started mongo role development

spec/ansible/rhel8-stig-hardening-playbook.yml

@@ -3,7 +3,8 @@
     - localhost
   roles:
     - roles/prep # basic update and config tasks
-    - rhel8STIG # apply STIG requirement controls
+    #- rhel8STIG # apply STIG requirement controls
+    - mongo-stig
   serial: 50
   user: 0
   vars:

spec/ansible/roles/mongo-stig/defaults/main.yml

@@ -1,2 +1,5 @@
 ---
 # defaults file for mongo-stig
+mongostig_cat1: true
+mongostig_cat2: true
+mongostig_cat3: true 

spec/ansible/roles/mongo-stig/tasks/cat1.yml

@@ -0,0 +1,217 @@
+---
+- name: "HIGH | V-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
+  community.mongodb.mongodb_parameter:
+    login_user: root
+    login_password: admin
+    param: tlsMode
+    value: requireTLS
+    param_type: str
+  register: result
+  changed_when: no
+  ignore_errors: yes
+  tags:
+    - cat1
+    - high
+    - V-252139
+    - audit
+
+# - name: "HIGH | V-252146 | AUDIT | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252146
+#     - audit
+
+# - name: "HIGH | V-252146 | PATCH | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252146
+#     - patch
+
+# - name: "HIGH | V-252149 | AUDIT | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252149
+#     - audit
+
+# - name: "HIGH | V-252149 | PATCH | MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252149
+#     - patch
+
+# - name: "HIGH | V-252150 | AUDIT | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252150
+#     - audit
+
+# - name: "HIGH | V-252150 | PATCH | MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252150
+#     - patch
+
+# - name: "HIGH | V-252152 | AUDIT | MongoDB software installation account must be restricted to authorized users."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252152
+#     - audit
+
+# - name: "HIGH | V-252152 | PATCH | MongoDB software installation account must be restricted to authorized users."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252152
+#     - patch
+
+# - name: "HIGH | V-252158 | AUDIT | If passwords are used for authentication, MongoDB must implement LDAP or Kerberos for authentication to enforce the DoD standards for password complexity and lifetime."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252158
+#     - audit
+
+# - name: "HIGH | V-252158 | PATCH | If passwords are used for authentication, MongoDB must implement LDAP or Kerberos for authentication to enforce the DoD standards for password complexity and lifetime."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252158
+#     - patch
+
+# - name: "HIGH | V-252159 | AUDIT | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252159
+#     - audit
+
+# - name: "HIGH | V-252159 | PATCH | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252159
+#     - patch
+
+# - name: "HIGH | V-252160 | AUDIT | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252160
+#     - audit
+
+# - name: "HIGH | V-252160 | PATCH | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252160
+#     - patch
+
+# - name: "HIGH | V-252162 | AUDIT | MongoDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252162
+#     - audit
+
+# - name: "HIGH | V-252162 | PATCH | MongoDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252162
+#     - patch
+
+# - name: "HIGH | V-252165 | AUDIT | MongoDB must protect the confidentiality and integrity of all information at rest."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252165
+#     - audit
+
+# - name: "HIGH | V-252165 | PATCH | MongoDB must protect the confidentiality and integrity of all information at rest."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252165
+#     - patch
+
+# - name: "HIGH | V-252184 | AUDIT | MongoDB products must be a version supported by the vendor."
+#   command: true
+#   register: result
+#   always_run: yes
+#   changed_when: no
+#   ignore_errors: yes
+#   tags:
+#     - cat1
+#     - high
+#     - V-252184
+#     - audit
+
+# - name: "HIGH | V-252184 | PATCH | MongoDB products must be a version supported by the vendor."
+#   command: true
+#   tags:
+#     - cat1
+#     - high
+#     - V-252184
+#     - patch
+