diff --git a/mongo-hardening.pkr.hcl b/mongo-hardening.pkr.hcl
index 4d3b02a..67c3cae 100644
--- a/mongo-hardening.pkr.hcl
+++ b/mongo-hardening.pkr.hcl
@@ -70,9 +70,10 @@ build {
 #ansible needs python and pip to be installed on the target
 // provisioner "shell" {
 // inline = [
- // "apt-get update",
- // "apt-get install -y python${var.ansible_vars.python_version} python3-pip",
- // "ln -s /usr/bin/python3 /usr/bin/python",
+ // "cp /etc/mongod.conf.orig /etc/mongod.conf"
+ // // "apt-get update",
+ // // "apt-get install -y python${var.ansible_vars.python_version} python3-pip",
+ // // "ln -s /usr/bin/python3 /usr/bin/python",
 // ]
 // }
diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
index cfd4609..238b490 100644
--- a/spec/ansible/roles/mongo-stig/defaults/main.yml
+++ b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -1,6 +1,9 @@
 ---
 # defaults file for mongo-stig
+prep_conf: true
 mongostig_cat1: true
 mongostig_cat2: true
 mongostig_cat3: true
-mongod_config_path: "/etc/mongod.conf.orig"
\ No newline at end of file
+mongod_config_path: "/etc/mongod.conf"
+mongo_user: root
+mongo_group: root
\ No newline at end of file
diff --git a/spec/ansible/roles/mongo-stig/files/conf.template b/spec/ansible/roles/mongo-stig/files/conf.template
new file mode 100644
index 0000000..0720b44
--- /dev/null
+++ b/spec/ansible/roles/mongo-stig/files/conf.template
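Review bot: The new `mongo_user: root` / `mongo_group: root` defaults make the config that prep.yml installs root-owned, while a packaged mongod normally runs under its own service account; if the STIG ownership check expects the file to belong to that account (verify against the rule text), the default should be that account, e.g. `mongo_user: mongodb` / `mongo_group: mongodb`, overridable per platform. `mongostig_cat3: true` is kept although this commit deletes cat3.yml and its include, so the variable now gates nothing; drop it or leave a comment that CAT III is not implemented yet. A one-line comment per variable would help here, in particular that `mongod_config_path` must be the file mongod is actually started with, because the InSpec profile hardcodes `/etc/mongod.conf` and silently diverges if this default is overridden.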
@@ -0,0 +1,38 @@
+# mongod.conf
+
+# for documentation of all options, see:
+# http://docs.mongodb.org/manual/reference/configuration-options/
+
+# Where and how to store data.
+#storage:
+# dbPath: /var/lib/mongodb
+# engine:
+# wiredTiger:
+
+# where to write logging data.
+#systemLog:
+# destination: file
+# logAppend: true
+# path: /var/log/mongodb/mongod.log
+
+# network interfaces
+net:
+ port: 27017
+ bindIp: 127.0.0.1
+
+
+# how the process runs
+processManagement:
+ timeZoneInfo: /usr/share/zoneinfo
+
+#security:
+
+#operationProfiling:
+
+#replication:
+
+#sharding:
+
+## Enterprise-Only Options:
+
+#auditLog:
\ No newline at end of file
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
index 33beac6..327fe00 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat1.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
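Review bot: The template ships `#security:` commented out with no `authorization` key, so a host that receives this file runs mongod with access control disabled; since this same commit comments out the tasks that would add `security.authorization: enabled`, nothing in the role turns it back on, and the SV-252149 control that reads `/etc/mongod.conf` will fail. Unless that is deliberately left to a later task, the template should carry the baseline itself: `security:` / `  authorization: enabled`. The `storage:` and `systemLog:` sections are also commented out, which differs from the stock package config this appears to be derived from; with them absent mongod falls back to its built-in default data directory and logs to stdout instead of `/var/log/mongodb/mongod.log`, so confirm that is intended for the hardened image. `bindIp: 127.0.0.1` is a sound default; a comment such as `# widen only together with net.tls and security.authorization` would stop the next editor from loosening it in isolation.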
@@ -1,27 +1,27 @@
 ---
-- name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
- #change to SV
- blockinfile:
- path: "{{ mongod_config_path }}"
- marker: "#Rule ID SV-252139"
- prepend_newline: true
- insertafter: "^net:"
- block: | #need the ID as a placeholder for the space
- #
- tls:
- mode: requireTLS
- certificateKeyFile: /etc/ssl/mongodb.pem
- CAFile: /etc/ssl/caToValidateClientCertificates.pem
- allowInvalidCertificates: false
- allowConnectionsWithoutCertificates: false
- register: result
- changed_when: no
- ignore_errors: true
- tags:
- - cat1
- - high
- - SV-252139
+# - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
+# blockinfile:
+# path: "{{ mongod_config_path }}"
+# marker: "#Rule ID SV-252139"
+# prepend_newline: true
+# insertafter: "^net:"
+# block: | #need the ID as a placeholder for the space
+# #
+# tls:
+# mode: requireTLS
+# certificateKeyFile: /etc/ssl/mongodb.pem
+# CAFile: /etc/ssl/caToValidateClientCertificates.pem
+# allowInvalidCertificates: false
+# allowConnectionsWithoutCertificates: false
+# register: result
+# changed_when: no
+# ignore_errors: true
+# tags:
+# - cat1
+# - high
+# - SV-252139
+##### ENTERPRISE ONLY
 # - name: "HIGH | SV-252146 | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations."
 # command: true
 # register: result
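Review bot: Commenting out the SV-252139 task leaves the role with no TLS enforcement while `controls/SV-252139.rb` (changed in this same commit) still asserts `net.tls.mode == requireTLS` in `/etc/mongod.conf`, so the profile now fails by construction instead of reporting a deliberate exception. If the block is disabled because no certificate material is provisioned on the image, a variable guard keeps the remediation and makes the gap visible: `when: mongo_tls_enabled | bool` on the task, `mongo_tls_enabled: false` in defaults, and a matching `only_if` in the control. The retained `changed_when: no` on a `blockinfile` that rewrites the config means the task can never report a change, so no handler can restart mongod and the setting stays unapplied until the next restart; drop that line, and drop `ignore_errors: true` too so a failed write is not treated as compliant. The `certificateKeyFile` PEM at `/etc/ssl/mongodb.pem` holds the server's private key, so when this is re-enabled the task should also set that file to `0600` owned by the mongod account.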
@@ -33,61 +33,61 @@
 # - high
 # - SV-252146
-- name: Check if 'security:' exists and is not commented out
- shell: "grep -P '^security:' {{ mongod_config_path }} || true"
- register: security_check
- changed_when: false
- ignore_errors: true
- tags:
- - SV-252149
-
-- name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block does not exist."
- blockinfile:
- path: "{{ mongod_config_path }}"
- marker: "#Rule ID SV-252149"
- prepend_newline: true
- insertafter: "^#security:"
- block: |
- security:
- authorization: enabled
- when: security_check.stdout == ""
- register: result
- changed_when: no
- ignore_errors: true
- tags:
- - cat1
- - high
- - SV-252149
-
-- name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block exists."
- blockinfile:
- path: "{{ mongod_config_path }}"
- marker: "#Rule ID SV-252149"
- prepend_newline: true
- insertafter: "^security:"
- block: |
- #
- authorization: enabled
- when: security_check.stdout != ""
- register: result
- changed_when: no
- ignore_errors: true
- tags:
- - cat1
- - high
- - SV-252149
-
-- name: "HIGH | SV-252150 | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
- community.mongodb.mongodb_shell: #works but unsure what output is
- db: "database"
- eval: "db.getRoles({rolesInfo: 1, showPrivileges:true, showBuiltinRoles: true })"
- register: result
- changed_when: no
- ignore_errors: true
- tags:
- - cat1
- - high
- - SV-252150
+# - name: Check if 'security:' exists and is not commented out
+# shell: "grep -P '^security:' {{ mongod_config_path }} || true"
+# register: security_check
+# changed_when: false
+# ignore_errors: true
+# tags:
+# - SV-252149
+
+# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block does not exist."
+# blockinfile:
+# path: "{{ mongod_config_path }}"
+# marker: "#Rule ID SV-252149"
+# prepend_newline: true
+# insertafter: "^#security:"
+# block: |
+# security:
+# authorization: enabled
+# when: security_check.stdout == ""
+# register: result
+# changed_when: no
+# ignore_errors: true
+# tags:
+# - cat1
+# - high
+# - SV-252149
+
+# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block exists."
+# blockinfile:
+# path: "{{ mongod_config_path }}"
+# marker: "#Rule ID SV-252149"
+# prepend_newline: true
+# insertafter: "^security:"
+# block: |
+# #
+# authorization: enabled
+# when: security_check.stdout != ""
+# register: result
+# changed_when: no
+# ignore_errors: true
+# tags:
+# - cat1
+# - high
+# - SV-252149
+
+# - name: "HIGH | SV-252150 | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
+# community.mongodb.mongodb_shell: #works but unsure what output is
+# db: "database"
+# eval: "db.getRoles({rolesInfo: 1, showPrivileges:true, showBuiltinRoles: true })"
+# register: result
+# changed_when: no
+# ignore_errors: true
+# tags:
+# - cat1
+# - high
+# - SV-252150
 # - name: "HIGH | SV-252152 | MongoDB software installation account must be restricted to authorized users."
 # command: true
@@ -109,24 +109,24 @@
 # - high
 # - SV-252158
-- name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
- #THERE IS A PART TWO THATS NOT COMPLETED
- blockinfile:
- path: "{{ mongod_config_path }}"
- marker: "#Rule ID SV-252159"
- prepend_newline: true
- insertafter: "EOF"
- block: |
- setParameter:
- authenticationMechanisms: SCRAM-SHA-256
- state: present
- register: result
- changed_when: no
- ignore_errors: true
- tags:
- - cat1
- - high
- - SV-252159
+# - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
+# #THERE IS A PART TWO THATS NOT COMPLETED
+# blockinfile:
+# path: "{{ mongod_config_path }}"
+# marker: "#Rule ID SV-252159"
+# prepend_newline: true
+# insertafter: "EOF"
+# block: |
+# setParameter:
+# authenticationMechanisms: SCRAM-SHA-256
+# state: present
+# register: result
+# changed_when: no
+# ignore_errors: true
+# tags:
+# - cat1
+# - high
+# - SV-252159
 # - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
 # #the command for part two of this Rule ID no longer exists in recent versions of mongo
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
index 1277496..00b6ad1 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
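Review bot: Disabling the SV-252149 tasks removes the only place this role enables `security.authorization`, and the new conf.template leaves `#security:` commented out, so an image built from this commit runs mongod without authentication; `controls/SV-252149.rb` still asserts `authorization == enabled`, so the regression surfaces as a failing control, but it should not be the shipped state of a hardening role. If the blockinfile approach is what is being abandoned, the simplest safe replacement is to put `security:` / `  authorization: enabled` into the template and keep a single `ansible.builtin.lineinfile` here as the enforcement step. When the check task comes back, `shell: "grep -P '^security:' {{ mongod_config_path }} || true"` should quote the path (`'{{ mongod_config_path }}'`) or use `ansible.builtin.command` with `failed_when: false`, so a path containing spaces or shell metacharacters cannot alter the command.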
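Review bot: When the SV-252159 task is re-enabled, `insertafter: "EOF"` appends a second top-level `setParameter:` mapping if the config already carries one, and which of the two duplicate keys wins is then up to the YAML parser; anchor on `^setParameter:` like the other blocks, or set the single key with `lineinfile`. Restricting `authenticationMechanisms` to `SCRAM-SHA-256` is the right direction, but presumably any existing user whose stored credentials are SCRAM-SHA-1 only can no longer authenticate, which is exactly what the incomplete "part two" (verifying stored credential types) is meant to catch, so keep the task disabled until that check exists rather than turning it on blindly. `changed_when: no` and `ignore_errors: true` have the same problem as in the other tasks: a failed rewrite and a successful one are reported identically.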
@@ -1,22 +1,23 @@
 # ---
-- name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components."
- blockinfile:
- path: "{{ mongod_config_path }}"
- marker: "#Rule ID SV-242134"
- prepend_newline: true
- insertafter: "^#auditLog:"
- block: |
- auditLog:
- destination: file
- format: BSON
- path: /var/log/mongodb/audit/auditLog.bson
- register: result
- changed_when: no
- ignore_errors: true
- tags:
- - cat2
- - medium
- - SV-252134
+#####ENTERPRISE ONLY
+# - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components."
+# blockinfile:
+# path: "{{ mongod_config_path }}"
+# marker: "#Rule ID SV-242134"
+# prepend_newline: true
+# insertafter: "^#auditLog:"
+# block: |
+# auditLog:
+# destination: file
+# format: BSON
+# path: /var/log/mongodb/audit/auditLog.bson
+# register: result
+# changed_when: no
+# ignore_errors: true
+# tags:
+# - cat2
+# - medium
+# - SV-252134
 # - name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
 # command: true
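Review bot: The marker `#Rule ID SV-242134` does not match the rule this task implements (SV-252134); blockinfile identifies its block by the marker, so a later task written with the correct ID would insert a second block instead of replacing this one — fix the marker before the task is re-enabled. Labelling audit as Enterprise-only is accurate, but `controls/SV-252134.rb` (touched in this commit) still hard-requires the `auditLog` keys in `/etc/mongod.conf`, so on a Community build that control can never pass and should instead skip with a stated reason. When the task is re-enabled on an Enterprise build, `/var/log/mongodb/audit/` also has to be created with restrictive permissions, since the audit log is what SV-252135 protects.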
@@ -72,24 +73,24 @@
 # - medium
 # - SV-252140
-- name: "MEDIUM | SV-252141 | MongoDB must fail to a secure state if system initialization fails, shutdown fails, or aborts fail."
- #need to add check text
- blockinfile:
- path: "{{ mongod_config_path }}"
- marker: "#Rule ID SV-252141"
- prepend_newline: true
- insertafter: "EOF"
- block: |
- storage:
- journal:
- enabled: true
- register: result
- changed_when: no
- ignore_errors: true
- tags:
- - cat2
- - medium
- - SV-252141
+# - name: "MEDIUM | SV-252141 | MongoDB must fail to a secure state if system initialization fails, shutdown fails, or aborts fail."
+# #need to add check text and if else statement
+# blockinfile:
+# path: "{{ mongod_config_path }}"
+# marker: "#Rule ID SV-252141"
+# prepend_newline: true
+# insertafter: "^storage:"
+# block: |
+# #
+# journal:
+# enabled: true
+# register: result
+# changed_when: no
+# ignore_errors: true
+# tags:
+# - cat2
+# - medium
+# - SV-252141
 # - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
 # command: true
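Review bot: The new `insertafter: "^storage:"` cannot match the config this commit installs, because conf.template has `#storage:` commented out; blockinfile then falls back to appending at end of file, which yields a top-level `journal:` key with no `storage:` parent and an invalid config. The task needs the same exists/does-not-exist pair the `security:` tasks use (the `#need ... if else statement` comment suggests this is known), or more simply the template should uncomment `storage:` with `dbPath` set so the anchor always exists. Note also that `storage.journal.enabled` has been removed in newer MongoDB releases where journaling is always on (6.1 onward, if I recall the release notes correctly), so both this task and `controls/SV-252141.rb` should be conditioned on the installed version; confirm which version the image targets.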
@@ -101,49 +102,49 @@
 # - medium
 # - SV-252142
-- name: Check if 'security:' exists and is not commented out
- shell: "grep -P '^security:' {{ mongod_config_path }} || true"
- register: security_check
- changed_when: false
- ignore_errors: true
- tags:
- - SV-252143
-
-- name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block does not exist."
- blockinfile:
- path: "{{ mongod_config_path }}"
- marker: "#Rule ID SV-252143"
- prepend_newline: true
- insertafter: "^#security:"
- block: |
- security:
- javascriptEnabled: false
- when: security_check.stdout == ""
- register: result
- changed_when: no
- ignore_errors: true
- tags:
- - cat2
- - medium
- - SV-252143
-
-- name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block exists."
- blockinfile:
- path: "{{ mongod_config_path }}"
- marker: "#Rule ID SV-252143"
- prepend_newline: true
- insertafter: "^security:"
- block: |
- #
- javascriptEnabled: false
- when: security_check.stdout != ""
- register: result
- changed_when: no
- ignore_errors: true
- tags:
- - cat2
- - medium
- - SV-252143
+# - name: Check if 'security:' exists and is not commented out
+# shell: "grep -P '^security:' {{ mongod_config_path }} || true"
+# register: security_check
+# changed_when: false
+# ignore_errors: true
+# tags:
+# - SV-252143
+
+# - name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block does not exist."
+# blockinfile:
+# path: "{{ mongod_config_path }}"
+# marker: "#Rule ID SV-252143"
+# prepend_newline: true
+# insertafter: "^#security:"
+# block: |
+# security:
+# javascriptEnabled: false
+# when: security_check.stdout == ""
+# register: result
+# changed_when: no
+# ignore_errors: true
+# tags:
+# - cat2
+# - medium
+# - SV-252143
+
+# - name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block exists."
+# blockinfile:
+# path: "{{ mongod_config_path }}"
+# marker: "#Rule ID SV-252143"
+# prepend_newline: true
+# insertafter: "^security:"
+# block: |
+# #
+# javascriptEnabled: false
+# when: security_check.stdout != ""
+# register: result
+# changed_when: no
+# ignore_errors: true
+# tags:
+# - cat2
+# - medium
+# - SV-252143
 # - name: "MEDIUM | SV-252144 | MongoDB must associate organization-defined types of security labels having organization-defined security label values with information in storage and transmission."
 # command: true
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat3.yml b/spec/ansible/roles/mongo-stig/tasks/cat3.yml
deleted file mode 100644
index ed97d53..0000000
--- a/spec/ansible/roles/mongo-stig/tasks/cat3.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/spec/ansible/roles/mongo-stig/tasks/main.yml b/spec/ansible/roles/mongo-stig/tasks/main.yml
index 1a65e49..f271c7a 100644
--- a/spec/ansible/roles/mongo-stig/tasks/main.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/main.yml
@@ -1,4 +1,10 @@
 ---
+- name: Mongo.conf Prep
+ ansible.builtin.import_tasks: prep.yml
+ when: prep_conf
+ tags:
+ - prep
+
 # tasks file for mongo-stig
 - name: Include CAT I
 ansible.builtin.import_tasks: cat1.yml
@@ -12,11 +18,4 @@
 when: mongostig_cat2
 tags:
 - CAT2
- - medium
-
-- name: Include CAT III
- ansible.builtin.import_tasks: cat3.yml
- when: mongostig_cat3
- tags:
- - CAT3
- - low
\ No newline at end of file
+ - medium
\ No newline at end of file
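Review bot: With the SV-252143 tasks disabled nothing sets `security.javascriptEnabled: false`, and the template leaves the key out entirely, so server-side JavaScript stays at the server default on the hardened image while `controls/SV-252143.rb` still asserts `false`. The check-plus-two-branches pattern duplicates the SV-252149 logic in cat1.yml with a different marker; when both are re-enabled, the `when: security_check.stdout != ""` branch inserts directly after `^security:` and lands ahead of whatever cat1 already added, which works but deserves a comment (`# ordering relative to the SV-252149 block is not significant`) — or merge both keys into one `security:` block in the template so a single task maintains it. As in cat1.yml, `{{ mongod_config_path }}` is unquoted inside `shell:`; quote it or switch to `ansible.builtin.command` with `failed_when: false`.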
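Review bot: `tags: - prep` on the prep import means a run limited with `--tags CAT1` or `--tags CAT2` skips the task that seeds `{{ mongod_config_path }}`, and every cat task then edits a file that may not exist; tag the import `tags: [prep, always]` or have each cat file fail fast with an `ansible.builtin.assert` on the path. `when: prep_conf` would benefit from a one-line comment, e.g. `# prep.yml only seeds the file when absent; it never rewrites an existing config`, because the name "Prep" suggests more than that. The CAT III include and cat3.yml are removed but `mongostig_cat3` remains in defaults, so either remove the variable or leave a placeholder comment here saying CAT III is pending.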
diff --git a/spec/ansible/roles/mongo-stig/tasks/prep.yml b/spec/ansible/roles/mongo-stig/tasks/prep.yml
new file mode 100644
index 0000000..7748033
--- /dev/null
+++ b/spec/ansible/roles/mongo-stig/tasks/prep.yml
@@ -0,0 +1,18 @@
+---
+- name: "Check or create {{ mongod_config_path }} file"
+ ansible.builtin.stat:
+ path: "{{ mongod_config_path }}"
+ register: conf
+ changed_when: no
+ ignore_errors: true
+ tags:
+ - prep
+
+- name: Copy file with owner and permissions
+ ansible.builtin.copy:
+ src: files/conf.template
+ dest: "{{ mongod_config_path }}"
+ owner: "{{ mongo_user }}"
+ group: "{{ mongo_group }}"
+ mode: '755'
+ when: conf.stat.exists == false
\ No newline at end of file
diff --git a/spec/mongo-inspec-profile/controls/SV-252134.rb b/spec/mongo-inspec-profile/controls/SV-252134.rb
index 5c70efa..a3372e3 100644
--- a/spec/mongo-inspec-profile/controls/SV-252134.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252134.rb
@@ -78,7 +78,7 @@
 tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-5 b', 'AU-10', 'AU-12 b', 'AU-12 c', 'AU-14 (1)', 'AU-3 f', 'CM-5 (1)', 'AU-3 (2)', 'AU-4 (1)', 'AU-5 (2)']
- describe yaml('/etc/mongod.conf.orig') do
+ describe yaml('/etc/mongod.conf') do
 its(['auditLog','destination']){should eq "file"}
 its(['auditLog','format']){should eq "BSON"}
 its(['auditLog','path']){should eq "/var/log/mongodb/audit/auditLog.bson"}
diff --git a/spec/mongo-inspec-profile/controls/SV-252139.rb b/spec/mongo-inspec-profile/controls/SV-252139.rb
index 5a8e894..82f49a2 100644
--- a/spec/mongo-inspec-profile/controls/SV-252139.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252139.rb
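Review bot: `mode: '755'` makes the mongod config executable and world-readable; a config file needs no execute bit, and since `mongod.conf` may later carry secrets such as `net.tls.certificateKeyFilePassword` it should not be readable by other users either, so `mode: '0640'` with the owner set to the account mongod runs as — note the defaults currently give `root:root`, which at 0640 the mongod service account could not read, so that default has to change together with this line. `when: conf.stat.exists == false` should be `when: not conf.stat.exists`, and `ignore_errors: true` on the `stat` is a trap: if the stat fails, `conf.stat` is undefined and the `when` itself errors with a less useful message, so drop it (`changed_when: no` on `stat` is redundant as well, since stat never reports changed). Because the copy only runs when the file is absent, an existing weak config is left untouched; a comment on the first task such as `# never overwrites an operator-managed mongod.conf; seeds the baseline only` would stop readers from assuming this step enforces anything.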
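Review bot: The control now reads `/etc/mongod.conf`, but the Ansible task that writes the `auditLog` keys is commented out in this same commit as Enterprise-only, so on a Community build this control fails unconditionally instead of reporting as not applicable. Guard it before the `describe` with something like `only_if('auditLog is an Enterprise-only option') { command('mongod --version').stdout.include?('enterprise') }` (adjust the match to the actual version banner) and keep the assertions for Enterprise hosts. The control's body begins above this hunk, so I cannot see whether `impact` or an existing `only_if` already qualifies it.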
@@ -56,7 +56,7 @@
 tag cci: ['CCI-000197', 'CCI-000185']
 tag nist: ['IA-5 (1) (c)', 'IA-5 (2) (b) (1)']
- describe yaml('/etc/mongod.conf.orig') do
+ describe yaml('/etc/mongod.conf') do
 its(['net','tls','mode']){should eq "requireTLS"}
 its(['net','tls','certificateKeyFile']){should eq "/etc/ssl/mongodb.pem"}
 its(['net','tls','CAFile']){should eq "/etc/ssl/caToValidateClientCertificates.pem"}
diff --git a/spec/mongo-inspec-profile/controls/SV-252141.rb b/spec/mongo-inspec-profile/controls/SV-252141.rb
index bc79d03..c3819aa 100644
--- a/spec/mongo-inspec-profile/controls/SV-252141.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252141.rb
@@ -47,7 +47,7 @@
 tag cci: ['CCI-001190', 'CCI-001665']
 tag nist: ['SC-24', 'SC-24']
- describe yaml('/etc/mongod.conf.orig') do
+ describe yaml('/etc/mongod.conf') do
 its(['storage','journal','enabled']){should eq true}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252143.rb b/spec/mongo-inspec-profile/controls/SV-252143.rb
index 6bcdbea..49a90d7 100644
--- a/spec/mongo-inspec-profile/controls/SV-252143.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252143.rb
@@ -33,7 +33,7 @@
 tag cci: ['CCI-001310']
 tag nist: ['SI-10']
- describe yaml('/etc/mongod.conf.orig') do
+ describe yaml('/etc/mongod.conf') do
 its(['security','javascriptEnabled']){should eq false}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252149.rb b/spec/mongo-inspec-profile/controls/SV-252149.rb
index db36261..eb96df8 100644
--- a/spec/mongo-inspec-profile/controls/SV-252149.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252149.rb
@@ -48,7 +48,7 @@
 tag cci: ['CCI-000015']
 tag nist: ['AC-2 (1)']
- describe yaml('/etc/mongod.conf.orig') do
+ describe yaml('/etc/mongod.conf') do
 its(['security','authorization']){should eq "enabled"}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252159.rb b/spec/mongo-inspec-profile/controls/SV-252159.rb
index 4992d4d..8dea077 100644
--- a/spec/mongo-inspec-profile/controls/SV-252159.rb
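Review bot: Asserting the `net.tls` keys in `/etc/mongod.conf` proves the setting is written, not that the key material is protected: the Ansible task in this same commit points `certificateKeyFile` at `/etc/ssl/mongodb.pem`, which holds the server's private key, and nothing visible in this profile checks that file. Add a file check beside the yaml one, and — if not already asserted below the hunk — pin `allowInvalidCertificates` / `allowConnectionsWithoutCertificates` to `false` as the task sets them, since `mode: requireTLS` alone still admits clients without a certificate. The `describe` block continues past the hunk, so the exact placement of the additions depends on what follows.
```ruby
  describe yaml('/etc/mongod.conf') do
    # … unchanged: mode / certificateKeyFile / CAFile assertions …
    its(['net','tls','allowInvalidCertificates']){should eq false}
    its(['net','tls','allowConnectionsWithoutCertificates']){should eq false}
  end

  # the PEM referenced by certificateKeyFile carries the private key
  describe file('/etc/ssl/mongodb.pem') do
    it { should exist }
    it { should_not be_readable.by('others') }
    it { should_not be_writable.by('others') }
  end
```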
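Review bot: `its(['security','authorization']){should eq "enabled"}` now reads the live config, but this commit also disables the Ansible task that writes that key and the new template omits it, so expect this control to fail on every image built from this commit until the template or a task sets it. A file-only check also passes when mongod was started with a different `--config`, so a complementary runtime check would make the control robust to that, e.g. a `describe command(...)` that runs an unauthenticated `listDatabases` through `mongosh` and expects it to be refused; the control begins above this hunk, so I cannot tell whether such a check already exists.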
+++ b/spec/mongo-inspec-profile/controls/SV-252159.rb
@@ -64,7 +64,7 @@
 tag nist: ['IA-5 (1) (c)']
 #THERE IS A PART TWO THATS NOT COMPLETED
- describe yaml('/etc/mongod.conf.orig') do
+ describe yaml('/etc/mongod.conf') do
 its(['setParameter','authenticationMechanisms']){should eq "SCRAM-SHA-256"}
 end
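Review bot: `should eq "SCRAM-SHA-256"` is an exact string comparison on the file value, so a legitimate setting such as `SCRAM-SHA-256,MONGODB-X509` (used together with client certificates) or a YAML list fails the control even though SCRAM-SHA-1 is excluded; if the requirement is "no SHA-1", `its(['setParameter','authenticationMechanisms']){should_not match(/SCRAM-SHA-1/)}` expresses it, optionally alongside the equality check. The `#THERE IS A PART TWO THATS NOT COMPLETED` comment should say what part two is — per the Ansible task's comment, verifying that stored user credentials are SCRAM-SHA-256 only — so the next contributor does not have to reverse-engineer it; the control begins above this hunk.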