diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
index 3099181..9296a4a 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -59,7 +59,6 @@
 - medium
 - SV-252136
-##### Work around since removing multiple edits doesnt seem to work
 - name: "MEDIUM | SV-252137 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
 yedit:
 src: "{{ mongod_config_path }}"
@@ -95,7 +94,7 @@
 # - name: "MEDIUM | SV-252141 | MongoDB must fail to a secure state if system initialization fails, shutdown fails, or aborts fail."
 # yedit:
 # src: "{{ mongod_config_path }}"
-# key: storage.journale.enabled
+# key: storage.journal.enabled
 # state: true
 # ignore_errors: true
 # tags:
@@ -103,7 +102,7 @@
 # - medium
 # - SV-252141
-##### UNTESTED, FILES DONT EXIST
+##### DIRECTORY DOESNT EXIST
 # - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
 # ansible.builtin.shell: |
 # chown {{ mongo_user }}:{{ mongo_user }} {{ mongod_config_path }}
@@ -218,14 +217,16 @@
 # - medium
 # - SV-252155
-##### THIS IS LITERALLY JUST 252137 and 252138
-# - name: "MEDIUM | SV-252156 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
-# command: true
-# ignore_errors: true
-# tags:
-# - cat2
-# - medium
-# - SV-252156
+- name: "MEDIUM | SV-252156 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
+ yedit:
+ src: "{{ mongod_config_path }}"
+ key: net.http
+ state: absent
+ ignore_errors: true
+ tags:
+ - cat2
+ - medium
+ - SV-252156
 ##### IS THIS ALSO NOT 252149 and 252145 BUT WITH A MANUAL CHECK???
 # - name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)."
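Review bot: The new SV-252156 task in the `@@ -218,14 +217,16 @@` hunk edits `net.http`, which the removed comment (`THIS IS LITERALLY JUST 252137 and 252138`) already identified as the same edit the SV-252137/SV-252138 tasks make, and the InSpec controls SV-252138.rb and SV-252156.rb in this commit carry the identical `its(['net','http']){should be nil}` assertion. Two tasks rewriting the same config file for one setting make the play's changed/ok summary misleading; a single task tagged with both IDs (`- SV-252138` and `- SV-252156` under `tags:`) would satisfy both controls. `ignore_errors: true` on a hardening edit also means a failed yedit leaves the key in place while the play reports success; the new SV-252172 task in the next hunk has the same pattern, so consider dropping it on both or registering the result and asserting on it. The SV-252137 task continues outside the `@@ -59,7 +59,6 @@` hunk, so I cannot confirm which key it edits.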
@@ -321,7 +322,7 @@
 # - medium
 # - SV-252170
-##### ENTERPRISE ONLY, NOT SO SURE ABOUT THAT KEY VALUE
+##### KEY VALUE DOESNT WORKY
 - name: "MEDIUM | SV-252171 | MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB."
 yedit:
 src: "{{ mongod_config_path }}"
@@ -333,7 +334,7 @@
 - key: auditLog.path
 value: "{{ mongo_audit_file_path }}"
 # - key: auditLog.filter
- # value: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
+ # value: "{ atype: { $in: [ 'createCollection', 'dropCollection' ] } }"
 when: audit_log_destination == "file"
 ignore_errors: true
 tags:
@@ -342,13 +343,18 @@
 - SV-252171
 - enterprise
-# - name: "MEDIUM | SV-252172 | MongoDB must allocate audit record storage capacity in accordance with site audit record storage requirements."
-# command: true
-# ignore_errors: true
-# tags:
-# - cat2
-# - medium
-# - SV-252172
+- name: "MEDIUM | SV-252172 | MongoDB must allocate audit record storage capacity in accordance with site audit record storage requirements."
+ yedit:
+ src: "{{ mongod_config_path }}"
+ key: auditLog.destination
+ value: "{{ audit_log_destination}}"
+ when: audit_log_destination == "syslog"
+ ignore_errors: true
+ tags:
+ - cat2
+ - medium
+ - SV-252172
+ - enterprise
 ##### MANUAL
 # - name: "MEDIUM | SV-252173 | MongoDB must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity."
diff --git a/spec/mongo-inspec-profile/controls/SV-252135.rb b/spec/mongo-inspec-profile/controls/SV-252135.rb
index 561e556..7e47db0 100644
--- a/spec/mongo-inspec-profile/controls/SV-252135.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252135.rb
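Review bot: The new SV-252172 task in the `@@ -342,13 +343,18 @@` hunk runs only when `audit_log_destination == "syslog"`, and the SV-252171 task above it only when the value is `"file"`, so any other value (a typo, or MongoDB's `console` destination) leaves `auditLog.destination` unmanaged with no failure anywhere in the play. An `ansible.builtin.assert` that `audit_log_destination in ['file', 'syslog']` placed before these tasks would surface that. `value: "{{ audit_log_destination}}"` is also missing the space before `}}`, and since the `when:` already pins the value, `value: syslog` states the intent more directly. The STIG title is about storage capacity; routing records to syslog delegates that to the syslog host, which is a defensible reading but should be recorded in a comment on the task.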
@@ -100,4 +100,12 @@
 tag 'documentable'
 tag cci: ['CCI-000162', 'CCI-000163', 'CCI-000164']
 tag nist: ['AU-9 a', 'AU-9 a', 'AU-9 a']
+
+ describe directory(input('mongod_config_path')) do
+ it { should exist }
+ it { should be_owned_by input('mongo_user') }
+ it { should be_grouped_into input('mongo_group') }
+ it { should_not be_more_permissive_than('0700') }
+ end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252138.rb b/spec/mongo-inspec-profile/controls/SV-252138.rb
index fa86857..5ec9421 100644
--- a/spec/mongo-inspec-profile/controls/SV-252138.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252138.rb
@@ -46,6 +46,7 @@
 tag 'documentable'
 tag cci: ['CCI-000382']
 tag nist: ['CM-7 b']
+
 describe yaml(input('mongod_config_path')) do
 its(['net','http']){should be nil}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252142.rb b/spec/mongo-inspec-profile/controls/SV-252142.rb
index a084bff..99c45ed 100644
--- a/spec/mongo-inspec-profile/controls/SV-252142.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252142.rb
@@ -55,4 +55,19 @@
 tag 'documentable'
 tag cci: ['CCI-001090']
 tag nist: ['SC-4']
+
+ describe file(input('mongod_config_path')) do
+ it { should exist }
+ it { should be_owned_by input('mongo_user') }
+ it { should be_grouped_into input('mongo_group') }
+ it { should_not be_more_permissive_than('0600') }
+ end
+
+ describe directory(input('data_file_directory_path')) do
+ it { should exist }
+ it { should be_owned_by input('mongo_user') }
+ it { should be_grouped_into input('mongo_group') }
+ it { should_not be_more_permissive_than('0755') }
+ end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252144.rb b/spec/mongo-inspec-profile/controls/SV-252144.rb
index 7e53cd6..32d3c86 100644
--- a/spec/mongo-inspec-profile/controls/SV-252144.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252144.rb
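Review bot: `describe directory(input('mongod_config_path'))` in the SV-252135.rb hunk treats the config file path as a directory; the same input is used as a file by `file(input('mongod_config_path'))` in the SV-252142.rb hunk and by `yaml(input('mongod_config_path'))` throughout this commit, so `should exist` will fail here on a correctly configured host. Given the control's AU-9 tags (audit information protection), the intended target is presumably the audit log location — the role's `mongo_audit_file_path` or its parent directory — rather than the config file; confirm against the STIG check text. If the profile declares that input, `describe file(input('mongo_audit_file_path')) do` with the same owner/group/mode checks is the likely fix, and a comment naming the STIG check step above the block would prevent the next reader from repeating the mix-up.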
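Review bot: The SV-252142.rb hunk asserts group ownership by `input('mongo_group')`, while the role's still-commented SV-252142 task in cat2.yml sets `{{ mongo_user }}:{{ mongo_user }}`, so the profile and the remediation disagree about the expected group; pick one and use it in both. That cat2.yml task remains disabled (`##### DIRECTORY DOESNT EXIST`), so nothing in the role enforces the 0600/0755 modes this control now checks, and a role run followed by the profile will likely fail here until the task is restored. The 0600 and 0755 thresholds should each carry a one-line comment tying them to the STIG check text, since they are the values a future reviewer is most likely to loosen.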
@@ -123,7 +123,6 @@
 tag cci: ['CCI-002262', 'CCI-002263', 'CCI-002264']
 tag nist: ['AC-16 a', 'AC-16 a', 'AC-16 a']
- #not sure what goes here for this one
 describe 'Review the organizational or site-specific security labeling documentation to understand how documents in specific MongoDB collection(s) must be marked.This marking process should be applied as data is entered into the database.' do
 skip 'If security labeling is not required, this is not a finding.'
diff --git a/spec/mongo-inspec-profile/controls/SV-252147.rb b/spec/mongo-inspec-profile/controls/SV-252147.rb
index 6264759..cdfcda3 100644
--- a/spec/mongo-inspec-profile/controls/SV-252147.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252147.rb
@@ -42,4 +42,14 @@
 tag 'documentable'
 tag cci: ['CCI-002475', 'CCI-002476']
 tag nist: ['SC-28 (1)', 'SC-28 (1)']
+
+ describe yaml(input('mongod_config_path')) do
+ its(['security','enableEncrypt']){should eq true}
+
+ its(['kmip','serverName']){should match input('KMIP_server_host_name')}
+ its(['kmip','port']){should match input('KMIP_server_port')}
+ its(['kmip','ServerCAFile']){should match input('KMIP_server_ca_file')}
+ its(['kmip','clientCertificateFile']){should match input('KMIP_client_certificate_file')}
+ end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252148.rb b/spec/mongo-inspec-profile/controls/SV-252148.rb
index bfe1149..42d6836 100644
--- a/spec/mongo-inspec-profile/controls/SV-252148.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252148.rb
@@ -36,4 +36,9 @@
 tag 'documentable'
 tag cci: ['CCI-000054']
 tag nist: ['AC-10']
+
+ describe yaml(input('mongod_config_path')) do
+ its(['net', 'maxIncomingConnections']) { should be_a_kind_of(Integer) }
+ end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252156.rb b/spec/mongo-inspec-profile/controls/SV-252156.rb
index ac6bde8..7975836 100644
--- a/spec/mongo-inspec-profile/controls/SV-252156.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252156.rb
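Review bot: The SV-252147.rb hunk checks keys that do not exist in mongod's configuration schema: encryption at rest is `security.enableEncryption` (the hunk has `security.enableEncrypt`), and the KMIP settings live under `security.kmip` (`serverName`, `port`, `serverCAFile`, `clientCertificateFile`), not a top-level `kmip` mapping, so every assertion in the block fails against a correctly configured server and the control can never pass. `should match` also compiles its argument into a regular expression and raises on an Integer, which is what the YAML parser yields for `port`; `eq` is the right comparison for the port and for exact file paths (declare `KMIP_server_port` as an Integer input so the types agree). The corrected block follows; the existing blank line inside the describe adds nothing and can go.
```ruby
describe yaml(input('mongod_config_path')) do
  its(['security', 'enableEncryption']) { should eq true }
  its(['security', 'kmip', 'serverName']) { should eq input('KMIP_server_host_name') }
  its(['security', 'kmip', 'port']) { should eq input('KMIP_server_port') }
  its(['security', 'kmip', 'serverCAFile']) { should eq input('KMIP_server_ca_file') }
  its(['security', 'kmip', 'clientCertificateFile']) { should eq input('KMIP_client_certificate_file') }
end
```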
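Review bot: `should be_a_kind_of(Integer)` in the SV-252148.rb hunk only proves that `net.maxIncomingConnections` is set to some number; the control is about limiting concurrent sessions (AC-10), and any value, including one far above the site's approved limit, passes this check. Compare against a declared input instead, e.g. `its(['net', 'maxIncomingConnections']) { should be <= input('max_incoming_connections') }` (the input name is a placeholder — declare it alongside the profile's other inputs), keeping the Integer check as a type guard. An absent key yields nil and fails the type check, which is the desired outcome, but a one-line comment saying so would spare the next reader from "fixing" it.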
@@ -38,4 +38,9 @@
 tag 'documentable'
 tag cci: ['CCI-000381']
 tag nist: ['CM-7 a']
+
+ describe yaml(input('mongod_config_path')) do
+ its(['net','http']){should be nil}
+ end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252160.rb b/spec/mongo-inspec-profile/controls/SV-252160.rb
index 9fd975c..236e8c4 100644
--- a/spec/mongo-inspec-profile/controls/SV-252160.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252160.rb
@@ -45,4 +45,32 @@
 tag 'documentable'
 tag cci: ['CCI-000186']
 tag nist: ['IA-5 (2) (a) (1)']
+
+ describe yaml(input('mongod_config_path')) do
+ its(['net','tls','mode']){should eq "requireTLS"}
+ its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')}
+ its(['net','tls','CAFile']){should match input('ca_file_path')}
+ end
+
+ describe file(input('mongod_config_path')) do
+ it { should exist }
+ it { should be_owned_by input('mongo_user') }
+ it { should be_grouped_into input('mongo_group') }
+ it { should_not be_more_permissive_than('0600') }
+ end
+
+ describe file(input('certificate_key_file_path')) do
+ it { should exist }
+ it { should be_owned_by input('mongo_user') }
+ it { should be_grouped_into input('mongo_group') }
+ it { should_not be_more_permissive_than('0600') }
+ end
+
+ describe file(input('ca_file_path')) do
+ it { should exist }
+ it { should be_owned_by input('mongo_user') }
+ it { should be_grouped_into input('mongo_group') }
+ it { should_not be_more_permissive_than('0600') }
+ end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252171.rb b/spec/mongo-inspec-profile/controls/SV-252171.rb
index 81cc988..603e7c7 100644
--- a/spec/mongo-inspec-profile/controls/SV-252171.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252171.rb
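Review bot: In the SV-252160.rb hunk, `should match input('certificate_key_file_path')` and `should match input('ca_file_path')` compile the input as a regular expression, so `.` in the path matches any character and a prefix-only configured value still passes; `should eq input(...)` is the exact comparison a configured path needs. The `net.tls` block also omits the two settings that weaken peer-certificate validation under the same mode, `net.tls.allowInvalidCertificates` and `net.tls.allowConnectionsWithoutCertificates`, so `requireTLS` passes even when certificates are not actually validated; add `its(['net','tls','allowInvalidCertificates']) { should_not eq true }` and the matching line for the other option under the existing describe. Requiring 0600 on the CA file is stricter than its public content needs, which is fine, but note why in a comment so it is not loosened by accident. The `file(input('mongod_config_path'))` block repeats the one in the SV-252142.rb hunk verbatim; a shared helper or a single owning control would avoid the two drifting apart.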
@@ -63,4 +63,12 @@
 tag 'documentable'
 tag cci: ['CCI-001844']
 tag nist: ['AU-3 (2)']
+
+ describe yaml(input('mongod_config_path')) do
+ its(['auditLog','destination']){should eq "file"}
+ its(['auditLog','format']){should eq "BSON"}
+ its(['auditLog','path']){should match mongo_audit_file_path}
+ its(['auditLog','filter']){should match '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'}
+ end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252172.rb b/spec/mongo-inspec-profile/controls/SV-252172.rb
index a98ed97..9f92d34 100644
--- a/spec/mongo-inspec-profile/controls/SV-252172.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252172.rb
@@ -39,4 +39,9 @@
 tag 'documentable'
 tag cci: ['CCI-001849']
 tag nist: ['AU-4']
+
+ describe yaml(input('mongod_config_path')) do
+ its(['auditLog', 'destination']) { should eq "syslog"}
+ end
+
 end
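Review bot: In the SV-252171.rb hunk `should match mongo_audit_file_path` references a bare Ruby identifier, which raises NameError the moment the control runs; it should be `should eq input('mongo_audit_file_path')`. The filter assertion has the same regex problem in a worse form: `should match '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'` is compiled as a regular expression, in which `$` is an anchor and `[ ... ]` a character class, so it can never match the literal filter string — use `eq` (or `include`), and note that the role's SV-252171 task in cat2.yml still has `auditLog.filter` commented out, so the key will be nil on a role-configured host anyway. Separately, this control requires `auditLog.destination` to equal `"file"` while the SV-252172.rb hunk below requires `"syslog"`; both are unconditional, so at most one of the two controls can pass on any host — gate each on a profile input mirroring the role's `audit_log_destination` (e.g. `only_if { input('audit_log_destination') == 'file' }`) or relax one of them to `should be_in ['file', 'syslog']`. A one-line comment per `its` naming the STIG check step it implements would also help in both blocks.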