update with the conf changes that work

mongo-hardening.pkr.hcl

@@ -70,7 +70,6 @@ build {
   #ansible needs python and pip to be installed on the target
   // provisioner "shell" {
   //   inline = [
-  //     "cp /etc/mongod.conf.orig /etc/mongod.conf"
   //     // "apt-get update",
   //     // "apt-get install -y python${var.ansible_vars.python_version} python3-pip",
   //     // "ln -s /usr/bin/python3 /usr/bin/python",

spec/ansible/roles/mongo-stig/tasks/cat1.yml

@@ -33,49 +33,49 @@
 #     - high
 #     - SV-252146
 
-# - name: Check if 'security:' exists and is not commented out
-#   shell: "grep -P '^security:' {{ mongod_config_path }} || true"
-#   register: security_check
-#   changed_when: false
-#   ignore_errors: true
-#   tags:
-#     - SV-252149
-
-# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block does not exist."
-#   blockinfile:
-#     path: "{{ mongod_config_path }}"
-#     marker: "#Rule ID SV-252149"
-#     prepend_newline: true
-#     insertafter: "^#security:"
-#     block: |
-#       security:
-#         authorization: enabled
-#   when: security_check.stdout == ""      
-#   register: result
-#   changed_when: no
-#   ignore_errors: true
-#   tags:
-#     - cat1
-#     - high
-#     - SV-252149
-
-# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block exists."
-#   blockinfile:
-#     path: "{{ mongod_config_path }}"
-#     marker: "#Rule ID SV-252149"
-#     prepend_newline: true
-#     insertafter: "^security:"
-#     block: |
-#       #
-#         authorization: enabled
-#   when: security_check.stdout != ""      
-#   register: result
-#   changed_when: no
-#   ignore_errors: true
-#   tags:
-#     - cat1
-#     - high
-#     - SV-252149
+- name: Check if 'security:' exists and is not commented out
+  shell: "grep -P '^security:' {{ mongod_config_path }} || true"
+  register: security_check
+  changed_when: false
+  ignore_errors: true
+  tags:
+    - SV-252149
+
+- name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block does not exist."
+  blockinfile:
+    path: "{{ mongod_config_path }}"
+    marker: "#Rule ID SV-252149"
+    prepend_newline: true
+    insertafter: "^#security:"
+    block: |
+      security:
+        authorization: enabled
+  when: security_check.stdout == ""      
+  register: result
+  changed_when: no
+  ignore_errors: true
+  tags:
+    - cat1
+    - high
+    - SV-252149
+
+- name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Security block exists."
+  blockinfile:
+    path: "{{ mongod_config_path }}"
+    marker: "#Rule ID SV-252149"
+    prepend_newline: true
+    insertafter: "^security:"
+    block: |
+      #
+        authorization: enabled
+  when: security_check.stdout != ""      
+  register: result
+  changed_when: no
+  ignore_errors: true
+  tags:
+    - cat1
+    - high
+    - SV-252149
 
 # - name: "HIGH | SV-252150 | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
 #   community.mongodb.mongodb_shell: #works but unsure what output is

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -73,8 +73,9 @@
 #     - medium
 #     - SV-252140
 
+###DOES NOT EXIST IN MONGO 6+
+#need to add check text and if else statement
 # - name: "MEDIUM | SV-252141 | MongoDB must fail to a secure state if system initialization fails, shutdown fails, or aborts fail."
-#   #need to add check text and if else statement
 #   blockinfile:
 #     path: "{{ mongod_config_path }}"
 #     marker: "#Rule ID SV-252141"
@@ -102,49 +103,49 @@
 #     - medium
 #     - SV-252142
 
-# - name: Check if 'security:' exists and is not commented out
-#   shell: "grep -P '^security:' {{ mongod_config_path }} || true"
-#   register: security_check
-#   changed_when: false
-#   ignore_errors: true
-#   tags:
-#     - SV-252143
-
-# - name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block does not exist."
-#   blockinfile:
-#     path: "{{ mongod_config_path }}"
-#     marker: "#Rule ID SV-252143"
-#     prepend_newline: true
-#     insertafter: "^#security:"
-#     block: |
-#       security:
-#         javascriptEnabled: false
-#   when: security_check.stdout == ""
-#   register: result
-#   changed_when: no
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252143
-
-# - name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block exists."
-#   blockinfile:
-#     path: "{{ mongod_config_path }}"
-#     marker: "#Rule ID SV-252143"
-#     prepend_newline: true
-#     insertafter: "^security:"
-#     block: |
-#       #
-#         javascriptEnabled: false
-#   when: security_check.stdout != ""
-#   register: result
-#   changed_when: no
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252143
+- name: Check if 'security:' exists and is not commented out
+  shell: "grep -P '^security:' {{ mongod_config_path }} || true"
+  register: security_check
+  changed_when: false
+  ignore_errors: true
+  tags:
+    - SV-252143
+
+- name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block does not exist."
+  blockinfile:
+    path: "{{ mongod_config_path }}"
+    marker: "#Rule ID SV-252143"
+    prepend_newline: true
+    insertafter: "^#security:"
+    block: |
+      security:
+        javascriptEnabled: false
+  when: security_check.stdout == ""
+  register: result
+  changed_when: no
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252143
+
+- name: "MEDIUM | SV-252143 | MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it. | Security block exists."
+  blockinfile:
+    path: "{{ mongod_config_path }}"
+    marker: "#Rule ID SV-252143"
+    prepend_newline: true
+    insertafter: "^security:"
+    block: |
+      #
+        javascriptEnabled: false
+  when: security_check.stdout != ""
+  register: result
+  changed_when: no
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252143
 
 # - name: "MEDIUM | SV-252144 | MongoDB must associate organization-defined types of security labels having organization-defined security label values with information in storage and transmission."
 #   command: true

spec/ansible/roles/mongo-stig/tasks/prep.yml

@@ -15,4 +15,6 @@
     owner: "{{ mongo_user }}"
     group: "{{ mongo_group }}"
     mode: '755'
-  when: conf.stat.exists == false
+  when: conf.stat.exists == false
+  tags:
+    - prep