
Changes to Common Controls Baseline #315

Merged
merged 22 commits into from
Aug 5, 2024
Merged
d0d0afa
Made all Common Controls Changes
jkaufman-mitre Jun 11, 2024
97ea86c
Increased max super admins to 8
jkaufman-mitre Jun 11, 2024
f1fdefd
Removed Policy 10.1
jkaufman-mitre Jun 12, 2024
d9bd02d
Fixed Date for Policy 16.1
jkaufman-mitre Jun 13, 2024
3c4cc61
Update baselines/Common Controls Minimum Viable Secure Configuration …
mdueltgen Jun 18, 2024
c9db7c8
Update baselines/Common Controls Minimum Viable Secure Configuration …
mdueltgen Jun 18, 2024
62cc68b
Apply suggestions from code review
mdueltgen Jun 18, 2024
1dd1153
udpated resources and implementation steps
mdueltgen Jun 18, 2024
cdf3e4c
Added policy group 17
jkaufman-mitre Jun 20, 2024
5691c29
Apply suggestions from code review
jkaufman-mitre Jun 24, 2024
539570b
Fixed most PR comment changes
jkaufman-mitre Jul 9, 2024
4112cdb
Made COMMONCONTROLS.11.1v0.2 a SHALL
jkaufman-mitre Jul 11, 2024
6000ff8
Added Pending TTP Mappings
jkaufman-mitre Jul 22, 2024
db5871c
updated 2.1 implemetation steps for Coast
mdueltgen Aug 1, 2024
0fd8dd1
[#315] Rego update - remove 10.1 rego and unit tests and update numbe…
snarve Aug 1, 2024
7acfead
Merge branch 'common-controls-changes-post-0.2-v2' of https://github.…
snarve Aug 1, 2024
c277a67
[#315] Change 11.1 to Shall
snarve Aug 1, 2024
1a97055
[#315] Fix error in unit test
snarve Aug 1, 2024
119b392
Remove 2.2 from Rego
adhilto Aug 2, 2024
0abca58
Implement 16.1 rego
adhilto Aug 2, 2024
a795a68
Implement 17.1 Rego
adhilto Aug 2, 2024
00e1048
Adjust admin count rego check
adhilto Aug 2, 2024
46 changes: 39 additions & 7 deletions Testing/RegoTests/commoncontrols/commoncontrols06_test.rego
Expand Up @@ -90,7 +90,7 @@ test_Count_Correct_V2 if {
}

test_Count_Correct_V3 if {
# 4 super admins
# 8 super admins
PolicyId := "GWS.COMMONCONTROLS.6.2v0.2"
Output := tests with input as {
"super_admins": [
Expand All @@ -109,7 +109,23 @@ test_Count_Correct_V3 if {
{
"primaryEmail": "admin4@example.org",
"orgUnitPath": ""
}
},
{
"primaryEmail": "admin5@example.org",
"orgUnitPath": ""
},
{
"primaryEmail": "admin6@example.org",
"orgUnitPath": ""
},
{
"primaryEmail": "admin7@example.org",
"orgUnitPath": ""
},
{
"primaryEmail": "admin8@example.org",
"orgUnitPath": ""
},
]
}

Expand All @@ -119,15 +135,15 @@ test_Count_Correct_V3 if {
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following super admins are configured: ",
"admin1@example.org, admin2@example.org, admin3@example.org, ",
"admin4@example.org. <i>Note: Exceptions are ",
"admin1@example.org, admin2@example.org, admin3@example.org, admin4@example.org, ",
"admin5@example.org, admin6@example.org, admin7@example.org, admin8@example.org. <i>Note: Exceptions are ",
"allowed for \"break glass\" super admin accounts, ",
"though we are not able to account for this automatically.</i>"
])
}

test_Count_Incorrect_V1 if {
# 5 super admins
# 9 super admins
PolicyId := "GWS.COMMONCONTROLS.6.2v0.2"
Output := tests with input as {
"super_admins": [
Expand All @@ -150,6 +166,22 @@ test_Count_Incorrect_V1 if {
{
"primaryEmail": "admin5@example.org",
"orgUnitPath": ""
},
{
"primaryEmail": "admin6@example.org",
"orgUnitPath": ""
},
{
"primaryEmail": "admin7@example.org",
"orgUnitPath": ""
},
{
"primaryEmail": "admin8@example.org",
"orgUnitPath": ""
},
{
"primaryEmail": "admin9@example.org",
"orgUnitPath": ""
}
]
}
Expand All @@ -160,8 +192,8 @@ test_Count_Incorrect_V1 if {
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following super admins are configured: ",
"admin1@example.org, admin2@example.org, admin3@example.org, ",
"admin4@example.org, admin5@example.org. <i>Note: Exceptions are ",
"admin1@example.org, admin2@example.org, admin3@example.org, admin4@example.org, admin5@example.org, ",
"admin6@example.org, admin7@example.org, admin8@example.org, admin9@example.org. <i>Note: Exceptions are ",
"allowed for \"break glass\" super admin accounts, ",
"though we are not able to account for this automatically.</i>"
])
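Review bot: The comments `# 8 super admins` and `# 9 super admins` in test_Count_Correct_V3 and test_Count_Incorrect_V1 do not say why those counts were chosen, so the next change to the limit (this PR moved it from 4 to 8) gives no hint which test is the boundary case. Suggest `# 8 super admins: the maximum allowed by 6.2 (upper boundary, expected to pass)` and `# 9 super admins: one over the maximum allowed by 6.2 (expected to fail)`. The expected ReportDetails strings are assembled by hand from the same email list; if the rego joins that list in a fixed order, a comment saying the assertion depends on that ordering would help whoever edits the fixture next. Both test bodies start outside the hunks shown here.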
79 changes: 28 additions & 51 deletions Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
Expand Up @@ -4,33 +4,10 @@ import future.keywords
#
# GWS.COMMONCONTROLS.10.1v0.2
#--
test_AllowList_Correct_V1 if {
# Test not implemented
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [

]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Currently not able to be tested automatically; please manually check."
}
#--

#
# GWS.COMMONCONTROLS.10.2v0.2
#--
test_AccessControl_Correct_V1 if {
# Test restricted when there is no _HIGH_RISK event present
# (not all services have a risk version, just Drive and Gmail)
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -58,7 +35,7 @@ test_AccessControl_Correct_V1 if {

test_AccessControl_Correct_V2 if {
# Test allowed with not high risk allowed
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -96,7 +73,7 @@ test_AccessControl_Correct_V2 if {

test_AccessControl_Correct_V3 if {
# Test restricted with not high risk disallowed
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -134,7 +111,7 @@ test_AccessControl_Correct_V3 if {

test_AccessControl_Correct_V4 if {
# Test multiple services
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -182,7 +159,7 @@ test_AccessControl_Correct_V4 if {

test_AccessControl_Correct_V5 if {
# Test multiple services, multiple events
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -251,7 +228,7 @@ test_AccessControl_Correct_V5 if {
test_AccessControl_Incorrect_V1 if {
# Test unrestricted when there is no _HIGH_RISK event present
# (not all services have a risk version, just Drive and Gmail)
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -279,7 +256,7 @@ test_AccessControl_Incorrect_V1 if {

test_AccessControl_Incorrect_V2 if {
# Test unrestricted with not high risk disallowed
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -317,7 +294,7 @@ test_AccessControl_Incorrect_V2 if {

test_AccessControl_Incorrect_V3 if {
# Test unrestricted with no high risk version
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -345,7 +322,7 @@ test_AccessControl_Incorrect_V3 if {

test_AccessControl_Incorrect_V4 if {
# Test no events
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [

Expand All @@ -368,11 +345,11 @@ test_AccessControl_Incorrect_V4 if {
#--

#
# GWS.COMMONCONTROLS.10.3v0.2
# GWS.COMMONCONTROLS.10.2v0.2
#--
test_Consent_Correct_V1 if {
# Test disallow with no high risk version
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -400,7 +377,7 @@ test_Consent_Correct_V1 if {

test_Consent_Correct_V2 if {
# Test disallow with high risk version
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -438,7 +415,7 @@ test_Consent_Correct_V2 if {

test_Consent_Incorrect_V1 if {
# Test allow with no high risk version
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -466,7 +443,7 @@ test_Consent_Incorrect_V1 if {

test_Consent_Incorrect_V2 if {
# Test allow with high risk version allowed
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -504,7 +481,7 @@ test_Consent_Incorrect_V2 if {

test_Consent_Incorrect_V3 if {
# Test allow with high risk version blocked
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -542,7 +519,7 @@ test_Consent_Incorrect_V3 if {

test_Consent_Incorrect_V4 if {
# Test no events
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [

Expand All @@ -565,11 +542,11 @@ test_Consent_Incorrect_V4 if {
#--

#
# GWS.COMMONCONTROLS.10.4v0.2
# GWS.COMMONCONTROLS.10.3v0.2
#--
test_Internal_Correct_V1 if {
# Test basic
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand All @@ -596,7 +573,7 @@ test_Internal_Correct_V1 if {

test_Internal_Correct_V2 if {
# Test multiple events
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -632,7 +609,7 @@ test_Internal_Correct_V2 if {

test_Internal_Incorrect_V1 if {
# Test basic
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -663,7 +640,7 @@ test_Internal_Incorrect_V1 if {

test_Internal_Incorrect_V2 if {
# Test multiple events
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -703,7 +680,7 @@ test_Internal_Incorrect_V2 if {

test_Internal_Incorrect_V3 if {
# Test no events
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [

Expand All @@ -726,11 +703,11 @@ test_Internal_Incorrect_V3 if {
#--

#
# GWS.COMMONCONTROLS.10.5v0.2
# GWS.COMMONCONTROLS.10.4v0.2
#--
test_Unconfigured_Correct_V1 if {
# Test basic
PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand All @@ -757,7 +734,7 @@ test_Unconfigured_Correct_V1 if {

test_Unconfigured_Correct_V2 if {
# Test basic multiple events
PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -793,7 +770,7 @@ test_Unconfigured_Correct_V2 if {

test_Unconfigured_Incorrect_V1 if {
# Test unblock
PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -825,7 +802,7 @@ test_Unconfigured_Incorrect_V1 if {

test_Unconfigured_Incorrect_V2 if {
# Test signin only
PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
Expand Down Expand Up @@ -857,7 +834,7 @@ test_Unconfigured_Incorrect_V2 if {

test_Unconfigured_Incorrect_V3 if {
# Test no events
PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
Output := tests with input as {
"commoncontrols_logs": {"items": [

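Review bot: `GWS.COMMONCONTROLS.10.1v0.2` keeps its v0.2 suffix but changes meaning in this file: before the commit it was the not-implemented manual check in the removed test_AllowList_Correct_V1, and from the first hunk on it is the access-control check that was labelled 10.2v0.2 (10.3 through 10.5 shift down the same way). Anyone comparing stored results or reports produced before and after this baseline change would see the same PolicyId string refer to different controls, which seems worth stating in the file rather than leaving to the commit history. Suggest a comment under the `# GWS.COMMONCONTROLS.10.1v0.2` section header, along the lines of `# Note: 10.x IDs were renumbered when the former 10.1 (allow list, manual check) was removed; 10.1 here is the former 10.2`, with matching notes on the other renumbered sections. Whether the v0.2 suffix is meant to be bumped for a renumbering is not visible from this page.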