Changes to Common Controls Baseline (#315)

* Made all Common Controls Changes * Increased max super admins to 8 * Removed Policy 10.1 * Fixed Date for Policy 16.1 * Update baselines/Common Controls Minimum Viable Secure Configuration Baseline v0.2.md Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> * Update baselines/Common Controls Minimum Viable Secure Configuration Baseline v0.2.md Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> * udpated resources and implementation steps * Added policy group 17 * Apply suggestions from code review Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> * Fixed most PR comment changes * Made COMMONCONTROLS.11.1v0.2 a SHALL * Added Pending TTP Mappings * updated 2.1 implemetation steps for Coast * [#315] Rego update - remove 10.1 rego and unit tests and update numbering * [#315] Change 11.1 to Shall * [#315] Fix error in unit test * Remove 2.2 from Rego * Implement 16.1 rego * Implement 17.1 Rego * Adjust admin count rego check --------- Co-authored-by: Max Dueltgen (MITRE) <148897369+mdueltgen@users.noreply.github.com> Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> Co-authored-by: ssnarve <ssnarve@sandia.gov> Co-authored-by: Alden Hilton <adhilto@sandia.gov>
cisagov · Aug 5, 2024 · c823249 · c823249
1 parent 60f8fbf
commit c823249
Show file tree

Hide file tree

Showing 8 changed files with 545 additions and 166 deletions.
diff --git a/Testing/RegoTests/commoncontrols/commoncontrols06_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols06_test.rego
@@ -90,7 +90,7 @@ test_Count_Correct_V2 if {
 }
 
 test_Count_Correct_V3 if {
-    # 4 super admins
+    # 8 super admins
     PolicyId := "GWS.COMMONCONTROLS.6.2v0.2"
     Output := tests with input as {
         "super_admins": [
@@ -109,7 +109,23 @@ test_Count_Correct_V3 if {
             {
                 "primaryEmail": "admin4@example.org",
                 "orgUnitPath": ""
-            }
+            },
+            {
+                "primaryEmail": "admin5@example.org",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "admin6@example.org",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "admin7@example.org",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "admin8@example.org",
+                "orgUnitPath": ""
+            },
         ]
     }
 
@@ -119,15 +135,15 @@ test_Count_Correct_V3 if {
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", [
         "The following super admins are configured: ",
-        "admin1@example.org, admin2@example.org, admin3@example.org, ",
-        "admin4@example.org. <i>Note: Exceptions are ",
+        "admin1@example.org, admin2@example.org, admin3@example.org, admin4@example.org, ",
+        "admin5@example.org, admin6@example.org, admin7@example.org, admin8@example.org. <i>Note: Exceptions are ",
         "allowed for \"break glass\" super admin accounts, ",
         "though we are not able to account for this automatically.</i>"
     ])
 }
 
 test_Count_Incorrect_V1 if {
-    # 5 super admins
+    # 9 super admins
     PolicyId := "GWS.COMMONCONTROLS.6.2v0.2"
     Output := tests with input as {
         "super_admins": [
@@ -150,6 +166,22 @@ test_Count_Incorrect_V1 if {
             {
                 "primaryEmail": "admin5@example.org",
                 "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "admin6@example.org",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "admin7@example.org",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "admin8@example.org",
+                "orgUnitPath": ""
+            },
+            {
+                "primaryEmail": "admin9@example.org",
+                "orgUnitPath": ""
             }
         ]
     }
@@ -160,8 +192,8 @@ test_Count_Incorrect_V1 if {
     not RuleOutput[0].NoSuchEvent
     RuleOutput[0].ReportDetails == concat("", [
         "The following super admins are configured: ",
-        "admin1@example.org, admin2@example.org, admin3@example.org, ",
-        "admin4@example.org, admin5@example.org. <i>Note: Exceptions are ",
+        "admin1@example.org, admin2@example.org, admin3@example.org, admin4@example.org, admin5@example.org, ",
+        "admin6@example.org, admin7@example.org, admin8@example.org, admin9@example.org. <i>Note: Exceptions are ",
         "allowed for \"break glass\" super admin accounts, ",
         "though we are not able to account for this automatically.</i>"
     ])

diff --git a/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
@@ -4,33 +4,10 @@ import future.keywords
 #
 # GWS.COMMONCONTROLS.10.1v0.2
 #--
-test_AllowList_Correct_V1 if {
-    # Test not implemented
-    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
-    Output := tests with input as {
-        "commoncontrols_logs": {"items": [
-
-        ]},
-        "tenant_info": {
-            "topLevelOU": "Test Top-Level OU"
-        }
-    }
-
-    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
-    count(RuleOutput) == 1
-    not RuleOutput[0].RequirementMet
-    RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Currently not able to be tested automatically; please manually check."
-}
-#--
-
-#
-# GWS.COMMONCONTROLS.10.2v0.2
-#--
 test_AccessControl_Correct_V1 if {
     # Test restricted when there is no _HIGH_RISK event present
     # (not all services have a risk version, just Drive and Gmail)
-    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -58,7 +35,7 @@ test_AccessControl_Correct_V1 if {
 
 test_AccessControl_Correct_V2 if {
     # Test allowed with not high risk allowed
-    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -96,7 +73,7 @@ test_AccessControl_Correct_V2 if {
 
 test_AccessControl_Correct_V3 if {
     # Test restricted with not high risk disallowed
-    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -134,7 +111,7 @@ test_AccessControl_Correct_V3 if {
 
 test_AccessControl_Correct_V4 if {
     # Test multiple services
-    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -182,7 +159,7 @@ test_AccessControl_Correct_V4 if {
 
 test_AccessControl_Correct_V5 if {
     # Test multiple services, multiple events
-    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -251,7 +228,7 @@ test_AccessControl_Correct_V5 if {
 test_AccessControl_Incorrect_V1 if {
     # Test unrestricted when there is no _HIGH_RISK event present
     # (not all services have a risk version, just Drive and Gmail)
-    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -279,7 +256,7 @@ test_AccessControl_Incorrect_V1 if {
 
 test_AccessControl_Incorrect_V2 if {
     # Test unrestricted with not high risk disallowed
-    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -317,7 +294,7 @@ test_AccessControl_Incorrect_V2 if {
 
 test_AccessControl_Incorrect_V3 if {
     # Test unrestricted with no high risk version
-    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -345,7 +322,7 @@ test_AccessControl_Incorrect_V3 if {
 
 test_AccessControl_Incorrect_V4 if {
     # Test no events
-    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
 
@@ -368,11 +345,11 @@ test_AccessControl_Incorrect_V4 if {
 #--
 
 #
-# GWS.COMMONCONTROLS.10.3v0.2
+# GWS.COMMONCONTROLS.10.2v0.2
 #--
 test_Consent_Correct_V1 if {
     # Test disallow with no high risk version
-    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -400,7 +377,7 @@ test_Consent_Correct_V1 if {
 
 test_Consent_Correct_V2 if {
     # Test disallow with high risk version
-    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -438,7 +415,7 @@ test_Consent_Correct_V2 if {
 
 test_Consent_Incorrect_V1 if {
     # Test allow with no high risk version
-    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -466,7 +443,7 @@ test_Consent_Incorrect_V1 if {
 
 test_Consent_Incorrect_V2 if {
     # Test allow with high risk version allowed
-    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -504,7 +481,7 @@ test_Consent_Incorrect_V2 if {
 
 test_Consent_Incorrect_V3 if {
     # Test allow with high risk version blocked
-    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -542,7 +519,7 @@ test_Consent_Incorrect_V3 if {
 
 test_Consent_Incorrect_V4 if {
     # Test no events
-    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
 
@@ -565,11 +542,11 @@ test_Consent_Incorrect_V4 if {
 #--
 
 #
-# GWS.COMMONCONTROLS.10.4v0.2
+# GWS.COMMONCONTROLS.10.3v0.2
 #--
 test_Internal_Correct_V1 if {
     # Test basic
-    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -596,7 +573,7 @@ test_Internal_Correct_V1 if {
 
 test_Internal_Correct_V2 if {
     # Test multiple events
-    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -632,7 +609,7 @@ test_Internal_Correct_V2 if {
 
 test_Internal_Incorrect_V1 if {
     # Test basic
-    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -663,7 +640,7 @@ test_Internal_Incorrect_V1 if {
 
 test_Internal_Incorrect_V2 if {
     # Test multiple events
-    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -703,7 +680,7 @@ test_Internal_Incorrect_V2 if {
 
 test_Internal_Incorrect_V3 if {
     # Test no events
-    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
 
@@ -726,11 +703,11 @@ test_Internal_Incorrect_V3 if {
 #--
 
 #
-# GWS.COMMONCONTROLS.10.5v0.2
+# GWS.COMMONCONTROLS.10.4v0.2
 #--
 test_Unconfigured_Correct_V1 if {
     # Test basic
-    PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -757,7 +734,7 @@ test_Unconfigured_Correct_V1 if {
 
 test_Unconfigured_Correct_V2 if {
     # Test basic multiple events
-    PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -793,7 +770,7 @@ test_Unconfigured_Correct_V2 if {
 
 test_Unconfigured_Incorrect_V1 if {
     # Test unblock
-    PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -825,7 +802,7 @@ test_Unconfigured_Incorrect_V1 if {
 
 test_Unconfigured_Incorrect_V2 if {
     # Test signin only
-    PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [
             {
@@ -857,7 +834,7 @@ test_Unconfigured_Incorrect_V2 if {
 
 test_Unconfigured_Incorrect_V3 if {
     # Test no events
-    PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+    PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
     Output := tests with input as {
         "commoncontrols_logs": {"items": [