diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
index 2fdd1b0..808e3f3 100644
--- a/spec/ansible/roles/mongo-stig/defaults/main.yml
+++ b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -6,6 +6,8 @@ mongostig_cat2: true
mongostig_cat3: true
mongo_user: root
mongo_group: root
+#audit_log_destination | "file" or "syslog"
+audit_log_destination: "syslog"
mongod_config_path: "/etc/mongod.conf"
mongo_audit_directory_path: "/var/log/mongodb/audit"
mongo_audit_file_path: "/var/log/mongodb/audit/auditLog.bson"
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
index 6ef29fb..83a6a5b 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
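Review bot: The new `audit_log_destination` variable is described only by a bare comment and nothing in the role validates its value; the cat2 tasks branch on `== "syslog"` and `== "file"`, so a typo such as `"files"` skips both branches and leaves auditing unconfigured without any failure. An `ansible.builtin.assert` at the top of the cat2 tasks with `that: audit_log_destination in ['file', 'syslog']` would fail fast instead. The comment itself should follow the file's yamllint style with a space after the hash: `# audit_log_destination: "file" or "syslog"`.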
@@ -1,15 +1,32 @@ --- ##### ENTERPRISE ONLY - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components." - yedit: - src: "{{ mongod_config_path }}" - edits: - - key: auditLog.destination - value: file - - key: auditLog.format - value: BSON - - key: auditLog.path - value: "{{ mongo_audit_file_path }}" + block: + - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | syslog option" + yedit: + src: "{{ mongod_config_path }}" + key: auditLog.destination + value: "{{ audit_log_destination}}" + when: audit_log_destination == "syslog" + + - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | check if file exists" + ansible.builtin.file: + path: "{{ mongo_audit_file_path }}" + state: touch + when: audit_log_destination == "file" + + - name: "MEDIUM | SV-252134 | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | file option" + yedit: + src: "{{ mongod_config_path }}" + edits: + - key: auditLog.destination + value: file + - key: auditLog.format + value: BSON + - key: auditLog.path + value: "{{ mongo_audit_file_path }}" + when: audit_log_destination == "file" + ignore_errors: true tags: - cat2 
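Review bot: The `check if file exists` step creates the audit log with `state: touch` but no `owner`, `group` or `mode`, so the file is created with whatever umask and account run the play, and because touch updates the mtime the step reports changed on every run; add `owner: "{{ mongo_user }}"`, `group: "{{ mongo_group }}"`, `mode: "0600"`, and set `modification_time` and `access_time` to `preserve` for idempotence. The `syslog option` step sets only `auditLog.destination`, so `auditLog.format` and `auditLog.path` left behind by an earlier `file` run stay in the config; if the role is meant to be switchable, those keys should be removed in that branch. Minor: `"{{ audit_log_destination}}"` is missing the space before `}}`, and `ignore_errors: true` on the whole block means a failed audit configuration is still reported as success for SV-252134. The task's tag list continues past the hunk.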
@@ -29,29 +46,23 @@ # - medium
# - SV-252135
-##### DONE BUT DOESNT WONT RUN CUZ PERMISSIONS ERROR???, maybe it requires the user to be mongod
-# - name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
-# ansible.builtin.shell: |
-# chown {{ mongo_user }} {{ mongod_config_path }}
-# chgrp {{ mongo_user }} {{ mongod_config_path }}
-# chmod 660 {{ mongod_config_path }}
-# ignore_errors: true
-# tags:
-# - cat2
-# - medium
-# - SV-252136
+- name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
+ ansible.builtin.shell: |
+ chown {{ mongo_user }} {{ mongod_config_path }}
+ chgrp {{ mongo_user }} {{ mongod_config_path }}
+ chmod 660 {{ mongod_config_path }}
+ ignore_errors: true
+ tags:
+ - cat2
+ - medium
+ - SV-252136
##### Work around since removing multiple edits doesnt seem to work
- name: "MEDIUM | SV-252137 | Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled."
yedit:
src: "{{ mongod_config_path }}"
- edits:
- - key: net.http.enabled
- value: {}
- - key: net.http.JSONPEnabled
- value: {}
- - key: net.http.RESTInterfaceEnabled
- value: {}
+ key: net.http
+ state: absent
ignore_errors: true
tags:
- cat2
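Review bot: The reinstated SV-252136 task shells out to `chown`/`chgrp`/`chmod` and passes `mongo_user` to `chgrp`, so the group is never set to `mongo_group`; the InSpec check this same commit adds to SV-252136.rb asserts `be_grouped_into input('mongo_group')`, so remediation and check disagree whenever the two variables differ. `ansible.builtin.file` does the same work in one idempotent, check-mode-aware step without a shell, and it surfaces the permissions error the old comment mentioned instead of letting `ignore_errors: true` hide it. The SV-252137 change to `key: net.http` with `state: absent` matches the new InSpec expectation that `net.http` is nil; that task's tag list continues past the hunk.
```yaml
- name: "MEDIUM | SV-252136 | MongoDB must protect its audit features from unauthorized access."
  ansible.builtin.file:
    path: "{{ mongod_config_path }}"
    owner: "{{ mongo_user }}"
    group: "{{ mongo_group }}"
    mode: "0660"
  # … unchanged: tags …
```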
@@ -245,16 +256,17 @@ # - medium
# - SV-252163
-- name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values."
- yedit:
- src: "{{ mongod_config_path }}"
- key: net.tls.mode
- value: requireTLS
- ignore_errors: true
- tags:
- - cat2
- - medium
- - SV-252164
+##### NEEDS SOME FILE I DONT HAVE
+# - name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values."
+# yedit:
+# src: "{{ mongod_config_path }}"
+# key: net.tls.mode
+# value: requireTLS
+# ignore_errors: true
+# tags:
+# - cat2
+# - medium
+# - SV-252164
##### MANUAL
# - name: "MEDIUM | SV-252166 | Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy."
@@ -318,8 +330,9 @@
value: BSON
- key: auditLog.path
value: "{{ mongo_audit_file_path }}"
- - key: auditLog.filter
- value: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
+ # - key: auditLog.filter
+ # value: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
+ when: audit_log_destination == "file"
ignore_errors: true
tags:
- cat2
diff --git a/spec/mongo-inspec-profile/controls/SV-252136.rb b/spec/mongo-inspec-profile/controls/SV-252136.rb
index 3ff2c55..d2fe9a7 100644
--- a/spec/mongo-inspec-profile/controls/SV-252136.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252136.rb
@@ -73,4 +73,12 @@
tag 'documentable'
tag cci: ['CCI-001493', 'CCI-001494', 'CCI-001495']
tag nist: ['AU-9 a', 'AU-9', 'AU-9']
+
+ describe file(input('mongod_config_path')) do
+ it {should exist}
+ it { should be_owned_by input('mongo_user') }
+ it { should be_grouped_into input('mongo_group') }
+ it { should_not be_more_permissive_than('0660') }
+ end
+
end
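Review bot: Commenting out the SV-252164 task leaves `net.tls.mode: requireTLS` unenforced with nothing in the role recording that, so a run tagged `cat2` now omits the TLS requirement without even a skipped result; the `##### NEEDS SOME FILE I DONT HAVE` header suggests the blocker is a missing certificate path rather than the setting itself. Keeping the task active behind a `when:` on a role variable for that path (placeholder name: `mongo_tls_cert_path`) would apply the control wherever the input is supplied and show a visible skip elsewhere.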
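Review bot: Adding `when: audit_log_destination == "file"` to this yedit skips the whole task for syslog deployments, so the control it implements (its `- name:` line is outside the hunk) is not applied at all in that mode; if only the `auditLog.path` edit depends on the destination, the guard should be narrower than the task. The `auditLog.filter` entry is left as two commented-out lines inside the `edits` list; delete them or restore them, since dead config inside a list of edits invites someone to uncomment only one of the pair. Dropping the filter also changes which events MongoDB audits, which should be a deliberate, documented decision rather than a side effect of the syslog work.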
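Review bot: `it {should exist}` in the new `describe file(...)` block does not match the spacing of the three `it { ... }` lines below it; write `it { should exist }`. The block is placed after the `tag` lines inside `control ... do`, which is consistent with the other controls in this commit, so only the spacing needs attention here.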
diff --git a/spec/mongo-inspec-profile/controls/SV-252137.rb b/spec/mongo-inspec-profile/controls/SV-252137.rb
index 0efd645..0266836 100644
--- a/spec/mongo-inspec-profile/controls/SV-252137.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252137.rb
@@ -36,4 +36,9 @@
tag 'documentable'
tag cci: ['CCI-000381']
tag nist: ['CM-7 a']
+
+ describe yaml(input('mongod_config_path')) do
+ its(['net','http']){should be nil}
+ end
+
end
diff --git a/spec/mongo-inspec-profile/controls/SV-252138.rb b/spec/mongo-inspec-profile/controls/SV-252138.rb
index 6d57849..fa86857 100644
--- a/spec/mongo-inspec-profile/controls/SV-252138.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252138.rb
@@ -46,4 +46,8 @@
tag 'documentable'
tag cci: ['CCI-000382']
tag nist: ['CM-7 b']
+ describe yaml(input('mongod_config_path')) do
+ its(['net','http']){should be nil}
+ end
+
end
diff --git a/spec/mongo-inspec-profile/controls/SV-252169.rb b/spec/mongo-inspec-profile/controls/SV-252169.rb
index 414a87f..52c1f4f 100644
--- a/spec/mongo-inspec-profile/controls/SV-252169.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252169.rb
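Review bot: `its(['net','http']){should be nil}` in the new `describe yaml(...)` block reads as a single token and uses `be nil` where the idiomatic matcher is `be_nil`; write `its(['net', 'http']) { should be_nil }`, and the identical line in the SV-252138.rb hunk below needs the same change. Both controls now read `mongod_config_path` through the `yaml` resource, which I believe fails rather than skips when the file is absent or unreadable by the scanning account; an `only_if { file(input('mongod_config_path')).exist? }` on the block would keep that failure mode consistent with the explicit `should exist` check SV-252136.rb gets in this commit.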
@@ -1,6 +1,6 @@ control 'SV-252169' do title 'MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.' - desc '(If MongoDB provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. + desc %q(If MongoDB provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Some default DBMS error messages can contain information that could aid an attacker in, among other things, identifying the database type, host address, or state of the database. Custom errors may contain sensitive customer information.