Correct the "No Such Event" behavior for Gmail policies with multiple settings #369

Merged
72 changes: 72 additions & 0 deletions Testing/RegoTests/gmail/gmail05_test.rego
Expand Up @@ -1284,3 +1284,75 @@ test_AttachmentSafety_InCorrect_V2 if {
"Emails with encrypted attachments from untrusted senders are kept in the inbox</li></ul>"])
}

test_AttachmentSafety_Inorrect_V3 if {
# Test Spoofing and Authentication Protections when one setting is missing events
PolicyId := "GWS.GMAIL.5.5v0.3"
Output := tests with input as {
"gmail_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:24.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value": "Attachment safety Encrypted attachment protection setting action"
},
{"name": "NEW_VALUE", "value": "Move to spam"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2022-12-20T00:02:25.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value": "Attachment safety Attachment with scripts protection action"
},
{"name": "NEW_VALUE", "value": "Move to spam"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
}
# Note: no event for "Attachment safety Anomalous attachment protection setting action"
]},
"tenant_info": {
"topLevelOU": ""
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, Test Top-Level OU. ",
"While we are unable to determine the state from the logs, the default setting ",
"is non-compliant; manual check recommended."
])
}


test_AttachmentSafety_Inorrect_V4 if {
# Test Spoofing and Authentication Protections when all settings have no events
PolicyId := "GWS.GMAIL.5.5v0.3"
Output := tests with input as {
"gmail_logs": {"items": [

]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, Test Top-Level OU. ",
"While we are unable to determine the state from the logs, the default setting ",
"is non-compliant; manual check recommended."
])
}
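Review bot: Both new test names, `test_AttachmentSafety_Inorrect_V3` and `test_AttachmentSafety_Inorrect_V4`, misspell "Incorrect" and so break the `InCorrect` naming used by the neighbouring tests, which makes these cases hard to find by name filter. The header comments of both read `# Test Spoofing and Authentication Protections ...` although the policy under test is GWS.GMAIL.5.5 (attachment safety), so they look copied from gmail07_test.rego; I would change them to `# Test Attachment Safety when one setting is missing events` and `# Test Attachment Safety when no setting has any events`. V3 also passes `"topLevelOU": ""` while the expected ReportDetails name "Test Top-Level OU", which presumably relies on the top-level OU being inferred from the events; a one-line comment saying so would keep the empty string from being read as a mistake.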
90 changes: 87 additions & 3 deletions Testing/RegoTests/gmail/gmail07_test.rego
Expand Up @@ -2421,6 +2421,90 @@ test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V1 if {
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V2 if {
# Test Spoofing and Authentication Protections when only one setting doesn't have enents
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
"gmail_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:24.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value": concat("", [
"Spoofing and authentication safety Protect against domain spoofing based on similar ",
"domain names action"
])
},
{"name": "NEW_VALUE", "value": "Quarantine"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2022-12-20T00:02:25.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value":
"Spoofing and authentication safety Protect against spoofing of employee names action"
},
{"name": "NEW_VALUE", "value": "Move to spam"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2022-12-20T00:02:26.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value": concat("", [
"Spoofing and authentication safety Protect against inbound emails spoofing your ",
"domain action"
])
},
{"name": "NEW_VALUE", "value": "Move to spam"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2022-12-20T00:02:27.672Z"},
"events": [{
"parameters": [
{
"name": "SETTING_NAME",
"value":
"Spoofing and authentication safety Protect against any unauthenticated emails action"
},
{"name": "NEW_VALUE", "value": "Move to spam"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
# Note that "Spoofing and authentication safety Protect your Groups from inbound emails spoofing your
# domain action" is missing
]},
"tenant_info": {
"topLevelOU": ""
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, Test Top-Level OU. ",
"While we are unable to determine the state from the logs, the default setting ",
"is non-compliant; manual check recommended."
])
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V3 if {
# Test Spoofing and Authentication Protections when there's only one event and it's wrong
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
Expand Down Expand Up @@ -2455,7 +2539,7 @@ test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V2 if {
"Automatically enable all future added settings is set to disabled</li></ul>"])
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V3 if {
test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V4 if {
# Test Spoofing and Authentication Protections when there are multiple events and the most recent is wrong
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
Expand Down Expand Up @@ -2506,7 +2590,7 @@ test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V3 if {
"Automatically enable all future added settings is set to disabled</li></ul>"])
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V4 if {
test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V5 if {
# Test Spoofing and Authentication Protections when there's only one event and it's wrong
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
Expand Down Expand Up @@ -2541,7 +2625,7 @@ test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V4 if {
"Automatically enable all future added settings is set to disabled</li></ul>"])
}

test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V5 if {
test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V6 if {
# Test Spoofing and Authentication Protections when there are multiple events and the most recent is wrong
PolicyId := "GWS.GMAIL.7.7v0.3"
Output := tests with input as {
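Review bot: The header comment of the new `test_SpoofingAuthenticationProtectionFutureRecommendedSettings_Incorrect_V2` in the first hunk misspells "events" (`doesn't have enents`); I would write `# Test Spoofing and Authentication Protections when only one setting has no events`. As in the gmail05 test, this case passes `"topLevelOU": ""` yet expects the report to name "Test Top-Level OU", so it appears to depend on the top-level OU being derived from the events, which deserves a comment. The new test only exercises the top-level OU; there is no case for a child OU that has events for some of the five settings but not all, which is the situation the production rule handles silently. The renamed V3 to V6 tests in the later hunks are rename-only, and every test body in this section continues past its hunk.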
104 changes: 36 additions & 68 deletions rego/Gmail.rego
Expand Up @@ -500,27 +500,20 @@ if {
#
# Baseline GWS.GMAIL.5.5v0.3
#--
default NoSuchEvent5_5(_) := true

NoSuchEvent5_5(TopLevelOU) := false if {
# No such event...
default NoSuchEvent5_5 := false
NoSuchEvent5_5 := true if {
SettingName := "Attachment safety Encrypted attachment protection setting action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent5_5(TopLevelOU) := false if {
# No such event...
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Attachment safety Attachment with scripts protection action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent5_5(TopLevelOU) := false if {
# No such event...
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Attachment safety Anomalous attachment protection setting action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
}

GetFriendlyValue5_5(NewValueA, NewValueB, NewValueC) :=
Expand Down Expand Up @@ -568,7 +561,7 @@ tests contains {
}
if {
DefaultSafe := false
NoSuchEvent5_5(utils.TopLevelOU)
NoSuchEvent5_5
}

tests contains {
Expand All @@ -580,7 +573,7 @@ tests contains {
"NoSuchEvent": false
}
if {
not NoSuchEvent5_5(utils.TopLevelOU)
not NoSuchEvent5_5
Status := count(NonCompliantOUs5_5) == 0
}
#--
Expand Down Expand Up @@ -1190,50 +1183,30 @@ if {
# Baseline GWS.GMAIL.7.6v0.3
#--

default NoSuchEvent7_6(_) := true

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
SettingName := concat("", [
"Spoofing and authentication safety Protect against domain spoofing based on similar ",
"domain names action"
])
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
# No such event is true if any of the revelant settings doesn't having any events
default NoSuchEvent7_6 := false
NoSuchEvent7_6 := true if {
SettingName :=
"Spoofing and authentication safety Protect against domain spoofing based on similar domain names action"
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Spoofing and authentication safety Protect against spoofing of employee names action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
SettingName := concat("", [
"Spoofing and authentication safety Protect against domain spoofing based on similar ",
"domain names action"
])
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Spoofing and authentication safety Protect against inbound emails spoofing your domain action"
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName := "Spoofing and authentication safety Protect against any unauthenticated emails action"
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
}

NoSuchEvent7_6(TopLevelOU) := false if {
# No such event...
SettingName := concat("", [
"Spoofing and authentication safety Protect your Groups from inbound emails spoofing ",
"your domain action"
])
Events := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
count(Events) != 0
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
} else := true if {
SettingName :=
"Spoofing and authentication safety Protect your Groups from inbound emails spoofing your domain action"
Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
count(Events) == 0
}

GetFriendlyValue7_6(NewValueA, NewValueB, NewValueC, NewValueD, NewValueE) :=
Expand Down Expand Up @@ -1264,30 +1237,25 @@ NonCompliantOUs7_6 contains {
"similar domain names action"
])
EventsA := utils.FilterEventsOU(LogEvents, SettingA, OU)
count(EventsA) > 0
LastEventA := utils.GetLastEvent(EventsA)

SettingB := "Spoofing and authentication safety Protect against spoofing of employee names action"
EventsB := utils.FilterEventsOU(LogEvents, SettingB, OU)
count(EventsB) > 0
LastEventB := utils.GetLastEvent(EventsB)

SettingC := "Spoofing and authentication safety Protect against inbound emails spoofing your domain action"
EventsC := utils.FilterEventsOU(LogEvents, SettingC, OU)
count(EventsC) > 0
LastEventC := utils.GetLastEvent(EventsC)

SettingD := "Spoofing and authentication safety Protect against any unauthenticated emails action"
EventsD := utils.FilterEventsOU(LogEvents, SettingD, OU)
count(EventsD) > 0
LastEventD := utils.GetLastEvent(EventsD)

SettingE := concat("", [
"Spoofing and authentication safety Protect your Groups from inbound emails spoofing ",
"your domain action"
])
EventsE := utils.FilterEventsOU(LogEvents, SettingE, OU)
count(EventsE) > 0
LastEventE := utils.GetLastEvent(EventsE)

# OU is non-compliant if any of the following are true
Expand All @@ -1311,7 +1279,7 @@ tests contains {
}
if {
DefaultSafe := false
NoSuchEvent7_6(utils.TopLevelOU)
NoSuchEvent7_6
}

tests contains {
Expand All @@ -1323,7 +1291,7 @@ tests contains {
"NoSuchEvent": false
}
if {
not NoSuchEvent7_6(utils.TopLevelOU)
not NoSuchEvent7_6
Status := count(NonCompliantOUs7_6) == 0
}
#--
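Review bot: Removing the five `count(EventsX) > 0` guards in `NonCompliantOUs7_6` makes the rule's result for an OU that has events for only some of the five settings depend entirely on how `utils.GetLastEvent` behaves on an empty set: if it is undefined there the OU silently drops out of the set and is reported compliant (as before, but now with no visible guard), and if it ever yields a value the OU is judged against an event that does not exist. I would keep the guards, or add a comment above `LastEventA := utils.GetLastEvent(EventsA)` stating that the rule is intentionally undefined for an OU missing any setting and that only the top-level OU is covered by `NoSuchEvent7_6`; the `NonCompliantOUs7_6` body starts and ends outside the hunk. The comment opening the restructured `NoSuchEvent7_6` rule should read `# No such event is true if any of the relevant settings doesn't have any events`, and the same line above `default NoSuchEvent5_5 := false` would make the two rules read alike.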