diff --git a/controls/access_control.rb b/controls/access_control.rb index fb0ba92..41f3180 100644 --- a/controls/access_control.rb +++ b/controls/access_control.rb @@ -7,8 +7,14 @@ control "mongod-auth-1" do title "Authentication is enabled" - desc "Authentication should be required for any interaction with mongod" + desc "Authentication should be enabled and required for any interaction with mongod. + It ensures that all clients, users, servers are required to authenticate before being + granted access to the MongoDB database." impact 1.0 + tag Vulnerability: 'Critical' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"Open mongod.conf and change for authorization value to enabled" + ref 'Mongodb Authentication', url: 'https://docs.mongodb.com/v3.6/core/authentication/' describe yaml(mongo_conf_file) do its(["security", "authorization"]) { should cmp "enabled" } 
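Review bot: The new `tag Remedy` on mongod-auth-1 reads "change for authorization value to enabled", which is ungrammatical and never names the key the `describe` block below actually reads; I would write `tag Remedy: "Set security.authorization: enabled in mongod.conf and restart mongod"`. The description would also benefit from a caveat that the control only parses the YAML, so an instance started with `--auth` on the command line, or with a different `--config`, is judged on a file it may not be using: `# NOTE: checks the config file only, not the running process` above the `describe`. The closing `end` lines of this control are not visible in the hunk.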
@@ -24,32 +30,35 @@ its("stdout") { should include "Error: not authorized"} end - only_if do - !mongo_username.nil? - end + # only_if do + # !mongo_username.nil? + # end end -control "mongod-auth-3" do - title "Multiple user accounts exist" - desc "A single administrator user should be created, and then - individual accounts should be created for each specific use - of MongoDB. Therefore, there should be at least two users - created." - impact 0.7 +# These checks are not accurate and also they are being executed on 127.0.0.1 bind address, +# Host part is required to add - describe mongo_command("db.getUsers()", username: mongo_username, password: mongo_password, verify_ssl: mongo_verify_ssl) do - its("params.length") { should be >= 2 } - end -end +# control "mongod-auth-3" do +# title "Multiple user accounts exist" +# desc "A single administrator user should be created, and then +# individual accounts should be created for each specific use +# of MongoDB. Therefore, there should be at least two users +# created." +# impact 0.7 -control "mongod-auth-4" do - title "Roles are used" - desc "Role-based access control should be used. Therefore, at - least 1 role should be created." - impact 0.7 +# describe mongo_command("db.getUsers()", username: mongo_username, password: mongo_password, host: "18.222.239.69" ,verify_ssl: mongo_verify_ssl) do +# its("params.length") { should be >= 2 } +# end +# end - describe mongo_command("db.getRoles()", username: mongo_username, password: mongo_password, verify_ssl: mongo_verify_ssl) do - its("params.length") { should be >= 1 } - end -end +# control "mongod-auth-4" do +# title "Roles are used" +# desc "Role-based access control should be used. Therefore, at +# least 1 role should be created." +# impact 0.7 + +# describe mongo_command("db.getRoles()", username: mongo_username, password: mongo_password, verify_ssl: mongo_verify_ssl) do +# its("params.length") { should be >= 1 } +# end +# end 
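Review bot: Commenting out the `only_if` guard means the control this hunk belongs to (its header is above the hunk) now runs `mongo_command` even when `mongo_username` is nil, so a run without credentials fails on a connection/auth error instead of being skipped; keep the guard, and if an unauthenticated probe is wanted, gate that case explicitly. The commented-out mongod-auth-3 also carries a literal public address, `host: "18.222.239.69"`, which should not be checked in even as dead code; the comment "Host part is required to add" points at the real fix, `mongo_host = attribute('host', default: '127.0.0.1', description: 'Address mongod listens on')` and `host: mongo_host` in both `mongo_command` calls. With that, auth-3 and auth-4 can stay enabled behind the same `only_if` rather than being disabled, which silently drops the user and role coverage from the profile.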
diff --git a/controls/fileandDirectories.rb b/controls/fileandDirectories.rb
new file mode 100644
index 0000000..b16128b
--- /dev/null
+++ b/controls/fileandDirectories.rb
@@ -0,0 +1,61 @@ +mongo_directory = attribute('mongodbPath', default: '/var/lib/mongodb', description: 'Path to the mongodb directory where database file are saved') +mongo_conf_file = attribute('conf_file', default: '/etc/mongod.conf', description: 'Path to the mongod.conf file') + + +control "mongod-file-Directories-1" do + title "Ensure that database file owner and group are set correctly" + desc "Mongodb Path is a directory where all databases related files are stored in different format. + The owner and group should be mongod" + impact 1.0 + tag Vulnerability: 'High' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"Set ownership of the database file to mongodb user using + the following commands: sudo chown mongodb:mongodb /var/lib/mongodb" + ref 'MongodB dbPath', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#storage.dbPath' + describe file(mongo_directory) do + it { should be_directory } + its('group') { should eq 'mongodb' } + its('owner') { should eq 'mongodb' } + end + end + +control "mongod-file-Directories-2" do + title "Ensure that database file permission are set correctly" + desc "Mongodb Path is a directory where all databases related files are stored in different format. + The mode of this directory should be 770. It should not be readble,executable and writeable by others." 
+ impact 1.0 + tag Vulnerability: 'High' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"Remove other permissions using + the following commands: chmod 770 /var/lib/mongodb" + ref 'MongodB dbPath', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#storage.dbPath' + describe file(mongo_directory) do + its('mode') { should cmp '0770' } + it { should be_readable.by('owner') } + it { should be_readable.by('group') } + it { should_not be_readable.by('other') } + it { should be_writable.by('owner') } + it { should_not be_writable.by('other') } + it { should be_executable.by('owner') } + it { should be_executable.by('group') } + it { should_not be_executable.by('other') } + end + end + +control "mongod-file-Directories-3" do + title "Ensure that configuration file owner is root and it is not writable by others" + desc "mongodB configuration file are very important and if other has permission to write this file then anyone will be + able to change the state of mongodB" + impact 1.0 + tag Vulnerability: 'High' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"Set ownership of the configuration file to root user and remove other write permissions using + the following commands: chmod 640 /var/lib/mongodb" + describe file(mongo_conf_file) do + its('mode') { should cmp '0644' } + its('group') { should eq 'root' } + its('owner') { should eq 'root' } + it { should_not be_writable.by('other') } + it { should_not be_writable.by('group') } + end + end diff --git a/controls/installation.rb b/controls/installation.rb new file mode 100644 index 0000000..47b8488 --- /dev/null +++ b/controls/installation.rb 
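Review bot: mongod-file-Directories-3 asserts `0644` on `mongo_conf_file`, but its Remedy says `chmod 640 /var/lib/mongodb`, i.e. a different mode on a different path (the data directory, which Directories-2 already covers); the remedy should read `chmod 644 /etc/mongod.conf` to match the assertion, or the assertion should be tightened to `0640` if the file may carry secrets such as `net.ssl.PEMKeyPassword`, in which case `it { should_not be_readable.by('other') }` belongs in the block. In Directories-1 the description says owner and group "should be mongod" while the expectations are `'mongodb'`; align the text with the check. The Remedy strings also hard-code `/var/lib/mongodb` although the path comes from the `mongodbPath` attribute; `"chown mongodb:mongodb #{mongo_directory}"` keeps them in step.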
@@ -0,0 +1,22 @@ +control "mongod-installation-1" do + title "Latest version of mongodB is installed or not" + desc "Using the most recent MongoDB software version along with all applicable patches, helps \n + limit the possibilities for vulnerabilities in the software. The installation version \n + patches applied should be selected according to the needs of the organization." + impact 1.0 + tag Vulnerability: 'Medium' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"1. Backup the data set.\n + 2. Download the binaries for the latest MongoDB revision from the MongoDB Download Page and store \n + the binaries in a temporary location. The binaries download as compressed files that extract to the directory structure used by the + MongoDB installation. + 3. Shutdown the MongoDB instance. + 4. Replace the existing MongoDB binaries with the downloaded binaries. + 5. Restart the MongoDB instance" + ref 'MongodB upgrade to Newer Version', url: 'https://docs.mongodb.com/manual/tutorial/upgrade-revision/' + describe command('mongod --version') do + its('stdout') { should match(/db version v4.4.?/) } + + end + end + diff --git a/controls/logging.rb b/controls/logging.rb new file mode 100644 index 0000000..bda86a6 --- /dev/null +++ b/controls/logging.rb 
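Review bot: mongod-installation-1 pins "latest" to `/db version v4.4.?/`, which goes stale on the next release, contradicts the `CIS_MongoDB_3.6_Benchmark` tag on the same control, and because of the trailing `.?` also matches strings such as `v4.40`. Reading the version out of the output and comparing it against an attribute-driven minimum keeps the control meaningful across releases, and rubygems' `Gem::Version` is already available in a profile. Note also that `mongod --version` reports whichever binary is first on `PATH`, which need not be the process that is running; the sketch below records that on the `describe`.
```ruby
mongo_min_version = attribute('mongo_min_version', default: '4.4.0', description: 'Lowest mongod version accepted by mongod-installation-1')

control "mongod-installation-1" do
  # … unchanged: title, desc, impact, tags, ref …
  # NOTE: inspects the mongod binary on PATH, which may differ from the running process.
  installed = command('mongod --version').stdout[/db version v(\d+\.\d+\.\d+)/, 1] || '0'
  describe "mongod version #{installed}" do
    subject { Gem::Version.new(installed) }
    it { should be >= Gem::Version.new(mongo_min_version) }
  end
end
```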
@@ -0,0 +1,66 @@ +mongo_conf_file = attribute('conf_file', default: '/etc/mongod.conf', description: 'Path to the mongod.conf file') +conf_file = yaml(mongo_conf_file) + +control "mongod-logging-1" do + title "Ensure that system activity is audited" + desc "MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, \n + connection events) on a MongoDB instance. These logging enable to track incident happend" + impact 1.0 + tag Vulnerability: 'High' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"Set the destinations based on the organization’s requirements. + mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json + or you change configuration file and add destination and path of Log" + ref 'MongodB configure Auditing', url: 'https://docs.mongodb.com/v3.6/tutorial/configure-auditing/' + describe conf_file do + its(["systemLog", "destination"]) { should match(/syslog|file/) } + its(["systemLog", "destination"]) { should_not eq "console" } + end + end + +control "mongod-logging-2" do + title "Ensure that new entries are appended to the end of the log file" + desc "By default, new log entries will overwrite old entries after a restart of the mongod or mongos service.\n + Enabling the systemLog.logAppend setting causes new entries to be appended to the end of the log file rather \n + than overwriting the existing content of the log when the mongod or mongos instance restarts." + impact 1.0 + tag Vulnerability: 'High' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"Set systemLog.logAppend to true in the /etc/mongod.conf file." 
+ ref 'MongodB configuration Log Append', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.logAppend' + describe conf_file do + its(["systemLog", "logAppend"]) { should eq true } + end + end + +control "mongod-logging-3" do + title "Ensure that logging captures as much information as possible" + desc "Ensure that logging captures as much information such as connection events, authentication events, replication sync activities + evidence of some potentially impactful commands being run (eg: drop , dropIndexes , validate )" + impact 1.0 + tag Vulnerability: 'High' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"Set SystemLog.quiet to false in the /etc/mongod.conf file to disable it." + ref 'MongodB configuration systemlog quiet', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.quiet' + describe conf_file do + its(["systemLog", "quiet"]) { should eq false } + end + end + +control "mongod-logging-4" do + title "Ensure that audit filters are configured properly" + desc "When enabled, the audit facility, by default, records all auditable operations as detailed in Audit Event Actions, + Details, and Results. To specify which events to record, the audit feature includes the -- auditFilter option" + impact 1.0 + tag Vulnerability: 'Low' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"Set SystemLog.quiet to false in the /etc/mongod.conf file to disable it." + ref 'MongodB configuration systemlog quiet', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.quiet' + describe conf_file do + its(["auditLog", "destination"]) { should match(/syslog|file/) } + its(["auditLog", "filter"]) { should match(/\*/) } + + end + end + + \ No newline at end of file diff --git a/controls/network_and_communication.rb b/controls/network_and_communication.rb index a38465f..4310859 100644 --- a/controls/network_and_communication.rb +++ b/controls/network_and_communication.rb 
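Review bot: mongod-logging-1 is titled and described as an audit check but asserts `systemLog.destination`, so a Community Edition server with ordinary file logging passes a control about the Enterprise audit facility; the audit sink is `auditLog.destination`, which mongod-logging-4 already reads, so either retitle logging-1 as a plain "log to file or syslog" check or change it to `its(["auditLog", "destination"]) { should match(/syslog|file/) }`. mongod-logging-4's Remedy and ref are copied from logging-3 (`SystemLog.quiet`) and say nothing about filters; something like `tag Remedy: "Set auditLog.filter in /etc/mongod.conf to the JSON document describing the events that must be recorded"` with the configure-audit-filters tutorial as the ref. I also cannot tell what `its(["auditLog", "filter"]) { should match(/\*/) }` is meant to prove: a filter is a JSON query document and a literal `*` is not a value I know of, so either assert presence with `should_not be_nil` or document the expected form in a comment.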
@@ -6,9 +6,16 @@ conf_file = yaml(mongo_conf_file) control "mongod-network-1" do - title "SSL is enabled" - desc "Enabling SSL ensures communication to mongod is secure" + title "Ensure Encryption of Data in Transit TLS/SSL" + desc "Use TLS or SSL to protect all incoming and outgoing connections. This should include using + TLS or SSL to encrypt communication between the mongod and mongos components of a + MongoDB client as well as between all applications and MongoDB." impact 0.6 + tag Vulnerability: 'Medium' + tag Remedy: "ssl: + mode: requireSSL + PEMKeyFile: /etc/ssl/mongodb.pem" + ref 'SSL Encryption', url: 'https://docs.mongodb.com/v3.6/core/security-transport-encryption/' describe conf_file do its(["net", "ssl", "mode"]) { should eq "requireSSL" } @@ -16,16 +23,19 @@ end end -control "mongod-network-2" do - title "HTTP-based interfaces are disabled" - desc "MongoDB recommends all HTTP-based interfaces are disabled in production to avoid data leakage." +# control "mongod-network-2" do +# title "HTTP-based interfaces are disabled" +# desc "MongoDB recommends all HTTP-based interfaces are disabled in production to avoid data leakage." +# tag Vulnerability: 'Low' +# tag Version: 'Extra Check' +# ref 'Mongod Realm Service', url: 'https://docs.mongodb.com/realm/services/http/' - describe conf_file do - its(["net", "http", "enabled"]) { should eq false } - its(["net", "http", "JSONPEnabled"]) { should eq false } - its(["net", "http", "RESTInterfaceEnabled"]) { should eq false } - end -end +# describe conf_file do +# its(["net", "http", "enabled"]) { should eq false } +# its(["net", "http", "JSONPEnabled"]) { should eq false } +# its(["net", "http", "RESTInterfaceEnabled"]) { should eq false } +# end +# end control "mongod-network-3" do title "Bind to localhost" 
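Review bot: The Remedy on mongod-network-1 quotes a snippet starting at `ssl:`, but the key the `describe` block reads is `net.ssl.mode`, so the text should show the parent (`net:` / `ssl:` / `mode: requireSSL` with `PEMKeyFile` beneath) or a reader pasting it gets a top-level `ssl` key that this very control still rejects; whitespace is collapsed in the diff so I may be missing indentation, but the parent key is absent either way. The check also stops at `mode`; `requireSSL` without a certificate is not a usable configuration, so add `its(["net", "ssl", "PEMKeyFile"]) { should_not be_nil }`. The `describe` block and the control close outside this hunk.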
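Review bot: The commented-out mongod-network-2 block keeps a ref to the Realm HTTP service docs, which concern the Realm product rather than mongod's `net.http` interface, so it will mislead whoever revives the control; either delete the dead block (git history keeps it) or keep only a comment stating why it was disabled. As far as I recall the HTTP interface and its `net.http.*` options were removed from mongod in 3.6, which is the justification worth recording: `# net.http.* was removed from mongod in 3.6; nothing to assert on a 3.6+ config`.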
@@ -33,6 +43,9 @@ Whenever possible, do not expose MongoDB instances to publicly-accessible interfaces. If having MongoDB be accessible to other machines, skip this control. " + tag Vulnerability: 'Medium' + tag Remedy:"Create a service file and set user and group to mongodb" + ref 'Why daemon should not run as root', url: 'https://github.com/openbmc/openbmc/issues/3383' impact 0.1 describe conf_file do @@ -42,10 +55,32 @@ control "mongod-network-4" do title "Wirechecking payload is enabled" - desc "mongod should validate all requests on receipt to prevent clients inserting malformed data" + desc "mongod should validate all requests on receipt to prevent clients inserting malformed data.Setting Wirechecking paylod to true\n + It validates all requests from clients upon receipt to prevent clients from inserting malformed or invalid BSON into a MongoDB database." impact 0.1 + tag Vulnerability: 'Low' + tag Version: 'Extra checks' + ref 'See Wirechecking Section', url: 'https://docs.mongodb.com/manual/reference/configuration-options/#net-options' describe conf_file do its(["net", "wireObjectCheck"]) { should eq true } end end + +control "mongod-network-5" do + title "Ensure Federal Information Processing Standard" + desc "The Federal Information Processing Standard (FIPS) is a computer security standard used + to certify software modules and libraries that encrypt and decrypt data securely. You can + configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL." + impact 0.1 + tag Vulnerability: 'Medium' + tag Remedy:"Add in configuration file + net: + ssl: + FIPSMode: true" + ref 'MongodB Configure FIPS', url: 'https://docs.mongodb.com/v3.6/tutorial/configure-fips/' + + describe conf_file do + its(["net", "ssl","FIPSMode"]) { should eq true } + end +end diff --git a/controls/operatingSystem.rb b/controls/operatingSystem.rb new file mode 100644 index 0000000..fb5e813 --- /dev/null +++ b/controls/operatingSystem.rb 
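Review bot: The Remedy and ref added to mongod-network-3 ("Create a service file and set user and group to mongodb", the openbmc non-root-daemon issue) are copied from mongod-process-1 and have nothing to do with binding to localhost, so a failing result points the operator at the wrong fix. Replace them with `tag Remedy: "Set net.bindIp: 127.0.0.1 in mongod.conf (or only the interfaces that must reach mongod)"` and `ref 'IP Binding', url: 'https://docs.mongodb.com/v3.6/core/security-mongodb-configuration/'`. `impact 0.1` also sits oddly next to `Vulnerability: 'Medium'` for an exposure control; worth reconciling. The `describe` block of this control is outside the hunk.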
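Review bot: mongod-network-5 only asserts `net.ssl.FIPSMode == true`, and its Remedy tells the operator to set the flag without mentioning that, as far as I recall from the linked tutorial, mongod refuses to start unless it is linked against a FIPS-capable OpenSSL with the FIPS module installed on the host; add that prerequisite to the Remedy so a remediation does not become an outage. The control is also missing the `tag Version` the other CIS-derived controls carry, and `impact 0.1` contradicts `Vulnerability: 'Medium'`. In mongod-network-4's rewritten description, "data.Setting" and "paylod" are typos.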
@@ -0,0 +1,71 @@ +mongo_conf_file = attribute('conf_file', default: '/etc/mongod.conf', description: 'Path to the mongod.conf file') +conf_file = yaml(mongo_conf_file) + +control 'mongod-Operating-System-Hardening-1' do + impact 1.0 + title 'mongod should be running and enabled' + desc 'mongod should be running and enabled. When system restarts apruptly mongod should be started and loaded automatically' + tag Vulnerability: 'High' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + case os[:name] + when 'ubuntu' + case os[:release] + when '12.04' + describe command('/etc/init.d/mongod status') do + its('stdout') { should include 'online' } + end + when '14.04' + describe command('service mongod status') do + its('stdout') { should include 'online' } + end + when '16.04' + describe systemd_service(postgres.service) do + it { should be_installed } + it { should be_running } + it { should be_enabled } + end + # Added for ubuntu 18.04 + when '18.04' + describe command('service mongod status') do + its('stdout') { should include 'active' } + end + describe command('systemctl list-unit-files | grep mongod.service') do + its('stdout') { should include 'enabled' } + end + end + when 'debian' + case os[:release] + when /7\./ + describe command('/etc/init.d/mongod status') do + its('stdout') { should include 'Running' } + end + end + when 'redhat', 'centos', 'oracle', 'fedora' + case os[:release] + when /6\./ + describe command('/etc/init.d/mongod-9.4 status') do + its('stdout') { should include 'running' } + end + when /7\./ + describe command('ps aux | awk /\'bin\/postgres\'/ | wc -l') do + its('stdout') { should include '1' } + end + end + end + end + +control "mongod-Operating-System-Hardening-2" do + title "Ensure that MongoDB uses a non-default port" + desc "Changing the default port used by MongoDB makes it harder for attackers to find the + database and target it." 
+ impact 1.0 + tag Vulnerability: 'Medium' + tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0' + tag Remedy:"Change the port for MongoDB server to a number other than 27017 ." + ref 'Default mongodb Port', url: 'https://docs.mongodb.com/v3.6/reference/default-mongodb-port/' + describe conf_file do + its(["net", "port"]) { should_not eq 27017 } + end +end + + diff --git a/controls/process.rb b/controls/process.rb index 65d947a..e8ecd07 100644 --- a/controls/process.rb +++ b/controls/process.rb @@ -1,10 +1,16 @@ title "Process Security" control "mongod-process-1" do - title "mongod runs as non-root" - desc "The MongoDB process should not run as the root user" + title "Ensure that MongoDB is run using a Least Privileges, dedicated service account i.e mongod" + desc "The MongoDB process should not run as the root user. We should follow Principle of least priviledge \n + When a daemon running as root is compromised, the attacker will have root access + The mitigation is to run the daemon as a non-root user who has the least amount of privilege it needs. + " impact 0.7 - + tag Vulnerability: 'Medium' + tag Remedy:"Create a service file and set user and group to mongodb" + tag Version: "CIS_MongoDB_3.6_Benchmark_v1.0.0" + ref 'Why daemon should not run as root', url: 'https://github.com/openbmc/openbmc/issues/3383' describe processes("mongod") do its("users") { should_not include "root" } end diff --git a/inspec.lock b/inspec.lock new file mode 100644 index 0000000..e687b9b --- /dev/null +++ b/inspec.lock @@ -0,0 +1,3 @@ +--- +lockfile_version: 1 +depends: [] diff --git a/inspec.yml b/inspec.yml index 2a23d87..58c703b 100644 --- a/inspec.yml +++ b/inspec.yml @@ -6,3 +6,9 @@ copyright_email: adamleff@chef.io license: Apache 2.0 summary: An InSpec Compliance Profile that checks many of the suggestions from the MongoDB Security Checklist. version: 0.1.0 +attributes: + - name: username + value: "useradmin" + - name: password + value: "passw0rd" +
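Review bot: mongod-Operating-System-Hardening-1 still contains PostgreSQL leftovers: the Ubuntu 16.04 branch calls `systemd_service(postgres.service)`, where `postgres` is undefined and raises a `NameError` when the profile loads on that release, the RHEL 6 branch checks `/etc/init.d/mongod-9.4`, and the RHEL 7 branch counts `bin/postgres` processes, so the control cannot pass on any of them. The 18.04 branch is wrong in the other direction — `should include 'active'` also matches the `inactive (dead)` that `service mongod status` prints for a stopped unit. In Hardening-2, `should_not eq 27017` passes when `net.port` is absent, although an absent key means mongod listens on the default 27017; assert presence first. The sketch below uses the `systemd_service` resource for the systemd releases and adds the presence expectation on the port.
```ruby
    when '16.04', '18.04', '20.04'
      describe systemd_service('mongod') do
        it { should be_installed }
        it { should be_enabled }
        it { should be_running }
      end
    end
  # … unchanged: debian branch …
  when 'redhat', 'centos', 'oracle', 'fedora'
    case os[:release]
    when /6\./
      describe command('/etc/init.d/mongod status') do
        its('stdout') { should include 'running' }
      end
    when /7\./
      describe systemd_service('mongod') do
        it { should be_enabled }
        it { should be_running }
      end
    end
  end
  # … unchanged: mongod-Operating-System-Hardening-2 header, desc, tags, ref …
  describe conf_file do
    its(["net", "port"]) { should_not be_nil }   # absent key means the default 27017
    its(["net", "port"]) { should_not eq 27017 }
  end
```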
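Review bot: mongod-process-1's new title says the dedicated account is `mongod` while its Remedy says to run as `mongodb`, and the file-ownership controls in this same change expect `mongodb`; pick one name. The assertion `its("users") { should_not include "root" }` is vacuously true when no mongod process exists, since an empty user list includes nothing, so add `its('list.length') { should be >= 1 }` ahead of it or state in a comment that liveness is left to the OS-hardening control. "priviledge" in the description is a typo, and the openbmc issue is an odd authority for a MongoDB profile; I believe the MongoDB security checklist itself has a "run with a dedicated user" item that would make a better ref.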
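Review bot: This hunk commits a working credential pair, `username: "useradmin"` / `password: "passw0rd"`, into the profile's `inspec.yml`, where it ships with every copy of the profile and remains in git history after removal; the password should be rotated and the values dropped. Keep the declarations without values so InSpec requires them from a gitignored `--attrs attrs.yml`: `- name: password` / `  required: true` / `  description: "Password for the admin user; supply via --attrs"`. I also cannot see where these two attribute names are consumed — the controls read `mongo_username` and `mongo_password` — so confirm they are wired through `attribute('username')` / `attribute('password')` somewhere above the visible hunks.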