57 changes: 33 additions & 24 deletions controls/access_control.rb
Expand Up @@ -7,8 +7,14 @@

control "mongod-auth-1" do
title "Authentication is enabled"
desc "Authentication should be required for any interaction with mongod"
desc "Authentication should be enabled and required for any interaction with mongod.
It ensures that all clients, users, servers are required to authenticate before being
granted access to the MongoDB database."
impact 1.0
tag Vulnerability: 'Critical'
tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
tag Remedy:"Open mongod.conf and change for authorization value to enabled"
ref 'Mongodb Authentication', url: 'https://docs.mongodb.com/v3.6/core/authentication/'

describe yaml(mongo_conf_file) do
its(["security", "authorization"]) { should cmp "enabled" }
Expand All @@ -24,32 +30,35 @@
its("stdout") { should include "Error: not authorized"}
end

only_if do
!mongo_username.nil?
end
# only_if do
# !mongo_username.nil?
# end
end

control "mongod-auth-3" do
title "Multiple user accounts exist"
desc "A single administrator user should be created, and then
individual accounts should be created for each specific use
of MongoDB. Therefore, there should be at least two users
created."
impact 0.7
# These checks are not accurate and also they are being executed on 127.0.0.1 bind address,
# Host part is required to add

describe mongo_command("db.getUsers()", username: mongo_username, password: mongo_password, verify_ssl: mongo_verify_ssl) do
its("params.length") { should be >= 2 }
end
end
# control "mongod-auth-3" do
# title "Multiple user accounts exist"
# desc "A single administrator user should be created, and then
# individual accounts should be created for each specific use
# of MongoDB. Therefore, there should be at least two users
# created."
# impact 0.7

control "mongod-auth-4" do
title "Roles are used"
desc "Role-based access control should be used. Therefore, at
least 1 role should be created."
impact 0.7
# describe mongo_command("db.getUsers()", username: mongo_username, password: mongo_password, host: "18.222.239.69" ,verify_ssl: mongo_verify_ssl) do
# its("params.length") { should be >= 2 }
# end
# end

describe mongo_command("db.getRoles()", username: mongo_username, password: mongo_password, verify_ssl: mongo_verify_ssl) do
its("params.length") { should be >= 1 }
end
end
# control "mongod-auth-4" do
# title "Roles are used"
# desc "Role-based access control should be used. Therefore, at
# least 1 role should be created."
# impact 0.7

# describe mongo_command("db.getRoles()", username: mongo_username, password: mongo_password, verify_ssl: mongo_verify_ssl) do
# its("params.length") { should be >= 1 }
# end
# end

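Review bot: Commenting out `mongod-auth-3` and `mongod-auth-4` removes the user-count and role checks from the profile output entirely, so a run that never exercised them shows no gap at all. Keeping the controls and gating them with a reason, `only_if('mongo credentials not supplied') { !mongo_username.nil? }`, reports them as skipped instead of silently dropping coverage. The commented-out `db.getUsers()` line also carries a hard-coded host IP; if that call is restored, take the host from an attribute the way `mongo_username` and `mongo_password` already are, rather than a literal in the profile. Dropping the `only_if` from `mongod-auth-2` makes that control run even when no `mongo_username` is set, which may be intended for an "unauthenticated access is refused" check, but its opening lines are outside this hunk so I cannot confirm what command it wraps.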
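--- /dev/null
+++ b/controls/fileandDirectories.rb
@@ -0,0 +1,61 @@
+mongo_directory = attribute('mongodbPath', default: '/var/lib/mongodb', description: 'Path to the mongodb directory where database file are saved')
+mongo_conf_file = attribute('conf_file', default: '/etc/mongod.conf', description: 'Path to the mongod.conf file')
+
+
+control "mongod-file-Directories-1" do
+title "Ensure that database file owner and group are set correctly"
+desc "Mongodb Path is a directory where all databases related files are stored in different format.
+The owner and group should be mongod"
+impact 1.0
+tag Vulnerability: 'High'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+tag Remedy:"Set ownership of the database file to mongodb user using
+the following commands: sudo chown mongodb:mongodb /var/lib/mongodb"
+ref 'MongodB dbPath', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#storage.dbPath'
+describe file(mongo_directory) do
+it { should be_directory }
+its('group') { should eq 'mongodb' }
+its('owner') { should eq 'mongodb' }
+end
+end
+
+control "mongod-file-Directories-2" do
+title "Ensure that database file permission are set correctly"
+desc "Mongodb Path is a directory where all databases related files are stored in different format.
+The mode of this directory should be 770. It should not be readble,executable and writeable by others."
+impact 1.0
+tag Vulnerability: 'High'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+tag Remedy:"Remove other permissions using
+the following commands: chmod 770 /var/lib/mongodb"
+ref 'MongodB dbPath', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#storage.dbPath'
+describe file(mongo_directory) do
+its('mode') { should cmp '0770' }
+it { should be_readable.by('owner') }
+it { should be_readable.by('group') }
+it { should_not be_readable.by('other') }
+it { should be_writable.by('owner') }
+it { should_not be_writable.by('other') }
+it { should be_executable.by('owner') }
+it { should be_executable.by('group') }
+it { should_not be_executable.by('other') }
+end
+end
+
+control "mongod-file-Directories-3" do
+title "Ensure that configuration file owner is root and it is not writable by others"
+desc "mongodB configuration file are very important and if other has permission to write this file then anyone will be
+able to change the state of mongodB"
+impact 1.0
+tag Vulnerability: 'High'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+tag Remedy:"Set ownership of the configuration file to root user and remove other write permissions using
+the following commands: chmod 640 /var/lib/mongodb"
+describe file(mongo_conf_file) do
+its('mode') { should cmp '0644' }
+its('group') { should eq 'root' }
+its('owner') { should eq 'root' }
+it { should_not be_writable.by('other') }
+it { should_not be_writable.by('group') }
+end
+end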
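Review bot: In `mongod-file-Directories-3` the remedy disagrees with the check: the expectation is `its('mode') { should cmp '0644' }` while the `Remedy` tag says `chmod 640`, and the path it names is the data directory `/var/lib/mongodb` rather than the configuration file the control tests. Suggest `tag Remedy:"Set ownership of the configuration file to root and remove group/other write permission: sudo chown root:root /etc/mongod.conf; sudo chmod 644 /etc/mongod.conf"` so an operator following it fixes the file the describe reads (`mongo_conf_file`, default `/etc/mongod.conf`). The remedies in `-1` and `-2` likewise hard-code `/var/lib/mongodb` although the describe uses the `mongodbPath` attribute, so they go stale the moment the input is overridden. If the configuration file can hold sensitive values, `0640` may be the better target for `-3`; whichever mode is chosen, keep the `mode` line and the remedy text in agreement.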
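--- /dev/null
+++ b/controls/installation.rb
@@ -0,0 +1,22 @@
+control "mongod-installation-1" do
+title "Latest version of mongodB is installed or not"
+desc "Using the most recent MongoDB software version along with all applicable patches, helps \n
+limit the possibilities for vulnerabilities in the software. The installation version \n
+patches applied should be selected according to the needs of the organization."
+impact 1.0
+tag Vulnerability: 'Medium'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+tag Remedy:"1. Backup the data set.\n
+2. Download the binaries for the latest MongoDB revision from the MongoDB Download Page and store \n
+the binaries in a temporary location. The binaries download as compressed files that extract to the directory structure used by the
+MongoDB installation.
+3. Shutdown the MongoDB instance.
+4. Replace the existing MongoDB binaries with the downloaded binaries.
+5. Restart the MongoDB instance"
+ref 'MongodB upgrade to Newer Version', url: 'https://docs.mongodb.com/manual/tutorial/upgrade-revision/'
+describe command('mongod --version') do
+its('stdout') { should match(/db version v4.4.?/) }
+
+end
+end
+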
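Review bot: The regex in `its('stdout') { should match(/db version v4.4.?/) }` pins the control to the 4.4 series rather than to "latest": the unescaped dots and the trailing `.?` match any character, so any 4.4.x build passes (including one missing patches) and every newer release fails, while the tag still cites the MongoDB 3.6 benchmark. Make the expected series an input so it can be raised without editing the control, e.g. `mongo_version = attribute('mongo_version', default: '4.4', description: 'Expected mongod release series')` at the top of the file and `its('stdout') { should match(/db version v#{Regexp.escape(mongo_version)}\./) }` in the describe. Matching a release series still does not establish that the latest patch is installed; doing that needs the patch number captured and compared against a configured minimum. The stray blank line before the describe's `end` can be dropped.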
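--- /dev/null
+++ b/controls/logging.rb
@@ -0,0 +1,66 @@
+mongo_conf_file = attribute('conf_file', default: '/etc/mongod.conf', description: 'Path to the mongod.conf file')
+conf_file = yaml(mongo_conf_file)
+
+control "mongod-logging-1" do
+title "Ensure that system activity is audited"
+desc "MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, \n
+connection events) on a MongoDB instance. These logging enable to track incident happend"
+impact 1.0
+tag Vulnerability: 'High'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+tag Remedy:"Set the destinations based on the organization’s requirements.
+mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
+or you change configuration file and add destination and path of Log"
+ref 'MongodB configure Auditing', url: 'https://docs.mongodb.com/v3.6/tutorial/configure-auditing/'
+describe conf_file do
+its(["systemLog", "destination"]) { should match(/syslog|file/) }
+its(["systemLog", "destination"]) { should_not eq "console" }
+end
+end
+
+control "mongod-logging-2" do
+title "Ensure that new entries are appended to the end of the log file"
+desc "By default, new log entries will overwrite old entries after a restart of the mongod or mongos service.\n
+Enabling the systemLog.logAppend setting causes new entries to be appended to the end of the log file rather \n
+than overwriting the existing content of the log when the mongod or mongos instance restarts."
+impact 1.0
+tag Vulnerability: 'High'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+tag Remedy:"Set systemLog.logAppend to true in the /etc/mongod.conf file."
+ref 'MongodB configuration Log Append', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.logAppend'
+describe conf_file do
+its(["systemLog", "logAppend"]) { should eq true }
+end
+end
+
+control "mongod-logging-3" do
+title "Ensure that logging captures as much information as possible"
+desc "Ensure that logging captures as much information such as connection events, authentication events, replication sync activities
+evidence of some potentially impactful commands being run (eg: drop , dropIndexes , validate )"
+impact 1.0
+tag Vulnerability: 'High'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+tag Remedy:"Set SystemLog.quiet to false in the /etc/mongod.conf file to disable it."
+ref 'MongodB configuration systemlog quiet', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.quiet'
+describe conf_file do
+its(["systemLog", "quiet"]) { should eq false }
+end
+end
+
+control "mongod-logging-4" do
+title "Ensure that audit filters are configured properly"
+desc "When enabled, the audit facility, by default, records all auditable operations as detailed in Audit Event Actions,
+Details, and Results. To specify which events to record, the audit feature includes the -- auditFilter option"
+impact 1.0
+tag Vulnerability: 'Low'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+tag Remedy:"Set SystemLog.quiet to false in the /etc/mongod.conf file to disable it."
+ref 'MongodB configuration systemlog quiet', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.quiet'
+describe conf_file do
+its(["auditLog", "destination"]) { should match(/syslog|file/) }
+its(["auditLog", "filter"]) { should match(/\*/) }
+
+end
+end
+
+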
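Review bot: `mongod-logging-1` is titled "system activity is audited" but its describe only reads `systemLog.destination`, which is the ordinary server log; the auditing facility the description and `ref` talk about is configured under `auditLog`, the key `mongod-logging-4` reads at `its(["auditLog", "destination"])`, so a server with no audit log at all passes `-1`. Either point the describe at the audit settings, `its(["auditLog", "destination"]) { should match(/syslog|file/) }`, or retitle the control as a system-log check so the report does not overstate what was verified. In `mongod-logging-4` the `Remedy` and `ref` lines are copied from `-3` (they describe `systemLog.quiet`) and do not apply to audit filters, and `its(["auditLog", "filter"]) { should match(/\*/) }` only demands a literal asterisk somewhere in the filter string; if the intent is "a filter is configured", `should_not be_nil` says that directly. The `systemLog.quiet` remedy in `-3` reads "to disable it", which is ambiguous about what is being disabled; "so that verbose logging is not suppressed" would be clearer.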
59 changes: 47 additions & 12 deletions controls/network_and_communication.rb
Expand Up @@ -6,33 +6,46 @@
conf_file = yaml(mongo_conf_file)

control "mongod-network-1" do
title "SSL is enabled"
desc "Enabling SSL ensures communication to mongod is secure"
title "Ensure Encryption of Data in Transit TLS/SSL"
desc "Use TLS or SSL to protect all incoming and outgoing connections. This should include using
TLS or SSL to encrypt communication between the mongod and mongos components of a
MongoDB client as well as between all applications and MongoDB."
impact 0.6
tag Vulnerability: 'Medium'
tag Remedy: "ssl:
mode: requireSSL
PEMKeyFile: /etc/ssl/mongodb.pem"
ref 'SSL Encryption', url: 'https://docs.mongodb.com/v3.6/core/security-transport-encryption/'

describe conf_file do
its(["net", "ssl", "mode"]) { should eq "requireSSL" }
its(["net", "ssl", "PEMKeyFile"]) { should_not be_nil }
end
end

control "mongod-network-2" do
title "HTTP-based interfaces are disabled"
desc "MongoDB recommends all HTTP-based interfaces are disabled in production to avoid data leakage."
# control "mongod-network-2" do
# title "HTTP-based interfaces are disabled"
# desc "MongoDB recommends all HTTP-based interfaces are disabled in production to avoid data leakage."
# tag Vulnerability: 'Low'
# tag Version: 'Extra Check'
# ref 'Mongod Realm Service', url: 'https://docs.mongodb.com/realm/services/http/'

describe conf_file do
its(["net", "http", "enabled"]) { should eq false }
its(["net", "http", "JSONPEnabled"]) { should eq false }
its(["net", "http", "RESTInterfaceEnabled"]) { should eq false }
end
end
# describe conf_file do
# its(["net", "http", "enabled"]) { should eq false }
# its(["net", "http", "JSONPEnabled"]) { should eq false }
# its(["net", "http", "RESTInterfaceEnabled"]) { should eq false }
# end
# end

control "mongod-network-3" do
title "Bind to localhost"
desc "
Whenever possible, do not expose MongoDB instances to publicly-accessible interfaces.
If having MongoDB be accessible to other machines, skip this control.
"
tag Vulnerability: 'Medium'
tag Remedy:"Create a service file and set user and group to mongodb"
ref 'Why daemon should not run as root', url: 'https://github.com/openbmc/openbmc/issues/3383'
impact 0.1

describe conf_file do
Expand All @@ -42,10 +55,32 @@

control "mongod-network-4" do
title "Wirechecking payload is enabled"
desc "mongod should validate all requests on receipt to prevent clients inserting malformed data"
desc "mongod should validate all requests on receipt to prevent clients inserting malformed data.Setting Wirechecking paylod to true\n
It validates all requests from clients upon receipt to prevent clients from inserting malformed or invalid BSON into a MongoDB database."
impact 0.1
tag Vulnerability: 'Low'
tag Version: 'Extra checks'
ref 'See Wirechecking Section', url: 'https://docs.mongodb.com/manual/reference/configuration-options/#net-options'

describe conf_file do
its(["net", "wireObjectCheck"]) { should eq true }
end
end

control "mongod-network-5" do
title "Ensure Federal Information Processing Standard"
desc "The Federal Information Processing Standard (FIPS) is a computer security standard used
to certify software modules and libraries that encrypt and decrypt data securely. You can
configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL."
impact 0.1
tag Vulnerability: 'Medium'
tag Remedy:"Add in configuration file
net:
ssl:
FIPSMode: true"
ref 'MongodB Configure FIPS', url: 'https://docs.mongodb.com/v3.6/tutorial/configure-fips/'

describe conf_file do
its(["net", "ssl","FIPSMode"]) { should eq true }
end
end
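Review bot: In `mongod-network-3` the `Remedy` and `ref` added under the description do not belong to this control: "Create a service file and set user and group to mongodb" and the "daemon should not run as root" link describe process ownership, not binding to localhost, so an operator who fails the check is sent to fix the wrong thing. Suggest `tag Remedy:"Set net.bindIp in mongod.conf to 127.0.0.1, or to the specific interface addresses that must be reachable"` with the `ref` pointing at the `net.bindIp` configuration-option documentation. The describe block of that control continues past the end of the first hunk, so I cannot see what it asserts. `mongod-network-3` and `mongod-network-5` pair `impact 0.1` with `tag Vulnerability: 'Medium'`, which sends conflicting severity signals to anyone summarising the profile; pick one and make the two agree.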
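--- /dev/null
+++ b/controls/operatingSystem.rb
@@ -0,0 +1,71 @@
+mongo_conf_file = attribute('conf_file', default: '/etc/mongod.conf', description: 'Path to the mongod.conf file')
+conf_file = yaml(mongo_conf_file)
+
+control 'mongod-Operating-System-Hardening-1' do
+impact 1.0
+title 'mongod should be running and enabled'
+desc 'mongod should be running and enabled. When system restarts apruptly mongod should be started and loaded automatically'
+tag Vulnerability: 'High'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+case os[:name]
+when 'ubuntu'
+case os[:release]
+when '12.04'
+describe command('/etc/init.d/mongod status') do
+its('stdout') { should include 'online' }
+end
+when '14.04'
+describe command('service mongod status') do
+its('stdout') { should include 'online' }
+end
+when '16.04'
+describe systemd_service(postgres.service) do
+it { should be_installed }
+it { should be_running }
+it { should be_enabled }
+end
+# Added for ubuntu 18.04
+when '18.04'
+describe command('service mongod status') do
+its('stdout') { should include 'active' }
+end
+describe command('systemctl list-unit-files | grep mongod.service') do
+its('stdout') { should include 'enabled' }
+end
+end
+when 'debian'
+case os[:release]
+when /7\./
+describe command('/etc/init.d/mongod status') do
+its('stdout') { should include 'Running' }
+end
+end
+when 'redhat', 'centos', 'oracle', 'fedora'
+case os[:release]
+when /6\./
+describe command('/etc/init.d/mongod-9.4 status') do
+its('stdout') { should include 'running' }
+end
+when /7\./
+describe command('ps aux | awk /\'bin\/postgres\'/ | wc -l') do
+its('stdout') { should include '1' }
+end
+end
+end
+end
+
+control "mongod-Operating-System-Hardening-2" do
+title "Ensure that MongoDB uses a non-default port"
+desc "Changing the default port used by MongoDB makes it harder for attackers to find the
+database and target it."
+impact 1.0
+tag Vulnerability: 'Medium'
+tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+tag Remedy:"Change the port for MongoDB server to a number other than 27017 ."
+ref 'Default mongodb Port', url: 'https://docs.mongodb.com/v3.6/reference/default-mongodb-port/'
+describe conf_file do
+its(["net", "port"]) { should_not eq 27017 }
+end
+end
+
+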
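Review bot: `mongod-Operating-System-Hardening-1` still carries PostgreSQL checks: `systemd_service(postgres.service)` in the Ubuntu 16.04 branch calls an undefined `postgres` method and raises before testing anything, and the RHEL branches look for `/etc/init.d/mongod-9.4` and `ps aux | awk /'bin\/postgres'/`, i.e. a postgres process, so they can never confirm mongod is running. Replace those with `describe systemd_service('mongod') do` for 16.04 and the RHEL 7 branch, and `describe command('/etc/init.d/mongod status') do` for the init-script branch. Releases not listed in the `case` (newer Ubuntu, Debian and RHEL versions, for example) fall through with no describe block, so the control reports nothing rather than failing; an `else` that fails or skips with a reason keeps the gap visible. In `mongod-Operating-System-Hardening-2`, `its(["net", "port"]) { should_not eq 27017 }` passes when `net.port` is absent from the file, which is precisely the case where mongod listens on the default port; add `its(["net", "port"]) { should_not be_nil }` alongside it.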