fixed 141

spec/ansible/roles/mongo-stig/tasks/cat1.yml

@@ -19,7 +19,6 @@
 #     - high
 #     - SV-252139
 
-##### ENTERPRISE ONLY, DISABLED FOR EASIER TESTING
 # - name: "HIGH | SV-252146 | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations."
 #   yedit:
 #       src: "{{ mongod_config_path }}"
@@ -85,9 +84,9 @@
 
 - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
   ansible.builtin.shell: |
-      chown {{ mongo_owner }}:{{ mongo_owner }} {{ certificate_key_file_dest }}
+      chown {{ mongo_owner }}:{{ mongo_group }} {{ certificate_key_file_dest }}
       chmod {{ mongo_permissions }} {{ certificate_key_file_dest }}
-      chown {{ mongo_owner }}:{{ mongo_owner }} {{ ca_file_dest }}
+      chown {{ mongo_owner }}:{{ mongo_group }} {{ ca_file_dest }}
       chmod {{ mongo_permissions }} {{ ca_file_dest }}
   ignore_errors: true
   tags:
@@ -104,7 +103,6 @@
 #     - high
 #     - SV-252162
 
-##### ENTERPRISE ONLY
 # - name: "HIGH | SV-252165 | MongoDB must protect the confidentiality and integrity of all information at rest."
 #   command: true
 #   ignore_errors: true

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -1,5 +1,4 @@
 ---
-##### ENTERPRISE ONLY
 - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components."
   block:
     - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | syslog option"
@@ -35,19 +34,20 @@
     - SV-252134
     - enterprise
 
-##### DIRECTORIES DONT EXIST
-# - name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
-#   ansible.builtin.shell: |
-#       chown {{ mongo_owner }} {{ mongo_audit_directory_path }}
-#       chgrp {{ mongo_owner }} {{ mongo_audit_directory_path }}
-#       chmod {{ mongo_permissions }} {{ mongo_audit_directory_path }}
-#   when: audit_log_destination == "file"
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252135
-#     - enterprise
+#### DIRECTORIES DONT EXIST
+- name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
+  ansible.builtin.file: 
+      path: "{{ mongo_audit_directory_path }}"
+      owner: "{{ mongo_owner }}"
+      group: "{{ mongo_group}}"
+      mode: "{{ mongo_permissions }}"
+  when: audit_log_destination == "file"
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252135
+    - enterprise
 
 - name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
   ansible.builtin.file: 
@@ -97,8 +97,8 @@
   yedit:
     src: "{{ mongod_config_path }}"
     key: storage.journal.enabled
-    state: true
-  when: mongodb_version|float <= 6.1
+    value: true
+  when: mongodb_version.stdout is version('6.1.0', '<=', 'version_type=semver')
   ignore_errors: true
   tags:
     - cat2
@@ -108,7 +108,7 @@
 ##### DIRECTORY DOESNT EXIST
 - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
   ansible.builtin.shell: |
-      chown {{ mongo_owner }}:{{ mongo_owner }} {{ mongod_config_path }}
+      chown {{ mongo_owner }}:{{ mongo_group }} {{ mongod_config_path }}
       chmod {{ mongo_permissions }} {{ mongod_config_path }}
   # chown -R mongod:mongod {{ data_file_directory_path }}
   # chmod {{ mongo_permissions }} {{ data_file_directory_path }}
@@ -428,7 +428,6 @@
 #       value: false
 #     - key: net.tls.FIPSMode
 #       value: true
-#   command: true
 #   ignore_errors: true
 #   tags:
 #     - cat2

spec/ansible/roles/mongo-stig/tasks/prep.yml

@@ -56,11 +56,15 @@
 
 - name: Get MongoDB version
   ansible.builtin.command: |
-    mongosh "mongodb://localhost:27017/test" --quiet --eval "EJSON.stringify(db.version())"
+    mongosh "mongodb://localhost:27017/test" --quiet --eval "db.version()"
   register: mongodb_version
   tags:
     - prep
 
+- name: Display contents of mongodb_version
+  debug:
+    msg: "{{ mongodb_version.stdout }}"
+
 # get these and register as fact minus what the user said shouldnt be hardened
 # create some roles and users for testing
 # json query filter

spec/mongo-inspec-profile/controls/SV-252146.rb

@@ -54,16 +54,16 @@
   tag cci: ['CCI-002450', 'CCI-000803']
   tag nist: ['SC-13 b', 'IA-7']
 
-  MONGO_COMMAND="EJSON.stringify(db.getSiblingDB('admin').runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode)"
+  mongo_command="EJSON.stringify(db.getSiblingDB('admin').runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode)"
 
-  RUN_COMMAND = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')} --quiet --eval \"#{MONGO_COMMAND}\""
+  run_command = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')} --quiet --eval \"#{mongo_command}\""
 
   describe mongodb_conf(input('mongod_config_path')) do
     its(['net','tls','FIPSMode']){should eq true}
   end
 
   #####UNTESTED
-  describe json({command: RUN_COMMAND}) do
+  describe json({command: run_command}) do
     its('ok') { should cmp 1 }
   end
 end

spec/mongo-inspec-profile/controls/SV-252174.rb

@@ -63,4 +63,5 @@
   tag 'documentable'
   tag cci: ['CCI-001812']
   tag nist: ['CM-11 (2)']
+
 end