Moving Common Controls 11.2 to Policy Group 10 (#487)
* moving 11.2 to Policy Group 10

* updating drift rules

* moving over resource links

* spacing fixes

* Move 11.5 to group 10

---------

Co-authored-by: Alden Hilton <[email protected]>
mdueltgen and adhilto authored Oct 31, 2024
1 parent 2b9a8bc commit 2cbbfa2
Showing 5 changed files with 333 additions and 334 deletions.
242 changes: 242 additions & 0 deletions Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
Expand Up @@ -854,4 +854,246 @@ test_Unconfigured_Incorrect_V3 if {
"to determine the state from the logs, the default setting ",
"is non-compliant; manual check recommended."
])}
#--


#
# GWS.COMMONCONTROLS.10.5v0.3
#--
test_Access_Correct_V1 if {
# Test 1 event
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Access_Correct_V2 if {
# Test multiple events
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
},
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Access_Incorrect_V1 if {
# Test 1 event
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Allow users to manage their access to less secure apps is ON</li>",
"</ul>"
])
}

test_Access_Incorrect_V2 if {
# Test multiple events
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
},
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Allow users to manage their access to less secure apps is ON</li>",
"</ul>"
])
}

test_Access_Incorrect_V3 if {
# Test no relevant events
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [

]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, ",
"Test Top-Level OU. While we are unable ",
"to determine the state from the logs, the default setting ",
"is compliant; manual check recommended."
])}

test_Access_Incorrect_V4 if {
# Test no relevant events in top-level OU
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, ",
"Test Top-Level OU. While we are unable ",
"to determine the state from the logs, the default setting ",
"is compliant; manual check recommended."
])}

test_Access_Incorrect_V5 if {
# Test multiple OUs
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
]
}]
},
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Second-Level OU: Allow users to manage their access to less secure apps is ON</li>",
"</ul>"
])
}
#--
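Review bot: test_Access_Incorrect_V3 and test_Access_Incorrect_V4 both assert `RuleOutput[0].RequirementMet` and `RuleOutput[0].NoSuchEvent`, so despite the "Incorrect" name they pin the no-event path as compliant ("the default setting is compliant; manual check recommended"), which is the opposite of what the neighbouring test_Unconfigured_Incorrect_V3 pins for its policy; renaming them along the lines of `test_Access_NoEvents_V1` / `test_Access_NoEventsTopLevelOU_V1` would make that fail-open default visible to whoever next revisits the rule if the product default changes. Every event in the new block carries only `ORG_UNIT_NAME`, yet the passing cases assert "Requirement met in all OUs and groups." — a case with a group-scoped event, or a short comment stating that 10.5 is evaluated per OU only, would close that gap, assuming the rule consults group settings for this policy at all. The `])}` closing of V3/V4 also differs from the `])` then `}` layout used by the other tests in the same block.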
