From deef6411060a1d9523ed8cb3252509a4570ccccf Mon Sep 17 00:00:00 2001 From: Roy Lane Date: Thu, 5 Dec 2024 14:27:58 -0500 Subject: [PATCH 1/4] commoncontrols: implement 1.1 - 1.3 & 16.2 --- .../commoncontrols/commoncontrols16_test.rego | 124 +++------- .../commoncontrols_api01_test.rego | 151 ++++++++++++ .../commoncontrols_api04_test.rego | 4 +- .../commoncontrols_api16_test.rego | 66 ++++++ scubagoggles/baselines/commoncontrols.md | 8 +- scubagoggles/rego/Commoncontrols.rego | 223 ++++++++++++++---- scubagoggles/rego/Utils.rego | 17 ++ 7 files changed, 449 insertions(+), 144 deletions(-) create mode 100644 scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api01_test.rego create mode 100644 scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api16_test.rego diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego index f251cf5c..9279c075 100644 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego +++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego @@ -1,5 +1,11 @@ package commoncontrols + import future.keywords +import data.utils.FailTestBothNonCompliant +import data.utils.FailTestGroupNonCompliant +import data.utils.FailTestNoEvent +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult # # GWS.COMMONCONTROLS.16.1 @@ -27,11 +33,7 @@ test_Unlisted_Correct_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_Unlisted_Correct_V2 if { 
@@ -67,11 +69,7 @@ test_Unlisted_Correct_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_Unlisted_Incorrect_V1 if { @@ -95,15 +93,9 @@ test_Unlisted_Incorrect_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:" - ]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage16_1}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_Unlisted_Incorrect_V2 if { @@ -118,15 +110,7 @@ test_Unlisted_Incorrect_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, Test Top-Level OU. While we are unable ", - "to determine the state from the logs, the default setting ", - "is non-compliant; manual check recommended." - ]) + FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) } #-- @@ -156,11 +140,7 @@ test_EarlyAccessApps_OUs_Correct_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_EarlyAccessApps_OUs_Correct_V2 if { 
@@ -196,11 +176,7 @@ test_EarlyAccessApps_OUs_Correct_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_EarlyAccessApps_OUs_Incorrect_V1 if { @@ -225,15 +201,9 @@ test_EarlyAccessApps_OUs_Incorrect_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:" - ]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage16_2}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_EarlyAccessApps_OUs_Incorrect_V2 if { @@ -269,15 +239,9 @@ test_EarlyAccessApps_OUs_Incorrect_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:" - ]) + failedOU := [{"Name": "Test Second-Level OU", + "Value": NonComplianceMessage16_2}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if { @@ -313,15 +277,9 @@ test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following groups are non-compliant:" - ]) + failedGroup := [{"Name": "Test Group 1", + "Value": NonComplianceMessage16_2}] + FailTestGroupNonCompliant(PolicyId, Output, failedGroup) } test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if { 
@@ -368,16 +326,11 @@ test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following groups are non-compliant:" - ]) + failedGroup := [{"Name": "Test Group 1", + "Value": NonComplianceMessage16_2}, + {"Name": "Test Group 2", + "Value": NonComplianceMessage16_2}] + FailTestGroupNonCompliant(PolicyId, Output, failedGroup) } test_EarlyAccessApps_OUs_Groups_Incorrect_V1 if { @@ -424,18 +377,13 @@ test_EarlyAccessApps_OUs_Groups_Incorrect_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
", - "The following groups are non-compliant:" - ]) + + failedGroup := [{"Name": "Test Group 1", + "Value": NonComplianceMessage16_2}, + {"Name": "Test Group 2", + "Value": NonComplianceMessage16_2}] + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage16_2}] + FailTestBothNonCompliant(PolicyId, Output, failedOU, failedGroup) } #-- diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api01_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api01_test.rego new file mode 100644 index 00000000..245c0be5 --- /dev/null +++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api01_test.rego 
@@ -0,0 +1,151 @@ +package commoncontrols + +import future.keywords +import data.utils +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult + +GoodCaseInputApi01 := { + "policies": { + "topOU": { + "security_two_step_verification_device_trust": { + "allowTrustingDevice": false + }, + "security_two_step_verification_enforcement": { + "enforcedFrom": "2024-02-16T23:22:21.732Z" + }, + "security_two_step_verification_enforcement_factor": { + "allowedSignInFactorSet": "PASSKEY_ONLY" + }, + "security_two_step_verification_enrollment": { + "allowEnrollment": true + }, + "security_two_step_verification_grace_period": { + "enrollmentGracePeriod": "168h"} + }, + "nextOU": { + "security_two_step_verification_grace_period": { + "enrollmentGracePeriod": "604800s"} + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +BadCaseInputApi01 := { + "policies": { + "topOU": { + "security_two_step_verification_device_trust": { + "allowTrustingDevice": true + }, + "security_two_step_verification_enforcement": { + "enforcedFrom": "2025-02-16T23:22:21.732Z" + }, + "security_two_step_verification_enforcement_factor": { + "allowedSignInFactorSet": "ALL" + }, + "security_two_step_verification_enrollment": { + "allowEnrollment": false + }, + "security_two_step_verification_grace_period": { + "enrollmentGracePeriod": "0s"} + }, + "nextOU": { + "security_two_step_verification_enforcement": { + "enforcedFrom": "2028-02-16T23:22:21.732Z" + }, + "security_two_step_verification_enforcement_factor": { + "allowedSignInFactorSet": "ALL" + }, + "security_two_step_verification_enrollment": { + "allowEnrollment": true + } + }, + "thirdOU": { + "security_two_step_verification_enforcement": { + "enforcedFrom": "2035-02-16T23:22:21.732Z" + }, + "security_two_step_verification_enforcement_factor": { + "allowedSignInFactorSet": "PASSKEY_ONLY" + }, + "security_two_step_verification_enrollment": { + "allowEnrollment": true + } + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } 
+} + +BadCaseInputApi01a := { + "policies": { + "topOU": { + "security_login_challenges": { + "enableEmployeeIdChallenge": true + } + }, + "nextOU": { + "security_login_challenges": { + "enableEmployeeIdChallenge": false + } + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +test_2SV_Correct_1 if { + PolicyId := CommonControlsId1_1 + Output := tests with input as GoodCaseInputApi01 + + PassTestResult(PolicyId, Output) +} + +test_2SV_Incorrect_1 if { + PolicyId := CommonControlsId1_1 + Output := tests with input as BadCaseInputApi01 + + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage1_1b(GetFriendlyMethods("ALL"))}, + {"Name": "thirdOU", + "Value": NonComplianceMessage1_1c}, + {"Name": "topOU", + "Value": NonComplianceMessage1_1a}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} + +test_EnrollPeriod_Correct_1 if { + PolicyId := CommonControlsId1_2 + Output := tests with input as GoodCaseInputApi01 + + PassTestResult(PolicyId, Output) +} + +test_EnrollPeriod_Incorrect_1 if { + PolicyId := CommonControlsId1_2 + Output := tests with input as BadCaseInputApi01 + + failedOU := [{"Name": "topOU", + "Value": NonComplianceMessage1_2(0, + utils.DurationToSeconds("7d"))}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} + +test_DeviceTrust_Correct_1 if { + PolicyId := CommonControlsId1_3 + Output := tests with input as GoodCaseInputApi01 + + PassTestResult(PolicyId, Output) +} + +test_DeviceTrust_Incorrect_1 if { + PolicyId := CommonControlsId1_3 + Output := tests with input as BadCaseInputApi01 + + failedOU := [{"Name": "topOU", + "Value": NonComplianceMessage1_3}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego index 39c7d038..6aa43b55 100644 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego 
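Review bot: `BadCaseInputApi01a` (the `security_login_challenges` fixture) is defined in this new file but no test in the hunk references it, so it is either left over from a dropped check or the test that should use it is missing; drop it or add that test. Separately, `test_2SV_Incorrect_1` depends on wall-clock time: `thirdOU` is reported via `NonComplianceMessage1_1c` only while its `enforcedFrom` of 2035-02-16 lies in the future, so the test will start failing on that date, and the 2024 date in `GoodCaseInputApi01` likewise assumes the clock is already past it. If the OPA version in use supports mocking built-ins with `with`, evaluating `tests with input as BadCaseInputApi01 with time.now_ns as <fixed nanosecond timestamp>` would pin the result independent of the run date.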
+++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego @@ -29,7 +29,7 @@ GoodCaseInputApi04 := { } } -BaseCaseInputApi04 := { +BadCaseInputApi04 := { "policies": { "topOU": { "security_session_controls": { @@ -56,7 +56,7 @@ test_CCAPI_ReAuth_Comply_1 if { test_CCAPI_ReAuth_NonComply_1 if { PolicyId := CommonControlsId4_1 - Output := tests with input as BaseCaseInputApi04 + Output := tests with input as BadCaseInputApi04 failedOU := [{"Name": "nextOU", "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(800 * 60))}] diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api16_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api16_test.rego new file mode 100644 index 00000000..c81248a7 --- /dev/null +++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api16_test.rego 
@@ -0,0 +1,66 @@ +package commoncontrols + +import future.keywords +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult + +GoodCaseInputApi16 := { + "policies": { + "topOU": { + "early_access_apps_service_status": {"serviceState": "DISABLED"} + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +BadCaseInputApi16 := { + "policies": { + "topOU": { + "early_access_apps_service_status": {"serviceState": "ENABLED"} + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +BadCaseInputApi16a := { + "policies": { + "topOU": { + "early_access_apps_service_status": {"serviceState": "DISABLED"} + }, + "nextOU": { + "early_access_apps_service_status": {"serviceState": "ENABLED"} + }, + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +test_EarlyAccess_Correct_1 if { + PolicyId := CommonControlsId16_2 + Output := tests with input as GoodCaseInputApi16 + + PassTestResult(PolicyId, Output) +} + +test_EarlyAccess_Incorrect_1 if { + PolicyId := CommonControlsId16_2 + Output := tests with input as BadCaseInputApi16 + + failedOU := [{"Name": "topOU", + "Value": NonComplianceMessage16_2}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} + +test_EarlyAccess_Incorrect_2 if { + PolicyId := CommonControlsId16_2 + Output := tests with input as BadCaseInputApi16a + + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage16_2}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} diff --git a/scubagoggles/baselines/commoncontrols.md b/scubagoggles/baselines/commoncontrols.md index d3cd1d92..1ba842e9 100644 --- a/scubagoggles/baselines/commoncontrols.md +++ b/scubagoggles/baselines/commoncontrols.md 
@@ -1306,6 +1306,8 @@ A custom policy SHALL be configured for Gmail to protect PII and sensitive infor - [T1048:002: Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1048/002/) - [T1213: Data from Information Repositories](https://attack.mitre.org/techniques/T1213/) +[//]: # (Keep the version suffix out of the anchor.) + #### GWS.COMMONCONTROLS.18.4v0.3 The action for the above DLP policies SHOULD be set to block external sharing. @@ -1347,7 +1349,7 @@ Drive DLP and Chat DLP are available to Cloud Identity Premium users with a Goog 2. Click **Add Condition**. For **Content type to scan** select **All content**. For **What to scan for** select **Matches predefined data type**. For **Select data type** select **United States - Individual Taxpayer Identification Number**. Select the remaining condition properties according to agency need. 3. Click **Add Condition**. For **Content type to scan** select **All content**. For **What to scan for** select **Matches predefined data type**. For **Select data type** select **United States - Social Security Number***. Select the remaining condition properties according to agency need. 4. Configure other appropriate content and condition definition(s) based upon the agency's individual requirements and click **Continue**. -5. In the **Actions** section, select **Block external sharing** (per [GWS.COMMONCONTROLS.18.4v0.3](#gwscommoncontrols184v03)). +5. In the **Actions** section, select **Block external sharing** (per [GWS.COMMONCONTROLS.18.4](#commoncontrols184)). 6. In the **Alerting** section, choose a severity level, and optionally, check **Send to alert center to trigger notifications**. 7. Review the rule details, mark the rule as **Active**, and click **Create.** 
@@ -1360,7 +1362,7 @@ Drive DLP and Chat DLP are available to Cloud Identity Premium users with a Goog 2. Click **Add Condition**. For **Content type to scan** select **All content**. For **What to scan for** select **Matches predefined data type**. For **Select data type** select **United States - Individual Taxpayer Identification Number**. Select the remaining condition properties according to agency need. 3. Click **Add Condition**. For **Content type to scan** select **All content**. For **What to scan for** select **Matches predefined data type**. For **Select data type** select **United States - Social Security Number***. Select the remaining condition properties according to agency need. 4. Configure other appropriate content and condition definition(s) based upon the agency's individual requirements and click **Continue**. -5. In the **Actions** section, select **Block**. Under **Select when this action should apply**, select **External Conversations**, **Spaces**, **Group chats**, and **1:1 chats** (See [GWS.COMMONCONTROLS.18.4v0.3](#gwscommoncontrols184v03)). +5. In the **Actions** section, select **Block**. Under **Select when this action should apply**, select **External Conversations**, **Spaces**, **Group chats**, and **1:1 chats** (See [GWS.COMMONCONTROLS.18.4](#commoncontrols184)). 6. In the **Alerting** section, choose a severity level, and optionally, check **Send to alert center to trigger notifications**. 7. Review the rule details, mark the rule as **Active**, and click **Create.** 
@@ -1373,7 +1375,7 @@ Drive DLP and Chat DLP are available to Cloud Identity Premium users with a Goog 2. Click **Add Condition**. For **Content type to scan** select **All content**. For **What to scan for** select **Matches predefined data type**. For **Select data type** select **United States - Individual Taxpayer Identification Number**. Select the remaining condition properties according to agency need. 3. Click **Add Condition**. For **Content type to scan** select **All content**. For **What to scan for** select **Matches predefined data type**. For **Select data type** select **United States - Social Security Number***. Select the remaining condition properties according to agency need. 4. Configure other appropriate content and condition definition(s) based upon the agency's individual requirements and click **Continue**. -5. In the **Actions** section, select **Block message**. Under **Select when this action should apply**, check **Messages sent to external recipients** (See [GWS.COMMONCONTROLS.18.4v0.3](#gwscommoncontrols184v03)). +5. In the **Actions** section, select **Block message**. Under **Select when this action should apply**, check **Messages sent to external recipients** (See [GWS.COMMONCONTROLS.18.4](#commoncontrols184)). 6. In the **Alerting** section, choose a severity level, and optionally, check **Send to alert center to trigger notifications**. 7. Review the rule details, mark the rule as **Active**, and click **Create.** diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego index eb4f54d7..94c5b1a2 100644 --- a/scubagoggles/rego/Commoncontrols.rego +++ b/scubagoggles/rego/Commoncontrols.rego 
@@ -131,21 +131,36 @@ NoSuchEvent1_1 := true if { count(Events) == 0 } +Check1_1_OK if { + not PolicyApiInUse + not NoSuchEvent1_1 +} + +Check1_1_OK if {PolicyApiInUse} + GetFriendlyMethods(Value) := "Any" if { - Value == "ANY" + Value in {"ALL", "ANY"} } else := "Any except verification codes via text, phone call" if { Value == "NO_TELEPHONY" } else := "Only security key and allow security codes without remote access" if { - Value == "SECURITY_KEY_AND_IP_BOUND_SECURITY_CODE" + Value in {"PASSKEY_PLUS_IP_BOUND_SECURITY_CODE", "SECURITY_KEY_AND_IP_BOUND_SECURITY_CODE"} } else := "Only security key and allow security codes with remote access" if { - Value == "SECURITY_KEY_AND_SECURITY_CODE" + Value in {"PASSKEY_PLUS_SECURITY_CODE", "SECURITY_KEY_AND_SECURITY_CODE"} } else := Value +NonComplianceMessage1_1a := "Users cannot enable 2-step verification (2SV)." + +NonComplianceMessage1_1b(value) := sprintf("Allowed methods is set to %s", + [value]) + +NonComplianceMessage1_1c := "2-step verification (2SV) is not enforced." + NonCompliantOUs1_1 contains { "Name": OU, "Value": "Allow users to turn on 2-Step Verification is OFF" } if { + not PolicyApiInUse some OU in utils.OUsWithEvents Events := FilterEventsOU("ALLOW_STRONG_AUTHENTICATION", OU) # Ignore OUs without any events. We're already asserting that the @@ -161,6 +176,7 @@ NonCompliantOUs1_1 contains { "Value": "2-Step Verification Enforcement is OFF" } if { + not PolicyApiInUse some OU in utils.OUsWithEvents Events := FilterEventsOU("ENFORCE_STRONG_AUTHENTICATION", OU) # Ignore OUs without any events. We're already asserting that the 
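Review bot: `Check1_1_OK` reads as "control 1.1 passed", but in the `not PolicyApiInUse` branch it only says that a relevant top-level OU log event exists (it is the negation of `NoSuchEvent1_1`), and it is unconditionally true under the Policy API; the same naming is used for `Check1_2_OK`, `Check1_3_OK` and `Check16_2_OK` in later hunks. A comment at this first definition would prevent misreading, e.g. `# Check1_1_OK holds when there is enough data to evaluate the control (a top-level OU log event, or always with the Policy API); it does not mean the control passed.` Note also that `GetFriendlyMethods` still returns the raw enum for values it does not list (`PASSKEY_ONLY` included); that is harmless for 1.1 because the compliant value is never printed, but worth a comment if the helper is reused elsewhere.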
@@ -173,9 +189,10 @@ if { NonCompliantOUs1_1 contains { "Name": OU, - "Value": concat("", ["Allowed methods is set to ", GetFriendlyMethods(LastEvent.NewValue)]) + "Value": NonComplianceMessage1_1b(GetFriendlyMethods(LastEvent.NewValue)) } if { + not PolicyApiInUse some OU in utils.OUsWithEvents Events := FilterEventsOU("CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", OU) # Ignore OUs without any events. We're already asserting that the @@ -192,6 +209,7 @@ NonCompliantGroups1_1 contains { "Value": "Allow users to turn on 2-Step Verification is Off" } if { + not PolicyApiInUse some Group in utils.GroupsWithEvents Events := FilterEventsGroup("ALLOW_STRONG_AUTHENTICATION", Group) # Ignore Groups without any events. @@ -205,6 +223,7 @@ NonCompliantGroups1_1 contains { "Value": "2-Step Verification Enforcement is Off" } if { + not PolicyApiInUse some Group in utils.GroupsWithEvents Events := FilterEventsGroup("ENFORCE_STRONG_AUTHENTICATION", Group) # Ignore Groups without any events. @@ -215,9 +234,10 @@ if { NonCompliantGroups1_1 contains { "Name": Group, - "Value": concat("", ["Allowed methods is set to ", GetFriendlyMethods(LastEvent.NewValue)]) + "Value": NonComplianceMessage1_1b(GetFriendlyMethods(LastEvent.NewValue)) } if { + not PolicyApiInUse some Group in utils.GroupsWithEvents Events := FilterEventsGroup("CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", Group) # Ignore Groups without any events. 
@@ -227,6 +247,51 @@ if { LastEvent.NewValue != "INHERIT_FROM_PARENT" } +# There are 3 items to check for this baseline. First, users must be allowed to +# enroll in 2SV. If they have been enrolled, then the passkey (aka security +# key) is the only allowed 2SV method. If the method is also OK, 2SV +# enforcement must be enabled, and this is determined by ensuring the date +# of enforcement is in the past (before today). + +NonCompliantOUs1_1 contains { + "Name": OU, + "Value": NonComplianceMessage1_1a +} +if { + some OU, settings in input.policies + enable2SV := settings.security_two_step_verification_enrollment.allowEnrollment + not enable2SV +} + +NonCompliantOUs1_1 contains { + "Name": OU, + "Value": NonComplianceMessage1_1b(GetFriendlyMethods(enforceMethod)) +} +if { + some OU, settings in input.policies + enable2SV := settings.security_two_step_verification_enrollment.allowEnrollment + enable2SV + enforceMethod := settings.security_two_step_verification_enforcement_factor.allowedSignInFactorSet + enforceMethod != "PASSKEY_ONLY" +} + +NonCompliantOUs1_1 contains { + "Name": OU, + "Value": NonComplianceMessage1_1c +} +if { + today := time.now_ns() + RFC3339 := "2006-01-02T15:04:05Z07:00" + some OU, settings in input.policies + enable2SV := settings.security_two_step_verification_enrollment.allowEnrollment + enable2SV + enforceMethod := settings.security_two_step_verification_enforcement_factor.allowedSignInFactorSet + enforceMethod == "PASSKEY_ONLY" + enforce2SV := settings.security_two_step_verification_enforcement.enforcedFrom + enforceValue := time.parse_ns(RFC3339, enforce2SV) + enforceValue > today +} + tests contains { "PolicyId": CommonControlsId1_1, "Criticality": "Shall", @@ -236,8 +301,9 @@ tests contains { "NoSuchEvent": true } if { + not PolicyApiInUse DefaultSafe := false - NoSuchEvent1_1 == true + not Check1_1_OK } tests contains { 
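Review bot: The three new Policy API `NonCompliantOUs1_1` rules are undefined, and so report nothing, whenever a key they dereference is missing from `settings`; an OU entry with `allowEnrollment` true and `PASSKEY_ONLY` but no `security_two_step_verification_enforcement` block is therefore reported compliant although enforcement was never configured. If the Policy API omits only settings inherited from the parent, that is the intended result for child OUs, but the top-level OU has nothing to inherit, so a missing key there should produce a finding rather than silence (please confirm what the API emits for unset values). The same silent-skip shape appears in the 1.2 (`@@ -291`), 1.3 (`@@ -361`) and 16.2 (`@@ -2454`) hunks. One way to close the gap for 1.1, mirroring the guards of the third rule and identifying the top-level OU the way the fixtures do (`input.tenant_info.topLevelOU`):
```rego
NonCompliantOUs1_1 contains {
    "Name": OU,
    "Value": NonComplianceMessage1_1c
}
if {
    some OU, settings in input.policies
    OU == input.tenant_info.topLevelOU
    enable2SV := settings.security_two_step_verification_enrollment.allowEnrollment
    enable2SV
    settings.security_two_step_verification_enforcement_factor.allowedSignInFactorSet == "PASSKEY_ONLY"
    not settings.security_two_step_verification_enforcement.enforcedFrom
}
```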
@@ -249,7 +315,7 @@ tests contains { "NoSuchEvent": false } if { - NoSuchEvent1_1 == false + Check1_1_OK Conditions := {count(NonCompliantOUs1_1) == 0, count(NonCompliantGroups1_1) == 0} Status := (false in Conditions) == false } @@ -261,13 +327,29 @@ if { CommonControlsId1_2 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.1.2") +LogMessage1_2 := "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION" + +Check1_2_OK if { + not PolicyApiInUse + events := FilterEventsOU(LogMessage1_2, utils.TopLevelOU) + count(events) > 0 +} + +Check1_2_OK if {PolicyApiInUse} + +NonComplianceMessage1_2(value, expected) := sprintf("New user enrollment period (%ds) %s (%ds)", + [value, + "doesn't match expected", + expected]) + NonCompliantOUs1_2 contains { "Name": OU, "Value": concat("", ["New user enrollment period is set to ", LastEvent.NewValue]) } if { + not PolicyApiInUse some OU in utils.OUsWithEvents - Events := FilterEventsOU("CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", OU) + Events := FilterEventsOU(LogMessage1_2, OU) # Ignore OUs without any events. We're already asserting that the # top-level OU has at least one event; for all other OUs we assume # they inherit from a parent OU if they have no events. @@ -282,8 +364,9 @@ NonCompliantGroups1_2 contains { "Value": concat("", ["New user enrollment period is set to ", LastEvent.NewValue]) } if { + not PolicyApiInUse some Group in utils.GroupsWithEvents - Events := FilterEventsGroup("CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", Group) + Events := FilterEventsGroup(LogMessage1_2, Group) # Ignore groups without any events. count(Events) > 0 LastEvent := utils.GetLastEvent(Events) 
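Review bot: `NonComplianceMessage1_2` builds its text from a format string plus the literal `"doesn't match expected"` passed as a format argument, which makes the full message impossible to find by grepping and the `%s` slot misleading; a single literal reads better: `NonComplianceMessage1_2(value, expected) := sprintf("New user enrollment period (%ds) doesn't match expected (%ds)", [value, expected])`. The log-based `NonCompliantOUs1_2` rule in this hunk still formats its own message with `concat`, so the two code paths report the same condition in different words; if that is deliberate, a short comment saying so would help. `LogMessage1_2` holds an event name rather than a message, so a name such as `LogEvent1_2` would better match what `FilterEventsOU` receives.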
@@ -291,6 +374,18 @@ if { LastEvent.NewValue != "INHERIT_FROM_PARENT" } +NonCompliantOUs1_2 contains { + "Name": OU, + "Value": NonComplianceMessage1_2(enrollSeconds, expectedPeriod) +} +if { + expectedPeriod := utils.DurationToSeconds("7d") + some OU, settings in input.policies + enrollPeriod := settings.security_two_step_verification_grace_period.enrollmentGracePeriod + enrollSeconds := utils.DurationToSeconds(enrollPeriod) + enrollSeconds != expectedPeriod +} + tests contains { "PolicyId": CommonControlsId1_2, "Criticality": "Shall", @@ -300,9 +395,9 @@ tests contains { "NoSuchEvent": true } if { + not PolicyApiInUse DefaultSafe := false - Events := FilterEventsOU("CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", utils.TopLevelOU) - count(Events) == 0 + not Check1_2_OK } tests contains { @@ -314,8 +409,7 @@ tests contains { "NoSuchEvent": false } if { - Events := FilterEventsOU("CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", utils.TopLevelOU) - count(Events) > 0 + Check1_2_OK Conditions := {count(NonCompliantOUs1_2) == 0, count(NonCompliantGroups1_2) == 0} Status := (false in Conditions) == false } @@ -327,6 +421,18 @@ if { CommonControlsId1_3 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.1.3") +LogMessage1_3 := "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY" + +Check1_3_OK if { + not PolicyApiInUse + events := FilterEventsOU(LogMessage1_3, utils.TopLevelOU) + count(events) > 0 +} + +Check1_3_OK if {PolicyApiInUse} + +NonComplianceMessage1_3 := "User is allowed to trust device." + GetFriendlyValue1_3(Value) := "ON" if { Value == "ENABLE_USERS_TO_TRUST_DEVICE" } else := Value @@ -336,6 +442,7 @@ NonCompliantOUs1_3 contains { "Value": concat("", ["Allow user to trust the device is ", GetFriendlyValue1_3(LastEvent.NewValue)]) } if { + not PolicyApiInUse some OU in utils.OUsWithEvents Events := FilterEventsOU("CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", OU) # Ignore OUs without any events. We're already asserting that the 
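Review bot: The new Policy API `NonCompliantOUs1_2` rule is silently satisfied when `utils.DurationToSeconds(enrollPeriod)` is undefined, which happens for any `enrollmentGracePeriod` string that does not match the helper's `^(\d+)([dhms])$` pattern, so an unexpected or malformed value leads to the OU being reported compliant instead of flagged. The rewritten 4.1 and 5.6 rules in the `@@ -657` and `@@ -1113` hunks inherit the same behaviour from the helper. A companion rule that reports unparseable values keeps the check fail-closed:
```rego
NonCompliantOUs1_2 contains {
    "Name": OU,
    "Value": sprintf("New user enrollment period has an unrecognized value (%v)", [enrollPeriod])
}
if {
    some OU, settings in input.policies
    enrollPeriod := settings.security_two_step_verification_grace_period.enrollmentGracePeriod
    not utils.DurationToSeconds(enrollPeriod)
}
```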
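Review bot: The log-based `NonCompliantOUs1_3` rule in the `@@ -336` hunk still passes the literal `"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY"` to `FilterEventsOU`, while the matching group rule in the next hunk was switched to `LogMessage1_3` and `Check1_3_OK` also uses the constant; the two can drift apart if the event name ever changes. Use the constant here as well: `Events := FilterEventsOU(LogMessage1_3, OU)`. The rule body continues past the end of the hunk.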
@@ -352,8 +459,9 @@ NonCompliantGroups1_3 contains { "Value": concat("", ["Allow user to trust the device is ", GetFriendlyValue1_3(LastEvent.NewValue)]) } if { + not PolicyApiInUse some Group in utils.GroupsWithEvents - Events := FilterEventsGroup("CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", Group) + Events := FilterEventsGroup(LogMessage1_3, Group) # Ignore groups without any events. count(Events) > 0 LastEvent := utils.GetLastEvent(Events) @@ -361,6 +469,16 @@ if { LastEvent.NewValue != "INHERIT_FROM_PARENT" } +NonCompliantOUs1_3 contains { + "Name": OU, + "Value": NonComplianceMessage1_3 +} +if { + some OU, settings in input.policies + trustDevice := settings.security_two_step_verification_device_trust.allowTrustingDevice + trustDevice +} + tests contains { "PolicyId": CommonControlsId1_3, "Criticality": "Shall", @@ -370,9 +488,9 @@ tests contains { "NoSuchEvent": true } if { + not PolicyApiInUse DefaultSafe := false - Events := FilterEventsOU("CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", utils.TopLevelOU) - count(Events) == 0 + not Check1_3_OK } tests contains { @@ -384,8 +502,7 @@ tests contains { "NoSuchEvent": false } if { - Events := FilterEventsOU("CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", utils.TopLevelOU) - count(Events) > 0 + Check1_3_OK Conditions := {count(NonCompliantOUs1_3) == 0, count(NonCompliantGroups1_3) == 0} Status := (false in Conditions) == false } 
@@ -657,19 +774,11 @@ NonCompliantOUs4_1 contains { "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(durationSeconds)) } if { - multipliers := {"s": 1, "m": 60, "h": 3600} # This is the requirement limit for session duration: - webSessionMax := 12 * multipliers["h"] + webSessionMax := utils.DurationToSeconds("12h") some OU, settings in input.policies duration := settings.security_session_controls.webSessionDuration - result := regex.find_all_string_submatch_n(`(?i)^(\d+)([hms])$`, - duration, - 1) - firstMatch := result[0] - value := to_number(firstMatch[1]) - unit := firstMatch[2] - multiplier := multipliers[lower(unit)] - durationSeconds := value * multiplier + durationSeconds := utils.DurationToSeconds(duration) durationSeconds > webSessionMax } @@ -1113,11 +1222,7 @@ NonCompliantOUs5_6 contains { if { some OU, settings in input.policies passwordExpiration := settings.security_password.expirationDuration - result := regex.find_all_string_submatch_n(`(?i)^(\d+)[hms]$`, - passwordExpiration, - -1) - firstMatch := result[0] - expirationValue := to_number(firstMatch[1]) + expirationValue := utils.DurationToSeconds(passwordExpiration) expirationValue != 0 } @@ -2344,11 +2449,13 @@ if { CommonControlsId16_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.16.1") +NonComplianceMessage16_1 := "Access to additional services without individual control is turned on" + # NOTE: This setting cannot be controlled at the group level NonCompliantOUs16_1 contains { "Name": OU, - "Value": "Access to additional services without individual control is turned on" + "Value": NonComplianceMessage16_1 } if { some OU in utils.OUsWithEvents 
@@ -2412,11 +2519,26 @@ if { CommonControlsId16_2 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.16.2") +NonComplianceMessage16_2 := "Early access apps are ENABLED" + +Check16_2_OK if { + not PolicyApiInUse + Events := { + Event | some Event in ToggleServiceEvents; + Event.OrgUnit == utils.TopLevelOU; + Event.ServiceName == "Early Access Apps" + } + count(Events) > 0 +} + +Check16_2_OK if {PolicyApiInUse} + NonCompliantOUs16_2 contains { "Name": OU, - "Value": "Service status is ON" + "Value": NonComplianceMessage16_2 } if { + not PolicyApiInUse some OU in utils.OUsWithEvents # Note that this setting requires the custom ToggleServiceEvents rule. # Filter based on the service name of the event, otherwise all events are returned. @@ -2438,9 +2560,10 @@ if { NonCompliantGroups16_2 contains { "Name": Group, - "Value": "Service status is ON" + "Value": NonComplianceMessage16_2 } if { + not PolicyApiInUse some Group in utils.GroupsWithEvents # Note that this setting requires the custom ToggleServiceEvents rule. Events := { @@ -2454,6 +2577,16 @@ if { LastEvent.NewValue == "true" } +NonCompliantOUs16_2 contains { + "Name": OU, + "Value": NonComplianceMessage16_2 +} +if { + some OU, settings in input.policies + appsEnabled := utils.AppEnabled(input.policies, "early_access_apps", OU) + appsEnabled +} + tests contains { "PolicyId": CommonControlsId16_2, "Criticality": "Should", @@ -2463,14 +2596,9 @@ tests contains { "NoSuchEvent": true } if { + not PolicyApiInUse DefaultSafe := false - # Filter based on the service name of the event, otherwise all events are returned. - Events := { - Event | some Event in ToggleServiceEvents; - Event.OrgUnit == utils.TopLevelOU; - Event.ServiceName == "Early Access Apps" - } - count(Events) == 0 + not Check16_2_OK } tests contains { 
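Review bot: The new Policy API `NonCompliantOUs16_2` rule depends on `utils.AppEnabled`, which is neither defined in this patch's `Utils.rego` hunk nor visible elsewhere in the diff; if it does not already exist in `Utils.rego`, the call is undefined, the rule never fires and 16.2 is reported compliant under the Policy API regardless of `serviceState` (the api16 tests would catch this, so this is only a check that they were run). It would also help to document what `AppEnabled` resolves for OUs that carry no `early_access_apps_service_status` block, since `BadCaseInputApi16a` expects only `nextOU` to be flagged and that relies on inheritance being handled inside the helper. If that is indeed what it does, a one-line comment above the rule such as `# AppEnabled resolves the effective (inherited) service state for OU.` would make the dependency visible.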
@@ -2482,14 +2610,7 @@ tests contains {
 "NoSuchEvent": false
 } if {
- # This rule should execute only when log events exist
- Events := {
- Event | some Event in ToggleServiceEvents;
- Event.OrgUnit == utils.TopLevelOU;
- Event.ServiceName == "Early Access Apps"
- }
- count(Events) > 0
-
+ Check16_2_OK
 Conditions := {
 count(NonCompliantOUs16_2) == 0,
 count(NonCompliantGroups16_2) == 0
diff --git a/scubagoggles/rego/Utils.rego b/scubagoggles/rego/Utils.rego
index 333a41b8..2696663b 100644
--- a/scubagoggles/rego/Utils.rego
+++ b/scubagoggles/rego/Utils.rego
@@ -564,3 +564,20 @@ GetFriendlyEnabledValue(Value) := "enabled" if {
 } else := "disabled" if {
 Value in {false, "false"}
 } else := Value
+
+# This function will convert a "duration string" (e.g., "18m" for 18 minutes)
+# to an integer representing the time in seconds. This may be used for
+# comparing string durations. Typically, Google's Policy API returns duration
+# values in seconds. See CC 1.2 & CC 4.1 for examples of usage.
+
+DurationToSeconds(duration) := durationSeconds if {
+ multipliers := {"s": 1, "m": 60, "h": 3600, "d": 86400}
+ result := regex.find_all_string_submatch_n(`(?i)^(\d+)([dhms])$`,
+ duration,
+ 1)
+ firstMatch := result[0]
+ value := to_number(firstMatch[1])
+ unit := firstMatch[2]
+ multiplier := multipliers[lower(unit)]
+ durationSeconds := value * multiplier
+}
From 67abc58a17d418544fcc573700d6e8ac016f7a91 Mon Sep 17 00:00:00 2001
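Review bot: The header comment on `DurationToSeconds` in the Utils.rego hunk does not say what happens when `duration` does not match `^(\d+)([dhms])$` — `firstMatch := result[0]` has no fallback, so the function is undefined rather than returning 0 or an error, and a caller written as `x := utils.DurationToSeconds(v); x > limit` silently drops that OU from the findings. Add a line such as `# Undefined (not zero) when the string is not <digits><d|h|m|s>; callers must treat an undefined result as a finding, not as compliant.` The sentence "Typically, Google's Policy API returns duration values in seconds" also reads backwards given that the function exists because the API returns suffixed strings like "18m"; it would be clearer to say the conversion puts those strings on the same footing as the seconds-based limits used in CC 1.2 and CC 4.1. The `d` unit and the 86400 multiplier are new here and are worth a word too, since the regexes this replaces accepted only `[hms]`.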
From: Roy Lane Date: Mon, 23 Dec 2024 10:47:51 -0500 Subject: [PATCH 2/4] gmail: implement 1.1, 8.1, 9.1, 10.1, & 12.1 --- .../Testing/RegoTests/gmail/gmail01_test.rego | 68 ++--- .../Testing/RegoTests/gmail/gmail08_test.rego | 68 ++--- .../Testing/RegoTests/gmail/gmail09_test.rego | 36 +-- .../Testing/RegoTests/gmail/gmail10_test.rego | 74 ++--- .../Testing/RegoTests/gmail/gmail12_test.rego | 68 ++--- .../RegoTests/gmail/gmail_api01_test.rego | 73 +++++ .../RegoTests/gmail/gmail_api08_test.rego | 46 ++++ .../RegoTests/gmail/gmail_api09_test.rego | 61 +++++ .../RegoTests/gmail/gmail_api10_test.rego | 48 ++++ .../RegoTests/gmail/gmail_api12_test.rego | 48 ++++ scubagoggles/policy_api.py | 22 ++ scubagoggles/rego/Commoncontrols.rego | 22 +- scubagoggles/rego/Gmail.rego | 257 +++++++++++++----- scubagoggles/rego/Utils.rego | 28 ++ 14 files changed, 618 insertions(+), 301 deletions(-) create mode 100644 scubagoggles/Testing/RegoTests/gmail/gmail_api01_test.rego create mode 100644 scubagoggles/Testing/RegoTests/gmail/gmail_api08_test.rego create mode 100644 scubagoggles/Testing/RegoTests/gmail/gmail_api09_test.rego create mode 100644 scubagoggles/Testing/RegoTests/gmail/gmail_api10_test.rego create mode 100644 scubagoggles/Testing/RegoTests/gmail/gmail_api12_test.rego diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail01_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail01_test.rego index cfb15db5..5821a148 100644 --- a/scubagoggles/Testing/RegoTests/gmail/gmail01_test.rego +++ b/scubagoggles/Testing/RegoTests/gmail/gmail01_test.rego @@ -1,5 +1,9 @@ package gmail + import future.keywords +import data.utils.FailTestNoEvent +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult # # GWS.GMAIL.1.1 
@@ -25,11 +29,7 @@ test_MailDelegation_Correct_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_MailDelegation_Correct_V2 if { @@ -63,11 +63,7 @@ test_MailDelegation_Correct_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_MailDelegation_Correct_V3 if { @@ -101,11 +97,7 @@ test_MailDelegation_Correct_V3 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_MailDelegation_Incorrect_V1 if { @@ -129,15 +121,7 @@ test_MailDelegation_Incorrect_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, Test Top-Level OU. ", - "While we are unable to determine the state from the logs, the default setting ", - "is compliant; manual check recommended." - ]) + FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) } test_MailDelegation_Incorrect_V2 if { 
@@ -161,12 +145,9 @@ test_MailDelegation_Incorrect_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage1_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_MailDelegation_Incorrect_V3 if { @@ -200,12 +181,9 @@ test_MailDelegation_Incorrect_V3 if { }, } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage1_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_MailDelegation_Incorrect_V4 if { @@ -229,12 +207,9 @@ test_MailDelegation_Incorrect_V4 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": NonComplianceMessage1_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_MailDelegation_Incorrect_V5 if { @@ -268,11 +243,8 @@ test_MailDelegation_Incorrect_V5 if { }, } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": NonComplianceMessage1_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } #-- 
diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail08_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail08_test.rego index 52bab032..dc5059a2 100644 --- a/scubagoggles/Testing/RegoTests/gmail/gmail08_test.rego +++ b/scubagoggles/Testing/RegoTests/gmail/gmail08_test.rego @@ -1,5 +1,9 @@ package gmail + import future.keywords +import data.utils.FailTestNoEvent +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult # # GWS.GMAIL.8.1 @@ -25,11 +29,7 @@ test_UserEmailUploads_Correct_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_UserEmailUploads_Correct_V2 if { @@ -63,11 +63,7 @@ test_UserEmailUploads_Correct_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_UserEmailUploads_Correct_V3 if { @@ -101,11 +97,7 @@ test_UserEmailUploads_Correct_V3 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_UserEmailUploads_Incorrect_V1 if { 
@@ -129,15 +121,7 @@ test_UserEmailUploads_Incorrect_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, Test Top-Level OU. ", - "While we are unable to determine the state from the logs, the default setting ", - "is compliant; manual check recommended." - ]) + FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) } test_UserEmailUploads_Incorrect_V2 if { @@ -161,12 +145,9 @@ test_UserEmailUploads_Incorrect_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage8_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_UserEmailUploads_Incorrect_V3 if { @@ -200,12 +181,9 @@ test_UserEmailUploads_Incorrect_V3 if { }, } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage8_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_UserEmailUploads_Incorrect_V4 if { 
@@ -229,12 +207,9 @@ test_UserEmailUploads_Incorrect_V4 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": NonComplianceMessage8_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_UserEmailUploads_Incorrect_V5 if { @@ -268,11 +243,8 @@ test_UserEmailUploads_Incorrect_V5 if { }, } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": NonComplianceMessage8_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } #-- diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail09_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail09_test.rego index 50a6638b..199b8621 100644 --- a/scubagoggles/Testing/RegoTests/gmail/gmail09_test.rego +++ b/scubagoggles/Testing/RegoTests/gmail/gmail09_test.rego @@ -1,5 +1,8 @@ package gmail + import future.keywords +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult # # GWS.GMAIL.9.1 @@ -36,11 +39,7 @@ test_ImapAccess_Correct_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_ImapAccess_Incorrect_V1 if { 
@@ -74,12 +73,9 @@ test_ImapAccess_Incorrect_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": GetFriendlyValue9_1(true, true)}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_ImapAccess_Incorrect_V2 if { @@ -113,12 +109,9 @@ test_ImapAccess_Incorrect_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": GetFriendlyValue9_1(true, true)}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_ImapAccess_Incorrect_V3 if { @@ -172,11 +165,8 @@ test_ImapAccess_Incorrect_V3 if { }, } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": GetFriendlyValue9_1(true, false)}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } #-- diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail10_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail10_test.rego index 6c5f3e76..f0d41cb9 100644 --- a/scubagoggles/Testing/RegoTests/gmail/gmail10_test.rego +++ b/scubagoggles/Testing/RegoTests/gmail/gmail10_test.rego @@ -1,5 +1,9 @@ package gmail + import future.keywords +import data.utils.FailTestNoEvent +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult # # GWS.GMAIL.10.1 
@@ -25,11 +29,7 @@ test_GoogleWorkspaceSync_Correct_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_GoogleWorkspaceSync_Correct_V2 if { @@ -63,11 +63,7 @@ test_GoogleWorkspaceSync_Correct_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_GoogleWorkspaceSync_Correct_V3 if { @@ -101,11 +97,7 @@ test_GoogleWorkspaceSync_Correct_V3 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_GoogleWorkspaceSync_Correct_V4 if { @@ -139,11 +131,7 @@ test_GoogleWorkspaceSync_Correct_V4 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_GoogleWorkspaceSync_Incorrect_V1 if { 
@@ -167,15 +155,7 @@ test_GoogleWorkspaceSync_Incorrect_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, Test Top-Level OU. ", - "While we are unable to determine the state from the logs, the default setting ", - "is non-compliant; manual check recommended." - ]) + FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) } test_GoogleWorkspaceSync_Incorrect_V2 if { @@ -199,12 +179,9 @@ test_GoogleWorkspaceSync_Incorrect_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage10_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_GoogleWorkspaceSync_Incorrect_V3 if { @@ -238,12 +215,9 @@ test_GoogleWorkspaceSync_Incorrect_V3 if { }, } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage10_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_GoogleWorkspaceSync_Incorrect_V4 if { 
@@ -267,12 +241,9 @@ test_GoogleWorkspaceSync_Incorrect_V4 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": NonComplianceMessage10_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_GoogleWorkspaceSync_Incorrect_V5 if { @@ -306,12 +277,9 @@ test_GoogleWorkspaceSync_Incorrect_V5 if { }, } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": NonComplianceMessage10_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } #-- diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail12_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail12_test.rego index ffdf175c..d277566c 100644 --- a/scubagoggles/Testing/RegoTests/gmail/gmail12_test.rego +++ b/scubagoggles/Testing/RegoTests/gmail/gmail12_test.rego @@ -1,5 +1,9 @@ package gmail + import future.keywords +import data.utils.FailTestNoEvent +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult # # GWS.GMAIL.12.1 @@ -25,11 +29,7 @@ test_PerUserOutboundGateway_Correct_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_PerUserOutboundGateway_Correct_V2 if { 
@@ -63,11 +63,7 @@ test_PerUserOutboundGateway_Correct_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_PerUserOutboundGateway_Correct_V3 if { @@ -101,11 +97,7 @@ test_PerUserOutboundGateway_Correct_V3 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." + PassTestResult(PolicyId, Output) } test_PerUserOutboundGateway_Incorrect_V1 if { @@ -129,15 +121,7 @@ test_PerUserOutboundGateway_Incorrect_V1 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, Test Top-Level OU. ", - "While we are unable to determine the state from the logs, the default setting ", - "is compliant; manual check recommended." - ]) + FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) } test_PerUserOutboundGateway_Incorrect_V2 if { @@ -161,12 +145,9 @@ test_PerUserOutboundGateway_Incorrect_V2 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage12_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_PerUserOutboundGateway_Incorrect_V3 if { 
@@ -200,12 +181,9 @@ test_PerUserOutboundGateway_Incorrect_V3 if { }, } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Test Top-Level OU", + "Value": NonComplianceMessage12_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_PerUserOutboundGateway_Incorrect_V4 if { @@ -229,12 +207,9 @@ test_PerUserOutboundGateway_Incorrect_V4 if { } } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": NonComplianceMessage12_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } test_PerUserOutboundGateway_Incorrect_V5 if { @@ -268,11 +243,8 @@ test_PerUserOutboundGateway_Incorrect_V5 if { }, } - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"]) + failedOU := [{"Name": "Secondary OU", + "Value": NonComplianceMessage12_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) } #-- diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail_api01_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail_api01_test.rego new file mode 100644 index 00000000..42b0c82a --- /dev/null +++ b/scubagoggles/Testing/RegoTests/gmail/gmail_api01_test.rego 
@@ -0,0 +1,73 @@ +package gmail + +import future.keywords +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult + +GoodGmailApi01 := { + "policies": { + "topOU": { + "gmail_mail_delegation": {"enableMailDelegation": false}, + "gmail_service_status": {"serviceState": "ENABLED"} + }, + "nextOU": { + "gmail_mail_delegation": {"enableMailDelegation": true}, + "gmail_service_status": {"serviceState": "DISABLED"} + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +BadGmailApi01 := { + "policies": { + "topOU": { + "gmail_mail_delegation": {"enableMailDelegation": true}, + "gmail_service_status": {"serviceState": "ENABLED"} + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +BadGmailApi01a := { + "policies": { + "topOU": { + "gmail_mail_delegation": {"enableMailDelegation": false}, + "gmail_service_status": {"serviceState": "ENABLED"} + }, + "nextOU": { + "gmail_mail_delegation": {"enableMailDelegation": true} + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +test_MailDelegation_Correct_1 if { + PolicyId := GmailId1_1 + Output := tests with input as GoodGmailApi01 + + PassTestResult(PolicyId, Output) +} + +test_MailDelegation_Incorrect_1 if { + PolicyId := GmailId1_1 + Output := tests with input as BadGmailApi01 + + failedOU := [{"Name": "topOU", + "Value": NonComplianceMessage1_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} + +test_MailDelegation_Incorrect_2 if { + PolicyId := GmailId1_1 + Output := tests with input as BadGmailApi01a + + failedOU := [{"Name": "nextOU", + "Value": NonComplianceMessage1_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail_api08_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail_api08_test.rego new file mode 100644 index 00000000..cd69deba --- /dev/null +++ b/scubagoggles/Testing/RegoTests/gmail/gmail_api08_test.rego 
@@ -0,0 +1,46 @@ +package gmail + +import future.keywords +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult + +GoodGmailApi08 := { + "policies": { + "topOU": { + "gmail_user_email_uploads": {"enableMailAndContactsImport": false}, + "gmail_service_status": {"serviceState": "ENABLED"}, + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +BadGmailApi08 := { + "policies": { + "topOU": { + "gmail_user_email_uploads": {"enableMailAndContactsImport": true}, + "gmail_service_status": {"serviceState": "ENABLED" + } + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +test_EmailUploads_Correct_1 if { + PolicyId := GmailId8_1 + Output := tests with input as GoodGmailApi08 + + PassTestResult(PolicyId, Output) +} + +test_EmailUploads_Incorrect_1 if { + PolicyId := GmailId8_1 + Output := tests with input as BadGmailApi08 + + failedOU := [{"Name": "topOU", + "Value": NonComplianceMessage8_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail_api09_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail_api09_test.rego new file mode 100644 index 00000000..97c996d4 --- /dev/null +++ b/scubagoggles/Testing/RegoTests/gmail/gmail_api09_test.rego 
@@ -0,0 +1,61 @@ +package gmail + +import future.keywords +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult + +GoodGmailApi09 := { + "policies": { + "topOU": { + "gmail_pop_access": {"enablePopAccess": false}, + "gmail_imap_access": {"enableImapAccess": false}, + "gmail_service_status": {"serviceState": "ENABLED"}, + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +BadGmailApi09 := { + "policies": { + "topOU": { + "gmail_pop_access": {"enablePopAccess": true}, + "gmail_imap_access": {"enableImapAccess": true}, + "gmail_service_status": {"serviceState": "ENABLED"} + }, + "nextOU": { + "gmail_imap_access": {"enableImapAccess": false} + }, + "thirdOU": { + "gmail_pop_access": {"enablePopAccess": false} + }, + "fourthOU": { + "gmail_imap_access": {"enableImapAccess": false}, + "gmail_pop_access": {"enablePopAccess": false} + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +test_ImapPopEnable_Correct_1 if { + PolicyId := GmailId9_1 + Output := tests with input as GoodGmailApi09 + + PassTestResult(PolicyId, Output) +} + +test_ImapPopEnable_Incorrect_1 if { + PolicyId := GmailId9_1 + Output := tests with input as BadGmailApi09 + + failedOU := [{"Name": "nextOU", + "Value": GetFriendlyValue9_1(false, true)}, + {"Name": "thirdOU", + "Value": GetFriendlyValue9_1(true, false)}, + {"Name": "topOU", + "Value": GetFriendlyValue9_1(true, true)}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail_api10_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail_api10_test.rego new file mode 100644 index 00000000..77049d03 --- /dev/null +++ b/scubagoggles/Testing/RegoTests/gmail/gmail_api10_test.rego 
@@ -0,0 +1,48 @@ +package gmail + +import future.keywords +import data.utils.FailTestOUNonCompliant +import data.utils.PassTestResult + +GoodGmailApi10 := { + "policies": { + "topOU": { + "gmail_workspace_sync_for_outlook": { + "enableGoogleWorkspaceSyncForMicrosoftOutlook": false}, + "gmail_service_status": {"serviceState": "ENABLED"}, + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +BadGmailApi10 := { + "policies": { + "topOU": { + "gmail_workspace_sync_for_outlook": { + "enableGoogleWorkspaceSyncForMicrosoftOutlook": true}, + "gmail_service_status": {"serviceState": "ENABLED" + } + } + }, + "tenant_info": { + "topLevelOU": "topOU" + } +} + +test_SyncEnable_Correct_1 if { + PolicyId := GmailId10_1 + Output := tests with input as GoodGmailApi10 + + PassTestResult(PolicyId, Output) +} + +test_SyncEnable_Incorrect_1 if { + PolicyId := GmailId10_1 + Output := tests with input as BadGmailApi10 + + failedOU := [{"Name": "topOU", + "Value": NonComplianceMessage10_1("enabled")}] + FailTestOUNonCompliant(PolicyId, Output, failedOU) +} diff --git a/scubagoggles/Testing/RegoTests/gmail/gmail_api12_test.rego b/scubagoggles/Testing/RegoTests/gmail/gmail_api12_test.rego new file mode 100644 index 00000000..307e2036 --- /dev/null +++ b/scubagoggles/Testing/RegoTests/gmail/gmail_api12_test.rego 
@@ -0,0 +1,48 @@
+package gmail
+
+import future.keywords
+import data.utils.FailTestOUNonCompliant
+import data.utils.PassTestResult
+
+GoodGmailApi12 := {
+ "policies": {
+ "topOU": {
+ "gmail_per_user_outbound_gateway": {
+ "allowUsersToUseExternalSmtpServers": false},
+ "gmail_service_status": {"serviceState": "ENABLED"},
+ }
+ },
+ "tenant_info": {
+ "topLevelOU": "topOU"
+ }
+}
+
+BadGmailApi12 := {
+ "policies": {
+ "topOU": {
+ "gmail_per_user_outbound_gateway": {
+ "allowUsersToUseExternalSmtpServers": true},
+ "gmail_service_status": {"serviceState": "ENABLED"
+ }
+ }
+ },
+ "tenant_info": {
+ "topLevelOU": "topOU"
+ }
+}
+
+test_OutGateways_Correct_1 if {
+ PolicyId := GmailId12_1
+ Output := tests with input as GoodGmailApi12
+
+ PassTestResult(PolicyId, Output)
+}
+
+test_OutGateways_Incorrect_1 if {
+ PolicyId := GmailId12_1
+ Output := tests with input as BadGmailApi12
+
+ failedOU := [{"Name": "topOU",
+ "Value": NonComplianceMessage12_1("enabled")}]
+ FailTestOUNonCompliant(PolicyId, Output, failedOU)
+}
diff --git a/scubagoggles/policy_api.py b/scubagoggles/policy_api.py
index 863a9f1f..265a2887 100644
--- a/scubagoggles/policy_api.py
+++ b/scubagoggles/policy_api.py
@@ -57,6 +57,11 @@ class PolicyAPI:
 isDuration = lambda x: isinstance(x, str) and re.match(r'(?i)^\d+[hms]$', x)
+ isTimestamp = lambda x: (isinstance(x, str)
+ and re.match(r'(?i)^\d{4}(?:-\d{2}){2}T\d{2}'
+ r'(?::\d{2}){2}(?:\.\d+)?z$',
+ x))
+
 # There may be duplicate policies returned for an orgunit/group and
 # section. The policies must be "reduced" to single settings using
 # a method. The default "reducer" method is to select the policy with the
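Review bot: `isTimestamp` in the policy_api.py hunk validates with `re.match` and a `$` anchor, which still accepts a value that carries a trailing newline because `$` matches before a final `\n`; `re.fullmatch` states the intent exactly and drops the need for the anchors, e.g. `and re.fullmatch(r'(?i)\d{4}(?:-\d{2}){2}T\d{2}' r'(?::\d{2}){2}(?:\.\d+)?z', x)`. The same applies to the adjacent `isDuration`, which is context here. The pattern also admits only a `Z` suffix, so an offset form such as `+00:00` would be rejected by the validator; if the Policy API can return one, that case should be handled or the restriction documented. Separately, `isDuration` admits `[hms]` while `DurationToSeconds` in Utils.rego (patch 1 of this series) accepts `[dhms]`, so a day-suffixed value would fail validation on the Python side before the Rego ever sees it; the two patterns should agree.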
@@ -178,11 +183,14 @@ class PolicyAPI:
 'allowedIpAddresses': isListStrings}},
 'gmail_enhanced_pre_delivery_message_scanning': {'settings': {
 'enableImprovedSuspiciousContentDetection': isBool}},
+ 'gmail_imap_access': {'settings': {'enableImapAccess': isBool}},
 'gmail_links_and_external_images': {'settings': {
 'applyFutureSettingsAutomatically': isBool,
 'enableAggressiveWarningsOnUntrustedLinks': isBool,
 'enableExternalImageScanning': isBool,
 'enableShortenerScanning': isBool}},
+ 'gmail_mail_delegation': {'settings': {'enableMailDelegation': isBool}},
+ 'gmail_pop_access': {'settings': {'enablePopAccess': isBool}},
 'gmail_service_status': {'settings': {'serviceState': isState}},
 'gmail_spoofing_and_authentication': {'settings': {
 'applyFutureSettingsAutomatically': isBool,
@@ -196,6 +204,10 @@ class PolicyAPI:
 'employeeNameSpoofingConsequence': isEnum,
 'groupsSpoofingConsequence': isEnum,
 'unauthenticatedEmailConsequence': isEnum}},
+ 'gmail_user_email_uploads': {'settings': {
+ 'enableMailAndContactsImport': isBool}},
+ 'gmail_workspace_sync_for_outlook': {'settings': {
+ 'enableGoogleWorkspaceSyncForMicrosoftOutlook': isBool}},
 'groups_for_business_groups_sharing': {'reducer': _merge_reducer,
 'settings': {
 'collaborationCapability': isEnum,
@@ -245,6 +257,16 @@ class PolicyAPI:
 'security_super_admin_account_recovery': {'reducer': _merge_reducer,
 'settings': {
 'enableAccountRecovery': isBool}},
+ 'security_two_step_verification_device_trust': {'settings': {
+ 'allowTrustingDevice': isBool}},
+ 'security_two_step_verification_enforcement': {'settings': {
+ 'enforcedFrom': isTimestamp}},
+ 'security_two_step_verification_enforcement_factor': {'settings': {
+ 'allowedSignInFactorSet': isEnum}},
+ 'security_two_step_verification_enrollment': {'settings': {
+ 'allowEnrollment': isBool}},
+ 'security_two_step_verification_grace_period': {'settings': {
+ 'enrollmentGracePeriod': isDuration}},
 'security_user_account_recovery': {'reducer': _merge_reducer,
 'settings': {
 'enableAccountRecovery': isBool}},
diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego
index 94c5b1a2..6292347a 100644
--- a/scubagoggles/rego/Commoncontrols.rego
+++ b/scubagoggles/rego/Commoncontrols.rego
@@ -337,10 +337,10 @@ Check1_2_OK if {
 Check1_2_OK if {PolicyApiInUse}
-NonComplianceMessage1_2(value, expected) := sprintf("New user enrollment period (%ds) %s (%ds)",
- [value,
+NonComplianceMessage1_2(value, expected) := sprintf("New user enrollment period (%s) %s (%s)",
+ [utils.GetFriendlyDuration(value),
 "doesn't match expected",
- expected])
+ utils.GetFriendlyDuration(expected)])
 NonCompliantOUs1_2 contains {
 "Name": OU,
@@ -740,17 +740,7 @@ NonComplianceMessage4_1(Value) := sprintf("Web session duration: %s",
 GetFriendlyValue4_1(Value) := "Session never expires" if {
 Value == 63072000
-} else := "30 days" if {
- Value == 2592000
-} else := "14 days" if {
- Value == 1209600
-} else := "7 days" if {
- Value == 604800
-} else := "24 hours" if {
- Value == 86400
-} else := "20 hours" if {
- Value == 72000
-} else := sprintf("%d seconds", [Value])
+} else := utils.GetFriendlyDuration(Value)
 NonCompliantOUs4_1 contains {
 "Name": OU,
@@ -2583,8 +2573,8 @@ NonCompliantOUs16_2 contains {
 } if {
 some OU, settings in input.policies
- appsEnabled := utils.AppEnabled(input.policies, "early_access_apps", OU)
- appsEnabled
+ appState := utils.AppExplicitStatus(input.policies, "early_access_apps", OU)
+ appState == "ENABLED"
 }
 tests contains {
diff --git a/scubagoggles/rego/Gmail.rego b/scubagoggles/rego/Gmail.rego
index 77307f25..7354a769 100644
--- a/scubagoggles/rego/Gmail.rego
+++ b/scubagoggles/rego/Gmail.rego
@@ -37,23 +37,44 @@ LogEvents := utils.GetEvents("gmail_logs")
 GmailId1_1 := utils.PolicyIdWithSuffix("GWS.GMAIL.1.1")
+LogMessage1_1 := "ENABLE_MAIL_DELEGATION_WITHIN_DOMAIN"
+
+Check1_1_OK if {
+ not PolicyApiInUse
+ events := utils.FilterEventsOU(LogEvents, LogMessage1_1, utils.TopLevelOU)
+ count(events) > 0
+}
+
+Check1_1_OK if {PolicyApiInUse}
+
+NonComplianceMessage1_1(value) := sprintf("Mail delegation is %s", [value])
+
 # Cannot be controlled at group level
 NonCompliantOUs1_1 contains {
 "Name": OU,
- "Value": concat(" ", [
- "Mail delegation is set to",
- GetFriendlyEnabledValue(LastEvent.NewValue)
- ])
+ "Value": NonComplianceMessage1_1(GetFriendlyEnabledValue(LastEvent.NewValue))
 } if {
+ not PolicyApiInUse
 some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, "ENABLE_MAIL_DELEGATION_WITHIN_DOMAIN", OU)
+ Events := utils.FilterEventsOU(LogEvents, LogMessage1_1, OU)
 count(Events) > 0
 LastEvent := utils.GetLastEvent(Events)
 LastEvent.NewValue == "true"
 }
+NonCompliantOUs1_1 contains {
+ "Name": OU,
+ "Value": NonComplianceMessage1_1(GetFriendlyEnabledValue(mailDelegation))
+}
+if {
+ some OU, settings in input.policies
+ GmailEnabled(OU)
+ mailDelegation := settings.gmail_mail_delegation.enableMailDelegation
+ mailDelegation
+}
+
 tests contains {
 "PolicyId": GmailId1_1,
 "Criticality": "Should",
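Review bot: In the NonCompliantOUs16_2 hunk the `settings` variable bound by `some OU, settings in input.policies` is no longer used in the visible body, since the OU state now comes from `utils.AppExplicitStatus`; unless the rule head above the hunk references it, bind it as `some OU, _ in input.policies`, the form the new 12.1 rule later in this series uses, so linters do not flag an unused binding. The same applies to the Policy API rule for NonCompliantOUs9_1 in Gmail.rego, which reads both settings through `utils.ApiSettingExists`/`utils.GetApiSettingValue` and never touches `settings`. The 16.2 rule's head starts outside this hunk.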
@@ -63,9 +84,9 @@ tests contains { "NoSuchEvent": true } if { + not PolicyApiInUse DefaultSafe := true - Events := utils.FilterEventsOU(LogEvents, "ENABLE_MAIL_DELEGATION_WITHIN_DOMAIN", utils.TopLevelOU) - count(Events) == 0 + not Check1_1_OK } tests contains { @@ -77,8 +98,7 @@ tests contains { "NoSuchEvent": false } if { - Events := utils.FilterEventsOU(LogEvents, "ENABLE_MAIL_DELEGATION_WITHIN_DOMAIN", utils.TopLevelOU) - count(Events) > 0 + Check1_1_OK Status := count(NonCompliantOUs1_1) == 0 } #-- @@ -318,7 +338,8 @@ if { NonCompliantOUs5_1 contains { "Name": OU, "Value": NonComplianceMessage5_1(GetFriendlyEnabledValue(noEncrypt)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) noEncrypt := settings.gmail_email_attachment_safety.enableEncryptedAttachmentProtection @@ -332,7 +353,8 @@ tests contains { "ActualValue": "No relevant event in the current logs", "RequirementMet": DefaultSafe, "NoSuchEvent": true -} if { +} +if { not PolicyApiInUse DefaultSafe := true not Check5_1_OK @@ -389,7 +411,8 @@ if { NonCompliantOUs5_2 contains { "Name": OU, "Value": NonComplianceMessage5_2(GetFriendlyEnabledValue(noEncrypt)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) noEncrypt := settings.gmail_email_attachment_safety.enableAttachmentWithScriptsProtection @@ -462,7 +485,8 @@ if { NonCompliantOUs5_3 contains { "Name": OU, "Value": NonComplianceMessage5_3(GetFriendlyEnabledValue(protectAtt)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) protectAtt := settings.gmail_email_attachment_safety.enableAnomalousAttachmentProtection @@ -534,7 +558,8 @@ if { NonCompliantOUs5_4 contains { "Name": OU, "Value": NonComplianceMessage5_4(GetFriendlyEnabledValue(futureAtt)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) futureAtt := settings.gmail_email_attachment_safety.applyFutureRecommendedSettingsAutomatically 
@@ -647,7 +672,8 @@ NonCompliantOUs5_5 contains { "Value": GetFriendlyValue5_5(LastEventEncryptedAttachment.NewValue, LastEventAttachmentWithScripts.NewValue, LastEventAnomalousAttachment.NewValue) -} if { +} +if { not PolicyApiInUse some OU in utils.OUsWithEvents EncryptedAttachmentEvents := utils.FilterEventsOU(LogEvents, @@ -685,7 +711,8 @@ AttachConfigs := [ NonCompliantOUs5_5 contains { "Name": OU, "Value": NonComplianceMessage5_5(types) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) types := [config.type | @@ -769,7 +796,8 @@ NonComplianceMessage6_1(value) := sprintf("Identify links behind shortened URLs NonCompliantOUs6_1 contains { "Name": OU, "Value": NonComplianceMessage6_1(GetFriendlyEnabledValue(LastEvent.NewValue)) -} if { +} +if { not PolicyApiInUse some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, LogMessage6_1, OU) @@ -782,7 +810,8 @@ NonCompliantOUs6_1 contains { NonCompliantOUs6_1 contains { "Name": OU, "Value": NonComplianceMessage6_1(GetFriendlyEnabledValue(shortLinks)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) shortLinks := settings.gmail_links_and_external_images.enableShortenerScanning @@ -853,7 +882,8 @@ if { NonCompliantOUs6_2 contains { "Name": OU, "Value": NonComplianceMessage6_2(GetFriendlyEnabledValue(scanImages)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) scanImages := settings.gmail_links_and_external_images.enableExternalImageScanning @@ -927,7 +957,8 @@ if { NonCompliantOUs6_3 contains { "Name": OU, "Value": NonComplianceMessage6_3(GetFriendlyEnabledValue(warnEnabled)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) warnEnabled := settings.gmail_links_and_external_images.enableAggressiveWarningsOnUntrustedLinks 
@@ -1000,7 +1031,8 @@ if { NonCompliantOUs6_4 contains { "Name": OU, "Value": NonComplianceMessage6_4(GetFriendlyEnabledValue(applyFuture)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) applyFuture := settings.gmail_links_and_external_images.applyFutureSettingsAutomatically @@ -1095,7 +1127,8 @@ if { NonCompliantOUs7_1 contains { "Name": OU, "Value": NonComplianceMessage7_1(GetFriendlyEnabledValue(spoofProtect)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) spoofProtect := settings.gmail_spoofing_and_authentication.detectDomainNameSpoofing @@ -1168,7 +1201,8 @@ if { NonCompliantOUs7_2 contains { "Name": OU, "Value": NonComplianceMessage7_2(GetFriendlyEnabledValue(spoofProtect)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) spoofProtect := settings.gmail_spoofing_and_authentication.detectEmployeeNameSpoofing @@ -1241,7 +1275,8 @@ if { NonCompliantOUs7_3 contains { "Name": OU, "Value": NonComplianceMessage7_3(GetFriendlyEnabledValue(spoofProtect)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) spoofProtect := settings.gmail_spoofing_and_authentication.detectDomainSpoofingFromUnauthenticatedSenders @@ -1314,7 +1349,8 @@ if { NonCompliantOUs7_4 contains { "Name": OU, "Value": NonComplianceMessage7_4(GetFriendlyEnabledValue(unauthEmail)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) unauthEmail := settings.gmail_spoofing_and_authentication.detectUnauthenticatedEmails @@ -1387,7 +1423,8 @@ if { NonCompliantOUs7_5 contains { "Name": OU, "Value": NonComplianceMessage7_5(GetFriendlyEnabledValue(detectSpoof)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) detectSpoof := settings.gmail_spoofing_and_authentication.detectDomainSpoofingFromUnauthenticatedSenders 
@@ -1515,7 +1552,8 @@ NonCompliantOUs7_6 contains { "Value": GetFriendlyValue7_6(LastEventDomainNames.NewValue, LastEventEmployeeNames.NewValue, LastEventInboundEmails.NewValue, LastEventUnauthenticatedEmails.NewValue, LastEventGroupEmails.NewValue) -} if { +} +if { not PolicyApiInUse some OU in utils.OUsWithEvents @@ -1570,7 +1608,8 @@ SpoofConfigs := [ NonCompliantOUs7_6 contains { "Name": OU, "Value": NonComplianceMessage7_6(types) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) types := [config.type | @@ -1647,7 +1686,8 @@ if { NonCompliantOUs7_7 contains { "Name": OU, "Value": NonComplianceMessage7_7(GetFriendlyEnabledValue(applyFuture)) -} if { +} +if { some OU, settings in input.policies GmailEnabled(OU) applyFuture := settings.gmail_spoofing_and_authentication.applyFutureSettingsAutomatically 
@@ -1710,21 +1750,42 @@ tests contains { GmailId8_1 := utils.PolicyIdWithSuffix("GWS.GMAIL.8.1") +LogMessage8_1 := "ENABLE_EMAIL_USER_IMPORT" + +Check8_1_OK if { + not PolicyApiInUse + events := utils.FilterEventsOU(LogEvents, LogMessage8_1, utils.TopLevelOU) + count(events) > 0 +} + +Check8_1_OK if {PolicyApiInUse} + +NonComplianceMessage8_1(value) := sprintf("User email uploads is %s", [value]) + NonCompliantOUs8_1 contains { "Name": OU, - "Value": concat(" ", [ - "User email uploads is set to", - GetFriendlyEnabledValue(LastEvent.NewValue) - ]) + "Value": NonComplianceMessage8_1(GetFriendlyEnabledValue(LastEvent.NewValue)) } if { + not PolicyApiInUse some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, "ENABLE_EMAIL_USER_IMPORT", OU) + Events := utils.FilterEventsOU(LogEvents, LogMessage8_1, OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) LastEvent.NewValue == "true" } +NonCompliantOUs8_1 contains { + "Name": OU, + "Value": NonComplianceMessage8_1(GetFriendlyEnabledValue(emailUploads)) +} +if { + some OU, settings in input.policies + GmailEnabled(OU) + emailUploads := settings.gmail_user_email_uploads.enableMailAndContactsImport + emailUploads +} + tests contains { "PolicyId": GmailId8_1, "Criticality": "Shall", @@ -1734,9 +1795,9 @@ tests contains { "NoSuchEvent": true } if { + not PolicyApiInUse DefaultSafe := true - Events := utils.FilterEventsOU(LogEvents, "ENABLE_EMAIL_USER_IMPORT", utils.TopLevelOU) - count(Events) == 0 + not Check8_1_OK } tests contains { @@ -1748,8 +1809,7 @@ tests contains { "NoSuchEvent": false } if { - Events := utils.FilterEventsOU(LogEvents, "ENABLE_EMAIL_USER_IMPORT", utils.TopLevelOU) - count(Events) > 0 + Check8_1_OK Status := count(NonCompliantOUs8_1) == 0 } #-- 
@@ -1764,6 +1824,12 @@ if { GmailId9_1 := utils.PolicyIdWithSuffix("GWS.GMAIL.9.1") +Check9_1_OK if { + not NoSuchEvent9_1(utils.TopLevelOU) +} + +Check9_1_OK if {PolicyApiInUse} + default NoSuchEvent9_1(_) := false NoSuchEvent9_1(TopLevelOU) := true if { @@ -1779,7 +1845,7 @@ NoSuchEvent9_1(TopLevelOU) := true if { GetFriendlyValue9_1(ImapEnabled, PopEnabled) := Description if { ImapEnabled == true PopEnabled == true - Description := "POP and IMAP access are enabled" + Description := "IMAP and POP access are enabled" } else := Description if { ImapEnabled == true PopEnabled == false @@ -1788,7 +1854,7 @@ GetFriendlyValue9_1(ImapEnabled, PopEnabled) := Description if { ImapEnabled == false PopEnabled == true Description := "POP access is enabled" -} else := "Both POP and IMAP access are disabled" +} else := "Both IMAP and POP access are disabled" NonCompliantOUs9_1 contains { @@ -1796,6 +1862,7 @@ NonCompliantOUs9_1 contains { "Value": GetFriendlyValue9_1(ImapEnabled, PopEnabled) } if { + not PolicyApiInUse some OU in utils.OUsWithEvents ImapEvents := utils.FilterEventsOU(LogEvents, "IMAP_ACCESS", OU) @@ -1819,6 +1886,7 @@ NonCompliantGroups9_1 contains { "Value": GetFriendlyValue9_1(ImapEnabled, PopEnabled) } if { + not PolicyApiInUse some Group in utils.GroupsWithEvents ImapEvents := utils.FilterEventsGroup(LogEvents, "IMAP_ACCESS", Group) 
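Review bot: `Check9_1_OK if { not NoSuchEvent9_1(utils.TopLevelOU) }` omits the `not PolicyApiInUse` guard that the sibling `Check1_1_OK`, `Check8_1_OK`, `Check10_1_OK` and `Check12_1_OK` rules introduced in this patch carry on their log-based branch. The outcome is the same because the second rule makes Check9_1_OK true whenever the Policy API is in use, but the log lookup inside NoSuchEvent9_1 (whose body continues outside this hunk) still evaluates in that mode; adding `not PolicyApiInUse` as the first line keeps the five Check rules parallel and avoids the redundant evaluation.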
@@ -1837,6 +1905,25 @@ if {
 }
 }
+NonCompliantOUs9_1 contains {
+ "Name": OU,
+ "Value": GetFriendlyValue9_1(imapEnable, popEnable)
+}
+if {
+ some OU, settings in input.policies
+ GmailEnabled(OU)
+ imapSection := "gmail_imap_access"
+ imapSetting := "enableImapAccess"
+ popSection := "gmail_pop_access"
+ popSetting := "enablePopAccess"
+ imapSet := utils.ApiSettingExists(imapSection, imapSetting, OU)
+ popSet := utils.ApiSettingExists(popSection, popSetting, OU)
+ true in {imapSet, popSet}
+ imapEnable := utils.GetApiSettingValue(imapSection, imapSetting, OU)
+ popEnable := utils.GetApiSettingValue(popSection, popSetting, OU)
+ true in {imapEnable, popEnable}
+}
+
 tests contains {
 "PolicyId": GmailId9_1,
 "Criticality": "Shall",
@@ -1846,8 +1933,9 @@ tests contains {
 "NoSuchEvent": true
 } if {
+ not PolicyApiInUse
 DefaultSafe := false
- NoSuchEvent9_1(utils.TopLevelOU)
+ not Check9_1_OK
 }
 tests contains {
@@ -1859,8 +1947,7 @@ tests contains {
 "NoSuchEvent": false
 } if {
- not NoSuchEvent9_1(utils.TopLevelOU)
-
+ Check9_1_OK
 Conditions := {count(NonCompliantOUs9_1) == 0, count(NonCompliantGroups9_1) == 0}
 Status := (false in Conditions) == false
 }
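Review bot: The new NonCompliantOUs9_1 Policy API rule gates on `true in {imapSet, popSet}` (at least one setting explicitly present in the OU) and then reads both values with `utils.GetApiSettingValue`, but the reason for this exists-then-read pattern — unlike the direct `settings.<section>.<field>` access every other Gmail rule in this patch uses — is not stated. If `GetApiSettingValue` falls back to an inherited value (confirm against Utils.rego, not in this hunk), an OU that sets only POP explicitly is reported together with the inherited IMAP state, which may be intended but should be recorded; suggest a comment above `imapSet := ...` such as `# Report the OU if either setting is set here; read both so the message reflects the combined IMAP/POP state`. Note also that the log-based path reports groups via NonCompliantGroups9_1, which this patch guards with `not PolicyApiInUse`, while this rule has no group counterpart, so under the Policy API the group count in `Conditions` below is always zero.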
@@ -1876,22 +1963,44 @@ if { GmailId10_1 := utils.PolicyIdWithSuffix("GWS.GMAIL.10.1") +LogMessage10_1 := "ENABLE_OUTLOOK_SYNC" + +Check10_1_OK if { + not PolicyApiInUse + events := utils.FilterEventsOU(LogEvents, LogMessage10_1, utils.TopLevelOU) + count(events) > 0 +} + +Check10_1_OK if {PolicyApiInUse} + +NonComplianceMessage10_1(value) := sprintf("Google Workspace Sync is %s", + [value]) + NonCompliantOUs10_1 contains { "Name": OU, - "Value": concat(" ", [ - "Automatically enable outlook sync is set to", - GetFriendlyEnabledValue(LastEvent.NewValue) - ]) + "Value": NonComplianceMessage10_1(GetFriendlyEnabledValue(LastEvent.NewValue)) } if { + not PolicyApiInUse some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, "ENABLE_OUTLOOK_SYNC", OU) + Events := utils.FilterEventsOU(LogEvents, LogMessage10_1, OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) LastEvent.NewValue == "true" LastEvent.NewValue != "INHERIT_FROM_PARENT" } +NonCompliantOUs10_1 contains { + "Name": OU, + "Value": NonComplianceMessage10_1(GetFriendlyEnabledValue(syncEnable)) +} +if { + some OU, settings in input.policies + GmailEnabled(OU) + syncEnable := settings.gmail_workspace_sync_for_outlook.enableGoogleWorkspaceSyncForMicrosoftOutlook + syncEnable +} + tests contains { "PolicyId": GmailId10_1, "Criticality": "Shall", @@ -1901,9 +2010,9 @@ tests contains { "NoSuchEvent": true } if { + not PolicyApiInUse DefaultSafe := false - Events := utils.FilterEventsOU(LogEvents, "ENABLE_OUTLOOK_SYNC", utils.TopLevelOU) - count(Events) == 0 + not Check10_1_OK } tests contains { @@ -1915,8 +2024,7 @@ tests contains { "NoSuchEvent": false } if { - Events := utils.FilterEventsOU(LogEvents, "ENABLE_OUTLOOK_SYNC", utils.TopLevelOU) - count(Events) > 0 + Check10_1_OK Status := count(NonCompliantOUs10_1) == 0 } #-- @@ -2014,7 +2122,6 @@ if { } #-- - ################ # GWS.GMAIL.12 # ################ 
@@ -2025,21 +2132,43 @@ if { GmailId12_1 := utils.PolicyIdWithSuffix("GWS.GMAIL.12.1") +LogMessage12_1 := "OUTBOUND_RELAY_ENABLED" + +Check12_1_OK if { + not PolicyApiInUse + events := utils.FilterEventsOU(LogEvents, LogMessage12_1, utils.TopLevelOU) + count(events) > 0 +} + +Check12_1_OK if {PolicyApiInUse} + +NonComplianceMessage12_1(value) := sprintf("Per-user Outbound Gateways are %s", + [value]) + NonCompliantOUs12_1 contains { "Name": OU, - "Value": concat(" ", [ - "Allow per-user outbound gateways is set to", - GetFriendlyEnabledValue(LastEvent.NewValue) - ]) + "Value": NonComplianceMessage12_1(GetFriendlyEnabledValue(LastEvent.NewValue)) } if { + not PolicyApiInUse some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, "OUTBOUND_RELAY_ENABLED", OU) + Events := utils.FilterEventsOU(LogEvents, LogMessage12_1, OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) LastEvent.NewValue == "true" } +NonCompliantOUs12_1 contains { + "Name": OU, + "Value": NonComplianceMessage12_1(GetFriendlyEnabledValue(outGatewayEnable)) +} +if { + some OU, settings in input.policies + GmailEnabled(OU) + outGatewayEnable := settings.gmail_per_user_outbound_gateway.allowUsersToUseExternalSmtpServers + outGatewayEnable +} + tests contains { "PolicyId": GmailId12_1, "Criticality": "Shall", @@ -2049,9 +2178,9 @@ tests contains { "NoSuchEvent": true } if { + not PolicyApiInUse DefaultSafe := true - Events := utils.FilterEventsOU(LogEvents, "OUTBOUND_RELAY_ENABLED", utils.TopLevelOU) - count(Events) == 0 + not Check12_1_OK } tests contains { @@ -2063,13 +2192,11 @@ tests contains { "NoSuchEvent": false } if { - Events := utils.FilterEventsOU(LogEvents, "OUTBOUND_RELAY_ENABLED", utils.TopLevelOU) - count(Events) > 0 + Check12_1_OK Status := count(NonCompliantOUs12_1) == 0 } #-- - ################ # GWS.GMAIL.13 # ################ @@ -2133,7 +2260,6 @@ if { } #-- - ################ # GWS.GMAIL.14 # ################ 
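Review bot: The Policy API rule for NonCompliantOUs12_1 reads `settings.gmail_per_user_outbound_gateway.allowUsersToUseExternalSmtpServers`, but `gmail_per_user_outbound_gateway` is not among the settings added to the PolicyAPI schema map in this patch (the Gmail additions there are imap_access, mail_delegation, pop_access, user_email_uploads and workspace_sync_for_outlook). If that key is not already present in the map, the setting never reaches `input.policies`, the rule body is undefined for every OU, and the second test rule sees `count(NonCompliantOUs12_1) == 0` and reports the requirement met — a silent pass rather than a finding. Please confirm the key exists in the schema or add `'gmail_per_user_outbound_gateway': {'settings': {'allowUsersToUseExternalSmtpServers': isBool}},` alongside the other Gmail entries, and cover 12.1 with a Policy API test in the non-compliant direction.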
@@ -2269,7 +2395,8 @@ if {
 NonCompliantOUs15_1 contains {
 "Name": OU,
 "Value": NonComplianceMessage15_1(GetFriendlyValue15_1(preScanning))
-} if {
+}
+if {
 some OU, settings in input.policies
 GmailEnabled(OU)
 preDelivery := settings.gmail_enhanced_pre_delivery_message_scanning
diff --git a/scubagoggles/rego/Utils.rego b/scubagoggles/rego/Utils.rego
index 2696663b..bfe4313a 100644
--- a/scubagoggles/rego/Utils.rego
+++ b/scubagoggles/rego/Utils.rego
@@ -554,6 +554,17 @@ AppEnabled(policies, appName, orgunit) if {
 upper(appState) == "ENABLED"
 }
+# Use the following function if you need to know if the app enable state has
+# been explicitly set in the given orgunit or group. The above functions will
+# tell you whether the app is enabled, but its state may be due to inheriting
+# the state from the top-level orgunit. In some cases, you need to know
+# whether the state has been explicitly set (not inherited).
+
+AppExplicitStatus(policies, appName, orgunit) := appState if {
+ serviceStatusName := AppServiceStatusName(appName)
+ appState := upper(policies[orgunit][serviceStatusName].serviceState)
+} else := ""
+
 # There are a lot of policies that have enabled/disabled states. The states
 # (values) in the log events are strings ("true", "false), while the states
 # in the Policy API are booleans (true, false). This is a common function
@@ -581,3 +592,20 @@ DurationToSeconds(duration) := durationSeconds if {
 multiplier := multipliers[lower(unit)]
 durationSeconds := value * multiplier
 }
+
+# Google will often return durations in seconds, but the values correspond to
+# a "common" duration (that is usually a choice in the UI). This function
+# will convert the given seconds to a duration other than seconds that will
+# (hopefully) make more sense to the user.
+
+GetFriendlyDuration(Seconds) := "30 days" if {
+ Seconds == 2592000
+} else := "14 days" if {
+ Seconds == 1209600
+} else := "7 days" if {
+ Seconds == 604800
+} else := "24 hours" if {
+ Seconds == 86400
+} else := "20 hours" if {
+ Seconds == 72000
+} else := sprintf("%d seconds", [Seconds])
From ae641ea402e6072d2c29869ea1f33e2a49f87226 Mon Sep 17 00:00:00 2001
From: Roy Lane
Date: Sun, 22 Dec 2024 16:10:11 -0500
Subject: [PATCH 3/4] commoncontrols 12.1: correct Policy API implementation
---
 .../commoncontrols_api12_test.rego | 15 ++++++++----
 scubagoggles/rego/Commoncontrols.rego | 24 +++++++++++++------
 scubagoggles/rego/Utils.rego | 5 ++--
 3 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego
index 31a7eda7..e10f736d 100644
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego
+++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api12_test.rego
@@ -7,7 +7,7 @@ import data.utils.PassTestResult
 GoodCaseInputApi12 := {
 "policies": {
 "topOU": {
- "takeout_service_status": {"serviceState": "ENABLED"},
+ "takeout_service_status": {"serviceState": "DISABLED"},
 "blogger_user_takeout": {"takeoutStatus": "DISABLED"},
 "books_user_takeout": {"takeoutStatus": "DISABLED"},
 "location_history_user_takeout": {"takeoutStatus": "DISABLED"},
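Review bot: `GetFriendlyDuration` recognises only five fixed values and renders everything else as `%d seconds`, so any duration outside the table — now including every 4.1 web-session value other than the five listed and the "never expires" case kept in GetFriendlyValue4_1 — reaches the report as a raw seconds count. Deriving the unit instead of enumerating values keeps the five listed outputs identical and covers the rest: insert `} else := sprintf("%d hours", [Seconds / 3600]) if {` / `    Seconds % 3600 == 0` before the final seconds fallback, with a matching days branch (mind the singular form for 1). The `%d` fallback also assumes Seconds is a number; if any caller can pass the API's duration string, `DurationToSeconds` above should be applied first.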
@@ -20,7 +20,7 @@ GoodCaseInputApi12 := { }, "nextOU": { "takeout_service_status": {"serviceState": "DISABLED"}, - "blogger_user_takeout": {"takeoutStatus": "ENABLED"} + "blogger_user_takeout": {"takeoutStatus": "DISABLED"} } }, "tenant_info": { @@ -63,11 +63,12 @@ BadCaseInputApi12a := { "youtube_user_takeout": {"takeoutStatus": "DISABLED"} }, "nextOU": { - "location_history_user_takeout": {"takeoutStatus": "ENABLED"}, + "takeout_service_status": {"serviceState": "DISABLED"}, "play_console_user_takeout": {"takeoutStatus": "ENABLED"}, "youtube_user_takeout": {"takeoutStatus": "ENABLED"} }, "thirdOU": { + "takeout_service_status": {"serviceState": "ENABLED"}, "blogger_user_takeout": {"takeoutStatus": "ENABLED"}, "maps_user_takeout": {"takeoutStatus": "ENABLED"}, "play_user_takeout": {"takeoutStatus": "ENABLED"}, @@ -102,6 +103,8 @@ test_Takeout_Incorrect_1 if { "play", "youtube"] failedOU := [{"Name": "topOU", + "Value": NonComplianceMessage12_1a}, + {"Name": "topOU", "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -110,11 +113,13 @@ test_Takeout_Incorrect_2 if { PolicyId := CommonControlsId12_1 Output := tests with input as BadCaseInputApi12a - EnabledApps1 := ["location_history", "play_console", "youtube"] + EnabledApps1 := ["play_console", "youtube"] EnabledApps2 := ["blogger", "maps", "play"] failedOU := [{"Name": "nextOU", "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps1))}, + {"Name": "thirdOU", "Value": NonComplianceMessage12_1a}, {"Name": "thirdOU", - "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps2))}] + "Value": NonComplianceMessage12_1(TakeoutApps(EnabledApps2))}, + {"Name": "topOU", "Value": NonComplianceMessage12_1a}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego index 6292347a..97792776 100644 --- a/scubagoggles/rego/Commoncontrols.rego 
+++ b/scubagoggles/rego/Commoncontrols.rego
@@ -2022,6 +2022,12 @@ if {
 # GWS.COMMONCONTROLS.12 #
 #########################
+#
+# Baseline GWS.COMMONCONTROLS.12.1
+#--
+
+CommonControlsId12_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.12.1")
+
 LogMessage12_1 := "UserTakeoutSettingsProto User Takeout "
 Msg12_1 := "The following apps with individual admin control have Takeout enabled: %s"
@@ -2153,10 +2159,6 @@ if {
 count(EnabledApps) > 0
 }
-#
-# Baseline GWS.COMMONCONTROLS.12.1
-#--
-
 default NoSuchEvent12_1 := false
 NoSuchEvent12_1 := true if {
@@ -2169,8 +2171,6 @@ NoSuchEvent12_1 := true if {
 count(Events) == 0
 }
-CommonControlsId12_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.12.1")
-
 Check12_1_OK if {
 not PolicyApiInUse
 not NoSuchEvent12_1
@@ -2178,6 +2178,17 @@ Check12_1_OK if {
 Check12_1_OK if {PolicyApiInUse}
+NonCompliantOUs12_1 contains {
+ "Name": OU,
+ "Value": NonComplianceMessage12_1a
+
+}
+if {
+ some OU, _ in input.policies
+ takeoutStatus := utils.AppExplicitStatus(input.policies, "takeout", OU)
+ takeoutStatus != "DISABLED"
+}
+
 Takeout := {"blogger": "Blogger",
 "books": "Google Books",
 "location_history": "Timeline - Location History",
@@ -2195,7 +2206,6 @@ NonCompliantOUs12_1 contains {
 } if {
 some OU, settings in input.policies
- utils.AppEnabled(input.policies, "takeout", OU)
 EnabledApps :=[value |
 some key, value in Takeout
 section := sprintf("%s_user_takeout", [key])
diff --git a/scubagoggles/rego/Utils.rego b/scubagoggles/rego/Utils.rego
index bfe4313a..b9e00118 100644
--- a/scubagoggles/rego/Utils.rego
+++ b/scubagoggles/rego/Utils.rego
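Review bot: The new NonCompliantOUs12_1 rule has a stray blank line inside its set-element literal, between `"Value": NonComplianceMessage12_1a` and the closing `}`; drop it so the head matches the other rules in the file. `NonComplianceMessage12_1a` is not defined in any hunk of this patch, so confirm it exists in Commoncontrols.rego (the updated test file relies on it as well). The rule also depends on `utils.AppExplicitStatus` being undefined for OUs without an explicit `takeout_service_status`, which is the Utils.rego change in this same patch; with the earlier `else := ""` every inheriting OU would have satisfied `takeoutStatus != "DISABLED"` and been reported.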
@@ -558,12 +558,13 @@ AppEnabled(policies, appName, orgunit) if {
 # been explicitly set in the given orgunit or group. The above functions will
 # tell you whether the app is enabled, but its state may be due to inheriting
 # the state from the top-level orgunit. In some cases, you need to know
-# whether the state has been explicitly set (not inherited).
+# whether the state has been explicitly set (not inherited). This function
+# returns "ENABLED", "DISABLED" if explicitly set; it's undefined otherwise.
 AppExplicitStatus(policies, appName, orgunit) := appState if {
 serviceStatusName := AppServiceStatusName(appName)
 appState := upper(policies[orgunit][serviceStatusName].serviceState)
-} else := ""
+}
 # There are a lot of policies that have enabled/disabled states. The states
 # (values) in the log events are strings ("true", "false), while the states
From ff2e82e2d3ca5b056a00da086e519a4cefdd0c2f Mon Sep 17 00:00:00 2001
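Review bot: The new doc sentence says AppExplicitStatus `returns "ENABLED", "DISABLED" if explicitly set`, but the body returns `upper(...serviceState)` unchanged, so any other serviceState value the API emits passes through as well and callers comparing against one literal should be aware of that. Suggest `# returns the upper-cased serviceState (normally "ENABLED" or "DISABLED") when it is explicitly set in the orgunit; undefined otherwise.` Since the function is now undefined rather than `""` when unset, every caller must tolerate an undefined result — the 12.1 and 16.2 rules do so because an undefined comparison simply fails the rule body.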
From: Roy Lane Date: Tue, 7 Jan 2025 11:58:36 -0500 Subject: [PATCH 4/4] common controls rego: remove log event implementation for 1.1 - 1.3, 4.1, 5.1 - 5.6, 8.1, 10.5, 11.1, 12.1, & 16.2 --- .../commoncontrols/commoncontrols01_test.rego | 880 ----------- .../commoncontrols/commoncontrols04_test.rego | 316 ---- .../commoncontrols/commoncontrols05_test.rego | 1384 ----------------- .../commoncontrols/commoncontrols08_test.rego | 345 ---- .../commoncontrols/commoncontrols10_test.rego | 200 --- .../commoncontrols/commoncontrols11_test.rego | 450 ------ .../commoncontrols/commoncontrols12_test.rego | 224 --- .../commoncontrols/commoncontrols16_test.rego | 277 ---- scubagoggles/rego/Commoncontrols.rego | 1093 +------------ 9 files changed, 34 insertions(+), 5135 deletions(-) delete mode 100644 scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego delete mode 100644 scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols05_test.rego delete mode 100644 scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols08_test.rego delete mode 100644 scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego delete mode 100644 scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols12_test.rego diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols01_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols01_test.rego index c689f1b5..29e7c172 100644 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols01_test.rego +++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols01_test.rego 
@@ -1,886 +1,6 @@ package commoncontrols import future.keywords -# -# GWS.COMMONCONTROLS.1.1 -#-- -test_EnforceMFA_Correct_V1 if { - # Test enforcing MFA when there's only one event - PolicyId := CommonControlsId1_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ALLOW_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "parameters": [ - {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." 
-} - -test_EnforceMFA_Correct_V2 if { - # Test enforcing MFA when there's multiple events, with the chronological latest - # correct but not last in json list - PolicyId := CommonControlsId1_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ALLOW_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "parameters": [ - {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." 
-} - -test_EnforceMFA_Incorrect_V1 if { - # Test enforcing MFA when there's only one event and it's wrong - PolicyId := CommonControlsId1_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ALLOW_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "parameters": [ - {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
    ", - "
  • Test Top-Level OU: 2-Step Verification Enforcement is OFF
  • ", - "
" - ]) -} - -test_EnforceMFA_Incorrect_V2 if { - # Test enforcing MFA when there's multiple events, with the chronological latest - # incorrect but not last in json list - PolicyId := CommonControlsId1_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ALLOW_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "parameters": [ - {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
    ", - "
  • Test Top-Level OU: 2-Step Verification Enforcement is OFF
  • ", - "
" - ]) -} - - -test_EnforceMFA_Incorrect_V3 if { - # Test enforcing MFA when there's no enforce mfa event - PolicyId := CommonControlsId1_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, ", - "Test Top-Level OU. While we are unable ", - "to determine the state from the logs, the default setting ", - "is non-compliant; manual check recommended." - ])} - -test_EnforceMFA_Incorrect_V4 if { - # Test enforcing MFA when there's no change methods event - PolicyId := CommonControlsId1_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, ", - "Test Top-Level OU. While we are unable ", - "to determine the state from the logs, the default setting ", - "is non-compliant; manual check recommended." 
- ]) -} - -test_EnforceMFA_Incorrect_V5 if { - # Test, mfa not allowed - PolicyId := CommonControlsId1_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ALLOW_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "parameters": [ - {"name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", "value": "ONLY_SECURITY_KEY"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
    ", - "
  • Test Top-Level OU: Allow users to turn on 2-Step Verification is OFF
  • ", - "
" - ]) -} - -test_EnforceMFA_Incorrect_V6 if { - # Test, mfa not phishing resistant - PolicyId := CommonControlsId1_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ALLOW_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "parameters": [ - { - "name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", - "value": "NO_TELEPHONY" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
    ", - "
  • Test Top-Level OU: Allowed methods is set to Any except verification codes via text, phone call
  • ", - "
" - ]) -} - -test_EnforceMFA_Incorrect_V7 if { - # Test, mfa not phishing resistant - PolicyId := CommonControlsId1_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ALLOW_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "parameters": [ - { - "name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", - "value": "NO_TELEPHONY" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", - "parameters": [ - { - "name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", - "value": "NO_TELEPHONY" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "GROUP_EMAIL", "value": "test@test.com"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
    ", - "
  • Test Top-Level OU: Allowed methods is set to Any except verification codes via text, phone call
  • ", - "
", - "
", - "The following groups are non-compliant:
    ", - "
  • test@test.com: Allowed methods is set to Any except verification codes via text, phone call
  • ", - "
", - ]) -} -#-- - -# -# GWS.COMMONCONTROLS.1.2 -#-- -test_Enforcement_Correct_V1 if { - # Test enforcing MFA when there's only one event - PolicyId := CommonControlsId1_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "1 week"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." -} - -test_Enforcement_Correct_V2 if { - # Test enforcing MFA when there's multiple events, with the chronological latest - # correct but not last in json list - PolicyId := CommonControlsId1_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "1 week"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "ENFORCE_STRONG_AUTHENTICATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "1 day"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." 
-} - -test_Enforcement_Correct_V3 if { - # Test enforcing MFA inheritance - PolicyId := CommonControlsId1_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "1 week"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "2 weeks"}, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - ] - }] - }, - { - "id": {"time": "2023-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "INHERIT_FROM_PARENT"}, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." 
-} - -test_Enforcement_Incorrect_V1 if { - # Test enforcing MFA when there's only one event and it's wrong - PolicyId := CommonControlsId1_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "2 weeks"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
    ", - "
  • Test Top-Level OU: New user enrollment period is set to 2 weeks
  • ", - "
" - ]) -} - -test_Enforcement_Incorrect_V2 if { - # Test enforcing MFA when there's multiple events, with the chronological latest - # incorrect but not last in json list - PolicyId := CommonControlsId1_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "2 weeks"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "1 week"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
    ", - "
  • Test Top-Level OU: New user enrollment period is set to 2 weeks
  • ", - "
" - ]) -} - - -test_Enforcement_Incorrect_V3 if { - # Test enforcing MFA when there no applicable event - PolicyId := CommonControlsId1_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "SOMETHING_ELSE", - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, ", - "Test Top-Level OU. While we are unable ", - "to determine the state from the logs, the default setting ", - "is non-compliant; manual check recommended." - ]) -} - -# -# GWS.COMMONCONTROLS.1.3 -#-- - -test_Disable_Trusted_Device_Correct_V1 if { - # Test disable trusted device when there's only one event - PolicyId := CommonControlsId1_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", - "parameters": [ - {"name": "NEW_VALUE", "value": "DISABLE_USERS_TO_TRUST_DEVICE"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." 
-} - -test_Disable_Trusted_Device_Correct_V2 if { - # Test disabled trusted device when there's multiple events, with the chronological latest - # correct but not last in json list - PolicyId := CommonControlsId1_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", - "parameters": [ - {"name": "NEW_VALUE", "value": "DISABLE_USERS_TO_TRUST_DEVICE"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "ENABLE_USERS_TO_TRUST_DEVICE"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." -} - -test_Disable_Trusted_Device_Incorrect_V1 if { - # Test disable trusted device when there's only one event and it's wrong - PolicyId := CommonControlsId1_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", - "parameters": [ - {"name": "NEW_VALUE", "value": "ENABLE_USERS_TO_TRUST_DEVICE"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
    ", - "
  • Test Top-Level OU: Allow user to trust the device is ON
  • ", - "
" - ]) -} - -test_Disable_Trusted_Device_Incorrect_V2 if { - # Test disabled trusted device when there's multiple events, with the chronological latest - # incorrect but not last in json list - PolicyId := CommonControlsId1_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", - "parameters": [ - {"name": "NEW_VALUE", "value": "ENABLE_USERS_TO_TRUST_DEVICE"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", - "parameters": [ - {"name": "NEW_VALUE", "value": "DISABLE_USERS_TO_TRUST_DEVICE"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:
    ", - "
  • Test Top-Level OU: Allow user to trust the device is ON
  • ", - "
" - ]) -} - - -test_Disable_Trusted_Device_Incorrect_V3 if { - # Test disabled trusted device when there no applicable event - PolicyId := CommonControlsId1_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "SOMETHING_ELSE", - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, ", - "Test Top-Level OU. While we are unable ", - "to determine the state from the logs, the default setting ", - "is non-compliant; manual check recommended." - ]) -} -#-- - # # GWS.COMMONCONTROLS.1.4 #-- diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego deleted file mode 100644 index 8da28392..00000000 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego +++ /dev/null 
@@ -1,316 +0,0 @@
-package commoncontrols
-
-import future.keywords
-import data.utils.FailTestNoEvent
-import data.utils.FailTestOUNonCompliant
-import data.utils.PassTestResult
-
-#
-# GWS.COMMONCONTROLS.4.1
-#--
-test_Limit_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Correct_V2 if {
- # Test 1 event, smaller limit than needed
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "3600"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Correct_V3 if {
- # Test multiple events
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "3600"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "86400"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Correct_V4 if {
- # Test 1 event, tenant_info["topLevelOU"] empty
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "3600"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "" # The rego should needs to be able to infer the top-level OU if it's not provided here
- # input.tenant_info.topLevelOU will be empty when
- # no custom OUs have been created, as in this case
- # the top-level OU cannot be determined via the API.
- # Fortunately, in this case, we know there's literally
- # only one OU, so we can grab the OU listed on any of
- # the events and know that it is the top-level OU
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Correct_V5 if {
- # Test inheritance
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2020-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "4320000"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "DELETE_APPLICATION_SETTING",
- "parameters": [
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Second OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- PassTestResult(PolicyId, Output)
-}
-
-test_Limit_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "86400"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Limit_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "86400"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Limit_Incorrect_V3 if {
- # Test multiple OUs
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "86400"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- },
- {
- "id": {"time": "2023-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Custom OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- failedOU := [{"Name": "Test Top-Level OU",
- "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}]
- FailTestOUNonCompliant(PolicyId, Output, failedOU)
-}
-
-test_Limit_Incorrect_V4 if {
- # Test no relevant events
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-
-test_Limit_Incorrect_V5 if {
- # Test no relevant events in top-level OU
- PolicyId := CommonControlsId4_1
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2023-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "NEW_VALUE", "value": "43200"},
- {"name": "SETTING_NAME", "value": "Session management settings - Session length in seconds"},
- {"name": "ORG_UNIT_NAME", "value": "Custom OU"},
- {"name": "APPLICATION_NAME", "value": "Security"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
-}
-#--
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols05_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols05_test.rego
deleted file mode 100644
index 7b8bb728..00000000
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols05_test.rego
+++ /dev/null
@@ -1,1384 +0,0 @@ -package commoncontrols - -import future.keywords -import data.utils.FailTestNoEvent -import data.utils.FailTestOUNonCompliant -import data.utils.PassTestResult - -# -# GWS.COMMONCONTROLS.5.1 -#-- - -test_Strength_Correct_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "on"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Strength_Correct_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "on"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "off"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Strength_Correct_V3 if { - # Test inheritance - PolicyId := CommonControlsId5_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2020-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - 
{"name": "NEW_VALUE", "value": "on"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "off"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "DELETE_APPLICATION_SETTING", - "parameters": [ - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Strength_Incorrect_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "off"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Enforce strong password is OFF"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Strength_Incorrect_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": 
"off"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "on"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Enforce strong password is OFF"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Strength_Incorrect_V3 if { - # Test no relevant events - PolicyId := CommonControlsId5_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) -} - -test_Strength_Incorrect_V4 if { - # Test no relevant events for top-level ou - PolicyId := CommonControlsId5_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "on"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) -} - -test_Strength_Incorrect_V5 if { - # Test multiple OUs - PolicyId := CommonControlsId5_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": 
"NEW_VALUE", "value": "off"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "on"}, - {"name": "SETTING_NAME", "value": "Password Management - Enforce strong password"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Second-Level OU", - "Value": "Enforce strong password is OFF"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} -#-- - -# -# GWS.COMMONCONTROLS.5.2 -#-- -test_Length_Correct_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Length_Correct_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - 
"parameters": [ - {"name": "NEW_VALUE", "value": "8"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Length_Correct_V3 if { - # Test longer than needed - PolicyId := CommonControlsId5_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "15"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Length_Incorrect_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "8"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage5_2(8)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Length_Incorrect_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "8"}, - {"name": "SETTING_NAME", "value": 
"Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage5_2(8)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Length_Incorrect_V3 if { - # Test no relevant events - PolicyId := CommonControlsId5_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_Length_Incorrect_V4 if { - # Test no relevant events in top-level ou - PolicyId := CommonControlsId5_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_Length_Incorrect_V5 if { - # Test multiple OUs - PolicyId := CommonControlsId5_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - {"name": "SETTING_NAME", 
"value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "10"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage5_2(10)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} -#-- - -# -# GWS.COMMONCONTROLS.5.3 -#-- - -test_Length15_Correct_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "15"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Length15_Correct_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "15"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - 
{"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Length15_Correct_V3 if { - # Test longer than needed - PolicyId := CommonControlsId5_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "20"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Length15_Incorrect_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage5_3(12)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Length15_Incorrect_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password 
length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "15"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage5_3(12)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Length15_Incorrect_V3 if { - # Test no relevant events - PolicyId := CommonControlsId5_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_Length15_Incorrect_V4 if { - # Test no relevant events in top-level ou - PolicyId := CommonControlsId5_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_Length15_Incorrect_V5 if { - # Test multiple OUs - PolicyId := CommonControlsId5_3 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "15"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum 
password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "12"}, - {"name": "SETTING_NAME", "value": "Password Management - Minimum password length"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage5_3(12)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} -#-- - -# -# GWS.COMMONCONTROLS.5.4 -#-- -test_Enforce_Correct_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_4 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "Password Management - Enforce password policy at next login" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Enforce_Correct_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_4 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "Password Management - Enforce password policy at next login" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - 
{ - "name": "SETTING_NAME", - "value": "Password Management - Enforce password policy at next login" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Enforce_Incorrect_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_4 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "Password Management - Enforce password policy at next login" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Enforce password policy at next sign-in is OFF"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Enforce_Incorrect_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_4 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "Password Management - Enforce password policy at next login" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "Password Management - Enforce password policy at next login" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - 
"topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Enforce password policy at next sign-in is OFF"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Enforce_Incorrect_V3 if { - # Test no relevant events - PolicyId := CommonControlsId5_4 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_Enforce_Incorrect_V4 if { - # Test no relevant events in top-level OU - PolicyId := CommonControlsId5_4 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "Password Management - Enforce password policy at next login" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_Enforce_Incorrect_V5 if { - # Test multiple OUs - PolicyId := CommonControlsId5_4 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "Password Management - Enforce password policy at next login" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "Password Management - Enforce password policy at next login" - }, - {"name": "ORG_UNIT_NAME", "value": "Test 
Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Second-Level OU", - "Value": "Enforce password policy at next sign-in is OFF"}, - {"Name": "Test Top-Level OU", - "Value": "Enforce password policy at next sign-in is OFF"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} -#-- - -# -# GWS.COMMONCONTROLS.5.5 -#-- - -test_Reuse_Correct_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Reuse_Correct_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - 
-test_Reuse_Incorrect_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Allow password reuse is ON"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Reuse_Incorrect_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Allow password reuse is ON"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Reuse_Incorrect_V3 if { - # Test no relevant events - PolicyId := CommonControlsId5_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - 
FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) -} - -test_Reuse_Incorrect_V4 if { - # Test no relevant events for top-level OU - PolicyId := CommonControlsId5_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) -} - -test_Reuse_Incorrect_V5 if { - # Test multiple OUs - PolicyId := CommonControlsId5_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "SETTING_NAME", "value": "Password Management - Enable password reuse"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Second-Level OU", - "Value": "Allow password reuse is ON"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} -#-- - -# -# GWS.COMMONCONTROLS.5.6 -#-- - -test_Expire_Correct_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_6 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": 
"2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "0"}, - {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Expire_Correct_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_6 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "0"}, - {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "1"}, - {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Expire_Incorrect_V1 if { - # Test 1 event - PolicyId := CommonControlsId5_6 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "1"}, - {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Password reset frequency 
is 1 days"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Expire_Incorrect_V2 if { - # Test multiple events - PolicyId := CommonControlsId5_6 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "1"}, - {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "0"}, - {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Password reset frequency is 1 days"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Expire_Incorrect_V3 if { - # Test no relevant events - PolicyId := CommonControlsId5_6 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) -} - -test_Expire_Incorrect_V4 if { - # Test no relevant events in top-level OU - PolicyId := CommonControlsId5_6 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "0"}, - {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test 
Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) -} - -test_Expire_Incorrect_V5 if { - # Test multiple OUs - PolicyId := CommonControlsId5_6 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "0"}, - {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "1"}, - {"name": "SETTING_NAME", "value": "Password Management - Password reset frequency"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Password reset frequency is 1 days"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} -#-- diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols08_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols08_test.rego deleted file mode 100644 index ce552538..00000000 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols08_test.rego +++ /dev/null 
@@ -1,345 +0,0 @@ -package commoncontrols - -import future.keywords -import data.utils.FailTestNoEvent -import data.utils.FailTestGroupNonCompliant -import data.utils.FailTestOUNonCompliant -import data.utils.PassTestResult - -# -# GWS.COMMONCONTROLS.8.1 -#-- -test_SelfRecovery_Correct_V1 if { - # Test 1 event - PolicyId := CommonControlsId8_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_SelfRecovery_Correct_V2 if { - # Test 1 event - PolicyId := CommonControlsId8_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_SelfRecovery_Correct_V3 if { - # Test inheritance - PolicyId := CommonControlsId8_1 - Output := tests with 
input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2020-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "DELETE_APPLICATION_SETTING", - "parameters": [ - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_SelfRecovery_Incorrect_V1 if { - # Test 1 event - PolicyId := CommonControlsId8_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Allow super admins to recover their account is ON"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - 
-test_SelfRecovery_Incorrect_V2 if { - # Test multiple events - PolicyId := CommonControlsId8_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": "Allow super admins to recover their account is ON"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_SelfRecovery_Incorrect_V3 if { - # Test no relevant events - PolicyId := CommonControlsId8_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_SelfRecovery_Incorrect_V4 if { - # Test no relevant events in the top-level OU - PolicyId := CommonControlsId8_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - 
]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_SelfRecovery_Incorrect_V5 if { - # Test multiple OUs - PolicyId := CommonControlsId8_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Second-Level OU", - "Value": "Allow super admins to recover their account is ON"}, - {"Name": "Test Top-Level OU", - "Value": "Allow super admins to recover their account is ON"}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_SelfRecovery_Incorrect_V6 if { - # Test group - PolicyId := CommonControlsId8_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", 
"value": "true"}, - { - "name": "SETTING_NAME", - "value": "AdminAccountRecoverySettingsProto Enable admin account recovery" - }, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "GROUP_EMAIL", "value": "test@test"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "test@test", - "Value": "Allow super admins to recover their account is ON"}] - FailTestGroupNonCompliant(PolicyId, Output, failedOU) -} -#-- diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego index a5e4855a..7fc8a326 100644 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego +++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego 
@@ -806,203 +806,3 @@ test_Unconfigured_Incorrect_V3 if { FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) } #-- - -# -# GWS.COMMONCONTROLS.10.5 -#-- - -test_Access_Correct_V1 if { - # Test 1 event - PolicyId := CommonControlsId10_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "parameters": [ - {"name": "NEW_VALUE", "value": "DENIED"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Access_Correct_V2 if { - # Test multiple events - PolicyId := CommonControlsId10_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "parameters": [ - {"name": "NEW_VALUE", "value": "DENIED"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOWED"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Access_Incorrect_V1 if { - # Test 1 event - PolicyId := CommonControlsId10_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOWED"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": 
NonComplianceMessage10_5}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Access_Incorrect_V2 if { - # Test multiple events - PolicyId := CommonControlsId10_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOWED"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "parameters": [ - {"name": "NEW_VALUE", "value": "DENIED"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage10_5}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Access_Incorrect_V3 if { - # Test no relevant events - PolicyId := CommonControlsId10_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) -} - -test_Access_Incorrect_V4 if { - # Test no relevant events in top-level OU - PolicyId := CommonControlsId10_5 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "parameters": [ - {"name": "NEW_VALUE", "value": "DENIED"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", true) -} - -test_Access_Incorrect_V5 if { - # Test multiple OUs - PolicyId := CommonControlsId10_5 - Output := tests with input as { - "commoncontrols_logs": 
{"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOWED"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"} - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", - "parameters": [ - {"name": "NEW_VALUE", "value": "DENIED"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Second-Level OU", - "Value": NonComplianceMessage10_5}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} -#-- diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego deleted file mode 100644 index 08095fb7..00000000 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego +++ /dev/null 
@@ -1,450 +0,0 @@ -package commoncontrols - -import future.keywords -import data.utils.FailTestNoEvent -import data.utils.FailTestGroupNonCompliant -import data.utils.FailTestOUNonCompliant -import data.utils.PassTestResult - -# -# GWS.COMMONCONTROLS.11.1 -#-- - -test_Installation_Correct_V1 if { - # Test 1 event - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Installation_Correct_V2 if { - # Test multiple events - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "SOMETHING_ELSE"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - 
{"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Installation_Correct_V3 if { - # Test inheritance - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2020-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOW_ALL"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [{ - "name": "DELETE_APPLICATION_SETTING", - "parameters": [ - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Second OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - } - 
]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Installation_Incorrect_V1 if { - # Test 1 event - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "SOMETHING_ELSE"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage11_1(true)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Installation_Incorrect_V2 if { - # Test multiple events - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "SOMETHING_ELSE"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - 
}] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage11_1(true)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Installation_Incorrect_V3 if { - # Test no relevant events - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_Installation_Incorrect_V4 if { - # Test no relevant events in top-level OU - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) -} - -test_Installation_Incorrect_V5 if { - # Test multiple OUs - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2021-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "something else"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": 
"APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2021-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Second-Level OU", - "Value": NonComplianceMessage11_1(true)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Installation_Incorrect_V6 if { - # Test internal allowed - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting 
allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage11_1(false)}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Installation_Incorrect_V7 if { - # Test group - PolicyId := CommonControlsId11_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "ALLOW_SPECIFIED"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting Allowlist access"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "false"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - }, - { - "id": {"time": "2022-11-20T00:02:28.672Z"}, - "events": [ - { - "parameters": [ - {"name": "NEW_VALUE", "value": "true"}, - {"name": "SETTING_NAME", "value": "Apps Access Setting allow_all_internal_apps"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "GROUP_EMAIL", "value": "test@test"}, - {"name": "APPLICATION_NAME", "value": "Security"} - ] - }, - ] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedGroup := [{"Name": "test@test", - "Value": NonComplianceMessage11_1(false)}] - FailTestGroupNonCompliant(PolicyId, Output, failedGroup) -} -#-- 
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols12_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols12_test.rego
deleted file mode 100644
index 84be48dc..00000000
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols12_test.rego
+++ /dev/null
@@ -1,224 +0,0 @@ -package commoncontrols - -import future.keywords -import data.utils.FailTestGroupNonCompliant -import data.utils.FailTestOUNonCompliant -import data.utils.PassTestResult - -# -# GWS.COMMONCONTROLS.12.1 -#-- - -test_Takeout_Correct_V1 if { - # Test basic correct - PolicyId := CommonControlsId12_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "Disabled"}, - {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Blogger"} - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Google Takeout"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_Takeout_Incorrect_V1 if { - # Test specifc apps allowed, ou - PolicyId := CommonControlsId12_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "Enabled"}, - {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Blogger"} - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "Enabled"}, - {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Google Maps"} - ] - }] - }, - { - "id": {"time": 
"2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Google Takeout"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage12_1(["Blogger", "Google Maps"])}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Takeout_Incorrect_V2 if { - # Test nonspecific apps allowed, ou - PolicyId := CommonControlsId12_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "Disabled"}, - {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Blogger"} - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Google Takeout"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage12_1a}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Takeout_Incorrect_V3 if { - # Test nonspecific apps and specific apps allowed, ou - PolicyId := CommonControlsId12_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "Enabled"}, - {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": 
"APPLICATION_NAME", "value": "Blogger"} - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Google Takeout"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage12_1a}, - {"Name": "Test Top-Level OU", - "Value": NonComplianceMessage12_1(["Blogger"])}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_Takeout_Incorrect_V4 if { - # Test nonspecific apps allowed, group - PolicyId := CommonControlsId12_1 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "NEW_VALUE", "value": "Disabled"}, - {"name": "SETTING_NAME", "value": "UserTakeoutSettingsProto User Takeout "}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "APPLICATION_NAME", "value": "Blogger"} - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Google Takeout"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Google Takeout"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - {"name": "GROUP_EMAIL", "value": "test@test"} - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedGroup := [{"Name": "test@test", - "Value": NonComplianceMessage12_1a}] - FailTestGroupNonCompliant(PolicyId, Output, failedGroup) -} -#-- 
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego
index 9279c075..e9c5cfa1 100644
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego
+++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego
@@ -1,8 +1,6 @@ package commoncontrols
 import future.keywords
-import data.utils.FailTestBothNonCompliant
-import data.utils.FailTestGroupNonCompliant
 import data.utils.FailTestNoEvent
 import data.utils.FailTestOUNonCompliant
 import data.utils.PassTestResult
@@ -112,278 +110,3 @@ test_Unlisted_Incorrect_V2 if { FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false) } -#-- - -# -# GWS.COMMONCONTROLS.16.2 -#-- - -test_EarlyAccessApps_OUs_Correct_V1 if { - # Test 1 correct event - PolicyId := CommonControlsId16_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2024-10-15T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_EarlyAccessApps_OUs_Correct_V2 if { - # Test inheritance with root and sub OUs - PolicyId := CommonControlsId16_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "INHERIT_FROM_PARENT"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - PassTestResult(PolicyId, Output) -} - -test_EarlyAccessApps_OUs_Incorrect_V1 if { - # Test incorrect root OU - PolicyId := CommonControlsId16_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2024-05-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - 
{"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage16_2}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_EarlyAccessApps_OUs_Incorrect_V2 if { - # Test incorrect second-level OU - PolicyId := CommonControlsId16_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedOU := [{"Name": "Test Second-Level OU", - "Value": NonComplianceMessage16_2}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V1 if { - # Test for correct root OU but with an incorrect group event - PolicyId := CommonControlsId16_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early 
Access Apps"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "GROUP_EMAIL", "value": "Test Group 1"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedGroup := [{"Name": "Test Group 1", - "Value": NonComplianceMessage16_2}] - FailTestGroupNonCompliant(PolicyId, Output, failedGroup) -} - -test_EarlyAccessApps_OUs_Correct_Groups_Incorrect_V2 if { - # Test for correct root OU but with incorrect group events - PolicyId := CommonControlsId16_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "GROUP_EMAIL", "value": "Test Group 1"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "GROUP_EMAIL", "value": "Test Group 2"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - failedGroup := [{"Name": "Test Group 1", - "Value": NonComplianceMessage16_2}, - {"Name": "Test Group 2", - "Value": NonComplianceMessage16_2}] - FailTestGroupNonCompliant(PolicyId, Output, failedGroup) -} - -test_EarlyAccessApps_OUs_Groups_Incorrect_V1 if { - # Test for both incorrect OUs and group events - PolicyId := CommonControlsId16_2 - Output := tests with input as { - "commoncontrols_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": 
"TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "GROUP_EMAIL", "value": "Test Group 1"}, - ] - }] - }, - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "name": "TOGGLE_SERVICE_ENABLED", - "parameters": [ - {"name": "SERVICE_NAME", "value": "Early Access Apps"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "GROUP_EMAIL", "value": "Test Group 2"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - - failedGroup := [{"Name": "Test Group 1", - "Value": NonComplianceMessage16_2}, - {"Name": "Test Group 2", - "Value": NonComplianceMessage16_2}] - failedOU := [{"Name": "Test Top-Level OU", - "Value": NonComplianceMessage16_2}] - FailTestBothNonCompliant(PolicyId, Output, failedOU, failedGroup) -} -#-- diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego index 97792776..63845bba 100644 --- a/scubagoggles/rego/Commoncontrols.rego +++ b/scubagoggles/rego/Commoncontrols.rego @@ -2,7 +2,6 @@ package commoncontrols import future.keywords import data.utils -import data.utils.PolicyApiInUse # Note that we need to implement custom FilterEvents and SettingChangeEvents # rules here, instead of importing the standard ones from utils. 
@@ -106,46 +105,14 @@ LogEvents := utils.GetEvents("commoncontrols_logs") CommonControlsId1_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.1.1") -# For 1.1, we need to assert three different things: -# - MFA is allowed -# - MFA is enforced -# - Allowed methods is set to only security key - -# Custom NoSuchEvent function needed as we're checking -# three different settings simultaneously. No such event -# if any are missing -default NoSuchEvent1_1 := false - -NoSuchEvent1_1 := true if { - Events := FilterEventsOU("ALLOW_STRONG_AUTHENTICATION", utils.TopLevelOU) - count(Events) == 0 -} - -NoSuchEvent1_1 := true if { - Events := FilterEventsOU("ENFORCE_STRONG_AUTHENTICATION", utils.TopLevelOU) - count(Events) == 0 -} - -NoSuchEvent1_1 := true if { - Events := FilterEventsOU("CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", utils.TopLevelOU) - count(Events) == 0 -} - -Check1_1_OK if { - not PolicyApiInUse - not NoSuchEvent1_1 -} - -Check1_1_OK if {PolicyApiInUse} - GetFriendlyMethods(Value) := "Any" if { - Value in {"ALL", "ANY"} + Value == "ALL" } else := "Any except verification codes via text, phone call" if { Value == "NO_TELEPHONY" } else := "Only security key and allow security codes without remote access" if { - Value in {"PASSKEY_PLUS_IP_BOUND_SECURITY_CODE", "SECURITY_KEY_AND_IP_BOUND_SECURITY_CODE"} + Value == "PASSKEY_PLUS_IP_BOUND_SECURITY_CODE" } else := "Only security key and allow security codes with remote access" if { - Value in {"PASSKEY_PLUS_SECURITY_CODE", "SECURITY_KEY_AND_SECURITY_CODE"} + Value == "PASSKEY_PLUS_SECURITY_CODE" } else := Value NonComplianceMessage1_1a := "Users cannot enable 2-step verification (2SV)." 
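Review bot: After each branch of `GetFriendlyMethods` is narrowed to a single value, anything else falls through to `else := Value`, including the `ANY` and `SECURITY_KEY_AND_*` spellings the function used to recognise, so a report would print the raw enum if such a value ever came back. A short header comment would make the intent explicit: `# Maps the allowed-2SV-methods enum to the Admin-console wording; unrecognised values are reported verbatim.`. The retained names are presumably the Policy API's, now that the log-based path and `PolicyApiInUse` are gone, which is worth confirming against the API test fixtures.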
@@ -155,98 +122,6 @@ NonComplianceMessage1_1b(value) := sprintf("Allowed methods is set to %s", NonComplianceMessage1_1c := "2-step verification (2SV) is not enforced." -NonCompliantOUs1_1 contains { - "Name": OU, - "Value": "Allow users to turn on 2-Step Verification is OFF" -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := FilterEventsOU("ALLOW_STRONG_AUTHENTICATION", OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue == "false" -} - -NonCompliantOUs1_1 contains { - "Name": OU, - "Value": "2-Step Verification Enforcement is OFF" -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := FilterEventsOU("ENFORCE_STRONG_AUTHENTICATION", OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue == "false" -} - -NonCompliantOUs1_1 contains { - "Name": OU, - "Value": NonComplianceMessage1_1b(GetFriendlyMethods(LastEvent.NewValue)) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := FilterEventsOU("CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. 
- count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "ONLY_SECURITY_KEY" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} - -NonCompliantGroups1_1 contains { - "Name": Group, - "Value": "Allow users to turn on 2-Step Verification is Off" -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := FilterEventsGroup("ALLOW_STRONG_AUTHENTICATION", Group) - # Ignore Groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue == "false" -} - -NonCompliantGroups1_1 contains { - "Name": Group, - "Value": "2-Step Verification Enforcement is Off" -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := FilterEventsGroup("ENFORCE_STRONG_AUTHENTICATION", Group) - # Ignore Groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue == "false" -} - -NonCompliantGroups1_1 contains { - "Name": Group, - "Value": NonComplianceMessage1_1b(GetFriendlyMethods(LastEvent.NewValue)) -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := FilterEventsGroup("CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", Group) - # Ignore Groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "ONLY_SECURITY_KEY" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} - # There are 3 items to check for this baseline. First, users must be allowed to # enroll in 2SV. If they have been enrolled, then the passkey (aka security # key) is the only allowed 2SV method. If the method is also OK, 2SV 
@@ -295,29 +170,13 @@ if { tests contains { "PolicyId": CommonControlsId1_1, "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check1_1_OK -} - -tests contains { - "PolicyId": CommonControlsId1_1, - "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, NonCompliantGroups1_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1, "NonCompliantGroups": NonCompliantGroups1_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1}, "RequirementMet": Status, "NoSuchEvent": false } if { - Check1_1_OK - Conditions := {count(NonCompliantOUs1_1) == 0, count(NonCompliantGroups1_1) == 0} - Status := (false in Conditions) == false + Status := count(NonCompliantOUs1_1) == 0 } #-- 
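Review bot: With the no-event branch removed, the only remaining result for GWS.COMMONCONTROLS.1.1 is `Status := count(NonCompliantOUs1_1) == 0` with `"NoSuchEvent": false`, so a tenant for which the Policy API returns no 2SV settings at all (failed or unauthorised call, no top-level OU policy) would be reported as compliant, whereas the deleted `DefaultSafe := false` path deliberately failed that case. Unless the retained rule for `NonCompliantOUs1_1` (outside this hunk) asserts that the top-level OU setting is present, a rule that emits a non-compliant entry for `utils.TopLevelOU` when its 2SV policy is missing would keep the check fail-closed; the same drop of a fail-closed default appears in the 1.2, 1.3, 4.1, 5.2-5.4 and 8.1 hunks below. The group-level result is also replaced by a constant `[]` in `utils.ReportDetails(NonCompliantOUs1_1, [])` and `ActualValue` no longer carries `NonCompliantGroups`, even though the deleted code checked groups for all three 2SV settings. If the Policy API can scope 2SV enforcement or allowed methods to groups, such exemptions are exactly where MFA gaps hide, so either a `NonCompliantGroups1_1` rule on the new data source or a comment stating that group scoping is not exposed and was dropped deliberately should go here.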
@@ -327,53 +186,11 @@ if { CommonControlsId1_2 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.1.2") -LogMessage1_2 := "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION" - -Check1_2_OK if { - not PolicyApiInUse - events := FilterEventsOU(LogMessage1_2, utils.TopLevelOU) - count(events) > 0 -} - -Check1_2_OK if {PolicyApiInUse} - NonComplianceMessage1_2(value, expected) := sprintf("New user enrollment period (%s) %s (%s)", [utils.GetFriendlyDuration(value), "doesn't match expected", utils.GetFriendlyDuration(expected)]) -NonCompliantOUs1_2 contains { - "Name": OU, - "Value": concat("", ["New user enrollment period is set to ", LastEvent.NewValue]) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := FilterEventsOU(LogMessage1_2, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "1 week" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} - -NonCompliantGroups1_2 contains { - "Name": Group, - "Value": concat("", ["New user enrollment period is set to ", LastEvent.NewValue]) -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := FilterEventsGroup(LogMessage1_2, Group) - # Ignore groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "1 week" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} - NonCompliantOUs1_2 contains { "Name": OU, "Value": NonComplianceMessage1_2(enrollSeconds, expectedPeriod) 
@@ -389,29 +206,13 @@ if { tests contains { "PolicyId": CommonControlsId1_2, "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check1_2_OK -} - -tests contains { - "PolicyId": CommonControlsId1_2, - "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs1_2, NonCompliantGroups1_2), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2, "NonCompliantGroups": NonCompliantGroups1_2}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_2, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2}, "RequirementMet": Status, "NoSuchEvent": false } if { - Check1_2_OK - Conditions := {count(NonCompliantOUs1_2) == 0, count(NonCompliantGroups1_2) == 0} - Status := (false in Conditions) == false + Status := count(NonCompliantOUs1_2) == 0 } #-- 
@@ -421,54 +222,8 @@ if { CommonControlsId1_3 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.1.3") -LogMessage1_3 := "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY" - -Check1_3_OK if { - not PolicyApiInUse - events := FilterEventsOU(LogMessage1_3, utils.TopLevelOU) - count(events) > 0 -} - -Check1_3_OK if {PolicyApiInUse} - NonComplianceMessage1_3 := "User is allowed to trust device." -GetFriendlyValue1_3(Value) := "ON" if { - Value == "ENABLE_USERS_TO_TRUST_DEVICE" -} else := Value - -NonCompliantOUs1_3 contains { - "Name": OU, - "Value": concat("", ["Allow user to trust the device is ", GetFriendlyValue1_3(LastEvent.NewValue)]) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := FilterEventsOU("CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "DISABLE_USERS_TO_TRUST_DEVICE" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} - -NonCompliantGroups1_3 contains { - "Name": Group, - "Value": concat("", ["Allow user to trust the device is ", GetFriendlyValue1_3(LastEvent.NewValue)]) -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := FilterEventsGroup(LogMessage1_3, Group) - # Ignore groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "DISABLE_USERS_TO_TRUST_DEVICE" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} - NonCompliantOUs1_3 contains { "Name": OU, "Value": NonComplianceMessage1_3 
@@ -482,29 +237,13 @@ if { tests contains { "PolicyId": CommonControlsId1_3, "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check1_3_OK -} - -tests contains { - "PolicyId": CommonControlsId1_3, - "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs1_3, NonCompliantGroups1_3), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3, "NonCompliantGroups": NonCompliantGroups1_3}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_3, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3}, "RequirementMet": Status, "NoSuchEvent": false } if { - Check1_3_OK - Conditions := {count(NonCompliantOUs1_3) == 0, count(NonCompliantGroups1_3) == 0} - Status := (false in Conditions) == false + Status := count(NonCompliantOUs1_3) == 0 } #-- @@ -712,29 +451,6 @@ tests contains { CommonControlsId4_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.4.1") -# NOTE: this setting cannot be controlled at the group-level, -# so only a check at the OU-level is implemented here. - -GoodLimits := {"3600", "14400", "28800", "43200"} - -LogMessage4_1 := "Session management settings - Session length in seconds" - -Check4_1_OK if { - not PolicyApiInUse - events := utils.FilterEventsOU(LogEvents, LogMessage4_1, utils.TopLevelOU) - count(events) > 0 -} - -Check4_1_OK if {PolicyApiInUse} - -IsGoodLimit(ActualLim) := true if { - count({GoodLim | some GoodLim in GoodLimits; GoodLim == ActualLim}) > 0 -} - -IsGoodLimit(ActualLim) := false if { - count({GoodLim | some GoodLim in GoodLimits; GoodLim == ActualLim}) == 0 -} - NonComplianceMessage4_1(Value) := sprintf("Web session duration: %s", [Value]) 
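Review bot: The deleted comment `# NOTE: this setting cannot be controlled at the group-level, so only a check at the OU-level is implemented here.` still describes the retained 4.1 rules, which report only `NonCompliantOUs4_1`, so it should be kept above `NonComplianceMessage4_1` rather than removed along with the log-based code. Removing `GoodLimits` and `IsGoodLimit` also changes the acceptance test from a fixed set of durations to the `durationSeconds > webSessionMax` comparison visible in the next hunk; if that is intended, a one-line comment naming the maximum would make the policy readable without chasing `webSessionMax`. The 1.3 tests hunk on this same line drops its `DefaultSafe := false` no-event branch in the same way as 1.1, so an absent policy now yields `RequirementMet: true`.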
@@ -742,23 +458,6 @@ GetFriendlyValue4_1(Value) := "Session never expires" if { Value == 63072000 } else := utils.GetFriendlyDuration(Value) -NonCompliantOUs4_1 contains { - "Name": OU, - "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(to_number(LastEvent.NewValue))) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessage4_1, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" - not IsGoodLimit(LastEvent.NewValue) -} - NonCompliantOUs4_1 contains { "Name": OU, "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(durationSeconds)) @@ -772,20 +471,6 @@ if { durationSeconds > webSessionMax } -tests contains { - "PolicyId": CommonControlsId4_1, - "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check4_1_OK -} - tests contains { "PolicyId": CommonControlsId4_1, "Criticality": "Shall", @@ -795,7 +480,6 @@ tests contains { "NoSuchEvent": false } if { - Check4_1_OK Status := count(NonCompliantOUs4_1) == 0 } #-- 
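Review bot: `Value == 63072000` in `GetFriendlyValue4_1` is an undocumented magic number, and with the `GoodLimits` whitelist and the log-based rule gone nothing nearby explains it. A one-line comment would help, e.g. `# 63072000 s (730 days) is the value this setting uses for "Session never expires"`. Since the retained rule flags `durationSeconds > webSessionMax`, that sentinel is reported as non-compliant whenever `webSessionMax` is below it, which appears to be the intent but is worth stating in the same comment.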
@@ -812,33 +496,8 @@ if { #-- CommonControlsId5_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.1") -LogMessage5_1 := "Password Management - Enforce strong password" -PasswordStrength := "STRONG" -Check5_1_OK if { - not PolicyApiInUse - events := utils.FilterEventsOU(LogEvents, LogMessage5_1, utils.TopLevelOU) - count(events) > 0 -} - -Check5_1_OK if {PolicyApiInUse} - -NonCompliantOUs5_1 contains { - "Name": OU, - "Value": "Enforce strong password is OFF" -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessage5_1, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "on" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} +PasswordStrength := "STRONG" NonCompliantOUs5_1 contains { "Name": OU, @@ -851,20 +510,6 @@ if { CurrentStrength != PasswordStrength } -tests contains { - "PolicyId": CommonControlsId5_1, - "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := true - not Check5_1_OK -} - tests contains { "PolicyId": CommonControlsId5_1, "Criticality": "Shall", @@ -874,7 +519,6 @@ tests contains { "NoSuchEvent": false } if { - Check5_1_OK Status := count(NonCompliantOUs5_1) == 0 } #-- 
@@ -885,40 +529,12 @@ if { CommonControlsId5_2 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.2") -LogMessageMinPassword := "Password Management - Minimum password length" - MinimumPasswordLength := 12 -Check5_2_OK if { - not PolicyApiInUse - events := utils.FilterEventsOU(LogEvents, LogMessageMinPassword, utils.TopLevelOU) - count(events) > 0 -} - -Check5_2_OK if {PolicyApiInUse} - FormatMessage5_2 := "Minimum password length: %d, less than %d" NonComplianceMessage5_2(Value) := sprintf(FormatMessage5_2, [Value, MinimumPasswordLength]) -NonCompliantOUs5_2 contains { - "Name": OU, - "Value": NonComplianceMessage5_2(Minimum) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessageMinPassword, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" - Minimum := to_number(LastEvent.NewValue) - Minimum < MinimumPasswordLength -} - NonCompliantOUs5_2 contains { "Name": OU, "Value": NonComplianceMessage5_2(CurrentLength) @@ -929,20 +545,6 @@ if { CurrentLength < MinimumPasswordLength } -tests contains { - "PolicyId": CommonControlsId5_2, - "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check5_2_OK -} - tests contains { "PolicyId": CommonControlsId5_2, "Criticality": "Shall", @@ -952,7 +554,6 @@ tests contains { "NoSuchEvent": false } if { - Check5_2_OK Status := count(NonCompliantOUs5_2) == 0 } #-- 
@@ -965,36 +566,10 @@ CommonControlsId5_3 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.3") SuggestedPasswordLength := 15 -Check5_3_OK if { - not PolicyApiInUse - events := utils.FilterEventsOU(LogEvents, LogMessageMinPassword, utils.TopLevelOU) - count(events) > 0 -} - -Check5_3_OK if {PolicyApiInUse} - FormatMessage5_3 := "Minimum password length: %d, recommended is at least %d" NonComplianceMessage5_3(Value) := sprintf(FormatMessage5_3, [Value, SuggestedPasswordLength]) -NonCompliantOUs5_3 contains { - "Name": OU, - "Value": NonComplianceMessage5_3(Minimum) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessageMinPassword, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" - Minimum := to_number(LastEvent.NewValue) - Minimum < SuggestedPasswordLength -} - NonCompliantOUs5_3 contains { "Name": OU, "Value": NonComplianceMessage5_3(CurrentLength) @@ -1005,20 +580,6 @@ if { CurrentLength < SuggestedPasswordLength } -tests contains { - "PolicyId": CommonControlsId5_3, - "Criticality": "Should", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check5_3_OK -} - tests contains { "PolicyId": CommonControlsId5_3, "Criticality": "Should", @@ -1028,7 +589,6 @@ tests contains { "NoSuchEvent": false } if { - Check5_3_OK Status := count(NonCompliantOUs5_3) == 0 } #-- 
@@ -1038,33 +598,8 @@ if { #-- CommonControlsId5_4 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.4") -LogMessage5_4 := "Password Management - Enforce password policy at next login" -NonComplianceMessage5_4 := "Enforce password policy at next sign-in is OFF" -Check5_4_OK if { - not PolicyApiInUse - events := utils.FilterEventsOU(LogEvents, LogMessage5_4, utils.TopLevelOU) - count(events) > 0 -} - -Check5_4_OK if {PolicyApiInUse} - -NonCompliantOUs5_4 contains { - "Name": OU, - "Value": NonComplianceMessage5_4 -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessage5_4, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "true" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} +NonComplianceMessage5_4 := "Enforce password policy at next sign-in is OFF" NonCompliantOUs5_4 contains { "Name": OU, @@ -1075,20 +610,6 @@ if { settings.security_password.enforceRequirementsAtLogin != true } -tests contains { - "PolicyId": CommonControlsId5_4, - "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check5_4_OK -} - tests contains { "PolicyId": CommonControlsId5_4, "Criticality": "Shall", @@ -1098,7 +619,6 @@ tests contains { "NoSuchEvent": false } if { - Check5_4_OK Status := count(NonCompliantOUs5_4) == 0 } #-- 
@@ -1108,33 +628,8 @@ if { #-- CommonControlsId5_5 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.5") -LogMessage5_5 := "Password Management - Enable password reuse" -NonComplianceMessage5_5 := "Allow password reuse is ON" - -Check5_5_OK if { - not PolicyApiInUse - events := utils.FilterEventsOU(LogEvents, LogMessage5_5, utils.TopLevelOU) - count(events) > 0 -} - -Check5_5_OK if {PolicyApiInUse} -NonCompliantOUs5_5 contains { - "Name": OU, - "Value": NonComplianceMessage5_5 -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessage5_5, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "false" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} +NonComplianceMessage5_5 := "Allow password reuse is ON" NonCompliantOUs5_5 contains { "Name": OU, @@ -1145,20 +640,6 @@ if { settings.security_password.allowReuse == true } -tests contains { - "PolicyId": CommonControlsId5_5, - "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := true - not Check5_5_OK -} - tests contains { "PolicyId": CommonControlsId5_5, "Criticality": "Shall", @@ -1168,7 +649,6 @@ tests contains { "NoSuchEvent": false } if { - Check5_5_OK Status := count(NonCompliantOUs5_5) == 0 } #-- 
@@ -1178,32 +658,6 @@ if { #-- CommonControlsId5_6 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.5.6") -LogMessage5_6 := "Password Management - Password reset frequency" - -Check5_6_OK if { - not PolicyApiInUse - events := utils.FilterEventsOU(LogEvents, LogMessage5_6, utils.TopLevelOU) - count(events) > 0 -} - -Check5_6_OK if {PolicyApiInUse} - -NonCompliantOUs5_6 contains { - "Name": OU, - "Value": concat(" ", ["Password reset frequency is", LastEvent.NewValue, "days"]) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessage5_6, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "0" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} NonCompliantOUs5_6 contains { "Name": OU, @@ -1216,20 +670,6 @@ if { expirationValue != 0 } -tests contains { - "PolicyId": CommonControlsId5_6, - "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := true - not Check5_6_OK -} - tests contains { "PolicyId": CommonControlsId5_6, "Criticality": "Shall", @@ -1239,7 +679,6 @@ tests contains { "NoSuchEvent": false } if { - Check5_6_OK Status := count(NonCompliantOUs5_6) == 0 } #-- 
@@ -1319,50 +758,8 @@ tests contains { #-- CommonControlsId8_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.8.1") -LogMessage8_1 := "AdminAccountRecoverySettingsProto Enable admin account recovery" -NonComplianceMessage8_1 := "Allow super admins to recover their account is ON" - -Check8_1_OK if { - not PolicyApiInUse - events := utils.FilterEventsOU(LogEvents, LogMessage8_1, utils.TopLevelOU) - count(events) > 0 -} -Check8_1_OK if {PolicyApiInUse} - -NonCompliantOUs8_1 contains { - "Name": OU, - "Value": NonComplianceMessage8_1 -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - SettingName := LogMessage8_1 - Events := utils.FilterEventsOU(LogEvents, SettingName, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "false" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} - -NonCompliantGroups8_1 contains { - "Name": Group, - "Value": NonComplianceMessage8_1 -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - SettingName := LogMessage8_1 - Events := utils.FilterEventsGroup(LogEvents, SettingName, Group) - # Ignore groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "false" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} +NonComplianceMessage8_1 := "Allow super admins to recover their account is ON" NonCompliantOUs8_1 contains { "Name": OU, 
@@ -1376,29 +773,13 @@ if { tests contains { "PolicyId": CommonControlsId8_1, "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check8_1_OK -} - -tests contains { - "PolicyId": CommonControlsId8_1, - "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs8_1, NonCompliantGroups8_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs8_1, "NonCompliantGroups": NonCompliantGroups8_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs8_1, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs8_1}, "RequirementMet": Status, "NoSuchEvent": false } if { - Check8_1_OK - Conditions := {count(NonCompliantOUs8_1) == 0, count(NonCompliantGroups8_1) == 0} - Status := (false in Conditions) == false + Status := count(NonCompliantOUs8_1) == 0 } #-- 
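Review bot: With `Check8_1_OK` gone, the only condition left in this `tests` rule is `Status := count(NonCompliantOUs8_1) == 0`, which is also true when `NonCompliantOUs8_1` is empty because the policy-API input simply lacks the setting, so missing data now reports as compliant while `NoSuchEvent` is hard-coded to false. The removed log path reported `DefaultSafe := false` for this control when no evidence was found; the same fail-open shape appears in the 11.1, 12.1 and 16.2 test rules later in this file (5.6 and 10.5 were already default-safe). Consider keeping a guard that the relevant policy setting is present for the top-level OU before computing `Status`, and emitting the `NoSuchEvent: true` entry with an explicit `RequirementMet` otherwise. Separately, `utils.ReportDetails(NonCompliantOUs8_1, [])` passes an array literal where the second argument used to be a set, and `ActualValue` no longer carries a `NonCompliantGroups` key; confirm `ReportDetails` and the report renderer tolerate both, or pass `set()` and keep the key with an empty value. The `NonCompliantOUs8_1` policy-API rule itself is outside this hunk.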
@@ -1765,57 +1146,9 @@ if { # Baseline GWS.COMMONCONTROLS.10.5 #-- -CommonControlsId10_5 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.10.5") - -EventName10_5 := "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED" - -Check10_5_OK if { - not PolicyApiInUse - events := FilterEventsOU(EventName10_5, utils.TopLevelOU) - count(events) > 0 -} - -Check10_5_OK if {PolicyApiInUse} - -NonComplianceMessage10_5 := "Users are allowed to manage access to less secure apps." - -NonCompliantOUs10_5 contains { - "Name": OU, - "Value": NonComplianceMessage10_5 -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := FilterEventsOU(EventName10_5, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "DENIED" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} -# NOTE: When WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED for a child OU -# is set to inherit from parent, apparently NO EVENT IS PRODUCED IN -# THE ADMIN LOGS. When you later override the setting, it shows -# "INHERIT_FROM_PARENT" as the "OLD_VALUE", so I'm putting that above -# for completeness, but this appears to be a case where we won't be -# able to detect setting inheritance, as least for now. - -NonCompliantGroups10_5 contains { - "Name": Group, - "Value": NonComplianceMessage10_5 -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := FilterEventsGroup(EventName10_5, Group) - # Ignore groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "DENIED" - LastEvent.NewValue != "INHERIT_FROM_PARENT" -} +CommonControlsId10_5 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.10.5") + +NonComplianceMessage10_5 := "Users are allowed to manage access to less secure apps." NonCompliantOUs10_5 contains { "Name": OU, 
@@ -1827,32 +1160,16 @@ if { lessSecure != false } -tests contains { - "PolicyId": CommonControlsId10_5, - "Criticality": "Should", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := true - not Check10_5_OK -} - tests contains { "PolicyId": CommonControlsId10_5, "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs10_5, NonCompliantGroups10_5), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_5, "NonCompliantGroups": NonCompliantGroups10_5}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs10_5, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_5}, "RequirementMet": Status, "NoSuchEvent": false } if { - Check10_5_OK - Conditions := {count(NonCompliantOUs10_5) == 0, count(NonCompliantGroups10_5) == 0} - Status := (false in Conditions) == false + Status := count(NonCompliantOUs10_5) == 0 } #-- 
@@ -1876,97 +1193,6 @@ NonComplianceMessage11_1(anyApp) := sprintf("%s app from the Marketplace.", } else := sprintf("%s internal app, even if it's not allowlisted.", [NonCompliancePrefix11_1]) -# For 11.1, we need to assert two different things: -# - Users can only allow whitelisted apps -# - Exceptions aren't allowed for internal apps - -# Custom NoSuchEvent function needed as we're checking -# two different settings simultaneously. - -default NoSuchEvent11_1 := false - -NoSuchEvent11_1 := true if { - Events := utils.FilterEventsOU(LogEvents, LogMessage11_1_A, utils.TopLevelOU) - count(Events) == 0 -} - -NoSuchEvent11_1 := true if { - Events := utils.FilterEventsOU(LogEvents, LogMessage11_1_B, utils.TopLevelOU) - count(Events) == 0 -} - -Check11_1_OK if { - not PolicyApiInUse - not NoSuchEvent11_1 -} - -Check11_1_OK if {PolicyApiInUse} - -NonCompliantOUs11_1 contains { - "Name": OU, - "Value": NonComplianceMessage11_1(true) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessage11_1_A, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "ALLOW_SPECIFIED" - LastEvent.NewValue != "ALLOW_NONE" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} - -NonCompliantGroups11_1 contains { - "Name": Group, - "Value": NonComplianceMessage11_1(true) -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := utils.FilterEventsGroup(LogEvents, LogMessage11_1_A, Group) - # Ignore groups without any events. 
- count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "ALLOW_SPECIFIED" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} - -NonCompliantOUs11_1 contains { - "Name": OU, - "Value": NonComplianceMessage11_1(false) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessage11_1_B, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "false" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} - -NonCompliantGroups11_1 contains { - "Name": Group, - "Value": NonComplianceMessage11_1(false) -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := utils.FilterEventsGroup(LogEvents, LogMessage11_1_B, Group) - # Ignore groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue != "false" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} - NonCompliantOUs11_1 contains { "Name": OU, "Value": NonComplianceMessage11_1(true) 
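Review bot: The explanatory comment stating that 11.1 asserts two distinct settings (users may only install allowlisted Marketplace apps, and internal apps get no exception) is removed together with the log-based rules, but `NonComplianceMessage11_1(anyApp)` at the top of the hunk still switches between two messages, so the reason an OU can yield two findings is no longer documented. Suggest keeping a short note above the remaining policy-API rules, e.g. `# 11.1 checks two settings: Marketplace installs restricted to the allowlist, and no exception for internal apps.` The policy-API `NonCompliantOUs11_1` rule begins at the end of this hunk and continues outside it.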
@@ -1992,29 +1218,13 @@ if { tests contains { "PolicyId": CommonControlsId11_1, "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check11_1_OK -} - -tests contains { - "PolicyId": CommonControlsId11_1, - "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs11_1, NonCompliantGroups11_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs11_1, "NonCompliantGroups": NonCompliantGroups11_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs11_1, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs11_1}, "RequirementMet": Status, "NoSuchEvent": false } if { - Check11_1_OK - Conditions := {count(NonCompliantOUs11_1) == 0, count(NonCompliantGroups11_1) == 0} - Status := (false in Conditions) == false + Status := count(NonCompliantOUs11_1) == 0 } #-- 
@@ -2028,156 +1238,12 @@ if { CommonControlsId12_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.12.1") -LogMessage12_1 := "UserTakeoutSettingsProto User Takeout " - Msg12_1 := "The following apps with individual admin control have Takeout enabled: %s" NonComplianceMessage12_1(EnabledApps) := sprintf(Msg12_1, [concat(", ", sort(EnabledApps))]) -#### Part 1: detecting service toggle events for OUs/groups *without* an individual admin control -TakeoutServiceEnableEvents contains { - "Timestamp": time.parse_rfc3339_ns(Item.id.time), - "TimestampStr": Item.id.time, - "NewValue": NewValue, - "OrgUnit": OrgUnit, - "Group": Group -} -if { - not PolicyApiInUse - some Item in input.commoncontrols_logs.items - some Event in Item.events - Event.name == "TOGGLE_SERVICE_ENABLED" - - "SERVICE_NAME" in {Parameter.name | some Parameter in Event.parameters} - "NEW_VALUE" in {Parameter.name | some Parameter in Event.parameters} - - ServiceName := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "SERVICE_NAME"][0] - NewValue := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "NEW_VALUE"][0] - OrgUnit := utils.GetEventOu(Event) - Group := utils.GetEventGroup(Event) - - ServiceName == "Google Takeout" -} - NonComplianceMessage12_1a := "Takeout is enabled for services without an individual admin control." -NonCompliantOUs12_1 contains { - "Name": OU, - "Value": NonComplianceMessage12_1a -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := { - Event | some Event in TakeoutServiceEnableEvents; - Event.OrgUnit == OU; - Event.Group == "" - } - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. 
- count(Events) > 0 - LastEvent = utils.GetLastEvent(Events) - LastEvent.NewValue == "true" -} - -NonCompliantGroups12_1 contains { - "Name": Group, - "Value": NonComplianceMessage12_1a -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := { - Event | some Event in TakeoutServiceEnableEvents; - Event.Group == Group - } - # Ignore groups without any events. - count(Events) > 0 - LastEvent = utils.GetLastEvent(Events) - LastEvent.NewValue == "true" -} - -#### Part 2: detecting services *with* an individual admin control -Apps := {"Blogger", "Google Books", "Google Maps", "Google Pay", "Google Photos", "Google Play", - "Google Play Console", "Timeline - Location History", "YouTube"} - -AppsAllowingTakoutOU contains App if { - not PolicyApiInUse - Events := utils.FilterEventsNoOU(LogEvents, LogMessage12_1) - some App in Apps - Filtered := {Event | some Event in Events; Event.AppName == App; Event.OrgUnit == data.OrgUnit} - # Note the data.OrgUnit. This means this - # rule will only work if called like this: - # AppsAllowingTakoutOU with data.OrgUnit as ExampleOrgUnit - LastEvent := utils.GetLastEvent(Filtered) - LastEvent.NewValue != "Disabled" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} - -AppsAllowingTakoutGroup contains App if { - not PolicyApiInUse - Events := utils.FilterEventsNoOU(LogEvents, LogMessage12_1) - some App in Apps - Filtered := {Event | some Event in Events; Event.AppName == App; Event.Group == data.Group} - # Note the data.Group. 
This means this - # rule will only work if called like this: - # AppsAllowingTakoutGroup with data.Group as ExampleGroup - LastEvent := utils.GetLastEvent(Filtered) - LastEvent.NewValue != "Disabled" - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} - -NonCompliantOUs12_1 contains { - "Name": OU, - "Value": NonComplianceMessage12_1(EnabledApps) -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, LogMessage12_1, OU) - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - EnabledApps := AppsAllowingTakoutOU with data.OrgUnit as OU - count(EnabledApps) > 0 -} - -NonCompliantGroups12_1 contains { - "Name": Group, - "Value": NonComplianceMessage12_1(EnabledApps) - -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - Events := utils.FilterEventsGroup(LogEvents, LogMessage12_1, Group) - # Ignore groups without any events. - count(Events) > 0 - EnabledApps := AppsAllowingTakoutGroup with data.Group as Group - count(EnabledApps) > 0 -} - -default NoSuchEvent12_1 := false - -NoSuchEvent12_1 := true if { - Events := utils.FilterEventsOU(LogEvents, LogMessage12_1, utils.TopLevelOU) - count(Events) == 0 -} - -NoSuchEvent12_1 := true if { - Events := {Event | some Event in TakeoutServiceEnableEvents; Event.OrgUnit == utils.TopLevelOU} - count(Events) == 0 -} - -Check12_1_OK if { - not PolicyApiInUse - not NoSuchEvent12_1 -} - -Check12_1_OK if {PolicyApiInUse} - NonCompliantOUs12_1 contains { "Name": OU, "Value": NonComplianceMessage12_1a 
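Review bot: The `#### Part 1` / `#### Part 2` section comments that explained why 12.1 produces two kinds of findings are dropped with the log rules, yet both `NonComplianceMessage12_1a` (Takeout on for services without an individual admin control) and `NonComplianceMessage12_1(EnabledApps)` (per-app list) survive in this hunk, and the `NonCompliantOUs12_1` rule using `NonComplianceMessage12_1a` continues past its end. A one-line comment before each retained policy-API rule naming which check it implements would keep the report messages traceable, e.g. `# Part 1: services without an individual admin control` and `# Part 2: apps with an individual admin control`. It is also worth confirming that the policy-API rule producing `EnabledApps` no longer references the removed `Apps` set; the Rego compiler should reject an undefined reference, but a test run of the 12.1 cases would settle it.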
@@ -2218,29 +1284,13 @@ if { tests contains { "PolicyId": CommonControlsId12_1, "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check12_1_OK -} - -tests contains { - "PolicyId": CommonControlsId12_1, - "Criticality": "Shall", - "ReportDetails": utils.ReportDetails(NonCompliantOUs12_1, NonCompliantGroups12_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs12_1, "NonCompliantGroups": NonCompliantGroups12_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs12_1, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs12_1}, "RequirementMet": Status, "NoSuchEvent": false } if { - Check12_1_OK - Conditions := {count(NonCompliantOUs12_1) == 0, count(NonCompliantGroups12_1) == 0} - Status := (false in Conditions) == false + Status := count(NonCompliantOUs12_1) == 0 } #-- 
@@ -2521,62 +1571,6 @@ CommonControlsId16_2 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.16.2") NonComplianceMessage16_2 := "Early access apps are ENABLED" -Check16_2_OK if { - not PolicyApiInUse - Events := { - Event | some Event in ToggleServiceEvents; - Event.OrgUnit == utils.TopLevelOU; - Event.ServiceName == "Early Access Apps" - } - count(Events) > 0 -} - -Check16_2_OK if {PolicyApiInUse} - -NonCompliantOUs16_2 contains { - "Name": OU, - "Value": NonComplianceMessage16_2 -} -if { - not PolicyApiInUse - some OU in utils.OUsWithEvents - # Note that this setting requires the custom ToggleServiceEvents rule. - # Filter based on the service name of the event, otherwise all events are returned. - Events := { - Event | some Event in ToggleServiceEvents; - Event.OrgUnit == OU; - Event.ServiceName == "Early Access Apps" - } - # Ignore OUs without any events. We're already asserting that the - # top-level OU has at least one event; for all other OUs we assume - # they inherit from a parent OU if they have no events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - # For the Early Access Apps service: - # If service status is set to "ON for everyone", then "NewValue" == true (non-compliant state) - # else, "NewValue" == false (compliant state) - LastEvent.NewValue == "true" -} - -NonCompliantGroups16_2 contains { - "Name": Group, - "Value": NonComplianceMessage16_2 -} -if { - not PolicyApiInUse - some Group in utils.GroupsWithEvents - # Note that this setting requires the custom ToggleServiceEvents rule. - Events := { - Event | some Event in ToggleServiceEvents; - Event.Group == Group; - Event.ServiceName == "Early Access Apps" - } - # Ignore groups without any events. - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - LastEvent.NewValue == "true" -} - NonCompliantOUs16_2 contains { "Name": OU, "Value": NonComplianceMessage16_2 
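Review bot: The removed comment `If service status is set to "ON for everyone", then "NewValue" == true (non-compliant state)` was the only place documenting which direction of the Early Access Apps boolean is non-compliant; the policy-API `NonCompliantOUs16_2` rule that starts at the end of this hunk and continues outside it presumably performs the same mapping and would benefit from an equivalent one-line comment, e.g. `# Early Access Apps enabled for the OU is the non-compliant state.` Only the documentation is at issue here; the retained `NonComplianceMessage16_2` text already matches that reading.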
@@ -2590,32 +1584,13 @@ if { tests contains { "PolicyId": CommonControlsId16_2, "Criticality": "Should", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - not PolicyApiInUse - DefaultSafe := false - not Check16_2_OK -} - -tests contains { - "PolicyId": CommonControlsId16_2, - "Criticality": "Should", - "ReportDetails": utils.ReportDetails(NonCompliantOUs16_2, NonCompliantGroups16_2), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs16_2, "NonCompliantGroups": NonCompliantGroups16_2}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs16_2, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs16_2}, "RequirementMet": Status, "NoSuchEvent": false } if { - Check16_2_OK - Conditions := { - count(NonCompliantOUs16_2) == 0, - count(NonCompliantGroups16_2) == 0 - } - Status := (false in Conditions) == false + Status := count(NonCompliantOUs16_2) == 0 } #--