Added checks

controls/access_control.rb

@@ -7,8 +7,14 @@
 
 control "mongod-auth-1" do
   title "Authentication is enabled"
-  desc "Authentication should be required for any interaction with mongod"
+  desc "Authentication should be enabled and required for any interaction with mongod.
+        It ensures that all clients, users, servers are required to authenticate before being
+        granted access to the MongoDB database."
   impact 1.0
+  tag Vulnerability: 'Critical'
+  tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+  tag Remedy:"Open mongod.conf and change for authorization value to enabled"
+  ref 'Mongodb Authentication', url: 'https://docs.mongodb.com/v3.6/core/authentication/'
 
   describe yaml(mongo_conf_file) do
     its(["security", "authorization"]) { should cmp "enabled" }
@@ -24,32 +30,35 @@
     its("stdout") { should include "Error: not authorized"}
   end
 
-  only_if do
-    !mongo_username.nil?
-  end
+  # only_if do
+  #   !mongo_username.nil?
+  # end
 end
 
-control "mongod-auth-3" do
-  title "Multiple user accounts exist"
-  desc "A single administrator user should be created, and then
-    individual accounts should be created for each specific use
-    of MongoDB. Therefore, there should be at least two users
-    created."
-  impact 0.7
+# These checks are not accurate and also they are being executed on 127.0.0.1 bind address,
+# Host part is required to add 
 
-  describe mongo_command("db.getUsers()", username: mongo_username, password: mongo_password, verify_ssl: mongo_verify_ssl) do
-    its("params.length") { should be >= 2 }
-  end
-end
+# control "mongod-auth-3" do
+#   title "Multiple user accounts exist"
+#   desc "A single administrator user should be created, and then
+#     individual accounts should be created for each specific use
+#     of MongoDB. Therefore, there should be at least two users
+#     created."
+#   impact 0.7
 
-control "mongod-auth-4" do
-  title "Roles are used"
-  desc "Role-based access control should be used. Therefore, at
-    least 1 role should be created."
-  impact 0.7
+#   describe mongo_command("db.getUsers()", username: mongo_username, password: mongo_password, host: "18.222.239.69" ,verify_ssl: mongo_verify_ssl) do
+#     its("params.length") { should be >= 2 }
+#   end
+# end
 
-  describe mongo_command("db.getRoles()", username: mongo_username, password: mongo_password, verify_ssl: mongo_verify_ssl) do
-    its("params.length") { should be >= 1 }
-  end
-end
+# control "mongod-auth-4" do
+#   title "Roles are used"
+#   desc "Role-based access control should be used. Therefore, at
+#     least 1 role should be created."
+#   impact 0.7
+
+#   describe mongo_command("db.getRoles()", username: mongo_username, password: mongo_password, verify_ssl: mongo_verify_ssl) do
+#     its("params.length") { should be >= 1 }
+#   end
+# end
 

controls/fileandDirectories.rb

@@ -0,0 +1,61 @@
+mongo_directory  = attribute('mongodbPath', default: '/var/lib/mongodb', description: 'Path to the mongodb directory where database file are saved')
+mongo_conf_file  = attribute('conf_file', default: '/etc/mongod.conf', description: 'Path to the mongod.conf file')
+
+
+control "mongod-file-Directories-1" do
+    title "Ensure that database file owner and group are set correctly"
+    desc "Mongodb Path is a directory where all databases related files are stored in different format.
+          The owner and group should be mongod"
+    impact 1.0
+    tag Vulnerability: 'High'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    tag Remedy:"Set ownership of the database file to mongodb user using
+                the following commands: sudo chown mongodb:mongodb /var/lib/mongodb"
+    ref 'MongodB dbPath', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#storage.dbPath'
+    describe file(mongo_directory) do
+        it { should be_directory }
+        its('group') { should eq 'mongodb' }
+        its('owner') { should eq 'mongodb' }
+      end
+    end
+
+control "mongod-file-Directories-2" do
+    title "Ensure that database file permission are set correctly"
+    desc "Mongodb Path is a directory where all databases related files are stored in different format.
+          The mode of this directory should be 770. It should not be readble,executable and writeable by others."
+    impact 1.0
+    tag Vulnerability: 'High'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    tag Remedy:"Remove other permissions using
+                the following commands: chmod 770 /var/lib/mongodb"
+    ref 'MongodB dbPath', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#storage.dbPath'
+    describe file(mongo_directory) do
+        its('mode') { should cmp '0770' }
+        it { should be_readable.by('owner') }
+        it { should  be_readable.by('group') }
+        it { should_not be_readable.by('other') }
+        it { should be_writable.by('owner') }
+        it { should_not be_writable.by('other') }
+        it { should be_executable.by('owner') }
+        it { should be_executable.by('group') }
+        it { should_not be_executable.by('other') }
+      end
+    end
+
+control "mongod-file-Directories-3" do
+    title "Ensure that configuration file owner is root and it is not  writable by others"
+    desc "mongodB configuration file are very important and if other has permission to write this file then anyone will be 
+          able to change the state of mongodB"
+    impact 1.0
+    tag Vulnerability: 'High'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    tag Remedy:"Set ownership of the configuration file to root user and remove other write permissions using
+                the following commands: chmod 640 /var/lib/mongodb"
+    describe file(mongo_conf_file) do
+        its('mode') { should cmp '0644' }
+        its('group') { should eq 'root' }
+        its('owner') { should eq 'root' }
+        it { should_not be_writable.by('other') }
+        it { should_not be_writable.by('group') }
+      end
+    end

controls/installation.rb

@@ -0,0 +1,22 @@
+control "mongod-installation-1" do
+    title "Latest version of mongodB is installed or not"
+    desc "Using the most recent MongoDB software version along with all applicable patches, helps \n
+          limit the possibilities for vulnerabilities in the software. The installation version \n
+          patches applied should be selected according to the needs of the organization."
+    impact 1.0
+    tag Vulnerability: 'Medium'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    tag Remedy:"1. Backup the data set.\n
+                2. Download the binaries for the latest MongoDB revision from the MongoDB Download Page and store \n
+                   the binaries in a temporary location. The binaries download as compressed files that extract to the directory structure used by the
+                   MongoDB installation.
+                3. Shutdown the MongoDB instance.
+                4. Replace the existing MongoDB binaries with the downloaded binaries.
+                5. Restart the MongoDB instance"
+    ref 'MongodB upgrade to Newer Version', url: 'https://docs.mongodb.com/manual/tutorial/upgrade-revision/'
+    describe command('mongod --version') do
+        its('stdout') { should match(/db version v4.4.?/)  }
+
+      end
+    end
+

controls/logging.rb

@@ -0,0 +1,66 @@
+mongo_conf_file  = attribute('conf_file', default: '/etc/mongod.conf', description: 'Path to the mongod.conf file')
+conf_file = yaml(mongo_conf_file)
+
+control "mongod-logging-1" do
+    title "Ensure that system activity is audited"
+    desc "MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, \n
+          connection events) on a MongoDB instance. These logging enable to track incident happend"
+    impact 1.0
+    tag Vulnerability: 'High'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    tag Remedy:"Set the destinations based on the organization’s requirements.
+                mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
+                or you change configuration file and add destination and path of Log"
+    ref 'MongodB configure Auditing', url: 'https://docs.mongodb.com/v3.6/tutorial/configure-auditing/'
+    describe conf_file do
+        its(["systemLog", "destination"]) { should  match(/syslog|file/) }
+        its(["systemLog", "destination"]) { should_not  eq "console" }
+        end
+    end
+
+control "mongod-logging-2" do
+    title "Ensure that new entries are appended to the end of the log file"
+    desc "By default, new log entries will overwrite old entries after a restart of the mongod or mongos service.\n
+         Enabling the systemLog.logAppend setting causes new entries to be appended to the end of the log file rather \n
+         than overwriting the existing content of the log when the mongod or mongos instance restarts."
+    impact 1.0
+    tag Vulnerability: 'High'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    tag Remedy:"Set systemLog.logAppend to true in the /etc/mongod.conf file."
+    ref 'MongodB configuration Log Append', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.logAppend'
+    describe conf_file do
+        its(["systemLog", "logAppend"]) { should  eq true }
+        end
+    end
+
+control "mongod-logging-3" do
+    title "Ensure that logging captures as much information as possible"
+    desc "Ensure that logging captures as much information such as connection events, authentication events, replication sync activities
+          evidence of some potentially impactful commands being run (eg: drop , dropIndexes , validate )"
+    impact 1.0
+    tag Vulnerability: 'High'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    tag Remedy:"Set SystemLog.quiet to false in the /etc/mongod.conf file to disable it."
+    ref 'MongodB configuration systemlog quiet', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.quiet'
+    describe conf_file do
+        its(["systemLog", "quiet"]) { should  eq false }
+        end
+    end
+
+control "mongod-logging-4" do
+    title "Ensure that audit filters are configured properly"
+    desc "When enabled, the audit facility, by default, records all auditable operations as detailed in Audit Event Actions,
+          Details, and Results. To specify which events to record, the audit feature includes the -- auditFilter option"
+    impact 1.0
+    tag Vulnerability: 'Low'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    tag Remedy:"Set SystemLog.quiet to false in the /etc/mongod.conf file to disable it."
+    ref 'MongodB configuration systemlog quiet', url: 'https://docs.mongodb.com/v3.6/reference/configuration-options/#systemLog.quiet'
+    describe conf_file do
+        its(["auditLog", "destination"]) { should  match(/syslog|file/) }
+        its(["auditLog", "filter"]) { should  match(/\*/) }
+
+        end
+    end
+
+

controls/network_and_communication.rb

@@ -6,33 +6,46 @@
 conf_file = yaml(mongo_conf_file)
 
 control "mongod-network-1" do
-  title "SSL is enabled"
-  desc "Enabling SSL ensures communication to mongod is secure"
+  title "Ensure Encryption of Data in Transit TLS/SSL"
+  desc "Use TLS or SSL to protect all incoming and outgoing connections. This should include using
+        TLS or SSL to encrypt communication between the mongod and mongos components of a
+        MongoDB client as well as between all applications and MongoDB."
   impact 0.6
+  tag Vulnerability: 'Medium'
+  tag Remedy: "ssl:
+                mode: requireSSL
+                PEMKeyFile: /etc/ssl/mongodb.pem"
+  ref 'SSL Encryption', url: 'https://docs.mongodb.com/v3.6/core/security-transport-encryption/'
 
   describe conf_file do
     its(["net", "ssl", "mode"]) { should eq "requireSSL" }
     its(["net", "ssl", "PEMKeyFile"]) { should_not be_nil }
   end
 end
 
-control "mongod-network-2" do
-  title "HTTP-based interfaces are disabled"
-  desc "MongoDB recommends all HTTP-based interfaces are disabled in production to avoid data leakage."
+# control "mongod-network-2" do
+#   title "HTTP-based interfaces are disabled"
+#   desc "MongoDB recommends all HTTP-based interfaces are disabled in production to avoid data leakage."
+#   tag Vulnerability: 'Low'
+#   tag Version: 'Extra Check'
+#   ref 'Mongod Realm Service', url: 'https://docs.mongodb.com/realm/services/http/'
 
-  describe conf_file do
-    its(["net", "http", "enabled"]) { should eq false }
-    its(["net", "http", "JSONPEnabled"]) { should eq false }
-    its(["net", "http", "RESTInterfaceEnabled"]) { should eq false }
-  end
-end
+#   describe conf_file do
+#     its(["net", "http", "enabled"]) { should eq false }
+#     its(["net", "http", "JSONPEnabled"]) { should eq false }
+#     its(["net", "http", "RESTInterfaceEnabled"]) { should eq false }
+#   end
+# end
 
 control "mongod-network-3" do
   title "Bind to localhost"
   desc "
     Whenever possible, do not expose MongoDB instances to publicly-accessible interfaces.
     If having MongoDB be accessible to other machines, skip this control.
   "
+  tag Vulnerability: 'Medium'
+  tag Remedy:"Create a service file and set user and group to mongodb"
+  ref 'Why daemon should not run as root', url: 'https://github.com/openbmc/openbmc/issues/3383'
   impact 0.1
 
   describe conf_file do
@@ -42,10 +55,32 @@
 
 control "mongod-network-4" do
   title "Wirechecking payload is enabled"
-  desc "mongod should validate all requests on receipt to prevent clients inserting malformed data"
+  desc "mongod should validate all requests on receipt to prevent clients inserting malformed data.Setting Wirechecking paylod to true\n
+        It validates all requests from clients upon receipt to prevent clients from inserting malformed or invalid BSON into a MongoDB database."
   impact 0.1
+  tag Vulnerability: 'Low'
+  tag Version: 'Extra checks'
+  ref 'See  Wirechecking Section', url: 'https://docs.mongodb.com/manual/reference/configuration-options/#net-options'
 
   describe conf_file do
     its(["net", "wireObjectCheck"]) { should eq true }
   end
 end
+
+control "mongod-network-5" do
+  title "Ensure Federal Information Processing Standard"
+  desc "The Federal Information Processing Standard (FIPS) is a computer security standard used
+        to certify software modules and libraries that encrypt and decrypt data securely. You can
+        configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL."
+  impact 0.1
+  tag Vulnerability: 'Medium'
+  tag Remedy:"Add in configuration file
+              net:
+                ssl:
+                FIPSMode: true"
+  ref 'MongodB Configure FIPS', url: 'https://docs.mongodb.com/v3.6/tutorial/configure-fips/'
+
+  describe conf_file do
+    its(["net", "ssl","FIPSMode"]) { should eq true }
+  end
+end

controls/operatingSystem.rb

@@ -0,0 +1,71 @@
+mongo_conf_file  = attribute('conf_file', default: '/etc/mongod.conf', description: 'Path to the mongod.conf file')
+conf_file = yaml(mongo_conf_file)
+
+control 'mongod-Operating-System-Hardening-1' do
+    impact 1.0
+    title 'mongod should be running and enabled'
+    desc 'mongod should be running and enabled. When system restarts apruptly mongod should be started and loaded automatically'
+    tag Vulnerability: 'High'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    case os[:name]
+    when 'ubuntu'
+      case os[:release]
+      when '12.04'
+        describe command('/etc/init.d/mongod status') do
+          its('stdout') { should include 'online' }
+        end
+      when '14.04'
+        describe command('service mongod status') do
+          its('stdout') { should include 'online' }
+        end
+      when '16.04'
+        describe systemd_service(postgres.service) do
+          it { should be_installed }
+          it { should be_running }
+          it { should be_enabled }
+        end
+      # Added for ubuntu 18.04 
+      when '18.04'
+        describe command('service mongod status') do
+          its('stdout') { should include 'active' }
+        end
+        describe command('systemctl list-unit-files | grep mongod.service') do
+          its('stdout') { should include 'enabled' }
+        end
+      end
+    when 'debian'
+      case os[:release]
+      when /7\./
+        describe command('/etc/init.d/mongod status') do
+          its('stdout') { should include 'Running' }
+        end
+      end
+    when 'redhat', 'centos', 'oracle', 'fedora'
+      case os[:release]
+      when /6\./
+        describe command('/etc/init.d/mongod-9.4 status') do
+          its('stdout') { should include 'running' }
+        end
+      when /7\./
+        describe command('ps aux | awk /\'bin\/postgres\'/ | wc -l') do
+          its('stdout') { should include '1' }
+        end
+      end
+    end
+  end
+
+control "mongod-Operating-System-Hardening-2" do
+    title "Ensure that MongoDB uses a non-default port"
+    desc "Changing the default port used by MongoDB makes it harder for attackers to find the
+          database and target it."
+    impact 1.0
+    tag Vulnerability: 'Medium'
+    tag Version: 'CIS_MongoDB_3.6_Benchmark_v1.0.0'
+    tag Remedy:"Change the port for MongoDB server to a number other than 27017 ."
+    ref 'Default mongodb Port', url: 'https://docs.mongodb.com/v3.6/reference/default-mongodb-port/'
+    describe conf_file do
+    its(["net", "port"]) { should_not eq 27017 }
+    end
+end
+
+