added permissions variable

mitre · Mar 12, 2024 · 26a6aab · 26a6aab
1 parent a486f63
commit 26a6aab
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 14 deletions.
diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -8,6 +8,7 @@ mongo_owner: root
 mongo_group: root
 mongo_host: "localhost"
 mongo_port: 27017
+mongo_permissions: 600
 #audit_log_destination | "file" or "syslog"
 audit_log_destination: "file"
 mongod_config_path: "/etc/mongod.conf"

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -109,9 +109,9 @@
 # - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
 #   ansible.builtin.shell: |
 #       chown {{ mongo_owner }}:{{ mongo_owner }} {{ certificate_key_file_path }}
-#       chmod 600 {{ certificate_key_file_path }}
+#       chmod {{ mongo_permissions }} {{ certificate_key_file_path }}
 #       chown {{ mongo_owner }}:{{ mongo_owner }} {{ ca_file_path }}
-#       chmod 600 {{ ca_file_path }}
+#       chmod {{ mongo_permissions }} {{ ca_file_path }}
 #   ignore_errors: true
 #   tags:
 #     - cat1

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -40,7 +40,7 @@
 #   ansible.builtin.shell: |
 #       chown {{ mongo_owner }} {{ mongo_audit_directory_path }}
 #       chgrp {{ mongo_owner }} {{ mongo_audit_directory_path }}
-#       chmod 700 {{ mongo_audit_directory_path }}
+#       chmod {{ mongo_permissions }} {{ mongo_audit_directory_path }}
 #   when: audit_log_destination == "file"
 #   ignore_errors: true
 #   tags:
@@ -53,7 +53,7 @@
   ansible.builtin.shell: |
       chown {{ mongo_owner }} {{ mongod_config_path }}
       chgrp {{ mongo_owner }} {{ mongod_config_path }}
-      chmod 660 {{ mongod_config_path }}
+      chmod {{ mongo_permissions }} {{ mongod_config_path }}
   ignore_errors: true
   tags:
     - cat2
@@ -107,11 +107,11 @@
 # - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
 #   ansible.builtin.shell: |
 #       chown {{ mongo_owner }}:{{ mongo_owner }} {{ mongod_config_path }}
-#       chmod 600 {{ mongod_config_path }}
+#       chmod {{ mongo_permissions }} {{ mongod_config_path }}
 #       chown -R mongod:mongod {{ data_file_directory_path }}
-#       chmod 755 {{ data_file_directory_path }}
-#       find {{ data_file_directory_path }}/* -type f | xargs  chmod 600
-#       find {{ data_file_directory_path }}/* -type d | xargs  chmod 700
+#       chmod {{ mongo_permissions }} {{ data_file_directory_path }}
+#       find {{ data_file_directory_path }}/* -type f | xargs  chmod {{ mongo_permissions }}
+#       find {{ data_file_directory_path }}/* -type d | xargs  chmod {{ mongo_permissions }}
 #   ignore_errors: true
 #   tags:
 #     - cat2

diff --git a/spec/mongo-inspec-profile/controls/SV-252136.rb b/spec/mongo-inspec-profile/controls/SV-252136.rb
@@ -78,7 +78,7 @@
     it { should exist }
     it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
-    it { should_not be_more_permissive_than('0660') }
+    it { should_not be_more_permissive_than(input('mongo_permissions')) }
   end
 
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252142.rb b/spec/mongo-inspec-profile/controls/SV-252142.rb
@@ -60,14 +60,22 @@
     it { should exist }
     it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
-    it { should_not be_more_permissive_than('0600') }
+    it { should_not be_more_permissive_than(input('mongo_permissions')) }
   end
 
   describe directory(input('data_file_directory_path')) do
     it { should exist }
     it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
-    it { should_not be_more_permissive_than('0755') }
+    it { should_not be_more_permissive_than(input('mongo_permissions')) }
   end
+
+  # ls -l /var/lib/mongo
+
+  # If the owner and group of  any file or sub-directory is not mongod, this is a finding.
+
+  # If the permission of any file in the main directory (/var/lib/mongo) or sub-directory of (/var/lib/mongo) is more permissive than 600, this is a finding.
+
+  # If the permission of any sub-directory of (/var/lib/mongo) is more permissive than 700, this is a finding.
 
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252160.rb b/spec/mongo-inspec-profile/controls/SV-252160.rb
@@ -56,21 +56,21 @@
     it { should exist }
     it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
-    it { should_not be_more_permissive_than('0600') }
+    it { should_not be_more_permissive_than(input('mongo_permissions')) }
   end
 
   describe file(input('certificate_key_file_path')) do
     it { should exist }
     it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
-    it { should_not be_more_permissive_than('0600') }
+    it { should_not be_more_permissive_than(input('mongo_permissions')) }
   end
 
   describe file(input('ca_file_path')) do
     it { should exist }
     it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
-    it { should_not be_more_permissive_than('0600') }
+    it { should_not be_more_permissive_than(input('mongo_permissions')) }
   end
 
 end
diff --git a/spec/mongo-inspec-profile/inspec.yml b/spec/mongo-inspec-profile/inspec.yml
@@ -60,6 +60,11 @@ inputs:
     value: "/etc/mongod.conf"
     required: true
 
+  - name: mongo_permissions
+    description: "File and directory permissions that should be granted to mongo"
+    type: numeric
+    value: 600
+
   - name: mongo_audit_directory_path
     description: "The path to the mongo audit directory"
     type: string