diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols01_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols01_test.rego
index c689f1b5..29e7c172 100644
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols01_test.rego
+++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols01_test.rego
@@ -1,886 +1,6 @@
package commoncontrols
import future.keywords
-#
-# GWS.COMMONCONTROLS.1.1
-#--
-test_EnforceMFA_Correct_V1 if {
- # Test enforcing MFA when there's only one event
- PolicyId := CommonControlsId1_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ALLOW_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
- "parameters": [
- {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_EnforceMFA_Correct_V2 if {
- # Test enforcing MFA when there's multiple events, with the chronological latest
- # correct but not last in json list
- PolicyId := CommonControlsId1_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ALLOW_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
- "parameters": [
- {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_EnforceMFA_Incorrect_V1 if {
- # Test enforcing MFA when there's only one event and it's wrong
- PolicyId := CommonControlsId1_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ALLOW_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
- "parameters": [
- {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:
",
- "- Test Top-Level OU: 2-Step Verification Enforcement is OFF
",
- "
"
- ])
-}
-
-test_EnforceMFA_Incorrect_V2 if {
- # Test enforcing MFA when there's multiple events, with the chronological latest
- # incorrect but not last in json list
- PolicyId := CommonControlsId1_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ALLOW_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
- "parameters": [
- {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: 2-Step Verification Enforcement is OFF
",
- "
"
- ])
-}
-
-
-test_EnforceMFA_Incorrect_V3 if {
- # Test enforcing MFA when there's no enforce mfa event
- PolicyId := CommonControlsId1_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "No relevant event in the current logs for the top-level OU, ",
- "Test Top-Level OU. While we are unable ",
- "to determine the state from the logs, the default setting ",
- "is non-compliant; manual check recommended."
- ])}
-
-test_EnforceMFA_Incorrect_V4 if {
- # Test enforcing MFA when there's no change methods event
- PolicyId := CommonControlsId1_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "No relevant event in the current logs for the top-level OU, ",
- "Test Top-Level OU. While we are unable ",
- "to determine the state from the logs, the default setting ",
- "is non-compliant; manual check recommended."
- ])
-}
-
-test_EnforceMFA_Incorrect_V5 if {
- # Test, mfa not allowed
- PolicyId := CommonControlsId1_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ALLOW_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
- "parameters": [
- {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: Allow users to turn on 2-Step Verification is OFF
",
- "
"
- ])
-}
-
-test_EnforceMFA_Incorrect_V6 if {
- # Test, mfa not phishing resistant
- PolicyId := CommonControlsId1_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ALLOW_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
- "parameters": [
- {
- "name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD",
- "value": "NO_TELEPHONY"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: Allowed methods is set to Any except verification codes via text, phone call
",
- "
"
- ])
-}
-
-test_EnforceMFA_Incorrect_V7 if {
- # Test, mfa not phishing resistant
- PolicyId := CommonControlsId1_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ALLOW_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
- "parameters": [
- {
- "name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD",
- "value": "NO_TELEPHONY"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
- "parameters": [
- {
- "name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD",
- "value": "NO_TELEPHONY"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "GROUP_EMAIL", "value": "test@test.com"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: Allowed methods is set to Any except verification codes via text, phone call
",
- "
",
- "
",
- "The following groups are non-compliant:",
- "- test@test.com: Allowed methods is set to Any except verification codes via text, phone call
",
- "
",
- ])
-}
-#--
-
-#
-# GWS.COMMONCONTROLS.1.2
-#--
-test_Enforcement_Correct_V1 if {
- # Test enforcing MFA when there's only one event
- PolicyId := CommonControlsId1_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "1 week"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_Enforcement_Correct_V2 if {
- # Test enforcing MFA when there's multiple events, with the chronological latest
- # correct but not last in json list
- PolicyId := CommonControlsId1_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "1 week"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "ENFORCE_STRONG_AUTHENTICATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "1 day"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_Enforcement_Correct_V3 if {
- # Test enforcing MFA inheritance
- PolicyId := CommonControlsId1_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "1 week"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "2 weeks"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- ]
- }]
- },
- {
- "id": {"time": "2023-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "INHERIT_FROM_PARENT"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_Enforcement_Incorrect_V1 if {
- # Test enforcing MFA when there's only one event and it's wrong
- PolicyId := CommonControlsId1_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "2 weeks"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: New user enrollment period is set to 2 weeks
",
- "
"
- ])
-}
-
-test_Enforcement_Incorrect_V2 if {
- # Test enforcing MFA when there's multiple events, with the chronological latest
- # incorrect but not last in json list
- PolicyId := CommonControlsId1_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "2 weeks"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "1 week"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: New user enrollment period is set to 2 weeks
",
- "
"
- ])
-}
-
-
-test_Enforcement_Incorrect_V3 if {
- # Test enforcing MFA when there no applicable event
- PolicyId := CommonControlsId1_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "SOMETHING_ELSE",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "No relevant event in the current logs for the top-level OU, ",
- "Test Top-Level OU. While we are unable ",
- "to determine the state from the logs, the default setting ",
- "is non-compliant; manual check recommended."
- ])
-}
-
-#
-# GWS.COMMONCONTROLS.1.3
-#--
-
-test_Disable_Trusted_Device_Correct_V1 if {
- # Test disable trusted device when there's only one event
- PolicyId := CommonControlsId1_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DISABLE_USERS_TO_TRUST_DEVICE"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_Disable_Trusted_Device_Correct_V2 if {
- # Test disabled trusted device when there's multiple events, with the chronological latest
- # correct but not last in json list
- PolicyId := CommonControlsId1_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DISABLE_USERS_TO_TRUST_DEVICE"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ENABLE_USERS_TO_TRUST_DEVICE"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_Disable_Trusted_Device_Incorrect_V1 if {
- # Test disable trusted device when there's only one event and it's wrong
- PolicyId := CommonControlsId1_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ENABLE_USERS_TO_TRUST_DEVICE"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: Allow user to trust the device is ON
",
- "
"
- ])
-}
-
-test_Disable_Trusted_Device_Incorrect_V2 if {
- # Test disabled trusted device when there's multiple events, with the chronological latest
- # incorrect but not last in json list
- PolicyId := CommonControlsId1_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ENABLE_USERS_TO_TRUST_DEVICE"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DISABLE_USERS_TO_TRUST_DEVICE"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: Allow user to trust the device is ON
",
- "
"
- ])
-}
-
-
-test_Disable_Trusted_Device_Incorrect_V3 if {
- # Test disabled trusted device when there no applicable event
- PolicyId := CommonControlsId1_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "SOMETHING_ELSE",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "No relevant event in the current logs for the top-level OU, ",
- "Test Top-Level OU. While we are unable ",
- "to determine the state from the logs, the default setting ",
- "is non-compliant; manual check recommended."
- ])
-}
-#--
-
#
# GWS.COMMONCONTROLS.1.4
#--
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego
deleted file mode 100644
index 8da28392..00000000
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego
+++ /dev/null
@@ -1,316 +0,0 @@
-package commoncontrols
-
-import future.keywords
-import data.utils.FailTestNoEvent
-import data.utils.FailTestOUNonCompliant
-import data.utils.PassTestResult
-
-#
-# GWS.COMMONCONTROLS.4.1
-#--
-test_Limit_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Correct_V2 if {
- # Test 1 event, smaller limit than needed
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "3600"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Correct_V3 if {
- # Test multiple events
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "3600"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "86400"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Correct_V4 if {
- # Test 1 event, tenant_info["topLevelOU"] empty
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "3600"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "" # The rego should needs to be able to infer the top-level OU if it's not provided here
- # input.tenant_info.topLevelOU will be empty when
- # no custom OUs have been created, as in this case
- # the top-level OU cannot be determined via the API.
- # Fortunately, in this case, we know there's literally
- # only one OU, so we can grab the OU listed on any of
- # the events and know that it is the top-level OU
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Correct_V5 if {
- # Test inheritance
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2020-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "4320000"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "DELETE_APPLICATION_SETTING",
- "parameters": [
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "86400"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Limit_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "86400"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Limit_Incorrect_V3 if {
- # Test multiple OUs
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "86400"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2023-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Custom OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Limit_Incorrect_V4 if {
- # Test no relevant events
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Limit_Incorrect_V5 if {
- # Test no relevant events in top-level OU
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2023-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Custom OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-#--
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols05_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols05_test.rego
deleted file mode 100644
index 7b8bb728..00000000
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols05_test.rego
+++ /dev/null
@@ -1,1384 +0,0 @@
-package commoncontrols
-
-import future.keywords
-import data.utils.FailTestNoEvent
-import data.utils.FailTestOUNonCompliant
-import data.utils.PassTestResult
-
-#
-# GWS.COMMONCONTROLS.5.1
-#--
-
-test_Strength_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "on"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Strength_Correct_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "on"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "off"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Strength_Correct_V3 if {
- # Test inheritance
- PolicyId := CommonControlsId5_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2020-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "on"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "off"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "DELETE_APPLICATION_SETTING",
- "parameters": [
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Strength_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "off"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Enforce strong password is OFF"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Strength_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "off"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "on"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Enforce strong password is OFF"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Strength_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := CommonControlsId5_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true)
-}
-
-test_Strength_Incorrect_V4 if {
- # Test no relevant events for top-level ou
- PolicyId := CommonControlsId5_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "on"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true)
-}
-
-test_Strength_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := CommonControlsId5_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "off"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "on"},
- {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Second-Level OU",
- "Value": "Enforce strong password is OFF"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-#--
-
-#
-# GWS.COMMONCONTROLS.5.2
-#--
-test_Length_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Length_Correct_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "8"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Length_Correct_V3 if {
- # Test longer than needed
- PolicyId := CommonControlsId5_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "15"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Length_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "8"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage5_2(8)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Length_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "8"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage5_2(8)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Length_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := CommonControlsId5_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Length_Incorrect_V4 if {
- # Test no relevant events in top-level ou
- PolicyId := CommonControlsId5_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Length_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := CommonControlsId5_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "10"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage5_2(10)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-#--
-
-#
-# GWS.COMMONCONTROLS.5.3
-#--
-
-test_Length15_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "15"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Length15_Correct_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "15"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Length15_Correct_V3 if {
- # Test longer than needed
- PolicyId := CommonControlsId5_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "20"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Length15_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage5_3(12)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Length15_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "15"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage5_3(12)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Length15_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := CommonControlsId5_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Length15_Incorrect_V4 if {
- # Test no relevant events in top-level ou
- PolicyId := CommonControlsId5_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Length15_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := CommonControlsId5_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "15"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "12"},
- {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage5_3(12)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-#--
-
-#
-# GWS.COMMONCONTROLS.5.4
-#--
-test_Enforce_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_4
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "Password Management - Enforce password policy at next login"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Enforce_Correct_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_4
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "Password Management - Enforce password policy at next login"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "Password Management - Enforce password policy at next login"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Enforce_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_4
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "Password Management - Enforce password policy at next login"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Enforce password policy at next sign-in is OFF"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Enforce_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_4
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "Password Management - Enforce password policy at next login"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "Password Management - Enforce password policy at next login"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Enforce password policy at next sign-in is OFF"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Enforce_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := CommonControlsId5_4
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Enforce_Incorrect_V4 if {
- # Test no relevant events in top-level OU
- PolicyId := CommonControlsId5_4
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "Password Management - Enforce password policy at next login"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Enforce_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := CommonControlsId5_4
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "Password Management - Enforce password policy at next login"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "Password Management - Enforce password policy at next login"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Second-Level OU",
- "Value": "Enforce password policy at next sign-in is OFF"},
- {"Name": "Test Top-Level OU",
- "Value": "Enforce password policy at next sign-in is OFF"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-#--
-
-#
-# GWS.COMMONCONTROLS.5.5
-#--
-
-test_Reuse_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Reuse_Correct_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Reuse_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Allow password reuse is ON"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Reuse_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Allow password reuse is ON"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Reuse_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := CommonControlsId5_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true)
-}
-
-test_Reuse_Incorrect_V4 if {
- # Test no relevant events for top-level OU
- PolicyId := CommonControlsId5_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true)
-}
-
-test_Reuse_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := CommonControlsId5_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Second-Level OU",
- "Value": "Allow password reuse is ON"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-#--
-
-#
-# GWS.COMMONCONTROLS.5.6
-#--
-
-test_Expire_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_6
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "0"},
- {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Expire_Correct_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_6
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "0"},
- {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "1"},
- {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Expire_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId5_6
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "1"},
- {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Password reset frequency is 1 days"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Expire_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId5_6
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "1"},
- {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "0"},
- {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Password reset frequency is 1 days"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Expire_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := CommonControlsId5_6
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true)
-}
-
-test_Expire_Incorrect_V4 if {
- # Test no relevant events in top-level OU
- PolicyId := CommonControlsId5_6
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "0"},
- {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true)
-}
-
-test_Expire_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := CommonControlsId5_6
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "0"},
- {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "1"},
- {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Password reset frequency is 1 days"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-#--
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols08_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols08_test.rego
deleted file mode 100644
index ce552538..00000000
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols08_test.rego
+++ /dev/null
@@ -1,345 +0,0 @@
-package commoncontrols
-
-import future.keywords
-import data.utils.FailTestNoEvent
-import data.utils.FailTestGroupNonCompliant
-import data.utils.FailTestOUNonCompliant
-import data.utils.PassTestResult
-
-#
-# GWS.COMMONCONTROLS.8.1
-#--
-test_SelfRecovery_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId8_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_SelfRecovery_Correct_V2 if {
- # Test 1 event
- PolicyId := CommonControlsId8_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_SelfRecovery_Correct_V3 if {
- # Test inheritance
- PolicyId := CommonControlsId8_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2020-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "DELETE_APPLICATION_SETTING",
- "parameters": [
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_SelfRecovery_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId8_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Allow super admins to recover their account is ON"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_SelfRecovery_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId8_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": "Allow super admins to recover their account is ON"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_SelfRecovery_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := CommonControlsId8_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_SelfRecovery_Incorrect_V4 if {
- # Test no relevant events in the top-level OU
- PolicyId := CommonControlsId8_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_SelfRecovery_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := CommonControlsId8_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Second-Level OU",
- "Value": "Allow super admins to recover their account is ON"},
- {"Name": "Test Top-Level OU",
- "Value": "Allow super admins to recover their account is ON"}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_SelfRecovery_Incorrect_V6 if {
- # Test group
- PolicyId := CommonControlsId8_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {
- "name": "SETTING_NAME",
- "value": "AdminAccountRecoverySettingsProto Enable admin account recovery"
- },
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "GROUP_EMAIL", "value": "test@test"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "test@test",
- "Value": "Allow super admins to recover their account is ON"}]
- FailTestGroupNonCompliant(PolicyId, Output, failedOU)
-}
-#--
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
index a5e4855a..7fc8a326 100644
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
+++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
@@ -806,203 +806,3 @@ test_Unconfigured_Incorrect_V3 if {
FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
}
#--
-
-#
-# GWS.COMMONCONTROLS.10.5
-#--
-
-test_Access_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId10_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Access_Correct_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId10_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOWED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Access_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId10_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOWED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage10_5}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Access_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId10_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOWED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage10_5}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Access_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := CommonControlsId10_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true)
-}
-
-test_Access_Incorrect_V4 if {
- # Test no relevant events in top-level OU
- PolicyId := CommonControlsId10_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true)
-}
-
-test_Access_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := CommonControlsId10_5
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOWED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Second-Level OU",
- "Value": NonComplianceMessage10_5}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-#--
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego
deleted file mode 100644
index 08095fb7..00000000
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego
+++ /dev/null
@@ -1,450 +0,0 @@
-package commoncontrols
-
-import future.keywords
-import data.utils.FailTestNoEvent
-import data.utils.FailTestGroupNonCompliant
-import data.utils.FailTestOUNonCompliant
-import data.utils.PassTestResult
-
-#
-# GWS.COMMONCONTROLS.11.1
-#--
-
-test_Installation_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Installation_Correct_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "SOMETHING_ELSE"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Installation_Correct_V3 if {
- # Test inheritance
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2020-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOW_ALL"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [{
- "name": "DELETE_APPLICATION_SETTING",
- "parameters": [
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Installation_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "SOMETHING_ELSE"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage11_1(true)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Installation_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "SOMETHING_ELSE"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage11_1(true)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Installation_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Installation_Incorrect_V4 if {
- # Test no relevant events in top-level OU
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Installation_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "something else"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Second-Level OU",
- "Value": NonComplianceMessage11_1(true)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Installation_Incorrect_V6 if {
- # Test internal allowed
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage11_1(false)}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Installation_Incorrect_V7 if {
- # Test group
- PolicyId := CommonControlsId11_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- },
- {
- "id": {"time": "2022-11-20T00:02:28.672Z"},
- "events": [
- {
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "GROUP_EMAIL", "value": "test@test"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- },
- ]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedGroup := [{"Name": "test@test",
- "Value": NonComplianceMessage11_1(false)}]
- FailTestGroupNonCompliant(PolicyId, Output, failedGroup)
-}
-#--
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols12_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols12_test.rego
deleted file mode 100644
index 84be48dc..00000000
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols12_test.rego
+++ /dev/null
@@ -1,224 +0,0 @@
-package commoncontrols
-
-import future.keywords
-import data.utils.FailTestGroupNonCompliant
-import data.utils.FailTestOUNonCompliant
-import data.utils.PassTestResult
-
-#
-# GWS.COMMONCONTROLS.12.1
-#--
-
-test_Takeout_Correct_V1 if {
- # Test basic correct
- PolicyId := CommonControlsId12_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "Disabled"},
- {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Blogger"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Google Takeout"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Takeout_Incorrect_V1 if {
- # Test specifc apps allowed, ou
- PolicyId := CommonControlsId12_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "Enabled"},
- {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Blogger"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "Enabled"},
- {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Google Maps"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Google Takeout"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage12_1(["Blogger", "Google Maps"])}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Takeout_Incorrect_V2 if {
- # Test nonspecific apps allowed, ou
- PolicyId := CommonControlsId12_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "Disabled"},
- {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Blogger"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Google Takeout"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage12_1a}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Takeout_Incorrect_V3 if {
- # Test nonspecific apps and specific apps allowed, ou
- PolicyId := CommonControlsId12_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "Enabled"},
- {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Blogger"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Google Takeout"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage12_1a},
- {"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage12_1(["Blogger"])}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Takeout_Incorrect_V4 if {
- # Test nonspecific apps allowed, group
- PolicyId := CommonControlsId12_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "Disabled"},
- {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Blogger"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Google Takeout"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Google Takeout"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "GROUP_EMAIL", "value": "test@test"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedGroup := [{"Name": "test@test",
- "Value": NonComplianceMessage12_1a}]
- FailTestGroupNonCompliant(PolicyId, Output, failedGroup)
-}
-#--
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego
index 9279c075..e9c5cfa1 100644
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego
+++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego
@@ -1,8 +1,6 @@
package commoncontrols
import future.keywords
-import data.utils.FailTestBothNonCompliant
-import data.utils.FailTestGroupNonCompliant
import data.utils.FailTestNoEvent
import data.utils.FailTestOUNonCompliant
import data.utils.PassTestResult
@@ -112,278 +110,3 @@ test_Unlisted_Incorrect_V2 if {
FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
}
-#--
-
-#
-# GWS.COMMONCONTROLS.16.2
-#--
-
-test_EarlyAccessApps_OUs_Correct_V1 if {
- # Test 1 correct event
- PolicyId := CommonControlsId16_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2024-10-15T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_EarlyAccessApps_OUs_Correct_V2 if {
- # Test inheritance with root and sub OUs
- PolicyId := CommonControlsId16_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "INHERIT_FROM_PARENT"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_EarlyAccessApps_OUs_Incorrect_V1 if {
- # Test incorrect root OU
- PolicyId := CommonControlsId16_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2024-05-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage16_2}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_EarlyAccessApps_OUs_Incorrect_V2 if {
- # Test incorrect second-level OU
- PolicyId := CommonControlsId16_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Second-Level OU",
- "Value": NonComplianceMessage16_2}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if {
- # Test for correct root OU but with an incorrect group event
- PolicyId := CommonControlsId16_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "GROUP_EMAIL", "value": "Test Group 1"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedGroup := [{"Name": "Test Group 1",
- "Value": NonComplianceMessage16_2}]
- FailTestGroupNonCompliant(PolicyId, Output, failedGroup)
-}
-
-test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if {
- # Test for correct root OU but with incorrect group events
- PolicyId := CommonControlsId16_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "GROUP_EMAIL", "value": "Test Group 1"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "GROUP_EMAIL", "value": "Test Group 2"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedGroup := [{"Name": "Test Group 1",
- "Value": NonComplianceMessage16_2},
- {"Name": "Test Group 2",
- "Value": NonComplianceMessage16_2}]
- FailTestGroupNonCompliant(PolicyId, Output, failedGroup)
-}
-
-test_EarlyAccessApps_OUs_Groups_Incorrect_V1 if {
- # Test for both incorrect OUs and group events
- PolicyId := CommonControlsId16_2
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "GROUP_EMAIL", "value": "Test Group 1"},
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "TOGGLE_SERVICE_ENABLED",
- "parameters": [
- {"name": "SERVICE_NAME", "value": "Early Access Apps"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "GROUP_EMAIL", "value": "Test Group 2"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
-
- failedGroup := [{"Name": "Test Group 1",
- "Value": NonComplianceMessage16_2},
- {"Name": "Test Group 2",
- "Value": NonComplianceMessage16_2}]
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage16_2}]
- FailTestBothNonCompliant(PolicyId, Output, failedOU, failedGroup)
-}
-#--
diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego
index 97792776..63845bba 100644
--- a/scubagoggles/rego/Commoncontrols.rego
+++ b/scubagoggles/rego/Commoncontrols.rego
@@ -2,7 +2,6 @@ package commoncontrols
import future.keywords
import data.utils
-import data.utils.PolicyApiInUse
# Note that we need to implement custom FilterEvents and SettingChangeEvents
# rules here, instead of importing the standard ones from utils.
@@ -106,46 +105,14 @@ LogEvents := utils.GetEvents("commoncontrols_logs")
CommonControlsId1_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.1.1")
-# For 1.1, we need to assert three different things:
-# - MFA is allowed
-# - MFA is enforced
-# - Allowed methods is set to only security key
-
-# Custom NoSuchEvent function needed as we're checking
-# three different settings simultaneously. No such event
-# if any are missing
-default NoSuchEvent1_1 := false
-
-NoSuchEvent1_1 := true if {
- Events := FilterEventsOU("ALLOW_STRONG_AUTHENTICATION", utils.TopLevelOU)
- count(Events) == 0
-}
-
-NoSuchEvent1_1 := true if {
- Events := FilterEventsOU("ENFORCE_STRONG_AUTHENTICATION", utils.TopLevelOU)
- count(Events) == 0
-}
-
-NoSuchEvent1_1 := true if {
- Events := FilterEventsOU("CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", utils.TopLevelOU)
- count(Events) == 0
-}
-
-Check1_1_OK if {
- not PolicyApiInUse
- not NoSuchEvent1_1
-}
-
-Check1_1_OK if {PolicyApiInUse}
-
GetFriendlyMethods(Value) := "Any" if {
- Value in {"ALL", "ANY"}
+ Value == "ALL"
} else := "Any except verification codes via text, phone call" if {
Value == "NO_TELEPHONY"
} else := "Only security key and allow security codes without remote access" if {
- Value in {"PASSKEY_PLUS_IP_BOUND_SECURITY_CODE", "SECURITY_KEY_AND_IP_BOUND_SECURITY_CODE"}
+ Value == "PASSKEY_PLUS_IP_BOUND_SECURITY_CODE"
} else := "Only security key and allow security codes with remote access" if {
- Value in {"PASSKEY_PLUS_SECURITY_CODE", "SECURITY_KEY_AND_SECURITY_CODE"}
+ Value == "PASSKEY_PLUS_SECURITY_CODE"
} else := Value
NonComplianceMessage1_1a := "Users cannot enable 2-step verification (2SV)."
@@ -155,98 +122,6 @@ NonComplianceMessage1_1b(value) := sprintf("Allowed methods is set to %s",
NonComplianceMessage1_1c := "2-step verification (2SV) is not enforced."
-NonCompliantOUs1_1 contains {
- "Name": OU,
- "Value": "Allow users to turn on 2-Step Verification is OFF"
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := FilterEventsOU("ALLOW_STRONG_AUTHENTICATION", OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue == "false"
-}
-
-NonCompliantOUs1_1 contains {
- "Name": OU,
- "Value": "2-Step Verification Enforcement is OFF"
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := FilterEventsOU("ENFORCE_STRONG_AUTHENTICATION", OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue == "false"
-}
-
-NonCompliantOUs1_1 contains {
- "Name": OU,
- "Value": NonComplianceMessage1_1b(GetFriendlyMethods(LastEvent.NewValue))
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := FilterEventsOU("CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "ONLY_SECURITY_KEY"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
-
-NonCompliantGroups1_1 contains {
- "Name": Group,
- "Value": "Allow users to turn on 2-Step Verification is Off"
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := FilterEventsGroup("ALLOW_STRONG_AUTHENTICATION", Group)
- # Ignore Groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue == "false"
-}
-
-NonCompliantGroups1_1 contains {
- "Name": Group,
- "Value": "2-Step Verification Enforcement is Off"
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := FilterEventsGroup("ENFORCE_STRONG_AUTHENTICATION", Group)
- # Ignore Groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue == "false"
-}
-
-NonCompliantGroups1_1 contains {
- "Name": Group,
- "Value": NonComplianceMessage1_1b(GetFriendlyMethods(LastEvent.NewValue))
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := FilterEventsGroup("CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", Group)
- # Ignore Groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "ONLY_SECURITY_KEY"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
-
# There are 3 items to check for this baseline. First, users must be allowed to
# enroll in 2SV. If they have been enrolled, then the passkey (aka security
# key) is the only allowed 2SV method. If the method is also OK, 2SV
@@ -295,29 +170,13 @@ if {
tests contains {
"PolicyId": CommonControlsId1_1,
"Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check1_1_OK
-}
-
-tests contains {
- "PolicyId": CommonControlsId1_1,
- "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, NonCompliantGroups1_1),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1, "NonCompliantGroups": NonCompliantGroups1_1},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1},
"RequirementMet": Status,
"NoSuchEvent": false
}
if {
- Check1_1_OK
- Conditions := {count(NonCompliantOUs1_1) == 0, count(NonCompliantGroups1_1) == 0}
- Status := (false in Conditions) == false
+ Status := count(NonCompliantOUs1_1) == 0
}
#--
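Review bot: With `Check1_1_OK` and the `NoSuchEvent: true` result removed, the surviving rule reports `RequirementMet: Status` where `Status := count(NonCompliantOUs1_1) == 0`, so an empty set — presumably including the case where no Policy API data for this setting was collected at all — now reads as compliant with `NoSuchEvent: false`, whereas the deleted log path returned a `NoSuchEvent` result with `DefaultSafe := false` for that case. Consider keeping a guard that the policy settings for this control were actually present before emitting `NoSuchEvent: false`, or at least a comment above `tests contains` stating that the Policy API is assumed to always return this setting. Separately, `utils.ReportDetails(NonCompliantOUs1_1, [])` hard-codes that no group is non-compliant, while the removed `NonCompliantGroups1_1` rules did evaluate group-level overrides; if the Policy API exposes group-scoped 2SV settings, a group override now goes unreported. The same pattern applies to the 1.2 and 1.3 `tests` hunks, to the `Check*_OK` removals for 4.1 and 5.1–5.6, and the 8.1 hunk likewise drops `NonCompliantGroups8_1`.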
@@ -327,53 +186,11 @@ if {
CommonControlsId1_2 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.1.2")
-LogMessage1_2 := "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION"
-
-Check1_2_OK if {
- not PolicyApiInUse
- events := FilterEventsOU(LogMessage1_2, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check1_2_OK if {PolicyApiInUse}
-
NonComplianceMessage1_2(value, expected) := sprintf("New user enrollment period (%s) %s (%s)",
[utils.GetFriendlyDuration(value),
"doesn't match expected",
utils.GetFriendlyDuration(expected)])
-NonCompliantOUs1_2 contains {
- "Name": OU,
- "Value": concat("", ["New user enrollment period is set to ", LastEvent.NewValue])
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := FilterEventsOU(LogMessage1_2, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "1 week"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
-
-NonCompliantGroups1_2 contains {
- "Name": Group,
- "Value": concat("", ["New user enrollment period is set to ", LastEvent.NewValue])
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := FilterEventsGroup(LogMessage1_2, Group)
- # Ignore groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "1 week"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
-
NonCompliantOUs1_2 contains {
"Name": OU,
"Value": NonComplianceMessage1_2(enrollSeconds, expectedPeriod)
@@ -389,29 +206,13 @@ if {
tests contains {
"PolicyId": CommonControlsId1_2,
"Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check1_2_OK
-}
-
-tests contains {
- "PolicyId": CommonControlsId1_2,
- "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs1_2, NonCompliantGroups1_2),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2, "NonCompliantGroups": NonCompliantGroups1_2},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs1_2, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2},
"RequirementMet": Status,
"NoSuchEvent": false
}
if {
- Check1_2_OK
- Conditions := {count(NonCompliantOUs1_2) == 0, count(NonCompliantGroups1_2) == 0}
- Status := (false in Conditions) == false
+ Status := count(NonCompliantOUs1_2) == 0
}
#--
@@ -421,54 +222,8 @@ if {
CommonControlsId1_3 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.1.3")
-LogMessage1_3 := "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY"
-
-Check1_3_OK if {
- not PolicyApiInUse
- events := FilterEventsOU(LogMessage1_3, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check1_3_OK if {PolicyApiInUse}
-
NonComplianceMessage1_3 := "User is allowed to trust device."
-GetFriendlyValue1_3(Value) := "ON" if {
- Value == "ENABLE_USERS_TO_TRUST_DEVICE"
-} else := Value
-
-NonCompliantOUs1_3 contains {
- "Name": OU,
- "Value": concat("", ["Allow user to trust the device is ", GetFriendlyValue1_3(LastEvent.NewValue)])
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := FilterEventsOU("CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "DISABLE_USERS_TO_TRUST_DEVICE"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
-
-NonCompliantGroups1_3 contains {
- "Name": Group,
- "Value": concat("", ["Allow user to trust the device is ", GetFriendlyValue1_3(LastEvent.NewValue)])
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := FilterEventsGroup(LogMessage1_3, Group)
- # Ignore groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "DISABLE_USERS_TO_TRUST_DEVICE"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
-
NonCompliantOUs1_3 contains {
"Name": OU,
"Value": NonComplianceMessage1_3
@@ -482,29 +237,13 @@ if {
tests contains {
"PolicyId": CommonControlsId1_3,
"Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check1_3_OK
-}
-
-tests contains {
- "PolicyId": CommonControlsId1_3,
- "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs1_3, NonCompliantGroups1_3),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3, "NonCompliantGroups": NonCompliantGroups1_3},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs1_3, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3},
"RequirementMet": Status,
"NoSuchEvent": false
}
if {
- Check1_3_OK
- Conditions := {count(NonCompliantOUs1_3) == 0, count(NonCompliantGroups1_3) == 0}
- Status := (false in Conditions) == false
+ Status := count(NonCompliantOUs1_3) == 0
}
#--
@@ -712,29 +451,6 @@ tests contains {
CommonControlsId4_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.4.1")
-# NOTE: this setting cannot be controlled at the group-level,
-# so only a check at the OU-level is implemented here.
-
-GoodLimits := {"3600", "14400", "28800", "43200"}
-
-LogMessage4_1 := "Session management settings - Session length in seconds"
-
-Check4_1_OK if {
- not PolicyApiInUse
- events := utils.FilterEventsOU(LogEvents, LogMessage4_1, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check4_1_OK if {PolicyApiInUse}
-
-IsGoodLimit(ActualLim) := true if {
- count({GoodLim | some GoodLim in GoodLimits; GoodLim == ActualLim}) > 0
-}
-
-IsGoodLimit(ActualLim) := false if {
- count({GoodLim | some GoodLim in GoodLimits; GoodLim == ActualLim}) == 0
-}
-
NonComplianceMessage4_1(Value) := sprintf("Web session duration: %s",
[Value])
@@ -742,23 +458,6 @@ GetFriendlyValue4_1(Value) := "Session never expires" if {
Value == 63072000
} else := utils.GetFriendlyDuration(Value)
-NonCompliantOUs4_1 contains {
- "Name": OU,
- "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(to_number(LastEvent.NewValue)))
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessage4_1, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
- not IsGoodLimit(LastEvent.NewValue)
-}
-
NonCompliantOUs4_1 contains {
"Name": OU,
"Value": NonComplianceMessage4_1(GetFriendlyValue4_1(durationSeconds))
@@ -772,20 +471,6 @@ if {
durationSeconds > webSessionMax
}
-tests contains {
- "PolicyId": CommonControlsId4_1,
- "Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check4_1_OK
-}
-
tests contains {
"PolicyId": CommonControlsId4_1,
"Criticality": "Shall",
@@ -795,7 +480,6 @@ tests contains {
"NoSuchEvent": false
}
if {
- Check4_1_OK
Status := count(NonCompliantOUs4_1) == 0
}
#--
@@ -812,33 +496,8 @@ if {
#--
CommonControlsId5_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.1")
-LogMessage5_1 := "Password Management - Enforce strong password"
-PasswordStrength := "STRONG"
-Check5_1_OK if {
- not PolicyApiInUse
- events := utils.FilterEventsOU(LogEvents, LogMessage5_1, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check5_1_OK if {PolicyApiInUse}
-
-NonCompliantOUs5_1 contains {
- "Name": OU,
- "Value": "Enforce strong password is OFF"
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessage5_1, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "on"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
+PasswordStrength := "STRONG"
NonCompliantOUs5_1 contains {
"Name": OU,
@@ -851,20 +510,6 @@ if {
CurrentStrength != PasswordStrength
}
-tests contains {
- "PolicyId": CommonControlsId5_1,
- "Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := true
- not Check5_1_OK
-}
-
tests contains {
"PolicyId": CommonControlsId5_1,
"Criticality": "Shall",
@@ -874,7 +519,6 @@ tests contains {
"NoSuchEvent": false
}
if {
- Check5_1_OK
Status := count(NonCompliantOUs5_1) == 0
}
#--
@@ -885,40 +529,12 @@ if {
CommonControlsId5_2 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.2")
-LogMessageMinPassword := "Password Management - Minimum password length"
-
MinimumPasswordLength := 12
-Check5_2_OK if {
- not PolicyApiInUse
- events := utils.FilterEventsOU(LogEvents, LogMessageMinPassword, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check5_2_OK if {PolicyApiInUse}
-
FormatMessage5_2 := "Minimum password length: %d, less than %d"
NonComplianceMessage5_2(Value) := sprintf(FormatMessage5_2,
[Value, MinimumPasswordLength])
-NonCompliantOUs5_2 contains {
- "Name": OU,
- "Value": NonComplianceMessage5_2(Minimum)
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessageMinPassword, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
- Minimum := to_number(LastEvent.NewValue)
- Minimum < MinimumPasswordLength
-}
-
NonCompliantOUs5_2 contains {
"Name": OU,
"Value": NonComplianceMessage5_2(CurrentLength)
@@ -929,20 +545,6 @@ if {
CurrentLength < MinimumPasswordLength
}
-tests contains {
- "PolicyId": CommonControlsId5_2,
- "Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check5_2_OK
-}
-
tests contains {
"PolicyId": CommonControlsId5_2,
"Criticality": "Shall",
@@ -952,7 +554,6 @@ tests contains {
"NoSuchEvent": false
}
if {
- Check5_2_OK
Status := count(NonCompliantOUs5_2) == 0
}
#--
@@ -965,36 +566,10 @@ CommonControlsId5_3 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.3")
SuggestedPasswordLength := 15
-Check5_3_OK if {
- not PolicyApiInUse
- events := utils.FilterEventsOU(LogEvents, LogMessageMinPassword, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check5_3_OK if {PolicyApiInUse}
-
FormatMessage5_3 := "Minimum password length: %d, recommended is at least %d"
NonComplianceMessage5_3(Value) := sprintf(FormatMessage5_3,
[Value, SuggestedPasswordLength])
-NonCompliantOUs5_3 contains {
- "Name": OU,
- "Value": NonComplianceMessage5_3(Minimum)
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessageMinPassword, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
- Minimum := to_number(LastEvent.NewValue)
- Minimum < SuggestedPasswordLength
-}
-
NonCompliantOUs5_3 contains {
"Name": OU,
"Value": NonComplianceMessage5_3(CurrentLength)
@@ -1005,20 +580,6 @@ if {
CurrentLength < SuggestedPasswordLength
}
-tests contains {
- "PolicyId": CommonControlsId5_3,
- "Criticality": "Should",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check5_3_OK
-}
-
tests contains {
"PolicyId": CommonControlsId5_3,
"Criticality": "Should",
@@ -1028,7 +589,6 @@ tests contains {
"NoSuchEvent": false
}
if {
- Check5_3_OK
Status := count(NonCompliantOUs5_3) == 0
}
#--
@@ -1038,33 +598,8 @@ if {
#--
CommonControlsId5_4 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.4")
-LogMessage5_4 := "Password Management - Enforce password policy at next login"
-NonComplianceMessage5_4 := "Enforce password policy at next sign-in is OFF"
-Check5_4_OK if {
- not PolicyApiInUse
- events := utils.FilterEventsOU(LogEvents, LogMessage5_4, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check5_4_OK if {PolicyApiInUse}
-
-NonCompliantOUs5_4 contains {
- "Name": OU,
- "Value": NonComplianceMessage5_4
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessage5_4, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "true"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
+NonComplianceMessage5_4 := "Enforce password policy at next sign-in is OFF"
NonCompliantOUs5_4 contains {
"Name": OU,
@@ -1075,20 +610,6 @@ if {
settings.security_password.enforceRequirementsAtLogin != true
}
-tests contains {
- "PolicyId": CommonControlsId5_4,
- "Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check5_4_OK
-}
-
tests contains {
"PolicyId": CommonControlsId5_4,
"Criticality": "Shall",
@@ -1098,7 +619,6 @@ tests contains {
"NoSuchEvent": false
}
if {
- Check5_4_OK
Status := count(NonCompliantOUs5_4) == 0
}
#--
@@ -1108,33 +628,8 @@ if {
#--
CommonControlsId5_5 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.5")
-LogMessage5_5 := "Password Management - Enable password reuse"
-NonComplianceMessage5_5 := "Allow password reuse is ON"
-
-Check5_5_OK if {
- not PolicyApiInUse
- events := utils.FilterEventsOU(LogEvents, LogMessage5_5, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check5_5_OK if {PolicyApiInUse}
-NonCompliantOUs5_5 contains {
- "Name": OU,
- "Value": NonComplianceMessage5_5
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessage5_5, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "false"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
+NonComplianceMessage5_5 := "Allow password reuse is ON"
NonCompliantOUs5_5 contains {
"Name": OU,
@@ -1145,20 +640,6 @@ if {
settings.security_password.allowReuse == true
}
-tests contains {
- "PolicyId": CommonControlsId5_5,
- "Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := true
- not Check5_5_OK
-}
-
tests contains {
"PolicyId": CommonControlsId5_5,
"Criticality": "Shall",
@@ -1168,7 +649,6 @@ tests contains {
"NoSuchEvent": false
}
if {
- Check5_5_OK
Status := count(NonCompliantOUs5_5) == 0
}
#--
@@ -1178,32 +658,6 @@ if {
#--
CommonControlsId5_6 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.6")
-LogMessage5_6 := "Password Management - Password reset frequency"
-
-Check5_6_OK if {
- not PolicyApiInUse
- events := utils.FilterEventsOU(LogEvents, LogMessage5_6, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check5_6_OK if {PolicyApiInUse}
-
-NonCompliantOUs5_6 contains {
- "Name": OU,
- "Value": concat(" ", ["Password reset frequency is", LastEvent.NewValue, "days"])
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessage5_6, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "0"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
NonCompliantOUs5_6 contains {
"Name": OU,
@@ -1216,20 +670,6 @@ if {
expirationValue != 0
}
-tests contains {
- "PolicyId": CommonControlsId5_6,
- "Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := true
- not Check5_6_OK
-}
-
tests contains {
"PolicyId": CommonControlsId5_6,
"Criticality": "Shall",
@@ -1239,7 +679,6 @@ tests contains {
"NoSuchEvent": false
}
if {
- Check5_6_OK
Status := count(NonCompliantOUs5_6) == 0
}
#--
@@ -1319,50 +758,8 @@ tests contains {
#--
CommonControlsId8_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.8.1")
-LogMessage8_1 := "AdminAccountRecoverySettingsProto Enable admin account recovery"
-NonComplianceMessage8_1 := "Allow super admins to recover their account is ON"
-
-Check8_1_OK if {
- not PolicyApiInUse
- events := utils.FilterEventsOU(LogEvents, LogMessage8_1, utils.TopLevelOU)
- count(events) > 0
-}
-Check8_1_OK if {PolicyApiInUse}
-
-NonCompliantOUs8_1 contains {
- "Name": OU,
- "Value": NonComplianceMessage8_1
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- SettingName := LogMessage8_1
- Events := utils.FilterEventsOU(LogEvents, SettingName, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "false"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
-
-NonCompliantGroups8_1 contains {
- "Name": Group,
- "Value": NonComplianceMessage8_1
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- SettingName := LogMessage8_1
- Events := utils.FilterEventsGroup(LogEvents, SettingName, Group)
- # Ignore groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "false"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
+NonComplianceMessage8_1 := "Allow super admins to recover their account is ON"
NonCompliantOUs8_1 contains {
"Name": OU,
@@ -1376,29 +773,13 @@ if {
tests contains {
"PolicyId": CommonControlsId8_1,
"Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check8_1_OK
-}
-
-tests contains {
- "PolicyId": CommonControlsId8_1,
- "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs8_1, NonCompliantGroups8_1),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs8_1, "NonCompliantGroups": NonCompliantGroups8_1},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs8_1, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs8_1},
"RequirementMet": Status,
"NoSuchEvent": false
}
if {
- Check8_1_OK
- Conditions := {count(NonCompliantOUs8_1) == 0, count(NonCompliantGroups8_1) == 0}
- Status := (false in Conditions) == false
+ Status := count(NonCompliantOUs8_1) == 0
}
#--
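Review bot: The rewritten `tests` rule at L5007–L5036 fails open for GWS.COMMONCONTROLS.8.1: `Status := count(NonCompliantOUs8_1) == 0` yields `RequirementMet: true` whenever the policy-API path produces no entries, including the case where the setting was never returned, whereas the deleted no-event variant deliberately reported `DefaultSafe := false` for this control. Unless the policy-API `NonCompliantOUs8_1` rule (its body is outside this hunk) asserts the top-level OU's setting is present, an empty or partial policy response is indistinguishable from a compliant tenant, and the hardcoded `NoSuchEvent: false` hides that from the report. Consider gating the rule on a policy-data presence check for `utils.TopLevelOU` and emitting `RequirementMet: false` with `NoSuchEvent: true` when it is absent. Separately, the second argument to `utils.ReportDetails` was previously a set; `[]` is an array, so prefer `set()` if the helper performs set comparisons, and note in a comment that group-level overrides are no longer evaluated for this control.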
@@ -1765,57 +1146,9 @@ if {
# Baseline GWS.COMMONCONTROLS.10.5
#--
-CommonControlsId10_5 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.10.5")
-
-EventName10_5 := "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED"
-
-Check10_5_OK if {
- not PolicyApiInUse
- events := FilterEventsOU(EventName10_5, utils.TopLevelOU)
- count(events) > 0
-}
-
-Check10_5_OK if {PolicyApiInUse}
-
-NonComplianceMessage10_5 := "Users are allowed to manage access to less secure apps."
-
-NonCompliantOUs10_5 contains {
- "Name": OU,
- "Value": NonComplianceMessage10_5
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := FilterEventsOU(EventName10_5, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "DENIED"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
-# NOTE: When WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED for a child OU
-# is set to inherit from parent, apparently NO EVENT IS PRODUCED IN
-# THE ADMIN LOGS. When you later override the setting, it shows
-# "INHERIT_FROM_PARENT" as the "OLD_VALUE", so I'm putting that above
-# for completeness, but this appears to be a case where we won't be
-# able to detect setting inheritance, as least for now.
-
-NonCompliantGroups10_5 contains {
- "Name": Group,
- "Value": NonComplianceMessage10_5
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := FilterEventsGroup(EventName10_5, Group)
- # Ignore groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "DENIED"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
+CommonControlsId10_5 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.10.5")
+
+NonComplianceMessage10_5 := "Users are allowed to manage access to less secure apps."
NonCompliantOUs10_5 contains {
"Name": OU,
@@ -1827,32 +1160,16 @@ if {
lessSecure != false
}
-tests contains {
- "PolicyId": CommonControlsId10_5,
- "Criticality": "Should",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := true
- not Check10_5_OK
-}
-
tests contains {
"PolicyId": CommonControlsId10_5,
"Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs10_5, NonCompliantGroups10_5),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_5, "NonCompliantGroups": NonCompliantGroups10_5},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs10_5, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_5},
"RequirementMet": Status,
"NoSuchEvent": false
}
if {
- Check10_5_OK
- Conditions := {count(NonCompliantOUs10_5) == 0, count(NonCompliantGroups10_5) == 0}
- Status := (false in Conditions) == false
+ Status := count(NonCompliantOUs10_5) == 0
}
#--
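Review bot: Dropping `NonCompliantGroups10_5` from `ReportDetails` and `ActualValue` at L5119–L5120 changes the result schema for GWS.COMMONCONTROLS.10.5 and silently removes group-scoped overrides from the check, so a group that re-enables user control of less-secure-app access would now be reported as compliant. If the policy API does not expose group-level settings for this control, document the coverage gap on the rule, e.g. `# Policy API exposes this setting per OU only; group overrides are not evaluated.`. Also, with the `Check10_5_OK` guard removed, `Status := count(NonCompliantOUs10_5) == 0` treats an empty policy response as a pass; please confirm the policy-API `NonCompliantOUs10_5` rule (outside this hunk) cannot be empty merely because the setting was missing. Any consumer that reads `ActualValue.NonCompliantGroups` needs updating alongside this change.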
@@ -1876,97 +1193,6 @@ NonComplianceMessage11_1(anyApp) := sprintf("%s app from the Marketplace.",
} else := sprintf("%s internal app, even if it's not allowlisted.",
[NonCompliancePrefix11_1])
-# For 11.1, we need to assert two different things:
-# - Users can only allow whitelisted apps
-# - Exceptions aren't allowed for internal apps
-
-# Custom NoSuchEvent function needed as we're checking
-# two different settings simultaneously.
-
-default NoSuchEvent11_1 := false
-
-NoSuchEvent11_1 := true if {
- Events := utils.FilterEventsOU(LogEvents, LogMessage11_1_A, utils.TopLevelOU)
- count(Events) == 0
-}
-
-NoSuchEvent11_1 := true if {
- Events := utils.FilterEventsOU(LogEvents, LogMessage11_1_B, utils.TopLevelOU)
- count(Events) == 0
-}
-
-Check11_1_OK if {
- not PolicyApiInUse
- not NoSuchEvent11_1
-}
-
-Check11_1_OK if {PolicyApiInUse}
-
-NonCompliantOUs11_1 contains {
- "Name": OU,
- "Value": NonComplianceMessage11_1(true)
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessage11_1_A, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "ALLOW_SPECIFIED"
- LastEvent.NewValue != "ALLOW_NONE"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
-
-NonCompliantGroups11_1 contains {
- "Name": Group,
- "Value": NonComplianceMessage11_1(true)
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := utils.FilterEventsGroup(LogEvents, LogMessage11_1_A, Group)
- # Ignore groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "ALLOW_SPECIFIED"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
-
-NonCompliantOUs11_1 contains {
- "Name": OU,
- "Value": NonComplianceMessage11_1(false)
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessage11_1_B, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "false"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
-
-NonCompliantGroups11_1 contains {
- "Name": Group,
- "Value": NonComplianceMessage11_1(false)
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := utils.FilterEventsGroup(LogEvents, LogMessage11_1_B, Group)
- # Ignore groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "false"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
-
NonCompliantOUs11_1 contains {
"Name": OU,
"Value": NonComplianceMessage11_1(true)
@@ -1992,29 +1218,13 @@ if {
tests contains {
"PolicyId": CommonControlsId11_1,
"Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check11_1_OK
-}
-
-tests contains {
- "PolicyId": CommonControlsId11_1,
- "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs11_1, NonCompliantGroups11_1),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs11_1, "NonCompliantGroups": NonCompliantGroups11_1},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs11_1, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs11_1},
"RequirementMet": Status,
"NoSuchEvent": false
}
if {
- Check11_1_OK
- Conditions := {count(NonCompliantOUs11_1) == 0, count(NonCompliantGroups11_1) == 0}
- Status := (false in Conditions) == false
+ Status := count(NonCompliantOUs11_1) == 0
}
#--
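Review bot: The removed no-event branch for GWS.COMMONCONTROLS.11.1 returned `DefaultSafe := false`, i.e. lack of evidence failed the control, but the surviving rule at L5229–L5258 reports `NoSuchEvent: false` unconditionally and `Status := count(NonCompliantOUs11_1) == 0` passes when nothing was evaluated. This control covers two settings (allowlisted Marketplace apps and internal-app exceptions), and with `Check11_1_OK` gone there is no longer any place that asserts both settings were present for the top-level OU before declaring compliance. Consider reintroducing a presence check built from the policy data for `utils.TopLevelOU` and adding it as a body line ahead of `Status := count(NonCompliantOUs11_1) == 0`. The `NonCompliantOUs11_1` rules this depends on are defined outside this hunk.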
@@ -2028,156 +1238,12 @@ if {
CommonControlsId12_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.12.1")
-LogMessage12_1 := "UserTakeoutSettingsProto User Takeout "
-
Msg12_1 := "The following apps with individual admin control have Takeout enabled: %s"
NonComplianceMessage12_1(EnabledApps) := sprintf(Msg12_1,
[concat(", ", sort(EnabledApps))])
-#### Part 1: detecting service toggle events for OUs/groups *without* an individual admin control
-TakeoutServiceEnableEvents contains {
- "Timestamp": time.parse_rfc3339_ns(Item.id.time),
- "TimestampStr": Item.id.time,
- "NewValue": NewValue,
- "OrgUnit": OrgUnit,
- "Group": Group
-}
-if {
- not PolicyApiInUse
- some Item in input.commoncontrols_logs.items
- some Event in Item.events
- Event.name == "TOGGLE_SERVICE_ENABLED"
-
- "SERVICE_NAME" in {Parameter.name | some Parameter in Event.parameters}
- "NEW_VALUE" in {Parameter.name | some Parameter in Event.parameters}
-
- ServiceName := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "SERVICE_NAME"][0]
- NewValue := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "NEW_VALUE"][0]
- OrgUnit := utils.GetEventOu(Event)
- Group := utils.GetEventGroup(Event)
-
- ServiceName == "Google Takeout"
-}
-
NonComplianceMessage12_1a := "Takeout is enabled for services without an individual admin control."
-NonCompliantOUs12_1 contains {
- "Name": OU,
- "Value": NonComplianceMessage12_1a
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := {
- Event | some Event in TakeoutServiceEnableEvents;
- Event.OrgUnit == OU;
- Event.Group == ""
- }
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent = utils.GetLastEvent(Events)
- LastEvent.NewValue == "true"
-}
-
-NonCompliantGroups12_1 contains {
- "Name": Group,
- "Value": NonComplianceMessage12_1a
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := {
- Event | some Event in TakeoutServiceEnableEvents;
- Event.Group == Group
- }
- # Ignore groups without any events.
- count(Events) > 0
- LastEvent = utils.GetLastEvent(Events)
- LastEvent.NewValue == "true"
-}
-
-#### Part 2: detecting services *with* an individual admin control
-Apps := {"Blogger", "Google Books", "Google Maps", "Google Pay", "Google Photos", "Google Play",
- "Google Play Console", "Timeline - Location History", "YouTube"}
-
-AppsAllowingTakoutOU contains App if {
- not PolicyApiInUse
- Events := utils.FilterEventsNoOU(LogEvents, LogMessage12_1)
- some App in Apps
- Filtered := {Event | some Event in Events; Event.AppName == App; Event.OrgUnit == data.OrgUnit}
- # Note the data.OrgUnit. This means this
- # rule will only work if called like this:
- # AppsAllowingTakoutOU with data.OrgUnit as ExampleOrgUnit
- LastEvent := utils.GetLastEvent(Filtered)
- LastEvent.NewValue != "Disabled"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
-
-AppsAllowingTakoutGroup contains App if {
- not PolicyApiInUse
- Events := utils.FilterEventsNoOU(LogEvents, LogMessage12_1)
- some App in Apps
- Filtered := {Event | some Event in Events; Event.AppName == App; Event.Group == data.Group}
- # Note the data.Group. This means this
- # rule will only work if called like this:
- # AppsAllowingTakoutGroup with data.Group as ExampleGroup
- LastEvent := utils.GetLastEvent(Filtered)
- LastEvent.NewValue != "Disabled"
- LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
-}
-
-NonCompliantOUs12_1 contains {
- "Name": OU,
- "Value": NonComplianceMessage12_1(EnabledApps)
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, LogMessage12_1, OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- EnabledApps := AppsAllowingTakoutOU with data.OrgUnit as OU
- count(EnabledApps) > 0
-}
-
-NonCompliantGroups12_1 contains {
- "Name": Group,
- "Value": NonComplianceMessage12_1(EnabledApps)
-
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- Events := utils.FilterEventsGroup(LogEvents, LogMessage12_1, Group)
- # Ignore groups without any events.
- count(Events) > 0
- EnabledApps := AppsAllowingTakoutGroup with data.Group as Group
- count(EnabledApps) > 0
-}
-
-default NoSuchEvent12_1 := false
-
-NoSuchEvent12_1 := true if {
- Events := utils.FilterEventsOU(LogEvents, LogMessage12_1, utils.TopLevelOU)
- count(Events) == 0
-}
-
-NoSuchEvent12_1 := true if {
- Events := {Event | some Event in TakeoutServiceEnableEvents; Event.OrgUnit == utils.TopLevelOU}
- count(Events) == 0
-}
-
-Check12_1_OK if {
- not PolicyApiInUse
- not NoSuchEvent12_1
-}
-
-Check12_1_OK if {PolicyApiInUse}
-
NonCompliantOUs12_1 contains {
"Name": OU,
"Value": NonComplianceMessage12_1a
@@ -2218,29 +1284,13 @@ if {
tests contains {
"PolicyId": CommonControlsId12_1,
"Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check12_1_OK
-}
-
-tests contains {
- "PolicyId": CommonControlsId12_1,
- "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs12_1, NonCompliantGroups12_1),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs12_1, "NonCompliantGroups": NonCompliantGroups12_1},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs12_1, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs12_1},
"RequirementMet": Status,
"NoSuchEvent": false
}
if {
- Check12_1_OK
- Conditions := {count(NonCompliantOUs12_1) == 0, count(NonCompliantGroups12_1) == 0}
- Status := (false in Conditions) == false
+ Status := count(NonCompliantOUs12_1) == 0
}
#--
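Review bot: `utils.ReportDetails(NonCompliantOUs12_1, [])` at L5433 passes an array where the previous call passed a set (`NonCompliantGroups12_1`); if the helper compares or unions its second argument with a set, Rego's type semantics differ, so `set()` is the safer literal. Beyond the type, the change drops group-scoped Takeout findings from `ActualValue` and, with `Check12_1_OK` gone, lets `Status := count(NonCompliantOUs12_1) == 0` pass when the policy API returned neither the service toggle nor the per-app settings (the deleted branch used `DefaultSafe := false` for 12.1). Both `NonCompliantOUs12_1` variants (service toggle and per-app) are defined outside this hunk, so please confirm one of them still establishes that the top-level OU's settings were actually present.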
@@ -2521,62 +1571,6 @@ CommonControlsId16_2 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.16.2")
NonComplianceMessage16_2 := "Early access apps are ENABLED"
-Check16_2_OK if {
- not PolicyApiInUse
- Events := {
- Event | some Event in ToggleServiceEvents;
- Event.OrgUnit == utils.TopLevelOU;
- Event.ServiceName == "Early Access Apps"
- }
- count(Events) > 0
-}
-
-Check16_2_OK if {PolicyApiInUse}
-
-NonCompliantOUs16_2 contains {
- "Name": OU,
- "Value": NonComplianceMessage16_2
-}
-if {
- not PolicyApiInUse
- some OU in utils.OUsWithEvents
- # Note that this setting requires the custom ToggleServiceEvents rule.
- # Filter based on the service name of the event, otherwise all events are returned.
- Events := {
- Event | some Event in ToggleServiceEvents;
- Event.OrgUnit == OU;
- Event.ServiceName == "Early Access Apps"
- }
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- # For the Early Access Apps service:
- # If service status is set to "ON for everyone", then "NewValue" == true (non-compliant state)
- # else, "NewValue" == false (compliant state)
- LastEvent.NewValue == "true"
-}
-
-NonCompliantGroups16_2 contains {
- "Name": Group,
- "Value": NonComplianceMessage16_2
-}
-if {
- not PolicyApiInUse
- some Group in utils.GroupsWithEvents
- # Note that this setting requires the custom ToggleServiceEvents rule.
- Events := {
- Event | some Event in ToggleServiceEvents;
- Event.Group == Group;
- Event.ServiceName == "Early Access Apps"
- }
- # Ignore groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue == "true"
-}
-
NonCompliantOUs16_2 contains {
"Name": OU,
"Value": NonComplianceMessage16_2
@@ -2590,32 +1584,13 @@ if {
tests contains {
"PolicyId": CommonControlsId16_2,
"Criticality": "Should",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- not PolicyApiInUse
- DefaultSafe := false
- not Check16_2_OK
-}
-
-tests contains {
- "PolicyId": CommonControlsId16_2,
- "Criticality": "Should",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs16_2, NonCompliantGroups16_2),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs16_2, "NonCompliantGroups": NonCompliantGroups16_2},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs16_2, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs16_2},
"RequirementMet": Status,
"NoSuchEvent": false
}
if {
- Check16_2_OK
- Conditions := {
- count(NonCompliantOUs16_2) == 0,
- count(NonCompliantGroups16_2) == 0
- }
- Status := (false in Conditions) == false
+ Status := count(NonCompliantOUs16_2) == 0
}
#--
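Review bot: The surviving `tests` rule at L5507–L5539 hardcodes `NoSuchEvent: false` and computes `Status := count(NonCompliantOUs16_2) == 0`, so an Early Access Apps setting that is absent from the policy-API response is reported as compliant, whereas the deleted branch used `DefaultSafe := false` for this control. If the policy-API `NonCompliantOUs16_2` rule (outside this hunk) cannot distinguish "disabled" from "not returned", the report loses that signal entirely; a presence check for `utils.TopLevelOU` ahead of the `Status` line would restore it. A short comment on the rule recording why groups are no longer evaluated, e.g. `# Policy API exposes this setting per OU only; group overrides are not evaluated.`, would also help, since `NonCompliantGroups16_2` was removed from `ActualValue` in the same change.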