You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This repository contains an Ansible role for hardening MongoDB based on DISA's MongoDB Enterprise Advanced 4.x Security Technical
Implementation Guide (STIG) Version 1, Release 2. (Applies to database versions 4, 5, 6, & 7)
Requirements
Ansible
Python 3.9+
MongoDB Enterprise 4.x, 5.x, 6.x, 7.x
Install
You can install the mitre.mongo-stig role via Ansible Galaxy:
ansible-galaxy install mitre.mongo-stig
Alternatively, you can link directly to the GitHub repository in your requirements.yml:
# requirements.ymlroles:
- name: mitre.mongo-stigsrc: https://github.com/mitre/ansible-mongodb-enterprise-advanced-4-stig-hardeningversion: main
Role Variables
These variables offer additional configuration options during the installation of the role, which are located in defaults/main.yml. Any changes to these variables should be specified in the vars section of your playbook.
CONFIGURATION FLAGS
Variable
Description
prep_conf
Enable preparation of configuration files. Defaults to true.
enterprise_edition
Enable Enterprise Edition features. Defaults to true.
fips_mode
Enable FIPS mode. Defaults to true.
mongostig_cat1
Enable MongoDB STIG Category 1 settings. Defaults to true.
mongostig_cat2
Enable MongoDB STIG Category 2 settings. Defaults to true.
encryption_at_rest
Enable encryption at rest. Set to true if any data is PII, classified, or deemed necessary to encrypt.
kmip_enabled
Enable KMIP for encryption at rest. Defaults to false.
CONNECTION VARIABLES
Variable
Description
mongo_owner
Owner of MongoDB files. Defaults to root.
mongo_group
Group of MongoDB files. Defaults to root.
mongo_dba
MongoDB DBA user. Defaults to root.
mongo_dba_password
Password for MongoDB DBA user. Defaults to root.
mongo_host
Hostname for MongoDB. Defaults to localhost.
mongo_port
Port for MongoDB. Defaults to 27017.
mongo_auth_source
Authentication database for MongoDB. Defaults to admin.
max_incoming_connections
Maximum number of incoming connections. Defaults to 800000.
authentication_mechanism
Authentication mechanisms for MongoDB. Defaults toSCRAM-SHA-256. Other possible values here.
ROLES AND USERS
Variable
Description
mongo_admin_roles
Roles for MongoDB admin. Example: ["root"].
mongo_super_users
Super users for MongoDB. Example: ["admin.root"].
mongo_users
Users for MongoDB. Example: ["test.myTester", "products.myRoleTestUser"].
inappropriate_mongo_privileges
List of inappropriate privileges. Example: ["changeStream", "createCollection"].
FILE PATHS
Variable
Description
mongo_permissions
Permissions for MongoDB files. Defaults to 0600.
mongod_config_path
Path to MongoDB configuration file. Defaults to /etc/mongod.conf.
audit_log_destination
Destination for audit logs. Set to either file or syslog. Defaults to file.
mongo_audit_directory_path
Directory path for MongoDB audit logs. Defaults to /var/log/mongodb/audit/.
mongo_audit_file_path
File path for MongoDB audit logs. Defaults to /var/log/mongodb/audit/auditLog.bson.
certificate_key_file_dest
Destination path for MongoDB certificate key file. Defaults to /etc/ssl/mongodb.pem.
certificate_key_file_src
Source path for MongoDB certificate key file. Defaults to ../../certificates/mongodb.pem.
ca_file_dest
Destination path for CA bundle file. Defaults to /etc/ssl/CA_bundle.pem.
ca_file_src
Source path for CA bundle file. Defaults to ../../certificates/dod_CAs.pem.
data_file_directory_path
Directory path for MongoDB data files. Defaults to /data/db/.
ENCRYPTION SETTINGS
Variable
Description
encryption_cipher_mode
Cipher mode for encryption. Defaults to AES256-GCM.
KMIP_server_host_name
KMIP server hostname.
KMIP_server_port
KMIP server port.
KMIP_server_ca_file
CA file for KMIP server.
KMIP_client_certificate_file
Client certificate file for KMIP.
security_encryption_key_file
Path to encryption key file.
AUDIT SETTINGS
Variable
Description
mongo_filter
Filter for MongoDB auditing. Example: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'. More information here.