update readme

README.md

@@ -73,25 +73,30 @@ certificate_key_file: "/etc/ssl/mongodb.pem"
 
 5. **Update `inspec.yml` for InSpec**
 
-   Update the `inspec.yml` file located at `spec/mongo-inspec-profile/inspec.yml` with any your values.
+   Update the `inspec.yml` file located at `spec/mongo-inspec-profile/inspec.yml` with your values.
+   Most values should remain unchanged; only modify them if you are certain about the changes to avoid causing issues with the Ansible playbook execution.
 
-6. **Initialize Packer**
+6. **Check Configuration Flags**
+
+   If you want to disable the `fips_mode` or `enterprise_edition` flags, ensure they are disabled in both `spec/ansible/mongo-stig-hardening-playbook.yml` and `spec/ansible/roles/mongo-stig/defaults/main.yml`.
+
+7. **Initialize Packer**
 
    Initialize Packer to install the required Ansible and Docker plugins:
 
    ```sh
    packer init .
    ```
 
-7. **Build the Hardened Image**
+8. **Build the Hardened Image**
 
    Execute the following command to build, test, and save the hardened Mongo image:
 
    ```sh
    packer build mongo-hardening.pkr.hcl
    ```
 
-8. **Run the Hardened Image**
+9. **Run the Hardened Image**
 
    Execute the following command to run the hardened Mongo image:
 
@@ -108,25 +113,31 @@ certificate_key_file: "/etc/ssl/mongodb.pem"
 
 ## Notes
 
-- You can add additional types of scanning beyond InSpec (or get InSpec to run more than one testing profile) by modifying the `scripts/scan.sh` file. See the [MITRE SAF(c) Validation Library](https://saf.mitre.org/#/validate) for more InSpec profiles, or use your favorite image scanning tool.
+### InSpec
 
-- The `verify_threshold.sh` script will tag the generated image as "passing" if it exceeds the compliance threshold set in `threshold.yml`, and "failing" if it does not. A real hardening pipeline would instead do something like push an image that passes the threshold to a registry, and simply ignore it if it does not.
+Full repository [here](https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline).
 
-- To run the inspec seperately:
-
-  Full repository [here](https://github.com/mitre/mongodb-enterprise-advanced-4-stig-baseline).
+- Running InSpec Checks
 
   - Remove the `--controls` flag to run all inspec checks at once.
 
-    ```sh
-    inspec exec spec/mongo-inspec-profile/ -t docker://mongo-hardened --controls=SV-252134 --input-file=spec/mongo-inspec-profile/inputs.yml --no-create-lockfile --show-progress
-    ```
+  ```sh
+  inspec exec spec/mongo-inspec-profile/ -t docker://mongo-hardened --controls=SV-252134 --input-file=spec/mongo-inspec-profile/inputs.yml --no-create-lockfile --show-progress
+  ```
+
+- Deeper Testing with InSpec Shell
+
+  ```sh
+  inspec shell -t docker://mongo-hardened --depends=spec/mongo-inspec-profile/ --input-file=spec/mongo-inspec-profile/inputs.yml
+  ```
+
+- You can add additional types of scanning beyond InSpec (or get InSpec to run more than one testing profile) by modifying the `scripts/scan.sh` file. See the [MITRE SAF(c) Validation Library] (https://saf.mitre.org/#/validate) for more InSpec profiles, or use your favorite image scanning tool.
+
+### Certificates
 
-  - To get into the inspec shell for deeper testing
+For the full `README`, refer to the `certificates` folder.
 
-    ```sh
-    inspec shell -t docker://mongo-hardened --depends=spec/mongo-inspec-profile/ --input-file=spec/mongo-inspec-profile/inputs.yml
-    ```
+- If you encounter connection errors, ensure you have the latest OpenSSL version (last tested with OpenSSL 3.3.0).
 
 ## Authors
 

certificates/README.md

@@ -9,7 +9,11 @@
 5. [Configure MongoDB to Use the Local CA](#step-5-configure-mongodb-to-use-the-local-ca)
 6. [Use the Certificates to Login to MongoDB](#step-6-use-the-certificates-to-login-to-mongodb)
 
-**Note for Users**: If you only need to generate your own certificates, skip to [Step 4](#step-4-generate-and-sign-user-certificates-each-user) and follow the instructions there.
+## Notes
+
+- Ensure you have the latest OpenSSL version (last tested with OpenSSL 3.3.0) to avoid connection errors
+
+- To generate user certificates, skip to [Step 4](#step-4-generate-and-sign-user-certificates-each-user).
 
 ## Step 1: DoD CA Certificates Installation
 

spec/ansible/roles/mongo-stig/defaults/main.yml

@@ -1,4 +1,5 @@
 ---
+### CONFIGURATION FLAGS
 prep_conf: true
 enterprise_edition: true
 fips_mode: true
@@ -8,14 +9,19 @@ mongostig_cat2: true
 encryption_at_rest: false
 kmip_enabled: false
 
+### CONNECTION VARIABLES
 mongo_owner: root
 mongo_group: root
 mongo_dba: root
 mongo_dba_password: root
 mongo_host: localhost
 mongo_port: 27017
 mongo_auth_source: admin
-mongo_permissions: 0600
+max_incoming_connections: 800000
+authentication_mechanism: 
+  - SCRAM-SHA-256
+
+### ROLES AND USERS
 mongo_admin_roles:
   - "root"
 mongo_super_users:
@@ -27,31 +33,26 @@ inappropriate_mongo_privileges:
   - "changeStream"
   - "createCollection"
 
-authentication_mechanism: 
-  - SCRAM-SHA-256
-
+### FILE PATHS
+mongo_permissions: 0600
 mongod_config_path: /etc/mongod.conf
-
 # Set 'audit_log_destination' to either "file" or "syslog"
 audit_log_destination: file
 mongo_audit_directory_path: /var/log/mongodb/audit/
 mongo_audit_file_path: /var/log/mongodb/audit/auditLog.bson
-
 certificate_key_file_dest: /etc/ssl/mongodb.pem
 certificate_key_file_src: ../../../../certificates/mongodb.pem
 ca_file_dest: /etc/ssl/CA_bundle.pem
 ca_file_src: ../../../../certificates/dod_CAs.pem
-
 data_file_directory_path: /data/db/
 
-max_incoming_connections: 800000
-
-mongo_filter: "'{ atype: { $in: [ \"createCollection\", \"dropCollection\" ] } }'"
-
+### ENCRYPTION SETTINGS
 encryption_cipher_mode: AES256-GCM
 KMIP_server_host_name: 
 KMIP_server_port: 
 KMIP_server_ca_file: 
 KMIP_client_certificate_file: 
+security_encryption_key_file: 
 
-security_encryption_key_file: 
+### AUDIT SETTINGS
+mongo_filter: "'{ atype: { $in: [ \"createCollection\", \"dropCollection\" ] } }'"