updated some controls and inspec

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -59,7 +59,6 @@
     - medium
     - SV-252136
 
-##### Work around since removing multiple edits doesnt seem to work
 - name: "MEDIUM | SV-252137 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
   yedit:
     src: "{{ mongod_config_path }}"
@@ -95,15 +94,15 @@
 # - name: "MEDIUM | SV-252141 | MongoDB must fail to a secure state if system initialization fails, shutdown fails, or aborts fail."
 #   yedit:
 #     src: "{{ mongod_config_path }}"
-#     key: storage.journale.enabled
+#     key: storage.journal.enabled
 #     state: true
 #   ignore_errors: true
 #   tags:
 #     - cat2
 #     - medium
 #     - SV-252141
 
-##### UNTESTED, FILES DONT EXIST
+##### DIRECTORY DOESNT EXIST
 # - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
 #   ansible.builtin.shell: |
 #       chown {{ mongo_user }}:{{ mongo_user }} {{ mongod_config_path }}
@@ -218,14 +217,16 @@
 #     - medium
 #     - SV-252155
 
-##### THIS IS LITERALLY JUST 252137 and 252138
-# - name: "MEDIUM | SV-252156 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
-#   command: true
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252156
+- name: "MEDIUM | SV-252156 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
+  yedit:
+    src: "{{ mongod_config_path }}"
+    key: net.http
+    state: absent
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252156
 
 ##### IS THIS ALSO NOT 252149 and 252145 BUT WITH A MANUAL CHECK???
 # - name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)."
@@ -321,7 +322,7 @@
 #     - medium
 #     - SV-252170
 
-##### ENTERPRISE ONLY, NOT SO SURE ABOUT THAT KEY VALUE
+##### KEY VALUE DOESNT WORKY
 - name: "MEDIUM | SV-252171 | MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB."
   yedit:
     src: "{{ mongod_config_path }}"
@@ -333,7 +334,7 @@
     - key: auditLog.path
       value: "{{ mongo_audit_file_path }}"
     # - key: auditLog.filter
-    #   value: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
+    #   value: "{ atype: { $in: [ 'createCollection', 'dropCollection' ] } }"
   when: audit_log_destination == "file"
   ignore_errors: true
   tags:
@@ -342,13 +343,18 @@
     - SV-252171
     - enterprise
 
-# - name: "MEDIUM | SV-252172 | MongoDB must allocate audit record storage capacity in accordance with site audit record storage requirements."
-#   command: true
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252172
+- name: "MEDIUM | SV-252172 | MongoDB must allocate audit record storage capacity in accordance with site audit record storage requirements."
+  yedit:
+    src: "{{ mongod_config_path }}"
+    key: auditLog.destination
+    value: "{{ audit_log_destination}}"
+  when: audit_log_destination == "syslog"
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252172
+    - enterprise
 
 ##### MANUAL
 # - name: "MEDIUM | SV-252173 | MongoDB must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity."

spec/mongo-inspec-profile/controls/SV-252135.rb

@@ -100,4 +100,12 @@
   tag 'documentable'
   tag cci: ['CCI-000162', 'CCI-000163', 'CCI-000164']
   tag nist: ['AU-9 a', 'AU-9 a', 'AU-9 a']
+
+  describe directory(input('mongod_config_path')) do
+    it { should exist }
+    it { should be_owned_by input('mongo_user') }
+    it { should be_grouped_into input('mongo_group') }
+    it { should_not be_more_permissive_than('0700') }
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252138.rb

@@ -46,6 +46,7 @@
   tag 'documentable'
   tag cci: ['CCI-000382']
   tag nist: ['CM-7 b']
+
   describe yaml(input('mongod_config_path')) do
     its(['net','http']){should be nil}
   end

spec/mongo-inspec-profile/controls/SV-252142.rb

@@ -55,4 +55,19 @@
   tag 'documentable'
   tag cci: ['CCI-001090']
   tag nist: ['SC-4']
+
+  describe file(input('mongod_config_path')) do
+    it { should exist }
+    it { should be_owned_by input('mongo_user') }
+    it { should be_grouped_into input('mongo_group') }
+    it { should_not be_more_permissive_than('0600') }
+  end
+
+  describe directory(input('data_file_directory_path')) do
+    it { should exist }
+    it { should be_owned_by input('mongo_user') }
+    it { should be_grouped_into input('mongo_group') }
+    it { should_not be_more_permissive_than('0755') }
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252144.rb

@@ -123,7 +123,6 @@
   tag cci: ['CCI-002262', 'CCI-002263', 'CCI-002264']
   tag nist: ['AC-16 a', 'AC-16 a', 'AC-16 a']
 
-
   #not sure what goes here for this one
   describe 'Review the organizational or site-specific security labeling documentation to understand how documents in specific MongoDB collection(s) must be marked.This marking process should be applied as data is entered into the database.' do
     skip 'If security labeling is not required, this is not a finding.'

spec/mongo-inspec-profile/controls/SV-252147.rb

@@ -42,4 +42,14 @@
   tag 'documentable'
   tag cci: ['CCI-002475', 'CCI-002476']
   tag nist: ['SC-28 (1)', 'SC-28 (1)']
+
+  describe yaml(input('mongod_config_path')) do
+    its(['security','enableEncrypt']){should eq true}
+
+    its(['kmip','serverName']){should match input('KMIP_server_host_name')}
+    its(['kmip','port']){should match input('KMIP_server_port')}
+    its(['kmip','ServerCAFile']){should match input('KMIP_server_ca_file')}
+    its(['kmip','clientCertificateFile']){should match input('KMIP_client_certificate_file')}
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252148.rb

@@ -36,4 +36,9 @@
   tag 'documentable'
   tag cci: ['CCI-000054']
   tag nist: ['AC-10']
+
+  describe yaml(input('mongod_config_path')) do
+    its(['net', 'maxIncomingConnections']) { should be_a_kind_of(Integer) }
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252156.rb

@@ -38,4 +38,9 @@
   tag 'documentable'
   tag cci: ['CCI-000381']
   tag nist: ['CM-7 a']
+
+  describe yaml(input('mongod_config_path')) do
+    its(['net','http']){should be nil}
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252160.rb

@@ -45,4 +45,32 @@
   tag 'documentable'
   tag cci: ['CCI-000186']
   tag nist: ['IA-5 (2) (a) (1)']
+
+  describe yaml(input('mongod_config_path')) do
+    its(['net','tls','mode']){should eq "requireTLS"}
+    its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')}
+    its(['net','tls','CAFile']){should match input('ca_file_path')}
+  end
+
+  describe file(input('mongod_config_path')) do
+    it { should exist }
+    it { should be_owned_by input('mongo_user') }
+    it { should be_grouped_into input('mongo_group') }
+    it { should_not be_more_permissive_than('0600') }
+  end
+
+  describe file(input('certificate_key_file_path')) do
+    it { should exist }
+    it { should be_owned_by input('mongo_user') }
+    it { should be_grouped_into input('mongo_group') }
+    it { should_not be_more_permissive_than('0600') }
+  end
+
+  describe file(input('ca_file_path')) do
+    it { should exist }
+    it { should be_owned_by input('mongo_user') }
+    it { should be_grouped_into input('mongo_group') }
+    it { should_not be_more_permissive_than('0600') }
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252171.rb

@@ -63,4 +63,12 @@
   tag 'documentable'
   tag cci: ['CCI-001844']
   tag nist: ['AU-3 (2)']
+
+  describe yaml(input('mongod_config_path')) do
+      its(['auditLog','destination']){should eq "file"}
+      its(['auditLog','format']){should eq "BSON"}
+      its(['auditLog','path']){should match mongo_audit_file_path}
+      its(['auditLog','filter']){should match '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'}
+    end
+
 end

spec/mongo-inspec-profile/controls/SV-252172.rb

@@ -39,4 +39,9 @@
   tag 'documentable'
   tag cci: ['CCI-001849']
   tag nist: ['AU-4']
+
+  describe yaml(input('mongod_config_path')) do
+      its(['auditLog', 'destination']) { should eq "syslog"}
+    end
+
 end