conditional for audit log

mitre · Feb 22, 2024 · 3ef658b · 3ef658b
1 parent bfbca05
commit 3ef658b
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 40 deletions.
diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -6,6 +6,8 @@ mongostig_cat2: true
 mongostig_cat3: true 
 mongo_user: root
 mongo_group: root
+#audit_log_destination | "file" or "syslog"
+audit_log_destination: "syslog"
 mongod_config_path: "/etc/mongod.conf"
 mongo_audit_directory_path: "/var/log/mongodb/audit"
 mongo_audit_file_path: "/var/log/mongodb/audit/auditLog.bson"

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -1,15 +1,32 @@
 ---
 ##### ENTERPRISE ONLY
 - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components."
-  yedit:
-    src: "{{ mongod_config_path }}"
-    edits:
-    - key: auditLog.destination
-      value: file
-    - key: auditLog.format
-      value: BSON
-    - key: auditLog.path
-      value: "{{ mongo_audit_file_path }}"
+  block:
+    - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | syslog option"
+      yedit:
+        src: "{{ mongod_config_path }}"
+        key: auditLog.destination
+        value: "{{ audit_log_destination}}"
+      when: audit_log_destination == "syslog"
+
+    - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | check if file exists"
+      ansible.builtin.file:
+        path: "{{ mongo_audit_file_path }}"
+        state: touch
+      when: audit_log_destination == "file"
+
+    - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | file option"
+      yedit:
+        src: "{{ mongod_config_path }}"
+        edits:
+        - key: auditLog.destination
+          value: file
+        - key: auditLog.format
+          value: BSON
+        - key: auditLog.path
+          value: "{{ mongo_audit_file_path }}"
+      when: audit_log_destination == "file"
+
   ignore_errors: true
   tags:
     - cat2
@@ -29,29 +46,23 @@
 #     - medium
 #     - SV-252135
 
-##### DONE BUT DOESNT WONT RUN CUZ PERMISSIONS ERROR???, maybe it requires the user to be mongod
-# - name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
-#   ansible.builtin.shell: |
-#       chown {{ mongo_user }} {{ mongod_config_path }}
-#       chgrp {{ mongo_user }} {{ mongod_config_path }}
-#       chmod 660 {{ mongod_config_path }}
-#   ignore_errors: true
-#   tags:
-#     - cat2
-#     - medium
-#     - SV-252136
+- name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
+  ansible.builtin.shell: |
+      chown {{ mongo_user }} {{ mongod_config_path }}
+      chgrp {{ mongo_user }} {{ mongod_config_path }}
+      chmod 660 {{ mongod_config_path }}
+  ignore_errors: true
+  tags:
+    - cat2
+    - medium
+    - SV-252136
 
 ##### Work around since removing multiple edits doesnt seem to work
 - name: "MEDIUM | SV-252137 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
   yedit:
     src: "{{ mongod_config_path }}"
-    edits:
-    - key: net.http.enabled
-      value: {}
-    - key: net.http.JSONPEnabled
-      value: {}
-    - key: net.http.RESTInterfaceEnabled
-      value: {}
+    key: net.http
+    state: absent
   ignore_errors: true
   tags:
     - cat2
@@ -245,16 +256,17 @@
 #     - medium
 #     - SV-252163
 
-- name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values."
-  yedit:
-    src: "{{ mongod_config_path }}"
-    key: net.tls.mode
-    value: requireTLS
-  ignore_errors: true
-  tags:
-    - cat2
-    - medium
-    - SV-252164
+##### NEEDS SOME FILE I DONT HAVE
+# - name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values."
+#   yedit:
+#     src: "{{ mongod_config_path }}"
+#     key: net.tls.mode
+#     value: requireTLS
+#   ignore_errors: true
+#   tags:
+#     - cat2
+#     - medium
+#     - SV-252164
 
 ##### MANUAL
 # - name: "MEDIUM | SV-252166 | Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy."
@@ -318,8 +330,9 @@
       value: BSON
     - key: auditLog.path
       value: "{{ mongo_audit_file_path }}"
-    - key: auditLog.filter
-      value: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
+    # - key: auditLog.filter
+    #   value: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
+  when: audit_log_destination == "file"
   ignore_errors: true
   tags:
     - cat2

diff --git a/spec/mongo-inspec-profile/controls/SV-252136.rb b/spec/mongo-inspec-profile/controls/SV-252136.rb
@@ -73,4 +73,12 @@
   tag 'documentable'
   tag cci: ['CCI-001493', 'CCI-001494', 'CCI-001495']
   tag nist: ['AU-9 a', 'AU-9', 'AU-9']
+
+  describe file(input('mongod_config_path')) do
+    it {should exist}
+    it { should be_owned_by input('mongo_user') }
+    it { should be_grouped_into input('mongo_group') }
+    it { should_not be_more_permissive_than('0660') }
+  end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252137.rb b/spec/mongo-inspec-profile/controls/SV-252137.rb
@@ -36,4 +36,9 @@
   tag 'documentable'
   tag cci: ['CCI-000381']
   tag nist: ['CM-7 a']
+
+  describe yaml(input('mongod_config_path')) do
+    its(['net','http']){should be nil}
+  end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252138.rb b/spec/mongo-inspec-profile/controls/SV-252138.rb
@@ -46,4 +46,8 @@
   tag 'documentable'
   tag cci: ['CCI-000382']
   tag nist: ['CM-7 b']
+  describe yaml(input('mongod_config_path')) do
+    its(['net','http']){should be nil}
+  end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252169.rb b/spec/mongo-inspec-profile/controls/SV-252169.rb
@@ -1,6 +1,6 @@
 control 'SV-252169' do
   title 'MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.'
-  desc '(If MongoDB provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
+  desc %q(If MongoDB provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
 
 Some default DBMS error messages can contain information that could aid an attacker in, among other things, identifying the database type, host address, or state of the database. Custom errors may contain sensitive customer information.