variable inspec paths

spec/ansible/roles/mongo-stig/defaults/main.yml

@@ -8,7 +8,7 @@ mongo_user: root
 mongo_group: root
 mongod_config_path: "/etc/mongod.conf"
 mongo_audit_directory_path: "/var/log/mongodb/audit"
-mongo_audit_file_path: "/var/log/mongodb/audit/auditlog.bson"
+mongo_audit_file_path: "/var/log/mongodb/audit/auditLog.bson"
 certificate_key_file_path: "/etc/ssl/mongodb.pem"
 ca_file_path: "/etc/ssl/caToValidateClientCertificates.pem"
 data_file_directory_path: "/var/lib/mongo"

spec/ansible/roles/mongo-stig/tasks/cat2.yml

@@ -226,6 +226,8 @@
 #     - medium
 #     - SV-252157
 
+
+##### manual??? this one is manual is postgres, but its also less specific 
 # - name: "MEDIUM | SV-252161 | MongoDB must map the PKI-authenticated identity to an associated user account."
 #   command: true
 #   ignore_errors: true

spec/mongo-inspec-profile/controls/SV-252134.rb

@@ -78,10 +78,10 @@
   tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-5 b', 'AU-10', 'AU-12 b', 'AU-12 c', 'AU-14 (1)', 'AU-3 f', 'CM-5 (1)', 'AU-3 (2)', 'AU-4 (1)', 'AU-5 (2)']
 
 
-  describe yaml('/etc/mongod.conf') do
+  describe yaml(input('mongod_config_path')) do
         its(['auditLog','destination']){should eq "file"}
         its(['auditLog','format']){should eq "BSON"}
-        its(['auditLog','path']){should eq "/var/log/mongodb/audit/auditLog.bson"}
+        its(['auditLog','path']){should match input('mongo_audit_file_path')}
     end
 
 end

spec/mongo-inspec-profile/controls/SV-252139.rb

@@ -56,10 +56,10 @@
   tag cci: ['CCI-000197', 'CCI-000185']
   tag nist: ['IA-5 (1) (c)', 'IA-5 (2) (b) (1)']
 
-  describe yaml('/etc/mongod.conf') do
+  describe yaml(input('mongod_config_path')) do
         its(['net','tls','mode']){should eq "requireTLS"}
-        its(['net','tls','certificateKeyFile']){should eq "/etc/ssl/mongodb.pem"}
-        its(['net','tls','CAFile']){should eq "/etc/ssl/caToValidateClientCertificates.pem"}
+        its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')}
+        its(['net','tls','CAFile']){should match input('ca_file_path')}
         its(['net','tls','allowInvalidCertificates']){should eq false}
         its(['net','tls','allowConnectionsWithoutCertificates']){should eq false}
     end

spec/mongo-inspec-profile/controls/SV-252141.rb

@@ -47,7 +47,7 @@
   tag cci: ['CCI-001190', 'CCI-001665']
   tag nist: ['SC-24', 'SC-24']
 
-  describe yaml('/etc/mongod.conf') do
+  describe yaml(input('mongod_config_path')) do
           its(['storage','journal','enabled']){should eq true}
       end
 

spec/mongo-inspec-profile/controls/SV-252143.rb

@@ -33,7 +33,7 @@
   tag cci: ['CCI-001310']
   tag nist: ['SI-10']
 
-  describe yaml('/etc/mongod.conf') do
+  describe yaml(input('mongod_config_path')) do
         its(['security','javascriptEnabled']){should eq false}
     end
 

spec/mongo-inspec-profile/controls/SV-252144.rb

@@ -125,10 +125,9 @@
 
 
   #not sure what goes here for this one
-  describe 'Review the organizational or site-specific security labeling documentation to understand how documents in specific MongoDB collection(s) must be marked.
-  This marking process should be applied as data is entered into the database.' do
-    skip 'If security labeling is not required, this is not a finding.
-    If security labeling is required, then there must be organizational or site-specific documentation on what the security labeling policy is and guidance on how and where to apply it.'
+  describe 'Review the organizational or site-specific security labeling documentation to understand how documents in specific MongoDB collection(s) must be marked.This marking process should be applied as data is entered into the database.' do
+    skip 'If security labeling is not required, this is not a finding.'
+    skip 'If security labeling is required, then there must be organizational or site-specific documentation on what the security labeling policy is and guidance on how and where to apply it.'
   end
 
-end
+end 

spec/mongo-inspec-profile/controls/SV-252145.rb

@@ -55,7 +55,7 @@
   tag cci: ['CCI-002165', 'CCI-002235']
   tag nist: ['AC-3 (4)', 'AC-6 (10)']
 
-  describe yaml('/etc/mongod.conf') do
+  describe yaml(input('mongod_config_path')) do
         its(['security','authorization']){should eq "enabled"}
     end
 

spec/mongo-inspec-profile/controls/SV-252146.rb

@@ -54,7 +54,7 @@
   tag cci: ['CCI-002450', 'CCI-000803']
   tag nist: ['SC-13 b', 'IA-7']
 
-  describe yaml('/etc/mongod.conf') do
+  describe yaml(input('mongod_config_path')) do
         its(['net','tls','FIPSMode']){should eq true}
     end
 

spec/mongo-inspec-profile/controls/SV-252149.rb

@@ -48,7 +48,7 @@
   tag cci: ['CCI-000015']
   tag nist: ['AC-2 (1)']
 
-  describe yaml('/etc/mongod.conf') do
+  describe yaml(input('mongod_config_path')) do
         its(['security','authorization']){should eq "enabled"}
     end
 

spec/mongo-inspec-profile/controls/SV-252150.rb

@@ -40,8 +40,8 @@
   tag nist: ['AC-3']
 
   describe 'The MongoDB administrator must ensure that additional application access control is enforced.' do
-    skip 'Review the system documentation to determine the required levels of protection for MongoDB server securables by type of login. 
-    Review the permissions actually in place on the server. If the actual permissions do not match the documented requirements, this is a finding.'
+    skip 'Review the system documentation to determine the required levels of protection for MongoDB server securables by type of login.'
+    skip 'Review the permissions actually in place on the server. If the actual permissions do not match the documented requirements, this is a finding.'
   end
 
 end

spec/mongo-inspec-profile/controls/SV-252151.rb

@@ -29,8 +29,8 @@
   tag nist: ['CM-5 (6)']
 
   describe 'Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files occurs.' do
-    skip 'Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files.
-    If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement.'
+    skip 'Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files.'
+    skip 'If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement.'
   end
 
 end

spec/mongo-inspec-profile/controls/SV-252158.rb

@@ -35,9 +35,9 @@
   tag nist: ['IA-5 (1) (a)']
 
   describe 'Password complexity and lifetime must be enforced by an external authentication source such as LDAP, Active Directory, or Kerberos.' do
-    skip 'If MongoDB is using Native LDAP authentication where the LDAP server is configured to enforce password complexity and lifetime, this is not a finding.
-    If MongoDB is using Kerberos authentication where Kerberos is configured to enforce password complexity and lifetime, this is not a finding.
-    If MongoDB is not configured for SCRAM-SHA1, MONGODB-CR, or LDAP authentication, this is a finding.'
+    skip 'If MongoDB is using Native LDAP authentication where the LDAP server is configured to enforce password complexity and lifetime, this is not a finding.'
+    skip 'If MongoDB is using Kerberos authentication where Kerberos is configured to enforce password complexity and lifetime, this is not a finding.'
+    skip 'If MongoDB is not configured for SCRAM-SHA1, MONGODB-CR, or LDAP authentication, this is a finding.'
   end
 
 end

spec/mongo-inspec-profile/controls/SV-252159.rb

@@ -64,7 +64,7 @@
   tag nist: ['IA-5 (1) (c)']
 
   #authSchemaUpgrade command doesn't exist anymore since version 4, so part 2 is not doable
-  describe yaml('/etc/mongod.conf') do
+  describe yaml(input('mongod_config_path')) do
         its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']}
     end
 

spec/mongo-inspec-profile/controls/SV-252161.rb

@@ -86,4 +86,9 @@
   tag 'documentable'
   tag cci: ['CCI-000187']
   tag nist: ['IA-5 (2) (a) (2)']
+
+  describe 'Each unique x.509 client certificate corresponds to a single MongoDB user; meaning it cannot use a single-client certificate to authenticate more than one MongoDB user.' do
+    skip 'If using LDAP for authentication, this is not applicable.'
+    skip 'If the authenticated MongoDB user displayed does not have a user value equal to the x.509 certs Subject Name, this is a finding.'
+  end
 end

spec/mongo-inspec-profile/controls/SV-252162.rb

@@ -39,10 +39,8 @@
   tag nist: ['IA-6']
 
   describe 'To prevent the compromise of authentication information such as passwords and PINs during the authentication process, the feedback from the system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism.' do
-    skip 'For the MongoDB command-line tools mongo shell, mongodump, mongorestore, mongoimport, mongoexport, which cannot be configured not to obfuscate a plain-text password, and any other essential tool with the same limitation; verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained.
-    If it is not documented, this is a finding.
-    Request evidence that all users of MongoDB command-line tools are trained in the use of the -p option/plain-text password option and how to keep the password protected from unauthorized viewing/capture, and that they adhere to this practice.
-    If evidence of training does not exist, this is a finding.'
+    skip 'For the MongoDB command-line tools mongo shell, mongodump, mongorestore, mongoimport, mongoexport, which cannot be configured not to obfuscate a plain-text password, and any other essential tool with the same limitation; verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained. If it is not documented, this is a finding.'
+    skip 'Request evidence that all users of MongoDB command-line tools are trained in the use of the -p option/plain-text password option and how to keep the password protected from unauthorized viewing/capture, and that they adhere to this practice. If evidence of training does not exist, this is a finding.'
   end
 
 end

spec/mongo-inspec-profile/controls/SV-252184.rb

@@ -34,9 +34,9 @@
 
   describe 'Review the system documentation and interview the database administrator.
     Identify all database software components. Review the version and release information.' do
-    skip 'If the DBMS or any of the software components are not supported by MongoDB, this is a finding. 
-    Remove or decommission all unsupported software products.
-    Upgrade unsupported DBMS or unsupported components to a supported version of the product.'
+    skip 'If the DBMS or any of the software components are not supported by MongoDB, this is a finding.'
+    skip 'Remove or decommission all unsupported software products.'
+    skip 'Upgrade unsupported DBMS or unsupported components to a supported version of the product.'
   end
 
 end

spec/mongo-inspec-profile/inspec.yml

@@ -10,3 +10,54 @@ version: 1.0.0
 supports: []
 depends: []
 inspec_version: null
+
+inputs:
+  - name: mongo_user
+    description: "The system user of the mongod process"
+    type: string
+    value: "root"
+    required: true
+    sensitive: true
+
+  - name: mongo_group
+    description: "The system group of the mongod process"
+    type: string
+    value: "root"
+    required: true
+    sensitive: true
+
+  - name: mongod_config_path
+    description: "The path to the mongod configuration file"
+    type: string
+    value: "/etc/mongod.conf"
+    required: true
+
+  - name: mongo_audit_directory_path
+    description: "The path to the mongo audit directory"
+    type: string
+    value: "/var/log/mongodb/audit"
+    required: true
+
+  - name: mongo_audit_file_path
+    description: "The path to the mongo audit file"
+    type: string
+    value: "/var/log/mongodb/audit/auditLog.bson"
+    required: true
+
+  - name: certificate_key_file_path
+    description: "The path to the mongo certificate key"
+    type: string
+    value: "/etc/ssl/mongodb.pem"
+    required: true
+
+  - name: ca_file_path
+    description: "The path to the mongo CA file"
+    type: string
+    value: "/etc/ssl/caToValidateClientCertificates.pem"
+    required: true
+
+  - name: data_file_directory_path
+    description: "The path to the mongo data file directory"
+    type: string
+    value: "/var/lib/mongo"
+    required: true