updated 252134 inspec

mitre · Feb 27, 2024 · d7b253c · d7b253c
1 parent 26d0ef6
commit d7b253c
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 9 deletions.
diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -7,7 +7,7 @@ mongostig_cat3: true
 mongo_user: root
 mongo_group: root
 #audit_log_destination | "file" or "syslog"
-audit_log_destination: "syslog"
+audit_log_destination: "file"
 mongod_config_path: "/etc/mongod.conf"
 mongo_audit_directory_path: "/var/log/mongodb/audit"
 mongo_audit_file_path: "/var/log/mongodb/audit/auditLog.bson"

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -34,17 +34,19 @@
     - SV-252134
     - enterprise
 
-##### FILES DONT EXIST
+##### DIRECTORIES DONT EXIST
 # - name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
 #   ansible.builtin.shell: |
 #       chown {{ mongo_user }} {{ mongo_audit_directory_path }}
 #       chgrp {{ mongo_user }} {{ mongo_audit_directory_path }}
 #       chmod 700 {{ mongo_audit_directory_path }}
+#   when: audit_log_destination == "file"
 #   ignore_errors: true
 #   tags:
 #     - cat2
 #     - medium
 #     - SV-252135
+#     - enterprise
 
 - name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
   ansible.builtin.shell: |

diff --git a/spec/mongo-inspec-profile/controls/SV-252134.rb b/spec/mongo-inspec-profile/controls/SV-252134.rb
@@ -77,11 +77,18 @@
   tag cci: ['CCI-000130', 'CCI-000131', 'CCI-000132', 'CCI-000133', 'CCI-000134', 'CCI-000135', 'CCI-000140', 'CCI-000166', 'CCI-000171', 'CCI-000172', 'CCI-001464', 'CCI-001487', 'CCI-001814', 'CCI-001844', 'CCI-001851', 'CCI-001858']
   tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-5 b', 'AU-10', 'AU-12 b', 'AU-12 c', 'AU-14 (1)', 'AU-3 f', 'CM-5 (1)', 'AU-3 (2)', 'AU-4 (1)', 'AU-5 (2)']
 
-
-  describe yaml(input('mongod_config_path')) do
-    its(['auditLog','destination']){should eq "file"}
-    its(['auditLog','format']){should eq "BSON"}
-    its(['auditLog','path']){should match input('mongo_audit_file_path')}
+  mongo_audit_file_path = input('mongo_audit_file_path')
+
+  describe.one do
+    describe yaml(input('mongod_config_path')) do
+      its(['auditLog','destination']){should eq "file"}
+      its(['auditLog','format']){should eq "BSON"}
+      its(['auditLog','path']){should match mongo_audit_file_path}
+    end
+
+    describe yaml(input('mongod_config_path')) do
+      its(['auditLog', 'destination']) { should eq "syslog"}
+    end
   end
-
+  
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252136.rb b/spec/mongo-inspec-profile/controls/SV-252136.rb
@@ -75,7 +75,7 @@
   tag nist: ['AU-9 a', 'AU-9', 'AU-9']
 
   describe file(input('mongod_config_path')) do
-    it {should exist}
+    it { should exist }
     it { should be_owned_by input('mongo_user') }
     it { should be_grouped_into input('mongo_group') }
     it { should_not be_more_permissive_than('0660') }