From 6030e098657ec20315b1c3925d140e53b55339c4 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Thu, 4 Jan 2024 14:11:44 -0500 Subject: [PATCH 01/13] Addresses comments in issue 133 --- ...able Secure Configuration Baseline v0.1.md | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md index e04b853d..e1a409fb 100644 --- a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md @@ -43,16 +43,6 @@ External Sharing Options for Primary Calendars SHALL be configured to "Only free - Prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization. - Last Modified: July 10, 2023 -- MITRE ATT&CK TTP Mapping - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - -#### GWS.CALENDAR.1.2v0.1 -External sharing options for primary calendars between multiple components within an organization MAY be configured. - -- Rationale - - Prevent data leakage by restricting the information viewable by internal users when a user shares their calendar by configuring additional settings on shared information between components. -- Last Modified: November 14, 2023 - - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) 
@@ -133,17 +123,6 @@ External sharing options for secondary calendars SHALL be configured to "Only fr - Prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization. - Last Modified: July 10, 2023 -- MITRE ATT&CK TTP Mapping - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - -#### GWS.CALENDAR.3.2v0.1 - -External sharing options for secondary calendars between multiple components within an organization MAY be configured. - -- Rationale - - Prevent data leakage by restricting the information viewable by internal users when a user shares their calendar by configuring additional settings on shared information between components. -- Last Modified: July 10, 2023 - - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) From b91edb443e2675ac80792c70529fbe81a3df0802 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 5 Jan 2024 12:32:33 -0500 Subject: [PATCH 02/13] Removed implementation --- ...ar Minimum Viable Secure Configuration Baseline v0.1.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md index e1a409fb..a65323c6 100644 --- a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md @@ -66,9 +66,6 @@ To configure the settings for External Sharing in Primary Calendar: 4. Select **Only free/busy information (hide event details)**. 5. Select **Save**. -#### GWS.CALENDAR.1.2v0.1 Instructions -1. There is no implementation for this policy - ## 2. External Invitations Warnings This section determines whether users are warned when inviting one or more guests from outside of their domain. 
@@ -147,10 +144,6 @@ To configure the settings for External Sharing in secondary calendars: 4. Select **Only free/busy information (hide event details)**. 5. Select **Save**. -#### GWS.CALENDAR.3.2v0.1 Instructions - -1. There is no implementation for this policy - ## 4. Calendar Interop Management This section determines whether Microsoft Exchange and Google Calendar can be configured to work together to allow users in both systems to share their availability status so they can view each other's schedules. The availability and event information that will be shared between Exchange and Calendar include availability for users, group or team calendars, and calendar resources (such as meeting rooms). Calendar Interop respects event-level privacy settings from either Exchange or Calendar. From b9abc1f2b1183c256584e779f55e116b31bfc6e5 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 5 Jan 2024 12:37:43 -0500 Subject: [PATCH 03/13] Fixed the drift rules file --- drift-rules/GWS Drift Monitoring Rules - Calendar.csv | 2 -- 1 file changed, 2 deletions(-) diff --git a/drift-rules/GWS Drift Monitoring Rules - Calendar.csv b/drift-rules/GWS Drift Monitoring Rules - Calendar.csv index 9ecb93c6..2d80040c 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Calendar.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Calendar.csv 
@@ -1,9 +1,7 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test GWS.CALENDAR.1.1v0.1,"External Sharing Options for Primary Calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs1clzmpm,JK 07-28-23 @ 12:08 -GWS.CALENDAR.1.2v0.1,External sharing options for primary calendars between multiple components within an organization MAY be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable GWS.CALENDAR.2.1v0.1,External invitations warnings SHALL be enabled to prompt users before sending invitations.,Admin Log Event,Change Calendar Setting,ENABLE_EXTERNAL_GUEST_PROMPT,true,rules/00gjdgxs26jpj72,JK 07-28-23 @ 12:20 GWS.CALENDAR.3.1v0.1,"External sharing options for secondary calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs3ob14fv,JK 07-28-23 @ 12:32 -GWS.CALENDAR.3.2v0.1,External sharing options for secondary calendars between multiple components within an organization MAY be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable GWS.CALENDAR.4.1v0.1,Calendar Interop SHOULD be disabled unless agency mission fulfillment requires collaboration between users internal and external to an organization who use both Microsoft Exchange and Google Calendar.,Admin Log Event,Change Calendar Setting,ENABLE_EWS_INTEROP,false,rules/00gjdgxs3yipjmt,JK 07-28-23 @ 14:42 GWS.CALENDAR.4.2v0.1,OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivity between tenants or organizations in cases where Calendar Interop is deemed necessary for agency mission fulfillment.,N/A,N/A,N/A,N/A,N/A,"Not able to create rule due to 
bug in rule wizard. Applicable log event exists, but is not selectable within rule wizard." GWS.CALENDAR.5.1v0.1,Appointment Schedule with Payments SHALL be disabled.,Admin Log Event,Change Application Setting,CalendarAppointmentSlotAdminSettingsProto payments_enabled,false,rules/00gjdgxs3oppjwl,JK 09-08-23 @ 10:47 \ No newline at end of file From 1492f3d9fa6c779c04b63ce3824941bcd8c74f14 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Thu, 4 Jan 2024 14:11:44 -0500 Subject: [PATCH 04/13] Addresses comments in issue 133 --- ...able Secure Configuration Baseline v0.1.md | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md index e04b853d..e1a409fb 100644 --- a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md @@ -43,16 +43,6 @@ External Sharing Options for Primary Calendars SHALL be configured to "Only free - Prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization. - Last Modified: July 10, 2023 -- MITRE ATT&CK TTP Mapping - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - -#### GWS.CALENDAR.1.2v0.1 -External sharing options for primary calendars between multiple components within an organization MAY be configured. - -- Rationale - - Prevent data leakage by restricting the information viewable by internal users when a user shares their calendar by configuring additional settings on shared information between components. -- Last Modified: November 14, 2023 - - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) 
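Review bot: PATCH 04/13 above is an exact repeat of PATCH 01/13: same subject ("Addresses comments in issue 133"), same author date (Thu, 4 Jan 2024 14:11:44 -0500), same file and the same blob index line (e04b853d..e1a409fb), and PATCH 05/13 and 06/13 likewise repeat 02/13 (index e1a409fb..a65323c6) and 03/13 (index 9ecb93c6..2d80040c). Applied in order with `git am`, the second copy of each commit would find the lines it deletes already gone and fail to apply; the series should be rebased so each change appears once before it is merged.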
@@ -133,17 +123,6 @@ External sharing options for secondary calendars SHALL be configured to "Only fr - Prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization. - Last Modified: July 10, 2023 -- MITRE ATT&CK TTP Mapping - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - -#### GWS.CALENDAR.3.2v0.1 - -External sharing options for secondary calendars between multiple components within an organization MAY be configured. - -- Rationale - - Prevent data leakage by restricting the information viewable by internal users when a user shares their calendar by configuring additional settings on shared information between components. -- Last Modified: July 10, 2023 - - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) From 190c8fa679af18318f1de931319f17fcf1240e73 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 5 Jan 2024 12:32:33 -0500 Subject: [PATCH 05/13] Removed implementation --- ...ar Minimum Viable Secure Configuration Baseline v0.1.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md index e1a409fb..a65323c6 100644 --- a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md @@ -66,9 +66,6 @@ To configure the settings for External Sharing in Primary Calendar: 4. Select **Only free/busy information (hide event details)**. 5. Select **Save**. -#### GWS.CALENDAR.1.2v0.1 Instructions -1. There is no implementation for this policy - ## 2. External Invitations Warnings This section determines whether users are warned when inviting one or more guests from outside of their domain. 
@@ -147,10 +144,6 @@ To configure the settings for External Sharing in secondary calendars: 4. Select **Only free/busy information (hide event details)**. 5. Select **Save**. -#### GWS.CALENDAR.3.2v0.1 Instructions - -1. There is no implementation for this policy - ## 4. Calendar Interop Management This section determines whether Microsoft Exchange and Google Calendar can be configured to work together to allow users in both systems to share their availability status so they can view each other's schedules. The availability and event information that will be shared between Exchange and Calendar include availability for users, group or team calendars, and calendar resources (such as meeting rooms). Calendar Interop respects event-level privacy settings from either Exchange or Calendar. From b2bafd13cc184f83f83f0dbded5f6edc7e7afe71 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 5 Jan 2024 12:37:43 -0500 Subject: [PATCH 06/13] Fixed the drift rules file --- drift-rules/GWS Drift Monitoring Rules - Calendar.csv | 2 -- 1 file changed, 2 deletions(-) diff --git a/drift-rules/GWS Drift Monitoring Rules - Calendar.csv b/drift-rules/GWS Drift Monitoring Rules - Calendar.csv index 9ecb93c6..2d80040c 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Calendar.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Calendar.csv 
@@ -1,9 +1,7 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test GWS.CALENDAR.1.1v0.1,"External Sharing Options for Primary Calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs1clzmpm,JK 07-28-23 @ 12:08 -GWS.CALENDAR.1.2v0.1,External sharing options for primary calendars between multiple components within an organization MAY be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable GWS.CALENDAR.2.1v0.1,External invitations warnings SHALL be enabled to prompt users before sending invitations.,Admin Log Event,Change Calendar Setting,ENABLE_EXTERNAL_GUEST_PROMPT,true,rules/00gjdgxs26jpj72,JK 07-28-23 @ 12:20 GWS.CALENDAR.3.1v0.1,"External sharing options for secondary calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs3ob14fv,JK 07-28-23 @ 12:32 -GWS.CALENDAR.3.2v0.1,External sharing options for secondary calendars between multiple components within an organization MAY be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable GWS.CALENDAR.4.1v0.1,Calendar Interop SHOULD be disabled unless agency mission fulfillment requires collaboration between users internal and external to an organization who use both Microsoft Exchange and Google Calendar.,Admin Log Event,Change Calendar Setting,ENABLE_EWS_INTEROP,false,rules/00gjdgxs3yipjmt,JK 07-28-23 @ 14:42 GWS.CALENDAR.4.2v0.1,OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivity between tenants or organizations in cases where Calendar Interop is deemed necessary for agency mission fulfillment.,N/A,N/A,N/A,N/A,N/A,"Not able to create rule due to 
bug in rule wizard. Applicable log event exists, but is not selectable within rule wizard." GWS.CALENDAR.5.1v0.1,Appointment Schedule with Payments SHALL be disabled.,Admin Log Event,Change Application Setting,CalendarAppointmentSlotAdminSettingsProto payments_enabled,false,rules/00gjdgxs3oppjwl,JK 09-08-23 @ 10:47 \ No newline at end of file From a982989fd80ea4e247cc5d997902df90c2a5c096 Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Mon, 15 Jan 2024 17:36:38 -0800 Subject: [PATCH 07/13] Removed the old 1.2 and 3.2 --- .../RegoTests/calendar/calendar01_test.rego | 24 +---------------- .../RegoTests/calendar/calendar03_test.rego | 24 +---------------- rego/Calendar.rego | 27 ------------------- 3 files changed, 2 insertions(+), 73 deletions(-) diff --git a/Testing/RegoTests/calendar/calendar01_test.rego b/Testing/RegoTests/calendar/calendar01_test.rego index fbff9263..2f375ef2 100644 --- a/Testing/RegoTests/calendar/calendar01_test.rego +++ b/Testing/RegoTests/calendar/calendar01_test.rego @@ -2,7 +2,7 @@ package calendar import future.keywords # -# Policy 1 +# GWS.CALENDAR.1.1v0.1 #-- test_ExtSharingPrimaryCal_Correct_V1 if { # Test external sharing for primary calendars when there's only one event @@ -391,26 +391,4 @@ test_ExtSharingPrimaryCal_Incorrect_V5 if { not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == "Requirement failed in Secondary OU." } - -# -# GWS.CALENDAR.1.2v0.1 -#-- - -test_External_Sharing_Options_V1 if { - # Not-Implemented - PolicyId := "GWS.CALENDAR.1.2v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Currently not able to be tested automatically; please manually check." -} #-- \ No newline at end of file 
diff --git a/Testing/RegoTests/calendar/calendar03_test.rego b/Testing/RegoTests/calendar/calendar03_test.rego index 060d701b..3b1de973 100644 --- a/Testing/RegoTests/calendar/calendar03_test.rego +++ b/Testing/RegoTests/calendar/calendar03_test.rego @@ -2,7 +2,7 @@ package calendar import future.keywords # -# Policy 1 +# GWS.CALENDAR.3.1v0.1 #-- test_ExtSharingSecondaryCal_Correct_V1 if { # Test external sharing for secondary calendars when there's only one event @@ -186,26 +186,4 @@ test_ExtSharingSecondaryCal_Incorrect_V3 if { " is shared outside Test Top-Level Domain but outsiders cannot change calendars." ]) } - -# -# GWS.CALENDAR.3.2v0.1 -#-- - -test_ExternalSharingOptions_Secondary__Correct_V1 if { - # Not-Implemented - PolicyId := "GWS.CALENDAR.3.2v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Currently not able to be tested automatically; please manually check." -} #-- \ No newline at end of file diff --git a/rego/Calendar.rego b/rego/Calendar.rego index 12255e72..f239af0f 100644 --- a/rego/Calendar.rego +++ b/rego/Calendar.rego @@ -53,19 +53,6 @@ if { } #-- -# -# Baseline GWS.CALENDAR.1.2v0.1 -#-- -tests contains { - "PolicyId": "GWS.CALENDAR.1.2v0.1", - "Criticality": "May/Not-Implemented", - "ReportDetails": "Currently not able to be tested automatically; please manually check.", - "ActualValue": "", - "RequirementMet": false, - "NoSuchEvent": true -} -#-- - ################## # GWS.CALENDAR.2 # ################## 
@@ -186,20 +173,6 @@ if { } #-- -# -# Baseline GWS.CALENDAR.3.2v0.1 -#-- -tests contains { - "PolicyId": "GWS.CALENDAR.3.2v0.1", - "Criticality": "May/Not-Implemented", - "ReportDetails": "Currently not able to be tested automatically; please manually check.", - "ActualValue": "", - "RequirementMet": false, - "NoSuchEvent": true -} -#-- - - ################## # GWS.CALENDAR.4 # From c4a2adf65e4a0ec23a2b1e5e1c3192495541ae1f Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Tue, 16 Jan 2024 13:19:44 -0500 Subject: [PATCH 08/13] Merged 3.1 and 1.1 into 1 policy group --- ...able Secure Configuration Baseline v0.1.md | 59 +++++++------------ 1 file changed, 21 insertions(+), 38 deletions(-) diff --git a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md index a65323c6..68885fb2 100644 --- a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md @@ -30,7 +30,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S # Baseline Policies -## 1. External Sharing Options for Primary Calendars +## 1. External Sharing Options This section determines what information is shared from primary calendars with external entities. 
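Review bot: in the hunk at @@ -30,7 +30,7 @@ the heading is broadened from "## 1. External Sharing Options for Primary Calendars" to "## 1. External Sharing Options", but the description kept as context, "This section determines what information is shared from primary calendars with external entities.", still names only primary calendars even though the section now also holds GWS.CALENDAR.1.2v0.1 for secondary calendars. Suggest updating it to read "...shared from primary and secondary calendars with external entities." so the section text matches its policies.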
@@ -43,6 +43,16 @@ External Sharing Options for Primary Calendars SHALL be configured to "Only free - Prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization. - Last Modified: July 10, 2023 +- MITRE ATT&CK TTP Mapping + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + +#### GWS.CALENDAR.1.2v0.1 +External sharing options for secondary calendars SHALL be configured to "Only free/busy information (hide event details)" to restrict information sharing and prevent data leakage. + +- Rationale + - Prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization. +- Last Modified: July 10, 2023 + - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) @@ -66,6 +76,16 @@ To configure the settings for External Sharing in Primary Calendar: 4. Select **Only free/busy information (hide event details)**. 5. Select **Save**. +#### GWS.CALENDAR.1.2v0.1 Instructions + +To configure the settings for External Sharing in secondary calendars: + +1. Sign in to the [Google Admin Console](https://admin.google.com). +2. Select **Apps -\> Google Workspace -\> Calendar**. +3. Select **General settings -\> External sharing options for secondary calendars**. +4. Select **Only free/busy information (hide event details)**. +5. Select **Save**. + ## 2. External Invitations Warnings This section determines whether users are warned when inviting one or more guests from outside of their domain. 
@@ -107,43 +127,6 @@ To configure the settings for Confidential Mode: 4. Check the **Warn users when inviting guests outside of the domain** checkbox. 5. Select **Save**. -## 3. External Sharing Options for Secondary Calendars - -This section determines what information is shared from secondary calendars with external entities. - -### Policies - -#### GWS.CALENDAR.3.1v0.1 -External sharing options for secondary calendars SHALL be configured to "Only free/busy information (hide event details)" to restrict information sharing and prevent data leakage. - -- Rationale - - Prevent data leakage by restricting the amount of information that is externally viewable when a user shares their calendar with someone external to your organization. -- Last Modified: July 10, 2023 - -- MITRE ATT&CK TTP Mapping - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - -### Resources - -- [Google Workspace Admin Help: Set Calendar sharing options](https://support.google.com/a/answer/60765?hl=en#zippy=%2Cset-a-default-for-internal-sharing%2Callow-or-restrict-external-sharing) -- [CIS Google Workspace Foundations Benchmark](https://www.cisecurity.org/benchmark/google_workspace) - -### Prerequisites - -- N/A - -### Implementation - -#### GWS.CALENDAR.3.1v0.1 Instructions - -To configure the settings for External Sharing in secondary calendars: - -1. Sign in to the [Google Admin Console](https://admin.google.com). -2. Select **Apps -\> Google Workspace -\> Calendar**. -3. Select **General settings -\> External sharing options for secondary calendars**. -4. Select **Only free/busy information (hide event details)**. -5. Select **Save**. - ## 4. Calendar Interop Management This section determines whether Microsoft Exchange and Google Calendar can be configured to work together to allow users in both systems to share their availability status so they can view each other's schedules. 
The availability and event information that will be shared between Exchange and Calendar include availability for users, group or team calendars, and calendar resources (such as meeting rooms). Calendar Interop respects event-level privacy settings from either Exchange or Calendar. From a194def222cf34d4360cba66de04fd20c224e87d Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Tue, 16 Jan 2024 13:21:43 -0500 Subject: [PATCH 09/13] Re-numbered affected policies and fixed drift rules --- ... Viable Secure Configuration Baseline v0.1.md | 16 ++++++++-------- .../GWS Drift Monitoring Rules - Calendar.csv | 8 ++++---- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md index 68885fb2..ff7cc0b1 100644 --- a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md @@ -127,7 +127,7 @@ To configure the settings for Confidential Mode: 4. Check the **Warn users when inviting guests outside of the domain** checkbox. 5. Select **Save**. -## 4. Calendar Interop Management +## 3. Calendar Interop Management This section determines whether Microsoft Exchange and Google Calendar can be configured to work together to allow users in both systems to share their availability status so they can view each other's schedules. The availability and event information that will be shared between Exchange and Calendar include availability for users, group or team calendars, and calendar resources (such as meeting rooms). Calendar Interop respects event-level privacy settings from either Exchange or Calendar. 
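Review bot: the PATCH 08/13 hunk at @@ -107,43 +127,6 @@ deletes the whole "## 3. External Sharing Options for Secondary Calendars" section, including its "### Resources" entries (the Google Workspace Admin Help "Set Calendar sharing options" article and the CIS Google Workspace Foundations Benchmark) and its "### Prerequisites". Section 1's Resources list is not part of this diff, so please confirm it already carries those same links; otherwise the relocated GWS.CALENDAR.1.2v0.1 loses its supporting references.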
@@ -135,7 +135,7 @@ Due to the added complexity and attack surface associated with configuring Calen ### Policies -#### GWS.CALENDAR.4.1v0.1 +#### GWS.CALENDAR.3.1v0.1 Calendar Interop SHOULD be disabled unless agency mission fulfillment requires collaboration between users internal and external to an organization who use both Microsoft Exchange and Google Calendar. - Rationale @@ -146,7 +146,7 @@ Calendar Interop SHOULD be disabled unless agency mission fulfillment requires c - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - [T1199: Trusted Relationship](https://attack.mitre.org/techniques/T1199/) -#### GWS.CALENDAR.4.2v0.1 +#### GWS.CALENDAR.3.2v0.1 OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivity between tenants or organizations in cases where Calendar Interop is deemed necessary for agency mission fulfillment. - Rationale @@ -166,7 +166,7 @@ OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivit ### Implementation -#### GWS.CALENDAR.4.1v0.1 Instructions +#### GWS.CALENDAR.3.1v0.1 Instructions To configure the settings for Calendar Interop: @@ -176,7 +176,7 @@ To configure the settings for Calendar Interop: 4. Uncheck the **Enable Interoperability for Calendar** checkbox. 5. Select **Save**. -#### GWS.CALENDAR.4.2v0.1 Instructions +#### GWS.CALENDAR.3.2v0.1 Instructions To configure the settings for Calendar Interop: @@ -186,13 +186,13 @@ To configure the settings for Calendar Interop: 4. Select **OAuth 2.0 client credentials** 5. Select **Save**. -## 5. Paid Appointments +## 4. Paid Appointments This section covers whether or not the paid appointment booking feature is enabled. ### Policies -#### GWS.CALENDAR.5.1v0.1 +#### GWS.CALENDAR.4.1v0.1 Appointment Schedule with Payments SHALL be disabled. - Rationale 
@@ -214,7 +214,7 @@ Appointment Schedule with Payments SHALL be disabled. ### Implementation -#### GWS.CALENDAR.5.1v0.1 Instructions +#### GWS.CALENDAR.4.1v0.1 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps -\> Google Workspace -\> Calendar**. diff --git a/drift-rules/GWS Drift Monitoring Rules - Calendar.csv b/drift-rules/GWS Drift Monitoring Rules - Calendar.csv index 2d80040c..cde91dc3 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Calendar.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Calendar.csv 
@@ -1,7 +1,7 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test GWS.CALENDAR.1.1v0.1,"External Sharing Options for Primary Calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs1clzmpm,JK 07-28-23 @ 12:08 +GWS.CALENDAR.1.2v0.1,"External sharing options for secondary calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs3ob14fv,JK 07-28-23 @ 12:32 GWS.CALENDAR.2.1v0.1,External invitations warnings SHALL be enabled to prompt users before sending invitations.,Admin Log Event,Change Calendar Setting,ENABLE_EXTERNAL_GUEST_PROMPT,true,rules/00gjdgxs26jpj72,JK 07-28-23 @ 12:20 -GWS.CALENDAR.3.1v0.1,"External sharing options for secondary calendars SHALL be configured to ""Only free/busy information (hide event details)” to restrict information sharing and prevent data leakage.",Admin Log Event,Change Calendar Setting,SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR,SHOW_ONLY_FREE_BUSY_INFORMATION,rules/00gjdgxs3ob14fv,JK 07-28-23 @ 12:32 -GWS.CALENDAR.4.1v0.1,Calendar Interop SHOULD be disabled unless agency mission fulfillment requires collaboration between users internal and external to an organization who use both Microsoft Exchange and Google Calendar.,Admin Log Event,Change Calendar Setting,ENABLE_EWS_INTEROP,false,rules/00gjdgxs3yipjmt,JK 07-28-23 @ 14:42 -GWS.CALENDAR.4.2v0.1,OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivity between tenants or organizations in cases where Calendar Interop is deemed necessary for agency mission fulfillment.,N/A,N/A,N/A,N/A,N/A,"Not able to 
create rule due to bug in rule wizard. Applicable log event exists, but is not selectable within rule wizard." -GWS.CALENDAR.5.1v0.1,Appointment Schedule with Payments SHALL be disabled.,Admin Log Event,Change Application Setting,CalendarAppointmentSlotAdminSettingsProto payments_enabled,false,rules/00gjdgxs3oppjwl,JK 09-08-23 @ 10:47 \ No newline at end of file +GWS.CALENDAR.3.1v0.1,Calendar Interop SHOULD be disabled unless agency mission fulfillment requires collaboration between users internal and external to an organization who use both Microsoft Exchange and Google Calendar.,Admin Log Event,Change Calendar Setting,ENABLE_EWS_INTEROP,false,rules/00gjdgxs3yipjmt,JK 07-28-23 @ 14:42 +GWS.CALENDAR.3.2v0.1,OAuth 2.0 SHALL be used in lieu of basic authentication to establish connectivity between tenants or organizations in cases where Calendar Interop is deemed necessary for agency mission fulfillment.,N/A,N/A,N/A,N/A,N/A,"Not able to create rule due to bug in rule wizard. Applicable log event exists, but is not selectable within rule wizard." +GWS.CALENDAR.4.1v0.1,Appointment Schedule with Payments SHALL be disabled.,Admin Log Event,Change Application Setting,CalendarAppointmentSlotAdminSettingsProto payments_enabled,false,rules/00gjdgxs3oppjwl,JK 09-08-23 @ 10:47 \ No newline at end of file From 34a30a18568260071fb280effe06c96b9cc9a4b5 Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Tue, 16 Jan 2024 10:55:56 -0800 Subject: [PATCH 10/13] Merge calendar sharing controls into a single group rego changes --- .../RegoTests/calendar/calendar01_test.rego | 187 ++++++++++++ .../RegoTests/calendar/calendar03_test.rego | 92 +++--- .../RegoTests/calendar/calendar04_test.rego | 157 +++++++--- .../RegoTests/calendar/calendar05_test.rego | 274 ------------------ rego/Calendar.rego | 136 +++++---- 5 files changed, 420 insertions(+), 426 deletions(-) delete mode 100644 Testing/RegoTests/calendar/calendar05_test.rego 
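Review bot: PATCH 09/13 renumbers the baseline headings and the drift-rules CSV (GWS.CALENDAR.4.1 to 3.1, 4.2 to 3.2, 5.1 to 4.1), but the rego that emits those PolicyIds is only changed in PATCH 10/13 (its stat touches rego/Calendar.rego, rewrites calendar04_test.rego and deletes calendar05_test.rego). At commit 09 the baseline and CSV therefore disagree with the policy IDs the tool reports. Consider squashing 09 into 10, or reordering, so that every commit in the series is internally consistent and bisecting never lands on a mismatched state.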
diff --git a/Testing/RegoTests/calendar/calendar01_test.rego b/Testing/RegoTests/calendar/calendar01_test.rego index 2f375ef2..2b53b7c5 100644 --- a/Testing/RegoTests/calendar/calendar01_test.rego +++ b/Testing/RegoTests/calendar/calendar01_test.rego 
@@ -391,4 +391,191 @@ test_ExtSharingPrimaryCal_Incorrect_V5 if { not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == "Requirement failed in Secondary OU." } +#-- + +# +# GWS.CALENDAR.1.2v0.1 +#-- +test_ExtSharingSecondaryCal_Correct_V1 if { + # Test external sharing for secondary calendars when there's only one event + PolicyId := "GWS.CALENDAR.1.2v0.1" + Output := tests with input as { + "calendar_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, + {"name": "NEW_VALUE", "value": "SHOW_ONLY_FREE_BUSY_INFORMATION"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "Only free busy/information for secondary calendars ", + " is shared outside Test Top-Level Domain" + ]) +} + +test_ExtSharingSecondaryCal_Correct_V2 if { + # Test external sharing for secondary calendars when there's multiple events and the most most recent is correct + PolicyId := "GWS.CALENDAR.1.2v0.1" + Output := tests with input as { + "calendar_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, + {"name": "NEW_VALUE", "value": "SHOW_ONLY_FREE_BUSY_INFORMATION"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, + ] + }] + }, + { + "id": {"time": "2021-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, + {"name": 
"NEW_VALUE", "value": "READ_ONLY_ACCESS"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "Only free busy/information for secondary calendars ", + "is shared outside Test Top-Level Domain" + ]) +} + +test_ExtSharingSecondaryCal_Incorrect_V1 if { + # Test external sharing for secondary calendars when there are no relevant events + PolicyId := "GWS.CALENDAR.1.2v0.1" + Output := tests with input as { + "calendar_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "Something else"}, + {"name": "NEW_VALUE", "value": "SAME_DOMAIN"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "No relevant event in the current logs for the top-level OU, Test Top-Level OU. ", + "While we are unable to determine the state from the logs, the default setting ", + "is non-compliant; manual check recommended." 
+ ]) +} + +test_ExtSharingSecondaryCal_Incorrect_V2 if { + # Test external sharing for secondary calendars when there's only one event and it's wrong + PolicyId := "GWS.CALENDAR.1.2v0.1" + Output := tests with input as { + "calendar_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, + {"name": "NEW_VALUE", "value": "READ_ONLY_ACCESS"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "All information for secondary calendars ", + " is shared outside Test Top-Level Domain but outsiders cannot change calendars." 
+ ]) +} + +test_ExtSharingSecondaryCal_Incorrect_V3 if { + # Test external sharing for secondary calendars when there are multiple events and the most recent is wrong + PolicyId := "GWS.CALENDAR.1.2v0.1" + Output := tests with input as { + "calendar_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, + {"name": "NEW_VALUE", "value": "READ_ONLY_ACCESS"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, + ] + }] + }, + { + "id": {"time": "2021-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, + {"name": "NEW_VALUE", "value": "READ_WRITE_ACCESS"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + }, + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "All information for secondary calendars ", + " is shared outside Test Top-Level Domain but outsiders cannot change calendars." + ]) +} #-- \ No newline at end of file diff --git a/Testing/RegoTests/calendar/calendar03_test.rego b/Testing/RegoTests/calendar/calendar03_test.rego index 3b1de973..d54def0c 100644 --- a/Testing/RegoTests/calendar/calendar03_test.rego +++ b/Testing/RegoTests/calendar/calendar03_test.rego 
@@ -1,11 +1,12 @@ package calendar import future.keywords + # -# GWS.CALENDAR.3.1v0.1 +# Policy 1 #-- -test_ExtSharingSecondaryCal_Correct_V1 if { - # Test external sharing for secondary calendars when there's only one event +test_CalInteropMan_Correct_V1 if { +# Test calendar interop management when there's only one event PolicyId := "GWS.CALENDAR.3.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ @@ -13,8 +14,8 @@ test_ExtSharingSecondaryCal_Correct_V1 if { "id": {"time": "2022-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, - {"name": "NEW_VALUE", "value": "SHOW_ONLY_FREE_BUSY_INFORMATION"}, + {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] @@ -30,14 +31,12 @@ test_ExtSharingSecondaryCal_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "Only free busy/information for secondary calendars ", - " is shared outside Test Top-Level Domain" - ]) + RuleOutput[0].ReportDetails == + "Calendar interop is not enabled for Test Top-Level Domain" } -test_ExtSharingSecondaryCal_Correct_V2 if { - # Test external sharing for secondary calendars when there's multiple events and the most most recent is correct +test_CalInteropMan_Correct_V2 if { + # Test calendar interop management when there's multiple events and the most most recent is correct PolicyId := "GWS.CALENDAR.3.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ 
@@ -45,8 +44,8 @@ test_ExtSharingSecondaryCal_Correct_V2 if { "id": {"time": "2022-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, - {"name": "NEW_VALUE", "value": "SHOW_ONLY_FREE_BUSY_INFORMATION"}, + {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] @@ -56,8 +55,8 @@ test_ExtSharingSecondaryCal_Correct_V2 if { "id": {"time": "2021-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, - {"name": "NEW_VALUE", "value": "READ_ONLY_ACCESS"}, + {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] @@ -73,14 +72,12 @@ test_ExtSharingSecondaryCal_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "Only free busy/information for secondary calendars ", - "is shared outside Test Top-Level Domain" - ]) + RuleOutput[0].ReportDetails == + "Calendar interop is not enabled for Test Top-Level Domain" } -test_ExtSharingSecondaryCal_Incorrect_V1 if { - # Test external sharing for secondary calendars when there are no relevant events +test_CalInteropMan_Incorrect_V1 if { + # Test calendar interop management when there are no relevant events PolicyId := "GWS.CALENDAR.3.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ 
@@ -112,8 +109,8 @@ test_ExtSharingSecondaryCal_Incorrect_V1 if { ]) } -test_ExtSharingSecondaryCal_Incorrect_V2 if { - # Test external sharing for secondary calendars when there's only one event and it's wrong +test_CalInteropMan_Incorrect_V2 if { + # Test calendar interop management when there's only one event and it's wrong PolicyId := "GWS.CALENDAR.3.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ @@ -121,8 +118,8 @@ test_ExtSharingSecondaryCal_Incorrect_V2 if { "id": {"time": "2022-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, - {"name": "NEW_VALUE", "value": "READ_ONLY_ACCESS"}, + {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] @@ -138,14 +135,11 @@ test_ExtSharingSecondaryCal_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "All information for secondary calendars ", - " is shared outside Test Top-Level Domain but outsiders cannot change calendars." - ]) + RuleOutput[0].ReportDetails == "Calendar interop is enabled for Test Top-Level Domain" } -test_ExtSharingSecondaryCal_Incorrect_V3 if { - # Test external sharing for secondary calendars when there are multiple events and the most recent is wrong +test_CalInteropMan_Incorrect_V3 if { + # Test calendar interop management when there are multiple events and the most recent is wrong PolicyId := "GWS.CALENDAR.3.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ 
@@ -153,8 +147,8 @@ test_ExtSharingSecondaryCal_Incorrect_V3 if { "id": {"time": "2022-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, - {"name": "NEW_VALUE", "value": "READ_ONLY_ACCESS"}, + {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] @@ -164,8 +158,8 @@ test_ExtSharingSecondaryCal_Incorrect_V3 if { "id": {"time": "2021-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN_FOR_SECONDARY_CALENDAR"}, - {"name": "NEW_VALUE", "value": "READ_WRITE_ACCESS"}, + {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] @@ -181,9 +175,29 @@ test_ExtSharingSecondaryCal_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "All information for secondary calendars ", - " is shared outside Test Top-Level Domain but outsiders cannot change calendars." - ]) + RuleOutput[0].ReportDetails == "Calendar interop is enabled for Test Top-Level Domain" +} +#-- + +# +# GWS.CALENDAR.3.2v0.1 +#-- + +test_OAuth_Correct_V1 if { + # Not-Implemented + PolicyId := "GWS.CALENDAR.3.2v0.1" + Output := tests with input as { + "calendar_logs": {"items": [ + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == "Currently not able to be tested automatically; please manually check." } #-- \ No newline at end of file 
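Review bot: in the new GWS.CALENDAR.1.2v0.1 block of calendar01_test.rego, test_ExtSharingSecondaryCal_Correct_V1 and test_ExtSharingSecondaryCal_Correct_V2 have the same most-recent event (SHOW_ONLY_FREE_BUSY_INFORMATION on Test Top-Level OU) but expect different strings: V1 concatenates `"Only free busy/information for secondary calendars "` with `" is shared outside Test Top-Level Domain"` (two spaces before "is"), while V2 uses `"is shared outside Test Top-Level Domain"` (one space). ExtSharingSecondaryCalSettingDetailsStr returns one fixed string for that value, so at most one of the two assertions can pass; pick the spacing that matches the rego, and consider fixing the "free busy/information" wording to "free/busy information" in both the rule and the tests while you are there. The same double space is carried into Incorrect_V2 and Incorrect_V3. Smaller points on the same files: "most most recent" in the Correct_V2 comment; the new block still leaves calendar01_test.rego without a trailing newline; in calendar03_test.rego the section header was changed from `# GWS.CALENDAR.3.1v0.1` to the generic `# Policy 1` while calendar04_test.rego moves in the opposite direction, so keep the policy id here as well; the `# Test calendar interop management when there's only one event` comment in test_CalInteropMan_Correct_V1 lost its indentation; and test_OAuth_Correct_V1 for GWS.CALENDAR.3.2v0.1 asserts `not RuleOutput[0].RequirementMet` and `RuleOutput[0].NoSuchEvent`, so neither "OAuth" nor "Correct" describes it; name it after the not-implemented policy instead.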
diff --git a/Testing/RegoTests/calendar/calendar04_test.rego b/Testing/RegoTests/calendar/calendar04_test.rego index c13c334a..3bc6ed48 100644 --- a/Testing/RegoTests/calendar/calendar04_test.rego +++ b/Testing/RegoTests/calendar/calendar04_test.rego @@ -1,12 +1,11 @@ package calendar import future.keywords - # -# Policy 1 +# GWS.CALENDAR.4.1v0.1 #-- -test_CalInteropMan_Correct_V1 if { -# Test calendar interop management when there's only one event +test_CalendarAppointmentSlot_Correct_V1 if { + # Test Calendar Appointment Slot when there's only one event PolicyId := "GWS.CALENDAR.4.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ @@ -14,10 +13,9 @@ test_CalInteropMan_Correct_V1 if { "id": {"time": "2022-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"} ] }] } @@ -31,12 +29,11 @@ test_CalInteropMan_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == - "Calendar interop is not enabled for Test Top-Level Domain" + RuleOutput[0].ReportDetails == "Requirement met in all OUs." } -test_CalInteropMan_Correct_V2 if { - # Test calendar interop management when there's multiple events and the most most recent is correct +test_CalendarAppointmentSlot_Correct_V2 if { + # Test Calendar Appointment Slot when there's multiple events and the most recent is correct PolicyId := "GWS.CALENDAR.4.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ 
@@ -44,10 +41,9 @@ test_CalInteropMan_Correct_V2 if { "id": {"time": "2022-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] }] }, @@ -55,10 +51,9 @@ test_CalInteropMan_Correct_V2 if { "id": {"time": "2021-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] }] } 
@@ -72,12 +67,49 @@ test_CalInteropMan_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == - "Calendar interop is not enabled for Test Top-Level Domain" + RuleOutput[0].ReportDetails == "Requirement met in all OUs." } -test_CalInteropMan_Incorrect_V1 if { - # Test calendar interop management when there are no relevant events +test_CalendarAppointmentSlot_Correct_V3 if { + # Test Calendar Appointment Slot when there's correct events in multiple OUs + PolicyId := "GWS.CALENDAR.4.1v0.1" + Output := tests with input as { + "calendar_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-21T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == "Requirement met in all OUs." +} + +test_CalendarAppointmentSlot_Incorrect_V1 if { + # Test Calendar Appointment Slot when there are no relevant events PolicyId := "GWS.CALENDAR.4.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ 
@@ -86,9 +118,8 @@ test_CalInteropMan_Incorrect_V1 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Something else"}, - {"name": "NEW_VALUE", "value": "SAME_DOMAIN"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] }] } @@ -109,8 +140,8 @@ test_CalInteropMan_Incorrect_V1 if { ]) } -test_CalInteropMan_Incorrect_V2 if { - # Test calendar interop management when there's only one event and it's wrong +test_CalendarAppointmentSlot_Incorrect_V2 if { + # Test Calendar Appointment Slot when there's only one event and it's wrong PolicyId := "GWS.CALENDAR.4.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ @@ -118,10 +149,9 @@ test_CalInteropMan_Incorrect_V2 if { "id": {"time": "2022-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] }] } @@ -135,11 +165,11 @@ test_CalInteropMan_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Calendar interop is enabled for Test Top-Level Domain" + RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." } -test_CalInteropMan_Incorrect_V3 if { - # Test calendar interop management when there are multiple events and the most recent is wrong +test_CalendarAppointmentSlot_Incorrect_V3 if { + # Test Calendar Appointment Slot when there are multiple events and the most recent is wrong PolicyId := "GWS.CALENDAR.4.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ 
@@ -147,10 +177,9 @@ test_CalInteropMan_Incorrect_V3 if { "id": {"time": "2022-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] }] }, @@ -158,10 +187,9 @@ test_CalInteropMan_Incorrect_V3 if { "id": {"time": "2021-12-20T00:02:28.672Z"}, "events": [{ "parameters": [ - {"name": "SETTING_NAME", "value": "ENABLE_EWS_INTEROP"}, + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "DOMAIN_NAME", "value": "Test Top-Level Domain"}, ] }] } 
@@ -175,29 +203,72 @@ test_CalInteropMan_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Calendar interop is enabled for Test Top-Level Domain" + RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." } -#-- -# -# GWS.CALENDAR.4.2v0.1 -#-- +test_CalendarAppointmentSlot_Incorrect_V4 if { + # Test Calendar Appointment Slot when there's only one event and it's wrong + PolicyId := "GWS.CALENDAR.4.1v0.1" + Output := tests with input as { + "calendar_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == "Requirement failed in Secondary OU." 
+} -test_OAuth_Correct_V1 if { - # Not-Implemented - PolicyId := "GWS.CALENDAR.4.2v0.1" +test_CalendarAppointmentSlot_Incorrect_V5 if { + # Test Calendar Appointment Slot when there are multiple events and the most recent is wrong + PolicyId := "GWS.CALENDAR.4.1v0.1" Output := tests with input as { "calendar_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, + ] + }] + }, + { + "id": {"time": "2021-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } ]}, "tenant_info": { "topLevelOU": "Test Top-Level OU" - } + }, } RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] count(RuleOutput) == 1 not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Currently not able to be tested automatically; please manually check." + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == "Requirement failed in Secondary OU." } #-- \ No newline at end of file diff --git a/Testing/RegoTests/calendar/calendar05_test.rego b/Testing/RegoTests/calendar/calendar05_test.rego deleted file mode 100644 index 6700b74f..00000000 --- a/Testing/RegoTests/calendar/calendar05_test.rego +++ /dev/null 
@@ -1,274 +0,0 @@ -package calendar -import future.keywords - -# -# GWS.CALENDAR.5.1v0.1 -#-- -test_CalendarAppointmentSlot_Correct_V1 if { - # Test Calendar Appointment Slot when there's only one event - PolicyId := "GWS.CALENDAR.5.1v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." -} - -test_CalendarAppointmentSlot_Correct_V2 if { - # Test Calendar Appointment Slot when there's multiple events and the most recent is correct - PolicyId := "GWS.CALENDAR.5.1v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in 
all OUs." -} - -test_CalendarAppointmentSlot_Correct_V3 if { - # Test Calendar Appointment Slot when there's correct events in multiple OUs - PolicyId := "GWS.CALENDAR.5.1v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-21T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." -} - -test_CalendarAppointmentSlot_Incorrect_V1 if { - # Test Calendar Appointment Slot when there are no relevant events - PolicyId := "GWS.CALENDAR.5.1v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Something else"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, Test Top-Level OU. 
", - "While we are unable to determine the state from the logs, the default setting ", - "is non-compliant; manual check recommended." - ]) -} - -test_CalendarAppointmentSlot_Incorrect_V2 if { - # Test Calendar Appointment Slot when there's only one event and it's wrong - PolicyId := "GWS.CALENDAR.5.1v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." -} - -test_CalendarAppointmentSlot_Incorrect_V3 if { - # Test Calendar Appointment Slot when there are multiple events and the most recent is wrong - PolicyId := "GWS.CALENDAR.5.1v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - }, - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not 
RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." -} - -test_CalendarAppointmentSlot_Incorrect_V4 if { - # Test Calendar Appointment Slot when there's only one event and it's wrong - PolicyId := "GWS.CALENDAR.5.1v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Secondary OU." -} - -test_CalendarAppointmentSlot_Incorrect_V5 if { - # Test Calendar Appointment Slot when there are multiple events and the most recent is wrong - PolicyId := "GWS.CALENDAR.5.1v0.1" - Output := tests with input as { - "calendar_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "CalendarAppointmentSlotAdminSettingsProto payments_enabled"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - }, - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not 
RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Secondary OU." -} -#-- \ No newline at end of file diff --git a/rego/Calendar.rego b/rego/Calendar.rego index f239af0f..8e36fa56 100644 --- a/rego/Calendar.rego +++ b/rego/Calendar.rego @@ -53,58 +53,9 @@ if { } #-- -################## -# GWS.CALENDAR.2 # -################## - # -# Baseline GWS.CALENDAR.2.1v0.1 +# Baseline GWS.CALENDAR.1.2v0.1 #-- -NonCompliantOUs2_1 contains OU if { - some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "ENABLE_EXTERNAL_GUEST_PROMPT", OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue == "false" -} - -tests contains { - "PolicyId": "GWS.CALENDAR.2.1v0.1", - "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "ENABLE_EXTERNAL_GUEST_PROMPT", utils.TopLevelOU) - count(Events) == 0 -} - -tests contains { - "PolicyId": "GWS.CALENDAR.2.1v0.1", - "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_1}, - "RequirementMet": Status, - "NoSuchEvent": false -} -if { - Events := utils.FilterEvents(LogEvents, "ENABLE_EXTERNAL_GUEST_PROMPT", utils.TopLevelOU) - count(Events) > 0 - Status := count(NonCompliantOUs2_1) == 0 -} -#-- - - -################## -# GWS.CALENDAR.3 # -################## - ExtSharingSecondaryCalSettingDetailsStr(LastEvent) := Description if { LastEvent.NewValue == "SHOW_ONLY_FREE_BUSY_INFORMATION" Description := concat("", [ 
@@ -140,11 +91,8 @@ ExtSharingSecondaryCalSettingDetailsStr(LastEvent) := Description if { ]) } -# -# Baseline GWS.CALENDAR.3.1v0.1 -#-- tests contains { - "PolicyId": "GWS.CALENDAR.3.1v0.1", + "PolicyId": "GWS.CALENDAR.1.2v0.1", "Criticality": "Shall", "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), "ActualValue": "No relevant event for the top-level OU in the current logs", @@ -158,7 +106,7 @@ if { } tests contains { - "PolicyId": "GWS.CALENDAR.3.1v0.1", + "PolicyId": "GWS.CALENDAR.1.2v0.1", "Criticality": "Shall", "ReportDetails": ExtSharingSecondaryCalSettingDetailsStr(LastEvent), "ActualValue": {LastEvent.Setting: LastEvent.NewValue}, 
@@ -175,7 +123,55 @@ if { ################## -# GWS.CALENDAR.4 # +# GWS.CALENDAR.2 # +################## + +# +# Baseline GWS.CALENDAR.2.1v0.1 +#-- +NonCompliantOUs2_1 contains OU if { + some OU in utils.OUsWithEvents + Events := utils.FilterEvents(LogEvents, "ENABLE_EXTERNAL_GUEST_PROMPT", OU) + # Ignore OUs without any events. We're already asserting that the + # top-level OU has at least one event; for all other OUs we assume + # they inherit from a parent OU if they have no events. + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue == "false" +} + +tests contains { + "PolicyId": "GWS.CALENDAR.2.1v0.1", + "Criticality": "Shall", + "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), + "ActualValue": "No relevant event for the top-level OU in the current logs", + "RequirementMet": DefaultSafe, + "NoSuchEvent": true +} +if { + DefaultSafe := false + Events := utils.FilterEvents(LogEvents, "ENABLE_EXTERNAL_GUEST_PROMPT", utils.TopLevelOU) + count(Events) == 0 +} + +tests contains { + "PolicyId": "GWS.CALENDAR.2.1v0.1", + "Criticality": "Shall", + "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_1}, + "RequirementMet": Status, + "NoSuchEvent": false +} +if { + Events := utils.FilterEvents(LogEvents, "ENABLE_EXTERNAL_GUEST_PROMPT", utils.TopLevelOU) + count(Events) > 0 + Status := count(NonCompliantOUs2_1) == 0 +} +#-- + + +################## +# GWS.CALENDAR.3 # ################## CalInteropManSettingDetailsStr(LastEvent) := Description if { 
@@ -195,10 +191,10 @@ CalInteropManSettingDetailsStr(LastEvent) := Description if { } # -# Baseline GWS.CALENDAR.4.1v0.1 +# Baseline GWS.CALENDAR.3.1v0.1 #-- tests contains { - "PolicyId": "GWS.CALENDAR.4.1v0.1", + "PolicyId": "GWS.CALENDAR.3.1v0.1", "Criticality": "Should", "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), "ActualValue": "No relevant event for the top-level OU in the current logs", @@ -212,7 +208,7 @@ if { } tests contains { - "PolicyId": "GWS.CALENDAR.4.1v0.1", + "PolicyId": "GWS.CALENDAR.3.1v0.1", "Criticality": "Should", "ReportDetails": CalInteropManSettingDetailsStr(LastEvent), "ActualValue": {LastEvent.Setting: LastEvent.NewValue}, @@ -229,10 +225,10 @@ if { # -# Baseline GWS.CALENDAR.4.2v0.1 +# Baseline GWS.CALENDAR.3.2v0.1 #-- tests contains { - "PolicyId": "GWS.CALENDAR.4.2v0.1", + "PolicyId": "GWS.CALENDAR.3.2v0.1", "Criticality": "Shall/Not-Implemented", "ReportDetails": "Currently not able to be tested automatically; please manually check.", "ActualValue": "", @@ -241,12 +237,12 @@ tests contains { } #-- + ################## -# GWS.CALENDAR.5 # +# GWS.CALENDAR.4 # ################## - -NonCompliantOUs5_1 contains OU if { +NonCompliantOUs4_1 contains OU if { some OU in utils.OUsWithEvents Events := utils.FilterEvents(LogEvents, "CalendarAppointmentSlotAdminSettingsProto payments_enabled", OU) # Ignore OUs without any events. We're already asserting that the @@ -258,10 +254,10 @@ NonCompliantOUs5_1 contains OU if { } # -# Baseline GWS.CALENDAR.5.1v0.1 +# Baseline GWS.CALENDAR.4.1v0.1 #-- tests contains { - "PolicyId": "GWS.CALENDAR.5.1v0.1", + "PolicyId": "GWS.CALENDAR.4.1v0.1", "Criticality": "Shall", "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), "ActualValue": "No relevant event for the top-level OU in the current logs.", 
@@ -276,10 +272,10 @@ if { } tests contains { - "PolicyId": "GWS.CALENDAR.5.1v0.1", + "PolicyId": "GWS.CALENDAR.4.1v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs5_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs5_1}, + "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs4_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs4_1}, "RequirementMet": Status, "NoSuchEvent": false } @@ -287,6 +283,6 @@ if { SettingName := "CalendarAppointmentSlotAdminSettingsProto payments_enabled" Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs5_1) == 0 + Status := count(NonCompliantOUs4_1) == 0 } #-- \ No newline at end of file From bc8bba207b0ab6c03373e509fdf13b54ac83589f Mon Sep 17 00:00:00 2001 From: Alden Hilton <106177711+adhilto@users.noreply.github.com> Date: Tue, 16 Jan 2024 10:56:49 -0800 Subject: [PATCH 11/13] Update calendar sharing group description --- ...alendar Minimum Viable Secure Configuration Baseline v0.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md index ff7cc0b1..11e85085 100644 --- a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md @@ -32,7 +32,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S ## 1. External Sharing Options -This section determines what information is shared from primary calendars with external entities. +This section determines what information is shared from calendars with external entities. ### Policies From 9ddd5e4993dde14f55ac12fab269f4eece5d9eac Mon Sep 17 00:00:00 2001 
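Review bot: in hunk @@ -53,58 +53,9 @@ the new `# Baseline GWS.CALENDAR.1.2v0.1` / `#--` header now sits above the helper `ExtSharingSecondaryCalSettingDetailsStr`, and hunk @@ -140,11 +91,8 @@ deletes the header that used to sit directly above the `tests contains` rules, so the helper ends up enclosed in the baseline's `#--` ... `#--` block. Every other policy in this file keeps the helper outside the block and the header immediately before the first `tests contains` (see `CalInteropManSettingDetailsStr` followed by `# Baseline GWS.CALENDAR.3.1v0.1` in hunk @@ -195,10 +191,10 @@). Suggest keeping that layout: leave the helper where it is and put `#`, `# Baseline GWS.CALENDAR.1.2v0.1`, `#--` right before the `tests contains {` whose `"PolicyId"` is `"GWS.CALENDAR.1.2v0.1"`.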
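Review bot: hunk @@ -175,7 +123,55 @@ re-adds the whole GWS.CALENDAR.2 block that hunk @@ -53,58 +53,9 @@ removed, byte for byte including `NonCompliantOUs2_1` and its comments, so a change that is really "move one block, renumber the rest" reads as a large delete plus a large insert. Splitting this into one commit that moves the block and one that renames policy IDs would let the renumbering be reviewed as a set of one-line `PolicyId` changes.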
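Review bot: hunks @@ -195,10 +191,10 @@ through @@ -229,10 +225,10 @@ reuse existing identifiers with a new meaning: `"GWS.CALENDAR.3.1v0.1"` previously labelled the secondary calendar sharing check (`ExtSharingSecondaryCalSettingDetailsStr`) and now labels the Calendar Interop check (`CalInteropManSettingDetailsStr`), while the `v0.1` suffix is unchanged. Any stored report or downstream tooling keyed on PolicyId will silently see a different control under the same ID. Suggest a changelog entry that lists the old-to-new mapping visible in these hunks (3.1 -> 1.2, 4.1 -> 3.1, 4.2 -> 3.2, 5.1 -> 4.1), or a version bump, so consumers can tell renumbered IDs from the old ones.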
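Review bot: hunks @@ -241,12 +237,12 @@, @@ -276,10 +272,10 @@ and @@ -287,6 +283,6 @@ rename `NonCompliantOUs5_1` to `NonCompliantOUs4_1` in Calendar.rego only; the test file whose tail appears at the top of this patch asserts on `RuleOutput[0].ReportDetails`, so any test or other module that still refers to `NonCompliantOUs5_1` or to the old PolicyIds needs the same rename (a grep for `NonCompliantOUs5_1` and `GWS.CALENDAR.5.1` before merging would confirm). The first of these hunks also moves a blank line from after the `# GWS.CALENDAR.4 #` banner to before it, so this banner is now followed directly by the rule while the `# GWS.CALENDAR.3 #` banner in hunk @@ -175,7 +123,55 @@ keeps a blank line after it; suggest dropping the whitespace change or applying it consistently.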
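Review bot: the wording change in hunk @@ -32,7 +32,7 @@ ("from calendars" instead of "from primary calendars") fits now that section 1 holds the secondary calendar policy as well, but the heading `## 1. External Sharing Options` and this sentence no longer match the table-of-contents entry, which still reads `External Sharing Options for Primary Calendars`. Suggest updating the TOC label in the same change so heading, TOC and description agree.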
From: jkaufman-mitre Date: Wed, 17 Jan 2024 11:37:01 -0500 Subject: [PATCH 12/13] Fixed TOC --- ...ndar Minimum Viable Secure Configuration Baseline v0.1.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md index ff7cc0b1..e984d020 100644 --- a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md @@ -12,9 +12,8 @@ This baseline is based on Google documentation available at [Google Workspace Ad - [External Sharing Options for Primary Calendars](#1-external-sharing-options-for-primary-calendars) - [External Invitations Warnings](#2-external-invitations-warnings) -- [External Sharing Options for Secondary Calendars](#3-external-sharing-options-for-secondary-calendars) -- [Calendar Interop Management](#4-calendar-interop-management) -- [Paid Appointments](#5-paid-appointments) +- [Calendar Interop Management](#3-calendar-interop-management) +- [Paid Appointments](#4-paid-appointments) Settings can be assigned to certain users within Google Workspace through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes. From fd477085351e5dbe9a2b979446eb4d4622303486 Mon Sep 17 00:00:00 2001 From: Alden Hilton <106177711+adhilto@users.noreply.github.com> Date: Wed, 17 Jan 2024 12:47:49 -0800 Subject: [PATCH 13/13] Correct the TOC link for group #1 --- ...alendar Minimum Viable Secure Configuration Baseline v0.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
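Review bot: hunk @@ -12,9 +12,8 @@ drops the secondary-calendar TOC entry and renumbers the remaining ones but leaves the first entry as `[External Sharing Options for Primary Calendars](#1-external-sharing-options-for-primary-calendars)`, whose anchor does not match the `## 1. External Sharing Options` heading from patch 11; the following patch repairs the anchor but not the label. Also note the pre-image blob of this hunk is `ff7cc0b1`, the same pre-image as patch 11 rather than its post-image `11e85085`, and patch 13's pre-image `fd603ae0` matches neither, so the series does not record a linear history of this file; worth confirming that the combined result of patches 11 to 13 yields the intended TOC before merging.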
diff --git a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md index fd603ae0..17793a27 100644 --- a/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Calendar Minimum Viable Secure Configuration Baseline v0.1.md @@ -10,7 +10,7 @@ The information in this document is being provided "as is" for INFORMATIONAL PUR This baseline is based on Google documentation available at [Google Workspace Admin Help: Set Calendar sharing options](https://support.google.com/a/answer/60765?hl=en#zippy=%2Cset-a-default-for-internal-sharing%2Callow-or-restrict-external-sharing) and addresses the following: -- [External Sharing Options for Primary Calendars](#1-external-sharing-options-for-primary-calendars) +- [External Sharing Options for Primary Calendars](#1-external-sharing-options) - [External Invitations Warnings](#2-external-invitations-warnings) - [Calendar Interop Management](#3-calendar-interop-management) - [Paid Appointments](#4-paid-appointments)
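Review bot: hunk @@ -10,7 +10,7 @@ fixes the anchor to `#1-external-sharing-options`, matching the `## 1. External Sharing Options` heading introduced in patch 11, but the link text still says `External Sharing Options for Primary Calendars` even though the section now also covers secondary calendars (policy GWS.CALENDAR.1.2v0.1). Suggest `- [External Sharing Options](#1-external-sharing-options)` so the label matches the heading it points to.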