Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow policies to be omitted from ScubaGear #1200

Merged
merged 22 commits into from
Jul 18, 2024

Conversation

adhilto
Copy link
Collaborator

@adhilto adhilto commented Jul 5, 2024

🗣 Description

Make it so that policies can be omitted from the ScubaGear reports.

💭 Motivation and context

Closes #740.
Closes #739.
Closes #738.

🧪 Testing

I'd recommend that the reviewers start by reading the documentation I added for this feature, to get a good overview of the approach taken: https://github.com/cisagov/ScubaGear/blob/739-allow-any-given-policy-to-be-ignored/docs/configuration/configuration.md#omit-policies.

Testing I've done:

  • Added 8 new Pester cases to cover these changes
  • Manually tested without a config file to ensure normal executions is unchanged
  • Manually tested excluding several policies without expiration dates
  • Manually tested excluding policies without specifying the rationale
  • Manually tested excluding policies with expirations date, both in the past and future
  • Manually tested excluding policies with a malformed expiration date
  • Manually tested generating a config file with policy omissions via New-Config, including some edge cases, such as malformed policy ids, variations in capitalization, and unexpected product names in the policy IDs.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All relevant functional tests passed.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • Feature branch has been rebased against changes from parent branch, as needed

    Use Rebase branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch

  • Notified merge coordinator that PR is ready for merge via comment mention

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

@adhilto adhilto added the enhancement This issue or pull request will add new or improve existing functionality label Jul 5, 2024
@adhilto adhilto added this to the Iceberg milestone Jul 5, 2024
@adhilto adhilto self-assigned this Jul 5, 2024
@adhilto adhilto linked an issue Jul 5, 2024 that may be closed by this pull request
2 tasks
@tkol2022
Copy link
Collaborator

Feedback on example config file

The example MS.TEAMS.6.1v1 provided in the sample config file is confusing with respect to the sample rationale. If the service is provided by M365 Defender and the Defender baseline checks for the implementation of this policy, then what is the purpose of having this policy in Teams to begin with? I believe this has a good chance of confusing users.
Instead I recommend you provide an example rationale such as "The DLP capability required for Teams is implemented by third party product X which ScubaGear does not have the ability to check" or something like that.

I also recommend that you trim the number of example policy IDs that you have. I think by the time the user gets to policy 7.1 in the example config they will get the point so you could get rid of examples 7.2, 8.1, 8.2 and we wouldn't lose anything.

@adhilto
Copy link
Collaborator Author

adhilto commented Jul 11, 2024

Feedback on example config file

The example MS.TEAMS.6.1v1 provided in the sample config file is confusing with respect to the sample rationale. If the service is provided by M365 Defender and the Defender baseline checks for the implementation of this policy, then what is the purpose of having this policy in Teams to begin with? I believe this has a good chance of confusing users. Instead I recommend you provide an example rationale such as "The DLP capability required for Teams is implemented by third party product X which ScubaGear does not have the ability to check" or something like that.

I also recommend that you trim the number of example policy IDs that you have. I think by the time the user gets to policy 7.1 in the example config they will get the point so you could get rid of examples 7.2, 8.1, 8.2 and we wouldn't lose anything.

Done

@adhilto adhilto force-pushed the 739-allow-any-given-policy-to-be-ignored branch from 5719c53 to ee4cb3d Compare July 11, 2024 21:25
…onfuse with AAD exclusions in a different section of the documentation
@tkol2022
Copy link
Collaborator

I made a few tweaks to the configuration.md because i felt the term "excluded" could get conflated with AAD conditional access policy exclusions. we should stick with the term "omitted" and omissions.

@tkol2022
Copy link
Collaborator

In configuration.md, I think we can delete this paragraph. It is confusing and I don't think it adds anything. Do you think anyone is likely to send policy ids as command line arguments to New-Config? It is easier to just modify the yaml config file in my opinion.

"Policy omissions can be provided to the New-Config function as a comma-separated list of policy IDs under the OmitPolicy parameter. However, the New-Config function does not allow you to specify the rationales or expiration dates via the commandline; these must be manually entered into the resulting config file."

@tkol2022
Copy link
Collaborator

The expiration date feature is a nice touch!

@tkol2022
Copy link
Collaborator

What are your thoughts on changing the following?
Test disabled by user.
to
Test omitted by user.

@tkol2022
Copy link
Collaborator

Bug

If the user accidentally provides two Rationale fields ScubaGear crashes. The same problem occurs if you have more than one omit policy entry for the same policy id.

image
image

image

@tkol2022
Copy link
Collaborator

Will the following line perform a case-insensitive match? If not, should we make is so that case does not matter?

if ($Config.OmitPolicy.psobject.properties.name -Contains $ControlId)

I tested this. It ignores case which is great for flexibility. No change needed.
image

@tkol2022
Copy link
Collaborator

Test summary

  • Tested prior date, today and future date for the Expiration field and the tool behaved as expected.
  • Tested single quote in Rationale field and tool behaved as expected.
  • Tested rationale missing and tool behaved as expected.
  • Tested malformed date and the tool behaved as expected.
  • Tested without rationale and without date and the tool behaved as expected.
  • The only test that produced a bug was when you have more than one of the same policy or you have multiple rationales. See separate comment with details.

Copy link
Collaborator

@tkol2022 tkol2022 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found one bug and left some comments for a couple of other tweaks. If you can address those I think we are in good shape. Nice work. Overall the system behaved as expected under various conditions. Also I asked a related question on Slack which was answered by the team about how the downstream system interprets the outputs from this new functionality.

Copy link
Collaborator

@mitchelbaker-cisa mitchelbaker-cisa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Testing:

Ran ScubaGear without a config file, runs as expected.
Ran ScubaGear with a config file:

  • with valid policy ID, rationale, expiration
  • with invalid policy ID
  • with null Expiration value (results in skipped omission for given policy)
  • with non-string Expiration value (results in skipped omission for given policy)

Verified "OmitPolicy" is included in ProviderSettingsExport
Verified Result: "Omitted" is in individual report json and in combined json with -mergeJson flag

Left one comment to consider but otherwise looks good.

@adhilto
Copy link
Collaborator Author

adhilto commented Jul 15, 2024

In configuration.md, I think we can delete this paragraph. It is confusing and I don't think it adds anything. Do you think anyone is likely to send policy ids as command line arguments to New-Config? It is easier to just modify the yaml config file in my opinion.

"Policy omissions can be provided to the New-Config function as a comma-separated list of policy IDs under the OmitPolicy parameter. However, the New-Config function does not allow you to specify the rationales or expiration dates via the commandline; these must be manually entered into the resulting config file."

I agree that it's probably easier to reference the example config and modify their config file manually. I'm ok with deleting the paragraph.

@adhilto
Copy link
Collaborator Author

adhilto commented Jul 15, 2024

Bug

If the user accidentally provides two Rationale fields ScubaGear crashes. The same problem occurs if you have more than one omit policy entry for the same policy id.

I think this bug is out of scope for this PR, I recommend opening a separate issue for it. This bug is in the orchestrator and/or the ScubaConfig.psm1 LoadConfig function. The YAML specification actually does not allow duplicate keys, so in your test, you've engineered invalid yaml. The problem this surfaces is that the orchestrator does not catch that invalid yaml was provided. The first error message in your screenshot is a bit cryptic, but the fix might be to wrap this line (in ScubaConfig.psm1) in a try/catch:
image

Additionally, for whatever reason, this if in Orchestraror.psm1 failed to detect that the config failed to load.
image

@adhilto
Copy link
Collaborator Author

adhilto commented Jul 15, 2024

What are your thoughts on changing the following? Test disabled by user. to Test omitted by user.

I'm 100% ok with either. If you have a preference for "Test omitted" I'll change it to that.

@tkol2022
Copy link
Collaborator

Additionally, for whatever reason, this if in Orchestraror.psm1 failed to detect that the config failed to load. image

I opened an issue. BTW, from what I can tell, the reason that code in Orchestrator does not work as expected is because when the LoadConfig function produces an error, Orchestrator will not execute the if statement you mentioned. Instead it will go to the nearest catch () block, right?

@adhilto
Copy link
Collaborator Author

adhilto commented Jul 15, 2024

Additionally, for whatever reason, this if in Orchestraror.psm1 failed to detect that the config failed to load. image

I opened an issue. BTW, from what I can tell, the reason that code in Orchestrator does not work as expected is because when the LoadConfig function produces an error, Orchestrator will not execute the if statement you mentioned. Instead it will go to the nearest catch () block, right?

Honestly, I'm not really sure what will happen. Unless I'm just not looking deep enough, this block of code isn't within a try at all. Definitely more digging needed here.

@adhilto
Copy link
Collaborator Author

adhilto commented Jul 15, 2024

What are your thoughts on changing the following? Test disabled by user. to Test omitted by user.

Changed

@adhilto
Copy link
Collaborator Author

adhilto commented Jul 16, 2024

@nanda-katikaneni Looks like this one is good to go

@nanda-katikaneni nanda-katikaneni merged commit 98bc8fc into main Jul 18, 2024
22 checks passed
@nanda-katikaneni nanda-katikaneni deleted the 739-allow-any-given-policy-to-be-ignored branch July 18, 2024 16:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement This issue or pull request will add new or improve existing functionality
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Report on ignored policies Allow any given policy to be ignored Policy item toggling feature
5 participants