updated inspec checks

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -281,7 +281,6 @@
 #     - medium
 #     - SV-252166
 
-##### SAME AS 252143?
 - name: "MEDIUM | SV-252167 | MongoDB must check the validity of all data inputs except those specifically identified by the organization."
   yedit:
       src: "{{ mongod_config_path }}"
@@ -377,7 +376,7 @@
 #     - medium
 #     - SV-252174
 
-#####MANUAL 
+##### MANUAL 
 # - name: "MEDIUM | SV-252175 | MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s)."
 #   command: true
 #   ignore_errors: true
@@ -412,14 +411,6 @@
 #     - SV-252178
 
 # - name: "MEDIUM | SV-252179 | MongoDB must maintain the confidentiality and integrity of information during preparation for transmission."
-#   command: true
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252179
-
-# - name: "MEDIUM | SV-252180 | MongoDB must maintain the confidentiality and integrity of information during reception."
 #   yedit:
 #     src: "{{ mongod_config_path }}"
 #     edits:
@@ -435,6 +426,29 @@
 #       value: false
 #     - key: net.tls.FIPSMode
 #       value: true
+#   command: true
+#   ignore_errors: true
+#   tags:
+#     - cat2
+#     - medium
+#     - SV-252179
+
+# - name: "MEDIUM | SV-252180 | MongoDB must maintain the confidentiality and integrity of information during reception."
+  # yedit:
+  #   src: "{{ mongod_config_path }}"
+  #   edits:
+  #   - key: net.tls.mode
+  #     value: requireTLS
+  #   - key: net.tls.certificateKeyFile
+  #     value: "{{ certificate_key_file_path }}"
+  #   - key: net.tls.CAFile
+  #     value: "{{ ca_file_path }}"
+  #   - key: net.tls.allowInvalidCertificates
+  #     value: false
+  #   - key: net.tls.allowConnectionsWithoutCertificates
+  #     value: false
+  #   - key: net.tls.FIPSMode
+  #     value: true
 #   ignore_errors: true
 #   tags:
 #     - cat2

spec/mongo-inspec-profile/controls/SV-252165.rb

@@ -43,4 +43,17 @@
   tag 'documentable'
   tag cci: ['CCI-001199']
   tag nist: ['SC-28']
+
+  check_command="db.serverStatus().encryptionAtRest.encryptionEnabled"
+
+  run_check_command = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')} --quiet --eval \"#{check_command}\""
+
+  check_output = command(run_check_command)
+
+  describe 'Encrypted Storage Engine' do
+      it 'should be enabled' do 
+        expect(check_output.stdout).to match(/false/)
+      end
+    end
+
 end

spec/mongo-inspec-profile/controls/SV-252167.rb

@@ -43,8 +43,28 @@
   tag cci: ['CCI-001310']
   tag nist: ['SI-10']
 
+  check_command = "db.col.find({\$where:'return true;'})"
+
+  run_check_command = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')} --quiet --eval \"#{check_command}\""
+
+  check_output = command(run_check_command)
+
+  describe command('mongosh mongodb://admin:admin@localhost:27017 --quiet --eval "db.col.find({\$where:\'return true;\'})"') do
+    its('stderr') { should match /MongoServerError: no globalScriptEngine in $where parsing/ }
+  end
+
+  describe command(run_check_command) do
+    its('stderr') {should match /MongoServerError: no globalScriptEngine in $where parsing/}
+  end
+
+  describe 'Javascript' do
+    it 'should be disabled' do 
+      expect(check_output.stderr).to match(/MongoServerError: no globalScriptEngine in $where parsing/)
+    end
+  end
+
   describe mongodb_conf(input('mongod_config_path')) do
     its(['security','javascriptEnabled']){should eq false}
   end
 
-end
+end

spec/mongo-inspec-profile/controls/SV-252168.rb

@@ -47,6 +47,18 @@
   tag cci: ['CCI-001312']
   tag nist: ['SI-11 a']
 
+  check_command="db.getSiblingDB('admin').runCommand({getCmdLineOpts: 1}).parsed.security.redactClientLogData"
+
+  run_check_command = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')} --quiet --eval \"#{check_command}\""
+
+  check_output = command(run_check_command)
+
+  describe 'Client log data' do
+      it 'should be redacted' do 
+        expect(check_output.stdout).to match(/true/)
+      end
+    end
+
   describe mongodb_conf(input('mongod_config_path')) do
     its(['security','redactClientLogData']){should eq true}
   end

spec/mongo-inspec-profile/controls/SV-252169.rb

@@ -48,8 +48,20 @@
   tag cci: ['CCI-001314']
   tag nist: ['SI-11 b']
 
+  check_command="db.getSiblingDB('admin').runCommand({getCmdLineOpts: 1}).parsed.security.redactClientLogData"
+
+  run_check_command = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')} --quiet --eval \"#{check_command}\""
+
+  check_output = command(run_check_command)
+
+  describe 'Client log data' do
+      it 'should be redacted' do 
+        expect(check_output.stdout).to match(/true/)
+      end
+    end
+
   describe mongodb_conf(input('mongod_config_path')) do
     its(['security','redactClientLogData']){should eq true}
   end
-  
+
 end

spec/mongo-inspec-profile/controls/SV-252175.rb

@@ -85,8 +85,8 @@
 
   create_user_output = json({command: run_create_user})
 
-  create_user_again = command( run_create_user)
-  
+  create_user_again = command(run_create_user)
+
   run_user_output = command(run_user_write)
 
   describe.one do

spec/mongo-inspec-profile/controls/SV-252179.rb

@@ -52,4 +52,14 @@
   tag 'documentable'
   tag cci: ['CCI-002420']
   tag nist: ['SC-8 (2)']
+
+  describe mongodb_conf(input('mongod_config_path')) do
+    its(['net','tls','mode']){should eq "requireTLS"}
+    its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')}
+    its(['net','tls','CAFile']){should match input('ca_file_path')}
+    its(['net','tls','allowInvalidCertificates']){should eq false}
+    its(['net','tls','allowConnectionsWithoutCertificates']){should eq false}
+    its(['net','tls','FIPSMode']){should eq true}
+  end
+
 end