diff --git a/README.md b/README.md index 217ec3f..4e180cb 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ A workflow for hardening a MongoDB container against a STIG using Packer and Ans ## Tailoring Your Scan to Your Environment -To ensure the profile runs correctly in your specific environment, you need to configure the inputs in the `inputs.yml`. This will **OVERRIDE THE VALUE SET** in `inspec.yml`. A template file named `inputs_template.yml` is provided to help you get started. More information about InSpec inputs can be found in the [InSpec Profile Documentation](https://docs.chef.io/inspec/profiles/). +To ensure the profile runs correctly in your specific environment, you need to configure the inputs in the `inputs.yml`. This will **OVERRIDE THE VALUE SET** in `inspec.yml` located [here](https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline/blob/main/inspec.yml). A template file named `inputs_template.yml` is provided to help you get started. More information about InSpec inputs can be found in the [InSpec Profile Documentation](https://docs.chef.io/inspec/profiles/). ### Verify Ansible Variables diff --git a/spec/mongo-inspec-profile/inspec.yml b/spec/mongo-inspec-profile/inspec.yml index b535ff8..e58f0af 100644 --- a/spec/mongo-inspec-profile/inspec.yml +++ b/spec/mongo-inspec-profile/inspec.yml @@ -1,4 +1,4 @@ -name: MongoDB_Enterprise_Advanced_4-x_STIG +name: MongoDB_Enterprise_Advanced_4-x_STIG_Overlay title: null maintainer: null copyright: null 
@@ -12,207 +12,4 @@ depends: - name: mongodb-enterprise-advanced-4-stig-baseline git: https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline.git branch: main -inspec_version: null - -inputs: - # SV-252134, SV-252135, SV-252136, SV-252137, SV-252138, SV-252139, SV-252141, SV-252142, - # SV-252143, SV-252145, SV-252146, SV-252147, SV-252148, SV-252149, SV-252156, SV-252157, - # SV-252159, SV-252160, SV-252164, SV-252167, SV-252168, SV-252169, SV-252171, SV-252179, - # SV-252180 - - name: mongod_config_path - description: "The path to the mongod configuration file" - type: string - value: "/etc/mongod.conf" - required: true - - # SV-252135, SV-252136, SV-252142, SV-252160 - - name: mongo_owner - description: "The system user of the mongod process" - type: string - value: "root" - required: true - sensitive: true - - # SV-252135, SV-252136, SV-252142, SV-252160 - - name: mongo_group - description: "The system group of the mongod process" - type: string - value: "root" - required: true - sensitive: true - - # SV-252140, SV-252141, SV-252146, SV-252154, SV-252155, SV-252157, SV-252159, SV-252163, - # SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176, SV-252182 - - name: mongo_dba - description: "The mongo DBA user to access the test database" - type: string - required: true - sensitive: true - - # SV-252140, SV-252141, SV-252146, SV-252154, SV-252155, SV-252157, SV-252159, SV-252163, - # SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176, SV-252182 - - name: mongo_dba_password - description: "The password for the mongo DBA user" - type: string - required: true - sensitive: true - - # SV-252140, SV-252141, SV-252146, SV-252154, SV-252155, SV-252157, SV-252159, SV-252163, - # SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176, SV-252182 - - name: mongo_host - description: "The hostname or IP address used to connect to the database" - type: string - required: true - sensitive: true - - 
# SV-252140, SV-252141, SV-252146, SV-252154, SV-252155, SV-252157, SV-252159, SV-252163, - # SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, SV-252175, SV-252176, SV-252182 - - name: mongo_port - description: "The port used to connect to the database" - type: numeric - required: true - sensitive: true - - # SV-252140,SV-252154, SV-252155, SV-252157, SV-252163, SV-252174 - - name: mongo_auth_source - description: "The database used to authorize users" - type: string - required: true - sensitive: true - - # SV-252134, SV-252171 - - name: mongo_filter - description: "The filter used in authLog" - type: string - value: "{ atype: { $in: [ \"createCollection\", \"dropCollection\" ] } }" - required: true - sensitive: true - - # SV-252139, SV-252140, SV-252141, SV-252146, SV-252147, SV-252154, SV-252155, SV-252157, - # SV-252159, SV-252160, SV-252163, SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, - # SV-252175, SV-252176, SV-252179, SV-252180, SV-252182 - - name: ca_file - description: "The path to the CA file" - type: string - required: true - sensitive: true - - # SV-252139, SV-252140, SV-252141, SV-252146, SV-252147, SV-252154, SV-252155, SV-252157, - # SV-252159, SV-252160, SV-252163, SV-252165, SV-252167, SV-252168, SV-252169, SV-252174, - # SV-252175, SV-252176, SV-252179, SV-252180, SV-252182 - - name: certificate_key_file - description: "The path to the certificate key file" - type: string - required: true - sensitive: true - - # SV-252140, SV-252154, SV-252155, SV-252157, SV-252163, SV-252174 - - name: mongo_superusers - description: "Authorized superuser accounts" - type: array - value: - - "admin.root" - required: true - sensitive: true - - # SV-252155, SV-252157 - - name: mongo_users - description: "Authorized user accounts in the format of database.user" - type: array - value: - - "test.myTester" - - "products.myRoleTestUser" - required: true - sensitive: true - - # SV-252155 - - name: mongo_roles - description: "Authorized roles for MongoDB 
in the format of database.role" - type: array - value: - - "admin.root" - - "products.myTestRole" - - "test.read" - required: true - sensitive: true - - # SV-252140, SV-252163, SV-252174 - - name: inappropriate_mongo_privileges - description: "Inappropriate priveleges for all roles in MongoDB" - type: array - value: - - "changeStream" - - "createCollection" - required: true - sensitive: true - - # SV-252135, SV-252136, SV-252142, SV-252160 - - name: mongo_permissions - description: "File and directory permissions that should be granted to mongo" - type: string - value: "0600" - required: true - - # SV-252135 - - name: mongo_audit_directory_path - description: "The path to the mongo audit directory" - type: string - value: "/var/log/mongodb/audit/" - required: true - - # SV-252134, SV-252135, SV-252171 - - name: mongo_audit_file_path - description: "The path to the mongo audit file" - type: string - value: "/var/log/mongodb/audit/auditLog.bson" - required: true - - # SV-252139, SV-252160, SV-252179, SV-252180 - - name: certificate_key_file_dest - description: "The path to the mongo certificate key" - type: string - value: "/etc/ssl/mongodb.pem" - required: true - - # SV-252139, SV-252160, SV-252179, SV-252180 - - name: ca_file_dest - description: "The path to the mongo CA file" - type: string - value: "/etc/ssl/CA_bundle.pem" - required: true - - # SV-252142 - - name: data_file_directory_path - description: "The path to the mongo data file directory" - type: string - value: "/data/db/" - required: true - - # SV-252147, SV-252165 - - name: encryption_at_rest - description: "If any data is PII, classified or is deemed by the organization the need to be encrypted at rest" - type: boolean - value: false - required: true - - # SV-252149, SV-252157 - - name: ldap_enabled - description: "LDAP is used for authentication and authorization" - type: boolean - value: false - required: true - - # SV-252141, SV-252182 - - name: mongo_version - description: "The edition of MongoDB 
in use" - type: string - value: "7.0.11" - required: true - - # SV-252182 - - name: mongo_edition - description: "The edition of MongoDB in use" - type: string - value: mongodb-enterprise-server - required: true - \ No newline at end of file +inspec_version: null \ No newline at end of file
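Review bot: Once the overlay's own `inputs:` block is gone, the definition of every input the STIG controls rely on — including `mongo_dba_password`, `ca_file`, `certificate_key_file`, `mongo_superusers` and `mongo_version`, which this file had marked `required: true` / `sensitive: true` — is whatever the upstream baseline declares, and that dependency is fetched from an unpinned `branch: main` at scan time, so the set of inputs, their defaults and their `sensitive` flags can change between two runs of the same overlay without any change to this repository. The `depends:` entry is only visible as context here (the mapping starts above the hunk), but it is the right place to fix this: replace `branch: main` with a `tag:` or `commit:` that names a reviewed upstream release, and bump it deliberately when the baseline changes. It is also worth confirming that `inputs_template.yml` still lists each formerly-required input, since an `inputs.yml` that omits one will now silently fall back to the upstream default (if upstream defines one) instead of failing loudly. Minor: the new file ends without a trailing newline; most YAML linters will flag the `inspec_version: null` line for that.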