From d7b253c73aa97060595cd0e24bcfae7a5f36ab4c Mon Sep 17 00:00:00 2001
From: seanlongcc
Date: Tue, 27 Feb 2024 13:44:29 -0500
Subject: [PATCH] updated 252134 inspec

---
 .../roles/mongo-stig/defaults/main.yml | 2 +-
 spec/ansible/roles/mongo-stig/tasks/cat2.yml | 4 +++-
 .../controls/SV-252134.rb | 19 +++++++++++++------
 .../controls/SV-252136.rb | 2 +-
 4 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
index 808e3f3..23e33bb 100644
--- a/spec/ansible/roles/mongo-stig/defaults/main.yml
+++ b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -7,7 +7,7 @@ mongostig_cat3: true
 mongo_user: root
 mongo_group: root
 #audit_log_destination | "file" or "syslog"
-audit_log_destination: "syslog"
+audit_log_destination: "file"
 mongod_config_path: "/etc/mongod.conf"
 mongo_audit_directory_path: "/var/log/mongodb/audit"
 mongo_audit_file_path: "/var/log/mongodb/audit/auditLog.bson"
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
index 207fddf..3099181 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -34,17 +34,19 @@
 - SV-252134
 - enterprise
-##### FILES DONT EXIST
+##### DIRECTORIES DONT EXIST
 # - name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
 # ansible.builtin.shell: |
 # chown {{ mongo_user }} {{ mongo_audit_directory_path }}
 # chgrp {{ mongo_user }} {{ mongo_audit_directory_path }}
 # chmod 700 {{ mongo_audit_directory_path }}
+# when: audit_log_destination == "file"
 # ignore_errors: true
 # tags:
 # - cat2
 # - medium
 # - SV-252135
+# - enterprise
 - name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
 ansible.builtin.shell: |
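Review bot: The SV-252135 task in tasks/cat2.yml stays commented out, so once the defaults/main.yml hunk switches `audit_log_destination` to `"file"` nothing in this role sets the owner, group or mode of `mongo_audit_directory_path`, and the added `when: audit_log_destination == "file"` guard and `enterprise` tag have no effect until the block is uncommented. The header comment gives "directories don't exist" as the reason, which is exactly what a directory-state task resolves: replacing the shell chown/chgrp/chmod with `ansible.builtin.file` creates the directory with the intended ownership and `0700` mode in one idempotent step, so the task can be enabled rather than left disabled. Two smaller points in the same block: `chgrp {{ mongo_user }}` should use `mongo_group`, which defaults/main.yml declares alongside `mongo_user`, and `ignore_errors: true` would hide a failed hardening step; with the `file` module both lines become unnecessary.
```yaml
- name: "MEDIUM | SV-252135 | The audit information produced by MongoDB must be protected from unauthorized access."
  ansible.builtin.file:
    path: "{{ mongo_audit_directory_path }}"
    state: directory
    owner: "{{ mongo_user }}"
    group: "{{ mongo_group }}"
    mode: "0700"
  when: audit_log_destination == "file"
  tags:
    - cat2
    - medium
    - SV-252135
    - enterprise
# … unchanged: SV-252136 task …
```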
diff --git a/spec/mongo-inspec-profile/controls/SV-252134.rb b/spec/mongo-inspec-profile/controls/SV-252134.rb
index f302bb4..5737e27 100644
--- a/spec/mongo-inspec-profile/controls/SV-252134.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252134.rb
@@ -77,11 +77,18 @@
 tag cci: ['CCI-000130', 'CCI-000131', 'CCI-000132', 'CCI-000133', 'CCI-000134', 'CCI-000135', 'CCI-000140', 'CCI-000166', 'CCI-000171', 'CCI-000172', 'CCI-001464', 'CCI-001487', 'CCI-001814', 'CCI-001844', 'CCI-001851', 'CCI-001858']
 tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-5 b', 'AU-10', 'AU-12 b', 'AU-12 c', 'AU-14 (1)', 'AU-3 f', 'CM-5 (1)', 'AU-3 (2)', 'AU-4 (1)', 'AU-5 (2)']
-
- describe yaml(input('mongod_config_path')) do
- its(['auditLog','destination']){should eq "file"}
- its(['auditLog','format']){should eq "BSON"}
- its(['auditLog','path']){should match input('mongo_audit_file_path')}
+ mongo_audit_file_path = input('mongo_audit_file_path')
+
+ describe.one do
+ describe yaml(input('mongod_config_path')) do
+ its(['auditLog','destination']){should eq "file"}
+ its(['auditLog','format']){should eq "BSON"}
+ its(['auditLog','path']){should match mongo_audit_file_path}
+ end
+
+ describe yaml(input('mongod_config_path')) do
+ its(['auditLog', 'destination']) { should eq "syslog"}
+ end
 end
-
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252136.rb b/spec/mongo-inspec-profile/controls/SV-252136.rb
index d2fe9a7..a2e9093 100644
--- a/spec/mongo-inspec-profile/controls/SV-252136.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252136.rb
@@ -75,7 +75,7 @@
 tag nist: ['AU-9 a', 'AU-9', 'AU-9']
 describe file(input('mongod_config_path')) do
- it {should exist}
+ it { should exist }
 it { should be_owned_by input('mongo_user') }
 it { should be_grouped_into input('mongo_group') }
 it { should_not be_more_permissive_than('0660') }
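Review bot: `its(['auditLog','path']){should match mongo_audit_file_path}` in the new `describe.one` file branch keeps the old regex comparison, so the input string is compiled as a pattern: the dot in a value like `auditLog.bson` matches any character and a configured path that merely contains the expected one still passes; `its(['auditLog','path']) { should cmp mongo_audit_file_path }` checks the exact path. `describe.one` is the right construct for a file-or-syslog alternative, but the `syslog` branch asserts nothing beyond `destination`, so a comment such as `# syslog destination: format and path do not apply; delivery is handled by the syslog daemon` would tell a reader the asymmetry is deliberate rather than an omission. Style: both branches parse `yaml(input('mongod_config_path'))` separately and mix `{should eq "file"}` with `{ should eq "syslog"}`; hoisting `mongod_conf = yaml(input('mongod_config_path'))` next to `mongo_audit_file_path` and using one brace spacing would make the pair read consistently. The enclosing `control` block starts before this hunk.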