update readme, update ansible task names

mitre · May 10, 2024 · 46a3b12 · 46a3b12
1 parent 60939ca
commit 46a3b12
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 38 deletions.
diff --git a/README.md b/README.md
@@ -17,27 +17,39 @@ A workflow for hardening a MongoDB container against a STIG using Packer and Ans
    Start by cloning the `mongo-hardening` repository from GitHub to your local machine. Use the following command in your terminal:
 
    ```
-   https://github.com/mitre/mongo-hardening.git
+   git clone https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline-hardening.git
    cd mongo-hardening
    ```
 
-2. **Initialize Packer**
+2. **Download the DoD Certificates PKI Bundle**
+
+   Download the DoD Certificates PKI Bundle by following the instructions in the README under the certificates directory.
+
+3. **Create `inputs.yml`**
+
+   Execute the following command to create the inputs.yml file under `spec/mongo-inspec-profile` by copying inputs_template.yml and renaming it to inputs.yml.
+
+   ```
+   cp spec/mongo-inspec-profile/inputs_template.yml spec/mongo-inspec-profile/inputs.yml
+   ```
+
+4. **Initialize Packer**
 
    Initialize Packer to install the required Ansible and Docker plugins. Run the following command:
 
    ```
    packer init .
    ```
 
-3. **Build the Hardened Image**
+5. **Build the Hardened Image**
 
    Execute the following command to build, test, and save the hardened Mongo image:
 
    ```
    packer build mongo-hardening.pkr.hcl
    ```
 
-4. **Run the Hardened Image**
+6. **Run the Hardened Image**
 
    Execute the following command to run the hardened Mongo image:
 

diff --git a/spec/ansible/roles/mongo-stig/meta/main.yml b/spec/ansible/roles/mongo-stig/meta/main.yml
@@ -1,6 +1,6 @@
 galaxy_info:
-  author: Sean Chacon Cai
-  description: Applies MongoDB STIG
+  author: Sean Chacon Cai, Will Dower
+  description: Apply the MongoDB Enterprise Advanced 5 STIG
   company: The MITRE Corporation
 
   # If the issue tracker for your role is not on github, uncomment the

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -387,8 +387,7 @@
         mongosh "mongodb://localhost:27017/{{ databases_155[index] }}" --quiet --eval "EJSON.stringify(db.revokeRolesFromUser('{{ users_155[index]}}', ['{{ roles_155[index] }}']))"
       loop: "{{ range(0, users_155|length) }}"
       loop_control:
-        loop_var: index
-
+        loop_var: index 
   ignore_errors: true
   tags:
     - cat2
@@ -409,7 +408,7 @@
 
 - name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)."
   vars:
-    non_mongo_users: []
+    non_mongo_users_157: []
     user_ids_157: []
     db_names_157: []
     user_names_157: []
@@ -431,23 +430,22 @@
 
     - name: "MEDIUM | SV-252157 | Enable authorization in MongoDB configuration | Filter out users not in mongo_users" 
       set_fact:
-        non_mongo_users: "{{ non_mongo_users + [item] }}"
+        non_mongo_users_157: "{{ non_mongo_users_157 + [item] }}"
       loop: "{{ user_ids_157 }}"
       when: item not in all_mongo_users
 
     - name: "MEDIUM | SV-252157 | Enable authorization in MongoDB configuration | Split each db.user in non_mongo_users"
       set_fact:
         db_names_157: "{{ db_names_157 + [item.split('.')[0]] }}"
         user_names_157: "{{ user_names_157 + [item.split('.')[1]] }}"
-      loop: "{{ non_mongo_users }}"
+      loop: "{{ non_mongo_users_157 }}"
 
     - name: "MEDIUM | SV-252157 | Enable authorization in MongoDB configuration | Drop non_mongo_users" 
       ansible.builtin.command: |
         mongosh "mongodb://localhost:27017/{{ db_names_157[index] }}" --quiet --eval "db.dropUser('{{ user_names_157[index] }}', {w: 'majority', wtimeout: 5000})"
       loop: "{{ range(0, user_names_157|length) }}"
       loop_control:
         loop_var: index
-
   ignore_errors: false
   tags:
     - cat2
@@ -532,7 +530,6 @@
       loop: "{{ range(0, users_163|length) }}"
       loop_control:
         loop_var: index
-
   ignore_errors: true
   tags:
     - cat2
@@ -782,7 +779,6 @@
       loop: "{{ range(0, dbs_filtered_174|length) }}"
       loop_control:
         loop_var: index
-
   ignore_errors: true
   tags:
     - cat2

diff --git a/spec/ansible/roles/mongo-stig/tasks/fips.yml b/spec/ansible/roles/mongo-stig/tasks/fips.yml
@@ -1,5 +1,5 @@
 ---
-- name: Download OpenSSL 3.0.0 tarball
+- name: "FIPS | Download OpenSSL 3.0.0 tarball"
   get_url:
     url: https://www.openssl.org/source/openssl-3.0.0.tar.gz
     dest: /usr/local/src/openssl-3.0.0.tar.gz
@@ -9,7 +9,7 @@
   retries: 10
   delay: 10
 
-- name: Download OpenSSL 3.1.0 tarball
+- name: "FIPS | Download OpenSSL 3.1.0 tarball"
   ansible.builtin.get_url:
     url: https://www.openssl.org/source/openssl-3.1.0.tar.gz
     dest: /usr/local/src/openssl-3.1.0.tar.gz
@@ -19,51 +19,51 @@
   retries: 10
   delay: 10
 
-- name: Extract OpenSSL 3.0.0 tarball
+- name: "FIPS | Extract OpenSSL 3.0.0 tarball"
   ansible.builtin.unarchive:
     src: /usr/local/src/openssl-3.0.0.tar.gz
     dest: /usr/local/src/
     remote_src: yes
     creates: /usr/local/src/openssl-3.0.0 
 
-- name: Configure OpenSSL 3.0.0 with FIPS enabled
+- name: "FIPS | Configure OpenSSL 3.0.0 with FIPS enabled"
   ansible.builtin.command: ./Configure enable-fips
   args:
     chdir: /usr/local/src/openssl-3.0.0
 
-- name: Build OpenSSL 3.0.0
+- name: "FIPS | Build OpenSSL 3.0.0"
   ansible.builtin.make:
     chdir: /usr/local/src/openssl-3.0.0
     target: all 
 
-- name: Extract OpenSSL 3.1.0 tarball
+- name: "FIPS | Extract OpenSSL 3.1.0 tarball"
   ansible.builtin.unarchive:
     src: /usr/local/src/openssl-3.1.0.tar.gz
     dest: /usr/local/src/
     remote_src: yes
     creates: /usr/local/src/openssl-3.1.0
 
-- name: Configure OpenSSL 3.1.0 with FIPS enabled
+- name: "FIPS | Configure OpenSSL 3.1.0 with FIPS enabled"
   ansible.builtin.command:
     cmd: ./Configure enable-fips
     chdir: /usr/local/src/openssl-3.1.0
 
-- name: Build OpenSSL 3.1.0
+- name: "FIPS | Build OpenSSL 3.1.0"
   ansible.builtin.make:
     chdir: /usr/local/src/openssl-3.1.0
     target: all
 
-- name: Install OpenSSL 3.1.0
+- name: "FIPS | Install OpenSSL 3.1.0"
   ansible.builtin.make:
     chdir: /usr/local/src/openssl-3.1.0
     target: install
 
-- name: Install OpenSSL 3.0.0 FIPS module
+- name: "FIPS | Install OpenSSL 3.0.0 FIPS module"
   ansible.builtin.make:
     chdir: /usr/local/src/openssl-3.0.0
     target: install_fips
 
-- name: Copy openssl.cnf file to container
+- name: "FIPS | Copy openssl.cnf file to container"
   ansible.builtin.copy:
     src: files/openssl.cnf
     dest: /usr/local/ssl/openssl.cnf

diff --git a/spec/ansible/roles/mongo-stig/tasks/prep.yml b/spec/ansible/roles/mongo-stig/tasks/prep.yml
@@ -1,11 +1,11 @@
 ---
-- name: "Check or create {{ mongod_config_path }} file"
+- name: "PREP | Check or create {{ mongod_config_path }} file"
   ansible.builtin.stat:
     path: "{{ mongod_config_path }}"
   register: conf
   changed_when: no
 
-- name: Copy mongod.conf file to container
+- name: "PREP | Copy mongod.conf file to container"
   ansible.builtin.copy:
     src: files/conf.template
     dest: "{{ mongod_config_path }}"
@@ -14,36 +14,36 @@
     mode: "{{ mongo_permissions }}"
   when: conf.stat.exists == false
 
-- name: Copy certificate key file to container
+- name: "PREP | Copy certificate key file to container"
   ansible.builtin.copy:
     src: "{{ certificate_key_file_src }}"
     dest: "{{ certificate_key_file_dest }}"
     owner: "{{ mongo_owner }}"
     group: "{{ mongo_group }}"
     mode: "{{ mongo_permissions }}"
 
-- name: Copy certificate authority file to container
+- name: "PREP | Copy certificate authority file to container"
   ansible.builtin.copy:
     src: "{{ ca_file_src }}"
     dest: "{{ ca_file_dest }}"
     owner: "{{ mongo_owner }}"
     group: "{{ mongo_group }}"
     mode: "{{ mongo_permissions }}"
 
-- name: Create MongoDB admin user
+- name: "PREP | Create MongoDB admin user"
   community.mongodb.mongodb_user:
     database: "{{ mongo_auth_source }}"
     name: "{{ mongo_dba }}"
     password: "{{ mongo_dba_password }}"
     roles: root
     state: present
 
-- name: Get all the users in a database
+- name: "PREP | Get all the users in a database"
   ansible.builtin.command: |
     mongosh "mongodb://localhost:27017/admin" --quiet --eval "EJSON.stringify(db.system.users.find().toArray())"
   register: user_list
 
-- name: Get MongoDB version
+- name: "PREP | Get MongoDB version"
   ansible.builtin.command: |
     mongosh "mongodb://localhost:27017/test" --quiet --eval "db.version()"
   register: mongodb_version
diff --git a/spec/ansible/roles/prep/defaults/main.yml b/spec/ansible/roles/prep/defaults/main.yml
diff --git a/spec/ansible/roles/prep/tasks/_packages.yml b/spec/ansible/roles/prep/tasks/_packages.yml
@@ -1,10 +1,10 @@
 ---
-- name: Upgrade all packages
+- name: "PREP | Upgrade all packages"
   apt:
     name: '*'
     state: latest
 
-- name: Install required packages
+- name: "PREP | Install required packages"
   apt:
     name:
       - jq
@@ -13,7 +13,7 @@
       - wget
     state: latest
 
-- name: Install required packages via pip
+- name: "PREP | Install required packages via pip"
   pip:
     name:
       - jmespath

diff --git a/spec/mongo-inspec-profile/inputs_template.yml b/spec/mongo-inspec-profile/inputs_template.yml
@@ -1,4 +1,3 @@
-#rename to inputs.yml
 mongo_dba: "admin"
 mongo_dba_password: "admin"
 mongo_host: "localhost"