From 04832d62c21b8c109ef8ec56524800f85851beca Mon Sep 17 00:00:00 2001
From: seanlongcc
Date: Wed, 21 Feb 2024 16:51:10 -0500
Subject: [PATCH] updated playbook and inspec
---
 .../roles/mongo-stig/defaults/main.yml | 10 +-
 spec/ansible/roles/mongo-stig/tasks/cat1.yml | 12 +--
 spec/ansible/roles/mongo-stig/tasks/cat2.yml | 96 ++++++++++++-------
 .../controls/SV-252144.rb | 9 ++
 .../controls/SV-252145.rb | 5 +
 .../controls/SV-252146.rb | 1 +
 .../controls/SV-252151.rb | 6 ++
 .../controls/SV-252153.rb | 5 +
 8 files changed, 104 insertions(+), 40 deletions(-)
diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
index c24b22b..6eadc9f 100644
--- a/spec/ansible/roles/mongo-stig/defaults/main.yml
+++ b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -9,5 +9,11 @@ mongo_group: root
 mongod_config_path: "/etc/mongod.conf"
 mongo_audit_directory_path: "/var/log/mongodb/audit"
 mongo_audit_file_path: "/var/log/mongodb/audit/auditlog.bson"
-certificate_key_path: "/etc/ssl/mongodb.pem"
-ca_file_path: "/etc/ssl/caToValidateClientCertificates.pem"
\ No newline at end of file
+certificate_key_file_path: "/etc/ssl/mongodb.pem"
+ca_file_path: "/etc/ssl/caToValidateClientCertificates.pem"
+data_file_directory_path: "/var/lib/mongo"
+max_incoming_connections: 800000
+KMIP_server_host_name: ""
+KMIP_server_port: ""
+KMIP_server_ca_file: ""
+KMIP_client_certificate_file: ""
\ No newline at end of file
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
index c60f9c5..fb6f817 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat1.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -7,7 +7,7 @@
 # - key: net.tls.mode
 # value: requireTLS
 # - key: net.tls.certificateKeyFile
-# value: "{{ certificate_key_path }}"
+# value: "{{ certificate_key_file_path }}"
 # - key: net.tls.CAFile
 # value: "{{ ca_file_path }}"
 # - key: net.tls.allowInvalidCertificates
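Review bot: The new default `max_incoming_connections: 800000` is larger than mongod's own built-in default for net.maxIncomingConnections (65536), so the SV-252148 task in cat2.yml that now writes this variable raises the ceiling rather than limiting concurrent connections unless every site overrides it. A value that is meant to be site-specific should either be left unset so the play fails loudly when it is missing, or carry a comment such as `max_incoming_connections: 800000  # SV-252148: placeholder, set below mongod's 65536 default to actually cap connections`. The four `KMIP_*` variables default to `""`, which the SV-252147 task would write verbatim into mongod.conf if it is ever uncommented; a `when: KMIP_server_host_name | length > 0` guard on that task would keep an unusable encryption stanza out of the config.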
@@ -103,13 +103,13 @@
 - high
 - SV-252159
 
-##### check text conflict with 252136?
+##### FILES DONT EXIST check text conflict with 252136?
 # - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
 # ansible.builtin.shell: |
-# chown {{ mongo_user }}:{{ mongo_user }} /etc/ssl/mongodb.pem
-# chmod 600 /etc/ssl/mongodb.pem
-# chown {{ mongo_user }}:{{ mongo_user }} /etc/ssl/caToValidateClientCertificates.pem
-# chmod 600 /etc/ssl/caToValidateClientCertificates.pem
+# chown {{ mongo_user }}:{{ mongo_user }} {{ certificate_key_file_path }}
+# chmod 600 {{ certificate_key_file_path }}
+# chown {{ mongo_user }}:{{ mongo_user }} {{ ca_file_path }}
+# chmod 600 {{ ca_file_path }}
 # ignore_errors: true
 # tags:
 # - cat1
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
index fd5bfb0..7909e4b 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
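Review bot: The rewritten chown lines use `{{ mongo_user }}:{{ mongo_user }}` for the group although defaults/main.yml defines a separate `mongo_group` (it appears as `mongo_group: root` in that file's hunk header), so the key files would be handed to a group that may not be the one the service runs under; use `chown {{ mongo_user }}:{{ mongo_group }} {{ certificate_key_file_path }}` and the same for `{{ ca_file_path }}`. The same user-as-group pattern appears in the SV-252142 block of cat2.yml, which additionally hard-codes `mongod:mongod` instead of the variables. Both tasks are commented out, so nothing changes at run time, but whoever enables them inherits the mismatch. Mode 600 on the CA bundle is harmless, but it makes the file readable only by its owner, so the owner must be the account mongod actually runs as.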
@@ -17,16 +17,17 @@
 - SV-252134
 - enterprise
 
-- name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
- ansible.builtin.shell: |
- chown {{ mongo_user }} {{ mongo_audit_directory_path }}
- chgrp {{ mongo_user }} {{ mongo_audit_directory_path }}
- chmod 700 {{ mongo_audit_directory_path }}
- ignore_errors: true
- tags:
- - cat2
- - medium
- - SV-252135
+##### FILES DONT EXIST
+# - name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
+# ansible.builtin.shell: |
+# chown {{ mongo_user }} {{ mongo_audit_directory_path }}
+# chgrp {{ mongo_user }} {{ mongo_audit_directory_path }}
+# chmod 700 {{ mongo_audit_directory_path }}
+# ignore_errors: true
+# tags:
+# - cat2
+# - medium
+# - SV-252135
 
 ##### DONE BUT DOESNT WONT RUN CUZ PERMISSIONS ERROR???, maybe it requires the user to be mongod
 # - name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
@@ -68,6 +69,7 @@
 - medium
 - SV-252138
 
+##### MANUAL??? https://github.com/mitre/crunchy-data-postgresql-stig-baseline/blob/ebc58258ba175cb1d3859fd8039e05b5b3493dda/controls/V-233524.rb#L4
 # - name: "MEDIUM | SV-252140 | MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users)."
 # command: true
 # ignore_errors: true
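Review bot: Commenting the SV-252135 task out under `##### FILES DONT EXIST` drops the control entirely instead of handling the absent audit directory; `ansible.builtin.file` with `state: directory` creates `{{ mongo_audit_directory_path }}` when it is missing and sets owner, group and mode in one idempotent step, which also replaces the shell chown/chgrp/chmod sequence and lets `mongo_group` be used instead of `{{ mongo_user }}` as the group. The rewrite below keeps the task name, `ignore_errors` and tags as they were. Whether this role or the task that writes `mongo_audit_file_path` should own directory creation is a design choice the commit does not state.
```yaml
- name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
  ansible.builtin.file:
    path: "{{ mongo_audit_directory_path }}"
    state: directory
    owner: "{{ mongo_user }}"
    group: "{{ mongo_group }}"
    mode: "0700"
  # … unchanged: ignore_errors / tags …
```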
@@ -77,25 +79,26 @@
 # - SV-252140
 
 ##### DOES NOT EXIST IN MONGO 6+
-##### need to add check text and if else statement
 # - name: "MEDIUM | SV-252141 | MongoDB must fail to a secure state if system initialization fails, shutdown fails, or aborts fail."
-# blockinfile:
-# path: "{{ mongod_config_path }}"
-# marker: "#Rule ID SV-252141"
-# prepend_newline: true
-# insertafter: "^storage:"
-# block: |
-# #
-# journal:
-# enabled: true
+# yedit:
+# src: "{{ mongod_config_path }}"
+# key: storage.journale.enabled
+# state: true
 # ignore_errors: true
 # tags:
 # - cat2
 # - medium
 # - SV-252141
 
+##### UNTESTED, FILES DONT EXIST
 # - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
-# command: true
+# ansible.builtin.shell: |
+# chown {{ mongo_user }}:{{ mongo_user }} {{ mongod_config_path }}
+# chmod 600 {{ mongod_config_path }}
+# chown -R mongod:mongod {{ data_file_directory_path }}
+# chmod 755 {{ data_file_directory_path }}
+# find {{ data_file_directory_path }}/* -type f | xargs chmod 600
+# find {{ data_file_directory_path }}/* -type d | xargs chmod 700
 # ignore_errors: true
 # tags:
 # - cat2
@@ -113,6 +116,7 @@
 - medium
 - SV-252143
 
+##### MANUAL
 # - name: "MEDIUM | SV-252144 | MongoDB must associate organization-defined types of security labels having organization-defined security label values with information in storage and transmission."
 # command: true
 # ignore_errors: true
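Review bot: The SV-252141 yedit call misspells the key as `storage.journale.enabled` (the blockinfile lines it replaces show the real option, `storage.journal.enabled`) and passes `state: true` where every other yedit call in this file passes `value:`; the lines should read `key: storage.journal.enabled` and `value: true`. Because an unrecognised option in mongod.conf generally prevents mongod from starting, and the `##### DOES NOT EXIST IN MONGO 6+` note above the task says this option is gone in 6.x, the task needs a server-version guard before anyone uncomments it. In the SV-252142 block, `chown -R mongod:mongod` hard-codes the account instead of `{{ mongo_user }}`, and `find {{ data_file_directory_path }}/* -type f | xargs chmod 600` skips top-level dot-files because of the `/*` glob and mis-handles paths containing whitespace; `find {{ data_file_directory_path }} -mindepth 1 -type f -exec chmod 600 {} +` (and the `-type d` counterpart with 700) avoids both. Both tasks stay commented out in this hunk.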
@@ -121,31 +125,53 @@
 # - medium
 # - SV-252144
 
+##### same ansible as 252149
 # - name: "MEDIUM | SV-252145 | MongoDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects."
-# command: true
+# yedit:
+# src: "{{ mongod_config_path }}"
+# key: security.authorization
+# value: enabled
 # ignore_errors: true
 # tags:
 # - cat2
 # - medium
 # - SV-252145
 
+##### ENTERPRISE, Added a PII tag, this only needs to be run if there will be PII in the db
 # - name: "MEDIUM | SV-252147 | MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components."
-# mongo enterprise only
-# command: true
+# yedit:
+# src: "{{ mongod_config_path }}"
+# edits:
+# - key: security.enableEncryption
+# value: true
+# - key: kmip.serverName
+# value: "{{ KMIP_server_host_name }}"
+# - key: kmip.port
+# value: "{{ KMIP_server_port }}"
+# - key: kimp.ServerCAFile
+# value: "{{ KMIP_server_ca_file }}"
+# - key: kmip.clientCertificationFile
+# value: "{{ KMIP_client_certificate_file }}"
 # ignore_errors: true
 # tags:
 # - cat2
 # - medium
 # - SV-252147
+# - enterprise
+# - pii
 
-# - name: "MEDIUM | SV-252148 | MongoDB must limit the total number of concurrent connections to the database."
-# command: true
-# ignore_errors: true
-# tags:
-# - cat2
-# - medium
-# - SV-252148
+- name: "MEDIUM | SV-252148 | MongoDB must limit the total number of concurrent connections to the database." yedit: src: "{{ mongod_config_path }}" key: net.maxIncomingConnections value: "{{ max_incoming_connections }}" ignore_errors: true tags: - cat2 - medium - SV-252148
 
+##### MANUAL
 # - name: "MEDIUM | SV-252151 | MongoDB must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to MongoDB."
# command: true
 # ignore_errors: true
@@ -154,6 +180,7 @@
 # - medium
 # - SV-252151
 
+##### MANUAL
 # - name: "MEDIUM | SV-252153 | Database software, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications."
 # command: true
 # ignore_errors: true
@@ -178,6 +205,7 @@
 # - medium
 # - SV-252155
 
+##### THIS IS LITERALLY JUST 252137 and 252138
 # - name: "MEDIUM | SV-252156 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
 # command: true
 # ignore_errors: true
@@ -186,8 +214,12 @@
 # - medium
 # - SV-252156
 
+##### IS THIS ALSO NOT 252149 and 252145 BUT WITH A MANUAL CHECK???
 # - name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)."
-# command: true
+# yedit:
+# src: "{{ mongod_config_path }}"
+# key: security.authorization
+# value: enabled
 # ignore_errors: true
 # tags:
 # - cat2
diff --git a/spec/mongo-inspec-profile/controls/SV-252144.rb b/spec/mongo-inspec-profile/controls/SV-252144.rb
index 9bbf536..3d50a61 100644
--- a/spec/mongo-inspec-profile/controls/SV-252144.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252144.rb
@@ -122,4 +122,13 @@
 tag 'documentable'
 tag cci: ['CCI-002262', 'CCI-002263', 'CCI-002264']
 tag nist: ['AC-16 a', 'AC-16 a', 'AC-16 a']
+
+
+ #not sure what goes here for this one
+ describe 'Review the organizational or site-specific security labeling documentation to understand how documents in specific MongoDB collection(s) must be marked. This marking process should be applied as data is entered into the database.' do
+ skip 'If security labeling is not required, this is not a finding. If security labeling is required, then there must be organizational or site-specific documentation on what the security labeling policy is and guidance on how and where to apply it.'
+ end
+
 end
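Review bot: The SV-252147 yedit edits write keys mongod does not recognise: the KMIP options live under `security.kmip.*` in mongod.conf rather than at a top-level `kmip`, `kimp.ServerCAFile` is a typo, and the client certificate option is `clientCertificateFile`, not `clientCertificationFile`. Because an unknown option in the config file generally stops mongod from starting, enabling this task as written would take the service down rather than turn on encryption at rest. The corrected edits are below; the task also wants a `when: KMIP_server_host_name | length > 0` guard, since all four `KMIP_*` variables default to `""` in defaults/main.yml. The SV-252148 task further down is the only change in this hunk that is actually uncommented.
```yaml
#   yedit:
#     src: "{{ mongod_config_path }}"
#     edits:
#       - key: security.enableEncryption
#         value: true
#       - key: security.kmip.serverName
#         value: "{{ KMIP_server_host_name }}"
#       - key: security.kmip.port
#         value: "{{ KMIP_server_port }}"
#       - key: security.kmip.serverCAFile
#         value: "{{ KMIP_server_ca_file }}"
#       - key: security.kmip.clientCertificateFile
#         value: "{{ KMIP_client_certificate_file }}"
#   when: KMIP_server_host_name | length > 0
#   # … unchanged: ignore_errors / tags …
```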
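Review bot: The added `describe`/`skip` pair in SV-252144.rb embeds line breaks and leading indentation inside single-quoted literals, so both the describe title and the skip message carry a raw newline plus the file's indentation into InSpec's report output, and the `#not sure what goes here for this one` comment with two blank lines above it reads as scaffolding left behind. Give the describe a short one-line title, for example `describe 'SV-252144: organization-defined security labeling of MongoDB collections (manual review)' do`, put the check and fix text in a squiggly heredoc via `skip <<~MSG` so the indentation is stripped, and drop the comment. The SV-252151.rb and SV-252153.rb hunks add the same multi-line-literal pattern and would take the same treatment. This is a style point only; a skipped describe is the usual way to record a manual control in a profile.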
diff --git a/spec/mongo-inspec-profile/controls/SV-252145.rb b/spec/mongo-inspec-profile/controls/SV-252145.rb
index 5a0b98f..908c260 100644
--- a/spec/mongo-inspec-profile/controls/SV-252145.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252145.rb
@@ -54,4 +54,9 @@
 tag 'documentable'
 tag cci: ['CCI-002165', 'CCI-002235']
 tag nist: ['AC-3 (4)', 'AC-6 (10)']
+
+ describe yaml('/etc/mongod.conf') do
+ its(['security','authorization']){should eq "enabled"}
+ end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252146.rb b/spec/mongo-inspec-profile/controls/SV-252146.rb
index feec558..6172186 100644
--- a/spec/mongo-inspec-profile/controls/SV-252146.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252146.rb
@@ -57,4 +57,5 @@
 describe yaml('/etc/mongod.conf') do
 its(['net','tls','FIPSMode']){should eq true}
 end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252151.rb b/spec/mongo-inspec-profile/controls/SV-252151.rb
index 8e6477c..5e70202 100644
--- a/spec/mongo-inspec-profile/controls/SV-252151.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252151.rb
@@ -27,4 +27,10 @@
 tag 'documentable'
 tag cci: ['CCI-001499']
 tag nist: ['CM-5 (6)']
+
+ describe 'Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files occurs.' do
+ skip 'Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement.'
+ end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252153.rb b/spec/mongo-inspec-profile/controls/SV-252153.rb
index bf43bce..2a297c1 100644
--- a/spec/mongo-inspec-profile/controls/SV-252153.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252153.rb
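Review bot: The new check in SV-252145.rb hard-codes `yaml('/etc/mongod.conf')` while the playbook this commit also edits parametrises the same path as `mongod_config_path`, so a host started with a different config file is assessed against the wrong file; if the profile does not already expose such an input, `describe yaml(input('mongod_config_path', value: '/etc/mongod.conf')) do` keeps the current default and makes it overridable. The assertion itself fails closed — a missing `security.authorization` key yields nil and the control fails rather than passing silently. The spacing in `its(['security','authorization']){should eq "enabled"}` departs from the style guide; `its(['security', 'authorization']) { should eq 'enabled' }` is how RuboCop would format it. The same literal path appears in the SV-252146.rb context lines, which this commit does not change.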
@@ -42,4 +42,9 @@
 tag 'documentable'
 tag cci: ['CCI-001499']
 tag nist: ['CM-5 (6)']
+
+ describe 'Check if any non-MongoDB application, non-MongoDB data, or non-MongoDB directories exists under any of the MongoDB created directories or sub-directories.' do
+ skip 'If any non-MongoDB application, non-MongoDB data, or non-MongoDB directories exists under the MongoDB-created directories, this is a finding.'
+ end
+
 end