finally able to add user, but its not persistent

mitre · Mar 8, 2024 · a486f63 · a486f63
1 parent ccfc2bb
commit a486f63
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 24 deletions.
diff --git a/mongo-hardening.pkr.hcl b/mongo-hardening.pkr.hcl
@@ -58,7 +58,7 @@ source "docker" "target" {
   image       = "${var.input_image.tag}:${var.input_image.version}"
   commit      = true
   pull        = false #change back to true in final
-  run_command = ["-d", "-it", "--name", var.output_image.name, "--user", "root","-p","27017:27017", "{{.Image}}"]
+  run_command = ["-d", "--name", var.output_image.name, "--user", "root","-p","27017:27017", "{{.Image}}"]
 }
 
 build {
@@ -124,7 +124,7 @@ build {
   //   scripts          = ["spec/scripts/verify_threshold.sh"]
   // }
 
-  ### TAG
+  ### TAG DOCKER IMAGE
   post-processor "docker-tag" {
     repository = "${var.output_image.name}"
     tags = ["latest"]

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -34,16 +34,16 @@
 #     - enterprise
 
 ##### DISABLED FOR EASIER TESTING
-- name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals."
-  yedit:
-      src: "{{ mongod_config_path }}"
-      key: security.authorization
-      value: enabled
-  ignore_errors: true
-  tags:
-    - cat1
-    - high
-    - SV-252149
+# - name: "HIGH | SV-252149 | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals."
+#   yedit:
+#       src: "{{ mongod_config_path }}"
+#       key: security.authorization
+#       value: enabled
+#   ignore_errors: true
+#   tags:
+#     - cat1
+#     - high
+#     - SV-252149
 
 ##### MANUAL
 # - name: "HIGH | SV-252150 | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."

diff --git a/spec/ansible/roles/mongo-stig/tasks/prep.yml b/spec/ansible/roles/mongo-stig/tasks/prep.yml
@@ -19,34 +19,59 @@
   tags:
     - prep
 
+##### add user and pw login details
 - name: Get list of databases
   ansible.builtin.command: |
     mongosh "mongodb://localhost:27017/" --quiet --eval "EJSON.stringify(db.adminCommand('listDatabases'))"
   register: database_list
+  tags:
+    - prep
+
+##### note: this is per database, not the cluster, might need have a method to check all roles in all databases, i think test db is default
+##### add user and pw
+- name: Get all the roles in a database
+  ansible.builtin.command: |
+    mongosh "mongodb://localhost:27017/" --quiet --eval "EJSON.stringify(db.getRoles({ showBuiltinRoles: true }))"
+  register: database_list
+  tags:
+    - prep
 
-- name: Display contents of mongod.conf
+- name: Display contents of database_list
   debug:
     msg: "{{ database_list.stdout }}"
 
-# - name: Create MongoDB admin user
-#   ansible.builtin.command: |
-#     mongosh "mongodb://localhost:27017/" --quiet --eval "db.getSiblingDB(\"admin\").createUser({user: \"admin\", pwd: \"admin\", roles: [{role: \"userAdminAnyDatabase\", db: \"admin\"}]});"
-#   register: database_list
-
-##### DOES NOT WORK 
 - name: Create MongoDB admin user
-  community.mongodb.mongodb_shell:
-    login_host: "{{ mongo_host }}"
-    login_port: "{{ mongo_port }}"
-    eval: "db.getSiblingDB('admin').createUser({user: 'admin', pwd: 'admin', roles: [{role: 'userAdminAnyDatabase', db: 'admin'}]})"
+  community.mongodb.mongodb_user:
+    database: admin
+    name: admin
+    password: admin
+    roles: dbOwner
+    state: present
+
+##### same note as previous get
+- name: Get all the users in a database
+  ansible.builtin.command: |
+    mongosh "mongodb://localhost:27017/test" --quiet --eval "EJSON.stringify(db.getUsers())"
+  register: users_list
   tags:
     - prep
 
+- name: Display contents of users_list
+  debug:
+    msg: "{{ users_list.stdout }}"
+
+
+##### CHANGE USER AND PW TO VARIABLES, this is a different method to add a user
+##### ALSO THIS NEEDS TO BE A BOOL TO SEE IF AN ADMIN ALREADY EXISTS
+# - name: Create MongoDB admin user
+#   ansible.builtin.command: |
+#     mongosh "mongodb://localhost:27017/" --quiet --eval "db.getSiblingDB('test').createUser({user: 'admin', pwd: 'admin', roles: [{role: 'dbOwner', db: 'admin'}]})"
+#   register: database_list
 
 # get these and register as fact minus what the user said shouldnt be hardened
+# create some roles and users for testing
 # json query filter
 # get databases command 
 # get roles
 # get users
 
-##create some roles and users for testing
diff --git a/spec/mongo-inspec-profile/controls/SV-252159.rb b/spec/mongo-inspec-profile/controls/SV-252159.rb
@@ -64,6 +64,7 @@
   tag nist: ['IA-5 (1) (c)']
 
   #authSchemaUpgrade command doesn't exist anymore since version 4, so part 2 is not doable
+  #WAIT https://www.mongodb.com/docs/manual/reference/privilege-actions/#mongodb-authaction-authSchemaUpgrade
   describe mongodb_conf(input('mongod_config_path')) do
     its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']}
   end