updated playbook and inspec

mitre · Feb 21, 2024 · 04832d6 · 04832d6
1 parent cd733cf
commit 04832d6
Show file tree

Hide file tree

Showing 8 changed files with 104 additions and 40 deletions.
diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -9,5 +9,11 @@ mongo_group: root
 mongod_config_path: "/etc/mongod.conf"
 mongo_audit_directory_path: "/var/log/mongodb/audit"
 mongo_audit_file_path: "/var/log/mongodb/audit/auditlog.bson"
-certificate_key_path: "/etc/ssl/mongodb.pem"
-ca_file_path: "/etc/ssl/caToValidateClientCertificates.pem"
+certificate_key_file_path: "/etc/ssl/mongodb.pem"
+ca_file_path: "/etc/ssl/caToValidateClientCertificates.pem"
+data_file_directory_path: "/var/lib/mongo"
+max_incoming_connections: 800000
+KMIP_server_host_name: ""
+KMIP_server_port: ""
+KMIP_server_ca_file: ""
+KMIP_client_certificate_file: ""
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -7,7 +7,7 @@
 #     - key: net.tls.mode
 #       value: requireTLS
 #     - key: net.tls.certificateKeyFile
-#       value: "{{ certificate_key_path }}"
+#       value: "{{ certificate_key_file_path }}"
 #     - key: net.tls.CAFile
 #       value: "{{ ca_file_path }}"
 #     - key: net.tls.allowInvalidCertificates
@@ -103,13 +103,13 @@
     - high
     - SV-252159
 
-##### check text conflict with 252136?
+##### FILES DONT EXIST check text conflict with 252136? 
 # - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
 #   ansible.builtin.shell: |
-#       chown {{ mongo_user }}:{{ mongo_user }} /etc/ssl/mongodb.pem
-#       chmod 600 /etc/ssl/mongodb.pem
-#       chown {{ mongo_user }}:{{ mongo_user }} /etc/ssl/caToValidateClientCertificates.pem
-#       chmod 600 /etc/ssl/caToValidateClientCertificates.pem
+#       chown {{ mongo_user }}:{{ mongo_user }} {{ certificate_key_file_path }}
+#       chmod 600 {{ certificate_key_file_path }}
+#       chown {{ mongo_user }}:{{ mongo_user }} {{ ca_file_path }}
+#       chmod 600 {{ ca_file_path }}
 #   ignore_errors: true
 #   tags:
 #     - cat1

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -17,16 +17,17 @@
     - SV-252134
     - enterprise
 
-- name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
-  ansible.builtin.shell: |
-      chown {{ mongo_user }} {{ mongo_audit_directory_path }}
-      chgrp {{ mongo_user }} {{ mongo_audit_directory_path }}
-      chmod 700 {{ mongo_audit_directory_path }}
-  ignore_errors: true
-  tags:
-    - cat2
-    - medium
-    - SV-252135
+##### FILES DONT EXIST
+# - name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
+#   ansible.builtin.shell: |
+#       chown {{ mongo_user }} {{ mongo_audit_directory_path }}
+#       chgrp {{ mongo_user }} {{ mongo_audit_directory_path }}
+#       chmod 700 {{ mongo_audit_directory_path }}
+#   ignore_errors: true
+#   tags:
+#     - cat2
+#     - medium
+#     - SV-252135
 
 ##### DONE BUT DOESNT WONT RUN CUZ PERMISSIONS ERROR???, maybe it requires the user to be mongod
 # - name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
@@ -68,6 +69,7 @@
     - medium
     - SV-252138
 
+##### MANUAL??? https://github.com/mitre/crunchy-data-postgresql-stig-baseline/blob/ebc58258ba175cb1d3859fd8039e05b5b3493dda/controls/V-233524.rb#L4
 # - name: "MEDIUM | SV-252140 | MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users)."
 #   command: true
 #   ignore_errors: true
@@ -77,25 +79,26 @@
 #     - SV-252140
 
 ##### DOES NOT EXIST IN MONGO 6+
-##### need to add check text and if else statement
 # - name: "MEDIUM | SV-252141 | MongoDB must fail to a secure state if system initialization fails, shutdown fails, or aborts fail."
-#   blockinfile:
-#     path: "{{ mongod_config_path }}"
-#     marker: "#Rule ID SV-252141"
-#     prepend_newline: true
-#     insertafter: "^storage:"
-#     block: |
-#       #
-#         journal:
-#           enabled: true
+#   yedit:
+#     src: "{{ mongod_config_path }}"
+#     key: storage.journale.enabled
+#     state: true
 #   ignore_errors: true
 #   tags:
 #     - cat2
 #     - medium
 #     - SV-252141
 
+##### UNTESTED, FILES DONT EXIST
 # - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
-#   command: true
+#   ansible.builtin.shell: |
+#       chown {{ mongo_user }}:{{ mongo_user }} {{ mongod_config_path }}
+#       chmod 600 {{ mongod_config_path }}
+#       chown -R mongod:mongod {{ data_file_directory_path }}
+#       chmod 755 {{ data_file_directory_path }}
+#       find {{ data_file_directory_path }}/* -type f | xargs  chmod 600
+#       find {{ data_file_directory_path }}/* -type d | xargs  chmod 700
 #   ignore_errors: true
 #   tags:
 #     - cat2
@@ -113,6 +116,7 @@
     - medium
     - SV-252143
 
+##### MANUAL
 # - name: "MEDIUM | SV-252144 | MongoDB must associate organization-defined types of security labels having organization-defined security label values with information in storage and transmission."
 #   command: true
 #   ignore_errors: true
@@ -121,31 +125,53 @@
 #     - medium
 #     - SV-252144
 
+##### same ansible as 252149
 # - name: "MEDIUM | SV-252145 | MongoDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects."
-#   command: true
+#   yedit:
+#       src: "{{ mongod_config_path }}"
+#       key: security.authorization
+#       value: enabled
 #   ignore_errors: true
 #   tags:
 #     - cat2
 #     - medium
 #     - SV-252145
 
+##### ENTERPRISE, Added a PII tag, this only needs to be run if there will be PII in the db
 # - name: "MEDIUM | SV-252147 | MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components."
-#   mongo enterprise only
-#   command: true
+#   yedit:
+#     src: "{{ mongod_config_path }}"
+#     edits:
+#     - key: security.enableEncryption
+#       value: true
+#     - key: kmip.serverName
+#       value: "{{ KMIP_server_host_name }}"
+#     - key: kmip.port
+#       value: "{{ KMIP_server_port }}"
+#     - key: kimp.ServerCAFile
+#       value: "{{ KMIP_server_ca_file }}"
+#     - key: kmip.clientCertificationFile
+#       value: "{{ KMIP_client_certificate_file }}"
 #   ignore_errors: true
 #   tags:
 #     - cat2
 #     - medium
 #     - SV-252147
+#     - enterprise
+#     - pii
 
-# - name: "MEDIUM | SV-252148 | MongoDB must limit the total number of concurrent connections to the database."
-#   command: true
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252148
+- name: "MEDIUM | SV-252148 | MongoDB must limit the total number of concurrent connections to the database."
+  yedit:
+      src: "{{ mongod_config_path }}"
+      key: net.maxIncomingConnections
+      value: "{{ max_incoming_connections }}"
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252148
 
+##### MANUAL
 # - name: "MEDIUM | SV-252151 | MongoDB must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to MongoDB."
 #   command: true
 #   ignore_errors: true
@@ -154,6 +180,7 @@
 #     - medium
 #     - SV-252151
 
+##### MANUAL
 # - name: "MEDIUM | SV-252153 | Database software, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications."
 #   command: true
 #   ignore_errors: true
@@ -178,6 +205,7 @@
 #     - medium
 #     - SV-252155
 
+##### THIS IS LITERALLY JUST 252137 and 252138
 # - name: "MEDIUM | SV-252156 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
 #   command: true
 #   ignore_errors: true
@@ -186,8 +214,12 @@
 #     - medium
 #     - SV-252156
 
+##### IS THIS ALSO NOT 252149 and 252145 BUT WITH A MANUAL CHECK???
 # - name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)."
-#   command: true
+#   yedit:
+#       src: "{{ mongod_config_path }}"
+#       key: security.authorization
+#       value: enabled
 #   ignore_errors: true
 #   tags:
 #     - cat2

diff --git a/spec/mongo-inspec-profile/controls/SV-252144.rb b/spec/mongo-inspec-profile/controls/SV-252144.rb
@@ -122,4 +122,13 @@
   tag 'documentable'
   tag cci: ['CCI-002262', 'CCI-002263', 'CCI-002264']
   tag nist: ['AC-16 a', 'AC-16 a', 'AC-16 a']
+
+
+  #not sure what goes here for this one
+  describe 'Review the organizational or site-specific security labeling documentation to understand how documents in specific MongoDB collection(s) must be marked.
+  This marking process should be applied as data is entered into the database.' do
+    skip 'If security labeling is not required, this is not a finding.
+    If security labeling is required, then there must be organizational or site-specific documentation on what the security labeling policy is and guidance on how and where to apply it.'
+  end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252145.rb b/spec/mongo-inspec-profile/controls/SV-252145.rb
@@ -54,4 +54,9 @@
   tag 'documentable'
   tag cci: ['CCI-002165', 'CCI-002235']
   tag nist: ['AC-3 (4)', 'AC-6 (10)']
+
+  describe yaml('/etc/mongod.conf') do
+        its(['security','authorization']){should eq "enabled"}
+    end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252146.rb b/spec/mongo-inspec-profile/controls/SV-252146.rb
@@ -57,4 +57,5 @@
   describe yaml('/etc/mongod.conf') do
         its(['net','tls','FIPSMode']){should eq true}
     end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252151.rb b/spec/mongo-inspec-profile/controls/SV-252151.rb
@@ -27,4 +27,10 @@
   tag 'documentable'
   tag cci: ['CCI-001499']
   tag nist: ['CM-5 (6)']
+
+  describe 'Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files occurs.' do
+    skip 'Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files.
+    If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement.'
+  end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252153.rb b/spec/mongo-inspec-profile/controls/SV-252153.rb
@@ -42,4 +42,9 @@
   tag 'documentable'
   tag cci: ['CCI-001499']
   tag nist: ['CM-5 (6)']
+
+  describe 'Check if any non-MongoDB application, non-MongoDB data, or non-MongoDB directories exists under any of the MongoDB created directories or sub-directories.' do
+    skip 'If any non-MongoDB application, non-MongoDB data, or non-MongoDB directories exists under the MongoDB-created directories, this is a finding.'
+  end
+
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -57,4 +57,5 @@ @@
       describe yaml('/etc/mongod.conf') do
             its(['net','tls','FIPSMode']){should eq true}
         end
     end