From 46a3b1244462b53f6fe4bd1044959a2e9df6f891 Mon Sep 17 00:00:00 2001
From: seanlongcc
Date: Fri, 10 May 2024 11:46:23 -0400
Subject: [PATCH] update readme, update ansible task names

---
 README.md | 20 +++++++++++++----
 spec/ansible/roles/mongo-stig/meta/main.yml | 4 ++--
 spec/ansible/roles/mongo-stig/tasks/cat2.yml | 12 ++++------
 spec/ansible/roles/mongo-stig/tasks/fips.yml | 22 +++++++++----------
 spec/ansible/roles/mongo-stig/tasks/prep.yml | 14 ++++++------
 spec/ansible/roles/prep/defaults/main.yml | 2 --
 spec/ansible/roles/prep/tasks/_packages.yml | 6 ++---
 spec/mongo-inspec-profile/inputs_template.yml | 1 -
 8 files changed, 43 insertions(+), 38 deletions(-)
 delete mode 100644 spec/ansible/roles/prep/defaults/main.yml

diff --git a/README.md b/README.md
index d7cae02..98efafd 100644
--- a/README.md
+++ b/README.md
@@ -17,11 +17,23 @@ A workflow for hardening a MongoDB container against a STIG using Packer and Ans
 Start by cloning the `mongo-hardening` repository from GitHub to your local machine. Use the following command in your terminal:
 
 ```
- https://github.com/mitre/mongo-hardening.git
+ git clone https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline-hardening.git
 cd mongo-hardening
 ```
 
-2. **Initialize Packer**
+2. **Download the DoD Certificates PKI Bundle**
+
+ Download the DoD Certificates PKI Bundle by following the instructions in the README under the certificates directory.
+
+3. **Create `inputs.yml`**
+
+ Execute the following command to create the inputs.yml file under `spec/mongo-inspec-profile` by copying inputs_template.yml and renaming it to inputs.yml.
+
+ ```
+ cp spec/mongo-inspec-profile/inputs_template.yml spec/mongo-inspec-profile/inputs.yml
+ ```
+
+4. **Initialize Packer**
 
 Initialize Packer to install the required Ansible and Docker plugins. Run the following command:
 
@@ -29,7 +41,7 @@ A workflow for hardening a MongoDB container against a STIG using Packer and Ans
 packer init .
 ```
 
-3. **Build the Hardened Image**
+5. **Build the Hardened Image**
 
 Execute the following command to build, test, and save the hardened Mongo image:
 
@@ -37,7 +49,7 @@ A workflow for hardening a MongoDB container against a STIG using Packer and Ans
 packer build mongo-hardening.pkr.hcl
 ```
 
-4. **Run the Hardened Image**
+6. **Run the Hardened Image**
 
 Execute the following command to run the hardened Mongo image:
 
diff --git a/spec/ansible/roles/mongo-stig/meta/main.yml b/spec/ansible/roles/mongo-stig/meta/main.yml
index d77a0a8..e11875b 100644
--- a/spec/ansible/roles/mongo-stig/meta/main.yml
+++ b/spec/ansible/roles/mongo-stig/meta/main.yml
@@ -1,6 +1,6 @@
 galaxy_info:
- author: Sean Chacon Cai
- description: Applies MongoDB STIG
+ author: Sean Chacon Cai, Will Dower
+ description: Apply the MongoDB Enterprise Advanced 5 STIG
 company: The MITRE Corporation
 
 # If the issue tracker for your role is not on github, uncomment the
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
index e8f2402..f5a8770 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -387,8 +387,7 @@
 mongosh "mongodb://localhost:27017/{{ databases_155[index] }}" --quiet --eval "EJSON.stringify(db.revokeRolesFromUser('{{ users_155[index]}}', ['{{ roles_155[index] }}']))"
 loop: "{{ range(0, users_155|length) }}"
 loop_control:
- loop_var: index
-
+ loop_var: index
 ignore_errors: true
 tags:
 - cat2
@@ -409,7 +408,7 @@
 - name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)."
 vars:
- non_mongo_users: []
+ non_mongo_users_157: []
 user_ids_157: []
 db_names_157: []
 user_names_157: []
 
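Review bot: The new `description: Apply the MongoDB Enterprise Advanced 5 STIG` in meta/main.yml disagrees on the STIG version with the clone URL this same commit adds to README.md, `mongodb-enterprise-advanced-4-stig-baseline-hardening` (4 vs 5). One of the two is presumably stale; confirm which benchmark release the SV-2521xx tasks in cat2.yml implement and make the description and the README agree. Note also that the README still follows that clone with `cd mongo-hardening`, which is not the directory name git will create from the new URL.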
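Review bot: `ignore_errors: true` directly under the re-added `loop_var: index` in the -387 hunk means a failing `revokeRolesFromUser` call for SV-252155 is reported but the play still succeeds, so a role that could not be revoked leaves the finding open without failing the hardening build; the same pattern sits beneath the blank-line removals at -532 (SV-252163) and -782 (SV-252174) in this file. Prefer registering the result, e.g. `register: revoke_155`, and expressing the tolerated outcome with a `failed_when:` tied to the mongosh output, so that only the expected condition is ignored and anything else stops the build. The task that owns this loop starts before the hunk.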
@@ -431,7 +430,7 @@
 - name: "MEDIUM | SV-252157 | Enable authorization in MongoDB configuration | Filter out users not in mongo_users"
 set_fact:
- non_mongo_users: "{{ non_mongo_users + [item] }}"
+ non_mongo_users_157: "{{ non_mongo_users_157 + [item] }}"
 loop: "{{ user_ids_157 }}"
 when: item not in all_mongo_users
 
@@ -439,7 +438,7 @@
 set_fact:
 db_names_157: "{{ db_names_157 + [item.split('.')[0]] }}"
 user_names_157: "{{ user_names_157 + [item.split('.')[1]] }}"
- loop: "{{ non_mongo_users }}"
+ loop: "{{ non_mongo_users_157 }}"
 
 - name: "MEDIUM | SV-252157 | Enable authorization in MongoDB configuration | Drop non_mongo_users"
 ansible.builtin.command: |
@@ -447,7 +446,6 @@
 loop: "{{ range(0, user_names_157|length) }}"
 loop_control:
 loop_var: index
-
 ignore_errors: false
 tags:
 - cat2
@@ -532,7 +530,6 @@
 loop: "{{ range(0, users_163|length) }}"
 loop_control:
 loop_var: index
-
 ignore_errors: true
 tags:
 - cat2
@@ -782,7 +779,6 @@
 loop: "{{ range(0, dbs_filtered_174|length) }}"
 loop_control:
 loop_var: index
-
 ignore_errors: true
 tags:
 - cat2
diff --git a/spec/ansible/roles/mongo-stig/tasks/fips.yml b/spec/ansible/roles/mongo-stig/tasks/fips.yml
index e44455f..94ec508 100644
--- a/spec/ansible/roles/mongo-stig/tasks/fips.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/fips.yml
@@ -1,5 +1,5 @@
 ---
-- name: Download OpenSSL 3.0.0 tarball
+- name: "FIPS | Download OpenSSL 3.0.0 tarball"
 get_url:
 url: https://www.openssl.org/source/openssl-3.0.0.tar.gz
 dest: /usr/local/src/openssl-3.0.0.tar.gz
@@ -9,7 +9,7 @@
 retries: 10
 delay: 10
 
-- name: Download OpenSSL 3.1.0 tarball
+- name: "FIPS | Download OpenSSL 3.1.0 tarball"
 ansible.builtin.get_url:
 url: https://www.openssl.org/source/openssl-3.1.0.tar.gz
 dest: /usr/local/src/openssl-3.1.0.tar.gz
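Review bot: Neither visible `get_url` block in the -1 and -9 hunks of fips.yml shows a `checksum:`, so the tarball that later becomes the FIPS provider is accepted on the strength of the TLS connection alone; lines 6–8 of the file sit between the two hunks and may hold one, but if they do not, add `checksum: "sha256:<expected-digest>"` (placeholder) to both download tasks so a substituted or truncated archive fails the build instead of being configured and installed. As a point of style, the 3.0.0 task keeps the short `get_url:` while the 3.1.0 task uses `ansible.builtin.get_url:`; since this commit already edits both task names, aligning the 3.0.0 task to the FQCN form used elsewhere in the role would be consistent.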
@@ -19,51 +19,51 @@
 retries: 10
 delay: 10
 
-- name: Extract OpenSSL 3.0.0 tarball
+- name: "FIPS | Extract OpenSSL 3.0.0 tarball"
 ansible.builtin.unarchive:
 src: /usr/local/src/openssl-3.0.0.tar.gz
 dest: /usr/local/src/
 remote_src: yes
 creates: /usr/local/src/openssl-3.0.0
 
-- name: Configure OpenSSL 3.0.0 with FIPS enabled
+- name: "FIPS | Configure OpenSSL 3.0.0 with FIPS enabled"
 ansible.builtin.command: ./Configure enable-fips
 args:
 chdir: /usr/local/src/openssl-3.0.0
 
-- name: Build OpenSSL 3.0.0
+- name: "FIPS | Build OpenSSL 3.0.0"
 ansible.builtin.make:
 chdir: /usr/local/src/openssl-3.0.0
 target: all
 
-- name: Extract OpenSSL 3.1.0 tarball
+- name: "FIPS | Extract OpenSSL 3.1.0 tarball"
 ansible.builtin.unarchive:
 src: /usr/local/src/openssl-3.1.0.tar.gz
 dest: /usr/local/src/
 remote_src: yes
 creates: /usr/local/src/openssl-3.1.0
 
-- name: Configure OpenSSL 3.1.0 with FIPS enabled
+- name: "FIPS | Configure OpenSSL 3.1.0 with FIPS enabled"
 ansible.builtin.command:
 cmd: ./Configure enable-fips
 chdir: /usr/local/src/openssl-3.1.0
 
-- name: Build OpenSSL 3.1.0
+- name: "FIPS | Build OpenSSL 3.1.0"
 ansible.builtin.make:
 chdir: /usr/local/src/openssl-3.1.0
 target: all
 
-- name: Install OpenSSL 3.1.0
+- name: "FIPS | Install OpenSSL 3.1.0"
 ansible.builtin.make:
 chdir: /usr/local/src/openssl-3.1.0
 target: install
 
-- name: Install OpenSSL 3.0.0 FIPS module
+- name: "FIPS | Install OpenSSL 3.0.0 FIPS module"
 ansible.builtin.make:
 chdir: /usr/local/src/openssl-3.0.0
 target: install_fips
 
-- name: Copy openssl.cnf file to container
+- name: "FIPS | Copy openssl.cnf file to container"
 ansible.builtin.copy:
 src: files/openssl.cnf
 dest: /usr/local/ssl/openssl.cnf
diff --git a/spec/ansible/roles/mongo-stig/tasks/prep.yml b/spec/ansible/roles/mongo-stig/tasks/prep.yml
index a2f14fc..3a0ef59 100644
--- a/spec/ansible/roles/mongo-stig/tasks/prep.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/prep.yml
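Review bot: The renamed `FIPS | Configure OpenSSL 3.0.0 with FIPS enabled` and `FIPS | Configure OpenSSL 3.1.0 with FIPS enabled` tasks express the same command two ways — `ansible.builtin.command: ./Configure enable-fips` with `args:`/`chdir:` versus the `cmd:`/`chdir:` mapping form — and, unlike the two unarchive tasks that carry `creates:`, neither Configure task has a guard, so every play run re-runs Configure (and the following `make` tasks) in both trees. Pick the `cmd:`/`chdir:` form for both and add `creates: /usr/local/src/openssl-3.0.0/Makefile` (and the 3.1.0 equivalent) to the Configure tasks, assuming the Makefile that Configure generates is the right marker — confirm against a clean build. `remote_src: yes` on both unarchive tasks is a YAML 1.1 truthy spelling; `remote_src: true` is the unambiguous form.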
@@ -1,11 +1,11 @@
 ---
-- name: "Check or create {{ mongod_config_path }} file"
+- name: "PREP | Check or create {{ mongod_config_path }} file"
 ansible.builtin.stat:
 path: "{{ mongod_config_path }}"
 register: conf
 changed_when: no
 
-- name: Copy mongod.conf file to container
+- name: "PREP | Copy mongod.conf file to container"
 ansible.builtin.copy:
 src: files/conf.template
 dest: "{{ mongod_config_path }}"
@@ -14,7 +14,7 @@
 mode: "{{ mongo_permissions }}"
 when: conf.stat.exists == false
 
-- name: Copy certificate key file to container
+- name: "PREP | Copy certificate key file to container"
 ansible.builtin.copy:
 src: "{{ certificate_key_file_src }}"
 dest: "{{ certificate_key_file_dest }}"
@@ -22,7 +22,7 @@
 group: "{{ mongo_group }}"
 mode: "{{ mongo_permissions }}"
 
-- name: Copy certificate authority file to container
+- name: "PREP | Copy certificate authority file to container"
 ansible.builtin.copy:
 src: "{{ ca_file_src }}"
 dest: "{{ ca_file_dest }}"
@@ -30,7 +30,7 @@
 group: "{{ mongo_group }}"
 mode: "{{ mongo_permissions }}"
 
-- name: Create MongoDB admin user
+- name: "PREP | Create MongoDB admin user"
 community.mongodb.mongodb_user:
 database: "{{ mongo_auth_source }}"
 name: "{{ mongo_dba }}"
@@ -38,12 +38,12 @@
 roles: root
 state: present
 
-- name: Get all the users in a database
+- name: "PREP | Get all the users in a database"
 ansible.builtin.command: |
 mongosh "mongodb://localhost:27017/admin" --quiet --eval "EJSON.stringify(db.system.users.find().toArray())"
 register: user_list
 
-- name: Get MongoDB version
+- name: "PREP | Get MongoDB version"
 ansible.builtin.command: |
 mongosh "mongodb://localhost:27017/test" --quiet --eval "db.version()"
 register: mongodb_version
diff --git a/spec/ansible/roles/prep/defaults/main.yml b/spec/ansible/roles/prep/defaults/main.yml
deleted file mode 100644
index ae699a4..0000000
--- a/spec/ansible/roles/prep/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# defaults file for prep role
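Review bot: The renamed task `PREP | Check or create {{ mongod_config_path }} file` still only runs `ansible.builtin.stat`; the create half is done by the following copy task, so the name overstates what this task does — `PREP | Check whether {{ mongod_config_path }} exists` would match the body. While the name is being edited, `changed_when: no` in the same task is a YAML 1.1 truthy spelling and `when: conf.stat.exists == false` in the -14 hunk compares a boolean to a literal; `changed_when: false` and `when: not conf.stat.exists` are the idiomatic forms and survive a YAML 1.2 parser unchanged.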
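Review bot: `PREP | Create MongoDB admin user` hands the DBA account to `community.mongodb.mongodb_user`, and the task body between the -30 hunk and the `roles: root` / `state: present` lines in the -38 hunk is not visible; if the password is passed there and the task carries no `no_log: true`, the value is echoed in verbose and failure output of the Packer build. Add `no_log: true` to that task. The same applies to `PREP | Get all the users in a database` in the -38 hunk, whose `register: user_list` captures the documents of `db.system.users`, which hold the stored SCRAM credential material; register it with `no_log: true` as well so the full user set does not land in `-v` output or a callback log.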
diff --git a/spec/ansible/roles/prep/tasks/_packages.yml b/spec/ansible/roles/prep/tasks/_packages.yml
index db4b043..92e9b54 100644
--- a/spec/ansible/roles/prep/tasks/_packages.yml
+++ b/spec/ansible/roles/prep/tasks/_packages.yml
@@ -1,10 +1,10 @@
 ---
-- name: Upgrade all packages
+- name: "PREP | Upgrade all packages"
 apt:
 name: '*'
 state: latest
 
-- name: Install required packages
+- name: "PREP | Install required packages"
 apt:
 name:
 - jq
@@ -13,7 +13,7 @@
 - wget
 state: latest
 
-- name: Install required packages via pip
+- name: "PREP | Install required packages via pip"
 pip:
 name:
 - jmespath
diff --git a/spec/mongo-inspec-profile/inputs_template.yml b/spec/mongo-inspec-profile/inputs_template.yml
index fb29cd1..57ad9cc 100644
--- a/spec/mongo-inspec-profile/inputs_template.yml
+++ b/spec/mongo-inspec-profile/inputs_template.yml
@@ -1,4 +1,3 @@
-#rename to inputs.yml
 mongo_dba: "admin"
 mongo_dba_password: "admin"
 mongo_host: "localhost"
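Review bot: Both renamed tasks in the -1 hunk call the short module name `apt:`, and the -13 hunk calls `pip:`, whereas the mongo-stig role touched by this same commit spells the same modules `ansible.builtin.*`; `ansible.builtin.apt:` and `ansible.builtin.pip:` would make the two roles consistent and are unaffected by collection resolution order. Separately, `name: '*'` with `state: latest` upgrades every package to whatever the mirror serves on build day, so two builds of the hardened image can differ with no change in this repository; if the image is meant to be reproducible hardening evidence, pin the package set (or at least record it as a build artifact) and use `state: present` for the `jq`/`wget` install task, keeping `latest` only for the deliberate full upgrade.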