updated test container, added yedit(doesnt work)

mongo-hardening.pkr.hcl

@@ -24,7 +24,7 @@ variable "ansible_vars" {
 variable "input_image" {
   type = map(string)
   default = {
-    "tag"     = "mongo-ansible-ready"
+    "tag"     = "enterprise_ansible_ready"
     "version" = "latest"
   }
 }

spec/ansible/mongo-stig-hardening-playbook.yml

@@ -4,6 +4,7 @@
   roles:
     - roles/prep # basic update and config tasks
     #- rhel8STIG # apply STIG requirement controls
+    - yedit
     - mongo-stig # apply STIG requirement controls
   serial: 50
   user: 0

spec/ansible/requirements.yml

@@ -1,3 +1,6 @@
 - name: rhel8STIG
   src: https://github.com/ansible-lockdown/RHEL8-STIG
+
+- name: yedit
+  src: kwoodson.yedit
 

spec/ansible/roles/mongo-stig/files/conf.template

@@ -35,4 +35,4 @@ processManagement:
 
 ## Enterprise-Only Options:
 
-#auditLog:
+#auditLog:  

spec/ansible/roles/mongo-stig/tasks/cat1.yml

@@ -100,7 +100,7 @@
 #     - high
 #     - SV-252149
 
-##### this is currently just checking it, this part should be in the inspec, but what is the actual requirement
+##### MANUAL
 # - name: "HIGH | SV-252150 | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
 #   community.mongodb.mongodb_shell:
 #     db: "database"
@@ -112,7 +112,7 @@
 #     - SV-252150
 
 
-##### nothing to change with ansible?
+##### MANUAL
 # - name: "HIGH | SV-252152 | MongoDB software installation account must be restricted to authorized users."
 #   command: true
 #   ignore_errors: true
@@ -133,21 +133,33 @@
 
 ##### PART TWO OF THIS DOESNT EXIST IN NEWER MONGO
 ##### This whole rule seems out of date as the authSchemaUpgrade command was removed in mongo 4
-- name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
-  blockinfile:
-    path: "{{ mongod_config_path }}"
-    marker: "#Rule ID SV-252159"
-    prepend_newline: true
-    insertafter: "EOF"
-    block: |
-      setParameter:
-        authenticationMechanisms: SCRAM-SHA-256
-    state: present
-  ignore_errors: true
-  tags:
-    - cat1
-    - high
-    - SV-252159
+# - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
+#   blockinfile:
+#     path: "{{ mongod_config_path }}"
+#     marker: "#Rule ID SV-252159"
+#     prepend_newline: true
+#     insertafter: "EOF"
+#     block: |
+#       setParameter:
+#         authenticationMechanisms: SCRAM-SHA-256
+#     state: present
+#   ignore_errors: true
+#   tags:
+#     - cat1
+#     - high
+#     - SV-252159
+
+# - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
+#   yedit:
+#       src: "{{ mongod_config_path }}"
+#       key: setParameter
+#       value: 
+#         authenticationMechanisms: SCRAM-SHA-256
+#   ignore_errors: true
+#   tags:
+#     - cat1
+#     - high
+#     - SV-252159
 
 ##### check text conflict with 252136?
 - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -31,7 +31,6 @@
       chown {{ mongo_user }} {{ mongod_config_path }}
       chgrp {{ mongo_user }} {{ mongod_config_path }}
       chmod 660 {{ mongod_config_path }}
-  
   ignore_errors: true
   tags:
     - cat2
@@ -48,7 +47,6 @@
     - { regexp: '^\s*enabled: true\s*$' }
     - { regexp: '^\s*JSONPEnabled: true\s*$' }
     - { regexp: '^\s*RESTInterfaceEnabled: true\s*$' }
-
   ignore_errors: true
   tags:
     - cat2