From 8daadfa50fff058f5ff3302338a0939f2a5b38a7 Mon Sep 17 00:00:00 2001 From: Lauren Bassett Date: Mon, 13 May 2024 17:42:02 -0400 Subject: [PATCH 01/33] Fixed 5.1 and 4.1, still need to account for groups. Some progress on detailed report for 3.1 --- rego/Drive.rego | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index 9e2bae4d..1cc43d8f 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -552,13 +552,23 @@ NoSuchEvent3_1(TopLevelOU) := true if { default NoSuchEvent3_1(_) := false -NonCompliantOUs3_1 contains OU if { +GetFriendlyValue3_1(Value_B, Value_A) := +"Remove security update from all impacted files" if { + Value_B == "REQUIRE_LESS_SECURE_LINKS" +} +else := "Allow users to remove/apply the security update for files they own or manage" if { + Value_A == "true" +} +NonCompliantOUs3_1 contains { + "Name": OU, + "Value": concat("", [ GetFriendlyValue3_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) + } if { some OU in utils.OUsWithEvents Events_A := utils.FilterEvents(LogEvents, "Link Security Update Settings allow_less_secure_link_user_restore", OU) count(Events_A) > 0 LastEvent_A := utils.GetLastEvent(Events_A) - Events_B := utils.FilterEvents(LogEvents, "Link Security Update Settings less_secure_link_option", OU) + Events_B := utils.FilterEventsOU(LogEvents, "Link Security Update Settings less_secure_link_option", OU) count(Events_B) > 0 LastEvent_B := utils.GetLastEvent(Events_B) @@ -584,7 +594,7 @@ if { tests contains { "PolicyId": "GWS.DRIVEDOCS.3.1v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs3_1), + "ReportDetails": utils.ReportDetails(NonCompliantOUs3_1, []), "ActualValue" : {"NonComplaintOUs": NonCompliantOUs3_1}, "RequirementMet": Status, "NoSuchEvent": false 
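Review bot: GetFriendlyValue3_1 in the first hunk has no unconditional final branch, so when Value_B is not "REQUIRE_LESS_SECURE_LINKS" and Value_A is not "true" the function is undefined, and since the head of NonCompliantOUs3_1 evaluates it, such an OU silently drops out of the set instead of being reported. Whether the rule body's remaining conditions (it continues outside the hunk) can reach that combination I can't tell from here, but a closed chain is the safe shape: `} else := "<placeholder: describe the remaining non-compliant state>"` as a final branch. The `concat("", [GetFriendlyValue3_1(...)])` wrapper is a no-op on a one-element array; `"Value": GetFriendlyValue3_1(LastEvent_B.NewValue, LastEvent_A.NewValue)` reads more directly.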
@@ -604,7 +614,7 @@ if { #-- NonCompliantOUs4_1 contains OU if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "ENABLE_DRIVE_APPS", OU) + Events := utils.FilterEventsOU(LogEvents, "ENABLE_DRIVE_APPS", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) LastEvent.NewValue != "false" @@ -621,7 +631,7 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "ENABLE_DRIVE_APPS", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "ENABLE_DRIVE_APPS", utils.TopLevelOU) count(Events) == 0 } @@ -635,7 +645,7 @@ tests contains { "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "ENABLE_DRIVE_APPS", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "ENABLE_DRIVE_APPS", utils.TopLevelOU) count(Events) > 0 Status := count(NonCompliantOUs4_1) == 0 } @@ -651,7 +661,7 @@ if { #-- NonCompliantOUs5_1 contains OU if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "ENABLE_DOCS_ADD_ONS", OU) + Events := utils.FilterEventsOU(LogEvents, "ENABLE_DOCS_ADD_ONS", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) LastEvent.NewValue != "false" @@ -668,7 +678,7 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "ENABLE_DOCS_ADD_ONS", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "ENABLE_DOCS_ADD_ONS", utils.TopLevelOU) count(Events) == 0 } @@ -682,7 +692,7 @@ tests contains { "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "ENABLE_DOCS_ADD_ONS", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "ENABLE_DOCS_ADD_ONS", utils.TopLevelOU) count(Events) > 0 Status := count(NonCompliantOUs5_1) == 0 } From ec5deca13e629466b9f23383cc037e4062922391 Mon Sep 17 00:00:00 2001 
From: Lauren Bassett Date: Wed, 15 May 2024 16:40:24 -0400 Subject: [PATCH 02/33] Added support for groups for 2.X, Fixed logic issue on 2.4, Fixed spelling error from Complaint to Compliant --- rego/Drive.rego | 220 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 170 insertions(+), 50 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index 1cc43d8f..fb517619 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -305,7 +305,7 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.1.7v0.1", "Criticality": "Shall", "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_7), - "ActualValue": {"NonComplaintOUs": NonCompliantOUs1_7}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_7}, "RequirementMet": Status, "NoSuchEvent": false } @@ -364,9 +364,24 @@ if { # # Baseline GWS.DRIVEDOCS.2.1v0.1 #-- -NonCompliantOUs2_1 contains OU if { +NonCompliantOUs2_1 contains { + "Name": OU, + "Value": "Members with manager access can override shared drive settings." + } if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", OU) + Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_admin_only", OU) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + contains("true", LastEvent.NewValue) == false + LastEvent.NewValue != "DELETE_APPLICATION_SETTING" +} + +NonCompliantGroups2_1 contains { + "Name": Group, + "Value": "Members with manager access can override shared drive settings." + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_admin_only", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false 
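Review bot: The new NonCompliantOUs2_1 and NonCompliantGroups2_1 rules test `contains("true", LastEvent.NewValue) == false`, and Rego's `contains(haystack, needle)` takes the haystack first, so this asks whether NewValue is a substring of "true" — an empty NewValue satisfies it and is treated as compliant, and the expression reads as the opposite of what it checks. `LastEvent.NewValue != "true"` states the intent directly, with the existing `!= "DELETE_APPLICATION_SETTING"` exclusion kept. The same pattern is copied into the 2.2 and 2.3 rules in the following hunks, and inverted (`contains("false", ...) == true`) in 2.4. The Groups rule body continues outside this hunk.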
@@ -383,31 +398,47 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.2.1v0.1", "Criticality": "Should", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_1), - "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs2_1, NonCompliantGroups2_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_1, "NonCompliantGroups": NonCompliantGroups2_1}, "RequirementMet": Status, "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs2_1) == 0 + Conditions := {count(NonCompliantOUs2_1) == 0, count(NonCompliantGroups2_1) == 0 } + Status := (false in Conditions) == false } #-- # # Baseline GWS.DRIVEDOCS.2.2v0.1 #-- -NonCompliantOUs2_2 contains OU if { +NonCompliantOUs2_2 contains { + "Name": OU, + "Value": "" + } if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", OU) + Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", OU) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + contains("true", LastEvent.NewValue) == false + LastEvent.NewValue != "DELETE_APPLICATION_SETTING" +} + +NonCompliantGroups2_2 contains { + "Name": Group, + "Value": "" + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", Group) count(Events) 
> 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false @@ -425,15 +456,15 @@ tests contains { if { DefaultSafe := false SettingName := "Shared Drive Creation new_team_drive_restricts_cross_domain_access" - Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.2.2v0.1", "Criticality": "Should", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_2), - "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_2}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs2_2, NonCompliantGroups2_2), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_2, "NonCompliantGroups": NonCompliantGroups2_2}, "RequirementMet": Status, "NoSuchEvent": false } 
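Review bot: NonCompliantOUs2_2 and NonCompliantGroups2_2 emit `"Value": ""`, so every 2.2 finding reaches utils.ReportDetails with a blank detail column; the 2.3 and 2.4 rules in the next hunks do the same, and 6.1 emits `"Value": "Fail"` for OUs and `""` for groups. Even as an interim placeholder, a short statement of the offending setting, in the style of 2.1's `"Members with manager access can override shared drive settings."`, keeps the report readable until the final wording lands. If the blank is deliberate for this patch, a `# TODO: report detail pending` comment on the head would tell the next reader it is not a finished state.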
@@ -441,22 +472,38 @@ if { SettingName := "Shared Drive Creation new_team_drive_restricts_cross_domain_access" Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs2_2) == 0 + Conditions := {count(NonCompliantOUs2_2) == 0, count(NonCompliantGroups2_2) == 0 } + Status := (false in Conditions) == false } #-- # # Baseline GWS.DRIVEDOCS.2.3v0.1 #-- -NonCompliantOUs2_3 contains OU if { +NonCompliantOUs2_3 contains { + "Name": OU, + "Value": "" + } if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", OU) + Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", OU) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + contains("true", LastEvent.NewValue) == false + LastEvent.NewValue != "DELETE_APPLICATION_SETTING" +} +NonCompliantGroups2_3 contains { + "Name": Group, + "Value": "" + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false LastEvent.NewValue != "DELETE_APPLICATION_SETTING" } + tests contains { "PolicyId": "GWS.DRIVEDOCS.2.3v0.1", "Criticality": "Shall", 
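Review bot: The RequirementMet test for 2.2 at the top of this hunk still calls `utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU)` on a context line, while its DefaultSafe sibling and every other test in the series were switched to `utils.FilterEventsOU`. If the two helpers differ in how they scope by OU, as the rename suggests, the NoSuchEvent and RequirementMet rules for 2.2 can disagree about whether an event exists; `Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)` brings it in line. The same leftover appears in the 1.1 RequirementMet test in patch 03.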
@@ -468,35 +515,51 @@ tests contains { if { DefaultSafe := false SettingName := "Shared Drive Creation new_team_drive_restricts_direct_access" - Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.2.3v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_3), - "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_3}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs2_3, NonCompliantGroups2_3), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_3, "NonCompliantGroups": NonCompliantGroups2_3}, "RequirementMet": Status, "NoSuchEvent": false } if { SettingName := "Shared Drive Creation new_team_drive_restricts_direct_access" - Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs2_3) == 0 + Conditions := {count(NonCompliantOUs2_3) == 0, count(NonCompliantGroups2_3) == 0 } + Status := (false in Conditions) == false } #-- # # Baseline GWS.DRIVEDOCS.2.4v0.1 #-- -NonCompliantOUs2_4 contains OU if { +NonCompliantOUs2_4 contains { + "Name": OU, + "Value": "" + } if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", OU) + Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", OU) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + contains("false", LastEvent.NewValue) == true + LastEvent.NewValue != "DELETE_APPLICATION_SETTING" +} + +NonCompliantGroups2_4 contains { + "Name": Group, + "Value": "" + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", Group) count(Events) > 0 LastEvent := 
utils.GetLastEvent(Events) - contains("false", LastEvent.NewValue) == false + contains("false", LastEvent.NewValue) == true LastEvent.NewValue != "DELETE_APPLICATION_SETTING" } @@ -510,22 +573,23 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.2.4v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_4), - "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_4}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs2_4, NonCompliantGroups2_4), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_4, "NonCompliantGroups": NonCompliantGroups2_4}, "RequirementMet": Status, "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs2_4) == 0 + Conditions := {count(NonCompliantOUs2_4) == 0, count(NonCompliantGroups2_4) == 0 } + Status := (false in Conditions) == false } #-- 
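Review bot: With the 2.4 check flipped to `contains("false", LastEvent.NewValue) == true`, the following `LastEvent.NewValue != "DELETE_APPLICATION_SETTING"` can no longer fail (that string is not a substring of "false"), so the line is dead, and an empty NewValue is now flagged as non-compliant whereas the 2.1–2.3 rules treat it as compliant. `LastEvent.NewValue == "false"` expresses the intended condition without the substring ambiguity; if unknown or empty values are meant to count as non-compliant for this baseline, say so in a comment on the rule head. This applies to both the OU and the Group rule in the hunk.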
@@ -540,13 +604,13 @@ if { NoSuchEvent3_1(TopLevelOU) := true if { # No such event... SettingName := "Link Security Update Settings allow_less_secure_link_user_restore" - Events_A := utils.FilterEvents(LogEvents, SettingName, TopLevelOU) + Events_A := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU) count(Events_A) == 0 } NoSuchEvent3_1(TopLevelOU) := true if { # No such event... - Events := utils.FilterEvents(LogEvents, "Link Security Update Settings less_secure_link_option", TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "Link Security Update Settings less_secure_link_option", TopLevelOU) count(Events) == 0 } @@ -564,7 +628,7 @@ NonCompliantOUs3_1 contains { "Value": concat("", [ GetFriendlyValue3_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) } if { some OU in utils.OUsWithEvents - Events_A := utils.FilterEvents(LogEvents, "Link Security Update Settings allow_less_secure_link_user_restore", OU) + Events_A := utils.FilterEventsOU(LogEvents, "Link Security Update Settings allow_less_secure_link_user_restore", OU) count(Events_A) > 0 LastEvent_A := utils.GetLastEvent(Events_A) @@ -595,7 +659,7 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.3.1v0.1", "Criticality": "Shall", "ReportDetails": utils.ReportDetails(NonCompliantOUs3_1, []), - "ActualValue" : {"NonComplaintOUs": NonCompliantOUs3_1}, + "ActualValue" : {"NonCompliantOUs": NonCompliantOUs3_1}, "RequirementMet": Status, "NoSuchEvent": false } @@ -612,7 +676,11 @@ if { # # Baseline GWS.DRIVEDOCS.4.1v0.1 #-- -NonCompliantOUs4_1 contains OU if { +NonCompliantOUs4_1 contains { + "Name": OU, + "Value": "Drive SDK is Enabled" +} + if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "ENABLE_DRIVE_APPS", OU) count(Events) > 0 
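Review bot: The new head of NonCompliantOUs4_1 in the last hunk on this line closes the object with `}` and puts ` if {` on its own indented line, unlike the `} if {` form used by every other rule in this series; the 1.2 heads in patch 03 do the same. Writing it as `} if {` keeps the rule heads uniform and avoids the stray leading space. In the next hunk the blank line between NonCompliantOUs4_1 and NonCompliantGroups4_1 is removed and none separates the groups rule from `tests contains {`, which is worth restoring for the same reason.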
@@ -620,7 +688,17 @@ NonCompliantOUs4_1 contains OU if { LastEvent.NewValue != "false" LastEvent.NewValue != "INHERIT_FROM_PARENT" } - +NonCompliantGroups4_1 contains { + "Name": Group, + "Value": "Drive SDK is Enabled" +} if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "ENABLE_DRIVE_APPS", Group) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue != "false" + LastEvent.NewValue != "INHERIT_FROM_PARENT" +} tests contains { "PolicyId": "GWS.DRIVEDOCS.4.1v0.1", "Criticality": "Should", @@ -639,16 +717,18 @@ if { tests contains { "PolicyId": "GWS.DRIVEDOCS.4.1v0.1", "Criticality": "Should", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs4_1), - "ActualValue": {"NonComplaintOUs": NonCompliantOUs4_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs4_1, NonCompliantGroups4_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs4_1, "NonCompliantGroups": NonCompliantGroups4_1}, "RequirementMet": Status, "NoSuchEvent": false } if { Events := utils.FilterEventsOU(LogEvents, "ENABLE_DRIVE_APPS", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs4_1) == 0 + Conditions := {count(NonCompliantOUs4_1) == 0, count(NonCompliantGroups4_1) == 0} + Status := (false in Conditions) == false } + #-- @@ -659,7 +739,10 @@ if { # # Baseline GWS.DRIVEDOCS.5.1v0.1 #-- -NonCompliantOUs5_1 contains OU if { +NonCompliantOUs5_1 contains { + "Name": OU, + "Value": "Users can install Google Docs add-ons from add-ons store." + } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "ENABLE_DOCS_ADD_ONS", OU) count(Events) > 0 
@@ -668,6 +751,17 @@ NonCompliantOUs5_1 contains OU if { LastEvent.NewValue != "INHERIT_FROM_PARENT" } +NonCompliantGroups5_1 contains { + "Name": Group, + "Value": "Users can install Google Docs add-ons from add-ons store." + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "ENABLE_DOCS_ADD_ONS", Group) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue != "false" + LastEvent.NewValue != "INHERIT_FROM_PARENT" +} tests contains { "PolicyId": "GWS.DRIVEDOCS.5.1v0.1", "Criticality": "Shall", @@ -686,15 +780,16 @@ if { tests contains { "PolicyId": "GWS.DRIVEDOCS.5.1v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs5_1), - "ActualValue": {"NonComplaintOUs": NonCompliantOUs5_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs5_1, NonCompliantGroups5_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs5_1, "NonCompliantGroups": NonCompliantGroups5_1}, "RequirementMet": Status, "NoSuchEvent": false } if { Events := utils.FilterEventsOU(LogEvents, "ENABLE_DOCS_ADD_ONS", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs5_1) == 0 + Conditions := {count(NonCompliantOUs5_1) == 0, count(NonCompliantGroups5_1) == 0 } + Status := (false in Conditions) == false } #-- 
@@ -708,24 +803,48 @@ if { default NoSuchEvent6_1(_) := true NoSuchEvent6_1(TopLevelOU) := false if { - Events := utils.FilterEvents(LogEvents, "DriveFsSettingsProto drive_fs_enabled", TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto drive_fs_enabled", TopLevelOU) count(Events) != 0 } NoSuchEvent6_1(TopLevelOU) := false if { # No such event... - Events := utils.FilterEvents(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", TopLevelOU) count(Events) != 0 } -NonCompliantOUs6_1 contains OU if { +NonCompliantOUs6_1 contains { + "Name": OU, + "Value": "Fail" + } if { some OU in utils.OUsWithEvents - Events_A := utils.FilterEvents(LogEvents, "DriveFsSettingsProto drive_fs_enabled", OU) + Events_A := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto drive_fs_enabled", OU) + count(Events_A) > 0 + LastEvent_A := utils.GetLastEvent(Events_A) + LastEvent_A.NewValue != "DELETE_APPLICATION_SETTING" + + Events_B := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", OU) + count(Events_B) > 0 + LastEvent_B := utils.GetLastEvent(Events_B) + LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING" + + true in { + LastEvent_A.NewValue != "true", + LastEvent_B.NewValue != "true" + } +} + +NonCompliantGroups6_1 contains { + "Name": Group, + "Value": "" + } if { + some Group in utils.GroupsWithEvents + Events_A := utils.FilterEventsGroup(LogEvents, "DriveFsSettingsProto drive_fs_enabled", Group) count(Events_A) > 0 LastEvent_A := utils.GetLastEvent(Events_A) LastEvent_A.NewValue != "DELETE_APPLICATION_SETTING" - Events_B := utils.FilterEvents(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", OU) + Events_B := utils.FilterEventsGroup(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", Group) count(Events_B) > 0 LastEvent_B := utils.GetLastEvent(Events_B) LastEvent_B.NewValue != 
"DELETE_APPLICATION_SETTING" @@ -752,14 +871,15 @@ if { tests contains { "PolicyId": "GWS.DRIVEDOCS.6.1v0.1", "Criticality": "Should", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs6_1), - "ActualValue" : {"NonComplaintOUs": NonCompliantOUs6_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs6_1, NonCompliantGroups6_1), + "ActualValue" : {"NonCompliantOUs": NonCompliantOUs6_1, "NonCompliantGroups": NonCompliantGroups6_1}, "RequirementMet": Status, "NoSuchEvent": false } if { not NoSuchEvent6_1(utils.TopLevelOU) - Status := count(NonCompliantOUs6_1) == 0 + Conditions := {count(NonCompliantOUs6_1) == 0, count(NonCompliantGroups6_1) == 0} + Status := (false in Conditions) == false } #-- From 7880269361d96c470423c8b51a619a4809c0b5c5 Mon Sep 17 00:00:00 2001 From: Lauren Bassett Date: Wed, 29 May 2024 17:10:14 -0400 Subject: [PATCH 03/33] Everything is done but 2.2, 2.3, and 2.4 messages and testing. --- rego/Drive.rego | 332 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 267 insertions(+), 65 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index fb517619..ee5d089d 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego 
@@ -12,9 +12,31 @@ LogEvents := utils.GetEvents("drive_logs") # # Baseline GWS.DRIVEDOCS.1.1v0.1 #-- -NonCompliantOUs1_1 contains OU if { +GetFriendlyValue1_1(Value, AcceptableValues) := "Sharing is Properly Configured" if { + Value in AcceptableValues == true +} +else := "Sharing Outside Domain is not properly configured." + +NonCompliantOUs1_1 contains { + "Name": OU, + "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue, AcceptableValues)]) + } if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + AcceptableValues := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", + "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} + not LastEvent.NewValue in AcceptableValues +} + + +NonCompliantGroups1_1 contains { + "Name": Group, + "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue, AcceptableValues)]) + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) AcceptableValues := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", 
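Review bot: `Value in AcceptableValues == true` in GetFriendlyValue1_1 relies on operator precedence; in OPA's parser `in` binds looser than `==`, so I'd expect this to parse as `Value in (AcceptableValues == true)`, which is never satisfied, leaving only the `else` text reachable. Independently of parsing, the only callers (NonCompliantOUs1_1 and NonCompliantGroups1_1) require `not LastEvent.NewValue in AcceptableValues`, so the first branch is dead from them anyway. Dropping the `== true` (`Value in AcceptableValues`) fixes the expression; the same pattern is in GetFriendlyValue1_3 in the 1.3 hunk. The Groups rule body continues outside this hunk.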
@@ -32,22 +54,23 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.1.1v0.1", "Criticality": "Should", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, NonCompliantGroups1_1), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1, "NonCompliantGroups": NonCompliantGroups1_1}, "RequirementMet": Status, "NoSuchEvent": false } if { Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs1_1) == 0 + Conditions := {count(NonCompliantOUs1_1) == 0, count(NonCompliantGroups1_1) == 0 } + Status := (false in Conditions) == false } #-- 
@@ -55,14 +78,37 @@ if { # # Baseline GWS.DRIVEDOCS.1.2v0.1 #-- -NonCompliantOUs1_2 contains OU if { + + +GetFriendlyValue1_2(Value) := "Users cannot recieve files outside the domain" if { + contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", Value) == true +} +else := "Users can recieve files outside the domain." + +NonCompliantOUs1_2 contains { + "Name": OU, + "Value": concat("", [GetFriendlyValue1_2(LastEvent.NewValue)]) + } + if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", LastEvent.NewValue) == false } +NonCompliantGroups1_2 contains { + "Name": Group, + "Value": concat("", [GetFriendlyValue1_2(LastEvent.NewValue)]) + } + if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", LastEvent.NewValue) == false + } + tests contains { "PolicyId": "GWS.DRIVEDOCS.1.2v0.1", "Criticality": "Should", 
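Review bot: Both report strings in GetFriendlyValue1_2 misspell "receive" as "recieve"; since these become user-visible report values and will be pinned by tests, `"Users cannot receive files outside the domain"` and `"Users can receive files outside the domain."` should be corrected now. The compliance check itself, `contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", Value) == true`, accepts any substring of that string (for example "NOT_ALLOWED" or an empty value) as compliant, which is looser than the exact-match sets used in 1.1 and 1.3; `Value in {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT"}` makes the allowed values explicit, in the helper and in the two rules.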
@@ -73,22 +119,23 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.1.2v0.1", "Criticality": "Should", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_2), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_2, NonCompliantGroups1_2), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2, "NonCompliantGroups": NonCompliantGroups1_2}, "RequirementMet": Status, "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs1_2) == 0 + Conditions := {count(NonCompliantOUs1_2) == 0, count(NonCompliantGroups1_2) == 0 } + Status := (false in Conditions) == false } #-- 
@@ -96,9 +143,32 @@ if { # # Baseline GWS.DRIVEDOCS.1.3v0.1 #-- -NonCompliantOUs1_3 contains OU if { + +GetFriendlyValue1_3(Value, AcceptableValues) := "External Sharing Warning is Enabled" if { + Value in AcceptableValues == true +} +else := "External Sharing Warning is Disabled" + + +NonCompliantOUs1_3 contains { + "Name": OU, + "Value": concat("", [GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)]) + } if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + AcceptableValues := {"SHARING_ALLOWED_WITH_WARNING", "SHARING_NOT_ALLOWED", + "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} + not LastEvent.NewValue in AcceptableValues +} + +NonCompliantGroups1_3 contains { + "Name": Group, + "Value": concat("", [GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)]) + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) AcceptableValues := {"SHARING_ALLOWED_WITH_WARNING", "SHARING_NOT_ALLOWED", 
@@ -116,23 +186,25 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.1.3v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_3), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_3, NonCompliantGroups1_3), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3, "NonCompliantGroups": NonCompliantGroups1_3}, "RequirementMet": Status, "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs1_3) == 0 + Conditions := {count(NonCompliantOUs1_3) == 0, count(NonCompliantGroups1_3) == 0 } + Status := (false in Conditions) == false } + #-- # 
@@ -152,13 +224,42 @@ NoSuchEvent1_4(TopLevelOU) := true if { default NoSuchEvent1_4(_) := false -NonCompliantOUs1_4 contains OU if { +GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) := +"External Sharing is Disabled" if { + Value_B in AcceptableValues_B +} else := "External Sharing is Enabled, but Sharing invites to non-google accounts is disabled" if { + Value_A in AcceptableValues_A +} else := "External Sharing is Enabled, and invites can be shared to non-google accounts." + +NonCompliantOUs1_4 contains { + "Name": OU, + "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) + } if { some OU in utils.OUsWithEvents - Events_A := utils.FilterEvents(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", OU) + Events_A := utils.FilterEventsOU(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", OU) + count(Events_A) > 0 + LastEvent_A := utils.GetLastEvent(Events_A) + + Events_B := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) + count(Events_B) > 0 + LastEvent_B := utils.GetLastEvent(Events_B) + + AcceptableValues_A := {"NOT_ALLOWED", "INHERIT_FROM_PARENT"} + not LastEvent_A.NewValue in AcceptableValues_A + AcceptableValues_B := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT"} + not LastEvent_B.NewValue in AcceptableValues_B +} + +NonCompliantGroups1_4 contains { + "Name": Group, + "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) + } if { + some Group in utils.GroupsWithEvents + Events_A := utils.FilterEventsGroup(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", Group) count(Events_A) > 0 LastEvent_A := utils.GetLastEvent(Events_A) - Events_B := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) + Events_B := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group) count(Events_B) > 0 LastEvent_B := utils.GetLastEvent(Events_B) 
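Review bot: The first two branches of GetFriendlyValue1_4 are unreachable from its callers: NonCompliantOUs1_4 requires both `not LastEvent_A.NewValue in AcceptableValues_A` and `not LastEvent_B.NewValue in AcceptableValues_B`, so the reported Value is always "External Sharing is Enabled, and invites can be shared to non-google accounts." Either the helper should be reduced to that one string, or, if a single offending setting is meant to make an OU non-compliant, the rule body should use `true in {...}` over the two membership tests and the helper's branches then carry meaning; which of the two the baseline intends I can't tell from the hunk. NonCompliantGroups1_4 shares the same structure and its body continues outside the hunk.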
@@ -184,28 +285,46 @@ if { tests contains { "PolicyId": "GWS.DRIVEDOCS.1.4v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_4), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_4}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_4, NonCompliantGroups1_4), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_4, "NonCompliantGroups": NonCompliantGroups1_4}, "RequirementMet": Status, "NoSuchEvent": false } if { not NoSuchEvent1_4(utils.TopLevelOU) - Status := count(NonCompliantOUs1_4) == 0 + Conditions := {count(NonCompliantOUs1_4) == 0, count(NonCompliantGroups1_4) == 0 } + Status := (false in Conditions) == false } + #-- # # Baseline GWS.DRIVEDOCS.1.5v0.1 #-- -NonCompliantOUs1_5 contains OU if { + +NonCompliantOUs1_5 contains { + "Name": OU, + "Value": "Published web content is visible to anyone with a link. " + } if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "PUBLISHING_TO_WEB", OU) + Events := utils.FilterEventsOU(LogEvents, "PUBLISHING_TO_WEB", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("ALLOWED", LastEvent.NewValue) == true } +NonCompliantGroups1_5 contains { + "Name": Group, + "Value": "Published web content is visible to anyone with a link. " + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "PUBLISHING_TO_WEB", Group) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + contains("ALLOWED", LastEvent.NewValue) == true +} + + tests contains { "PolicyId": "GWS.DRIVEDOCS.1.5v0.1", "Criticality": "Shall", 
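Review bot: The 1.5 report string carries a trailing space in both NonCompliantOUs1_5 and NonCompliantGroups1_5, `"Published web content is visible to anyone with a link. "`, which will show up in the rendered report and in any exact-match test; `"Published web content is visible to anyone with a link."` is the intended value. The condition `contains("ALLOWED", LastEvent.NewValue) == true` again tests NewValue as a substring of "ALLOWED", so an empty value is flagged while "NOT_ALLOWED" is not; `LastEvent.NewValue == "ALLOWED"` would make the intended match explicit if that is the only non-compliant value.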
@@ -216,31 +335,51 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "PUBLISHING_TO_WEB", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "PUBLISHING_TO_WEB", utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.1.5v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_5), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_5}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_5, NonCompliantGroups1_5), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_5, "NonCompliantGroups": NonCompliantGroups1_5}, "RequirementMet": Status, "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "PUBLISHING_TO_WEB", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "PUBLISHING_TO_WEB", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs1_5) == 0 + Conditions := {count(NonCompliantOUs1_5) == 0, count(NonCompliantGroups1_5) == 0 } + Status := (false in Conditions) == false } #-- # # Baseline GWS.DRIVEDOCS.1.6v0.1 #-- -NonCompliantOUs1_6 contains OU if { +GetFriendlyValue1_6(Value):= "Access Checking is disabled outside of docs and drive." +if { contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", Value) == false +} else := "Access Checking is enabled outside of docs and drive." 
+ + +NonCompliantOUs1_6 contains { + "Name":OU, + "Value": concat("",[GetFriendlyValue1_6(LastEvent.NewValue)]) + } if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", LastEvent.NewValue) == false +} + +NonCompliantGroups1_6 contains { + "Name":Group, + "Value": concat("",[GetFriendlyValue1_6(LastEvent.NewValue)]) + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", LastEvent.NewValue) == false 
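Review bot: `contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", LastEvent.NewValue) == false` in the new `NonCompliantOUs1_6`/`NonCompliantGroups1_6` (and inside `GetFriendlyValue1_6`) is a substring test over a space-joined string, so any value that happens to be a substring — an empty string, or a fragment such as "DOMAIN" — counts as compliant and is never reported. The 1.4 rules in this same diff already use set membership; the same shape here, `AcceptableValues := {"NAMED_PARTIES_ONLY", "DOMAIN_OR_NAMED_PARTIES", "INHERIT_FROM_PARENT"}` followed by `not LastEvent.NewValue in AcceptableValues`, compares exact values and treats anything unexpected as a finding. The 1.7 hunk below has the same pattern with `SettingValue := "CROSS_DOMAIN_MOVES_BLOCKED INHERIT_FROM_PARENT"`. Whether the Drive log can emit an empty or partial value is not visible here, so this is hardening rather than a reproduced failure.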
@@ -256,31 +395,55 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS",utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS",utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.1.6v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_6), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_6}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_6, NonCompliantGroups1_6), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_6, "NonCompliantGroups": NonCompliantGroups1_6}, "RequirementMet": Status, "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs1_6) == 0 + Conditions := {count(NonCompliantOUs1_6) == 0, count(NonCompliantGroups1_6) == 0 } + Status := (false in Conditions) == false } #-- # # Baseline GWS.DRIVEDOCS.1.7v0.1 #-- -NonCompliantOUs1_7 contains OU if { +GetFriendlyValue1_7(Value):= "Setting is compliant." 
if { + Value == "CROSS_DOMAIN_MOVES_BLOCKED" +} else := "Only users inside the organization can distribute content outside of the organization" if { + Value == "CROSS_DOMAIN_FROM_INTERNAL_ONLY" +} else := "Anyone can distribute content in the organization to outside the organization" if { + Value == "CROSS_DOMAIN_FROM_INTERNAL_OR_EXTERNAL" +} else := Value + +NonCompliantOUs1_7 contains { + "Name": OU, + "Value": concat("", [GetFriendlyValue1_7(LastEvent.NewValue)]) + } if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", OU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", OU) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + SettingValue := "CROSS_DOMAIN_MOVES_BLOCKED INHERIT_FROM_PARENT" + contains(SettingValue, LastEvent.NewValue) == false +} + +NonCompliantGroups1_7 contains { + "Name": Group, + "Value": concat("", [GetFriendlyValue1_7(LastEvent.NewValue)]) + } if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) SettingValue := "CROSS_DOMAIN_MOVES_BLOCKED INHERIT_FROM_PARENT" 
@@ -297,31 +460,58 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.1.7v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_7), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_7}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_7, NonCompliantGroups1_7), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_7, "NonCompliantGroups": NonCompliantGroups1_7}, "RequirementMet": Status, "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs1_7) == 0 + Conditions := {count(NonCompliantOUs1_7) == 0, count(NonCompliantGroups1_7) == 0 } + Status := (false in Conditions) == false } #-- # # Baseline GWS.DRIVEDOCS.1.8v0.1 #-- -NonCompliantOUs1_8 contains OU if { + +GetFriendlyValue1_8(Value):= "private to the owner." if { + Value == "PRIVATE" +} else := "The primary target audience can access the item if they have the link" if { + Value == "PEOPLE_WITH_LINK" +} else := "The primary target audience can search and find the item." 
if { + Value == "PUBLIC" +} else := Value + + +NonCompliantOUs1_8 contains { + "Name": OU, + "Value": concat("", ["When users create items, the default access is set to: ", GetFriendlyValue1_8(LastEvent.NewValue)]) +} if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", OU) + Events := utils.FilterEventsOU(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", OU) + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue != "PRIVATE" + LastEvent.NewValue != "INHERIT_FROM_PARENT" +} + + +NonCompliantGroups1_8 contains { + "Name": Group, + "Value": concat("", ["When users create items, the default access is set to: ", GetFriendlyValue1_8(LastEvent.NewValue)]) +} if { + some Group in utils.GroupsWithEvents + Events := utils.FilterEventsGroup(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) LastEvent.NewValue != "PRIVATE" 
@@ -338,22 +528,23 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS",utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS",utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.1.8v0.1", "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_8), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_8}, + "ReportDetails": utils.ReportDetails(NonCompliantOUs1_8, NonCompliantGroups1_8), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_8, "NonCompliantGroups": NonCompliantGroups1_8}, "RequirementMet": Status, "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs1_8) == 0 + Conditions := {count(NonCompliantOUs1_8) == 0, count(NonCompliantGroups1_8) == 0 } + Status := (false in Conditions) == false } #-- @@ -470,7 +661,7 @@ tests contains { } if { SettingName := "Shared Drive Creation new_team_drive_restricts_cross_domain_access" - Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU) count(Events) > 0 Conditions := {count(NonCompliantOUs2_2) == 0, count(NonCompliantGroups2_2) == 0 } Status := (false in Conditions) == false 
@@ -802,6 +993,16 @@ if { #-- default NoSuchEvent6_1(_) := true +GetFriendlyValue6_1(Value_B, Value_A) := +"Drive for Desktop is Enabled, but can be used on any device." if { + Value_B == "false" +} +else := "Drive for Desktop is disabled" if { + Value_A == "false" +} +else := "Drive for Desktop is enabled, and only on approved devices." if { + Value_A == "true" +} NoSuchEvent6_1(TopLevelOU) := false if { Events := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto drive_fs_enabled", TopLevelOU) count(Events) != 0 @@ -815,7 +1016,7 @@ NoSuchEvent6_1(TopLevelOU) := false if { NonCompliantOUs6_1 contains { "Name": OU, - "Value": "Fail" + "Value": concat("", [GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) } if { some OU in utils.OUsWithEvents Events_A := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto drive_fs_enabled", OU) @@ -828,15 +1029,15 @@ NonCompliantOUs6_1 contains { LastEvent_B := utils.GetLastEvent(Events_B) LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING" - true in { - LastEvent_A.NewValue != "true", - LastEvent_B.NewValue != "true" - } + + LastEvent_A.NewValue == "true" + LastEvent_B.NewValue != "true" + } NonCompliantGroups6_1 contains { "Name": Group, - "Value": "" + "Value": concat("", [GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) } if { some Group in utils.GroupsWithEvents Events_A := utils.FilterEventsGroup(LogEvents, "DriveFsSettingsProto drive_fs_enabled", Group) @@ -849,10 +1050,11 @@ NonCompliantGroups6_1 contains { LastEvent_B := utils.GetLastEvent(Events_B) LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING" - true in { - LastEvent_A.NewValue != "true", - LastEvent_B.NewValue != "true" - } + + LastEvent_A.NewValue == "true" + LastEvent_B.NewValue != "true" + + } tests contains { From a93aab066802060ca9de6ee958f8f69162ad212b Mon Sep 17 00:00:00 2001 
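Review bot: `GetFriendlyValue6_1` and the rewritten `NonCompliantOUs6_1`/`NonCompliantGroups6_1` bodies disagree about what a finding is: the helper has a "Drive for Desktop is disabled" branch for `Value_A == "false"`, but the rules in the third and fourth hunks now require `LastEvent_A.NewValue == "true"`, so that branch is unreachable and an OU with Drive for Desktop disabled is no longer reported, where the replaced `true in {...}` form did report it. If the narrowing is intended, drop the dead branch; if not, the rule condition is the part to revisit. With `Value_A == "true"` guaranteed, any `Value_B` other than "false" (and "DELETE_APPLICATION_SETTING", which the rule excludes) reaches the last branch and prints "Drive for Desktop is enabled, and only on approved devices." for an entry that is being reported as non-compliant; a final `else := Value_B`, or a message naming the unexpected value, avoids a compliant-sounding finding. The extra blank `+` lines and the indented closing `}` in the fourth hunk look unintentional.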
From: ssnarve Date: Wed, 29 May 2024 16:26:49 -0700 Subject: [PATCH 04/33] [#259] Update policy 2 --- rego/Drive.rego | 85 ++++++++++++++++++++++++------------------------- 1 file changed, 42 insertions(+), 43 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index ee5d089d..bd278cfc 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -14,11 +14,11 @@ LogEvents := utils.GetEvents("drive_logs") #-- GetFriendlyValue1_1(Value, AcceptableValues) := "Sharing is Properly Configured" if { Value in AcceptableValues == true -} +} else := "Sharing Outside Domain is not properly configured." NonCompliantOUs1_1 contains { - "Name": OU, + "Name": OU, "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue, AcceptableValues)]) } if { some OU in utils.OUsWithEvents @@ -26,13 +26,13 @@ NonCompliantOUs1_1 contains { count(Events) > 0 LastEvent := utils.GetLastEvent(Events) AcceptableValues := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", - "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} + "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} not LastEvent.NewValue in AcceptableValues } NonCompliantGroups1_1 contains { - "Name": Group, + "Name": Group, "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue, AcceptableValues)]) } if { some Group in utils.GroupsWithEvents @@ -40,7 +40,7 @@ NonCompliantGroups1_1 contains { count(Events) > 0 LastEvent := utils.GetLastEvent(Events) AcceptableValues := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", - "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} + "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} not LastEvent.NewValue in AcceptableValues } 
@@ -62,7 +62,7 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.1.1v0.1", "Criticality": "Should", "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, NonCompliantGroups1_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1, "NonCompliantGroups": NonCompliantGroups1_1}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1, "NonCompliantGroups": NonCompliantGroups1_1}, "RequirementMet": Status, "NoSuchEvent": false } @@ -82,12 +82,12 @@ if { GetFriendlyValue1_2(Value) := "Users cannot recieve files outside the domain" if { contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", Value) == true -} -else := "Users can recieve files outside the domain." +} +else := "Users can recieve files outside the domain" NonCompliantOUs1_2 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_2(LastEvent.NewValue)]) + "Value": concat("", [GetFriendlyValue1_2(LastEvent.NewValue)]) } if { some OU in utils.OUsWithEvents @@ -99,7 +99,7 @@ NonCompliantOUs1_2 contains { NonCompliantGroups1_2 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue1_2(LastEvent.NewValue)]) + "Value": concat("", [GetFriendlyValue1_2(LastEvent.NewValue)]) } if { some Group in utils.GroupsWithEvents @@ -107,7 +107,7 @@ NonCompliantGroups1_2 contains { count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", LastEvent.NewValue) == false - } + } tests contains { "PolicyId": "GWS.DRIVEDOCS.1.2v0.1", 
@@ -146,33 +146,33 @@ if { GetFriendlyValue1_3(Value, AcceptableValues) := "External Sharing Warning is Enabled" if { Value in AcceptableValues == true -} +} else := "External Sharing Warning is Disabled" NonCompliantOUs1_3 contains { - "Name": OU, - "Value": concat("", [GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)]) + "Name": OU, + "Value": concat("", [GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)]) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) AcceptableValues := {"SHARING_ALLOWED_WITH_WARNING", "SHARING_NOT_ALLOWED", - "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} + "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} not LastEvent.NewValue in AcceptableValues } NonCompliantGroups1_3 contains { - "Name": Group, - "Value": concat("", [GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)]) + "Name": Group, + "Value": concat("", [GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)]) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) AcceptableValues := {"SHARING_ALLOWED_WITH_WARNING", "SHARING_NOT_ALLOWED", - "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} + "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} not LastEvent.NewValue in AcceptableValues } 
@@ -229,10 +229,10 @@ GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) := Value_B in AcceptableValues_B } else := "External Sharing is Enabled, but Sharing invites to non-google accounts is disabled" if { Value_A in AcceptableValues_A -} else := "External Sharing is Enabled, and invites can be shared to non-google accounts." +} else := "External Sharing is Enabled, and invites can be shared to non-google accounts" NonCompliantOUs1_4 contains { - "Name": OU, + "Name": OU, "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) } if { some OU in utils.OUsWithEvents @@ -251,7 +251,7 @@ NonCompliantOUs1_4 contains { } NonCompliantGroups1_4 contains { - "Name": Group, + "Name": Group, "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) } if { some Group in utils.GroupsWithEvents @@ -303,7 +303,7 @@ if { #-- NonCompliantOUs1_5 contains { - "Name": OU, + "Name": OU, "Value": "Published web content is visible to anyone with a link. " } if { some OU in utils.OUsWithEvents @@ -314,7 +314,7 @@ NonCompliantOUs1_5 contains { } NonCompliantGroups1_5 contains { - "Name": Group, + "Name": Group, "Value": "Published web content is visible to anyone with a link. " } if { some Group in utils.GroupsWithEvents @@ -358,7 +358,7 @@ if { # # Baseline GWS.DRIVEDOCS.1.6v0.1 #-- -GetFriendlyValue1_6(Value):= "Access Checking is disabled outside of docs and drive." +GetFriendlyValue1_6(Value):= "Access Checking is disabled outside of docs and drive" if { contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", Value) == false } else := "Access Checking is enabled outside of docs and drive." 
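Review bot: The `else` branch of `GetFriendlyValue1_6`, "Access Checking is enabled outside of docs and drive.", keeps its trailing period while the first message loses it in this hunk, so one helper now punctuates its two outputs differently; the 1.7 "Setting is compliant.", 1.8 "private to the owner." and 1.5 "…with a link. " strings that appear as context in this patch keep theirs too. Since the report concatenates these values after the OU or group name, settle on one convention (the 1.2 and 1.4 hunks in this patch drop the period) and apply it here: `} else := "Access Checking is enabled outside of docs and drive"`.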
@@ -428,7 +428,7 @@ GetFriendlyValue1_7(Value):= "Setting is compliant." if { NonCompliantOUs1_7 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_7(LastEvent.NewValue)]) + "Value": concat("", [GetFriendlyValue1_7(LastEvent.NewValue)]) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", OU) @@ -440,7 +440,7 @@ NonCompliantOUs1_7 contains { NonCompliantGroups1_7 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue1_7(LastEvent.NewValue)]) + "Value": concat("", [GetFriendlyValue1_7(LastEvent.NewValue)]) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", Group) @@ -494,7 +494,7 @@ GetFriendlyValue1_8(Value):= "private to the owner." if { NonCompliantOUs1_8 contains { - "Name": OU, + "Name": OU, "Value": concat("", ["When users create items, the default access is set to: ", GetFriendlyValue1_8(LastEvent.NewValue)]) } if { some OU in utils.OUsWithEvents @@ -507,7 +507,7 @@ NonCompliantOUs1_8 contains { NonCompliantGroups1_8 contains { - "Name": Group, + "Name": Group, "Value": concat("", ["When users create items, the default access is set to: ", GetFriendlyValue1_8(LastEvent.NewValue)]) } if { some Group in utils.GroupsWithEvents @@ -556,7 +556,7 @@ if { # Baseline GWS.DRIVEDOCS.2.1v0.1 #-- NonCompliantOUs2_1 contains { - "Name": OU, + "Name": OU, "Value": "Members with manager access can override shared drive settings." } if { some OU in utils.OUsWithEvents @@ -614,7 +614,7 @@ if { #-- NonCompliantOUs2_2 contains { "Name": OU, - "Value": "" + "Value": "Users outside the organization can access files in shared drives" } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", OU) 
@@ -626,7 +626,7 @@ NonCompliantOUs2_2 contains { NonCompliantGroups2_2 contains { "Name": Group, - "Value": "" + "Value": "Users outside the organization can access files in shared drives" } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", Group) @@ -673,7 +673,7 @@ if { #-- NonCompliantOUs2_3 contains { "Name": OU, - "Value": "" + "Value": "People who aren't shared drive members cannot be added to files" } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", OU) @@ -684,7 +684,7 @@ NonCompliantOUs2_3 contains { } NonCompliantGroups2_3 contains { "Name": Group, - "Value": "" + "Value": "People who aren't shared drive members cannot be added to files" } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", Group) @@ -732,7 +732,7 @@ if { #-- NonCompliantOUs2_4 contains { "Name": OU, - "Value": "" + "Value": "Viewers and commenters are not allowed to download, print, and copy files" } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", OU) @@ -744,7 +744,7 @@ NonCompliantOUs2_4 contains { NonCompliantGroups2_4 contains { "Name": Group, - "Value": "" + "Value": "Viewers and commenters are not allowed to download, print, and copy files" } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", Group) 
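Review bot: The new `"Value"` texts for 2.3 and 2.4 describe the restricted state — "People who aren't shared drive members cannot be added to files" and "Viewers and commenters are not allowed to download, print, and copy files" — yet they are attached to `NonCompliantOUs2_3`/`NonCompliantGroups2_3` and `NonCompliantOUs2_4`/`NonCompliantGroups2_4`, whose entries are reported as failures; this applies to all four of those hunks, while the 2.2 text in the previous hunk, "Users outside the organization can access files in shared drives", does name the failing condition. The conditions on `new_team_drive_restricts_direct_access` and `new_team_drive_restricts_download` are outside the hunks, so if those rules fire when the restriction is off, as the 2.2 wording implies for its setting, the messages should read `"Value": "People who aren't shared drive members can be added to files"` and `"Value": "Viewers and commenters are allowed to download, print, and copy files"`. Please confirm against the rule bodies before changing them.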
@@ -779,7 +779,7 @@ tests contains { if { Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) count(Events) > 0 - Conditions := {count(NonCompliantOUs2_4) == 0, count(NonCompliantGroups2_4) == 0 } + Conditions := {count(NonCompliantOUs2_4) == 0, count(NonCompliantGroups2_4) == 0 } Status := (false in Conditions) == false } #-- @@ -815,7 +815,7 @@ else := "Allow users to remove/apply the security update for files they own or m Value_A == "true" } NonCompliantOUs3_1 contains { - "Name": OU, + "Name": OU, "Value": concat("", [ GetFriendlyValue3_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) } if { some OU in utils.OUsWithEvents @@ -871,7 +871,7 @@ NonCompliantOUs4_1 contains { "Name": OU, "Value": "Drive SDK is Enabled" } - if { +if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "ENABLE_DRIVE_APPS", OU) count(Events) > 0 @@ -931,7 +931,7 @@ if { # Baseline GWS.DRIVEDOCS.5.1v0.1 #-- NonCompliantOUs5_1 contains { - "Name": OU, + "Name": OU, "Value": "Users can install Google Docs add-ons from add-ons store." } if { some OU in utils.OUsWithEvents @@ -943,7 +943,7 @@ NonCompliantOUs5_1 contains { } NonCompliantGroups5_1 contains { - "Name": Group, + "Name": Group, "Value": "Users can install Google Docs add-ons from add-ons store." } if { some Group in utils.GroupsWithEvents @@ -1015,7 +1015,7 @@ NoSuchEvent6_1(TopLevelOU) := false if { } NonCompliantOUs6_1 contains { - "Name": OU, + "Name": OU, "Value": concat("", [GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) } if { some OU in utils.OUsWithEvents @@ -1036,7 +1036,7 @@ NonCompliantOUs6_1 contains { } NonCompliantGroups6_1 contains { - "Name": Group, + "Name": Group, "Value": concat("", [GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) } if { some Group in utils.GroupsWithEvents 
@@ -1049,7 +1049,6 @@ NonCompliantGroups6_1 contains { count(Events_B) > 0 LastEvent_B := utils.GetLastEvent(Events_B) LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING" - LastEvent_A.NewValue == "true" LastEvent_B.NewValue != "true" From 4954ff7ac3eb37f3c015f1f7cd9056482ca814eb Mon Sep 17 00:00:00 2001 From: Lauren Bassett Date: Thu, 30 May 2024 09:50:46 -0400 Subject: [PATCH 05/33] Drive_01 Testing Complete. --- Testing/RegoTests/drive/drive01_test.rego | 220 ++++++++++++++++------ rego/Drive.rego | 4 +- 2 files changed, 169 insertions(+), 55 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index b5780aec..03a15788 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -29,7 +29,7 @@ test_Sharing_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Sharing_Correct_V2 if { @@ -67,7 +67,7 @@ test_Sharing_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Sharing_Correct_V3 if { @@ -105,7 +105,7 @@ test_Sharing_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Sharing_Incorrect_V1 if { @@ -165,7 +165,8 @@ test_Sharing_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
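Review bot: After this hunk `NonCompliantGroups6_1` and `NonCompliantOUs6_1` apply different conditions: the group rule drops `LastEvent_A.NewValue == "true"` and keeps only `LastEvent_B.NewValue != "true"`, while the OU rule, which this patch touches only for whitespace, still requires both, so a group with Drive for Desktop disabled is reported while an OU in the same state is not. Whichever condition is right, the two rules should agree, and note that the `Value_A == "false"` branch of `GetFriendlyValue6_1` becomes reachable for groups only. The enclosing `NonCompliantGroups6_1` rule starts outside the hunk.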
  • Test Top-Level OU: Sharing Outside Domain is not properly configured.
"]) } test_Sharing_Incorrect_V3 if { @@ -203,7 +204,9 @@ test_Sharing_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + print(RuleOutput[0].ReportDetails) + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Sharing Outside Domain is not properly configured.
"]) } test_Sharing_Incorrect_V4 if { @@ -241,7 +244,8 @@ test_Sharing_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
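Review bot: `print(RuleOutput[0].ReportDetails)` in `test_Sharing_Incorrect_V3` looks like leftover debugging output; it adds noise to every test run without asserting anything and should be removed, as should the identical line added to `test_Link_Incorrect_V2` in the `@@ -1356,9 +1370,10 @@` hunk. The enclosing test rules start outside the hunks.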
  • Test Secondary OU: Sharing Outside Domain is not properly configured.
"]) } test_Sharing_Incorrect_V5 if { @@ -305,7 +309,7 @@ test_Receiving_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Receiving_Correct_V2 if { @@ -343,7 +347,7 @@ test_Receiving_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Receiving_Correct_V3 if { @@ -381,7 +385,7 @@ test_Receiving_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Receiving_Incorrect_V1 if { @@ -441,7 +445,8 @@ test_Receiving_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Users can recieve files outside the domain
"]) } test_Receiving_Incorrect_V3 if { @@ -479,7 +484,9 @@ test_Receiving_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Users can recieve files outside the domain
"]) + } test_Receiving_Incorrect_V4 if { @@ -517,7 +524,8 @@ test_Receiving_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Users can recieve files outside the domain
"]) } test_Receiving_Incorrect_V5 if { @@ -580,7 +588,7 @@ test_Warnings_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Warnings_Correct_V2 if { @@ -618,10 +626,10 @@ test_Warnings_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } -test_Warningsr_Correct_V3 if { +test_Warnings_Correct_V3 if { # Test sharing setting when there's multiple OUs PolicyId := "GWS.DRIVEDOCS.1.3v0.1" Output := tests with input as { @@ -656,7 +664,7 @@ test_Warningsr_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Warnings_Incorrect_V1 if { @@ -716,7 +724,8 @@ test_Warnings_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: External Sharing Warning is Disabled
"]) } test_Warningsr_Incorrect_V3 if { @@ -754,7 +763,8 @@ test_Warningsr_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: External Sharing Warning is Disabled
"]) } test_Warnings_Incorrect_V4 if { @@ -792,7 +802,8 @@ test_Warnings_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: External Sharing Warning is Disabled
"]) } test_Warnings_Incorrect_V5 if { @@ -865,7 +876,7 @@ test_NonGoogle_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_NonGoogle_Correct_V2 if { @@ -913,7 +924,7 @@ test_NonGoogle_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_NonGoogle_Correct_V3 if { @@ -971,7 +982,7 @@ test_NonGoogle_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_NonGoogle_Incorrect_V1 if { @@ -1041,7 +1052,8 @@ test_NonGoogle_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: External Sharing is Enabled, and invites can be shared to non-google accounts
"]) } test_NonGoogle_Incorrect_V3 if { @@ -1099,7 +1111,8 @@ test_NonGoogle_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: External Sharing is Enabled, and invites can be shared to non-google accounts
"]) } test_NonGoogle_Incorrect_V4 if { @@ -1157,7 +1170,8 @@ test_NonGoogle_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: External Sharing is Enabled, and invites can be shared to non-google accounts
"]) } test_NonGoogle_Incorrect_V5 if { @@ -1220,7 +1234,7 @@ test_Link_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Link_Correct_V2 if { @@ -1258,7 +1272,7 @@ test_Link_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Link_Correct_V3 if { @@ -1296,7 +1310,7 @@ test_Link_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Link_Incorrect_V1 if { @@ -1356,9 +1370,10 @@ test_Link_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + print(RuleOutput[0].ReportDetails) + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Published web content is visible to anyone with a link.
"]) } - test_Link_Incorrect_V3 if { # Test sharing setting when there are multiple events and the most recent is wrong PolicyId := "GWS.DRIVEDOCS.1.5v0.1" @@ -1394,7 +1409,8 @@ test_Link_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Published web content is visible to anyone with a link.
"]) } test_Link_Incorrect_V4 if { @@ -1432,7 +1448,8 @@ test_Link_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Published web content is visible to anyone with a link.
"]) } test_Link_Incorrect_V5 if { @@ -1496,7 +1513,7 @@ test_SharingChecker_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_SharingChecker_Correct_V2 if { @@ -1534,7 +1551,7 @@ test_SharingChecker_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_SharingChecker_Correct_V3 if { @@ -1572,7 +1589,7 @@ test_SharingChecker_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_SharingChecker_Incorrect_V1 if { @@ -1632,7 +1649,8 @@ test_SharingChecker_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", + "
  • Test Top-Level OU: Access Checking is disabled outside of docs and drive
"]) } test_SharingChecker_Incorrect_V3 if { @@ -1670,7 +1688,8 @@ test_SharingChecker_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", + "
  • Test Top-Level OU: Access Checking is disabled outside of docs and drive
"]) } test_SharingChecker_Incorrect_V4 if { @@ -1708,7 +1727,8 @@ test_SharingChecker_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", + "
  • Test Secondary OU: Access Checking is disabled outside of docs and drive
"]) } test_SharingChecker_Incorrect_V5 if { @@ -1771,7 +1791,7 @@ test_CrossDomain_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_CrossDomain_Correct_V2 if { @@ -1809,7 +1829,7 @@ test_CrossDomain_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_CrossDomain_Correct_V3 if { @@ -1847,7 +1867,7 @@ test_CrossDomain_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_CrossDomain_Incorrect_V1 if { @@ -1883,7 +1903,7 @@ test_CrossDomain_Incorrect_V1 if { } test_CrossDomain_Incorrect_V2 if { - # Test sharing setting when there's only one event and it's wrong + # Test sharing setting when there's only one event and it's wrong, set to anyone can distribute content PolicyId := "GWS.DRIVEDOCS.1.7v0.1" Output := tests with input as { "drive_logs": {"items": [ @@ -1907,11 +1927,13 @@ test_CrossDomain_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + print(RuleOutput[0].ReportDetails) + RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", + "
  • Test Top-Level OU: Anyone can distribute content in the organization to outside the organization
"]) } test_CrossDomain_Incorrect_V3 if { - # Test sharing setting when there are multiple events and the most recent is wrong + # Test sharing setting when there are multiple events and the most recent is wrong, set to anyone can distribute content. PolicyId := "GWS.DRIVEDOCS.1.7v0.1" Output := tests with input as { "drive_logs": {"items": [ @@ -1945,11 +1967,12 @@ test_CrossDomain_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", + "
  • Test Top-Level OU: Anyone can distribute content in the organization to outside the organization
"]) } test_CrossDomain_Incorrect_V4 if { - # Test sharing setting when Top OU is correct but not secondary OU + # Test sharing setting when Top OU is correct but not secondary OU, which is set to Anyone in the Organization PolicyId := "GWS.DRIVEDOCS.1.7v0.1" Output := tests with input as { "drive_logs": {"items": [ @@ -1983,9 +2006,11 @@ test_CrossDomain_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Anyone can distribute content in the organization to outside the organization
"]) } + test_CrossDomain_Incorrect_V5 if { # Test sharing setting when Top OU is not present PolicyId := "GWS.DRIVEDOCS.1.7v0.1" @@ -2017,6 +2042,45 @@ test_CrossDomain_Incorrect_V5 if { "is non-compliant; manual check recommended." ]) } + +test_CrossDomain_Incorrect_V6 if { + # Test sharing setting when there are multiple events and the most recent event is wrong, set to only users in the organization + PolicyId := "GWS.DRIVEDOCS.1.7v0.1" + Output := tests with input as { + "drive_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS"}, + {"name": "NEW_VALUE", "value": "CROSS_DOMAIN_FROM_INTERNAL_ONLY"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2021-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS"}, + {"name": "NEW_VALUE", "value": "CROSS_DOMAIN_MOVES_BLOCKED"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "" + }, + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Only users inside the organization can distribute content outside of the organization
"]) +} #-- # @@ -2047,7 +2111,7 @@ test_Default_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Default_Correct_V2 if { @@ -2085,7 +2149,7 @@ test_Default_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Default_Correct_V3 if { @@ -2123,7 +2187,7 @@ test_Default_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Default_Incorrect_V1 if { @@ -2183,7 +2247,11 @@ test_Default_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + print(RuleOutput[0].ReportDetails) + RuleOutput[0].ReportDetails == concat("", [ + "The following OUs are non-compliant:","
  • Test Top-Level OU: When users create items, the default access is set to: The primary target audience can search and find the item.
" + + ]) } test_Default_Incorrect_V3 if { @@ -2221,7 +2289,9 @@ test_Default_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", [ + "The following OUs are non-compliant:","
  • Test Top-Level OU: When users create items, the default access is set to: The primary target audience can search and find the item.
" + ]) } test_Default_Incorrect_V4 if { @@ -2259,7 +2329,10 @@ test_Default_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", [ + "The following OUs are non-compliant:","
  • Test Secondary OU: When users create items, the default access is set to: The primary target audience can search and find the item.
" + + ]) } test_Default_Incorrect_V5 if { @@ -2292,4 +2365,45 @@ test_Default_Incorrect_V5 if { "While we are unable to determine the state from the logs, the default setting ", "is non-compliant; manual check recommended." ]) +} + +test_Default_Incorrect_V6 if { + # Test sharing setting when Top OU is correct but not secondary OU + PolicyId := "GWS.DRIVEDOCS.1.8v0.1" + Output := tests with input as { + "drive_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "DEFAULT_LINK_SHARING_FOR_NEW_DOCS"}, + {"name": "NEW_VALUE", "value": "PRIVATE"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2021-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name": "SETTING_NAME", "value": "DEFAULT_LINK_SHARING_FOR_NEW_DOCS"}, + {"name": "NEW_VALUE", "value": "PEOPLE_WITH_LINK"}, + {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + }, + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following OUs are non-compliant:","
  • Test Secondary OU: When users create items, the default access is set to: The primary target audience can access the item if they have the link
" + + ]) } \ No newline at end of file diff --git a/rego/Drive.rego b/rego/Drive.rego index bd278cfc..00b3cc7c 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -225,9 +225,9 @@ NoSuchEvent1_4(TopLevelOU) := true if { default NoSuchEvent1_4(_) := false GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) := -"External Sharing is Disabled" if { +"External Sharing is Disabled" if { Value_B in AcceptableValues_B -} else := "External Sharing is Enabled, but Sharing invites to non-google accounts is disabled" if { +} else := "External Sharing is Enabled, but Sharing invites to non-google accounts is disabled" if { Value_A in AcceptableValues_A } else := "External Sharing is Enabled, and invites can be shared to non-google accounts" From 0ad94eb167b56028b3d553f36260cc3ea69480cd Mon Sep 17 00:00:00 2001 From: Lauren Bassett Date: Thu, 30 May 2024 11:55:16 -0400 Subject: [PATCH 06/33] removed print statements --- Testing/RegoTests/drive/drive01_test.rego | 4 ---- 1 file changed, 4 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index 03a15788..6a4969f6 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -204,7 +204,6 @@ test_Sharing_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - print(RuleOutput[0].ReportDetails) RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Top-Level OU: Sharing Outside Domain is not properly configured.
"]) } @@ -1370,7 +1369,6 @@ test_Link_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - print(RuleOutput[0].ReportDetails) RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Top-Level OU: Published web content is visible to anyone with a link.
"]) } @@ -1927,7 +1925,6 @@ test_CrossDomain_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - print(RuleOutput[0].ReportDetails) RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", "
  • Test Top-Level OU: Anyone can distribute content in the organization to outside the organization
"]) } @@ -2247,7 +2244,6 @@ test_Default_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - print(RuleOutput[0].ReportDetails) RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:","
  • Test Top-Level OU: When users create items, the default access is set to: The primary target audience can search and find the item.
" From 2ffbb6909751d6ba42c5419a2139a84bcd4404a1 Mon Sep 17 00:00:00 2001 From: Lauren Bassett Date: Thu, 30 May 2024 12:32:32 -0400 Subject: [PATCH 07/33] Fixed tests for Drive02, and flipped the logic to reflect the baseline for 2.4, the failing condition is that download, print, and copy is turned on. --- Testing/RegoTests/drive/drive02_test.rego | 84 ++++++++++++++--------- rego/Drive.rego | 4 +- 2 files changed, 52 insertions(+), 36 deletions(-) diff --git a/Testing/RegoTests/drive/drive02_test.rego b/Testing/RegoTests/drive/drive02_test.rego index c3d6ed5d..50ac5808 100644 --- a/Testing/RegoTests/drive/drive02_test.rego +++ b/Testing/RegoTests/drive/drive02_test.rego @@ -29,7 +29,7 @@ test_Managers_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Managers_Correct_V2 if { @@ -67,7 +67,7 @@ test_Managers_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Managers_Correct_V3 if { @@ -105,7 +105,7 @@ test_Managers_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Managers_Incorrect_V1 if { @@ -165,7 +165,8 @@ test_Managers_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Members with manager access can override shared drive settings.
"]) } test_Managers_Incorrect_V3 if { @@ -203,7 +204,8 @@ test_Managers_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Members with manager access can override shared drive settings.
"]) } test_Managers_Incorrect_V4 if { @@ -241,7 +243,8 @@ test_Managers_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Members with manager access can override shared drive settings.
"]) } test_Managers_Incorrect_V5 if { @@ -307,7 +310,7 @@ test_Outside_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Outside_Correct_V2 if { @@ -351,7 +354,7 @@ test_Outside_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Outside_Correct_V3 if { @@ -395,7 +398,7 @@ test_Outside_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Outside_Incorrect_V1 if { @@ -458,7 +461,8 @@ test_Outside_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Users outside the organization can access files in shared drives
"]) } test_Outside_Incorrect_V3 if { @@ -502,7 +506,8 @@ test_Outside_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Users outside the organization can access files in shared drives
"]) } test_Outside_Incorrect_V4 if { @@ -546,7 +551,8 @@ test_Outside_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Users outside the organization can access files in shared drives
"]) } test_Outside_Incorrect_V5 if { @@ -615,7 +621,7 @@ test_SharedDrive_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_SharedDrive_Correct_V2 if { @@ -659,7 +665,7 @@ test_SharedDrive_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_SharedDrive_Correct_V3 if { @@ -703,7 +709,7 @@ test_SharedDrive_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_SharedDrive_Incorrect_V1 if { @@ -766,7 +772,8 @@ test_SharedDrive_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: People who aren't shared drive members cannot be added to files
"]) } test_SharedDrive_Incorrect_V3 if { @@ -810,9 +817,11 @@ test_SharedDrive_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: People who aren't shared drive members cannot be added to files
"]) } + test_SharedDrive_Incorrect_V4 if { # Test sharing setting when top OU is correct but secondary isn't PolicyId := "GWS.DRIVEDOCS.2.3v0.1" @@ -854,7 +863,8 @@ test_SharedDrive_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: People who aren't shared drive members cannot be added to files
"]) } test_SharedDrive_Incorrect_V5 if { @@ -905,7 +915,7 @@ test_Viewers_Correct_V1 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "false"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -920,7 +930,7 @@ test_Viewers_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Viewers_Correct_V2 if { @@ -933,7 +943,7 @@ test_Viewers_Correct_V2 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "false"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -943,7 +953,7 @@ test_Viewers_Correct_V2 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "true"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -955,10 +965,12 @@ test_Viewers_Correct_V2 if { } RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + print(RuleOutput) count(RuleOutput) == 1 RuleOutput[0].RequirementMet + print(RuleOutput[0].RequirementMet) not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Viewers_Correct_V3 if { 
@@ -971,7 +983,7 @@ test_Viewers_Correct_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "false"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -981,7 +993,7 @@ test_Viewers_Correct_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "false"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, ] }] @@ -996,7 +1008,7 @@ test_Viewers_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Viewers_Incorrect_V1 if { @@ -1041,7 +1053,7 @@ test_Viewers_Incorrect_V2 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "true"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1056,7 +1068,8 @@ test_Viewers_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Viewers and commenters are allowed to download, print, and copy files
"]) } test_Viewers_Incorrect_V3 if { @@ -1069,7 +1082,7 @@ test_Viewers_Incorrect_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "true"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1079,7 +1092,7 @@ test_Viewers_Incorrect_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "false"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1094,7 +1107,9 @@ test_Viewers_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + print() + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Viewers and commenters are allowed to download, print, and copy files
"]) } test_Viewers_Incorrect_V4 if { @@ -1107,7 +1122,7 @@ test_Viewers_Incorrect_V4 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "false"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1117,7 +1132,7 @@ test_Viewers_Incorrect_V4 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"}, - {"name": "NEW_VALUE", "value": "true"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"}, ] }] @@ -1132,7 +1147,8 @@ test_Viewers_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Viewers and commenters are allowed to download, print, and copy files
"]) } test_Viewers_Incorrect_V5 if { diff --git a/rego/Drive.rego b/rego/Drive.rego index 00b3cc7c..786cdccd 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -732,7 +732,7 @@ if { #-- NonCompliantOUs2_4 contains { "Name": OU, - "Value": "Viewers and commenters are not allowed to download, print, and copy files" + "Value": "Viewers and commenters are allowed to download, print, and copy files" } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", OU) @@ -744,7 +744,7 @@ NonCompliantOUs2_4 contains { NonCompliantGroups2_4 contains { "Name": Group, - "Value": "Viewers and commenters are not allowed to download, print, and copy files" + "Value": "Viewers and commenters are allowed to download, print, and copy files" } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", Group) From 0771ec286e1b76c09e0f1bbcc7cf2398ca795ac1 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 10:24:17 -0700 Subject: [PATCH 08/33] [#259] Tests for policy 6 updated --- Testing/RegoTests/drive/drive06_test.rego | 37 ++++++++++++----------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/Testing/RegoTests/drive/drive06_test.rego b/Testing/RegoTests/drive/drive06_test.rego index 4908120f..956b3753 100644 --- a/Testing/RegoTests/drive/drive06_test.rego +++ b/Testing/RegoTests/drive/drive06_test.rego @@ -59,7 +59,7 @@ test_DriveFs_Setting_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_DriveFs_Setting_Correct_V2 if { 
@@ -107,7 +107,7 @@ test_DriveFs_Setting_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_DriveFs_Setting_Correct_V3 if { @@ -175,7 +175,7 @@ test_DriveFs_Setting_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_DriveFs_Setting_Correct_V4 if { @@ -213,7 +213,7 @@ test_DriveFs_Setting_Correct_V4 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_DriveFs_Setting_InCorrect_V1 if { @@ -226,7 +226,7 @@ test_DriveFs_Setting_InCorrect_V1 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -236,7 +236,7 @@ test_DriveFs_Setting_InCorrect_V1 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "DriveFsSettingsProto drive_fs_enabled"}, - {"name": "NEW_VALUE", "value": "false"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -251,7 +251,8 @@ test_DriveFs_Setting_InCorrect_V1 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Drive for Desktop is Enabled, but can be used on any device.
"]) } test_DriveFs_Setting_InCorrect_V2 if { @@ -264,7 +265,7 @@ test_DriveFs_Setting_InCorrect_V2 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -274,7 +275,7 @@ test_DriveFs_Setting_InCorrect_V2 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "DriveFsSettingsProto drive_fs_enabled"}, - {"name": "NEW_VALUE", "value": "false"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -284,7 +285,7 @@ test_DriveFs_Setting_InCorrect_V2 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Secondary-Level OU"}, ] }] @@ -309,7 +310,8 @@ test_DriveFs_Setting_InCorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Drive for Desktop is Enabled, but can be used on any device.
"]) } test_DriveFs_Setting_InCorrect_V3 if { @@ -322,7 +324,7 @@ test_DriveFs_Setting_InCorrect_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -332,13 +334,13 @@ test_DriveFs_Setting_InCorrect_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "DriveFsSettingsProto drive_fs_enabled"}, - {"name": "NEW_VALUE", "value": "false"}, + {"name": "NEW_VALUE", "value": "true"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] }, { - "id": {"time": "2022-22-20T00:02:24.672Z"}, + "id": {"time": "2022-05-20T00:02:24.672Z"}, "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"}, @@ -348,11 +350,11 @@ test_DriveFs_Setting_InCorrect_V3 if { }] }, { - "id": {"time": "2022-21-20T00:02:25.672Z"}, + "id": {"time": "2022-05-20T00:02:25.672Z"}, "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "DriveFsSettingsProto drive_fs_enabled"}, - {"name": "NEW_VALUE", "value": "true"}, + {"name": "NEW_VALUE", "value": "false"}, {"name": "ORG_UNIT_NAME", "value": "Secondary-Level OU"}, ] }] @@ -387,5 +389,6 @@ test_DriveFs_Setting_InCorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Drive for Desktop is Enabled, but can be used on any device.
"]) } \ No newline at end of file From 643548149d9eae35a52635fb6ef982844e655ab8 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 10:28:38 -0700 Subject: [PATCH 09/33] [#259] Tests for policy 5 updated --- Testing/RegoTests/drive/drive05_test.rego | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/Testing/RegoTests/drive/drive05_test.rego b/Testing/RegoTests/drive/drive05_test.rego index 510495b7..2231f110 100644 --- a/Testing/RegoTests/drive/drive05_test.rego +++ b/Testing/RegoTests/drive/drive05_test.rego @@ -29,7 +29,7 @@ test_Sharing_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Sharing_Correct_V2 if { @@ -67,7 +67,7 @@ test_Sharing_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Sharing_Correct_V3 if { @@ -105,7 +105,7 @@ test_Sharing_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Sharing_Incorrect_V1 if { @@ -165,7 +165,8 @@ test_Sharing_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Users can install Google Docs add-ons from add-ons store.
"]) } test_Sharing_Incorrect_V3 if { @@ -203,7 +204,8 @@ test_Sharing_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Users can install Google Docs add-ons from add-ons store.
"]) } test_Sharing_Incorrect_V4 if { @@ -241,7 +243,8 @@ test_Sharing_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Users can install Google Docs add-ons from add-ons store.
"]) } test_Sharing_Incorrect_V5 if { From 55882e866c1be26f4510c8a964f4eaa9da2fb1e1 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 10:33:01 -0700 Subject: [PATCH 10/33] [#259] Tests updated for policy 4 --- Testing/RegoTests/drive/drive04_test.rego | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/Testing/RegoTests/drive/drive04_test.rego b/Testing/RegoTests/drive/drive04_test.rego index f5092fb5..eaa2439d 100644 --- a/Testing/RegoTests/drive/drive04_test.rego +++ b/Testing/RegoTests/drive/drive04_test.rego @@ -29,7 +29,7 @@ test_Security_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Security_Correct_V2 if { @@ -67,7 +67,7 @@ test_Security_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Security_Correct_V3 if { @@ -105,7 +105,7 @@ test_Security_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Security_Incorrect_V1 if { @@ -165,7 +165,8 @@ test_Security_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Drive SDK is Enabled
"]) } test_Security_Incorrect_V3 if { @@ -203,7 +204,8 @@ test_Security_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Drive SDK is Enabled
"]) } test_Security_Incorrect_V4 if { @@ -241,7 +243,8 @@ test_Security_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Drive SDK is Enabled
"]) } test_Security_Incorrect_V5 if { From 138812a32f370faf10a0000bc9d56aafbd1a3a47 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 10:38:31 -0700 Subject: [PATCH 11/33] [#259] Updated tests for policy 3. All unit tests are updated --- Testing/RegoTests/drive/drive03_test.rego | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/Testing/RegoTests/drive/drive03_test.rego b/Testing/RegoTests/drive/drive03_test.rego index f1e14017..2bb2de64 100644 --- a/Testing/RegoTests/drive/drive03_test.rego +++ b/Testing/RegoTests/drive/drive03_test.rego @@ -42,7 +42,7 @@ test_Sharing_Correct_V1 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Sharing_Correct_V2 if { @@ -96,7 +96,7 @@ test_Sharing_Correct_V2 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Sharing_Correct_V3 if { @@ -160,7 +160,7 @@ test_Sharing_Correct_V3 if { count(RuleOutput) == 1 RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } test_Sharing_Incorrect_V1 if { @@ -234,7 +234,8 @@ test_Sharing_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Allow users to remove/apply the security update for files they own or manage
"]) } test_Sharing_Incorrect_V3 if { @@ -288,7 +289,8 @@ test_Sharing_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: Allow users to remove/apply the security update for files they own or manage
"]) } test_Sharing_Incorrect_V4 if { @@ -352,7 +354,8 @@ test_Sharing_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Allow users to remove/apply the security update for files they own or manage
"]) } test_Sharing_Incorrect_V5 if { From cf4602c0db91af196f1d8c6e2d01294ae8d4eb62 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 13:44:52 -0700 Subject: [PATCH 12/33] [#259] Fix linter issues --- Testing/RegoTests/drive/drive01_test.rego | 40 ++++++++++++++++------- 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index 6a4969f6..acfaeefc 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -1052,7 +1052,8 @@ test_NonGoogle_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: External Sharing is Enabled, and invites can be shared to non-google accounts
"]) + "
  • Test Top-Level OU: External Sharing is Enabled, ", + "and invites can be shared to non-google accounts
"]) } test_NonGoogle_Incorrect_V3 if { @@ -1111,7 +1112,8 @@ test_NonGoogle_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: External Sharing is Enabled, and invites can be shared to non-google accounts
"]) + "
  • Test Top-Level OU: External Sharing is Enabled, ", + "and invites can be shared to non-google accounts
"]) } test_NonGoogle_Incorrect_V4 if { @@ -1170,7 +1172,8 @@ test_NonGoogle_Incorrect_V4 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Secondary OU: External Sharing is Enabled, and invites can be shared to non-google accounts
"]) + "
  • Test Secondary OU: ", + "External Sharing is Enabled, and invites can be shared to non-google accounts
"]) } test_NonGoogle_Incorrect_V5 if { @@ -1407,7 +1410,7 @@ test_Link_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Top-Level OU: Published web content is visible to anyone with a link.
"]) } @@ -1926,7 +1929,8 @@ test_CrossDomain_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", - "
  • Test Top-Level OU: Anyone can distribute content in the organization to outside the organization
"]) + "
  • Test Top-Level OU: ", + "Anyone can distribute content in the organization to outside the organization
"]) } test_CrossDomain_Incorrect_V3 if { @@ -1965,7 +1969,8 @@ test_CrossDomain_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", - "
  • Test Top-Level OU: Anyone can distribute content in the organization to outside the organization
"]) + "
  • Test Top-Level OU: ", + "Anyone can distribute content in the organization to outside the organization
"]) } test_CrossDomain_Incorrect_V4 if { @@ -2004,7 +2009,8 @@ test_CrossDomain_Incorrect_V4 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Secondary OU: Anyone can distribute content in the organization to outside the organization
"]) + "
  • Test Secondary OU: ", + "Anyone can distribute content in the organization to outside the organization
"]) } @@ -2076,7 +2082,8 @@ test_CrossDomain_Incorrect_V6 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Only users inside the organization can distribute content outside of the organization
"]) + "
  • Test Top-Level OU: ", + "Only users inside the organization can distribute content outside of the organization
"]) } #-- @@ -2245,7 +2252,9 @@ test_Default_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:","
  • Test Top-Level OU: When users create items, the default access is set to: The primary target audience can search and find the item.
" + "The following OUs are non-compliant:", + "
  • Test Top-Level OU: When users create items, the default access is set to: ", + "The primary target audience can search and find the item.
" ]) } @@ -2286,7 +2295,9 @@ test_Default_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:","
  • Test Top-Level OU: When users create items, the default access is set to: The primary target audience can search and find the item.
" + "The following OUs are non-compliant:", + "
  • Test Top-Level OU: When users create items, the default access is set to: ", + "The primary target audience can search and find the item.
" ]) } @@ -2326,7 +2337,9 @@ test_Default_Incorrect_V4 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:","
  • Test Secondary OU: When users create items, the default access is set to: The primary target audience can search and find the item.
" + "The following OUs are non-compliant:", + "
  • Test Secondary OU: When users create items, the default access is set to: ", + "The primary target audience can search and find the item.
" ]) } @@ -2399,7 +2412,10 @@ test_Default_Incorrect_V6 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", [ - "The following OUs are non-compliant:","
  • Test Secondary OU: When users create items, the default access is set to: The primary target audience can access the item if they have the link
" + "The following OUs are non-compliant:", + "
  • Test Secondary OU: When users create items,", + " the default access is set to: "," + The primary target audience can access the item if they have the link
" ]) } \ No newline at end of file From 5cc9d112eaa8d4a15d75e8839e0c1646fbb62fb3 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 13:58:24 -0700 Subject: [PATCH 13/33] [#259] More linter clean up --- rego/Drive.rego | 104 +++++++++++++++++++++++++++++++----------------- 1 file changed, 68 insertions(+), 36 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index 786cdccd..f4beca6c 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -127,7 +127,8 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.1.2v0.1", "Criticality": "Should", "ReportDetails": utils.ReportDetails(NonCompliantOUs1_2, NonCompliantGroups1_2), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2, "NonCompliantGroups": NonCompliantGroups1_2}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2, + "NonCompliantGroups": NonCompliantGroups1_2}, "RequirementMet": Status, "NoSuchEvent": false } @@ -194,7 +195,8 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.1.3v0.1", "Criticality": "Shall", "ReportDetails": utils.ReportDetails(NonCompliantOUs1_3, NonCompliantGroups1_3), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3, "NonCompliantGroups": NonCompliantGroups1_3}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3, + "NonCompliantGroups": NonCompliantGroups1_3}, "RequirementMet": Status, "NoSuchEvent": false } 
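Review bot: In test_Default_Incorrect_V6 the last added element opens a string literal at `","` and only closes it on the following source line (`The primary target audience … link`), so the expectation either fails to parse as a non-terminated string or, if the toolchain accepts a raw line break, now contains a line break and a leading space that the original single-line expectation did not have. Every other split in this commit keeps the text identical; this one should too: `" the default access is set to: ",` followed by `"The primary target audience can access the item if they have the link\n"`, keeping the trailing newline escape the sibling expectations appear to end with. The else-branch of GetFriendlyValue1_4 in the next commit of this series is split the same way.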
@@ -225,15 +227,17 @@ NoSuchEvent1_4(TopLevelOU) := true if { default NoSuchEvent1_4(_) := false GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) := -"External Sharing is Disabled" if { +"External Sharing is Disabled" if { Value_B in AcceptableValues_B -} else := "External Sharing is Enabled, but Sharing invites to non-google accounts is disabled" if { +} else := "External Sharing is Enabled, + but Sharing invites to non-google accounts is disabled" if { Value_A in AcceptableValues_A } else := "External Sharing is Enabled, and invites can be shared to non-google accounts" NonCompliantOUs1_4 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) + "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, + LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) } if { some OU in utils.OUsWithEvents Events_A := utils.FilterEventsOU(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", OU) @@ -252,7 +256,8 @@ NonCompliantOUs1_4 contains { NonCompliantGroups1_4 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) + "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue, + AcceptableValues_A, AcceptableValues_B)]) } if { some Group in utils.GroupsWithEvents Events_A := utils.FilterEventsGroup(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", Group) @@ -286,7 +291,8 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.1.4v0.1", "Criticality": "Shall", "ReportDetails": utils.ReportDetails(NonCompliantOUs1_4, NonCompliantGroups1_4), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_4, "NonCompliantGroups": NonCompliantGroups1_4}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_4, + "NonCompliantGroups": NonCompliantGroups1_4}, "RequirementMet": Status, "NoSuchEvent": false } 
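Review bot: The else-branch of GetFriendlyValue1_4 now opens its literal on one source line (`"External Sharing is Enabled,`) and closes it on the next, so the rule either fails to parse or the friendly value gains a line break and leading space mid-sentence, and anything comparing against the full message (the 1.4 test expectations) stops matching. A message that is too long for the linter should be built from separate literals, e.g. `} else := concat("", ["External Sharing is Enabled, ", "but Sharing invites to non-google accounts is disabled"]) if {`. The follow-up commit in this series switches to concat but still leaves the second literal broken across two lines.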
@@ -343,7 +349,8 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.1.5v0.1", "Criticality": "Shall", "ReportDetails": utils.ReportDetails(NonCompliantOUs1_5, NonCompliantGroups1_5), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_5, "NonCompliantGroups": NonCompliantGroups1_5}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_5, + "NonCompliantGroups": NonCompliantGroups1_5}, "RequirementMet": Status, "NoSuchEvent": false } @@ -371,7 +378,8 @@ NonCompliantOUs1_6 contains { Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) - contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", LastEvent.NewValue) == false + contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", + LastEvent.NewValue) == false } NonCompliantGroups1_6 contains { @@ -382,7 +390,8 @@ NonCompliantGroups1_6 contains { Events := utils.FilterEventsGroup(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) - contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", LastEvent.NewValue) == false + contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", + LastEvent.NewValue) == false } tests contains { @@ -403,7 +412,8 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.1.6v0.1", "Criticality": "Shall", "ReportDetails": utils.ReportDetails(NonCompliantOUs1_6, NonCompliantGroups1_6), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_6, "NonCompliantGroups": NonCompliantGroups1_6}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_6, + "NonCompliantGroups": NonCompliantGroups1_6}, "RequirementMet": Status, "NoSuchEvent": false } 
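Review bot: The compliance condition in NonCompliantOUs1_6, `contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", LastEvent.NewValue) == false`, is a substring test: Rego's `contains(string, search)` is true whenever `search` occurs inside `string`, so an empty NewValue or a fragment such as `PARTIES` is treated as acceptable and the OU is silently reported compliant. Exact membership states the intent and mirrors the `(false in Conditions) == false` idiom already used in this file: `(LastEvent.NewValue in {"NAMED_PARTIES_ONLY", "DOMAIN_OR_NAMED_PARTIES", "INHERIT_FROM_PARENT"}) == false`. The same substring comparison appears in NonCompliantGroups1_6 in the next hunk and, as `contains("true", LastEvent.NewValue) == false` / `contains("false", LastEvent.NewValue) == true`, in the 2.2, 2.3 and 2.4 rules rewrapped later in this commit, where `LastEvent.NewValue != "true"` / `LastEvent.NewValue == "false"` would be exact. These lines are only rewrapped here, so the issue predates the commit.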
@@ -495,7 +505,8 @@ GetFriendlyValue1_8(Value):= "private to the owner." if { NonCompliantOUs1_8 contains { "Name": OU, - "Value": concat("", ["When users create items, the default access is set to: ", GetFriendlyValue1_8(LastEvent.NewValue)]) + "Value": concat("", ["When users create items, the default access is set to: ", + GetFriendlyValue1_8(LastEvent.NewValue)]) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", OU) @@ -508,7 +519,8 @@ NonCompliantOUs1_8 contains { NonCompliantGroups1_8 contains { "Name": Group, - "Value": concat("", ["When users create items, the default access is set to: ", GetFriendlyValue1_8(LastEvent.NewValue)]) + "Value": concat("", ["When users create items, the default access is set to: ", + GetFriendlyValue1_8(LastEvent.NewValue)]) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", Group) @@ -528,7 +540,7 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEventsOU(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS",utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", utils.TopLevelOU) count(Events) == 0 } @@ -617,7 +629,8 @@ NonCompliantOUs2_2 contains { "Value": "Users outside the organization can access files in shared drives" } if { some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", OU) + Events := utils.FilterEventsOU(LogEvents, + "Shared Drive Creation new_team_drive_restricts_cross_domain_access", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false 
@@ -629,7 +642,8 @@ NonCompliantGroups2_2 contains { "Value": "Users outside the organization can access files in shared drives" } if { some Group in utils.GroupsWithEvents - Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", Group) + Events := utils.FilterEventsGroup(LogEvents, + "Shared Drive Creation new_team_drive_restricts_cross_domain_access", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false @@ -676,7 +690,8 @@ NonCompliantOUs2_3 contains { "Value": "People who aren't shared drive members cannot be added to files" } if { some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", OU) + Events := utils.FilterEventsOU(LogEvents, + "Shared Drive Creation new_team_drive_restricts_direct_access", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false @@ -687,7 +702,8 @@ NonCompliantGroups2_3 contains { "Value": "People who aren't shared drive members cannot be added to files" } if { some Group in utils.GroupsWithEvents - Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", Group) + Events := utils.FilterEventsGroup(LogEvents, + "Shared Drive Creation new_team_drive_restricts_direct_access", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false @@ -714,7 +730,8 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.2.3v0.1", "Criticality": "Shall", "ReportDetails": utils.ReportDetails(NonCompliantOUs2_3, NonCompliantGroups2_3), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_3, "NonCompliantGroups": NonCompliantGroups2_3}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_3, + "NonCompliantGroups": NonCompliantGroups2_3}, "RequirementMet": Status, "NoSuchEvent": false } 
@@ -731,11 +748,12 @@ if { # Baseline GWS.DRIVEDOCS.2.4v0.1 #-- NonCompliantOUs2_4 contains { - "Name": OU, + "Name": OU, "Value": "Viewers and commenters are allowed to download, print, and copy files" } if { some OU in utils.OUsWithEvents - Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", OU) + Events := utils.FilterEventsOU(LogEvents, + "Shared Drive Creation new_team_drive_restricts_download", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("false", LastEvent.NewValue) == true @@ -743,11 +761,12 @@ NonCompliantOUs2_4 contains { } NonCompliantGroups2_4 contains { - "Name": Group, + "Name": Group, "Value": "Viewers and commenters are allowed to download, print, and copy files" } if { some Group in utils.GroupsWithEvents - Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", Group) + Events := utils.FilterEventsGroup(LogEvents, + "Shared Drive Creation new_team_drive_restricts_download", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("false", LastEvent.NewValue) == true @@ -764,7 +783,8 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, + "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) count(Events) == 0 } 
@@ -772,12 +792,14 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.2.4v0.1", "Criticality": "Shall", "ReportDetails": utils.ReportDetails(NonCompliantOUs2_4, NonCompliantGroups2_4), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_4, "NonCompliantGroups": NonCompliantGroups2_4}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_4, + "NonCompliantGroups": NonCompliantGroups2_4}, "RequirementMet": Status, "NoSuchEvent": false } if { - Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, + "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) count(Events) > 0 Conditions := {count(NonCompliantOUs2_4) == 0, count(NonCompliantGroups2_4) == 0 } Status := (false in Conditions) == false @@ -801,7 +823,8 @@ NoSuchEvent3_1(TopLevelOU) := true if { NoSuchEvent3_1(TopLevelOU) := true if { # No such event... - Events := utils.FilterEventsOU(LogEvents, "Link Security Update Settings less_secure_link_option", TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, + "Link Security Update Settings less_secure_link_option", TopLevelOU) count(Events) == 0 } @@ -819,11 +842,13 @@ NonCompliantOUs3_1 contains { "Value": concat("", [ GetFriendlyValue3_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) } if { some OU in utils.OUsWithEvents - Events_A := utils.FilterEventsOU(LogEvents, "Link Security Update Settings allow_less_secure_link_user_restore", OU) + Events_A := utils.FilterEventsOU(LogEvents, + "Link Security Update Settings allow_less_secure_link_user_restore", OU) count(Events_A) > 0 LastEvent_A := utils.GetLastEvent(Events_A) - Events_B := utils.FilterEventsOU(LogEvents, "Link Security Update Settings less_secure_link_option", OU) + Events_B := utils.FilterEventsOU(LogEvents, + "Link Security Update Settings less_secure_link_option", OU) count(Events_B) > 0 LastEvent_B := utils.GetLastEvent(Events_B) 
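Review bot: In NonCompliantOUs3_1 the `"Value"` wraps a single string in `concat("", [ … ])`, which is equivalent to the string itself and now costs an extra wrapped line; `"Value": GetFriendlyValue3_1(LastEvent_B.NewValue, LastEvent_A.NewValue)` reads more directly. The rule body continues past the hunk, so the conditions applied to LastEvent_A and LastEvent_B are not visible here.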
@@ -972,7 +997,8 @@ tests contains { "PolicyId": "GWS.DRIVEDOCS.5.1v0.1", "Criticality": "Shall", "ReportDetails": utils.ReportDetails(NonCompliantOUs5_1, NonCompliantGroups5_1), - "ActualValue": {"NonCompliantOUs": NonCompliantOUs5_1, "NonCompliantGroups": NonCompliantGroups5_1}, + "ActualValue": {"NonCompliantOUs": NonCompliantOUs5_1, + "NonCompliantGroups": NonCompliantGroups5_1}, "RequirementMet": Status, "NoSuchEvent": false } @@ -1004,13 +1030,15 @@ else := "Drive for Desktop is enabled, and only on approved devices." if { Value_A == "true" } NoSuchEvent6_1(TopLevelOU) := false if { - Events := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto drive_fs_enabled", TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, + "DriveFsSettingsProto drive_fs_enabled", TopLevelOU) count(Events) != 0 } NoSuchEvent6_1(TopLevelOU) := false if { # No such event... - Events := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", TopLevelOU) + Events := utils.FilterEventsOU(LogEvents, + "DriveFsSettingsProto company_owned_only_enabled", TopLevelOU) count(Events) != 0 } @@ -1019,12 +1047,14 @@ NonCompliantOUs6_1 contains { "Value": concat("", [GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) } if { some OU in utils.OUsWithEvents - Events_A := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto drive_fs_enabled", OU) + Events_A := utils.FilterEventsOU(LogEvents, + "DriveFsSettingsProto drive_fs_enabled", OU) count(Events_A) > 0 LastEvent_A := utils.GetLastEvent(Events_A) LastEvent_A.NewValue != "DELETE_APPLICATION_SETTING" - Events_B := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", OU) + Events_B := utils.FilterEventsOU(LogEvents, + "DriveFsSettingsProto company_owned_only_enabled", OU) count(Events_B) > 0 LastEvent_B := utils.GetLastEvent(Events_B) LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING" 
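Review bot: Both NoSuchEvent6_1 bodies yield `false` as soon as one of the two settings has any event (`count(Events) != 0`), so a tenant whose logs carry only `drive_fs_enabled` or only `company_owned_only_enabled` is not reported as "no such event", yet NonCompliantOUs6_1 in the next hunk requires events for both settings before it can flag an OU — the net effect is an OU silently reported compliant on partial data. NoSuchEvent3_1 earlier in this commit uses the opposite shape, `:= true if { … count(Events) == 0 }`, which is the one that surfaces a missing setting; if the `default` for NoSuchEvent6_1 (outside the hunk) is `true`, I would expect these two bodies to follow 3.1 — `NoSuchEvent6_1(TopLevelOU) := true if {` with `count(Events) == 0` — and the default to flip to `false`. The comment `# No such event...` on a body that requires events to exist is misleading either way. NonCompliantGroups6_1 in the following hunk has the same two-setting precondition.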
@@ -1040,12 +1070,14 @@ NonCompliantGroups6_1 contains { "Value": concat("", [GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) } if { some Group in utils.GroupsWithEvents - Events_A := utils.FilterEventsGroup(LogEvents, "DriveFsSettingsProto drive_fs_enabled", Group) + Events_A := utils.FilterEventsGroup(LogEvents, + "DriveFsSettingsProto drive_fs_enabled", Group) count(Events_A) > 0 LastEvent_A := utils.GetLastEvent(Events_A) LastEvent_A.NewValue != "DELETE_APPLICATION_SETTING" - Events_B := utils.FilterEventsGroup(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", Group) + Events_B := utils.FilterEventsGroup(LogEvents, + "DriveFsSettingsProto company_owned_only_enabled", Group) count(Events_B) > 0 LastEvent_B := utils.GetLastEvent(Events_B) LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING" From a85af65ecd5d8f954369f08249346d537346031d Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 14:25:15 -0700 Subject: [PATCH 14/33] [#259] Linter fix --- Testing/RegoTests/drive/drive01_test.rego | 4 ++-- rego/Drive.rego | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index acfaeefc..f38fd816 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -2414,8 +2414,8 @@ test_Default_Incorrect_V6 if { RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", "
  • Test Secondary OU: When users create items,", - " the default access is set to: "," - The primary target audience can access the item if they have the link
" + " the default access is set to: ", + "The primary target audience can access the item if they have the link" ]) } \ No newline at end of file diff --git a/rego/Drive.rego b/rego/Drive.rego index f4beca6c..5b745bb9 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -229,15 +229,15 @@ default NoSuchEvent1_4(_) := false GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) := "External Sharing is Disabled" if { Value_B in AcceptableValues_B -} else := "External Sharing is Enabled, - but Sharing invites to non-google accounts is disabled" if { +} else := concat("", ["External Sharing is Enabled, "," + but Sharing invites to non-google accounts is disabled"]) if { Value_A in AcceptableValues_A } else := "External Sharing is Enabled, and invites can be shared to non-google accounts" NonCompliantOUs1_4 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, - LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) + "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, + LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) } if { some OU in utils.OUsWithEvents Events_A := utils.FilterEventsOU(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", OU) From c8a9c781150de30cf8534ccf3cea2d08cc8d772d Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 14:55:40 -0700 Subject: [PATCH 15/33] [#259] another linter fix --- rego/Drive.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index 5b745bb9..ef9884d9 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego 
@@ -229,8 +229,8 @@ default NoSuchEvent1_4(_) := false GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) := "External Sharing is Disabled" if { Value_B in AcceptableValues_B -} else := concat("", ["External Sharing is Enabled, "," - but Sharing invites to non-google accounts is disabled"]) if { +} else := concat("", ["External Sharing is Enabled, ", + "but Sharing invites to non-google accounts is disabled"]) if { Value_A in AcceptableValues_A } else := "External Sharing is Enabled, and invites can be shared to non-google accounts" From c23a9f82e88245c21d8f19a4b9fca0c512215357 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 15:02:24 -0700 Subject: [PATCH 16/33] [#259] linter fixes --- Testing/RegoTests/drive/drive01_test.rego | 9 ++++++--- Testing/RegoTests/drive/drive02_test.rego | 6 ++++-- Testing/RegoTests/drive/drive03_test.rego | 9 ++++++--- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index f38fd816..66909843 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -1934,7 +1934,8 @@ test_CrossDomain_Incorrect_V2 if { } test_CrossDomain_Incorrect_V3 if { - # Test sharing setting when there are multiple events and the most recent is wrong, set to anyone can distribute content. + # Test sharing setting when there are multiple events and + # the most recent is wrong, set to anyone can distribute content. PolicyId := "GWS.DRIVEDOCS.1.7v0.1" Output := tests with input as { "drive_logs": {"items": [ 
@@ -1974,7 +1975,8 @@ test_CrossDomain_Incorrect_V3 if { } test_CrossDomain_Incorrect_V4 if { - # Test sharing setting when Top OU is correct but not secondary OU, which is set to Anyone in the Organization + # Test sharing setting when Top OU is correct but not secondary OU, + # which is set to Anyone in the Organization PolicyId := "GWS.DRIVEDOCS.1.7v0.1" Output := tests with input as { "drive_logs": {"items": [ @@ -2047,7 +2049,8 @@ test_CrossDomain_Incorrect_V5 if { } test_CrossDomain_Incorrect_V6 if { - # Test sharing setting when there are multiple events and the most recent event is wrong, set to only users in the organization + # Test sharing setting when there are multiple events and + # the most recent event is wrong, set to only users in the organization PolicyId := "GWS.DRIVEDOCS.1.7v0.1" Output := tests with input as { "drive_logs": {"items": [ diff --git a/Testing/RegoTests/drive/drive02_test.rego b/Testing/RegoTests/drive/drive02_test.rego index 50ac5808..84eac175 100644 --- a/Testing/RegoTests/drive/drive02_test.rego +++ b/Testing/RegoTests/drive/drive02_test.rego @@ -1109,7 +1109,8 @@ test_Viewers_Incorrect_V3 if { not RuleOutput[0].NoSuchEvent print() RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Viewers and commenters are allowed to download, print, and copy files
"]) + "
  • Test Top-Level OU: ", + "Viewers and commenters are allowed to download, print, and copy files
"]) } test_Viewers_Incorrect_V4 if { @@ -1148,7 +1149,8 @@ test_Viewers_Incorrect_V4 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Secondary OU: Viewers and commenters are allowed to download, print, and copy files
"]) + "
  • Test Secondary OU: ", + "Viewers and commenters are allowed to download, print, and copy files
"]) } test_Viewers_Incorrect_V5 if { diff --git a/Testing/RegoTests/drive/drive03_test.rego b/Testing/RegoTests/drive/drive03_test.rego index 2bb2de64..f72c180d 100644 --- a/Testing/RegoTests/drive/drive03_test.rego +++ b/Testing/RegoTests/drive/drive03_test.rego @@ -235,7 +235,8 @@ test_Sharing_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Allow users to remove/apply the security update for files they own or manage
"]) + "
  • Test Top-Level OU: ", + "Allow users to remove/apply the security update for files they own or manage
"]) } test_Sharing_Incorrect_V3 if { @@ -290,7 +291,8 @@ test_Sharing_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Allow users to remove/apply the security update for files they own or manage
"]) + "
  • Test Top-Level OU: ", + "Allow users to remove/apply the security update for files they own or manage
"]) } test_Sharing_Incorrect_V4 if { @@ -355,7 +357,8 @@ test_Sharing_Incorrect_V4 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Secondary OU: Allow users to remove/apply the security update for files they own or manage
"]) + "
  • Test Secondary OU: ", + "Allow users to remove/apply the security update for files they own or manage
"]) } test_Sharing_Incorrect_V5 if { From f2bc7069341095eed9448a3ea224bd28ea59282f Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 15:16:01 -0700 Subject: [PATCH 17/33] [#259] more linter fixes --- Testing/RegoTests/drive/drive02_test.rego | 3 --- 1 file changed, 3 deletions(-) diff --git a/Testing/RegoTests/drive/drive02_test.rego b/Testing/RegoTests/drive/drive02_test.rego index 84eac175..26494c4c 100644 --- a/Testing/RegoTests/drive/drive02_test.rego +++ b/Testing/RegoTests/drive/drive02_test.rego @@ -965,10 +965,8 @@ test_Viewers_Correct_V2 if { } RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - print(RuleOutput) count(RuleOutput) == 1 RuleOutput[0].RequirementMet - print(RuleOutput[0].RequirementMet) not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." } @@ -1107,7 +1105,6 @@ test_Viewers_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - print() RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Top-Level OU: ", "Viewers and commenters are allowed to download, print, and copy files
"]) From ad0f86eaf48e357dc45645e03530ad74e435f56d Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 21:11:08 -0700 Subject: [PATCH 18/33] [#259] MR updates for policy 1 --- Testing/RegoTests/drive/drive01_test.rego | 9 ++++++--- rego/Drive.rego | 19 +++++++++++++------ 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index 66909843..7fa27362 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -166,7 +166,8 @@ test_Sharing_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Sharing Outside Domain is not properly configured.
"]) + "
  • Test Top-Level OU: Files owned by users or shared drives ", + "can be shared outside of the organization
"]) } test_Sharing_Incorrect_V3 if { @@ -205,7 +206,8 @@ test_Sharing_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Sharing Outside Domain is not properly configured.
"]) + "
  • Test Top-Level OU: Files owned by users or shared drives ", + "can be shared outside of the organization
"]) } test_Sharing_Incorrect_V4 if { @@ -244,7 +246,8 @@ test_Sharing_Incorrect_V4 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Secondary OU: Sharing Outside Domain is not properly configured.
"]) + "
  • Test Secondary OU: Files owned by users or shared drives ", + "can be shared outside of the organization
"]) } test_Sharing_Incorrect_V5 if { diff --git a/rego/Drive.rego b/rego/Drive.rego index ef9884d9..835c1ebe 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -12,14 +12,21 @@ LogEvents := utils.GetEvents("drive_logs") # # Baseline GWS.DRIVEDOCS.1.1v0.1 #-- -GetFriendlyValue1_1(Value, AcceptableValues) := "Sharing is Properly Configured" if { - Value in AcceptableValues == true -} -else := "Sharing Outside Domain is not properly configured." +GetFriendlyValue1_1(Value) := concat("", ["Files owned by users or shared drives ", + "can be shared with Google accounts in compatible allowlisted domains"]) if { + Value == "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING_MAY_RECEIVE_FILES_FROM_ANYONE" +} +else := concat("", ["Files owned by users or shared drives ", + "can be shared outside of the organization"]) if { + Value == "SHARING_ALLOWED" +} else := concat("", ["Files owned by users or shared drives ", + "can be shared outside of the organization with a warning"]) if { + Value == "SHARING_ALLOWED_WITH_WARNING" +} else := Value NonCompliantOUs1_1 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue, AcceptableValues)]) + "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue)]) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) @@ -33,7 +40,7 @@ NonCompliantOUs1_1 contains { NonCompliantGroups1_1 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue, AcceptableValues)]) + "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue)]) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group) From c0844edf6dfce4e337ea2ee90e372c03ac176e22 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 21:28:11 -0700 Subject: [PATCH 19/33] [#259] More MR updates --- rego/Drive.rego | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) 
diff --git a/rego/Drive.rego b/rego/Drive.rego index 835c1ebe..f32dcda0 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -81,7 +81,6 @@ if { } #-- -# Can be combined with 1.1, since this is a single setting with the same value that will pass for both conditions # # Baseline GWS.DRIVEDOCS.1.2v0.1 #-- @@ -94,26 +93,30 @@ else := "Users can recieve files outside the domain" NonCompliantOUs1_2 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_2(LastEvent.NewValue)]) + "Value": GetFriendlyValue1_2(LastEvent.NewValue) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) - contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", LastEvent.NewValue) == false + AcceptableValues = {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", + "TRUSTED_DOMAINS_ALLOWED", "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING"} + not LastEvent.NewValue in AcceptableValues } NonCompliantGroups1_2 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue1_2(LastEvent.NewValue)]) + "Value": GetFriendlyValue1_2(LastEvent.NewValue) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) - contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", LastEvent.NewValue) == false + AcceptableValues = {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", + "TRUSTED_DOMAINS_ALLOWED", "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING"} + not LastEvent.NewValue in AcceptableValues } tests contains { @@ -147,7 +150,6 @@ if { } #-- -# Can be combined with 1.4 since a single policy can be used to check both conditions # # Baseline GWS.DRIVEDOCS.1.3v0.1 #-- 
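Review bot: The two new `AcceptableValues = {...}` lines in NonCompliantOUs1_2 and NonCompliantGroups1_2 use `=` (unification) where the 1.3 hunk in the next chunk of this commit and the rest of the file use `:=`; `AcceptableValues := {...}` is the consistent form and is what the linter this series is chasing expects. The same four-value set is also written out verbatim in both rules (and the six-value set likewise in the two 1.3 rules), so an edit to one copy would silently make OU and group evaluation disagree; a package-level `AcceptableValues1_2 := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", "TRUSTED_DOMAINS_ALLOWED", "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING"}` referenced from both rules keeps them in lockstep. Replacing the old substring `contains(...)` test with set membership is the right call, since any NewValue that happened to be a substring of that haystack was previously treated as compliant.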
@@ -160,27 +162,31 @@ else := "External Sharing Warning is Disabled" NonCompliantOUs1_3 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)]) + "Value": GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) AcceptableValues := {"SHARING_ALLOWED_WITH_WARNING", "SHARING_NOT_ALLOWED", - "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} + "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES", + "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING", + "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING_MAY_RECEIVE_FILES_FROM_ANYONE"} not LastEvent.NewValue in AcceptableValues } NonCompliantGroups1_3 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)]) + "Value": GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) AcceptableValues := {"SHARING_ALLOWED_WITH_WARNING", "SHARING_NOT_ALLOWED", - "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"} + "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES", + "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING", + "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING_MAY_RECEIVE_FILES_FROM_ANYONE"} not LastEvent.NewValue in AcceptableValues } 
@@ -243,8 +249,8 @@ GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) := NonCompliantOUs1_4 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, - LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)]) + "Value": GetFriendlyValue1_4(LastEvent_A.NewValue, + LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B) } if { some OU in utils.OUsWithEvents Events_A := utils.FilterEventsOU(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", OU) @@ -263,8 +269,8 @@ NonCompliantOUs1_4 contains { NonCompliantGroups1_4 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue, - AcceptableValues_A, AcceptableValues_B)]) + "Value": GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue, + AcceptableValues_A, AcceptableValues_B) } if { some Group in utils.GroupsWithEvents Events_A := utils.FilterEventsGroup(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", Group) From ac4e10100461b98cf4e78643c49439977995367a Mon Sep 17 00:00:00 2001 From: ssnarve Date: Mon, 3 Jun 2024 22:26:49 -0700 Subject: [PATCH 20/33] [#259] Remove unnecessary concats --- rego/Drive.rego | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index f32dcda0..be44ceed 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -26,7 +26,7 @@ else := concat("", ["Files owned by users or shared drives ", NonCompliantOUs1_1 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue)]) + "Value": GetFriendlyValue1_1(LastEvent.NewValue) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU) 
@@ -40,7 +40,7 @@ NonCompliantOUs1_1 contains { NonCompliantGroups1_1 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue)]) + "Value": GetFriendlyValue1_1(LastEvent.NewValue) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group) @@ -385,7 +385,7 @@ if { contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", NonCompliantOUs1_6 contains { "Name":OU, - "Value": concat("",[GetFriendlyValue1_6(LastEvent.NewValue)]) + "Value": GetFriendlyValue1_6(LastEvent.NewValue) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU) @@ -397,7 +397,7 @@ NonCompliantOUs1_6 contains { NonCompliantGroups1_6 contains { "Name":Group, - "Value": concat("",[GetFriendlyValue1_6(LastEvent.NewValue)]) + "Value": GetFriendlyValue1_6(LastEvent.NewValue) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", Group) @@ -451,7 +451,7 @@ GetFriendlyValue1_7(Value):= "Setting is compliant." if { NonCompliantOUs1_7 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue1_7(LastEvent.NewValue)]) + "Value": GetFrendlyValue1_7(LastEvent.NewValue) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", OU) @@ -463,7 +463,7 @@ NonCompliantOUs1_7 contains { NonCompliantGroups1_7 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue1_7(LastEvent.NewValue)]) + "Value": GetFriendlyValue1_7(LastEvent.NewValue) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", Group) 
@@ -852,7 +852,7 @@ else := "Allow users to remove/apply the security update for files they own or m } NonCompliantOUs3_1 contains { "Name": OU, - "Value": concat("", [ GetFriendlyValue3_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) + "Value": GetFriendlyValue3_1(LastEvent_B.NewValue, LastEvent_A.NewValue) } if { some OU in utils.OUsWithEvents Events_A := utils.FilterEventsOU(LogEvents, @@ -1057,7 +1057,7 @@ NoSuchEvent6_1(TopLevelOU) := false if { NonCompliantOUs6_1 contains { "Name": OU, - "Value": concat("", [GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) + "Value": GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue) } if { some OU in utils.OUsWithEvents Events_A := utils.FilterEventsOU(LogEvents, @@ -1080,7 +1080,7 @@ NonCompliantOUs6_1 contains { NonCompliantGroups6_1 contains { "Name": Group, - "Value": concat("", [GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)]) + "Value": GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue) } if { some Group in utils.GroupsWithEvents Events_A := utils.FilterEventsGroup(LogEvents, From dabb364c5fa2ed9755df8811950865256bcc70cb Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Tue, 4 Jun 2024 08:29:15 -0700 Subject: [PATCH 21/33] Correct minor typo in GetFriendlyValue1_7 --- rego/Drive.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index be44ceed..23443403 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -451,7 +451,7 @@ GetFriendlyValue1_7(Value):= "Setting is compliant." if { NonCompliantOUs1_7 contains { "Name": OU, - "Value": GetFrendlyValue1_7(LastEvent.NewValue) + "Value": GetFriendlyValue1_7(LastEvent.NewValue) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", OU) From 63b5d5b28ddb68ae2a22b50010c78c0f4eb2715c Mon Sep 17 00:00:00 2001 
From: ssnarve Date: Tue, 4 Jun 2024 16:24:09 -0700 Subject: [PATCH 22/33] [#259] MR updates --- rego/Drive.rego | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index be44ceed..3c49fcbd 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -12,16 +12,13 @@ LogEvents := utils.GetEvents("drive_logs") # # Baseline GWS.DRIVEDOCS.1.1v0.1 #-- + GetFriendlyValue1_1(Value) := concat("", ["Files owned by users or shared drives ", "can be shared with Google accounts in compatible allowlisted domains"]) if { - Value == "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING_MAY_RECEIVE_FILES_FROM_ANYONE" -} -else := concat("", ["Files owned by users or shared drives ", - "can be shared outside of the organization"]) if { - Value == "SHARING_ALLOWED" -} else := concat("", ["Files owned by users or shared drives ", - "can be shared outside of the organization with a warning"]) if { - Value == "SHARING_ALLOWED_WITH_WARNING" + startswith(Value, "TRUSTED_DOMAINS") +} +else := "Files owned by users or shared drives can be shared outside of the organization" if { + startswith(Value, "SHARING_ALLOWED") } else := Value NonCompliantOUs1_1 contains { @@ -242,10 +239,10 @@ default NoSuchEvent1_4(_) := false GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) := "External Sharing is Disabled" if { Value_B in AcceptableValues_B -} else := concat("", ["External Sharing is Enabled, ", - "but Sharing invites to non-google accounts is disabled"]) if { +} else := concat("", ["External sharing is enabled, ", + "but sharing items to non-google accounts is disabled"]) if { Value_A in AcceptableValues_A -} else := "External Sharing is Enabled, and invites can be shared to non-google accounts" +} else := "External sharing is enabled, and items can be shared to non-google accounts" NonCompliantOUs1_4 contains { "Name": OU, From 55ebb4f0c243f1d08466d6ade9c37beeeb52b129 Mon Sep 17 00:00:00 2001 
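Review bot: Switching GetFriendlyValue1_1 to `startswith(Value, "TRUSTED_DOMAINS")` and `startswith(Value, "SHARING_ALLOWED")` collapses distinct settings into one report string: SHARING_ALLOWED and SHARING_ALLOWED_WITH_WARNING now read identically, and every TRUSTED_DOMAINS* variant, including the ..._MAY_RECEIVE_FILES_FROM_ANYONE value the previous version matched explicitly, reads as "compatible allowlisted domains", so an admin can no longer tell from the report whether a warning is shown or whether files can be received from anyone. If the 1.1 tests rule builds ActualValue from NonCompliantOUs1_1 as the other policies in this file do, the raw setting no longer appears anywhere in the output. Keeping the raw value next to the friendly text, e.g. `"Value": concat("", [GetFriendlyValue1_1(LastEvent.NewValue), " (", LastEvent.NewValue, ")"])` in the NonCompliantOUs1_1 and NonCompliantGroups1_1 rules (their bodies lie outside this hunk), or restoring a separate branch for the _WITH_WARNING variants, would preserve that distinction.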
From: ssnarve Date: Tue, 4 Jun 2024 16:27:04 -0700 Subject: [PATCH 23/33] [#259] Linter fix --- rego/Drive.rego | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index c2a12785..4c8a0519 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -13,11 +13,14 @@ LogEvents := utils.GetEvents("drive_logs") # Baseline GWS.DRIVEDOCS.1.1v0.1 #-- -GetFriendlyValue1_1(Value) := concat("", ["Files owned by users or shared drives ", - "can be shared with Google accounts in compatible allowlisted domains"]) if { +GetFriendlyValue1_1(Value) := concat("", + ["Files owned by users or shared drives ", + "can be shared with Google accounts in ", + "compatible allowlisted domains"]) if { startswith(Value, "TRUSTED_DOMAINS") } -else := "Files owned by users or shared drives can be shared outside of the organization" if { +else := concat(["Files owned by users or shared drives can ", + "be shared outside of the organization"]) if { startswith(Value, "SHARING_ALLOWED") } else := Value From 84d4eb73f657be8e162237eda32b5c977de27bf9 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Tue, 4 Jun 2024 16:29:51 -0700 Subject: [PATCH 24/33] [#259] formatting error --- rego/Drive.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index 4c8a0519..bfe68689 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -19,7 +19,7 @@ GetFriendlyValue1_1(Value) := concat("", "compatible allowlisted domains"]) if { startswith(Value, "TRUSTED_DOMAINS") } -else := concat(["Files owned by users or shared drives can ", +else := concat("", ["Files owned by users or shared drives can ", "be shared outside of the organization"]) if { startswith(Value, "SHARING_ALLOWED") } else := Value From 319c3122e12af0c66f379a83e2ab82f317833ef7 Mon Sep 17 00:00:00 2001 
From: ssnarve Date: Tue, 4 Jun 2024 16:42:54 -0700 Subject: [PATCH 25/33] [#259] Fix unit tests --- Testing/RegoTests/drive/drive01_test.rego | 28 ++++++++++++++--------- rego/Drive.rego | 4 ++-- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index 7fa27362..f0010ade 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -166,8 +166,9 @@ test_Sharing_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Files owned by users or shared drives ", - "can be shared outside of the organization
"]) + "
  • Test Top-Level OU: ", + "Files owned by users or shared drives can ", + "be shared outside of the organization
"]) } test_Sharing_Incorrect_V3 if { @@ -206,8 +207,9 @@ test_Sharing_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Files owned by users or shared drives ", - "can be shared outside of the organization
"]) + "
  • Test Top-Level OU: ", + "Files owned by users or shared drives can ", + "be shared outside of the organization
"]) } test_Sharing_Incorrect_V4 if { @@ -246,8 +248,9 @@ test_Sharing_Incorrect_V4 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Secondary OU: Files owned by users or shared drives ", - "can be shared outside of the organization
"]) + "
  • Test Secondary OU: ", + "Files owned by users or shared drives can ", + "be shared outside of the organization
"]) } test_Sharing_Incorrect_V5 if { @@ -1055,8 +1058,9 @@ test_NonGoogle_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: External Sharing is Enabled, ", - "and invites can be shared to non-google accounts
"]) + "
  • Test Top-Level OU: ", + "External sharing is enabled and ", + "items can be shared to non-google accounts
"]) } test_NonGoogle_Incorrect_V3 if { @@ -1115,8 +1119,9 @@ test_NonGoogle_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: External Sharing is Enabled, ", - "and invites can be shared to non-google accounts
"]) + "
  • Test Top-Level OU: ", + "External sharing is enabled and ", + "items can be shared to non-google accounts
"]) } test_NonGoogle_Incorrect_V4 if { @@ -1176,7 +1181,8 @@ test_NonGoogle_Incorrect_V4 if { not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Secondary OU: ", - "External Sharing is Enabled, and invites can be shared to non-google accounts
"]) + "External sharing is enabled and ", + "items can be shared to non-google accounts"]) } test_NonGoogle_Incorrect_V5 if { diff --git a/rego/Drive.rego b/rego/Drive.rego index bfe68689..fa9842ad 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -242,10 +242,10 @@ default NoSuchEvent1_4(_) := false GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) := "External Sharing is Disabled" if { Value_B in AcceptableValues_B -} else := concat("", ["External sharing is enabled, ", +} else := concat("", ["External sharing is enabled ", "but sharing items to non-google accounts is disabled"]) if { Value_A in AcceptableValues_A -} else := "External sharing is enabled, and items can be shared to non-google accounts" +} else := "External sharing is enabled and items can be shared to non-google accounts" NonCompliantOUs1_4 contains { "Name": OU, From fdcaf166d631d61f7c844faea6d01e93adbee399 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Tue, 4 Jun 2024 16:50:12 -0700 Subject: [PATCH 26/33] [#259] Update policy 1.5 --- Testing/RegoTests/drive/drive01_test.rego | 8 ++++---- rego/Drive.rego | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index f0010ade..d7292ed5 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -1382,7 +1382,7 @@ test_Link_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Published web content is visible to anyone with a link.
"]) + "
  • Test Top-Level OU: Published web content can be made visible to anyone with a link
"]) } test_Link_Incorrect_V3 if { # Test sharing setting when there are multiple events and the most recent is wrong @@ -1420,7 +1420,7 @@ test_Link_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Published web content is visible to anyone with a link.
"]) + "
  • Test Top-Level OU: Published web content can be made visible to anyone with a link
"]) } test_Link_Incorrect_V4 if { @@ -1458,8 +1458,8 @@ test_Link_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Secondary OU: Published web content is visible to anyone with a link.
"]) + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: Published web content can be made visible to anyone with a link
"]) } test_Link_Incorrect_V5 if { diff --git a/rego/Drive.rego b/rego/Drive.rego index fa9842ad..6fbab4b5 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -323,7 +323,7 @@ if { NonCompliantOUs1_5 contains { "Name": OU, - "Value": "Published web content is visible to anyone with a link. " + "Value": "Published web content can be made visible to anyone with a link" } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "PUBLISHING_TO_WEB", OU) @@ -334,7 +334,7 @@ NonCompliantOUs1_5 contains { NonCompliantGroups1_5 contains { "Name": Group, - "Value": "Published web content is visible to anyone with a link. " + "Value": "Published web content can be made visible to anyone with a link" } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "PUBLISHING_TO_WEB", Group) From fb72c182234769e9408a780738c196120cb01172 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Tue, 4 Jun 2024 17:26:58 -0700 Subject: [PATCH 27/33] [#259] Update 1.6 --- Testing/RegoTests/drive/drive01_test.rego | 18 ++++++++++++------ rego/Drive.rego | 6 ++---- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index d7292ed5..0aa2b108 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -1659,8 +1659,10 @@ test_SharingChecker_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", - "
  • Test Top-Level OU: Access Checking is disabled outside of docs and drive
"]) + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: ", + "Access Checker allows users to share ", + "files to the public (no Google account required)
"]) } test_SharingChecker_Incorrect_V3 if { @@ -1698,8 +1700,10 @@ test_SharingChecker_Incorrect_V3 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", - "
  • Test Top-Level OU: Access Checking is disabled outside of docs and drive
"]) + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Top-Level OU: ", + "Access Checker allows users to share ", + "files to the public (no Google account required)
"]) } test_SharingChecker_Incorrect_V4 if { @@ -1737,8 +1741,10 @@ test_SharingChecker_Incorrect_V4 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ "The following OUs are non-compliant:", - "
  • Test Secondary OU: Access Checking is disabled outside of docs and drive
"]) + RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", + "
  • Test Secondary OU: ", + "Access Checker allows users to share ", + "files to the public (no Google account required)
"]) } test_SharingChecker_Incorrect_V5 if { diff --git a/rego/Drive.rego b/rego/Drive.rego index 6fbab4b5..23d81e67 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -378,10 +378,8 @@ if { # # Baseline GWS.DRIVEDOCS.1.6v0.1 #-- -GetFriendlyValue1_6(Value):= "Access Checking is disabled outside of docs and drive" -if { contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", Value) == false -} else := "Access Checking is enabled outside of docs and drive." - +GetFriendlyValue1_6(Value):= concat("", ["Access Checker allows users to share ", + "files to the public (no Google account required)"]) NonCompliantOUs1_6 contains { "Name":OU, From d78bfd8a4916abada78d7017d32ed2ecb6182358 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Tue, 4 Jun 2024 17:29:14 -0700 Subject: [PATCH 28/33] [#259] Remove friendly message method for 1.6 --- rego/Drive.rego | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index 23d81e67..578fc59b 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -378,12 +378,10 @@ if { # # Baseline GWS.DRIVEDOCS.1.6v0.1 #-- -GetFriendlyValue1_6(Value):= concat("", ["Access Checker allows users to share ", - "files to the public (no Google account required)"]) - NonCompliantOUs1_6 contains { "Name":OU, - "Value": GetFriendlyValue1_6(LastEvent.NewValue) + "Value": concat("", ["Access Checker allows users to share ", + "files to the public (no Google account required)"]) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU) @@ -395,7 +393,8 @@ NonCompliantOUs1_6 contains { NonCompliantGroups1_6 contains { "Name":Group, - "Value": GetFriendlyValue1_6(LastEvent.NewValue) + "Value": concat("", ["Access Checker allows users to share ", + "files to the public (no Google account required)"]) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", Group) 
From 5c9ed1ccbd831efd66a3143219c543bd0874cc6d Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Fri, 7 Jun 2024 11:11:24 -0700 Subject: [PATCH 29/33] Correct unit tests missed by merge --- Testing/RegoTests/drive/drive01_test.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index 620867f9..fbd74a33 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -2066,7 +2066,7 @@ test_CrossDomain_Incorrect_V5 if { test_CrossDomain_Incorrect_V6 if { # Test sharing setting when there are multiple events and # the most recent event is wrong, set to only users in the organization - PolicyId := "GWS.DRIVEDOCS.1.7v0.1" + PolicyId := "GWS.DRIVEDOCS.1.7v0.2" Output := tests with input as { "drive_logs": {"items": [ { @@ -2396,7 +2396,7 @@ test_Default_Incorrect_V5 if { test_Default_Incorrect_V6 if { # Test sharing setting when Top OU is correct but not secondary OU - PolicyId := "GWS.DRIVEDOCS.1.8v0.1" + PolicyId := "GWS.DRIVEDOCS.1.8v0.2" Output := tests with input as { "drive_logs": {"items": [ { From 1b99ee8d61043f59a0c759aa10cf3ea6f47c5541 Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Fri, 7 Jun 2024 12:14:47 -0700 Subject: [PATCH 30/33] Added missing event for the Drive provider --- scubagoggles/provider.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scubagoggles/provider.py b/scubagoggles/provider.py index 270bc4a0..79f4597e 100644 --- a/scubagoggles/provider.py +++ b/scubagoggles/provider.py @@ -42,6 +42,7 @@ 'CHANGE_DATA_LOCALIZATION_FOR_RUSSIA' ], 'drive': [ + 'CREATE_APPLICATION_SETTING', 'CHANGE_APPLICATION_SETTING', 'CHANGE_DOCS_SETTING', 'DELETE_APPLICATION_SETTING' From 62a84f70713c7e9a7fa17c3c5069e000cfad6df8 Mon Sep 17 00:00:00 2001 
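Review bot: The new `'CREATE_APPLICATION_SETTING'` entry changes which Drive events are collected, but the patch touches only provider.py (1 file changed), so nothing in the Rego rules or their unit tests exercises an event of this type. Whether `utils.FilterEventsOU` and `utils.GetLastEvent` treat a CREATE event the same way as a CHANGE event depends on the parameters the event carries, which this diff does not show; a test fixture containing one CREATE event for a rule that consumes these logs would confirm it. A short comment on the entry recording why the CREATE variant is needed would also help, since the commit message only says "missing event". The enclosing dict literal starts and ends outside the hunk.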
From: ssnarve Date: Wed, 26 Jun 2024 16:14:12 -0700 Subject: [PATCH 31/33] [#259] MR updates - typos and formatting --- rego/Drive.rego | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rego/Drive.rego b/rego/Drive.rego index 578fc59b..72cc7cff 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -697,7 +697,7 @@ if { #-- NonCompliantOUs2_3 contains { "Name": OU, - "Value": "People who aren't shared drive members cannot be added to files" + "Value": "People who aren't shared drive members can be added to files" } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, @@ -709,7 +709,7 @@ NonCompliantOUs2_3 contains { } NonCompliantGroups2_3 contains { "Name": Group, - "Value": "People who aren't shared drive members cannot be added to files" + "Value": "People who aren't shared drive members can be added to files" } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, @@ -841,10 +841,10 @@ NoSuchEvent3_1(TopLevelOU) := true if { default NoSuchEvent3_1(_) := false GetFriendlyValue3_1(Value_B, Value_A) := -"Remove security update from all impacted files" if { +"The security update is removed from all impacted files" if { Value_B == "REQUIRE_LESS_SECURE_LINKS" } -else := "Allow users to remove/apply the security update for files they own or manage" if { +else := "Users are allowed to remove/apply the security update for files they own or manage" if { Value_A == "true" } NonCompliantOUs3_1 contains { @@ -904,7 +904,7 @@ if { #-- NonCompliantOUs4_1 contains { "Name": OU, - "Value": "Drive SDK is Enabled" + "Value": "Drive SDK is enabled" } if { some OU in utils.OUsWithEvents @@ -916,7 +916,7 @@ if { } NonCompliantGroups4_1 contains { "Name": Group, - "Value": "Drive SDK is Enabled" + "Value": "Drive SDK is enabled" } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "ENABLE_DRIVE_APPS", Group) 
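Review bot: `GetFriendlyValue3_1` still has no terminal `else`: it yields a value only when `Value_B == "REQUIRE_LESS_SECURE_LINKS"` or `Value_A == "true"`, and for any other pair the call in the `NonCompliantOUs3_1` head is undefined, which in Rego silently drops that OU from the set instead of reporting it. Whether the rule body, which continues past the hunk, guarantees that one of the two conditions holds is not visible here; a closing `else := concat("", ["Unexpected values: ", Value_B, " / ", Value_A])` (assuming both are strings, as the comparisons suggest) would make any gap surface in the report rather than disappear. The `GetFriendlyValue6_1` rewrite in the next hunk has the same shape, though its `else` branch runs past that hunk.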
@@ -1030,7 +1030,7 @@ if { default NoSuchEvent6_1(_) := true GetFriendlyValue6_1(Value_B, Value_A) := -"Drive for Desktop is Enabled, but can be used on any device." if { +"Drive for Desktop is enabled, but can be used on any device." if { Value_B == "false" } else := "Drive for Desktop is disabled" if { From 7a81eed94d9662c62b418a870b409a16af8ab35d Mon Sep 17 00:00:00 2001 From: ssnarve Date: Wed, 26 Jun 2024 16:27:22 -0700 Subject: [PATCH 32/33] [#259] Unit tests updated --- Testing/RegoTests/drive/drive02_test.rego | 6 +++--- Testing/RegoTests/drive/drive03_test.rego | 6 +++--- Testing/RegoTests/drive/drive04_test.rego | 6 +++--- Testing/RegoTests/drive/drive06_test.rego | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Testing/RegoTests/drive/drive02_test.rego b/Testing/RegoTests/drive/drive02_test.rego index f8ec34c7..f4a99492 100644 --- a/Testing/RegoTests/drive/drive02_test.rego +++ b/Testing/RegoTests/drive/drive02_test.rego @@ -773,7 +773,7 @@ test_SharedDrive_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: People who aren't shared drive members cannot be added to files
"]) + "
  • Test Top-Level OU: People who aren't shared drive members can be added to files
"]) } test_SharedDrive_Incorrect_V3 if { @@ -818,7 +818,7 @@ test_SharedDrive_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: People who aren't shared drive members cannot be added to files
"]) + "
  • Test Top-Level OU: People who aren't shared drive members can be added to files
"]) } @@ -864,7 +864,7 @@ test_SharedDrive_Incorrect_V4 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Secondary OU: People who aren't shared drive members cannot be added to files
"]) + "
  • Test Secondary OU: People who aren't shared drive members can be added to files
"]) } test_SharedDrive_Incorrect_V5 if { diff --git a/Testing/RegoTests/drive/drive03_test.rego b/Testing/RegoTests/drive/drive03_test.rego index 1781b02a..824caefe 100644 --- a/Testing/RegoTests/drive/drive03_test.rego +++ b/Testing/RegoTests/drive/drive03_test.rego @@ -236,7 +236,7 @@ test_Sharing_Incorrect_V2 if { not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Top-Level OU: ", - "Allow users to remove/apply the security update for files they own or manage
"]) + "Users are allowed to remove/apply the security update for files they own or manage"]) } test_Sharing_Incorrect_V3 if { @@ -292,7 +292,7 @@ test_Sharing_Incorrect_V3 if { not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Top-Level OU: ", - "Allow users to remove/apply the security update for files they own or manage
"]) + "Users are allowed to remove/apply the security update for files they own or manage"]) } test_Sharing_Incorrect_V4 if { @@ -358,7 +358,7 @@ test_Sharing_Incorrect_V4 if { not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Secondary OU: ", - "Allow users to remove/apply the security update for files they own or manage
"]) + "Users are allowed to remove/apply the security update for files they own or manage"]) } test_Sharing_Incorrect_V5 if { diff --git a/Testing/RegoTests/drive/drive04_test.rego b/Testing/RegoTests/drive/drive04_test.rego index f2936cca..ef8c5656 100644 --- a/Testing/RegoTests/drive/drive04_test.rego +++ b/Testing/RegoTests/drive/drive04_test.rego @@ -166,7 +166,7 @@ test_Security_Incorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Drive SDK is Enabled
"]) + "
  • Test Top-Level OU: Drive SDK is enabled
"]) } test_Security_Incorrect_V3 if { @@ -205,7 +205,7 @@ test_Security_Incorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Drive SDK is Enabled
"]) + "
  • Test Top-Level OU: Drive SDK is enabled
"]) } test_Security_Incorrect_V4 if { @@ -244,7 +244,7 @@ test_Security_Incorrect_V4 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Secondary OU: Drive SDK is Enabled
"]) + "
  • Test Secondary OU: Drive SDK is enabled
"]) } test_Security_Incorrect_V5 if { diff --git a/Testing/RegoTests/drive/drive06_test.rego b/Testing/RegoTests/drive/drive06_test.rego index 82acf367..ff824c29 100644 --- a/Testing/RegoTests/drive/drive06_test.rego +++ b/Testing/RegoTests/drive/drive06_test.rego @@ -311,7 +311,7 @@ test_DriveFs_Setting_InCorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Drive for Desktop is Enabled, but can be used on any device.
"]) + "
  • Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.
"]) } test_DriveFs_Setting_InCorrect_V3 if { @@ -390,5 +390,5 @@ test_DriveFs_Setting_InCorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Drive for Desktop is Enabled, but can be used on any device.
"]) + "
  • Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.
"]) } \ No newline at end of file From 7bf6c6d9809c51765cd2b06b7e93f6cd6b2874a9 Mon Sep 17 00:00:00 2001 From: ssnarve Date: Wed, 26 Jun 2024 16:30:58 -0700 Subject: [PATCH 33/33] [#259] Missed one typo --- Testing/RegoTests/drive/drive06_test.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Testing/RegoTests/drive/drive06_test.rego b/Testing/RegoTests/drive/drive06_test.rego index ff824c29..973db6d3 100644 --- a/Testing/RegoTests/drive/drive06_test.rego +++ b/Testing/RegoTests/drive/drive06_test.rego @@ -252,7 +252,7 @@ test_DriveFs_Setting_InCorrect_V1 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Drive for Desktop is Enabled, but can be used on any device.
"]) + "
  • Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.
"]) } test_DriveFs_Setting_InCorrect_V2 if {