Running PR for Profile review and Fix

Review.md

@@ -23,4 +23,5 @@
 
 Another tip is to cat all the controls into a single file so you don't have to open every individaul file and try to keep track of where you are and which one is next.
 
+
 *** A completion date is entered in a row when all non-enhancement issues are resolved for that review row.

controls/V-81849.rb

@@ -101,18 +101,18 @@
   tag "documentable": false
   tag "severity_override_guidance": false
 
-  if file(input('mongod_auditlog')).exist?
-    mongodb_auditlog_dir = command("dirname #{input('mongod_auditlog')}").stdout.strip
-    describe file(mongodb_auditlog_dir) do
-      it { should_not be_more_permissive_than('0700') } 
-      its('owner') { should be_in input('mongodb_service_account') }
-      its('group') { should be_in input('mongodb_service_group') }
-    end
-  else
-    describe file('/var/log') do
-      it { should_not be_more_permissive_than('0755') } 
-      its('owner') { should eq 'root' }
-      its('group') { should eq 'root' }
-    end
+  mongodb_auditlog_dir = yaml(input('mongod_conf'))['auditLog', 'path']
+  mongodb_service_account = input('mongodb_service_account')
+  mongodb_service_group = input('mongodb_service_group')
+
+  describe file(mongodb_auditlog_dir) do
+    it { should exist }
+  end
+
+  describe file(mongodb_auditlog_dir) do
+    it { should_not be_more_permissive_than('0700') } 
+    its('owner') { should be_in mongodb_service_account }
+    its('group') { should be_in mongodb_service_group }
   end
+
 end

controls/V-81851.rb

@@ -67,10 +67,13 @@
   tag "nist": ["AU-9"]
   tag "documentable": false
   tag "severity_override_guidance": false
+
+  mongodb_service_account = input('mongodb_service_account')
+  mongodb_service_group = input('mongodb_service_group')
 
   describe file(input('mongod_conf')) do
     it { should_not be_more_permissive_than('0700') } 
-    its('owner') { should be_in input('mongodb_service_account') }
-    its('group') { should be_in input('mongodb_service_group') }
+    its('owner') { should be_in mongodb_service_account }
+    its('group') { should be_in mongodb_service_group }
   end
 end

controls/V-81855.rb

@@ -47,12 +47,9 @@
   tag "documentable": false
   tag "severity_override_guidance": false
 
-  if input('is_docker') == 'true'
-    describe "The MongoDB is installed within a Docker container so it is 
-    separate from the host OS, therefore this is not a finding." do
-      subject { virtualization.system }
-      it {should cmp 'docker'}
-    end
+  if virtualization.system.eql?('docker')
+    impact 0.0
+    desc 'caveat', 'This is Not Applicable since the MongoDB is installed within a Docker container so it is separate from the host OS'
   else
     describe "This test requires a Manual Review: Ensure all database software, 
     including DBMS configuration files, is stored in dedicated directories, or 

controls/V-81861.rb

@@ -57,30 +57,30 @@
   tag "documentable": false
   tag "severity_override_guidance": false
 
-  mongo_conf_file = input('mongod_conf')
+  mongo_conf_file = input('mongod_conf').to_s
   describe.one do
-    describe yaml(mongo_conf_file.to_s) do
+    describe yaml(mongo_conf_file) do
       its(%w{net http enabled}) { should cmp 'false' }
     end
-    describe yaml(mongo_conf_file.to_s) do
+    describe yaml(mongo_conf_file) do
       its(%w{net http enabled}) { should be_nil }
     end
   end
 
   describe.one do
-    describe yaml(mongo_conf_file.to_s) do
+    describe yaml(mongo_conf_file) do
       its(%w{net http JSONPEnabled}) { should cmp 'false' }
     end
-    describe yaml(mongo_conf_file.to_s) do
+    describe yaml(mongo_conf_file) do
       its(%w{net http JSONPEnabled}) { should be_nil }
     end
   end
 
   describe.one do
-    describe yaml(mongo_conf_file.to_s) do
+    describe yaml(mongo_conf_file) do
       its(%w{net http RESTInterfaceEnabled}) { should cmp 'false' }
     end
-    describe yaml(mongo_conf_file.to_s) do
+    describe yaml(mongo_conf_file) do
       its(%w{net http RESTInterfaceEnabled}) { should be_nil }
     end
   end

controls/V-81871.rb

@@ -58,32 +58,30 @@
   tag "nist": ["IA-5 (2) (b)"]
   tag "documentable": false
   tag "severity_override_guidance": false
+
+  mongod_pem = yaml(input('mongod_conf'))['net', 'ssl', 'PEMKeyFile']
+  mongod_cafile = yaml(input('mongod_conf'))['net', 'ssl', 'CAFile']
+  mongodb_service_account = input('mongodb_service_account')
+  mongodb_service_group = input('mongodb_service_group')
 
-  if file(input('mongod_pem')).exist?
-    describe file(input('mongod_pem')) do
-      it { should_not be_more_permissive_than('0600') } 
-      its('owner') { should be_in input('mongodb_service_account') }
-      its('group') { should be_in input('mongodb_service_group') }
-    end
-  else
-    describe 'This control must be reviewed manually because the pem file is not found 
-    at the location specified.' do
-      skip 'This control must be reviewed manually because the pem file is not found 
-      at the location specified.'
-    end 
-  end 
+  describe file(mongod_pem) do
+    it { should exist }
+  end
+
+  describe file(mongod_pem) do
+    it { should_not be_more_permissive_than('0600') } 
+    its('owner') { should be_in mongodb_service_account }
+    its('group') { should be_in mongodb_service_group }
+  end
+
+  describe file(mongod_cafile) do
+    it { should exist }
+  end
 
-  if file(input('mongod_cafile')).exist?
-    describe file(input('mongod_cafile')) do
-      it { should_not be_more_permissive_than('0600') } 
-      its('owner') { should be_in input('mongodb_service_account') }
-      its('group') { should be_in input('mongodb_service_group') }
-    end
-  else 
-    describe 'This control must be reviewed manually because the CA file is not found 
-    at the location specified.' do
-      skip 'This control must be reviewed manually because the CA file is not found 
-      at the location specified.'
-    end 
+  describe file(mongod_cafile) do
+    it { should_not be_more_permissive_than('0600') } 
+    its('owner') { should be_in mongodb_service_account }
+    its('group') { should be_in mongodb_service_group }
   end
+
 end

inputs.yml

@@ -1,11 +1,8 @@
 mongod_conf: '/etc/mongod.conf'
 mongo_data_dir: '/var/lib/mongo'
 
-mongod_pem: '/etc/ssl/mongodb.pem'
-mongod_cafile: '/etc/ssl/mongodbca.pem'
 mongod_client_pem: '/etc/ssl/client.pem'
 
-mongod_auditlog: '/var/lib/mongo/auditLog.bson'
 saslauthd: '/etc/sysconfig/saslauthd'
 
 mongod_hostname: 'MONGODB'

inspec.yml

@@ -21,30 +21,12 @@ inputs:
     value: '/var/lib/mongo'
     required: true
 
-  - name: mongod_pem
-    description: 'MongoDB Server PEM File'
-    type: string
-    value: '/etc/ssl/mongodb.pem'
-    required: true
-
-  - name: mongod_cafile
-    description: 'MongoDB CA File'
-    type: string
-    value: '/etc/ssl/mongodbca.pem'
-    required: true
-
   - name: mongod_client_pem
     description: 'MongoDB Client PEM File'
     type: string
     value: '/etc/ssl/client.pem'
     required: true
 
-  - name: mongod_auditlog
-    description: 'MongoDB Audit Log File'
-    type: string
-    value: '/var/lib/mongo/auditLog.bson'
-    required: true
-
   - name: saslauthd
     description: 'MongoDB SASLAUTHD File'
     type: string
@@ -155,3 +137,12 @@ inputs:
     type: array
     value: ['[ { "role" : "clusterAdmin", "db" : "admin" }, { "role" : "readAnyDatabase", "db" : "admin" }, { "role" : "readWrite", "db" : "config" } ] }']
 
+  - name: mongodb_service_account
+    description: Mongodb Service Account
+    type: array
+    value: ["mongodb", "mongod"]
+
+  - name: mongodb_service_group
+    description: Mongodb Service Group
+    type: array
+    value: ["mongodb", "mongod"]