InSpec profile to validate the secure configuration of MongoDB against DISA's MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide (STIG) Version 1, Release 2. (Applies to database versions 4, 5, 6, & 7)
For the best security of the runner, always install the latest version of InSpec and its supporting Ruby language components on the runner. Latest versions and installation options are available at the InSpec site.
To ensure the profile runs correctly in your specific environment, you need to configure the inputs in the `inspec.yml` and the `inputs.yml` file. A template file named `inputs_template.yml` is provided to help you get started. More information about InSpec inputs can be found in the InSpec Profile Documentation.
```yaml
# The username for the MongoDB administrative account.
mongo_dba: "root"
# The password for the MongoDB administrative account.
mongo_dba_password: "root"
# The hostname or IP address of the MongoDB server.
mongo_host: "localhost"
# The port number on which the MongoDB server is listening.
mongo_port: "27017"
# The database to authenticate against.
mongo_auth_source: "admin"
# The path to the Certificate Authority (CA) bundle file for SSL/TLS connections.
ca_file: "/etc/ssl/CA_bundle.pem"
# The path to the MongoDB SSL/TLS certificate key file.
certificate_key_file: "/etc/ssl/mongodb.pem"
```
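The inputs above are consumed by the profile's controls at run time, so a bad value (a port that is not a number, a relative certificate path, the template's placeholder password) surfaces only as confusing control failures. The following Ruby is an added example, not code from the MITRE profile: it loads an inputs file, checks each value before a run, and shows how the inputs map onto the `mongosh` connection flags (`--host`, `--port`, `--username`, `--authenticationDatabase`, `--tls`, `--tlsCAFile`, `--tlsCertificateKeyFile`). The sample YAML is constructed from the template keys shown above; the validation rules and the `redact` helper are this example's own.

```ruby
# Added example: pre-flight check of an InSpec inputs file for this profile.
# Not part of mitre/mongodb-enterprise-advanced-4-stig-baseline.
require 'yaml'

# Input names taken from the README's inputs listing.
REQUIRED_INPUTS = %w[mongo_dba mongo_dba_password mongo_host mongo_port
                     mongo_auth_source ca_file certificate_key_file].freeze

# Constructed sample inputs file (mirrors the template; not a real deployment).
SAMPLE_INPUTS_YAML = <<~YAML
  mongo_dba: "root"
  mongo_dba_password: "root"
  mongo_host: "localhost"
  mongo_port: "27017"
  mongo_auth_source: "admin"
  ca_file: "/etc/ssl/CA_bundle.pem"
  certificate_key_file: "/etc/ssl/mongodb.pem"
YAML

# Parse the inputs file into a Hash with string keys. safe_load refuses
# arbitrary object tags, which matters when the file comes from a repo.
def load_inputs(yaml_text)
  YAML.safe_load(yaml_text) || {}
end

# Return a list of problems; an empty list means the inputs are usable.
# The rules are this example's own assumptions about sensible values.
def validate_inputs(inputs)
  problems = REQUIRED_INPUTS.reject { |k| inputs.key?(k) }
                            .map { |k| "missing input: #{k}" }
  port = inputs['mongo_port'].to_s
  unless port.match?(/\A\d+\z/) && (1..65_535).cover?(port.to_i)
    problems << "mongo_port must be 1-65535, got #{port.inspect}"
  end
  %w[ca_file certificate_key_file].each do |k|
    path = inputs[k].to_s
    problems << "#{k} must be an absolute path, got #{path.inspect}" unless path.start_with?('/')
  end
  if inputs['mongo_dba_password'].to_s == 'root'
    problems << 'mongo_dba_password is the template default; set a real value'
  end
  problems
end

# Map the inputs onto mongosh connection flags. TLS flags are always emitted
# because the STIG expects TLS-protected connections to the server.
def mongosh_args(inputs)
  [
    '--host', inputs['mongo_host'].to_s,
    '--port', inputs['mongo_port'].to_s,
    '--username', inputs['mongo_dba'].to_s,
    '--password', inputs['mongo_dba_password'].to_s,
    '--authenticationDatabase', inputs['mongo_auth_source'].to_s,
    '--tls',
    '--tlsCAFile', inputs['ca_file'].to_s,
    '--tlsCertificateKeyFile', inputs['certificate_key_file'].to_s
  ]
end

# Copy of the argument list with the password replaced, for logs and output.
def redact(args)
  out = args.dup
  idx = out.index('--password')
  out[idx + 1] = '***' if idx && idx + 1 < out.length
  out
end

if $PROGRAM_NAME == __FILE__
  inputs = load_inputs(SAMPLE_INPUTS_YAML)
  validate_inputs(inputs).each { |p| warn "input problem: #{p}" }
  puts "mongosh #{redact(mongosh_args(inputs)).join(' ')}"
end
```

Run it against your own file with `load_inputs(File.read('inputs.yml'))`; a non-empty problem list is the signal to fix the inputs before spending a full profile run on them, and `redact` keeps the administrative password out of CI logs.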
Against a locally-hosted instance:

```shell
inspec exec https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline.git --input-file=<your_inputs_file.yml> --reporter=cli json:<your_output_file.json> --no-create-lockfile --enhanced-outcomes
```

Against a docker-containerized instance:

```shell
inspec exec https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline.git -t docker://<instance_id> --input-file=<your_inputs_file.yml> --reporter=cli json:<your_output_file.json> --no-create-lockfile --enhanced-outcomes
```
If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this overlay and all of its dependent tests:

(Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the Git site.)

When the "runner" host uses this profile overlay for the first time, follow these steps:

```shell
mkdir profiles
cd profiles
git clone https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline.git
inspec archive mongodb-enterprise-advanced-4-stig-baseline
inspec exec <name of generated archive> --input-file=<your_inputs_file.yml> --reporter=cli json:<your_output_file.json> --no-create-lockfile --enhanced-outcomes
```

For every successive run, follow these steps to always have the latest version of this overlay and dependent profiles:

```shell
cd mongodb-enterprise-advanced-4-stig-baseline
git pull
cd ..
inspec archive mongodb-enterprise-advanced-4-stig-baseline --overwrite
inspec exec <name of generated archive> --input-file=<your_inputs_file.yml> --reporter=cli json:<your_output_file.json> --no-create-lockfile --enhanced-outcomes
```
The JSON results output file can be loaded into heimdall-lite for a user-interactive, graphical view of the InSpec results.
The JSON InSpec results file may also be loaded into a full heimdall server, allowing for additional functionality such as to store and compare multiple profile runs.
Once the InSpec profile has finished running, clean up any test artifacts that were created during the validation process.

To automatically clean up these artifacts, run the cleanup file available here. This script will remove all the databases, users, and roles that were generated during testing:

- Databases:
  - products
- Users:
  - test.myTester
  - products.myRoleTestUser
- Roles:
  - products.myTestRole

For a complete list of potential databases, users, and roles created, refer to the `inspec.yml`.
- Sean Chacon Cai - seanlongcc
- Will Dower - wdower
- See the License
- See the Notice