147, 165 updated

mitre · May 2, 2024 · 4cc513e · 4cc513e
1 parent 86c21f4
commit 4cc513e
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 24 deletions.
diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -4,8 +4,9 @@ enterprise_edition: true
 fips_mode: true
 mongostig_cat1: true
 mongostig_cat2: true
-# If any data is PII, classified or is deemed by the organization the need to be encrypted at rest. Set to true if using KMIP.
+# If any data is PII, classified or is deemed by the organization the need to be encrypted at rest.
 encryption_at_rest: false
+kmip_enabled: false
 
 mongo_owner: root
 mongo_group: root
@@ -44,7 +45,10 @@ max_incoming_connections: 800000
 
 mongo_filter: "'{ atype: { $in: [ \"createCollection\", \"dropCollection\" ] } }'"
 
+encryption_cipher_mode: AES256-GCM
 KMIP_server_host_name: 
 KMIP_server_port: 
 KMIP_server_ca_file: 
-KMIP_client_certificate_file: 
+KMIP_client_certificate_file: 
+
+security_encryption_key_file: 
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -120,15 +120,48 @@
 #     - high
 #     - SV-252162
 
-# - name: "HIGH | SV-252165 | MongoDB must protect the confidentiality and integrity of all information at rest."
-#   command: true
-#   ignore_errors: true
-#   when: enterprise_edition and encryption_at_rest
-#   tags:
-#     - cat1
-#     - high
-#     - SV-252165
-#     - enterprise
+- name: "HIGH | SV-252165 | MongoDB must protect the confidentiality and integrity of all information at rest."
+  block: 
+  - name: "HIGH | SV-252165 | MongoDB must protect the confidentiality and integrity of all information at rest. | KMIP Enabled"
+    yedit:
+      src: "{{ mongod_config_path }}"
+      edits:
+      - key: net.tls.FIPSMode
+        value: true
+      - key: security.encryptionCipherMode
+        value: "{{ encryption_cipher_mode }}"
+      - key: security.enableEncryption
+        value: true
+      - key: kmip.serverName
+        value: "{{ KMIP_server_host_name }}"
+      - key: kmip.port
+        value: "{{ KMIP_server_port }}"
+      - key: kimp.ServerCAFile
+        value: "{{ KMIP_server_ca_file }}"
+      - key: kmip.clientCertificationFile
+        value: "{{ KMIP_client_certificate_file }}"
+      when: kmip_enabled
+
+  - name: "HIGH | SV-252165 | MongoDB must protect the confidentiality and integrity of all information at rest. | Local Encryption Key File"    
+    yedit:
+      src: "{{ mongod_config_path }}"
+      edits:
+      - key: net.tls.FIPSMode
+        value: true
+      - key: security.enableEncryption
+        value: true
+      - key: security.encryptionCipherMode
+        value: "{{ encryption_cipher_mode }}"
+      - key: security.encryptionKeyFile
+        value: "{{ security_encryption_key_file }}"
+      when: not kmip_enabled
+  ignore_errors: true
+  when: enterprise_edition and encryption_at_rest
+  tags:
+    - cat1
+    - high
+    - SV-252165
+    - enterprise
 
 ##### MANUAL
 # - name: "HIGH | SV-252184 | MongoDB products must be a version supported by the vendor."

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -172,19 +172,36 @@
     - SV-252145
 
 - name: "MEDIUM | SV-252147 | MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components."
-  yedit:
-    src: "{{ mongod_config_path }}"
-    edits:
-    - key: security.enableEncryption
-      value: true
-    - key: kmip.serverName
-      value: "{{ KMIP_server_host_name }}"
-    - key: kmip.port
-      value: "{{ KMIP_server_port }}"
-    - key: kimp.ServerCAFile
-      value: "{{ KMIP_server_ca_file }}"
-    - key: kmip.clientCertificationFile
-      value: "{{ KMIP_client_certificate_file }}"
+  block: 
+  - name: "MEDIUM | SV-252147 | MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | KMIP Enabled"
+    yedit:
+      src: "{{ mongod_config_path }}"
+      edits:
+      - key: net.tls.FIPSMode
+        value: true
+      - key: security.enableEncryption
+        value: true
+      - key: kmip.serverName
+        value: "{{ KMIP_server_host_name }}"
+      - key: kmip.port
+        value: "{{ KMIP_server_port }}"
+      - key: kimp.ServerCAFile
+        value: "{{ KMIP_server_ca_file }}"
+      - key: kmip.clientCertificationFile
+        value: "{{ KMIP_client_certificate_file }}"
+      when: kmip_enabled
+
+  - name: "MEDIUM | SV-252147 | MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Local Encryption Key File"
+    yedit:
+      src: "{{ mongod_config_path }}"
+      edits:
+      - key: net.tls.FIPSMode
+        value: true
+      - key: security.enableEncryption
+        value: true
+      - key: security.encryptionKeyFile
+        value: "{{ security_encryption_key_file }}"
+      when: not kmip_enabled
   ignore_errors: true
   when: enterprise_edition and encryption_at_rest
   tags: