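# InSpec profile metadata and run-time inputs for the MongoDB Enterprise
# Advanced 4.x STIG baseline. The `# SV-...` comment above each input lists the
# STIG controls that consume it. Inputs without a `value:` have no default and
# must be supplied at run time (input file or `--input`); keep any input file
# that holds credentials out of version control.
name: mongodb-enterprise-advanced-4-stig-baseline
title: mongodb-enterprise-advanced-4-stig-baseline
maintainer: MITRE SAF Team
copyright: MITRE, 2024
copyright_email: saf@groups.mitre.org
license: Apache-2.0
summary: "Inspec validation profile for MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide :: Version 1, Release: 2 Benchmark Date: 27 Oct 2022"
version: 1.0.0
supports: []
depends: []
inspec_version: ">=6.0"
inputs:
# SV-252134, SV-252135, SV-252136, SV-252137, SV-252138, SV-252139, SV-252141, SV-252142,
# SV-252143, SV-252145, SV-252146, SV-252147, SV-252148, SV-252149, SV-252156, SV-252157,
# SV-252159, SV-252160, SV-252164, SV-252167, SV-252168, SV-252169, SV-252171, SV-252179,
# SV-252180
- name: mongod_config_path
  description: "The path to the mongod configuration file"
  type: string
  value: "/etc/mongod.conf"
  required: true
# SV-252135, SV-252136, SV-252142, SV-252160
# NOTE(review): the default is `root`. Running mongod as root means a database
# compromise is a host compromise; production installs normally run it as a
# dedicated service account (the package default is `mongod`). The controls
# listed above compare ownership against this value, so set it to the account
# mongod actually runs as rather than accepting the default.
- name: mongo_owner
  description: "The system user of the mongod process"
  type: string
  value: "root"
  required: true
  sensitive: true
# SV-252135, SV-252136, SV-252142, SV-252160
# Same caveat as mongo_owner: set to the real service group, not `root`.
- name: mongo_group
  description: "The system group of the mongod process"
  type: string
  value: "root"
  required: true
  sensitive: true
# SV-252140, SV-252141, SV-252146, SV-252154, SV-252155, SV-252157, SV-252159, SV-252163,
# SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176, SV-252182
# No default on purpose: the account used to run the database-side checks.
- name: mongo_dba
  description: "The mongo DBA user to access the test database"
  type: string
  required: true
  sensitive: true
# SV-252140, SV-252141, SV-252146, SV-252154, SV-252155, SV-252157, SV-252159, SV-252163,
# SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176, SV-252182
# No default on purpose. Supply at run time (`--input mongo_dba_password=...`
# or an input file outside VCS); `sensitive: true` asks InSpec to redact the
# value in its output.
- name: mongo_dba_password
  description: "The password for the mongo DBA user"
  type: string
  required: true
  sensitive: true
# SV-252140, SV-252141, SV-252146, SV-252154, SV-252155, SV-252157, SV-252159, SV-252163,
# SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176, SV-252182
- name: mongo_host
  description: "The hostname or IP address used to connect to the database"
  type: string
  required: true
  sensitive: true
# SV-252140, SV-252141, SV-252146, SV-252154, SV-252155, SV-252157, SV-252159, SV-252163,
# SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176, SV-252182
- name: mongo_port
  description: "The port used to connect to the database"
  type: numeric
  required: true
  sensitive: true
# SV-252140,SV-252154, SV-252155, SV-252157, SV-252163, SV-252174
- name: mongo_auth_source
  description: "The database used to authorize users"
  type: string
  required: true
  sensitive: true
# SV-252134, SV-252171
# A MongoDB query document passed through as a string. Keep the double quotes:
# the embedded `\"` escapes are what let the inner quotes survive YAML parsing.
- name: mongo_filter
  description: "The filter used in authLog"
  type: string
  value: "{ atype: { $in: [ \"createCollection\", \"dropCollection\" ] } }"
  required: true
  sensitive: true
# SV-252139, SV-252140, SV-252141, SV-252146, SV-252147, SV-252154, SV-252155, SV-252157,
# SV-252159, SV-252160, SV-252163, SV-252165, SV-252167, SV-252168, SV-252169, SV-252174,
# SV-252175, SV-252176, SV-252179, SV-252180, SV-252182
# No default: CA bundle used by the profile's own database connection
# (presumably distinct from ca_file_dest, which is the on-server path — confirm
# against the controls).
- name: ca_file
  description: "The path to the CA file"
  type: string
  required: true
  sensitive: true
# SV-252139, SV-252140, SV-252141, SV-252146, SV-252147, SV-252154, SV-252155, SV-252157,
# SV-252159, SV-252160, SV-252163, SV-252165, SV-252167, SV-252168, SV-252169, SV-252174,
# SV-252175, SV-252176, SV-252179, SV-252180, SV-252182
# No default: client certificate/key (PEM) used by the profile's own
# connection. This file contains a private key — do not commit it.
- name: certificate_key_file
  description: "The path to the certificate key file"
  type: string
  required: true
  sensitive: true
# SV-252140, SV-252154, SV-252155, SV-252157, SV-252163, SV-252174
# NOTE(review): the default is a placeholder, not an authorized list. Override
# with the organization's approved superuser accounts; leaving the default
# means the account-review controls above would treat `admin.root` as
# authorized and anything else as unexpected (or vice versa).
- name: mongo_superusers
  description: "Authorized superuser accounts"
  type: array
  value:
    - "admin.root"
  required: true
  sensitive: true
# SV-252155, SV-252157
# NOTE(review): the defaults are test-fixture names, not an authorized list.
# Override with the organization-approved accounts before relying on results.
- name: mongo_users
  description: "Authorized user accounts in the format of database.user"
  type: array
  value:
    - "test.myTester"
    - "products.myRoleTestUser"
  required: true
  sensitive: true
# SV-252155
# NOTE(review): same as mongo_users — placeholder roles, override them.
- name: mongo_roles
  description: "Authorized roles for MongoDB in the format of database.role"
  type: array
  value:
    - "admin.root"
    - "products.myTestRole"
    - "test.read"
  required: true
  sensitive: true
# SV-252140, SV-252163, SV-252174
# Privilege actions that no role should carry. The default names only two
# actions; extend it with whatever the organization's policy forbids.
- name: inappropriate_mongo_privileges
  description: "Inappropriate privileges for all roles in MongoDB"
  type: array
  value:
    - "changeStream"
    - "createCollection"
  required: true
  sensitive: true
# SV-252135, SV-252136, SV-252142, SV-252160
# Owner read/write only. Keep the value quoted: an unquoted 0600 is read by
# YAML 1.1 parsers as the octal integer 384, not the mode string.
- name: mongo_permissions
  description: "File and directory permissions that should be granted to mongo"
  type: string
  value: "0600"
  required: true
# SV-252135
- name: mongo_audit_directory_path
  description: "The path to the mongo audit directory"
  type: string
  value: "/var/log/mongodb/audit/"
  required: true
# SV-252134, SV-252135, SV-252171
# Must match the audit destination configured for mongod (TODO confirm against
# `auditLog.path` in mongod_config_path); a mismatch makes the audit-log
# controls inspect the wrong file.
- name: mongo_audit_file_path
  description: "The path to the mongo audit file"
  type: string
  value: "/var/log/mongodb/audit/auditLog.bson"
  required: true
# SV-252139, SV-252160, SV-252179, SV-252180
# On-server location of the server certificate/key PEM whose ownership and
# permissions are checked (see mongo_owner, mongo_group, mongo_permissions).
- name: certificate_key_file_dest
  description: "The path to the mongo certificate key"
  type: string
  value: "/etc/ssl/mongodb.pem"
  required: true
# SV-252139, SV-252160, SV-252179, SV-252180
# On-server location of the CA bundle mongod trusts.
- name: ca_file_dest
  description: "The path to the mongo CA file"
  type: string
  value: "/etc/ssl/CA_bundle.pem"
  required: true
# SV-252142
- name: data_file_directory_path
  description: "The path to the mongo data file directory"
  type: string
  value: "/data/db/"
  required: true
# SV-252147, SV-252165
# Defaults to false, which presumably makes the encryption-at-rest controls
# above not applicable. Set true whenever the database holds PII, classified,
# or otherwise sensitive data so those controls are actually evaluated.
- name: encryption_at_rest
  description: "If any data is PII, classified or is deemed by the organization the need to be encrypted at rest"
  type: boolean
  value: false
  required: true
# SV-252149, SV-252157
# Set true when authentication/authorization is delegated to LDAP so the
# LDAP-specific checks run against the real configuration.
- name: ldap_enabled
  description: "LDAP is used for authentication and authorization"
  type: boolean
  value: false
  required: true
# SV-252141, SV-252182
# NOTE(review): the default 7.0.12 does not match the 4.x product this profile
# is named for. Set this to the installed version (`mongod --version`) rather
# than relying on the default; the description previously said "edition",
# which is a copy of mongo_edition's text.
- name: mongo_version
  description: "The version of MongoDB in use"
  type: string
  value: "7.0.12"
  required: true
# SV-252182
# The STIG this profile implements is written for MongoDB Enterprise Advanced;
# the value should name the Enterprise package, not Community Server.
- name: mongo_edition
  description: "The edition of MongoDB in use"
  type: string
  value: mongodb-enterprise-server
  required: true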