update controls, remove scripts, docker volume create

mongo-hardening.pkr.hcl

@@ -57,16 +57,32 @@ variable "report" {
 source "docker" "target" {
   image       = "${var.input_image.tag}:${var.input_image.version}"
   commit      = true
-  pull        = false #change back to true in final
-  run_command = ["-d", "--name", var.output_image.name, "--user", "root","-p","27017:27017", "{{.Image}}"]
+  pull        = false # Change back to true in final
+  run_command = [
+    "-d",
+    "--name", "${var.output_image.name}",
+    "--user", "root",
+    "-p", "27017:27017",
+    "{{.Image}}",
+    // "-v", "mongodb_configdb:/data/configdb",
+    // "-v", "mongodb_db:/data/db",
+  ]
 }
 
+
 build {
   name = "harden"
   sources = [
     "source.docker.target"
   ]
 
+  provisioner "shell-local" {
+    inline = [
+      "docker volume create mongodb_configdb",
+      "docker volume create mongodb_db",
+    ]
+  }
+
   #ansible needs python and pip to be installed on the target
   // provisioner "shell" {
   //   inline = [

spec/ansible/roles/mongo-stig/tasks/cat1.yml

@@ -75,7 +75,6 @@
 
 
 ##### PART TWO OF THIS DOESNT EXIST IN MONGO 4+
-##### This whole rule seems out of date as the authSchemaUpgrade command was removed in mongo 4
 # - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
 #   blockinfile:
 #     path: "{{ mongod_config_path }}"
@@ -105,7 +104,7 @@
     - SV-252159
     - enterprise
 
-##### FILES DONT EXIST check text conflict with 252136? 
+##### FILES DONT EXIST
 # - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
 #   ansible.builtin.shell: |
 #       chown {{ mongo_owner }}:{{ mongo_owner }} {{ certificate_key_file_path }}

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -315,6 +315,8 @@
     - medium
     - SV-252169
 
+
+##### MANUAL
 # - name: "MEDIUM | SV-252170 | MongoDB must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect."
 #   command: true
 #   ignore_errors: true

spec/ansible/roles/mongo-stig/tasks/prep.yml

@@ -41,12 +41,17 @@
     msg: "{{ database_list.stdout }}"
 
 - name: Create MongoDB admin user
-  community.mongodb.mongodb_user:
-    database: admin
-    name: admin
-    password: admin
-    roles: dbOwner
-    state: present
+  ansible.builtin.command: |
+    mongosh "mongodb://localhost:27017/" --quiet --eval "db.getSiblingDB('test').createUser({user: 'admin', pwd: 'admin', roles: [{role: 'dbOwner', db: 'admin'}]})"
+  register: database_list
+
+# - name: Create MongoDB admin user
+#   community.mongodb.mongodb_user:
+#     database: admin
+#     name: admin
+#     password: admin
+#     roles: dbOwner
+#     state: present
 
 ##### same note as previous get
 - name: Get all the users in a database

spec/mongo-inspec-profile/controls/SV-252159.rb

@@ -64,7 +64,6 @@
   tag nist: ['IA-5 (1) (c)']
 
   #authSchemaUpgrade command doesn't exist anymore since version 4, so part 2 is not doable
-  #WAIT https://www.mongodb.com/docs/manual/reference/privilege-actions/#mongodb-authaction-authSchemaUpgrade
   describe mongodb_conf(input('mongod_config_path')) do
     its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']}
   end