diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
index 5e05b4b..1d66456 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat1.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -19,7 +19,6 @@
 # - high
 # - SV-252139
-##### ENTERPRISE ONLY, DISABLED FOR EASIER TESTING
 # - name: "HIGH | SV-252146 | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations."
 # yedit:
 # src: "{{ mongod_config_path }}"
@@ -85,9 +84,9 @@
 - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
   ansible.builtin.shell: |
-    chown {{ mongo_owner }}:{{ mongo_owner }} {{ certificate_key_file_dest }}
+    chown {{ mongo_owner }}:{{ mongo_group }} {{ certificate_key_file_dest }}
     chmod {{ mongo_permissions }} {{ certificate_key_file_dest }}
-    chown {{ mongo_owner }}:{{ mongo_owner }} {{ ca_file_dest }}
+    chown {{ mongo_owner }}:{{ mongo_group }} {{ ca_file_dest }}
     chmod {{ mongo_permissions }} {{ ca_file_dest }}
   ignore_errors: true
   tags:
@@ -104,7 +103,6 @@
 # - high
 # - SV-252162
-##### ENTERPRISE ONLY
 # - name: "HIGH | SV-252165 | MongoDB must protect the confidentiality and integrity of all information at rest."
 # command: true
 # ignore_errors: true
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
index 0ca1118..4554741 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -1,5 +1,4 @@
 ---
-##### ENTERPRISE ONLY
 - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components."
   block:
     - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | syslog option"
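Review bot: The two `chown` lines of the SV-252160 task still run through `ansible.builtin.shell` with the Jinja paths unquoted and with `ignore_errors: true`, so a path containing whitespace is word-split and a failed ownership or mode change on the private key or CA file is reported but does not stop the play, leaving the key unprotected on a run that otherwise looks complete. The commit already shows the safer form in cat2.yml's new SV-252135 task: `ansible.builtin.file` with `owner`/`group`/`mode`, which is idempotent, quotes the path and fails visibly when the file is missing; the same applies to the `chown` line of the SV-252142 task in cat2.yml (hunk at -108). Rewriting the task to loop `ansible.builtin.file` over the two paths removes the shell, the unquoted expansion and the need for `ignore_errors`. The task's `tags` list continues outside the hunk.
```yaml
- name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
  ansible.builtin.file:
    path: "{{ item }}"
    owner: "{{ mongo_owner }}"
    group: "{{ mongo_group }}"
    mode: "{{ mongo_permissions }}"
  loop:
    - "{{ certificate_key_file_dest }}"
    - "{{ ca_file_dest }}"
  # … unchanged: tags …
```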
@@ -35,19 +34,20 @@
     - SV-252134
     - enterprise
-##### DIRECTORIES DONT EXIST
-# - name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
-# ansible.builtin.shell: |
-# chown {{ mongo_owner }} {{ mongo_audit_directory_path }}
-# chgrp {{ mongo_owner }} {{ mongo_audit_directory_path }}
-# chmod {{ mongo_permissions }} {{ mongo_audit_directory_path }}
-# when: audit_log_destination == "file"
-# ignore_errors: true
-# tags:
-# - cat2
-# - medium
-# - SV-252135
-# - enterprise
+#### DIRECTORIES DONT EXIST
+- name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
+  ansible.builtin.file:
+    path: "{{ mongo_audit_directory_path }}"
+    owner: "{{ mongo_owner }}"
+    group: "{{ mongo_group}}"
+    mode: "{{ mongo_permissions }}"
+  when: audit_log_destination == "file"
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252135
+    - enterprise
 - name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
   ansible.builtin.file:
@@ -97,8 +97,8 @@
   yedit:
     src: "{{ mongod_config_path }}"
     key: storage.journal.enabled
-    state: true
-  when: mongodb_version|float <= 6.1
+    value: true
+  when: mongodb_version.stdout is version('6.1.0', '<=', 'version_type=semver')
   ignore_errors: true
   tags:
     - cat2
@@ -108,7 +108,7 @@
 ##### DIRECTORY DOESNT EXIST
 - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
   ansible.builtin.shell: |
-    chown {{ mongo_owner }}:{{ mongo_owner }} {{ mongod_config_path }}
+    chown {{ mongo_owner }}:{{ mongo_group }} {{ mongod_config_path }}
     chmod {{ mongo_permissions }} {{ mongod_config_path }}
     # chown -R mongod:mongod {{ data_file_directory_path }}
     # chmod {{ mongo_permissions }} {{ data_file_directory_path }}
@@ -428,7 +428,6 @@
 # value: false
 # - key: net.tls.FIPSMode
 # value: true
-# command: true
 # ignore_errors: true
 # tags:
 # - cat2
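Review bot: `ignore_errors: true` on the now-enabled SV-252135 task, still sitting under a heading that reads `#### DIRECTORIES DONT EXIST`, means a missing `mongo_audit_directory_path` makes `ansible.builtin.file` fail and the play carries on with the audit directory never restricted. If the directory is expected to exist, drop `ignore_errors` so the run fails visibly; if the role is meant to create it, add `state: directory` and confirm that `mongo_permissions` is a mode suitable for a directory — the variable's value is not in the diff, and the same variable is applied to regular files elsewhere in this commit. Minor: `group: "{{ mongo_group}}"` lacks the space before `}}`; Jinja accepts it, but the neighbouring lines write `{{ mongo_group }}`.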
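Review bot: `version('6.1.0', '<=', 'version_type=semver')` passes the string as the `version` test's third positional argument, which is `strict`, not `version_type`; since any non-empty string is truthy the comparison runs in strict mode and the semver intent is silently lost. Pass it as a keyword instead: `when: mongodb_version.stdout is version('6.1.0', '<=', version_type='semver')`. The condition also assumes `mongodb_version.stdout` is a bare `x.y.z` string, which the prep.yml switch to `--eval "db.version()"` appears to provide; if mongosh emits any extra line the test raises rather than evaluating false, so confirm the captured output on a real host (the commit's new debug task helps with that). The task's name and tags are outside the hunk.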
diff --git a/spec/ansible/roles/mongo-stig/tasks/prep.yml b/spec/ansible/roles/mongo-stig/tasks/prep.yml
index 550a476..a835321 100644
--- a/spec/ansible/roles/mongo-stig/tasks/prep.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/prep.yml
@@ -56,11 +56,15 @@
 - name: Get MongoDB version
   ansible.builtin.command: |
-    mongosh "mongodb://localhost:27017/test" --quiet --eval "EJSON.stringify(db.version())"
+    mongosh "mongodb://localhost:27017/test" --quiet --eval "db.version()"
   register: mongodb_version
   tags:
     - prep
+- name: Display contents of mongodb_version
+  debug:
+    msg: "{{ mongodb_version.stdout }}"
+
 # get these and register as fact minus what the user said shouldnt be hardened
 # create some roles and users for testing
 # json query filter
diff --git a/spec/mongo-inspec-profile/controls/SV-252146.rb b/spec/mongo-inspec-profile/controls/SV-252146.rb
index e026e26..0c3c825 100644
--- a/spec/mongo-inspec-profile/controls/SV-252146.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252146.rb
@@ -54,16 +54,16 @@
   tag cci: ['CCI-002450', 'CCI-000803']
   tag nist: ['SC-13 b', 'IA-7']
-  MONGO_COMMAND="EJSON.stringify(db.getSiblingDB('admin').runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode)"
+  mongo_command="EJSON.stringify(db.getSiblingDB('admin').runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode)"
-  RUN_COMMAND = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')} --quiet --eval \"#{MONGO_COMMAND}\""
+  run_command = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')} --quiet --eval \"#{mongo_command}\""
   describe mongodb_conf(input('mongod_config_path')) do
     its(['net','tls','FIPSMode']){should eq true}
   end
   #####UNTESTED
-  describe json({command: RUN_COMMAND}) do
+  describe json({command: run_command}) do
     its('ok') { should cmp 1 }
   end
 end
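Review bot: The new `Display contents of mongodb_version` task carries no `tags:` entry, unlike the `Get MongoDB version` task directly above it that registers the variable, so a run limited with `--tags prep` skips it and a run that excludes prep reaches it with `mongodb_version` undefined and fails; add `tags: - prep` to keep the two tasks together. It is also the only task in view that uses the short `debug:` name rather than the `ansible.builtin.` FQCN the file uses on the command task. Unrelated to the `--eval` change but in the same hunk: the version command reports `changed` on every run, and `changed_when: false` on it would keep the hardening run's change report honest.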
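Review bot: `its('ok') { should cmp 1 }` in the renamed `json({command: run_command})` block cannot pass as written: `mongo_command` stringifies only `parsed.net.tls.FIPSMode`, so the command prints a bare `true`/`false` with no `ok` field, which the retained `#####UNTESTED` marker hints at. Either stringify the whole result, `mongo_command="EJSON.stringify(db.getSiblingDB('admin').runCommand({getCmdLineOpts: 1}))"`, and assert `its('ok') { should cmp 1 }` together with `its(['parsed','net','tls','FIPSMode']) { should eq true }`, or compare the bare output via `command(run_command).stdout.strip`. Separately, `run_command` embeds `input('mongo_dba_password')` unescaped in the URI, so a password containing `@`, `:` or `/` breaks the connection string, and the credential is visible on the mongosh command line for the duration of the call; if the profile's InSpec version provides the `mongodb_session` resource, running the query through it with `user:`/`password:` avoids both. The enclosing `control` block starts above the hunk.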
diff --git a/spec/mongo-inspec-profile/controls/SV-252174.rb b/spec/mongo-inspec-profile/controls/SV-252174.rb
index 2be7928..75d6f6c 100644
--- a/spec/mongo-inspec-profile/controls/SV-252174.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252174.rb
@@ -63,4 +63,5 @@
   tag 'documentable'
   tag cci: ['CCI-001812']
   tag nist: ['CM-11 (2)']
+ end