commoncontrols 3.1: remove policy API check for employee ID challenge…

… (see 11/6 change) commoncontrols 4.1: use "friendly" value in non-compliance message
cisagov · Dec 11, 2024 · 6806134 · 6806134
1 parent 1197546
commit 6806134
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 119 deletions.
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego
@@ -195,7 +195,7 @@ test_Limit_Incorrect_V1 if {
     }
 
     failedOU := [{"Name": "Test Top-Level OU",
-                 "Value": "Web session duration is set to 24 hours"}]
+                 "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -233,7 +233,7 @@ test_Limit_Incorrect_V2 if {
     }
 
     failedOU := [{"Name": "Test Top-Level OU",
-                 "Value": "Web session duration is set to 24 hours"}]
+                 "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 
@@ -271,7 +271,7 @@ test_Limit_Incorrect_V3 if {
     }
 
     failedOU := [{"Name": "Test Top-Level OU",
-                 "Value": "Web session duration is set to 24 hours"}]
+                 "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
 

diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api03_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api03_test.rego
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego
@@ -59,6 +59,6 @@ test_CCAPI_ReAuth_NonComply_1 if {
     Output := tests with input as BaseCaseInputApi04
 
     failedOU := [{"Name": "nextOU",
-                 "Value": "Web session duration: 800m"}]
+                 "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(800 * 60))}]
     FailTestOUNonCompliant(PolicyId, Output, failedOU)
 }
diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego
@@ -515,13 +515,10 @@ CommonControlsId3_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.3.1")
 LogMessage3_1 := "SsoPolicyProto challenge_selection_behavior"
 
 Check3_1_OK if {
-    not PolicyApiInUse
     events := utils.FilterEventsOU(LogEvents, LogMessage3_1, utils.TopLevelOU)
     count(events) > 0
 }
 
-Check3_1_OK if {PolicyApiInUse}
-
 NonComplianceMessage3_1 := "Post Single Sign-on (SSO) verification is disabled."
 
 # NOTE: this setting cannot be controlled at the group-level,
@@ -531,7 +528,6 @@ NonCompliantOUs3_1 contains {
     "Value": NonComplianceMessage3_1
 }
 if {
-    not PolicyApiInUse
     some OU in utils.OUsWithEvents
     Events := utils.FilterEventsOU(LogEvents, LogMessage3_1, OU)
     # Ignore OUs without any events. We're already asserting that the
@@ -543,16 +539,6 @@ if {
     LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
 }
 
-NonCompliantOUs3_1 contains {
-    "Name": OU,
-    "Value": NonComplianceMessage3_1
-}
-if {
-    some OU, settings in input.policies
-    enableChallenge := settings.security_login_challenges.enableEmployeeIdChallenge
-    enableChallenge != true
-}
-
 tests contains {
     "PolicyId": CommonControlsId3_1,
     "Criticality": "Should",
@@ -562,7 +548,6 @@ tests contains {
     "NoSuchEvent": true
 }
 if {
-    not PolicyApiInUse
     DefaultSafe := false
     not Check3_1_OK
 }
@@ -633,23 +618,26 @@ IsGoodLimit(ActualLim) := false if {
     count({GoodLim | some GoodLim in GoodLimits; GoodLim == ActualLim}) == 0
 }
 
+NonComplianceMessage4_1(Value) := sprintf("Web session duration: %s",
+                                          [Value])
+
 GetFriendlyValue4_1(Value) := "Session never expires" if {
-    Value == "63072000"
+    Value == 63072000
 } else := "30 days" if {
-    Value == "2592000"
+    Value == 2592000
 } else := "14 days" if {
-    Value == "1209600"
+    Value == 1209600
 } else := "7 days" if {
-    Value == "604800"
+    Value == 604800
 } else := "24 hours" if {
-    Value == "86400"
+    Value == 86400
 } else := "20 hours" if {
-    Value == "72000"
-} else := concat(" ", [Value, "seconds"])
+    Value == 72000
+} else := sprintf("%d seconds", [Value])
 
 NonCompliantOUs4_1 contains {
     "Name": OU,
-    "Value": concat("", ["Web session duration is set to ", GetFriendlyValue4_1(LastEvent.NewValue)])
+    "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(to_number(LastEvent.NewValue)))
 }
 if {
     not PolicyApiInUse
@@ -664,16 +652,9 @@ if {
     not IsGoodLimit(LastEvent.NewValue)
 }
 
-# The following checks for web session duration less than or equal to 12 hours.
-# Not sure whether this really fits with 4.1 requirement.  The 12 hours is
-# mentioned, but the requirement deals with forced re-authentication after the
-# session expiration - is this automatic with session expiration?  If so, then
-# this check is probably appropriate.  It seems to fit with the event log
-# method above.
-
 NonCompliantOUs4_1 contains {
     "Name": OU,
-    "Value": sprintf("Web session duration: %s", [duration])
+    "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(durationSeconds))
 }
 if {
     multipliers := {"s": 1, "m": 60, "h": 3600}