From 05375eec233879d1674e4a07a9ec290e57fbc4c6 Mon Sep 17 00:00:00 2001 From: seanlongcc Date: Mon, 19 Feb 2024 16:11:37 -0500 Subject: [PATCH] updated inspect for cat1 --- spec/ansible/roles/mongo-stig/tasks/cat1.yml | 163 ++++++------------ spec/ansible/roles/mongo-stig/tasks/cat2.yml | 39 +---- .../controls/SV-252146.rb | 4 + .../controls/SV-252150.rb | 6 + .../controls/SV-252152.rb | 5 + .../controls/SV-252158.rb | 7 + .../controls/SV-252159.rb | 2 +- .../controls/SV-252162.rb | 8 + .../controls/SV-252184.rb | 8 + 9 files changed, 97 insertions(+), 145 deletions(-) diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml index 377b709..91ee0d6 100644 --- a/spec/ansible/roles/mongo-stig/tasks/cat1.yml +++ b/spec/ansible/roles/mongo-stig/tasks/cat1.yml 
@@ -1,99 +1,44 @@ --- -##### DOES NOT WORK DUE TO MISSING FILE PATHS -# - name: Check if 'net:' exists and is not commented out -# shell: "grep -P '^net:' {{ mongod_config_path }} || true" -# register: net_check -# changed_when: false -# ignore_errors: true -# tags: -# - SV-252139 - -# - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords. | Net block does not exist" -# blockinfile: -# path: "{{ mongod_config_path }}" -# marker: "#Rule ID SV-252139" -# prepend_newline: true -# insertafter: "^#net:" -# block: | -# net: -# tls: -# mode: requireTLS -# certificateKeyFile: /etc/ssl/mongodb.pem -# CAFile: /etc/ssl/caToValidateClientCertificates.pem -# allowInvalidCertificates: false -# allowConnectionsWithoutCertificates: false -# when: security_check.stdout == "" -# ignore_errors: true -# tags: -# - cat1 -# - high -# - SV-252139 - -# - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords. | Net block does exist" -# blockinfile: -# path: "{{ mongod_config_path }}" -# marker: "#Rule ID SV-252139" -# prepend_newline: true -# insertafter: "^net:" -# block: | -# # -# tls: -# mode: requireTLS -# certificateKeyFile: /etc/ssl/mongodb.pem -# CAFile: /etc/ssl/caToValidateClientCertificates.pem -# allowInvalidCertificates: false -# allowConnectionsWithoutCertificates: false -# when: security_check.stdout == "" +##### DOES NOT WORK DUE TO MISSING FILE PATHS, disabled +# - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords." 
+# yedit: +# src: "{{ mongod_config_path }}" +# edits: +# - key: net.tls.mode +# value: requireTLS +# - key: net.tls.certificateKeyFile +# value: /etc/ssl/mongodb.pem +# - key: net.tls.CAFile +# value: /etc/ssl/caToValidateClientCertificates.pem +# - key: net.tls.allowInvalidCertificates +# value: false +# - key: net.tls.allowConnectionsWithoutCertificates +# value: false # ignore_errors: true # tags: # - cat1 # - high # - SV-252139 -##### ENTERPRISE ONLY +##### ENTERPRISE ONLY, DISABLED FOR EASIER TESTING # - name: "HIGH | SV-252146 | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations." -# command: true +# yedit: +# src: "{{ mongod_config_path }}" +# key: net.tls.FIPSMode +# value: true # ignore_errors: true # tags: # - cat1 # - high # - SV-252146 +# - enterprise -# ### DISABLED NOW FOR EASIER TESTING -# - name: Check if 'security:' exists and is not commented out -# shell: "grep -P '^security:' {{ mongod_config_path }} || true" -# register: security_check -# changed_when: false -# ignore_errors: true -# tags: -# - SV-252149 - -# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block does not exist." -# blockinfile: -# path: "{{ mongod_config_path }}" -# marker: "#Rule ID SV-252149" -# prepend_newline: true -# insertafter: "^#security:" -# block: | -# security: -# authorization: enabled -# when: security_check.stdout == "" -# ignore_errors: true -# tags: -# - cat1 -# - high -# - SV-252149 - -# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block exists." 
-# blockinfile: -# path: "{{ mongod_config_path }}" -# marker: "#Rule ID SV-252149" -# prepend_newline: true -# insertafter: "^security:" -# block: | -# #REMOVE THIS TEXT LATER -# authorization: enabled -# when: security_check.stdout != "" +##### DISABLED FOR EASIER TESTING +# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals." +# yedit: +# src: "{{ mongod_config_path }}" +# key: security.authorization +# value: enabled # ignore_errors: true # tags: # - cat1 @@ -102,9 +47,7 @@ ##### MANUAL # - name: "HIGH | SV-252150 | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." -# community.mongodb.mongodb_shell: -# db: "database" -# eval: "db.getRoles({rolesInfo: 1, showPrivileges:true, showBuiltinRoles: true })" +# commant: true # ignore_errors: true # tags: # - cat1 @@ -121,7 +64,7 @@ # - high # - SV-252152 -##### ENTERPRISE ONLY, not sure if can be changed with ansible? +##### MANUAL # - name: "HIGH | SV-252158 | If passwords are used for authentication, MongoDB must implement LDAP or Kerberos for authentication to enforce the DoD standards for password complexity and lifetime." # command: true # ignore_errors: true @@ -131,7 +74,7 @@ # - SV-252158 -##### PART TWO OF THIS DOESNT EXIST IN NEWER MONGO +##### PART TWO OF THIS DOESNT EXIST IN MONGO 4+ ##### This whole rule seems out of date as the authSchemaUpgrade command was removed in mongo 4 # - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords." # blockinfile: 
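Review bot: The SV-252149 task that sets `security.authorization: enabled` stays commented out under the new header `##### DISABLED FOR EASIER TESTING`, and nothing marks it for re-enabling, so a run of this role leaves authorization off while the file reads as if the control were handled; SV-252146 in this hunk is in the same state. I would make the header an explicit marker, e.g. `##### DISABLED FOR EASIER TESTING - TODO: re-enable before running against a real host`, so the disabled state cannot ship by accident. The unqualified `yedit:` module used in these blocks and in the enabled tasks further down presumably comes from an external role or collection; that dependency is not visible here and is worth stating in a comment at the top of the file.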
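Review bot: `# commant: true` in the SV-252150 block is a typo for `command`; the task is commented out today, but once uncommented Ansible will reject the unknown key, so the line should read `#   command: true`, matching the other MANUAL placeholders in this file. The replaced `community.mongodb.mongodb_shell` call was the only machine-checkable part of this control, so it is worth saying in the header comment that role review now happens outside the role (the SV-252150 InSpec control in this same commit records it as a skip).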
@@ -149,32 +92,31 @@ # - high # - SV-252159 -# - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords." -# yedit: -# src: "{{ mongod_config_path }}" -# key: setParameter -# value: -# authenticationMechanisms: SCRAM-SHA-256 -# ignore_errors: true -# tags: -# - cat1 -# - high -# - SV-252159 - -##### check text conflict with 252136? -- name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB." - ansible.builtin.shell: | - chown {{ mongo_user }}:{{ mongo_user }} /etc/ssl/mongodb.pem - chmod 600 /etc/ssl/mongodb.pem - chown {{ mongo_user }}:{{ mongo_user }} /etc/ssl/caToValidateClientCertificates.pem - chmod 600 /etc/ssl/caToValidateClientCertificates.pem +- name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords." + yedit: + src: "{{ mongod_config_path }}" + key: setParameter.authenticationMechanisms + value: SCRAM-SHA-256 ignore_errors: true tags: - cat1 - high - - SV-252160 + - SV-252159 + +##### check text conflict with 252136? +# - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB." +# ansible.builtin.shell: | +# chown {{ mongo_user }}:{{ mongo_user }} /etc/ssl/mongodb.pem +# chmod 600 /etc/ssl/mongodb.pem +# chown {{ mongo_user }}:{{ mongo_user }} /etc/ssl/caToValidateClientCertificates.pem +# chmod 600 /etc/ssl/caToValidateClientCertificates.pem +# ignore_errors: true +# tags: +# - cat1 +# - high +# - SV-252160 -##### dont think can do this one in ansible +##### MANUAL # - name: "HIGH | SV-252162 | MongoDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals." # command: true # ignore_errors: true 
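Review bot: The newly enabled SV-252159 task keeps `ignore_errors: true`, so if `yedit` fails to write `setParameter.authenticationMechanisms` (module not installed, file unwritable, wrong path) the play still reports success and the host is left with the control unmet; the enabled SV-252143 task in the cat2.yml hunk below has the same issue. For an enabled hardening task I would drop `ignore_errors: true` so a failure surfaces in the play result. The SV-252160 ownership/permission step on the PKI key files is now entirely commented out under the existing `##### check text conflict with 252136?` header; that header is a question, and a statement of why the step is disabled and what enforces key-file permissions instead would keep the next reader from re-enabling or deleting it blindly.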
@@ -183,7 +125,7 @@ # - high # - SV-252162 -#####ENTERPRISE ONLY +##### ENTERPRISE ONLY # - name: "HIGH | SV-252165 | MongoDB must protect the confidentiality and integrity of all information at rest." # command: true # ignore_errors: true @@ -191,8 +133,9 @@ # - cat1 # - high # - SV-252165 +# - enterprise -#####This also seems like a manual review activity +##### MANUAL # - name: "HIGH | SV-252184 | MongoDB products must be a version supported by the vendor." # command: true # ignore_errors: true diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml index e4a29ea..3da230c 100644 --- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml +++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml 
@@ -96,40 +96,11 @@ # - medium # - SV-252142 -- name: Check if 'security:' exists and is not commented out - shell: "grep -P '^security:' {{ mongod_config_path }} || true" - register: security_check - changed_when: false - ignore_errors: true - tags: - - SV-252143 - -- name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block does not exist." - blockinfile: - path: "{{ mongod_config_path }}" - marker: "#Rule ID SV-252143" - prepend_newline: true - insertafter: "^#security:" - block: | - security: - javascriptEnabled: false - when: security_check.stdout == "" - ignore_errors: true - tags: - - cat2 - - medium - - SV-252143 - -- name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block exists." - blockinfile: - path: "{{ mongod_config_path }}" - marker: "#Rule ID SV-252143" - prepend_newline: true - insertafter: "^security:" - block: | - # - javascriptEnabled: false - when: security_check.stdout != "" +- name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it." + yedit: + src: "{{ mongod_config_path }}" + key: security.javascriptEnabled + value: false ignore_errors: true tags: - cat2 diff --git a/spec/mongo-inspec-profile/controls/SV-252146.rb b/spec/mongo-inspec-profile/controls/SV-252146.rb index 8cab6a0..feec558 100644 --- a/spec/mongo-inspec-profile/controls/SV-252146.rb +++ b/spec/mongo-inspec-profile/controls/SV-252146.rb @@ -53,4 +53,8 @@ tag 'documentable' tag cci: ['CCI-002450', 'CCI-000803'] tag nist: ['SC-13 b', 'IA-7'] + + describe yaml('/etc/mongod.conf') do + its(['net','tls','FIPSMode']){should eq true} + end end diff --git a/spec/mongo-inspec-profile/controls/SV-252150.rb b/spec/mongo-inspec-profile/controls/SV-252150.rb index 7010a68..9084472 100644 
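Review bot: The new `describe yaml('/etc/mongod.conf')` hard-codes the config path while the Ansible side of this commit reads it from `{{ mongod_config_path }}`, so a host whose mongod.conf lives elsewhere fails this control for the wrong reason; an InSpec input, e.g. `input('mongod_conf_path', value: '/etc/mongod.conf')` (name is a suggestion), would keep the two in step. `net.tls.FIPSMode` is an Enterprise-only setting per the cat1.yml header in this same commit, so on a Community build `should eq true` is always a finding; a one-line comment above the describe, `# Enterprise-only setting; Community builds will always report a finding here`, would make that expected outcome explicit. The brace spacing in `its([...]){should eq true}` matches the existing SV-252159 control, so it is consistent, if unconventional.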
--- a/spec/mongo-inspec-profile/controls/SV-252150.rb +++ b/spec/mongo-inspec-profile/controls/SV-252150.rb @@ -38,4 +38,10 @@ tag 'documentable' tag cci: ['CCI-000213'] tag nist: ['AC-3'] + + describe 'The MongoDB administrator must ensure that additional application access control is enforced.' do + skip 'Review the system documentation to determine the required levels of protection for MongoDB server securables by type of login. + Review the permissions actually in place on the server. If the actual permissions do not match the documented requirements, this is a finding.' + end + end diff --git a/spec/mongo-inspec-profile/controls/SV-252152.rb b/spec/mongo-inspec-profile/controls/SV-252152.rb index 11248a9..5460e94 100644 --- a/spec/mongo-inspec-profile/controls/SV-252152.rb +++ b/spec/mongo-inspec-profile/controls/SV-252152.rb @@ -23,4 +23,9 @@ tag 'documentable' tag cci: ['CCI-001499'] tag nist: ['CM-5 (6)'] + + describe 'Review procedures for controlling, granting access to, and tracking use of the DBMS software installation account.' do + skip 'If access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.' + end + end diff --git a/spec/mongo-inspec-profile/controls/SV-252158.rb b/spec/mongo-inspec-profile/controls/SV-252158.rb index acbd2f4..c791fc1 100644 --- a/spec/mongo-inspec-profile/controls/SV-252158.rb +++ b/spec/mongo-inspec-profile/controls/SV-252158.rb 
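Review bot: The `skip '...'` message in the new SV-252150 describe is a single-quoted literal that spans two source lines, so the reported skip text carries the embedded newline plus the leading indentation of the second line; the same pattern appears in the SV-252152, SV-252158, SV-252162 and SV-252184 hunks, and SV-252184's describe title is split the same way. A squiggly heredoc, `skip <<~MSG` … `MSG`, strips the indentation and keeps the text readable, or the sentences could be joined on one line. These hunks also add an extra blank line before the control's closing `end`, which the SV-252146 hunk in this commit does not; one convention applied across the new controls would be tidier.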
@@ -33,4 +33,11 @@ tag 'documentable' tag cci: ['CCI-000192'] tag nist: ['IA-5 (1) (a)'] + + describe 'Password complexity and lifetime must be enforced by an external authentication source such as LDAP, Active Directory, or Kerberos.' do + skip 'If MongoDB is using Native LDAP authentication where the LDAP server is configured to enforce password complexity and lifetime, this is not a finding. + If MongoDB is using Kerberos authentication where Kerberos is configured to enforce password complexity and lifetime, this is not a finding. + If MongoDB is not configured for SCRAM-SHA1, MONGODB-CR, or LDAP authentication, this is a finding.' + end + end diff --git a/spec/mongo-inspec-profile/controls/SV-252159.rb b/spec/mongo-inspec-profile/controls/SV-252159.rb index c2073ea..791b683 100644 --- a/spec/mongo-inspec-profile/controls/SV-252159.rb +++ b/spec/mongo-inspec-profile/controls/SV-252159.rb @@ -63,7 +63,7 @@ tag cci: ['CCI-000196'] tag nist: ['IA-5 (1) (c)'] - #THERE IS A PART TWO THATS NOT COMPLETED + #authSchemaUpgrade command doesn't exist anymore since version 4, so part 2 is not doable describe yaml('/etc/mongod.conf') do its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']} end diff --git a/spec/mongo-inspec-profile/controls/SV-252162.rb b/spec/mongo-inspec-profile/controls/SV-252162.rb index 3664890..4375068 100644 --- a/spec/mongo-inspec-profile/controls/SV-252162.rb +++ b/spec/mongo-inspec-profile/controls/SV-252162.rb 
@@ -37,4 +37,12 @@ tag 'documentable' tag cci: ['CCI-000206'] tag nist: ['IA-6'] + + describe 'To prevent the compromise of authentication information such as passwords and PINs during the authentication process, the feedback from the system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism.' do + skip 'For the MongoDB command-line tools mongo shell, mongodump, mongorestore, mongoimport, mongoexport, which cannot be configured not to obfuscate a plain-text password, and any other essential tool with the same limitation; verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained. + If it is not documented, this is a finding. + Request evidence that all users of MongoDB command-line tools are trained in the use of the -p option/plain-text password option and how to keep the password protected from unauthorized viewing/capture, and that they adhere to this practice. + If evidence of training does not exist, this is a finding.' + end + end diff --git a/spec/mongo-inspec-profile/controls/SV-252184.rb b/spec/mongo-inspec-profile/controls/SV-252184.rb index d907a49..58d5244 100644 --- a/spec/mongo-inspec-profile/controls/SV-252184.rb +++ b/spec/mongo-inspec-profile/controls/SV-252184.rb @@ -31,4 +31,12 @@ tag 'documentable' tag cci: ['CCI-002605'] tag nist: ['SI-2 c'] + + describe 'Review the system documentation and interview the database administrator. + Identify all database software components. Review the version and release information.' do + skip 'If the DBMS or any of the software components are not supported by MongoDB, this is a finding. + Remove or decommission all unsupported software products. + Upgrade unsupported DBMS or unsupported components to a supported version of the product.' + end + end