From 26a6aab0dfa406a0c3d89a3a5266eeea884eee51 Mon Sep 17 00:00:00 2001
From: seanlongcc
Date: Tue, 12 Mar 2024 12:21:40 -0400
Subject: [PATCH] added permissions variable

---
 spec/ansible/roles/mongo-stig/defaults/main.yml | 1 +
 spec/ansible/roles/mongo-stig/tasks/cat1.yml | 4 ++--
 spec/ansible/roles/mongo-stig/tasks/cat2.yml | 12 ++++++------
 spec/mongo-inspec-profile/controls/SV-252136.rb | 2 +-
 spec/mongo-inspec-profile/controls/SV-252142.rb | 12 ++++++++++--
 spec/mongo-inspec-profile/controls/SV-252160.rb | 6 +++---
 spec/mongo-inspec-profile/inspec.yml | 5 +++++
 7 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
index 4298fb2..0c06320 100644
--- a/spec/ansible/roles/mongo-stig/defaults/main.yml
+++ b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -8,6 +8,7 @@ mongo_owner: root
 mongo_group: root
 mongo_host: "localhost"
 mongo_port: 27017
+mongo_permissions: 600
 #audit_log_destination | "file" or "syslog"
 audit_log_destination: "file"
 mongod_config_path: "/etc/mongod.conf"
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
index d864f89..052e126 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat1.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -109,9 +109,9 @@
 # - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
 # ansible.builtin.shell: |
 # chown {{ mongo_owner }}:{{ mongo_owner }} {{ certificate_key_file_path }}
-# chmod 600 {{ certificate_key_file_path }}
+# chmod {{ mongo_permissions }} {{ certificate_key_file_path }}
 # chown {{ mongo_owner }}:{{ mongo_owner }} {{ ca_file_path }}
-# chmod 600 {{ ca_file_path }}
+# chmod {{ mongo_permissions }} {{ ca_file_path }}
 # ignore_errors: true
 # tags:
 # - cat1
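Review bot: `mongo_permissions: 600` is one mode that the cat2.yml hunks at @@ -40 and @@ -107 (both tasks currently commented out) now apply to directories as well as files — the audit directory, previously 700, and the data directory and its sub-directories, previously 755/700; a directory without the execute bit cannot be traversed, so 600 on those paths would lock the mongod process out of its own data and audit directories. The STIG text quoted in the SV-252142 hunk itself distinguishes 600 for files from 700 for sub-directories, so a single variable cannot express the intended policy; two variables, for example `mongo_file_permissions: "0600"` and `mongo_directory_permissions: "0700"` (names suggested here, not present in the repo), would. Independently, write the value as a quoted octal string, `mongo_permissions: "0600"`, so that a later override of `0600` is not parsed as the YAML 1.1 octal integer 384, and so the same value is usable as the `mode:` of `ansible.builtin.file`, which treats an unquoted integer as decimal.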
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
index 28632cf..77a1e90 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -40,7 +40,7 @@
 # ansible.builtin.shell: |
 # chown {{ mongo_owner }} {{ mongo_audit_directory_path }}
 # chgrp {{ mongo_owner }} {{ mongo_audit_directory_path }}
-# chmod 700 {{ mongo_audit_directory_path }}
+# chmod {{ mongo_permissions }} {{ mongo_audit_directory_path }}
 # when: audit_log_destination == "file"
 # ignore_errors: true
 # tags:
@@ -53,7 +53,7 @@
 ansible.builtin.shell: |
 chown {{ mongo_owner }} {{ mongod_config_path }}
 chgrp {{ mongo_owner }} {{ mongod_config_path }}
- chmod 660 {{ mongod_config_path }}
+ chmod {{ mongo_permissions }} {{ mongod_config_path }}
 ignore_errors: true
 tags:
 - cat2
@@ -107,11 +107,11 @@
 # - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
 # ansible.builtin.shell: |
 # chown {{ mongo_owner }}:{{ mongo_owner }} {{ mongod_config_path }}
-# chmod 600 {{ mongod_config_path }}
+# chmod {{ mongo_permissions }} {{ mongod_config_path }}
 # chown -R mongod:mongod {{ data_file_directory_path }}
-# chmod 755 {{ data_file_directory_path }}
-# find {{ data_file_directory_path }}/* -type f | xargs chmod 600
-# find {{ data_file_directory_path }}/* -type d | xargs chmod 700
+# chmod {{ mongo_permissions }} {{ data_file_directory_path }}
+# find {{ data_file_directory_path }}/* -type f | xargs chmod {{ mongo_permissions }}
+# find {{ data_file_directory_path }}/* -type d | xargs chmod {{ mongo_permissions }}
 # ignore_errors: true
 # tags:
 # - cat2
diff --git a/spec/mongo-inspec-profile/controls/SV-252136.rb b/spec/mongo-inspec-profile/controls/SV-252136.rb
index 46afbb2..ddef04d 100644
--- a/spec/mongo-inspec-profile/controls/SV-252136.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252136.rb
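Review bot: The live task in the @@ -53 hunk still sets ownership and mode through three shell commands under `ignore_errors: true`, so a bad `mongo_permissions` value (an unquoted `0600` arrives as 384, for instance) makes `chmod` fail silently and the play reports success while the config file keeps its old mode; the task's `- name:` line is outside the hunk. `ansible.builtin.file` does the same work idempotently, rejects an invalid mode loudly, and reports changed/ok correctly, which lets `ignore_errors` go; it requires the mode as a string such as `"0600"`. Note also that this task sets the group to `mongo_owner` while the SV-252136 control checks `be_grouped_into input('mongo_group')` — the two agree only while both default to root.
```yaml
  ansible.builtin.file:
    path: "{{ mongod_config_path }}"
    owner: "{{ mongo_owner }}"
    group: "{{ mongo_owner }}"
    mode: "{{ mongo_permissions }}"
  # … unchanged: tags …
```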
@@ -78,7 +78,7 @@
 it { should exist }
 it { should be_owned_by input('mongo_owner') }
 it { should be_grouped_into input('mongo_group') }
- it { should_not be_more_permissive_than('0660') }
+ it { should_not be_more_permissive_than(input('mongo_permissions')) }
 end
 end
 
diff --git a/spec/mongo-inspec-profile/controls/SV-252142.rb b/spec/mongo-inspec-profile/controls/SV-252142.rb
index 79d41b2..553dc20 100644
--- a/spec/mongo-inspec-profile/controls/SV-252142.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252142.rb
@@ -60,14 +60,22 @@
 it { should exist }
 it { should be_owned_by input('mongo_owner') }
 it { should be_grouped_into input('mongo_group') }
- it { should_not be_more_permissive_than('0600') }
+ it { should_not be_more_permissive_than(input('mongo_permissions')) }
 end
 
 describe directory(input('data_file_directory_path')) do
 it { should exist }
 it { should be_owned_by input('mongo_owner') }
 it { should be_grouped_into input('mongo_group') }
- it { should_not be_more_permissive_than('0755') }
+ it { should_not be_more_permissive_than(input('mongo_permissions')) }
 end
+
+ # ls -l /var/lib/mongo
+
+ # If the owner and group of any file or sub-directory is not mongod, this is a finding.
+
+ # If the permission of any file in the main directory (/var/lib/mongo) or sub-directory of (/var/lib/mongo) is more permissive than 600, this is a finding.
+
+ # If the permission of any sub-directory of (/var/lib/mongo) is more permissive than 700, this is a finding.
 end
 
diff --git a/spec/mongo-inspec-profile/controls/SV-252160.rb b/spec/mongo-inspec-profile/controls/SV-252160.rb
index 862f154..bcbd469 100644
--- a/spec/mongo-inspec-profile/controls/SV-252160.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252160.rb
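Review bot: `be_more_permissive_than(input('mongo_permissions'))` is handed an Integer, because the inspec.yml hunk at the end of this patch declares the input as `type: numeric` with `value: 600`; InSpec's `more_permissive_than?` expects a string mode such as `'0600'` and, as far as I recall, raises ArgumentError for anything else, so this control and the same lines in SV-252142 and SV-252160 would error instead of evaluating. Declare the input as `type: string` with `value: "0600"` and keep it quoted in any input file that overrides it. Separately, this hunk replaces `'0660'` while the other two controls replaced `'0600'`, so the SV-252136 threshold is tightened as a side effect of the refactor — worth stating in the commit message. The enclosing `describe` and `control` lines are outside the hunk.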
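Review bot: The comment block added at the end of the SV-252142 control describes a recursive requirement — every file under the data directory at most 600 and every sub-directory at most 700 — but the control only inspects the top-level `directory(input('data_file_directory_path'))`, so the documented checks are not performed and the comment reads as if they were. Either implement the walk (for example by feeding `command('find …')` output into a per-path `file` describe) or reword the comment to say that only the top-level directory is checked; the `control` line is outside the hunk. Applying the single `mongo_permissions` input to a directory also changes what this check means: with the default 600, a data directory the mongod user can actually traverse (700 or 755) now fails, whereas the removed `'0755'` reflected the previous expectation for that directory.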
@@ -56,21 +56,21 @@
 it { should exist }
 it { should be_owned_by input('mongo_owner') }
 it { should be_grouped_into input('mongo_group') }
- it { should_not be_more_permissive_than('0600') }
+ it { should_not be_more_permissive_than(input('mongo_permissions')) }
 end
 
 describe file(input('certificate_key_file_path')) do
 it { should exist }
 it { should be_owned_by input('mongo_owner') }
 it { should be_grouped_into input('mongo_group') }
- it { should_not be_more_permissive_than('0600') }
+ it { should_not be_more_permissive_than(input('mongo_permissions')) }
 end
 
 describe file(input('ca_file_path')) do
 it { should exist }
 it { should be_owned_by input('mongo_owner') }
 it { should be_grouped_into input('mongo_group') }
- it { should_not be_more_permissive_than('0600') }
+ it { should_not be_more_permissive_than(input('mongo_permissions')) }
 end
 end
 
diff --git a/spec/mongo-inspec-profile/inspec.yml b/spec/mongo-inspec-profile/inspec.yml
index d9d2974..85424d4 100644
--- a/spec/mongo-inspec-profile/inspec.yml
+++ b/spec/mongo-inspec-profile/inspec.yml
@@ -60,6 +60,11 @@ inputs:
 value: "/etc/mongod.conf"
 required: true
 
+ - name: mongo_permissions
+ description: "File and directory permissions that should be granted to mongo"
+ type: numeric
+ value: 600
+
 - name: mongo_audit_directory_path
 description: "The path to the mongo audit directory"
 type: string
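Review bot: The new input's description says permissions "should be granted to mongo", but every consumer in this patch uses the value as an upper bound in `should_not be_more_permissive_than`, and it is applied to directories as well as files, so the description misstates the contract; something like `description: "Least-permissive-or-equal octal mode required on MongoDB config, key and data paths, e.g. 0600"` would match what the controls actually assert. The `type: numeric` / `value: 600` declaration itself is raised at SV-252136 and should become `type: string` / `value: "0600"` here. The `inputs:` list continues outside the hunk.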