From 68061348cf1df1c0b7e88fbaf871aecaa9283c03 Mon Sep 17 00:00:00 2001 From: Roy Lane Date: Wed, 11 Dec 2024 11:21:17 -0500 Subject: [PATCH] commoncontrols 3.1: remove policy API check for employee ID challenge (see 11/6 change) commoncontrols 4.1: use "friendly" value in non-compliance message --- .../commoncontrols/commoncontrols04_test.rego | 6 +- .../commoncontrols_api03_test.rego | 84 ------------------- .../commoncontrols_api04_test.rego | 2 +- scubagoggles/rego/Commoncontrols.rego | 43 +++------- 4 files changed, 16 insertions(+), 119 deletions(-) delete mode 100644 scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api03_test.rego diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego index 43b4163e..8da28392 100644 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego +++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols04_test.rego @@ -195,7 +195,7 @@ test_Limit_Incorrect_V1 if { } failedOU := [{"Name": "Test Top-Level OU", - "Value": "Web session duration is set to 24 hours"}] + "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -233,7 +233,7 @@ test_Limit_Incorrect_V2 if { } failedOU := [{"Name": "Test Top-Level OU", - "Value": "Web session duration is set to 24 hours"}] + "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } @@ -271,7 +271,7 @@ test_Limit_Incorrect_V3 if { } failedOU := [{"Name": "Test Top-Level OU", - "Value": "Web session duration is set to 24 hours"}] + "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(86400))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } 
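Review bot: The three rewritten expectations in commoncontrols04_test.rego now build the expected string with the very functions under test, `NonComplianceMessage4_1(GetFriendlyValue4_1(86400))`, so the assertion can no longer catch a wrong friendly mapping (86400 rendered as "20 hours") or a broken format string — both sides would change together. The old literal pinned the user-facing text; keep that property by asserting the literal, `"Value": "Web session duration: 24 hours"`, in all three tests. If the goal is to avoid repeating the prefix, share a single literal constant in the test file rather than calling the production helpers.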
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api03_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api03_test.rego deleted file mode 100644 index 5328ef99..00000000 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api03_test.rego +++ /dev/null @@ -1,84 +0,0 @@ -package commoncontrols - -import future.keywords -import data.utils.FailTestOUNonCompliant -import data.utils.PassTestResult - -GoodCaseInputApi03 := { - "policies": { - "topOU": { - "security_login_challenges": { - "enableEmployeeIdChallenge": true - } - }, - "nextOU": { - "security_login_challenges": { - "enableEmployeeIdChallenge": true - } - } - }, - "tenant_info": { - "topLevelOU": "topOU" - } -} - -BaseCaseInputApi03 := { - "policies": { - "topOU": { - "security_login_challenges": { - "enableEmployeeIdChallenge": false - } - }, - "nextOU": { - "security_session_controls": { - "webSessionDuration": "800m" - }, - } - }, - "tenant_info": { - "topLevelOU": "topOU" - } -} - -BaseCaseInputApi03a := { - "policies": { - "topOU": { - "security_login_challenges": { - "enableEmployeeIdChallenge": true - } - }, - "nextOU": { - "security_login_challenges": { - "enableEmployeeIdChallenge": false - } - } - }, - "tenant_info": { - "topLevelOU": "topOU" - } -} - -test_PostSSO_Correct_1 if { - PolicyId := CommonControlsId3_1 - Output := tests with input as GoodCaseInputApi03 - - PassTestResult(PolicyId, Output) -} - -test_PostSSO_Incorrect_1 if { - PolicyId := CommonControlsId3_1 - Output := tests with input as BaseCaseInputApi03 - - failedOU := [{"Name": "topOU", - "Value": NonComplianceMessage3_1}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} - -test_PostSSO_Incorrect_2 if { - PolicyId := CommonControlsId3_1 - Output := tests with input as BaseCaseInputApi03a - - failedOU := [{"Name": "nextOU", - "Value": NonComplianceMessage3_1}] - FailTestOUNonCompliant(PolicyId, Output, failedOU) -} 
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego index 6335aa69..39c7d038 100644 --- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego +++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols_api04_test.rego @@ -59,6 +59,6 @@ test_CCAPI_ReAuth_NonComply_1 if { Output := tests with input as BaseCaseInputApi04 failedOU := [{"Name": "nextOU", - "Value": "Web session duration: 800m"}] + "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(800 * 60))}] FailTestOUNonCompliant(PolicyId, Output, failedOU) } diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego index 4bcb4765..aa7856d4 100644 --- a/scubagoggles/rego/Commoncontrols.rego +++ b/scubagoggles/rego/Commoncontrols.rego @@ -515,13 +515,10 @@ CommonControlsId3_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.3.1") LogMessage3_1 := "SsoPolicyProto challenge_selection_behavior" Check3_1_OK if { - not PolicyApiInUse events := utils.FilterEventsOU(LogEvents, LogMessage3_1, utils.TopLevelOU) count(events) > 0 } -Check3_1_OK if {PolicyApiInUse} - NonComplianceMessage3_1 := "Post Single Sign-on (SSO) verification is disabled." # NOTE: this setting cannot be controlled at the group-level, @@ -531,7 +528,6 @@ NonCompliantOUs3_1 contains { "Value": NonComplianceMessage3_1 } if { - not PolicyApiInUse some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, LogMessage3_1, OU) # Ignore OUs without any events. We're already asserting that the 
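Review bot: With `not PolicyApiInUse` dropped from Check3_1_OK and from the event-log NonCompliantOUs3_1 rule, and the `Check3_1_OK if {PolicyApiInUse}` short-circuit removed, GWS.COMMONCONTROLS.3.1 is now evaluated from log events even on a policy-API run, but nothing in the file records why; a maintainer seeing `PolicyApiInUse` guards on every neighbouring rule will be tempted to put them back. Add a comment above Check3_1_OK such as `# The Policy API does not expose the post-SSO (employee ID) challenge setting, so 3.1 is always evaluated from the event log, regardless of PolicyApiInUse (see the 11/6 change).` — this is inferred from the subject line, so confirm the wording. The API test file was deleted rather than replaced, so there is now no test that feeds a policy-API input (no LogEvents) and checks that 3.1 still yields the fail-closed `NoSuchEvent` result rather than silently producing nothing; one such case in commoncontrols_api04_test.rego or a new api03 test would cover it. The `tests contains` rule for 3.1 continues into the next hunk.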
@@ -543,16 +539,6 @@ if { LastEvent.NewValue != "DELETE_APPLICATION_SETTING" } -NonCompliantOUs3_1 contains { - "Name": OU, - "Value": NonComplianceMessage3_1 -} -if { - some OU, settings in input.policies - enableChallenge := settings.security_login_challenges.enableEmployeeIdChallenge - enableChallenge != true -} - tests contains { "PolicyId": CommonControlsId3_1, "Criticality": "Should", @@ -562,7 +548,6 @@ tests contains { "NoSuchEvent": true } if { - not PolicyApiInUse DefaultSafe := false not Check3_1_OK } @@ -633,23 +618,26 @@ IsGoodLimit(ActualLim) := false if { count({GoodLim | some GoodLim in GoodLimits; GoodLim == ActualLim}) == 0 } +NonComplianceMessage4_1(Value) := sprintf("Web session duration: %s", + [Value]) + GetFriendlyValue4_1(Value) := "Session never expires" if { - Value == "63072000" + Value == 63072000 } else := "30 days" if { - Value == "2592000" + Value == 2592000 } else := "14 days" if { - Value == "1209600" + Value == 1209600 } else := "7 days" if { - Value == "604800" + Value == 604800 } else := "24 hours" if { - Value == "86400" + Value == 86400 } else := "20 hours" if { - Value == "72000" -} else := concat(" ", [Value, "seconds"]) + Value == 72000 +} else := sprintf("%d seconds", [Value]) NonCompliantOUs4_1 contains { "Name": OU, - "Value": concat("", ["Web session duration is set to ", GetFriendlyValue4_1(LastEvent.NewValue)]) + "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(to_number(LastEvent.NewValue))) } if { not PolicyApiInUse 
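Review bot: `to_number(LastEvent.NewValue)` in the new head of the event-log NonCompliantOUs4_1 rule makes the entire rule undefined for any OU whose latest event value is not numeric, so that OU silently disappears from the non-compliant set instead of being reported — a fail-open on exactly the malformed case (OPA treats a built-in error as undefined unless strict built-in errors are enabled). This log source does carry non-numeric sentinel values: the 3.1 rule a few lines up compares `LastEvent.NewValue` against `DELETE_APPLICATION_SETTING`. Report such OUs with the raw value instead of dropping them, e.g. by adding a sibling rule that matches when the value is not an integer string; the rule's body continues outside this hunk, so the OU/event binding is elided below. Separately, `sprintf("%d seconds", [Value])` will not render cleanly if `Value` is ever non-integral; if `to_number` can yield a fraction here, `%v` is the safer verb.
```rego
NonCompliantOUs4_1 contains {
    "Name": OU,
    "Value": NonComplianceMessage4_1(LastEvent.NewValue)
} if {
    not PolicyApiInUse
    # … unchanged: OU / LastEvent selection from the event log …
    not regex.match(`^[0-9]+$`, LastEvent.NewValue)
}
```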
@@ -664,16 +652,9 @@ if { not IsGoodLimit(LastEvent.NewValue) } -# The following checks for web session duration less than or equal to 12 hours. -# Not sure whether this really fits with 4.1 requirement. The 12 hours is -# mentioned, but the requirement deals with forced re-authentication after the -# session expiration - is this automatic with session expiration? If so, then -# this check is probably appropriate. It seems to fit with the event log -# method above. - NonCompliantOUs4_1 contains { "Name": OU, - "Value": sprintf("Web session duration: %s", [duration]) + "Value": NonComplianceMessage4_1(GetFriendlyValue4_1(durationSeconds)) } if { multipliers := {"s": 1, "m": 60, "h": 3600}