diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml index 288a03f..6ef29fb 100644 --- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml +++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml @@ -162,9 +162,9 @@ - name: "MEDIUM | SV-252148 | MongoDB must limit the total number of concurrent connections to the database." yedit: - src: "{{ mongod_config_path }}" - key: net.maxIncomingConnections - value: "{{ max_incoming_connections }}" + src: "{{ mongod_config_path }}" + key: net.maxIncomingConnections + value: "{{ max_incoming_connections }}" ignore_errors: true tags: - cat2 @@ -236,6 +236,7 @@ # - medium # - SV-252161 +##### in postgres the wording is the same but it seems like they check super users, but i dont think this one is checking for that? https://github.com/mitre/crunchy-data-postgresql-stig-baseline/blob/ca4a37b5179926d0e2b076d48125524b0faa0c3a/controls/V-233524.rb#L8 # - name: "MEDIUM | SV-252163 | MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users)." # command: true # ignore_errors: true @@ -244,14 +245,18 @@ # - medium # - SV-252163 -# - name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values." -# command: true -# ignore_errors: true -# tags: -# - cat2 -# - medium -# - SV-252164 +- name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values." + yedit: + src: "{{ mongod_config_path }}" + key: net.tls.mode + value: requireTLS + ignore_errors: true + tags: + - cat2 + - medium + - SV-252164 +##### MANUAL # - name: "MEDIUM | SV-252166 | Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy." # command: true # ignore_errors: true 
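Review bot: The new SV-252164 task writes `net.tls.mode: requireTLS` by itself, but mongod only starts in that mode when `net.tls.certificateKeyFile` (and normally `net.tls.CAFile`) is present in the same config; the SV-252139 task that presumably sets those is outside this hunk, so if it is ordered later or skipped, the next service restart fails and nothing in this play reports it, since yedit only edits the file and `ignore_errors: true` hides even the write failing. A comment above the task, `# depends on the TLS certificate settings applied by the SV-252139 task being in place first`, would make the ordering dependency explicit. The `##### MANUAL` marker for SV-252166 below it is fine, but it would read better with the same `# - name:` comment style as the rest of the disabled tasks.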
@@ -260,29 +265,39 @@ # - medium # - SV-252166 -# - name: "MEDIUM | SV-252167 | MongoDB must check the validity of all data inputs except those specifically identified by the organization." -# command: true -# ignore_errors: true -# tags: -# - cat2 -# - medium -# - SV-252167 +##### SAME AS 252143? +- name: "MEDIUM | SV-252167 | MongoDB must check the validity of all data inputs except those specifically identified by the organization." + yedit: + src: "{{ mongod_config_path }}" + key: security.javascriptEnabled + value: false + ignore_errors: true + tags: + - cat2 + - medium + - SV-252167 -# - name: "MEDIUM | SV-252168 | MongoDB must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries." -# command: true -# ignore_errors: true -# tags: -# - cat2 -# - medium -# - SV-252168 +- name: "MEDIUM | SV-252168 | MongoDB must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries." + yedit: + src: "{{ mongod_config_path }}" + key: security.redactClientLogData + value: true + ignore_errors: true + tags: + - cat2 + - medium + - SV-252168 -# - name: "MEDIUM | SV-252169 | MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA." -# command: true -# ignore_errors: true -# tags: -# - cat2 -# - medium -# - SV-252169 +- name: "MEDIUM | SV-252169 | MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA." + yedit: + src: "{{ mongod_config_path }}" + key: security.redactClientLogData + value: true + ignore_errors: true + tags: + - cat2 + - medium + - SV-252169 # - name: "MEDIUM | SV-252170 | MongoDB must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect." # command: true 
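Review bot: `security.redactClientLogData`, written by the new SV-252168 and SV-252169 tasks, is documented by MongoDB as an Enterprise-only option, so on a Community build this remediation is not honored, and with `ignore_errors: true` the play will never say so. The SV-252171 task in the following hunk marks the same situation with an `- enterprise` tag; these two tasks should carry the same tag so they can be skipped consistently. The two tasks also write an identical key/value, and SV-252167 repeats SV-252143 (the `##### SAME AS 252143?` comment); that is harmless for yedit, but the duplication should be stated as a fact in the task comment, e.g. `# same remediation as SV-252143; kept so the control is tagged and reported separately`, rather than left as an open question.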
@@ -292,13 +307,25 @@ # - medium # - SV-252170 -# - name: "MEDIUM | SV-252171 | MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB." -# command: true -# ignore_errors: true -# tags: -# - cat2 -# - medium -# - SV-252171 +##### ENTERPRISE ONLY, NOT SO SURE ABOUT THAT KEY VALUE +- name: "MEDIUM | SV-252171 | MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB." + yedit: + src: "{{ mongod_config_path }}" + edits: + - key: auditLog.destination + value: file + - key: auditLog.format + value: BSON + - key: auditLog.path + value: "{{ mongo_audit_file_path }}" + - key: auditLog.filter + value: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }' + ignore_errors: true + tags: + - cat2 + - medium + - SV-252171 + - enterprise # - name: "MEDIUM | SV-252172 | MongoDB must allocate audit record storage capacity in accordance with site audit record storage requirements." # command: true diff --git a/spec/mongo-inspec-profile/controls/SV-252134.rb b/spec/mongo-inspec-profile/controls/SV-252134.rb index 3424d24..f302bb4 100644 --- a/spec/mongo-inspec-profile/controls/SV-252134.rb +++ b/spec/mongo-inspec-profile/controls/SV-252134.rb @@ -79,9 +79,9 @@ describe yaml(input('mongod_config_path')) do - its(['auditLog','destination']){should eq "file"} - its(['auditLog','format']){should eq "BSON"} - its(['auditLog','path']){should match input('mongo_audit_file_path')} - end + its(['auditLog','destination']){should eq "file"} + its(['auditLog','format']){should eq "BSON"} + its(['auditLog','path']){should match input('mongo_audit_file_path')} + end end diff --git a/spec/mongo-inspec-profile/controls/SV-252139.rb b/spec/mongo-inspec-profile/controls/SV-252139.rb index 3f91b18..d47a067 100644 --- a/spec/mongo-inspec-profile/controls/SV-252139.rb +++ b/spec/mongo-inspec-profile/controls/SV-252139.rb 
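Review bot: The `auditLog.filter` edit in the new SV-252171 task limits the entire audit log to `createCollection`/`dropCollection` events; mongod applies that filter globally, so authentication and authorization events that other controls in this role depend on would no longer be written, which works against a control about capturing audit content from all components. If the filter was only a placeholder, drop that list entry so the default (all events) applies, or make it a role variable with a documented default instead of a literal in the task. The `##### ENTERPRISE ONLY, NOT SO SURE ABOUT THAT KEY VALUE` comment should be resolved before this task ships enabled; note that the SV-252134 InSpec check in this same commit asserts `destination`/`format`/`path` but not the filter, so a bad filter value would go unnoticed.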
@@ -57,11 +57,11 @@ tag nist: ['IA-5 (1) (c)', 'IA-5 (2) (b) (1)'] describe yaml(input('mongod_config_path')) do - its(['net','tls','mode']){should eq "requireTLS"} - its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')} - its(['net','tls','CAFile']){should match input('ca_file_path')} - its(['net','tls','allowInvalidCertificates']){should eq false} - its(['net','tls','allowConnectionsWithoutCertificates']){should eq false} - end + its(['net','tls','mode']){should eq "requireTLS"} + its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')} + its(['net','tls','CAFile']){should match input('ca_file_path')} + its(['net','tls','allowInvalidCertificates']){should eq false} + its(['net','tls','allowConnectionsWithoutCertificates']){should eq false} + end end diff --git a/spec/mongo-inspec-profile/controls/SV-252143.rb b/spec/mongo-inspec-profile/controls/SV-252143.rb index 8890c0f..f124968 100644 --- a/spec/mongo-inspec-profile/controls/SV-252143.rb +++ b/spec/mongo-inspec-profile/controls/SV-252143.rb @@ -34,7 +34,7 @@ tag nist: ['SI-10'] describe yaml(input('mongod_config_path')) do - its(['security','javascriptEnabled']){should eq false} - end + its(['security','javascriptEnabled']){should eq false} + end end diff --git a/spec/mongo-inspec-profile/controls/SV-252145.rb b/spec/mongo-inspec-profile/controls/SV-252145.rb index 54e3a4d..fbaa17e 100644 --- a/spec/mongo-inspec-profile/controls/SV-252145.rb +++ b/spec/mongo-inspec-profile/controls/SV-252145.rb @@ -56,7 +56,7 @@ tag nist: ['AC-3 (4)', 'AC-6 (10)'] describe yaml(input('mongod_config_path')) do - its(['security','authorization']){should eq "enabled"} - end + its(['security','authorization']){should eq "enabled"} + end end diff --git a/spec/mongo-inspec-profile/controls/SV-252146.rb b/spec/mongo-inspec-profile/controls/SV-252146.rb index 41bef4a..4f4df72 100644 --- a/spec/mongo-inspec-profile/controls/SV-252146.rb 
+++ b/spec/mongo-inspec-profile/controls/SV-252146.rb @@ -55,7 +55,7 @@ tag nist: ['SC-13 b', 'IA-7'] describe yaml(input('mongod_config_path')) do - its(['net','tls','FIPSMode']){should eq true} - end + its(['net','tls','FIPSMode']){should eq true} + end end diff --git a/spec/mongo-inspec-profile/controls/SV-252149.rb b/spec/mongo-inspec-profile/controls/SV-252149.rb index d9f450a..712e2a9 100644 --- a/spec/mongo-inspec-profile/controls/SV-252149.rb +++ b/spec/mongo-inspec-profile/controls/SV-252149.rb @@ -49,7 +49,7 @@ tag nist: ['AC-2 (1)'] describe yaml(input('mongod_config_path')) do - its(['security','authorization']){should eq "enabled"} - end + its(['security','authorization']){should eq "enabled"} + end end diff --git a/spec/mongo-inspec-profile/controls/SV-252159.rb b/spec/mongo-inspec-profile/controls/SV-252159.rb index 7f9f97a..a08274a 100644 --- a/spec/mongo-inspec-profile/controls/SV-252159.rb +++ b/spec/mongo-inspec-profile/controls/SV-252159.rb @@ -65,7 +65,7 @@ #authSchemaUpgrade command doesn't exist anymore since version 4, so part 2 is not doable describe yaml(input('mongod_config_path')) do - its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']} - end + its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']} + end end diff --git a/spec/mongo-inspec-profile/controls/SV-252164.rb b/spec/mongo-inspec-profile/controls/SV-252164.rb index 8af7f76..66bcdeb 100644 --- a/spec/mongo-inspec-profile/controls/SV-252164.rb +++ b/spec/mongo-inspec-profile/controls/SV-252164.rb @@ -36,4 +36,9 @@ tag 'documentable' tag cci: ['CCI-001188'] tag nist: ['SC-23 (3)'] + + describe yaml(input('mongod_config_path')) do + its(['net','tls','mode']){should eq "requireTLS"} + end + end diff --git a/spec/mongo-inspec-profile/controls/SV-252166.rb b/spec/mongo-inspec-profile/controls/SV-252166.rb index 02102c8..fd1e40c 100644 
--- a/spec/mongo-inspec-profile/controls/SV-252166.rb +++ b/spec/mongo-inspec-profile/controls/SV-252166.rb @@ -25,4 +25,9 @@ tag 'documentable' tag cci: ['CCI-001090'] tag nist: ['SC-4'] + + describe 'Review the procedures for the refreshing of development/test data from production.' do + skip 'If code for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.' + end + end diff --git a/spec/mongo-inspec-profile/controls/SV-252167.rb b/spec/mongo-inspec-profile/controls/SV-252167.rb index c7bf443..c010725 100644 --- a/spec/mongo-inspec-profile/controls/SV-252167.rb +++ b/spec/mongo-inspec-profile/controls/SV-252167.rb @@ -42,4 +42,9 @@ tag 'documentable' tag cci: ['CCI-001310'] tag nist: ['SI-10'] + + describe yaml(input('mongod_config_path')) do + its(['security','javascriptEnabled']){should eq false} + end + end diff --git a/spec/mongo-inspec-profile/controls/SV-252168.rb b/spec/mongo-inspec-profile/controls/SV-252168.rb index 4472b42..9325d68 100644 --- a/spec/mongo-inspec-profile/controls/SV-252168.rb +++ b/spec/mongo-inspec-profile/controls/SV-252168.rb @@ -46,4 +46,9 @@ tag 'documentable' tag cci: ['CCI-001312'] tag nist: ['SI-11 a'] + + describe yaml(input('mongod_config_path')) do + its(['security','redactClientLogData']){should eq true} + end + end diff --git a/spec/mongo-inspec-profile/controls/SV-252169.rb b/spec/mongo-inspec-profile/controls/SV-252169.rb index 5c9faa7..414a87f 100644 --- a/spec/mongo-inspec-profile/controls/SV-252169.rb +++ b/spec/mongo-inspec-profile/controls/SV-252169.rb 
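Review bot: The `describe yaml(...)` block added to SV-252168 asserts `security.redactClientLogData` is `true`, but that option redacts client data from mongod's own log output; it does not shape the error messages returned to non-privileged users, which is what SV-252168 is about, so a passing result does not establish the control. The same block is added to SV-252169, where log-side redaction is closer to the intent (detailed errors visible only to administrators), but both should say what is and is not covered, e.g. `# NOTE: redactClientLogData only affects mongod log output; client-facing error text is not checked here`. For the client-facing part, a `describe`/`skip` manual-review block like the one added to SV-252166 in this commit would be more accurate than a green result.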
@@ -1,6 +1,6 @@ control 'SV-252169' do title 'MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.' - desc %q(If MongoDB provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + desc '(If MongoDB provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Some default DBMS error messages can contain information that could aid an attacker in, among other things, identifying the database type, host address, or state of the database. Custom errors may contain sensitive customer information. @@ -47,4 +47,9 @@ tag 'documentable' tag cci: ['CCI-001314'] tag nist: ['SI-11 b'] + + describe yaml(input('mongod_config_path')) do + its(['security','redactClientLogData']){should eq true} + end + end diff --git a/spec/mongo-inspec-profile/controls/SV-252184.rb b/spec/mongo-inspec-profile/controls/SV-252184.rb index ba360b7..e9f8f4f 100644 --- a/spec/mongo-inspec-profile/controls/SV-252184.rb +++ b/spec/mongo-inspec-profile/controls/SV-252184.rb 
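Review bot: Replacing `desc %q(` with `desc '(` on line 3 of SV-252169.rb breaks the literal: `%q(` opened a parenthesis-delimited string closed by a matching `)` further down, and no hunk in this diff touches that closing delimiter, so the new single-quoted string starts with a literal `(` and runs to the next `'` in the file (likely one of the `tag '...'` lines), which Ruby will reject or silently mis-parse. Unless the closing was changed outside the shown hunks, restore `desc %q(If MongoDB provides too much information in error logs and administrative messages to the screen, this could lead to compromise.` or convert both ends to the same quoting. The `describe yaml(...)` block in the second hunk of this file is covered by the note on SV-252168.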
@@ -32,8 +32,7 @@ tag cci: ['CCI-002605'] tag nist: ['SI-2 c'] - describe 'Review the system documentation and interview the database administrator. - Identify all database software components. Review the version and release information.' do + describe 'Review the system documentation and interview the database administrator. Identify all database software components. Review the version and release information.' do skip 'If the DBMS or any of the software components are not supported by MongoDB, this is a finding.' skip 'Remove or decommission all unsupported software products.' skip 'Upgrade unsupported DBMS or unsupported components to a supported version of the product.'