Closed mitchelbaker-cisa closed 2 months ago
I think this PR is going to have merge conflicts with #87 , which is fine, but I might want to hold off on development until this is merged and I can handle the merge conflicts on my end?
I think this PR is going to have merge conflicts with #87 , which is fine, but I might want to hold off on development until this is merged and I can handle the merge conflicts on my end?
That seems like a reasonable path forward for handling any merge conflicts. Or assuming this PR gets merged in beforehand, branch off of 67-groups-prereq-issue
so the changes are already there?
Not sure what's happening on our other test tenant but when I try to intentionally fail 6.1, instead I get a no log events found.
6.1 "Hide groups enabled" which should be a fail
Report Output showing no events found for 6.1
Are there any logs visible from within the investigator tool?
Are there any logs visible from within the investigator tool?
Woops my reply didn't get posted.
It's another case where a Create Application
log is generated rather than a Change Application
log.
fix is to add CREATE_APPLICATION_SETTING
to the groups
key in this dictionary in provider.py
Hi @mitchelbaker-cisa
Sorry for the delay on reviewing this.
Here's my update:
Once I updated the setting 6.1 and 7.1 passed and failed as expected:
However, there is one use case where the settings were not changed and 7.1 errored out:
Use case 1: If 6.1 is non-complaint (existing or new groups can be hidden) then 7.1 is non-complaint as well, because even if a group with Restricted access is created it can be hidden (using the setting from 6.1)
Use case 2: If 6.1 is complaint (existing or new groups cannot be hidden) then 7.1 is complaint -> but with this we are stating that we do not need to confirm if the group is created with Restricted access, which means we can create a group where everyone has access. My understanding is, 7.1 still needs to be confirmed (check if Group is created with Restricted access) when 6.1 is complaint.
Since now we have two other related issues file to handle the use cases not covered here and also to re-evaluate 7.1 this PR is good to go, except for the minor duplicate code block.
🗣 Description
NonCompliantGroups7_1
such that Groups 6.1 compliance is taken into account. This is handled by a helper function which checks if Groups 6.1 is compliant/noncompliant.💠Motivation and context
Closes #67
Groups 7.1 did not handle the following conditions correctly:
If 6.1 is disabled (compliant), then 7.1 will automatically be compliant. If 6.1 is enabled (warning), then 7.1 must be disabled to be compliant, otherwise it is non-compliant (warning).
🧪 Testing
python run_unit_tests.py -b groups -c 7
✅ Pre-approval checklist
✅ Pre-merge Checklist
Squash and merge
button.✅ Post-merge Checklist