new inspec inputs and 155 inspec working

mitre · Apr 22, 2024 · bd46558 · bd46558
1 parent afddfa8
commit bd46558
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 31 deletions.
diff --git a/spec/mongo-inspec-profile/controls/SV-252155.rb b/spec/mongo-inspec-profile/controls/SV-252155.rb
@@ -44,34 +44,42 @@
   tag cci: ['CCI-001499']
   tag nist: ['CM-5 (6)']
 
-  get_roles = "EJSON.stringify(db.getRoles({rolesInfo: 1, showPrivileges:true, showBuiltinRoles: true}))"
+  get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
 
-  get_dbs = "EJSON.stringify(db.adminCommand('listDatabases'))"
+  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
 
-  run_get_dbs = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/?tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_dbs}\""
+  system_users = json({command: run_get_system_users}).params
 
-  dbs_output = json({command: run_get_dbs}).params
+  system_users.each do |user|
+    user_id = user['_id']
 
-  # extract just the names of the databases
-  db_names = dbs_output["databases"].map { |db| db["name"] }
-
-  db_names.each do |db_name|
-    run_get_roles = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_roles}\""
-
-    # run the command and parse the output as json
-    roles_output = json({command: run_get_roles}).params
+    describe "User #{user_id}" do
+      subject { user_id }
+      it 'should be in either mongo_superusers or mongo_users' do
+        list = [input('mongo_superusers'), input('mongo_users')].flatten
+        if !list.include?(subject)
+          fail "User #{subject} is not authorized as a superuser or regular user"
+        end
+      end
+    end
+  end
 
-    # run_get_roles['users'].each do |user|
-    #   # check if user is not a superuser
-    #   unless input('mongo_superusers').include?(user['user'])
-    #     # check each users role
-    #     describe "User #{user['_id']} in database #{db_name}" do
-    #       # collect all roles for user
-    #       subject { user['roles'].map { |role| role['role'] } }
-    #       it { should_not include 'dbOwner' }
-    #     end
-    #   end
-    # end
+  system_users.each do |user|
+    user_id = user['_id']
+    db_name = user['db']
+    user_roles = user['roles'].map { |role| "#{role['role']}" }
+    db_roles = user_roles.map { |role| "#{db_name}.#{role}" }
+
+    db_roles.each do |role|
+      describe "Role #{role}" do
+        subject { role }
+        it 'should be in authorized in mongo_roles' do
+          if !input('mongo_roles').include?(subject)
+            fail "Role #{role} is not authorized as a role"
+          end
+        end
+      end
+    end
   end
 
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252174.rb b/spec/mongo-inspec-profile/controls/SV-252174.rb
@@ -68,7 +68,7 @@
 
   get_dbs = "EJSON.stringify(db.adminCommand('listDatabases'))"
 
-  run_get_dbs = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/?authSource=admin&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_dbs}\""
+  run_get_dbs = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_dbs}\""
 
   dbs_output = json({command: run_get_dbs}).params
 
@@ -77,7 +77,7 @@
 
   db_names.each do |db_name|
     p "db_name", db_name
-    run_get_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=admin&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_users}\""
+    run_get_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_users}\""
 
     # run the command and parse the output as json
     users_output = json({command: run_get_users}).params
@@ -86,15 +86,15 @@
       p "user", user
 
       # check if user is not a superuser
-      unless input('mongo_superusers').include?(user['user'])
+      unless input('mongo_superusers').include?(user['_id'])
 
         # collect all roles for user and wrap in single quotes
         user_roles = user['roles'].map { |role| "#{role['role']}" }
 
         user_roles.each do |role|
           p "role", role
 
-          run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=admin&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
+          run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
 
           role_output = json({command: run_get_role}).params
 

diff --git a/spec/mongo-inspec-profile/controls/SV-252178.rb b/spec/mongo-inspec-profile/controls/SV-252178.rb
@@ -23,4 +23,11 @@
   tag 'documentable'
   tag cci: ['CCI-002470']
   tag nist: ['SC-23 (5)']
+
+  run_check_command = "openssl x509 -in /etc/ssl/CA_bundle.pem -text | grep -i issuer"
+
+  describe command(run_check_command) do
+    its('stdout'){should match /Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA/i}
+  end
+
 end
diff --git a/spec/mongo-inspec-profile/inspec.yml b/spec/mongo-inspec-profile/inspec.yml
@@ -65,6 +65,13 @@ inputs:
     required: true
     sensitive: true
 
+  # SV-252155, SV-252174
+  - name: auth_source
+    description: "The database used to authorize users"
+    type: string
+    required: true
+    sensitive: true
+
   # SV-252141, SV-252146, SV-252154,SV-252155, SV-252157, SV-252159, SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176
   - name: ca_file
     description: "The path to the CA file"
@@ -79,20 +86,32 @@ inputs:
     required: true
     sensitive: true
 
-  # SV-252154
+  # SV-252154, SV-252155
   - name: mongo_superusers
     description: "Authorized superuser accounts"
     type: array
     value:
-      - "admin"
+      - "admin.admin"
     required: true
     sensitive: true
 
+  # SV-252154, SV-252155
   - name: mongo_users
-    description: "Authorized user accounts"
+    description: "Authorized user accounts in the format of database.user"
     type: array
     value:
-      - ""
+      - "test.myTester"
+      - "products.myRoleTestUser"
+    required: true
+    sensitive: true
+
+  # SV-252155
+  - name: mongo_roles
+    description: "Authorized roles for MongoDB in the format of database.role"
+    type: array
+    value:
+      - "admin.root"
+      - "products.myTestRole"
     required: true
     sensitive: true