inspec spacing

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -162,9 +162,9 @@
 
 - name: "MEDIUM | SV-252148 | MongoDB must limit the total number of concurrent connections to the database."
   yedit:
-      src: "{{ mongod_config_path }}"
-      key: net.maxIncomingConnections
-      value: "{{ max_incoming_connections }}"
+    src: "{{ mongod_config_path }}"
+    key: net.maxIncomingConnections
+    value: "{{ max_incoming_connections }}"
   ignore_errors: true
   tags:
     - cat2
@@ -236,6 +236,7 @@
 #     - medium
 #     - SV-252161
 
+##### in postgres the wording is the same but it seems like they check super users, but i dont think this one is checking for that? https://github.com/mitre/crunchy-data-postgresql-stig-baseline/blob/ca4a37b5179926d0e2b076d48125524b0faa0c3a/controls/V-233524.rb#L8
 # - name: "MEDIUM | SV-252163 | MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users)."
 #   command: true
 #   ignore_errors: true
@@ -244,14 +245,18 @@
 #     - medium
 #     - SV-252163
 
-# - name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values."
-#   command: true
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252164
+- name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values."
+  yedit:
+    src: "{{ mongod_config_path }}"
+    key: net.tls.mode
+    value: requireTLS
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252164
 
+##### MANUAL
 # - name: "MEDIUM | SV-252166 | Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy."
 #   command: true
 #   ignore_errors: true
@@ -260,29 +265,39 @@
 #     - medium
 #     - SV-252166
 
-# - name: "MEDIUM | SV-252167 | MongoDB must check the validity of all data inputs except those specifically identified by the organization."
-#   command: true
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252167
+##### SAME AS 252143?
+- name: "MEDIUM | SV-252167 | MongoDB must check the validity of all data inputs except those specifically identified by the organization."
+  yedit:
+      src: "{{ mongod_config_path }}"
+      key: security.javascriptEnabled
+      value: false
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252167
 
-# - name: "MEDIUM | SV-252168 | MongoDB must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries."
-#   command: true
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252168
+- name: "MEDIUM | SV-252168 | MongoDB must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries."
+  yedit:
+      src: "{{ mongod_config_path }}"
+      key: security.redactClientLogData
+      value: true
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252168
 
-# - name: "MEDIUM | SV-252169 | MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA."
-#   command: true
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252169
+- name: "MEDIUM | SV-252169 | MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA."
+  yedit:
+      src: "{{ mongod_config_path }}"
+      key: security.redactClientLogData
+      value: true
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252169
 
 # - name: "MEDIUM | SV-252170 | MongoDB must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect."
 #   command: true
@@ -292,13 +307,25 @@
 #     - medium
 #     - SV-252170
 
-# - name: "MEDIUM | SV-252171 | MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB."
-#   command: true
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252171
+##### ENTERPRISE ONLY, NOT SO SURE ABOUT THAT KEY VALUE
+- name: "MEDIUM | SV-252171 | MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB."
+  yedit:
+    src: "{{ mongod_config_path }}"
+    edits:
+    - key: auditLog.destination
+      value: file
+    - key: auditLog.format
+      value: BSON
+    - key: auditLog.path
+      value: "{{ mongo_audit_file_path }}"
+    - key: auditLog.filter
+      value: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252171
+    - enterprise
 
 # - name: "MEDIUM | SV-252172 | MongoDB must allocate audit record storage capacity in accordance with site audit record storage requirements."
 #   command: true

spec/mongo-inspec-profile/controls/SV-252134.rb

@@ -79,9 +79,9 @@
 
 
   describe yaml(input('mongod_config_path')) do
-        its(['auditLog','destination']){should eq "file"}
-        its(['auditLog','format']){should eq "BSON"}
-        its(['auditLog','path']){should match input('mongo_audit_file_path')}
-    end
+    its(['auditLog','destination']){should eq "file"}
+    its(['auditLog','format']){should eq "BSON"}
+    its(['auditLog','path']){should match input('mongo_audit_file_path')}
+  end
 
 end

spec/mongo-inspec-profile/controls/SV-252139.rb

@@ -57,11 +57,11 @@
   tag nist: ['IA-5 (1) (c)', 'IA-5 (2) (b) (1)']
 
   describe yaml(input('mongod_config_path')) do
-        its(['net','tls','mode']){should eq "requireTLS"}
-        its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')}
-        its(['net','tls','CAFile']){should match input('ca_file_path')}
-        its(['net','tls','allowInvalidCertificates']){should eq false}
-        its(['net','tls','allowConnectionsWithoutCertificates']){should eq false}
-    end
+    its(['net','tls','mode']){should eq "requireTLS"}
+    its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')}
+    its(['net','tls','CAFile']){should match input('ca_file_path')}
+    its(['net','tls','allowInvalidCertificates']){should eq false}
+    its(['net','tls','allowConnectionsWithoutCertificates']){should eq false}
+  end
 
 end

spec/mongo-inspec-profile/controls/SV-252143.rb

@@ -34,7 +34,7 @@
   tag nist: ['SI-10']
 
   describe yaml(input('mongod_config_path')) do
-        its(['security','javascriptEnabled']){should eq false}
-    end
+    its(['security','javascriptEnabled']){should eq false}
+  end
 
 end

spec/mongo-inspec-profile/controls/SV-252145.rb

@@ -56,7 +56,7 @@
   tag nist: ['AC-3 (4)', 'AC-6 (10)']
 
   describe yaml(input('mongod_config_path')) do
-        its(['security','authorization']){should eq "enabled"}
-    end
+    its(['security','authorization']){should eq "enabled"}
+  end
 
 end

spec/mongo-inspec-profile/controls/SV-252146.rb

@@ -55,7 +55,7 @@
   tag nist: ['SC-13 b', 'IA-7']
 
   describe yaml(input('mongod_config_path')) do
-        its(['net','tls','FIPSMode']){should eq true}
-    end
+    its(['net','tls','FIPSMode']){should eq true}
+  end
 
 end

spec/mongo-inspec-profile/controls/SV-252149.rb

@@ -49,7 +49,7 @@
   tag nist: ['AC-2 (1)']
 
   describe yaml(input('mongod_config_path')) do
-        its(['security','authorization']){should eq "enabled"}
-    end
+    its(['security','authorization']){should eq "enabled"}
+  end
 
 end

spec/mongo-inspec-profile/controls/SV-252159.rb

@@ -65,7 +65,7 @@
 
   #authSchemaUpgrade command doesn't exist anymore since version 4, so part 2 is not doable
   describe yaml(input('mongod_config_path')) do
-        its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']}
-    end
+    its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']}
+  end
 
 end

spec/mongo-inspec-profile/controls/SV-252164.rb

@@ -36,4 +36,9 @@
   tag 'documentable'
   tag cci: ['CCI-001188']
   tag nist: ['SC-23 (3)']
+
+  describe yaml(input('mongod_config_path')) do
+    its(['net','tls','mode']){should eq "requireTLS"}
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252166.rb

@@ -25,4 +25,9 @@
   tag 'documentable'
   tag cci: ['CCI-001090']
   tag nist: ['SC-4']
+
+  describe 'Review the procedures for the refreshing of development/test data from production.' do
+    skip 'If code for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.'
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252167.rb

@@ -42,4 +42,9 @@
   tag 'documentable'
   tag cci: ['CCI-001310']
   tag nist: ['SI-10']
+
+  describe yaml(input('mongod_config_path')) do
+    its(['security','javascriptEnabled']){should eq false}
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252168.rb

@@ -46,4 +46,9 @@
   tag 'documentable'
   tag cci: ['CCI-001312']
   tag nist: ['SI-11 a']
+
+  describe yaml(input('mongod_config_path')) do
+    its(['security','redactClientLogData']){should eq true}
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252169.rb

@@ -1,6 +1,6 @@
 control 'SV-252169' do
   title 'MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.'
-  desc %q(If MongoDB provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+  desc '(If MongoDB provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
 
 Some default DBMS error messages can contain information that could aid an attacker in, among other things, identifying the database type, host address, or state of the database. Custom errors may contain sensitive customer information.
 
@@ -47,4 +47,9 @@
   tag 'documentable'
   tag cci: ['CCI-001314']
   tag nist: ['SI-11 b']
+
+  describe yaml(input('mongod_config_path')) do
+    its(['security','redactClientLogData']){should eq true}
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252184.rb

@@ -32,8 +32,7 @@
   tag cci: ['CCI-002605']
   tag nist: ['SI-2 c']
 
-  describe 'Review the system documentation and interview the database administrator.
-    Identify all database software components. Review the version and release information.' do
+  describe 'Review the system documentation and interview the database administrator. Identify all database software components. Review the version and release information.' do
     skip 'If the DBMS or any of the software components are not supported by MongoDB, this is a finding.'
     skip 'Remove or decommission all unsupported software products.'
     skip 'Upgrade unsupported DBMS or unsupported components to a supported version of the product.'