From bd465587bf63a0ba389a60432b5bf30a88526917 Mon Sep 17 00:00:00 2001
From: seanlongcc
Date: Mon, 22 Apr 2024 15:19:14 -0400
Subject: [PATCH] new inspec inputs and 155 inspec working
---
 .../controls/SV-252155.rb | 54 +++++++++++--------
 .../controls/SV-252174.rb | 8 +--
 .../controls/SV-252178.rb | 7 +++
 spec/mongo-inspec-profile/inspec.yml | 27 ++++++++--
 4 files changed, 65 insertions(+), 31 deletions(-)
diff --git a/spec/mongo-inspec-profile/controls/SV-252155.rb b/spec/mongo-inspec-profile/controls/SV-252155.rb
index 0d2d538..0e6f91f 100644
--- a/spec/mongo-inspec-profile/controls/SV-252155.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252155.rb
@@ -44,34 +44,42 @@ tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] - get_roles = "EJSON.stringify(db.getRoles({rolesInfo: 1, showPrivileges:true, showBuiltinRoles: true}))" + get_system_users = "EJSON.stringify(db.system.users.find().toArray())" - get_dbs = "EJSON.stringify(db.adminCommand('listDatabases'))" + run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" - run_get_dbs = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/?tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_dbs}\"" + system_users = json({command: run_get_system_users}).params - dbs_output = json({command: run_get_dbs}).params + system_users.each do |user| + user_id = user['_id'] - # extract just the names of the databases - db_names = dbs_output["databases"].map { |db| db["name"] } - - db_names.each do |db_name| - run_get_roles = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_roles}\"" - - # run the command and parse the output as json - roles_output = json({command: run_get_roles}).params + describe "User #{user_id}" do + subject { user_id } + it 'should be in either mongo_superusers or mongo_users' do + list = [input('mongo_superusers'), input('mongo_users')].flatten + if !list.include?(subject) + fail "User #{subject} is not authorized as a superuser or regular user" + end + end + end + end - # run_get_roles['users'].each do |user| - # # check if user is not a superuser - # unless 
input('mongo_superusers').include?(user['user']) - # # check each users role - # describe "User #{user['_id']} in database #{db_name}" do - # # collect all roles for user - # subject { user['roles'].map { |role| role['role'] } } - # it { should_not include 'dbOwner' } - # end - # end - # end + system_users.each do |user| + user_id = user['_id'] + db_name = user['db'] + user_roles = user['roles'].map { |role| "#{role['role']}" } + db_roles = user_roles.map { |role| "#{db_name}.#{role}" } + + db_roles.each do |role| + describe "Role #{role}" do + subject { role } + it 'should be in authorized in mongo_roles' do + if !input('mongo_roles').include?(subject) + fail "Role #{role} is not authorized as a role" + end + end + end + end end end diff --git a/spec/mongo-inspec-profile/controls/SV-252174.rb b/spec/mongo-inspec-profile/controls/SV-252174.rb index 9b550d1..aaace22 100644 --- a/spec/mongo-inspec-profile/controls/SV-252174.rb +++ b/spec/mongo-inspec-profile/controls/SV-252174.rb @@ -68,7 +68,7 @@ get_dbs = "EJSON.stringify(db.adminCommand('listDatabases'))" - run_get_dbs = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/?authSource=admin&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_dbs}\"" + run_get_dbs = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_dbs}\"" dbs_output = json({command: run_get_dbs}).params 
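Review bot: The second `system_users.each` loop qualifies every role with `user['db']`, but a MongoDB role grant is scoped to the database named in the role entry itself (`role['db']`), so a user in `admin` holding `readWrite` on `products` is checked as `admin.readWrite` instead of `products.readWrite` and a cross-database grant that is absent from `mongo_roles` can pass unnoticed. Both loops also use `fail` inside an `it` block, which means the passing case asserts nothing and the failing case surfaces as a `RuntimeError` rather than a matcher message; InSpec's `be_in` matcher expresses the check directly, e.g. `describe user_id do it { should be_in input('mongo_superusers') + input('mongo_users') } end` for the first loop. The interpolation `#{input'auth_source'}` in `run_get_system_users` drops the parentheses every other `input(...)` call uses, and the same form appears in all four SV-252174.rb hunks. If the query returns no documents the loops emit no examples and the control passes without testing anything, so a `describe system_users do it { should_not be_empty } end` guard before the loops would make that case visible. The enclosing `control` block starts outside the hunk.
```ruby
  # … unchanged: system_users query and the superuser/user membership loop …
  system_users.each do |user|
    user['roles'].each do |role|
      # a role grant is scoped to the database named in the role entry, not to the user's home db
      qualified_role = "#{role['db']}.#{role['role']}"
      describe qualified_role do
        it { should be_in input('mongo_roles') }
      end
    end
  end
```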
@@ -77,7 +77,7 @@ db_names.each do |db_name| p "db_name", db_name - run_get_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=admin&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_users}\"" + run_get_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_users}\"" # run the command and parse the output as json users_output = json({command: run_get_users}).params @@ -86,7 +86,7 @@ p "user", user # check if user is not a superuser - unless input('mongo_superusers').include?(user['user']) + unless input('mongo_superusers').include?(user['_id']) # collect all roles for user and wrap in single quotes user_roles = user['roles'].map { |role| "#{role['role']}" } @@ -94,7 +94,7 @@ user_roles.each do |role| p "role", role - run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=admin&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\"" + run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\"" role_output = json({command: run_get_role}).params 
diff --git a/spec/mongo-inspec-profile/controls/SV-252178.rb b/spec/mongo-inspec-profile/controls/SV-252178.rb index e43e690..cc29dc4 100644 --- a/spec/mongo-inspec-profile/controls/SV-252178.rb +++ b/spec/mongo-inspec-profile/controls/SV-252178.rb @@ -23,4 +23,11 @@ tag 'documentable' tag cci: ['CCI-002470'] tag nist: ['SC-23 (5)'] + + run_check_command = "openssl x509 -in /etc/ssl/CA_bundle.pem -text | grep -i issuer" + + describe command(run_check_command) do + its('stdout'){should match /Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA/i} + end + end diff --git a/spec/mongo-inspec-profile/inspec.yml b/spec/mongo-inspec-profile/inspec.yml index faf36bc..70bd64d 100644 --- a/spec/mongo-inspec-profile/inspec.yml +++ b/spec/mongo-inspec-profile/inspec.yml @@ -65,6 +65,13 @@ inputs: required: true sensitive: true + # SV-252155, SV-252174 + - name: auth_source + description: "The database used to authorize users" + type: string + required: true + sensitive: true + # SV-252141, SV-252146, SV-252154,SV-252155, SV-252157, SV-252159, SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176 - name: ca_file description: "The path to the CA file" @@ -79,20 +86,32 @@ inputs: required: true sensitive: true - # SV-252154 + # SV-252154, SV-252155 - name: mongo_superusers description: "Authorized superuser accounts" type: array value: - - "admin" + - "admin.admin" required: true sensitive: true + # SV-252154, SV-252155 - name: mongo_users - description: "Authorized user accounts" + description: "Authorized user accounts in the format of database.user" type: array value: - - "" + - "test.myTester" + - "products.myRoleTestUser" + required: true + sensitive: true + + # SV-252155 + - name: mongo_roles + description: "Authorized roles for MongoDB in the format of database.role" + type: array + value: + - "admin.root" + - "products.myTestRole" required: true sensitive: true
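Review bot: `run_check_command` hard-codes `/etc/ssl/CA_bundle.pem` although the profile already declares a `ca_file` input for the CA path, so this control inspects a fixed location rather than the bundle the other controls connect with; `run_check_command = "openssl x509 -in #{input('ca_file')} -text -noout | grep -i issuer"` keeps them in step. `openssl x509` decodes only the first PEM block, so in a multi-certificate bundle every certificate after the first goes unchecked; if the bundle is expected to hold a chain, list all of them (for example `openssl crl2pkcs7 -nocrl -certfile #{input('ca_file')} | openssl pkcs7 -print_certs -noout`) so each issuer line is matched. The `Issuer: C = US, O = …` spelling with spaces around `=` is how OpenSSL 1.1 and later print names, while older builds print `C=US, O=…`, so `\s*=\s*` in the regex avoids a result that depends on the host's OpenSSL version. The enclosing `control` block starts outside the hunk.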
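Review bot: The new defaults under `mongo_users` (`test.myTester`, `products.myRoleTestUser`) and `mongo_roles` (`products.myTestRole`) in the second inspec.yml hunk look like test-fixture identities, and shipping them as the default allow-list means SV-252155 accepts those accounts and roles on any target unless the operator overrides the inputs. Because each of these inputs also sets `value:`, `required: true` is always satisfied and never forces a site-specific list; leaving the fixture entries out (or moving them to a test-only input file) makes the allow-list an explicit decision. `mongo_superusers` changed its default to `admin.admin` but its description still reads `Authorized superuser accounts`, whereas `mongo_users` now documents the `database.user` format; `description: "Authorized superuser accounts in the format of database.user"` keeps the two consistent. The `admin.root` default for `mongo_roles` is plausible for the DBA account but deserves a comment, since `root` is the broadest built-in role and appears in the authorized list by default.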