
Implement code for new CommonControls.3.2 #646


Merged
merged 3 commits into from
Apr 24, 2025
Merged
Expand Up @@ -262,3 +262,260 @@ test_SSO_Incorrect_V5 if {
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}
#--

#
# GWS.COMMONCONTROLS.3.2
#--

test_SSO_Profiles_Correct_V1 if {
# Test 1 event
PolicyId := CommonControlsId3_2
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2025-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_PERFORM_CHALLENGE_SELECTION"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

PassTestResult(PolicyId, Output)
}

test_SSO_Profiles_Correct_V2 if {
# Test multiple events
PolicyId := CommonControlsId3_2
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2025-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_PERFORM_CHALLENGE_SELECTION"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
},
{
"id": {"time": "2024-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_BYPASS_ADDITIONAL_CHALLENGES"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

PassTestResult(PolicyId, Output)
}

test_SSO_Profiles_Correct_V3 if {
# Test inheritance
PolicyId := CommonControlsId3_2
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2023-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_PERFORM_CHALLENGE_SELECTION"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
},
{
"id": {"time": "2022-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_BYPASS_ADDITIONAL_CHALLENGES"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
},
{
"id": {"time": "2025-03-21T14:35:58.353Z"},
"events": [{
"name": "DELETE_APPLICATION_SETTING",
"parameters": [
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}
PassTestResult(PolicyId, Output)
}

test_SSO_Profiles_Incorrect_V1 if {
# Test 1 event
PolicyId := CommonControlsId3_2
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2025-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_BYPASS_ADDITIONAL_CHALLENGES"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

failedOU := [{"Name": "Test Top-Level OU",
"Value": NonComplianceMessage3_2}]
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}

test_SSO_Profiles_Incorrect_V2 if {
# Test multiple events
PolicyId := CommonControlsId3_2
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2025-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_BYPASS_ADDITIONAL_CHALLENGES"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
},
{
"id": {"time": "2024-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_BYPASS_ADDITIONAL_CHALLENGES"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

failedOU := [{"Name": "Test Top-Level OU",
"Value": NonComplianceMessage3_2}]
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}

test_SSO_Profiles_Incorrect_V3 if {
# Test no relevant events
PolicyId := CommonControlsId3_2
Output := tests with input as {
"commoncontrols_logs": {"items": [

]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
}

test_SSO_Profiles_Incorrect_V4 if {
# Test no relevant events in the top-level OU
PolicyId := CommonControlsId3_2
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2025-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_BYPASS_ADDITIONAL_CHALLENGES"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

FailTestNoEvent(PolicyId, Output, "Test Top-Level OU", false)
}

test_SSO_Profiles_Incorrect_V5 if {
# Test multiple OUs
PolicyId := CommonControlsId3_2
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2025-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_BYPASS_ADDITIONAL_CHALLENGES"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
},
{
"id": {"time": "2025-03-21T14:35:58.353Z"},
"events": [{
"parameters": [
{"name": "NEW_VALUE", "value": "SSO_PROFILES_BYPASS_ADDITIONAL_CHALLENGES"},
{"name": "SETTING_NAME", "value": "SsoPolicyProto sso_profile_challenge_selection_behavior"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
{"name": "APPLICATION_NAME", "value": "Security"}
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

failedOU := [{"Name": "Test Second-Level OU",
"Value": NonComplianceMessage3_2},
{"Name": "Test Top-Level OU",
"Value": NonComplianceMessage3_2}]
FailTestOUNonCompliant(PolicyId, Output, failedOU)
}
#--
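--- a/scubagoggles/rego/Commoncontrols.rego
+++ b/scubagoggles/rego/Commoncontrols.rego
@@ -523,17 +523,62 @@ if {
 
 CommonControlsId3_2 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.3.2")
 
-# TODO replace the following placeholder with actual implementation
-# SsoPolicyProto sso_profile_challenge_selection_behavior appears to the appropriate log event
+LogMessage3_2 := "SsoPolicyProto sso_profile_challenge_selection_behavior"
+
+Check3_2_OK if {
+events := utils.FilterEventsOU(LogEvents, LogMessage3_2, utils.TopLevelOU)
+count(events) > 0
+}
+
+NonComplianceMessage3_2 := "Post Single Sign-on (SSO) verification is disabled."
+
+# NOTE: this setting cannot be controlled at the group-level,
+# so only a check at the OU-level is implemented here.
+NonCompliantOUs3_2 contains {
+"Name": OU,
+"Value": NonComplianceMessage3_2
+}
+
+if {
+some OU in utils.OUsWithEvents
+Events := utils.FilterEventsOU(LogEvents, LogMessage3_2, OU)
+# Ignore OUs without any events. We're already asserting that the
+# top-level OU has at least one event; for all other OUs we assume
+# they inherit from a parent OU if they have no events.
+count(Events) > 0
+LastEvent := utils.GetLastEvent(Events)
+LastEvent.NewValue != "SSO_PROFILES_PERFORM_CHALLENGE_SELECTION"
+LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
+}
+
 tests contains {
 "PolicyId": CommonControlsId3_2,
-"Prerequisites": [],
-"Criticality": "Should/Not-Implemented",
-"ReportDetails": "Currently not able to be tested automatically; please manually check.",
-"ActualValue": "",
-"RequirementMet": false,
+"Criticality": "Should",
+"ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
+"ActualValue": "No relevant event for the top-level OU in the current logs",
+"RequirementMet": DefaultSafe,
 "NoSuchEvent": true
 }
+if {
+DefaultSafe := false
+not Check3_2_OK
+}
+
+tests contains {
+"PolicyId": CommonControlsId3_2,
+"Criticality": "Should",
+# Empty list on the next line as this setting can't be set at the group level
+"ReportDetails": utils.ReportDetails(NonCompliantOUs3_2, []),
+"ActualValue": {"NonCompliantOUs": NonCompliantOUs3_2},
+"RequirementMet": Status,
+"NoSuchEvent": false
+}
+
+if {
+Check3_2_OK
+Status := count(NonCompliantOUs3_2) == 0
+}
+
 #--
 
 ########################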
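Review bot: The `LastEvent.NewValue != "DELETE_APPLICATION_SETTING"` exemption in NonCompliantOUs3_2 is justified as inheritance for child OUs, but the top-level OU has no parent, so a delete there reverts the setting to Google's product default, and the rule reports that OU compliant without ever checking what the default is (test_SSO_Profiles_Correct_V3 in the test file pins this as a pass after an explicit BYPASS event). If the default for sso_profile_challenge_selection_behavior is not PERFORM_CHALLENGE_SELECTION, a tenant that was set to bypass and then reset would be scored as having post-SSO verification enabled. At minimum the assumption should be stated next to that line, e.g. `# A DELETE event at the top-level OU restores Google's default; this assumes that default is PERFORM_CHALLENGE_SELECTION — confirm`, and the comment above `count(Events) > 0` should mention it rather than only inheritance. The translation of a DELETE_APPLICATION_SETTING event name into `NewValue` is presumably done inside utils.FilterEventsOU, which is outside this diff; a one-line comment naming that dependency would help the next reader.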