Moving Common Controls 11.2 to Policy Group 10 #487

Merged
merged 5 commits into from
Oct 31, 2024
242 changes: 242 additions & 0 deletions Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
Expand Up @@ -854,4 +854,246 @@ test_Unconfigured_Incorrect_V3 if {
"to determine the state from the logs, the default setting ",
"is non-compliant; manual check recommended."
])}
#--


#
# GWS.COMMONCONTROLS.10.5v0.3
#--
test_Access_Correct_V1 if {
# Test 1 event
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Access_Correct_V2 if {
# Test multiple events
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
},
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Access_Incorrect_V1 if {
# Test 1 event
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Allow users to manage their access to less secure apps is ON</li>",
"</ul>"
])
}

test_Access_Incorrect_V2 if {
# Test multiple events
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
},
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Allow users to manage their access to less secure apps is ON</li>",
"</ul>"
])
}

test_Access_Incorrect_V3 if {
# Test no relevant events
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [

]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, ",
"Test Top-Level OU. While we are unable ",
"to determine the state from the logs, the default setting ",
"is compliant; manual check recommended."
])}

test_Access_Incorrect_V4 if {
# Test no relevant events in top-level OU
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, ",
"Test Top-Level OU. While we are unable ",
"to determine the state from the logs, the default setting ",
"is compliant; manual check recommended."
])}

test_Access_Incorrect_V5 if {
# Test multiple OUs
PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
]
}]
},
{
"id": {"time": "2021-12-20T00:02:28.672Z"},
"events": [{
"name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
"parameters": [
{"name": "NEW_VALUE", "value": "DENIED"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Second-Level OU: Allow users to manage their access to less secure apps is ON</li>",
"</ul>"
])
}
#--
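Review bot: The multi-event cases `test_Access_Correct_V2` and `test_Access_Incorrect_V2` both list the newest event first in `items`, so an implementation that simply took the first entry instead of the latest by `id.time` would still pass every test here; for a control whose stale DENIED event could otherwise mask a later ALLOWED, the ordering assumption deserves a case of its own. Swapping the two `items` entries in `test_Access_Incorrect_V2` (the 2021 DENIED event first, the 2022 ALLOWED event second) keeps the expected non-compliant result while pinning "most recent wins" rather than "first listed wins"; a mirrored swap in `test_Access_Correct_V2` would cover the compliant direction. As a point of style, `test_Access_Incorrect_V3` and `test_Access_Incorrect_V4` assert `RuleOutput[0].RequirementMet` and the "default setting is compliant" message, so their names read as the opposite of what they check; a comment such as `# No event: default is compliant, so RequirementMet is expected to hold` on each would make the intent clear if the naming scheme is kept for consistency with the rest of the file.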