From 018797fc3bf012962eaeaa9af0f150c5f3f6a4b4 Mon Sep 17 00:00:00 2001 From: seanlongcc Date: Thu, 18 Apr 2024 14:46:02 -0400 Subject: [PATCH] updated certificates guide, now working --- .gitignore | 5 +- README.md | 9 +- certificates/README.md | 87 ++++++++++++++----- .../roles/mongo-stig/defaults/main.yml | 2 +- spec/ansible/roles/mongo-stig/tasks/cat1.yml | 40 ++++----- 5 files changed, 96 insertions(+), 47 deletions(-) diff --git a/.gitignore b/.gitignore index 981d535..68bab39 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,7 @@ reports/** inputs.yml local-test.yml -*.pem \ No newline at end of file +*.pem +*.csr +*.crt +*.key \ No newline at end of file diff --git a/README.md b/README.md index d3c02b8..ef99f6d 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,14 @@ A workflow for hardening a MongoDB container against a STIG using Packer and Ans Execute the following command to run the hardened Mongo image: ``` - docker run -d --name mongo-hardened -p 27017:27017 -v mongodb_configdb:/data/configdb -v mongodb_db:/data/db mongo-hardened --config /etc/mongod.conf + docker run -d \ ─╯ + --name mongo-hardened \ + -p 27017:27017 \ + -v mongodb_configdb:/data/configdb \ + -v mongodb_db:/data/db \ + -e PATH="/usr/local/src/openssl-3.1.0/apps:$PATH" \ + -e LD_LIBRARY_PATH="LD_LIBRARY_PATH=/usr/local/src/openssl-3.1.0:$LD_LIBRARY_PATH" \ + mongo-hardened --config /etc/mongod.conf ``` ## Notes diff --git a/certificates/README.md b/certificates/README.md index 63a8c4e..5596cad 100644 --- a/certificates/README.md +++ b/certificates/README.md 
@@ -1,58 +1,97 @@ -# Certificates +# Certificates for MongoDB -## DoD Certificate Authority Certificates Installation +## DoD CA Certificates Installation -### Obtain Certificates +### Step 1: Download the PKI CA Certificate Bundles - **Download**: Access the PKI CA Certificate Bundles from the [DoD PKI/PKE Document Library](https://public.cyber.mil/pki-pke/pkipke-document-library/). - **Direct link**: For PKCS#7 Bundle V5.13, download [here](https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip). -### Installation +### Step 2: Extract and Convert the Certificates -1. **Extract Package**: Unzip the downloaded file and follow the README for usage instructions -2. **Place Certificates**: Move the certificate to the `certificates` folder. +Unzip the file and follow the README for detailed instructions or use the following commands to quickly extract and convert the certificates: -## Steps to Correctly Generate a Certificate and Key for MongoDB TLS/SSL: +```bash +cd certificates_pkcs7_v5_13_dod +openssl pkcs7 -in certificates_pkcs7_v5_13_dod_der.p7b -inform der -print_certs -out dod_CAs.pem +``` + +### Step 3: Place the Certificate + +Move the extracted `dod_CAs.pem` file to the `certificates` folder. + +This `dod_CAs.pem` file is what is required for the `net.tls.CAFile` option in the MongoDB configuration. + +**Note:** The file gets automatically renamed to `CA_bundle.pem` when the Ansible playbook gets run. -### 1. Generate a New Private Key +```yaml +net: + tls: + mode: requireTLS + CAFile: /etc/ssl/CA_bundle.pem +``` + +## MongoDB TLS/SSL Certificate and Key Generation + +### Step 1: Generate a New Private Key ```bash openssl genrsa -out mongodb-private.key 2048 ``` -This command creates a 2048-bit RSA private key. +This command generates a 2048-bit RSA private key, named `mongodb-private.key`, which is used for creating a CSR and signing the certificate. -### 2. 
Generate a Certificate Signing Request (CSR) +### Step 2: Generate a Certificate Signing Request (CSR) ```bash openssl req -new -key mongodb-private.key -out mongodb.csr ``` -You'll be prompted to enter details for the certificate; fill these out as they pertain to your organization or for testing purposes. - -### 3. Generate a Self-Signed Certificate +This command generates a CSR using the previously created private key. You'll specify the necessary details for the certificate, such as setting the `Common Name` to `localhost` for local testing. -If you're setting this up for testing purposes or internal use, you can generate a self-signed certificate: +### Step 3: Generate a Self-Signed Certificate ```bash -openssl x509 -req -days 365 -in mongodb.csr -signkey mongodb-private.key -out mongodb-cert.pem +openssl x509 -req -days 397 -in mongodb.csr -signkey mongodb-private.key -out mongodb-cert.crt ``` -This creates a certificate that's valid for 365 days. +This command creates a self-signed X.509 certificate using the CSR and the private key. The certificate is output as `mongodb-cert.crt`. -### 4. Combine Private Key and Certificate into One PEM File - -MongoDB expects the private key and the certificate to be in the same PEM file for `net.tls.certificateKeyFile`: +### Step 4: Combine Private Key and Certificate into One PEM File ```bash -cat mongodb-private.key mongodb-cert.pem > mongodb.pem +cat mongodb-private.key mongodb-cert.crt > mongodb.pem ``` -This `mongodb.pem` file is what you should reference in your MongoDB configuration: +This command concatenates the private key and the certificate into a single file called `mongodb.pem`, which MongoDB requires for its `net.tls.certificateKeyFile` configuration. 
+ +This `mongodb.pem` file is what is being referenced in the MongoDB configuration: ```yaml net: - tls: - mode: requireTLS - certificateKeyFile: /etc/ssl/mongodb.pem + tls: + mode: requireTLS + certificateKeyFile: /etc/ssl/mongodb.pem +``` + +### Step 5: Append Certificate to Trusted CA Bundle and Move PEM File + +```bash +mv mongodb.pem mongodb-cert.crt certificates/ +cat mongodb-cert.crt >> dod_CAs.pem +``` + +Move the `mongodb.pem` and `mongodb-cert.crt` files to the designated `certificates` directory. Then, append the MongoDB certificate from `mongodb-cert.crt` to your list of trusted Certificate Authorities in `dod_CAs.pem`. This setup ensures that MongoDB utilizes the certificate for secure connections and that the system recognizes it as a trusted source. + +### Alternative Configuration: One-Command Setup + +For a streamlined setup, you can execute all steps with a single condensed command: + +```bash +openssl genrsa -out mongodb-private.key 2048 && \ +openssl req -new -key mongodb-private.key -out mongodb.csr -subj '/C=US/ST=VA/L=McLean/O=MITRE/OU=MITRE SAF/CN=localhost' && \ +openssl x509 -req -days 397 -in mongodb.csr -signkey mongodb-private.key -out mongodb-cert.crt && \ +cat mongodb-private.key mongodb-cert.crt > mongodb.pem && \ +mv mongodb.pem mongodb-cert.crt certificates/ && \ +cat certificates/mongodb-cert.crt >> certificates/dod_CAs.pem ``` diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml index 0d970ab..973b008 100644 --- a/spec/ansible/roles/mongo-stig/defaults/main.yml +++ b/spec/ansible/roles/mongo-stig/defaults/main.yml 
@@ -24,7 +24,7 @@ mongo_audit_file_path: /var/log/mongodb/audit/auditLog.bson certificate_key_file_dest: /etc/ssl/mongodb.pem certificate_key_file_src: ../../../../certificates/mongodb.pem -ca_file_dest: /etc/ssl/caToValidateClientCertificates.pem +ca_file_dest: /etc/ssl/CA_bundle.pem ca_file_src: ../../../../certificates/dod_CAs.pem data_file_directory_path: /data/db/ diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml index 2f52c27..c46c71a 100644 --- a/spec/ansible/roles/mongo-stig/tasks/cat1.yml +++ b/spec/ansible/roles/mongo-stig/tasks/cat1.yml @@ -1,24 +1,24 @@ --- -# - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords." -# yedit: -# src: "{{ mongod_config_path }}" -# edits: -# - key: net.tls.mode -# value: requireTLS -# - key: net.tls.certificateKeyFile -# value: "{{ certificate_key_file_dest }}" -# - key: net.tls.CAFile -# value: "{{ ca_file_dest }}" -# - key: net.tls.allowInvalidCertificates -# value: false -# - key: net.tls.allowConnectionsWithoutCertificates -# value: false -# ignore_errors: true -# tags: -# - cat1 -# - high -# - SV-252139 -# - enterprise +- name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords." + yedit: + src: "{{ mongod_config_path }}" + edits: + - key: net.tls.mode + value: requireTLS + - key: net.tls.certificateKeyFile + value: "{{ certificate_key_file_dest }}" + - key: net.tls.CAFile + value: "{{ ca_file_dest }}" + - key: net.tls.allowInvalidCertificates + value: false + - key: net.tls.allowConnectionsWithoutCertificates + value: false + ignore_errors: true + tags: + - cat1 + - high + - SV-252139 + - enterprise # - name: "HIGH | SV-252146 | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations." # yedit:
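Review bot: `ignore_errors: true` on the newly uncommented SV-252139 task means a failed yedit run (for example an unreadable `{{ mongod_config_path }}`) still leaves the play green, so the image can be built with `net.tls.mode: requireTLS` never written while the CAT I control is reported as applied; the task should fail hard — drop the `ignore_errors: true` line, or if a soft failure is really intended, register the result and assert on it in a follow-up task so the gap is visible. Separately, this task points `net.tls.CAFile` at `{{ ca_file_dest }}`, and the certificates/README.md hunk in this commit appends the server's own self-signed `mongodb-cert.crt` to the `dod_CAs.pem` that is copied there, so that self-signed leaf would presumably act as a trust anchor for client-certificate validation alongside the DoD CAs. A comment on the `net.tls.CAFile` edit such as `# CA bundle is also the client-cert trust store; outside local testing it must contain only real CA certificates, not the server's self-signed cert` would keep that from being carried into a non-test build.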