yaml to mongodb_conf, 252175 half works

mongo-hardening.pkr.hcl

@@ -24,7 +24,7 @@ variable "ansible_vars" {
 variable "input_image" {
   type = map(string)
   default = {
-    "tag"     = "enterprise_ansible_ready"
+    "tag"     = "enterprise-ansible-ready"
     "version" = "latest"
   }
 }

spec/ansible/roles/mongo-stig/defaults/main.yml

@@ -4,8 +4,10 @@ prep_conf: true
 mongostig_cat1: true
 mongostig_cat2: true
 mongostig_cat3: true 
-mongo_user: root
+mongo_owner: root
 mongo_group: root
+mongo_host: "localhost"
+mongo_port: 27017
 #audit_log_destination | "file" or "syslog"
 audit_log_destination: "file"
 mongod_config_path: "/etc/mongod.conf"

spec/ansible/roles/mongo-stig/tasks/cat1.yml

@@ -34,16 +34,16 @@
 #     - enterprise
 
 ##### DISABLED FOR EASIER TESTING
-# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals."
-#   yedit:
-#       src: "{{ mongod_config_path }}"
-#       key: security.authorization
-#       value: enabled
-#   ignore_errors: true
-#   tags:
-#     - cat1
-#     - high
-#     - SV-252149
+- name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals."
+  yedit:
+      src: "{{ mongod_config_path }}"
+      key: security.authorization
+      value: enabled
+  ignore_errors: true
+  tags:
+    - cat1
+    - high
+    - SV-252149
 
 ##### MANUAL
 # - name: "HIGH | SV-252150 | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
@@ -108,9 +108,9 @@
 ##### FILES DONT EXIST check text conflict with 252136? 
 # - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
 #   ansible.builtin.shell: |
-#       chown {{ mongo_user }}:{{ mongo_user }} {{ certificate_key_file_path }}
+#       chown {{ mongo_owner }}:{{ mongo_owner }} {{ certificate_key_file_path }}
 #       chmod 600 {{ certificate_key_file_path }}
-#       chown {{ mongo_user }}:{{ mongo_user }} {{ ca_file_path }}
+#       chown {{ mongo_owner }}:{{ mongo_owner }} {{ ca_file_path }}
 #       chmod 600 {{ ca_file_path }}
 #   ignore_errors: true
 #   tags:

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -9,6 +9,7 @@
         value: "{{ audit_log_destination}}"
       when: audit_log_destination == "syslog"
 
+    #fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error, could not touch target: [Errno 2] No such file or directory: b'/var/log/mongodb/audit/auditLog.bson'", "path": "/var/log/mongodb/audit/auditLog.bson"}
     - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | check if file exists"
       ansible.builtin.file:
         path: "{{ mongo_audit_file_path }}"
@@ -37,8 +38,8 @@
 ##### DIRECTORIES DONT EXIST
 # - name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
 #   ansible.builtin.shell: |
-#       chown {{ mongo_user }} {{ mongo_audit_directory_path }}
-#       chgrp {{ mongo_user }} {{ mongo_audit_directory_path }}
+#       chown {{ mongo_owner }} {{ mongo_audit_directory_path }}
+#       chgrp {{ mongo_owner }} {{ mongo_audit_directory_path }}
 #       chmod 700 {{ mongo_audit_directory_path }}
 #   when: audit_log_destination == "file"
 #   ignore_errors: true
@@ -50,8 +51,8 @@
 
 - name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
   ansible.builtin.shell: |
-      chown {{ mongo_user }} {{ mongod_config_path }}
-      chgrp {{ mongo_user }} {{ mongod_config_path }}
+      chown {{ mongo_owner }} {{ mongod_config_path }}
+      chgrp {{ mongo_owner }} {{ mongod_config_path }}
       chmod 660 {{ mongod_config_path }}
   ignore_errors: true
   tags:
@@ -105,7 +106,7 @@
 ##### DIRECTORY DOESNT EXIST
 # - name: "MEDIUM | SV-252142 | MongoDB must prevent unauthorized and unintended information transfer via shared system resources."
 #   ansible.builtin.shell: |
-#       chown {{ mongo_user }}:{{ mongo_user }} {{ mongod_config_path }}
+#       chown {{ mongo_owner }}:{{ mongo_owner }} {{ mongod_config_path }}
 #       chmod 600 {{ mongod_config_path }}
 #       chown -R mongod:mongod {{ data_file_directory_path }}
 #       chmod 755 {{ data_file_directory_path }}

spec/ansible/roles/mongo-stig/tasks/prep.yml

@@ -12,13 +12,37 @@
   ansible.builtin.copy:
     src: files/conf.template
     dest: "{{ mongod_config_path }}"
-    owner: "{{ mongo_user }}"
+    owner: "{{ mongo_owner }}"
     group: "{{ mongo_group }}"
     mode: '755'
   when: conf.stat.exists == false
   tags:
     - prep
 
+- name: Get list of databases
+  ansible.builtin.command: |
+    mongosh "mongodb://localhost:27017/" --quiet --eval "EJSON.stringify(db.adminCommand('listDatabases'))"
+  register: database_list
+
+- name: Display contents of mongod.conf
+  debug:
+    msg: "{{ database_list.stdout }}"
+
+# - name: Create MongoDB admin user
+#   ansible.builtin.command: |
+#     mongosh "mongodb://localhost:27017/" --quiet --eval "db.getSiblingDB(\"admin\").createUser({user: \"admin\", pwd: \"admin\", roles: [{role: \"userAdminAnyDatabase\", db: \"admin\"}]});"
+#   register: database_list
+
+##### DOES NOT WORK 
+- name: Create MongoDB admin user
+  community.mongodb.mongodb_shell:
+    login_host: "{{ mongo_host }}"
+    login_port: "{{ mongo_port }}"
+    eval: "db.getSiblingDB('admin').createUser({user: 'admin', pwd: 'admin', roles: [{role: 'userAdminAnyDatabase', db: 'admin'}]})"
+  tags:
+    - prep
+
+
 # get these and register as fact minus what the user said shouldnt be hardened
 # json query filter
 # get databases command 

spec/mongo-inspec-profile/controls/SV-252134.rb

@@ -80,13 +80,13 @@
   mongo_audit_file_path = input('mongo_audit_file_path')
 
   describe.one do
-    describe yaml(input('mongod_config_path')) do
+    describe mongodb_conf(input('mongod_config_path')) do
       its(['auditLog','destination']){should eq "file"}
       its(['auditLog','format']){should eq "BSON"}
       its(['auditLog','path']){should match mongo_audit_file_path}
     end
 
-    describe yaml(input('mongod_config_path')) do
+    describe mongodb_conf(input('mongod_config_path')) do
       its(['auditLog', 'destination']) { should eq "syslog"}
     end
   end

spec/mongo-inspec-profile/controls/SV-252135.rb

@@ -103,7 +103,7 @@
 
   describe directory(input('mongod_config_path')) do
     it { should exist }
-    it { should be_owned_by input('mongo_user') }
+    it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
     it { should_not be_more_permissive_than('0700') }
   end

spec/mongo-inspec-profile/controls/SV-252136.rb

@@ -76,7 +76,7 @@
 
   describe file(input('mongod_config_path')) do
     it { should exist }
-    it { should be_owned_by input('mongo_user') }
+    it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
     it { should_not be_more_permissive_than('0660') }
   end

spec/mongo-inspec-profile/controls/SV-252137.rb

@@ -37,7 +37,7 @@
   tag cci: ['CCI-000381']
   tag nist: ['CM-7 a']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['net','http']){should be nil}
   end
 

spec/mongo-inspec-profile/controls/SV-252138.rb

@@ -47,7 +47,7 @@
   tag cci: ['CCI-000382']
   tag nist: ['CM-7 b']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['net','http']){should be nil}
   end
 

spec/mongo-inspec-profile/controls/SV-252139.rb

@@ -56,7 +56,7 @@
   tag cci: ['CCI-000197', 'CCI-000185']
   tag nist: ['IA-5 (1) (c)', 'IA-5 (2) (b) (1)']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['net','tls','mode']){should eq "requireTLS"}
     its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')}
     its(['net','tls','CAFile']){should match input('ca_file_path')}

spec/mongo-inspec-profile/controls/SV-252141.rb

@@ -47,7 +47,7 @@
   tag cci: ['CCI-001190', 'CCI-001665']
   tag nist: ['SC-24', 'SC-24']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
           its(['storage','journal','enabled']){should eq true}
       end
 

spec/mongo-inspec-profile/controls/SV-252142.rb

@@ -58,14 +58,14 @@
 
   describe file(input('mongod_config_path')) do
     it { should exist }
-    it { should be_owned_by input('mongo_user') }
+    it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
     it { should_not be_more_permissive_than('0600') }
   end
 
   describe directory(input('data_file_directory_path')) do
     it { should exist }
-    it { should be_owned_by input('mongo_user') }
+    it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
     it { should_not be_more_permissive_than('0755') }
   end

spec/mongo-inspec-profile/controls/SV-252143.rb

@@ -33,7 +33,7 @@
   tag cci: ['CCI-001310']
   tag nist: ['SI-10']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['security','javascriptEnabled']){should eq false}
   end
 

spec/mongo-inspec-profile/controls/SV-252145.rb

@@ -55,7 +55,7 @@
   tag cci: ['CCI-002165', 'CCI-002235']
   tag nist: ['AC-3 (4)', 'AC-6 (10)']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['security','authorization']){should eq "enabled"}
   end
 

spec/mongo-inspec-profile/controls/SV-252146.rb

@@ -54,7 +54,7 @@
   tag cci: ['CCI-002450', 'CCI-000803']
   tag nist: ['SC-13 b', 'IA-7']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['net','tls','FIPSMode']){should eq true}
   end
 

spec/mongo-inspec-profile/controls/SV-252147.rb

@@ -43,7 +43,7 @@
   tag cci: ['CCI-002475', 'CCI-002476']
   tag nist: ['SC-28 (1)', 'SC-28 (1)']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['security','enableEncrypt']){should eq true}
 
     its(['kmip','serverName']){should match input('KMIP_server_host_name')}

spec/mongo-inspec-profile/controls/SV-252148.rb

@@ -37,7 +37,7 @@
   tag cci: ['CCI-000054']
   tag nist: ['AC-10']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['net', 'maxIncomingConnections']) { should be_a_kind_of(Integer) }
   end
 

spec/mongo-inspec-profile/controls/SV-252149.rb

@@ -48,7 +48,7 @@
   tag cci: ['CCI-000015']
   tag nist: ['AC-2 (1)']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['security','authorization']){should eq "enabled"}
   end
 

spec/mongo-inspec-profile/controls/SV-252156.rb

@@ -39,7 +39,7 @@
   tag cci: ['CCI-000381']
   tag nist: ['CM-7 a']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['net','http']){should be nil}
   end
 

spec/mongo-inspec-profile/controls/SV-252159.rb

@@ -64,7 +64,7 @@
   tag nist: ['IA-5 (1) (c)']
 
   #authSchemaUpgrade command doesn't exist anymore since version 4, so part 2 is not doable
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']}
   end
 

spec/mongo-inspec-profile/controls/SV-252160.rb

@@ -46,29 +46,29 @@
   tag cci: ['CCI-000186']
   tag nist: ['IA-5 (2) (a) (1)']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['net','tls','mode']){should eq "requireTLS"}
     its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')}
     its(['net','tls','CAFile']){should match input('ca_file_path')}
   end
 
   describe file(input('mongod_config_path')) do
     it { should exist }
-    it { should be_owned_by input('mongo_user') }
+    it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
     it { should_not be_more_permissive_than('0600') }
   end
 
   describe file(input('certificate_key_file_path')) do
     it { should exist }
-    it { should be_owned_by input('mongo_user') }
+    it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
     it { should_not be_more_permissive_than('0600') }
   end
 
   describe file(input('ca_file_path')) do
     it { should exist }
-    it { should be_owned_by input('mongo_user') }
+    it { should be_owned_by input('mongo_owner') }
     it { should be_grouped_into input('mongo_group') }
     it { should_not be_more_permissive_than('0600') }
   end

spec/mongo-inspec-profile/controls/SV-252164.rb

@@ -37,7 +37,7 @@
   tag cci: ['CCI-001188']
   tag nist: ['SC-23 (3)']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['net','tls','mode']){should eq "requireTLS"}
   end
 

spec/mongo-inspec-profile/controls/SV-252167.rb

@@ -43,7 +43,7 @@
   tag cci: ['CCI-001310']
   tag nist: ['SI-10']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['security','javascriptEnabled']){should eq false}
   end
 

spec/mongo-inspec-profile/controls/SV-252168.rb

@@ -47,7 +47,7 @@
   tag cci: ['CCI-001312']
   tag nist: ['SI-11 a']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['security','redactClientLogData']){should eq true}
   end
 

spec/mongo-inspec-profile/controls/SV-252169.rb

@@ -48,7 +48,7 @@
   tag cci: ['CCI-001314']
   tag nist: ['SI-11 b']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
     its(['security','redactClientLogData']){should eq true}
   end
 

spec/mongo-inspec-profile/controls/SV-252171.rb

@@ -35,7 +35,7 @@
 Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.
 
 If the DBMS audit records are not written directly to or systematically transferred to a centralized log management system, this is a finding.'
-  desc 'fix', %q(If audit operations filters are not configured in the MongoDB configuration file (default location: /etc/mongod.conf), configure them according to application requirements, but at a minimum, ensure destination and filter are set in a mongod.conf YAML auditLog configuration setting.
+  desc 'fix', %q(If audit operations filters are not configured in the MongoDB configuration file (default location: /etc/mongod.conf), configure them according to application requirements, but at a minimum, ensure destination and filter are set in a mongod.conf mongodb_conf auditLog configuration setting.
 
 For example, to audit all database operations involving creating or dropping a collection, the %MongoDB configuration file% (by default /etc/mongod.conf) auditLog section would read as follows:
 
@@ -64,7 +64,7 @@
   tag cci: ['CCI-001844']
   tag nist: ['AU-3 (2)']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
       its(['auditLog','destination']){should eq "file"}
       its(['auditLog','format']){should eq "BSON"}
       its(['auditLog','path']){should match input('mongo_audit_file_path')}

spec/mongo-inspec-profile/controls/SV-252172.rb

@@ -40,7 +40,7 @@
   tag cci: ['CCI-001849']
   tag nist: ['AU-4']
 
-  describe yaml(input('mongod_config_path')) do
+  describe mongodb_conf(input('mongod_config_path')) do
       its(['auditLog', 'destination']) { should eq "syslog"}
     end