[#294, #295] Update Gmail policies 5 and 7 to include all instances o…

…f spoofing and authentication settings that are not complaint (#394) * [#295] Update policy 7 * [#295] Update policy 7 to handle multiple settings detailed report message * [#295] Cleanup * [#295] Update 7.6 and 5.5 * [#295] Update policy 5 and 7 * [#295] Format the report output * [#295] Fix formatting for policy 7 and rename variables with more logical names * [#295] Rename policy 5 and 7 variables and formatting updates * [#295] Unit tests updated * [#294] Fix linter issues * [#294] Linter formatting * [#294] More formatting * [#295] Try different format for linter * [#295] Remove if statement * [#295] Use different assignment operator * [#295] Update assignment operator for policy 5 * Linter fix * More linter fixes * Linter formatting * Linter again * Update array format * Remove comma * Remove array notation * Replace assignment operator * Refactor functions * Typo fixed * [#396] Updated the criticality for policy 5.5 * [#397] Update criticality for policy 7.6 * PR updates * Remove typo * Update message for setting * Update unit tests
cisagov · Sep 11, 2024 · 9a4bbc8 · 9a4bbc8
1 parent c40d46d
commit 9a4bbc8
Show file tree

Hide file tree

Showing 3 changed files with 257 additions and 74 deletions.
diff --git a/Testing/RegoTests/gmail/gmail05_test.rego b/Testing/RegoTests/gmail/gmail05_test.rego
@@ -1223,7 +1223,14 @@ test_AttachmentSafety_InCorrect_V1 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
-        "Emails with attachments, with scripts from untrusted senders are kept in the inbox</li></ul>"])
+        concat("", [
+        "The following email types are kept in the inbox:",
+        "<ul>",
+        concat("", [concat("", [
+            "<li>",
+            "Emails with attachments, with scripts from untrusted senders",
+            "</li></ul>"]),]),
+            "</li></ul>"])])
 }
 
 test_AttachmentSafety_InCorrect_V2 if {
@@ -1281,7 +1288,14 @@ test_AttachmentSafety_InCorrect_V2 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Secondary OU: ",
-        "Emails with encrypted attachments from untrusted senders are kept in the inbox</li></ul>"])
+        concat("", [
+        "The following email types are kept in the inbox:",
+        "<ul>",
+        concat("", [concat("", [
+            "<li>",
+            "Encrypted attachments from untrusted senders",
+            "</li></ul>"]),]),
+            "</li></ul>"])])
 }
 
 test_AttachmentSafety_Inorrect_V3 if {
@@ -1334,7 +1348,7 @@ test_AttachmentSafety_Inorrect_V3 if {
 }
 
 
-test_AttachmentSafety_Inorrect_V4 if {
+test_AttachmentSafety_Incorrect_V4 if {
     # Test Spoofing and Authentication Protections when all settings have no events
     PolicyId := "GWS.GMAIL.5.5v0.3"
     Output := tests with input as {
@@ -1355,4 +1369,72 @@ test_AttachmentSafety_Inorrect_V4 if {
         "While we are unable to determine the state from the logs, the default setting ",
         "is non-compliant; manual check recommended."
     ])
+}
+
+test_AttachmentSafety_InCorrect_V5 if {
+    # Test Spoofing and Authentication Protections when there are multiple events
+    PolicyId := "GWS.GMAIL.5.5v0.3"
+    Output := tests with input as {
+        "gmail_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:24.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Attachment safety Encrypted attachment protection setting action"
+                        },
+                        {"name": "NEW_VALUE", "value": "Show warning"},
+                        {"name": "ORG_UNIT_NAME", "value": "Secondary OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2022-12-20T00:02:25.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Attachment safety Attachment with scripts protection action"
+                        },
+                        {"name": "NEW_VALUE", "value": "Show warning"},
+                        {"name": "ORG_UNIT_NAME", "value": "Secondary OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2022-12-20T00:02:26.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Attachment safety Anomalous attachment protection setting action"
+                        },
+                        {"name": "NEW_VALUE", "value": "Move to spam"},
+                        {"name": "ORG_UNIT_NAME", "value": "Secondary OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Secondary OU: ",
+        concat("", [
+        "The following email types are kept in the inbox:",
+        "<ul>",
+        concat("", [concat("", [
+            "<li>",
+            "Encrypted attachments from untrusted senders",
+            "</li>",
+            "<li>",
+            "Emails with attachments, with scripts from untrusted senders",
+            "</li></ul>"]),]),
+            "</li></ul>"])])
 }
diff --git a/Testing/RegoTests/gmail/gmail07_test.rego b/Testing/RegoTests/gmail/gmail07_test.rego
@@ -2102,7 +2102,17 @@ test_SpoofingAuthenticationProtection_InCorrect_V1 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Test Top-Level OU: ",
-        "Inbound emails spoofing domain names are kept in the inbox</li></ul>"])
+        concat("", [
+        "The following email types are kept in the inbox:",
+        "<ul>",
+        concat("", [concat("", [
+            "<li>",
+            "Inbound emails spoofing similar domain names",
+            "</li>",
+            "<li>",
+            "Inbound spoofing emails addresed to groups",
+            "</li></ul>"]),]),
+            "</li></ul>"])])
 }
 
 test_SpoofingAuthenticationProtection_InCorrect_V2 if {
@@ -2197,7 +2207,17 @@ test_SpoofingAuthenticationProtection_InCorrect_V2 if {
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:<ul><li>Secondary OU: ",
-        "Inbound emails spoofing domain names are kept in the inbox</li></ul>"])
+        concat("", [
+        "The following email types are kept in the inbox:",
+        "<ul>",
+        concat("", [concat("", [
+            "<li>",
+            "Inbound emails spoofing similar domain names",
+            "</li>",
+            "<li>",
+            "Inbound spoofing emails addresed to groups",
+            "</li></ul>"]),]),
+            "</li></ul>"])])
 }