cisagov / ScubaGoggles

SCuBA Security Configuration Baselines and assessment tool for Google Workspace
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Multiple baseline policies are referring to the incorrect FilterEvents method #265

Closed snarve closed 2 months ago

snarve commented 2 months ago

🐛 Summary

Multiple baseline policies are referring to the incorrect FilterEvents method

Description

Since the last update to add support for multiple OUs, each of the NonCompliantOUs methods should refer to the 'FilterEventsOU' method that has added support for policies that can be controlled at OU level.

While updating unit tests for Gmail, it was noticed that multiple baselines are referring to the old 'FilterEvents' method from the utils file. This causes the report to error when any of the OU settings fails.

Steps to Reproduce

  1. Go to the admin console and select any of the Google Workspace apps that can be controlled at the OU level.
  2. Ex: Gmail 1.1 and change the setting such that the policy will fail
  3. Run the report and the report will throw an error for policy 1.1


Steps to fix this

  1. This needs to be updated across almost all baselines
  2. Replace 'FilterEvents' with 'FilterEventsOU'
  3. Note: For Gmail, will do this as part of https://github.com/cisagov/ScubaGoggles/issues/84

Mark as complete when the following baselines' Rego code is updated:

Testing

  1. Test whether the baseline policies pass/fail as expected when the OU level controls are updated
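
A check for the rename described under "Steps to fix this", as an added example that is not part of the original issue or the ScubaGoggles code base: because `FilterEvents` is a prefix of `FilterEventsOU`, a plain search-and-replace would also hit calls that are already migrated. The sample Rego lines, the `utils.` prefix and the argument lists are constructed assumptions, and the rename does not check that the two functions take the same arguments.

```python
import re

# \b on both sides: "FilterEventsOU" must not match, since "FilterEvents" is its prefix.
LEGACY_CALL = re.compile(r"\bFilterEvents\b(?=\s*\()")
# Rule head of the compatibility shim itself, e.g. `FilterEvents(...) := X if {`.
DEFINITION = re.compile(r"^\s*FilterEvents\s*\([^)]*\)\s*:?=")

def split_comment(line):
    """Split a Rego line into (code, comment); '#' inside a "..." string is not a comment."""
    in_string = escaped = False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif in_string and ch == "\\":
            escaped = True
        elif ch == '"':
            in_string = not in_string
        elif ch == "#" and not in_string:
            return line[:i], line[i:]
    return line, ""

def find_legacy_calls(rego_text):
    """Return (line number, stripped line) for every remaining FilterEvents call site."""
    hits = []
    for lineno, raw in enumerate(rego_text.splitlines(), 1):
        code, _ = split_comment(raw)
        if LEGACY_CALL.search(code) and not DEFINITION.match(code):
            hits.append((lineno, raw.strip()))
    return hits

def rename_calls(rego_text):
    """Rename call sites only; comments, the shim definition and FilterEventsOU stay untouched."""
    out = []
    for raw in rego_text.splitlines():
        code, comment = split_comment(raw)
        if not DEFINITION.match(code):
            code = LEGACY_CALL.sub("FilterEventsOU", code)
        out.append(code + comment)
    return "\n".join(out)

# Constructed sample, not taken from the ScubaGoggles repository.
SAMPLE = '''\
# FilterEvents(...) is kept for backwards compatibility
FilterEvents(Events, SettingName, OrgUnit) := FilteredEvents if { true }
Events := utils.FilterEvents(LogEvents, "SETTING # A", OU)
Events := utils.FilterEventsOU(LogEvents, "SETTING B", OU)
Events := FilterEvents(LogEvents, "SETTING C", OU) # old FilterEvents( call
'''
```

Running `find_legacy_calls` over each baseline file lists the call sites still to migrate; the shim definition and comments are not reported.
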

mitchelbaker-cisa commented 2 months ago

Per @adhilto's comment in Utils.rego:

# The FilterEvents(...) function is only here to maintain backwards compatability.
# After https://github.com/cisagov/ScubaGoggles/issues/190 is complete, delete
# this function.
FilterEvents(Events, SettingName, OrgUnit) := FilteredEvents if { ... }


Perhaps we get started with switching to 'FilterEventsOU' for baselines where we handle group overrides. Then add this as additional TODO when adding group overrides to Drive docs/Gmail?

adhilto commented 2 months ago

I just put in a PR to change to the new function for Chat, Classroom, and Meet. Those ones already have the group/report details update; the old function still being there in those baselines was just an oversight. I didn't do Drive or Groups; as Mitchel said, we should change those ones as we make the groups/report details update.

snarve commented 2 months ago

Thanks @adhilto for updating Chat, Classroom and Meet. Gmail update is done as part of #84. Will add a note for Drive Docs. Thanks @mitchelbaker-cisa for the suggestion.