Correct the "No Such Event" behavior for Gmail policies with multiple…
… settings (#369)

* Invert no such event rule for 7.6

* Invert no such event rule for gmail 5.5

* Change to default per regal rule

* Add new test cases to cover partial no such event edge case
adhilto authored Sep 5, 2024
1 parent 6b83703 commit 8fa9f97
Showing 3 changed files with 195 additions and 71 deletions.
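--- a/Testing/RegoTests/gmail/gmail05_test.rego
+++ b/Testing/RegoTests/gmail/gmail05_test.rego
@@ -1284,3 +1284,75 @@ test_AttachmentSafety_InCorrect_V2 if {
 "Emails with encrypted attachments from untrusted senders are kept in the inbox</li></ul>"])
 }
 
+test_AttachmentSafety_Inorrect_V3 if {
+# Test Spoofing and Authentication Protections when one setting is missing events
+PolicyId := "GWS.GMAIL.5.5v0.3"
+Output := tests with input as {
+"gmail_logs": {"items": [
+{
+"id": {"time": "2022-12-20T00:02:24.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Attachment safety Encrypted attachment protection setting action"
+},
+{"name": "NEW_VALUE", "value": "Move to spam"},
+{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+]
+}]
+},
+{
+"id": {"time": "2022-12-20T00:02:25.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Attachment safety Attachment with scripts protection action"
+},
+{"name": "NEW_VALUE", "value": "Move to spam"},
+{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+]
+}]
+}
+# Note: no event for "Attachment safety Anomalous attachment protection setting action"
+]},
+"tenant_info": {
+"topLevelOU": ""
+}
+}
+
+RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+count(RuleOutput) == 1
+not RuleOutput[0].RequirementMet
+RuleOutput[0].NoSuchEvent
+RuleOutput[0].ReportDetails == concat("", [
+"No relevant event in the current logs for the top-level OU, Test Top-Level OU. ",
+"While we are unable to determine the state from the logs, the default setting ",
+"is non-compliant; manual check recommended."
+])
+}
+
+
+test_AttachmentSafety_Inorrect_V4 if {
+# Test Spoofing and Authentication Protections when all settings have no events
+PolicyId := "GWS.GMAIL.5.5v0.3"
+Output := tests with input as {
+"gmail_logs": {"items": [
+
+]},
+"tenant_info": {
+"topLevelOU": "Test Top-Level OU"
+}
+}
+
+RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+count(RuleOutput) == 1
+not RuleOutput[0].RequirementMet
+RuleOutput[0].NoSuchEvent
+RuleOutput[0].ReportDetails == concat("", [
+"No relevant event in the current logs for the top-level OU, Test Top-Level OU. ",
+"While we are unable to determine the state from the logs, the default setting ",
+"is non-compliant; manual check recommended."
+])
+}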
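Review bot: The two new tests are named `test_AttachmentSafety_Inorrect_V3` and `test_AttachmentSafety_Inorrect_V4`, dropping a letter relative to the neighbouring `test_AttachmentSafety_InCorrect_V2`, and their lead comments say "Spoofing and Authentication Protections" although the policy under test is GWS.GMAIL.5.5 (attachment safety). I would rename them to `test_AttachmentSafety_InCorrect_V3` / `test_AttachmentSafety_InCorrect_V4` and change the comments to `# Test Attachment Safety when one setting has no events` and `# Test Attachment Safety when no setting has any events`. V3 only leaves out the last of the three settings; a variant that leaves out the first one would pin the "any setting missing" behaviour from the other end.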
90 changes: 87 additions & 3 deletions Testing/RegoTests/gmail/gmail07_test.rego
@@ -2421,6 +2421,90 @@ test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V1 if {
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V2 if {
# Test Spoofing and Authentication Protections when only one setting doesn't have enents
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
"gmail_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:24.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value": concat("", [
"Spoofing and authentication safety Protect against domain spoofing based on similar ",
"domain names action"
])
},
{"name": "NEW_VALUE", "value": "Quarantine"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2022-12-20T00:02:25.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value":
"Spoofing and authentication safety Protect against spoofing of employee names action"
},
{"name": "NEW_VALUE", "value": "Move to spam"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2022-12-20T00:02:26.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value": concat("", [
"Spoofing and authentication safety Protect against inbound emails spoofing your ",
"domain action"
])
},
{"name": "NEW_VALUE", "value": "Move to spam"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2022-12-20T00:02:27.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value":
"Spoofing and authentication safety Protect against any unauthenticated emails action"
},
{"name": "NEW_VALUE", "value": "Move to spam"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
# Note that "Spoofing and authentication safety Protect your Groups from inbound emails spoofing your
# domain action" is missing
]},
"tenant_info": {
"topLevelOU": ""
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, Test Top-Level OU. ",
"While we are unable to determine the state from the logs, the default setting ",
"is non-compliant; manual check recommended."
])
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V3 if {
# Test Spoofing and Authentication Protections when there's only one event and it's wrong
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
@@ -2455,7 +2539,7 @@ test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V2 if {
"Automatically enable all future added settings is set to disabled</li></ul>"])
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V3 if {
test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V4 if {
# Test Spoofing and Authentication Protections when there are multiple events and the most recent is wrong
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
@@ -2506,7 +2590,7 @@ test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V3 if {
"Automatically enable all future added settings is set to disabled</li></ul>"])
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V4 if {
test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V5 if {
# Test Spoofing and Authentication Protections when there's only one event and it's wrong
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
@@ -2541,7 +2625,7 @@ test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V4 if {
"Automatically enable all future added settings is set to disabled</li></ul>"])
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V5 if {
test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V6 if {
# Test Spoofing and Authentication Protections when there are multiple events and the most recent is wrong
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
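Review bot: The new `test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V2` filters on `PolicyId := "GWS.GMAIL.7.7v0.3"`, but the setting names it feeds in (with the Groups one deliberately left out) are the ones the `NoSuchEvent7_6` rule in rego/Gmail.rego checks under the GWS.GMAIL.7.6v0.3 baseline. As written the assertions look at the 7.7 result, so the test would probably pass whether or not the 7.6 rule reports the partially missing events; the 7.7 rule is not visible here, so this is worth confirming. If the intent is to cover the 7.6 edge case, the test should use `PolicyId := "GWS.GMAIL.7.6v0.3"` and sit beside the other 7.6 tests under a matching name. The lead comment also has a typo: `doesn't have enents` should read `doesn't have events`.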
104 changes: 36 additions & 68 deletions rego/Gmail.rego
@@ -500,27 +500,20 @@ if {
#
# Baseline GWS.GMAIL.5.5v0.3
#--
default NoSuchEvent5_5(_) := true

NoSuchEvent5_5(TopLevelOU) := false if {
# No such event...
default NoSuchEvent5_5 := false
NoSuchEvent5_5 := true if {
SettingName := "Attachment safety Encrypted attachment protection setting action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent5_5(TopLevelOU) := false if {
# No such event...
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Attachment safety Attachment with scripts protection action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent5_5(TopLevelOU) := false if {
# No such event...
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Attachment safety Anomalous attachment protection setting action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
}

GetFriendlyValue5_5(NewValueA, NewValueB, NewValueC) :=
@@ -568,7 +561,7 @@ tests contains {
}
if {
DefaultSafe := false
NoSuchEvent5_5(utils.TopLevelOU)
NoSuchEvent5_5
}

tests contains {
@@ -580,7 +573,7 @@ tests contains {
"NoSuchEvent": false
}
if {
not NoSuchEvent5_5(utils.TopLevelOU)
not NoSuchEvent5_5
Status := count(NonCompliantOUs5_5) == 0
}
#--
@@ -1190,50 +1183,30 @@ if {
# Baseline GWS.GMAIL.7.6v0.3
#--

default NoSuchEvent7_6(_) := true

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
SettingName := concat("", [
"Spoofing and authentication safety Protect against domain spoofing based on similar ",
"domain names action"
])
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
# No such event is true if any of the revelant settings doesn't having any events
default NoSuchEvent7_6 := false
NoSuchEvent7_6 := true if {
SettingName :=
"Spoofing and authentication safety Protect against domain spoofing based on similar domain names action"
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Spoofing and authentication safety Protect against spoofing of employee names action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
SettingName := concat("", [
"Spoofing and authentication safety Protect against domain spoofing based on similar ",
"domain names action"
])
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Spoofing and authentication safety Protect against inbound emails spoofing your domain action"
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Spoofing and authentication safety Protect against any unauthenticated emails action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
SettingName := concat("", [
"Spoofing and authentication safety Protect your Groups from inbound emails spoofing ",
"your domain action"
])
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName :=
"Spoofing and authentication safety Protect your Groups from inbound emails spoofing your domain action"
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
}

GetFriendlyValue7_6(NewValueA, NewValueB, NewValueC, NewValueD, NewValueE) :=
@@ -1264,30 +1237,25 @@ NonCompliantOUs7_6 contains {
"similar domain names action"
])
EventsA := utils.FilterEventsOU(LogEvents, SettingA, OU)
count(EventsA) > 0
LastEventA := utils.GetLastEvent(EventsA)

SettingB := "Spoofing and authentication safety Protect against spoofing of employee names action"
EventsB := utils.FilterEventsOU(LogEvents, SettingB, OU)
count(EventsB) > 0
LastEventB := utils.GetLastEvent(EventsB)

SettingC := "Spoofing and authentication safety Protect against inbound emails spoofing your domain action"
EventsC := utils.FilterEventsOU(LogEvents, SettingC, OU)
count(EventsC) > 0
LastEventC := utils.GetLastEvent(EventsC)

SettingD := "Spoofing and authentication safety Protect against any unauthenticated emails action"
EventsD := utils.FilterEventsOU(LogEvents, SettingD, OU)
count(EventsD) > 0
LastEventD := utils.GetLastEvent(EventsD)

SettingE := concat("", [
"Spoofing and authentication safety Protect your Groups from inbound emails spoofing ",
"your domain action"
])
EventsE := utils.FilterEventsOU(LogEvents, SettingE, OU)
count(EventsE) > 0
LastEventE := utils.GetLastEvent(EventsE)

# OU is non-compliant if any of the following are true
@@ -1311,7 +1279,7 @@ tests contains {
}
if {
DefaultSafe := false
NoSuchEvent7_6(utils.TopLevelOU)
NoSuchEvent7_6
}

tests contains {
@@ -1323,7 +1291,7 @@ tests contains {
"NoSuchEvent": false
}
if {
not NoSuchEvent7_6(utils.TopLevelOU)
not NoSuchEvent7_6
Status := count(NonCompliantOUs7_6) == 0
}
#--
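Review bot: In the `NonCompliantOUs7_6` hunk the five `count(EventsX) > 0` guards appear to be dropped (the header goes from 30 lines to 25), so `utils.GetLastEvent` is now called on event sets that may be empty when an OU has changed only some of the five settings. What happens then depends on `utils.GetLastEvent`, which is not visible here: if it is undefined for an empty set the OU is silently skipped, otherwise the comparison runs against whatever value it returns. Either outcome decides whether a partially configured child OU is reported, so I would record the intended behaviour above the first call, e.g. `# NOTE: EventsA..EventsE may be empty for this OU; the result then depends on utils.GetLastEvent`, and add a child-OU test that has events for only some of the settings. The rule body starts and ends outside the hunk. Separately, the new comment `# No such event is true if any of the revelant settings doesn't having any events` should read `relevant settings doesn't have any events`.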
