From 1b92a5aac11adc704ff966120ac35d8c5a04d079 Mon Sep 17 00:00:00 2001 From: Mitchel Baker Date: Wed, 16 Oct 2024 22:40:06 +0000 Subject: [PATCH 1/6] write logic for noncompliant OUs and initial rule sets for common controls 16.2 --- rego/Commoncontrols.rego | 92 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 87 insertions(+), 5 deletions(-) diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego index b00b4cfb..7ff61d9f 100644 --- a/rego/Commoncontrols.rego +++ b/rego/Commoncontrols.rego @@ -74,6 +74,7 @@ if { ToggleServiceEvents contains { "Timestamp": time.parse_rfc3339_ns(Item.id.time), "TimestampStr": Item.id.time, + "ServiceName": ServiceName, "NewValue": NewValue, "OrgUnit": OrgUnit, "Group": Group @@ -91,7 +92,7 @@ if { OrgUnit := utils.GetEventOu(Event) Group := utils.GetEventGroup(Event) - ServiceName == "DISABLE_UNLISTED_SERVICES" + #ServiceName == "DISABLE_UNLISTED_SERVICES" } LogEvents := utils.GetEvents("commoncontrols_logs") @@ -1799,8 +1800,13 @@ NonCompliantOUs16_1 contains { "Value": "Access to additional services without individual control is turned on" } if { some OU in utils.OUsWithEvents - # Note that this setting requires the custom ToggleServiceEvents rule - Events := {Event | some Event in ToggleServiceEvents; Event.OrgUnit == OU} + # Note that this setting requires the custom ToggleServiceEvents rule. + # Filter based on the service name of the event, otherwise all events are returned. + Events := { + Event | some Event in ToggleServiceEvents; + Event.OrgUnit == OU; + Event.ServiceName == "DISABLE_UNLISTED_SERVICES" + } # Ignore OUs without any events. We're already asserting that the # top-level OU has at least one event; for all other OUs we assume # they inherit from a parent OU if they have no events. 
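Review bot: Commenting out `ServiceName == "DISABLE_UNLISTED_SERVICES"` in the second hunk widens ToggleServiceEvents from one service to every TOGGLE_SERVICE_ENABLED event, so the set's meaning changes for every consumer, not only the 16.1 rule that this commit re-filters. Any other rule that reads ToggleServiceEvents and sits outside these hunks would now silently count toggles of unrelated services; the ToggleServiceEvents rule body itself starts before this hunk, so that list is not visible here. A one-line comment on the rule stating the new contract would prevent that mistake, e.g. `# Contains toggle events for ALL services; consumers must filter on ServiceName.`. Leaving the old condition as a comment rather than deleting it also reads as dead code.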
@@ -1819,7 +1825,12 @@ tests contains {
 }
 if {
 DefaultSafe := false
- Events := {Event | some Event in ToggleServiceEvents; Event.OrgUnit == utils.TopLevelOU}
+ # Filter based on the service name of the event, otherwise all events are returned.
+ Events := {
+ Event | some Event in ToggleServiceEvents;
+ Event.OrgUnit == utils.TopLevelOU;
+ Event.ServiceName == "DISABLE_UNLISTED_SERVICES"
+ }
 count(Events) == 0
 }
 
@@ -1832,12 +1843,83 @@ tests contains { "NoSuchEvent": false } if { - Events := {Event | some Event in ToggleServiceEvents; Event.OrgUnit == utils.TopLevelOU} + # Filter based on the service name of the event, otherwise all events are returned. + Events := { + Event | some Event in ToggleServiceEvents; + Event.OrgUnit == utils.TopLevelOU; + Event.ServiceName == "DISABLE_UNLISTED_SERVICES" + } count(Events) > 0 Status := count(NonCompliantOUs16_1) == 0 } #-- +# +# Baseline GWS.COMMONCONTROLS.16.2v0.3 +#-- + +NonCompliantOUs16_2 contains { + "Name": OU, + "Value": "User access to Early Access Apps is turned on" +} if { + some OU in utils.OUsWithEvents + # Note that this setting requires the custom ToggleServiceEvents rule. + # Filter based on the service name of the event, otherwise all events are returned. + Events := { + Event | some Event in ToggleServiceEvents; + Event.OrgUnit == OU; + Event.ServiceName == "Early Access Apps" + } + # Ignore OUs without any events. We're already asserting that the + # top-level OU has at least one event; for all other OUs we assume + # they inherit from a parent OU if they have no events. + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + # For the Early Access Apps service: + # If service status is set to "ON for everyone", then "NewValue" == true (non-compliant state) + # else, "NewValue" == false (compliant state) + LastEvent.NewValue == "true" +} + +tests contains { + "PolicyId": "GWS.COMMONCONTROLS.16.2v0.3", + "Criticality": "Should", + "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), + "ActualValue": "No relevant event for the top-level OU in the current logs", + "RequirementMet": DefaultSafe, + "NoSuchEvent": true +} +if { + DefaultSafe := false + # Filter based on the service name of the event, otherwise all events are returned. 
+ Events := { + Event | some Event in ToggleServiceEvents; + Event.OrgUnit == utils.TopLevelOU; + Event.ServiceName == "Early Access Apps" + } + count(Events) == 0 +} + +tests contains { + "PolicyId": "GWS.COMMONCONTROLS.16.2v0.3", + "Criticality": "Should", + "ReportDetails": utils.ReportDetails(NonCompliantOUs16_2, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs16_2}, + "RequirementMet": Status, + "NoSuchEvent": false +} if { + # Filter based on the service name of the event, otherwise all events are returned. + Events := { + Event | some Event in ToggleServiceEvents; + Event.OrgUnit == utils.TopLevelOU; + Event.ServiceName == "Early Access Apps" + } + print(Events) + count(Events) > 0 + Status := count(NonCompliantOUs16_2) == 0 +} +#-- + # # Baseline GWS.COMMONCONTROLS.17.1v0.3 #-- From d173907a841b6b166b64a15da2ac1187af8d9df7 Mon Sep 17 00:00:00 2001 From: Mitchel Baker Date: Wed, 16 Oct 2024 23:12:07 +0000 Subject: [PATCH 2/6] add non-compliant groups, make required changes in rule sets to accommodate change --- rego/Commoncontrols.rego | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego index 7ff61d9f..ff3b850e 100644 --- a/rego/Commoncontrols.rego +++ b/rego/Commoncontrols.rego @@ -91,8 +91,6 @@ if { NewValue := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "NEW_VALUE"][0] OrgUnit := utils.GetEventOu(Event) Group := utils.GetEventGroup(Event) - - #ServiceName == "DISABLE_UNLISTED_SERVICES" } LogEvents := utils.GetEvents("commoncontrols_logs") @@ -1860,7 +1858,7 @@ if { NonCompliantOUs16_2 contains { "Name": OU, - "Value": "User access to Early Access Apps is turned on" + "Value": "Service status is ON" } if { some OU in utils.OUsWithEvents # Note that this setting requires the custom ToggleServiceEvents rule. 
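Review bot: The comment above `LastEvent.NewValue == "true"` in NonCompliantOUs16_2 states `"NewValue" == true`, but the code compares against the string "true" (NewValue is taken from the NEW_VALUE log parameter as a string), so the comment and the check disagree; suggest `# NEW_VALUE is the string "true" when the service is ON for everyone, "false" when OFF`. The `print(Events)` left in the RequirementMet rule is a debug statement and should not ship. The service is selected by the literal `"Early Access Apps"`, whereas 16.1 matches the identifier-style `DISABLE_UNLISTED_SERVICES`; if the SERVICE_NAME parameter here is a display name it may change with the product name, so a comment recording where that value was observed would help the next maintainer. The same three-line Events comprehension is repeated in all three new rules (and the 16.1 rules in the earlier hunks), which is worth a shared helper rule.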
@@ -1881,6 +1879,23 @@ NonCompliantOUs16_2 contains { LastEvent.NewValue == "true" } +NonCompliantGroups16_2 contains { + "Name": Group, + "Value": "Service status is ON" +} if { + some Group in utils.GroupsWithEvents + # Note that this setting requires the custom ToggleServiceEvents rule. + Events := { + Event | some Event in ToggleServiceEvents; + Event.Group == Group; + Event.ServiceName == "Early Access Apps" + } + # Ignore groups without any events. + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue == "true" +} + tests contains { "PolicyId": "GWS.COMMONCONTROLS.16.2v0.3", "Criticality": "Should", @@ -1903,20 +1918,16 @@ if { tests contains { "PolicyId": "GWS.COMMONCONTROLS.16.2v0.3", "Criticality": "Should", - "ReportDetails": utils.ReportDetails(NonCompliantOUs16_2, []), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs16_2}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs16_2, NonCompliantGroups16_2), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs16_2, "NonCompliantGroups": NonCompliantGroups16_2}, "RequirementMet": Status, "NoSuchEvent": false } if { - # Filter based on the service name of the event, otherwise all events are returned. - Events := { - Event | some Event in ToggleServiceEvents; - Event.OrgUnit == utils.TopLevelOU; - Event.ServiceName == "Early Access Apps" + Conditions := { + count(NonCompliantOUs16_2) == 0, + count(NonCompliantGroups16_2) == 0 } - print(Events) - count(Events) > 0 - Status := count(NonCompliantOUs16_2) == 0 + Status := (false in Conditions) == false } #-- From f59928b8b5c3f5b1ddfd94a965b32cb2a0b03323 Mon Sep 17 00:00:00 2001 From: Mitchel Baker Date: Thu, 17 Oct 2024 00:44:14 +0000 Subject: [PATCH 3/6] add unit tests to check correct/incorrect OU/Group settings --- .../commoncontrols/commoncontrols16_test.rego | 315 +++++++++++++++++- 1 file changed, 314 insertions(+), 1 deletion(-) 
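Review bot: `"Value": "Service status is ON"` in the new NonCompliantGroups16_2 rule (and the same change to NonCompliantOUs16_2 in the preceding hunk) no longer names which service is on, so the rendered report line reads "Test Group 1: Service status is ON" with no indication that it refers to Early Access Apps, unlike 16.1's descriptive value text. Suggest `"Value": "Early Access Apps service status is ON"` in both rules; the expected strings in the unit tests added later in this series would need the same text. The group rule also drops the OU filter entirely and keys on `Event.Group == Group`, which is presumably intended since group events carry no ORG_UNIT_NAME, but a short comment saying so would make that deliberate. The enclosing ToggleServiceEvents rule that supplies `Event.Group` is outside this hunk.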
diff --git a/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego index 88daf16d..a4ffccea 100644 --- a/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego +++ b/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego 
@@ -128,4 +128,317 @@ test_Unlisted_Incorrect_V2 if { "is non-compliant; manual check recommended." ]) } -#-- \ No newline at end of file +#-- + +# +# GWS.COMMONCONTROLS.16.2v0.3 +#-- + +test_EarlyAccessApps_OUs_Correct_V1 if { + # Test 1 correct event + PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" + Output := tests with input as { + "commoncontrols_logs": {"items": [ + { + "id": {"time": "2024-10-15T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." +} + +test_EarlyAccessApps_OUs_Correct_V2 if { + # Test inheritance + PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" + Output := tests with input as { + "commoncontrols_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "INHERIT_FROM_PARENT"}, + {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + 
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." +} + +test_EarlyAccessApps_OUs_Incorrect_V1 if { + # Test 1 incorrect event + PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" + Output := tests with input as { + "commoncontrols_logs": {"items": [ + { + "id": {"time": "2024-05-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following OUs are non-compliant:
    ", + "
  • Test Top-Level OU: Service status is ON
  • ", + "
" + ]) +} + +test_EarlyAccessApps_OUs_Incorrect_V2 if { + # Test incorrect second-level OU + PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" + Output := tests with input as { + "commoncontrols_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following OUs are non-compliant:
    ", + "
  • Test Second-Level OU: Service status is ON
  • ", + "
" + ]) +} + +test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V3 if { + # Test for correct OUs but with an incorrect group event + PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" + Output := tests with input as { + "commoncontrols_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "GROUP_EMAIL", "value": "Test Group 1"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following groups are non-compliant:
    ", + "
  • Test Group 1: Service status is ON
  • ", + "
" + ]) +} + +test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V3 if { + # Test for correct OUs but with incorrect group events + PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" + Output := tests with input as { + "commoncontrols_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "GROUP_EMAIL", "value": "Test Group 1"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "GROUP_EMAIL", "value": "Test Group 2"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following groups are non-compliant:
    ", + "
  • Test Group 1: Service status is ON
  • ", + "
  • Test Group 2: Service status is ON
  • ", + "
" + ]) +} + +test_EarlyAccessApps_OUs_Groups_Incorrect_V3 if { + # Test for both incorrect OUs and group events + PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" + Output := tests with input as { + "commoncontrols_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "GROUP_EMAIL", "value": "Test Group 1"}, + ] + }] + }, + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "name": "TOGGLE_SERVICE_ENABLED", + "parameters": [ + {"name": "SERVICE_NAME", "value": "Early Access Apps"}, + {"name": "NEW_VALUE", "value": "true"}, + {"name": "GROUP_EMAIL", "value": "Test Group 2"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following OUs are non-compliant:
    ", + "
  • Test Top-Level OU: Service status is ON
  • ", + #"
  • Test Second-Level OU: Service status is ON
  • ", + "

", + "The following groups are non-compliant:
    ", + "
  • Test Group 1: Service status is ON
  • ", + "
  • Test Group 2: Service status is ON
  • ", + "
" + ]) +} +#-- + +#"The following OUs are non-compliant:
  • DHS-CISA: Service status is ON

The following groups are non-compliant:
  • Test Google Services: Service status is ON
  • Test Group: Service status is ON
" \ No newline at end of file From dd781625e753fb87418e87cda4f62d8e0ee15394 Mon Sep 17 00:00:00 2001 From: Mitchel Baker Date: Thu, 17 Oct 2024 00:52:08 +0000 Subject: [PATCH 4/6] fix linter --- .../commoncontrols/commoncontrols16_test.rego | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego index a4ffccea..74c6493a 100644 --- a/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego +++ b/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego @@ -280,7 +280,7 @@ test_EarlyAccessApps_OUs_Incorrect_V2 if { ]) } -test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V3 if { +test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if { # Test for correct OUs but with an incorrect group event PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" Output := tests with input as { @@ -324,7 +324,7 @@ test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V3 if { ]) } -test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V3 if { +test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if { # Test for correct OUs but with incorrect group events PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" Output := tests with input as { @@ -380,7 +380,7 @@ test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V3 if { ]) } -test_EarlyAccessApps_OUs_Groups_Incorrect_V3 if { +test_EarlyAccessApps_OUs_Groups_Incorrect_V1 if { # Test for both incorrect OUs and group events PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" Output := tests with input as { @@ -431,7 +431,6 @@ test_EarlyAccessApps_OUs_Groups_Incorrect_V3 if { RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:
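Review bot: No test in this hunk exercises the no-event path or the new ServiceName filter: every fixture carries only `Early Access Apps` events, so a regression that dropped the `Event.ServiceName` condition in the rules, or produced a second result when no matching event exists, would pass all of these tests. A fixture whose only toggle event belongs to another service should yield exactly one result with `NoSuchEvent` true and `RequirementMet` false; with the rules as they stand at this commit the RequirementMet rule has no event guard, so I would expect this test to surface two results, which is precisely the gap it is meant to catch. Test V2 also gives the parent and child events identical timestamps, so it does not demonstrate that GetLastEvent picks the later event; one fixture with an earlier "true" followed by a later "false" for the same OU would cover ordering.
```rego
test_EarlyAccessApps_OtherService_Ignored_V1 if {
    # A toggle event for a different service must not count as an Early Access Apps event
    PolicyId := "GWS.COMMONCONTROLS.16.2v0.3"
    Output := tests with input as {
        "commoncontrols_logs": {"items": [
            {
                "id": {"time": "2024-10-15T00:02:28.672Z"},
                "events": [{
                    "name": "TOGGLE_SERVICE_ENABLED",
                    "parameters": [
                        {"name": "SERVICE_NAME", "value": "DISABLE_UNLISTED_SERVICES"},
                        {"name": "NEW_VALUE", "value": "true"},
                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                    ]
                }]
            }
        ]},
        "tenant_info": {
            "topLevelOU": "Test Top-Level OU"
        }
    }

    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
    count(RuleOutput) == 1
    not RuleOutput[0].RequirementMet
    RuleOutput[0].NoSuchEvent
}
```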
    ", "
  • Test Top-Level OU: Service status is ON
  • ", - #"
  • Test Second-Level OU: Service status is ON
  • ", "

", "The following groups are non-compliant:
    ", "
  • Test Group 1: Service status is ON
  • ", @@ -439,6 +438,4 @@ test_EarlyAccessApps_OUs_Groups_Incorrect_V3 if { "
" ]) } -#-- - -#"The following OUs are non-compliant:
  • DHS-CISA: Service status is ON

The following groups are non-compliant:
  • Test Google Services: Service status is ON
  • Test Group: Service status is ON
" \ No newline at end of file +#-- \ No newline at end of file From fa68247c3c9d6ff541c6f53cd281de3dc895855f Mon Sep 17 00:00:00 2001 From: Mitchel Baker Date: Thu, 17 Oct 2024 00:58:03 +0000 Subject: [PATCH 5/6] cleanup comments --- .../RegoTests/commoncontrols/commoncontrols16_test.rego | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego index 74c6493a..6e015a3e 100644 --- a/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego +++ b/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego @@ -164,7 +164,7 @@ test_EarlyAccessApps_OUs_Correct_V1 if { } test_EarlyAccessApps_OUs_Correct_V2 if { - # Test inheritance + # Test inheritance with root and sub OUs PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" Output := tests with input as { "commoncontrols_logs": {"items": [ @@ -204,7 +204,7 @@ test_EarlyAccessApps_OUs_Correct_V2 if { } test_EarlyAccessApps_OUs_Incorrect_V1 if { - # Test 1 incorrect event + # Test incorrect root OU PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" Output := tests with input as { "commoncontrols_logs": {"items": [ @@ -281,7 +281,7 @@ test_EarlyAccessApps_OUs_Incorrect_V2 if { } test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if { - # Test for correct OUs but with an incorrect group event + # Test for correct root OU but with an incorrect group event PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" Output := tests with input as { "commoncontrols_logs": {"items": [ @@ -325,7 +325,7 @@ test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if { } test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if { - # Test for correct OUs but with incorrect group events + # Test for correct root OU but with incorrect group events PolicyId := "GWS.COMMONCONTROLS.16.2v0.3" Output := tests with input as { "commoncontrols_logs": {"items": [ From 06048259cfa0c8d8cd8aa440753bc5aecbb7ac9d Mon Sep 17 00:00:00 2001 
From: Mitchel Baker Date: Thu, 24 Oct 2024 03:14:24 +0000 Subject: [PATCH 6/6] add count(Events) > 0 condition to ensure correct execution of rulesets
---
 rego/Commoncontrols.rego | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego
index ff3b850e..2bf5b64b 100644
--- a/rego/Commoncontrols.rego
+++ b/rego/Commoncontrols.rego
@@ -1923,6 +1923,14 @@ tests contains {
 "RequirementMet": Status,
 "NoSuchEvent": false
 } if {
+ # This rule should execute only when log events exist
+ Events := {
+ Event | some Event in ToggleServiceEvents;
+ Event.OrgUnit == utils.TopLevelOU;
+ Event.ServiceName == "Early Access Apps"
+ }
+ count(Events) > 0
+
 Conditions := {
 count(NonCompliantOUs16_2) == 0,
 count(NonCompliantGroups16_2) == 0
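Review bot: The added Events comprehension is byte-identical to the one in the 16.2 NoSuchEvent rule a few lines above, and the two rules are meant to be mutually exclusive (`count(Events) == 0` versus `count(Events) > 0`); keeping the filter in two places invites them to drift apart, which is exactly the double-result bug this patch is fixing. A shared set rule scoped to the top-level OU lets both rules test the same set, as sketched below, with the existing rule bodies reduced to `count(TopLevelEarlyAccessAppsEvents) == 0` and `count(TopLevelEarlyAccessAppsEvents) > 0`. The comment `# This rule should execute only when log events exist` would read more precisely as `# Only evaluate when the top-level OU has an Early Access Apps toggle event; the NoSuchEvent rule covers the other case.`. Note that group findings are only reported when the top-level OU has such an event, which appears to follow the repository's existing convention but is worth stating in the comment.
```rego
# Early Access Apps toggle events recorded against the top-level OU.
# Shared by the 16.2 NoSuchEvent and RequirementMet rules so both test the same set.
TopLevelEarlyAccessAppsEvents contains Event if {
    some Event in ToggleServiceEvents
    Event.OrgUnit == utils.TopLevelOU
    Event.ServiceName == "Early Access Apps"
}

# … unchanged: tests contains { "PolicyId": "GWS.COMMONCONTROLS.16.2v0.3", … } if { …
    count(TopLevelEarlyAccessAppsEvents) > 0
# … unchanged: Conditions / Status …
```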