fixed 134,135

spec/ansible/roles/mongo-stig/defaults/main.yml

@@ -1,5 +1,4 @@
 ---
-# defaults file for mongo-stig
 prep_conf: true
 mongostig_cat1: true
 mongostig_cat2: true
@@ -11,27 +10,27 @@ mongo_dba: admin
 mongo_dba_password: admin
 mongo_host: localhost
 mongo_port: 27017
-mongo_permissions: 600
+mongo_permissions: 0600
 authentication_mechanism: 
   - SCRAM-SHA-256
 
-mongod_config_path: "/etc/mongod.conf"
+mongod_config_path: /etc/mongod.conf
 
 #audit_log_destination choose "file" or "syslog"
-audit_log_destination: "file"
-mongo_audit_directory_path: "/var/log/mongodb/audit"
-mongo_audit_file_path: "/var/log/mongodb/audit/auditLog.bson"
+audit_log_destination: file
+mongo_audit_directory_path: /var/log/mongodb/audit/
+mongo_audit_file_path: /var/log/mongodb/audit/auditLog.bson
 
-certificate_key_file_dest: "/etc/ssl/mongodb.pem"
-certificate_key_file_src: "../../../../certificates_pkcs7_v5_13_dod/dod_CAs.pem"
-ca_file_dest: "/etc/ssl/caToValidateClientCertificates.pem"
-ca_file_src: "../../../../certificates_pkcs7_v5_13_dod/dod_CAs.pem"
+certificate_key_file_dest: /etc/ssl/mongodb.pem
+certificate_key_file_src: ../../../../certificates_pkcs7_v5_13_dod/dod_CAs.pem
+ca_file_dest: /etc/ssl/caToValidateClientCertificates.pem
+ca_file_src: ../../../../certificates_pkcs7_v5_13_dod/dod_CAs.pem
 
-data_file_directory_path: "/var/lib/mongo"
+data_file_directory_path: /var/lib/mongo/
 
 max_incoming_connections: 800000
 
-KMIP_server_host_name: ""
-KMIP_server_port: ""
-KMIP_server_ca_file: ""
-KMIP_client_certificate_file: ""
+KMIP_server_host_name: 
+KMIP_server_port: 
+KMIP_server_ca_file: 
+KMIP_client_certificate_file: 

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -8,7 +8,13 @@
         value: "{{ audit_log_destination}}"
       when: audit_log_destination == "syslog"
 
-    #fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error, could not touch target: [Errno 2] No such file or directory: b'/var/log/mongodb/audit/auditLog.bson'", "path": "/var/log/mongodb/audit/auditLog.bson"}
+    - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | check for file directory"
+      ansible.builtin.file:
+        path: "{{ mongo_audit_directory_path }}"
+        state: directory
+        mode: "{{ mongo_permissions }}"
+      when: audit_log_destination == "file"
+
     - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | check if file exists"
       ansible.builtin.file:
         path: "{{ mongo_audit_file_path }}"
@@ -34,13 +40,14 @@
     - SV-252134
     - enterprise
 
-#### DIRECTORIES DONT EXIST
 - name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
   ansible.builtin.file: 
       path: "{{ mongo_audit_directory_path }}"
       owner: "{{ mongo_owner }}"
       group: "{{ mongo_group}}"
       mode: "{{ mongo_permissions }}"
+      state: directory
+      recurse: yes
   when: audit_log_destination == "file"
   ignore_errors: true
   tags:

spec/mongo-inspec-profile/controls/SV-252135.rb

@@ -102,8 +102,8 @@
   tag nist: ['AU-9 a', 'AU-9 a', 'AU-9 a']
 
   describe.one do
-    describe file(input('mongod_config_path')) do
-      it { should exist }
+    describe directory(input('mongo_audit_directory_path')) do
+      it { should be_directory}
       it { should be_owned_by input('mongo_owner') }
       it { should be_grouped_into input('mongo_group') }
       it { should_not be_more_permissive_than(input('mongo_permissions')) }

spec/mongo-inspec-profile/inspec.yml

@@ -101,7 +101,7 @@ inputs:
   - name: mongo_audit_directory_path
     description: "The path to the mongo audit directory"
     type: string
-    value: "/var/log/mongodb/audit"
+    value: "/var/log/mongodb/audit/"
     required: true
 
   # SV-252134, SV-252171
@@ -129,5 +129,5 @@ inputs:
   - name: data_file_directory_path
     description: "The path to the mongo data file directory"
     type: string
-    value: "/var/lib/mongo"
+    value: "/var/lib/mongo/"
     required: true