working mongod.conf

mitre · Feb 13, 2024 · 9cf5cff · 9cf5cff
1 parent d60326f
commit 9cf5cff
Show file tree

Hide file tree

Showing 14 changed files with 252 additions and 193 deletions.
diff --git a/mongo-hardening.pkr.hcl b/mongo-hardening.pkr.hcl
@@ -70,9 +70,10 @@ build {
   #ansible needs python and pip to be installed on the target
   // provisioner "shell" {
   //   inline = [
-  //     "apt-get update",
-  //     "apt-get install -y python${var.ansible_vars.python_version} python3-pip",
-  //     "ln -s /usr/bin/python3 /usr/bin/python",
+  //     "cp /etc/mongod.conf.orig /etc/mongod.conf"
+  //     // "apt-get update",
+  //     // "apt-get install -y python${var.ansible_vars.python_version} python3-pip",
+  //     // "ln -s /usr/bin/python3 /usr/bin/python",
   //   ]
   // }
 

diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -1,6 +1,9 @@
 ---
 # defaults file for mongo-stig
+prep_conf: true
 mongostig_cat1: true
 mongostig_cat2: true
 mongostig_cat3: true 
-mongod_config_path: "/etc/mongod.conf.orig"
+mongod_config_path: "/etc/mongod.conf"
+mongo_user: root
+mongo_group: root
diff --git a/spec/ansible/roles/mongo-stig/files/conf.template b/spec/ansible/roles/mongo-stig/files/conf.template
@@ -0,0 +1,38 @@
+# mongod.conf
+
+# for documentation of all options, see:
+#   http://docs.mongodb.org/manual/reference/configuration-options/
+
+# Where and how to store data.
+#storage:
+#  dbPath: /var/lib/mongodb
+#  engine:
+#  wiredTiger:
+
+# where to write logging data.
+#systemLog:
+#  destination: file
+#  logAppend: true
+#  path: /var/log/mongodb/mongod.log
+
+# network interfaces
+net:
+  port: 27017
+  bindIp: 127.0.0.1
+
+
+# how the process runs
+processManagement:
+  timeZoneInfo: /usr/share/zoneinfo
+
+#security:
+
+#operationProfiling:
+
+#replication:
+
+#sharding:
+
+## Enterprise-Only Options:
+
+#auditLog:
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -1,27 +1,27 @@
 ---
-- name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
-  #change to SV
-  blockinfile:
-    path: "{{ mongod_config_path }}"
-    marker: "#Rule ID SV-252139"
-    prepend_newline: true
-    insertafter: "^net:"
-    block: | #need the ID as a placeholder for the space
-      #
-        tls:
-          mode: requireTLS
-          certificateKeyFile: /etc/ssl/mongodb.pem
-          CAFile: /etc/ssl/caToValidateClientCertificates.pem
-          allowInvalidCertificates: false
-          allowConnectionsWithoutCertificates: false
-  register: result
-  changed_when: no
-  ignore_errors: true
-  tags:
-    - cat1
-    - high
-    - SV-252139
+# - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
+#   blockinfile:
+#     path: "{{ mongod_config_path }}"
+#     marker: "#Rule ID SV-252139"
+#     prepend_newline: true
+#     insertafter: "^net:"
+#     block: | #need the ID as a placeholder for the space
+#       #
+#         tls:
+#           mode: requireTLS
+#           certificateKeyFile: /etc/ssl/mongodb.pem
+#           CAFile: /etc/ssl/caToValidateClientCertificates.pem
+#           allowInvalidCertificates: false
+#           allowConnectionsWithoutCertificates: false
+#   register: result
+#   changed_when: no
+#   ignore_errors: true
+#   tags:
+#     - cat1
+#     - high
+#     - SV-252139
 
+##### ENTERPRISE ONLY
 # - name: "HIGH | SV-252146 | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations."
 #   command: true
 #   register: result
@@ -33,61 +33,61 @@
 #     - high
 #     - SV-252146
 
-- name: Check if 'security:' exists and is not commented out
-  shell: "grep -P '^security:' {{ mongod_config_path }} || true"
-  register: security_check
-  changed_when: false
-  ignore_errors: true
-  tags:
-    - SV-252149
-
-- name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block does not exist."
-  blockinfile:
-    path: "{{ mongod_config_path }}"
-    marker: "#Rule ID SV-252149"
-    prepend_newline: true
-    insertafter: "^#security:"
-    block: |
-      security:
-        authorization: enabled
-  when: security_check.stdout == ""      
-  register: result
-  changed_when: no
-  ignore_errors: true
-  tags:
-    - cat1
-    - high
-    - SV-252149
-
-- name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block exists."
-  blockinfile:
-    path: "{{ mongod_config_path }}"
-    marker: "#Rule ID SV-252149"
-    prepend_newline: true
-    insertafter: "^security:"
-    block: |
-      #
-        authorization: enabled
-  when: security_check.stdout != ""      
-  register: result
-  changed_when: no
-  ignore_errors: true
-  tags:
-    - cat1
-    - high
-    - SV-252149
-
-- name: "HIGH | SV-252150 | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
-  community.mongodb.mongodb_shell: #works but unsure what output is
-    db: "database"
-    eval: "db.getRoles({rolesInfo: 1, showPrivileges:true, showBuiltinRoles: true })"
-  register: result
-  changed_when: no
-  ignore_errors: true
-  tags:
-    - cat1
-    - high
-    - SV-252150
+# - name: Check if 'security:' exists and is not commented out
+#   shell: "grep -P '^security:' {{ mongod_config_path }} || true"
+#   register: security_check
+#   changed_when: false
+#   ignore_errors: true
+#   tags:
+#     - SV-252149
+
+# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block does not exist."
+#   blockinfile:
+#     path: "{{ mongod_config_path }}"
+#     marker: "#Rule ID SV-252149"
+#     prepend_newline: true
+#     insertafter: "^#security:"
+#     block: |
+#       security:
+#         authorization: enabled
+#   when: security_check.stdout == ""      
+#   register: result
+#   changed_when: no
+#   ignore_errors: true
+#   tags:
+#     - cat1
+#     - high
+#     - SV-252149
+
+# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block exists."
+#   blockinfile:
+#     path: "{{ mongod_config_path }}"
+#     marker: "#Rule ID SV-252149"
+#     prepend_newline: true
+#     insertafter: "^security:"
+#     block: |
+#       #
+#         authorization: enabled
+#   when: security_check.stdout != ""      
+#   register: result
+#   changed_when: no
+#   ignore_errors: true
+#   tags:
+#     - cat1
+#     - high
+#     - SV-252149
+
+# - name: "HIGH | SV-252150 | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
+#   community.mongodb.mongodb_shell: #works but unsure what output is
+#     db: "database"
+#     eval: "db.getRoles({rolesInfo: 1, showPrivileges:true, showBuiltinRoles: true })"
+#   register: result
+#   changed_when: no
+#   ignore_errors: true
+#   tags:
+#     - cat1
+#     - high
+#     - SV-252150
 
 # - name: "HIGH | SV-252152 | MongoDB software installation account must be restricted to authorized users."
 #   command: true
@@ -109,24 +109,24 @@
 #     - high
 #     - SV-252158
 
-- name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
-  #THERE IS A PART TWO THATS NOT COMPLETED
-  blockinfile:
-    path: "{{ mongod_config_path }}"
-    marker: "#Rule ID SV-252159"
-    prepend_newline: true
-    insertafter: "EOF"
-    block: |
-      setParameter:
-        authenticationMechanisms: SCRAM-SHA-256
-    state: present
-  register: result
-  changed_when: no
-  ignore_errors: true
-  tags:
-    - cat1
-    - high
-    - SV-252159
+# - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
+#   #THERE IS A PART TWO THATS NOT COMPLETED
+#   blockinfile:
+#     path: "{{ mongod_config_path }}"
+#     marker: "#Rule ID SV-252159"
+#     prepend_newline: true
+#     insertafter: "EOF"
+#     block: |
+#       setParameter:
+#         authenticationMechanisms: SCRAM-SHA-256
+#     state: present
+#   register: result
+#   changed_when: no
+#   ignore_errors: true
+#   tags:
+#     - cat1
+#     - high
+#     - SV-252159
 
 # - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
 #   #the command for part two of this Rule ID no longer exists in recent versions of mongo