add cleanup script, update pipeline

mitre · Sep 19, 2024 · 21eaca4 · 21eaca4
1 parent 17fb97c
commit 21eaca4
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 9 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -53,6 +53,14 @@ jobs:
         run: |
           packer build -var 'report={"report_to_heimdall":"${{ env.REPORT_TO_HEIMDALL }}","heimdall_url":"${{ env.HEIMDALL_URL }}","heimdall_api_key":"${{ env.HEIMDALL_API_KEY }}"}' -var 'attestation={"report_dir":"${{ env.REPORT_DIR }}","inspec_report_filename":"${{ env.INSPEC_REPORT_FILENAME }}","attestation_filename":"attestation.json","attested_inspec_filename":"${{ env.ATTESTED_INSPEC_FILE_NAME }}"}' mongo-validate.pkr.hcl
 
+      - name: Run Packer Validation
+        run: |
+          packer build \
+            -var 'report={"report_to_heimdall":"${{ env.REPORT_TO_HEIMDALL }}","heimdall_url":"${{ env.HEIMDALL_URL }}","heimdall_api_key":"${{ env.HEIMDALL_API_KEY }}"}' \
+            -var 'attestation={"report_dir":"${{ env.REPORT_DIR }}","inspec_report_filename":"${{ env.INSPEC_REPORT_FILENAME }}","attestation_filename":"attestation.json","attested_inspec_filename":"${{ env.ATTESTED_INSPEC_FILE_NAME }}"}' \
+            -var 'mongo={"container_name":"mongo-hardened","mongo_dba":"root","mongo_dba_password":"root","mongo_host":"localhost","mongo_port":"27017","ca_file":"/etc/ssl/CA_bundle.pem","certificate_key_file":"/etc/ssl/mongodb.pem","auth_mechanism":"SCRAM-SHA-256"}' \
+            mongo-validate.pkr.hcl
+
       - name: Get Docker Image Tag
         run: |
           if docker images | grep 'passed'; then

diff --git a/README.md b/README.md
@@ -145,19 +145,17 @@ mongo_superusers:
     ```
 
 12. **Cleanup Test Users and Roles**
-
       Once the hardened Mongo image is up and running, ensure you review and clean up any test users, roles, and databases that may have been created during the validation process.
 
+      - **Databases**:
+         - `products`
+
       - **Users**:
          - `test.myTester`
          - `products.myRoleTestUser`
 
       - **Roles**:
          - `products.myTestRole`
-         - `test.read`
-
-      - **Databases**:
-         - `products`
 
       For a full check of what could have been created, visit the [inspec repository](https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline/blob/main/inspec.yml) and review the users and roles listed there.
 

diff --git a/mongo-validate.pkr.hcl b/mongo-validate.pkr.hcl
@@ -37,7 +37,12 @@ variable "report" {
 
 variable "attestation" {
   type = map(string)
-  description = "Configuration for attesting inspec results"
+  description = "Configuration for attesting InSpec results"
+}
+
+variable "mongo" {
+  type = map(string)
+  description = "Configuration for connecting to MongoDB"
 }
 
 # Hardened docker container to be validated
@@ -97,7 +102,7 @@ build {
       "HEIMDALL_URL=${var.report.heimdall_url}",
       "HEIMDALL_API_KEY=${var.report.heimdall_api_key}"
     ]
-    scripts          = ["spec/scripts/report.sh"]
+    script          = "spec/scripts/report.sh"
   }
 
   ### VERIFY
@@ -109,6 +114,21 @@ build {
     ]
     valid_exit_codes = [0, 1] # the threshold checks return 1 if the thresholds aren't met
                               # this does not mean we want to halt the run 
-    scripts          = ["spec/scripts/verify_threshold.sh"]
+    script          = "spec/scripts/verify_threshold.sh"
   }
+
+  ### CLEANUP
+  provisioner "shell-local" {
+    environment_vars = [
+      "CONTAINER_NAME=${var.mongo.container_name}",
+      "MONGO_DBA=${var.mongo.mongo_dba}",
+      "MONGO_DBA_PASSWORD=${var.mongo.mongo_dba_password}",
+      "MONGO_HOST=${var.mongo.mongo_host}",
+      "MONGO_PORT=${var.mongo.mongo_port}",
+      "CA_FILE=${var.mongo.ca_file}",
+      "CERTIFICATE_KEY_FILE=${var.mongo.certificate_key_file}",
+      "AUTH_MECHANISM=${var.mongo.auth_mechanism}"
+    ]
+    script          = "spec/scripts/cleanup.sh"
+}
 }
diff --git a/spec/scripts/cleanup.sh b/spec/scripts/cleanup.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -u
+
+### Cleanup databases, users, and roles generated by the inspec profile ###
+echo "--- Cleaning up InSpec artifacts ---"
+
+DROP_TEST_USER_COMMAND="db.getSiblingDB('test').dropUser('myTester')"
+DROP_PRODUCTS_DB_COMMAND="db.getSiblingDB('products').dropDatabase()"
+
+echo "Dropping the 'myTester' user from the 'test' database:"
+docker exec $CONTAINER_NAME mongosh "mongodb://$MONGO_DBA:$MONGO_DBA_PASSWORD@$MONGO_HOST:$MONGO_PORT/?authMechanism=$AUTH_MECHANISM&tls=true&tlsCAFile=$CA_FILE&tlsCertificateKeyFile=$CERTIFICATE_KEY_FILE" --quiet --eval "$DROP_TEST_USER_COMMAND"
+
+echo "Dropping the 'products' database:"
+docker exec $CONTAINER_NAME mongosh "mongodb://$MONGO_DBA:$MONGO_DBA_PASSWORD@$MONGO_HOST:$MONGO_PORT/?authMechanism=$AUTH_MECHANISM&tls=true&tlsCAFile=$CA_FILE&tlsCertificateKeyFile=$CERTIFICATE_KEY_FILE" --quiet --eval "$DROP_PRODUCTS_DB_COMMAND"
diff --git a/spec/scripts/cleanup_manual.sh b/spec/scripts/cleanup_manual.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+### Manual script to cleanup databases, users, and roles generated by the inspec profile ###
+echo "--- Cleaning up InSpec artifacts ---"
+
+# Variables
+CONTAINER_NAME="mongo-hardened"
+MONGO_DBA="root"
+MONGO_DBA_PASSWORD="root"
+MONGO_HOST="localhost"
+MONGO_PORT="27017"
+CA_FILE="/etc/ssl/CA_bundle.pem"
+CERTIFICATE_KEY_FILE="/etc/ssl/mongodb.pem"
+AUTH_MECHANISM="SCRAM-SHA-256"
+
+# Commands
+DROP_TEST_USER_COMMAND="db.getSiblingDB('test').dropUser('myTester')"
+DROP_PRODUCTS_DB_COMMAND="db.getSiblingDB('products').dropDatabase()"
+
+echo "Dropping the 'myTester' user from the 'test' database:"
+docker exec -it $CONTAINER_NAME mongosh "mongodb://$MONGO_DBA:$MONGO_DBA_PASSWORD@$MONGO_HOST:$MONGO_PORT/?authMechanism=$AUTH_MECHANISM&tls=true&tlsCAFile=$CA_FILE&tlsCertificateKeyFile=$CERTIFICATE_KEY_FILE" --quiet --eval "$DROP_TEST_USER_COMMAND"
+
+echo "Dropping the 'products' database:"
+docker exec -it $CONTAINER_NAME mongosh "mongodb://$MONGO_DBA:$MONGO_DBA_PASSWORD@$MONGO_HOST:$MONGO_PORT/?authMechanism=$AUTH_MECHANISM&tls=true&tlsCAFile=$CA_FILE&tlsCertificateKeyFile=$CERTIFICATE_KEY_FILE" --quiet --eval "$DROP_PRODUCTS_DB_COMMAND"
diff --git a/variables_template.pkrvar.hcl b/variables_template.pkrvar.hcl
@@ -9,4 +9,15 @@ attestation = {
   "inspec_report_filename"      = "mongo_inspec_results.json",
   "attestation_filename"        = "attestation_template.json"
   "attested_inspec_filename"    = "mongo_inspec_results_attested.json"
-}
+}
+
+mongo = {
+  "container_name"         = "mongo-hardened"
+  "mongo_dba"              = "root"
+  "mongo_dba_password"     = "root"
+  "mongo_host"             = "localhost"
+  "mongo_port"             = "27017"
+  "ca_file"                = "/etc/ssl/CA_bundle.pem"
+  "certificate_key_file"   = "/etc/ssl/mongodb.pem"
+  "auth_mechanism"         = "SCRAM-SHA-256"
+}