Arvinder/cis m365 1 3 3 and 1 3 6 #177
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6f12c46f1f
| "is_manual": false, | ||
| "benchmark_audit_type": "Automated", | ||
| "automation_status": "not_started", | ||
| "automation_status": "implemented", |
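Review bot: the new value "implemented" for automation_status leaves the control unexecutable, since (as the Codex note below states) the dispatcher in engine/worker/tasks.py only runs controls whose status is "ready"; change the value to "ready" here and in the 1.3.6 metadata, and consider a metadata validation test that fails whenever a control with "is_manual": false carries a status the dispatcher will not execute, so that a mis-set status surfaces in CI rather than as a silent "skipped" in scan output.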
Set executable controls to ready status
automation_status is set to implemented here (and similarly for control 1.3.6), but the dispatcher only executes controls when status == "ready" (engine/worker/tasks.py). As a result, both new controls will be marked skipped in scans and their Rego policies will never run, so this change does not actually deliver the intended compliance checks.
@asagle2531 I'd like to see this tested against the sandbox tenant we have with expected-pass and expected-fail settings to confirm that this works as intended. Where did you get those sample payloads from? Were they produced by one of our collectors?
@asagle2531 The comment from a couple of weeks ago still needs to be addressed - we have a valid service principal that we can use to scan, so I'd like to see an expected pass and expected fail result show up as intended in a scan after manually changing settings in the tenant to show these expected values, and then confirm if the value performs as expected.
@asagle2531 Are you able to address the feedback so this can be merged?
Yes, I will complete the testing by tomorrow sir.
Updated compliance check to consider only enabled policies allowing external sharing.
CI: Engine
All checks passed.
Also, the test files in the test configs folder are no longer needed. I tried to delete them but couldn't. Could you please do that?
Please review the files and merge this request. Thanks a lot for your help sir |
Summary
Adds two new CIS M365 Foundations Benchmark v6.0.0 Rego policy implementations for Exchange controls:
Control 1.3.3: Ensure external sharing of calendars is not available
Control 1.3.6: Ensure the Customer Lockbox feature is enabled
Type of Change
Affected Components
- backend-api
- frontend
- engine (collectors / policies)
- security
- infrastructure
- .github/workflows
- docs
Motivation
Control 1.3.3:
Risk Addressed: External calendar sharing exposes availability patterns, meeting titles and internal email addresses to unauthenticated external parties.
Business Impact: Data exfiltration, reconnaissance for social engineering, compliance violations.
Testing Done
Unit tests pass locally
[✓] Tested manually — describe how:
Both policies were evaluated against sample compliant and non-compliant input data to confirm the correct compliant: true/false output and accurate violation messages.
Test results:
Output (control 1.3.3, compliant input):
```json
{
  "result": [
    {
      "expressions": [
        {
          "value": {
            "affected_resources": [],
            "compliant": true,
            "details": {
              "policies_allowing_external": [],
              "policies_allowing_external_count": 0,
              "total_policies": 1
            },
            "message": "External calendar sharing is properly disabled"
          },
          "text": "data.cis.microsoft_365_foundations.v6_0_0.control_1_3_3.result",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}
```
Output (control 1.3.3, non-compliant input):
```json
{
  "result": [
    {
      "expressions": [
        {
          "value": {
            "affected_resources": [
              "Default Sharing Policy"
            ],
            "compliant": false,
            "details": {
              "policies_allowing_external": [
                {
                  "domains": [
                    "*"
                  ],
                  "name": "Default Sharing Policy"
                }
              ],
              "policies_allowing_external_count": 1,
              "total_policies": 1
            },
            "message": "1 policy(s) allow external calendar sharing"
          },
          "text": "data.cis.microsoft_365_foundations.v6_0_0.control_1_3_3.result",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}
```
Output (control 1.3.6, compliant input):
```json
{
  "result": [
    {
      "expressions": [
        {
          "value": {
            "affected_resources": [],
            "compliant": true,
            "details": {
              "audit_disabled": false,
              "customer_lockbox_enabled": true,
              "oauth_enabled": true
            },
            "message": "Customer Lockbox is properly enabled"
          },
          "text": "data.cis.microsoft_365_foundations.v6_0_0.control_1_3_6.result",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}
```
Output (control 1.3.6, non-compliant input):
```json
{
  "result": [
    {
      "expressions": [
        {
          "value": {
            "affected_resources": [],
            "compliant": false,
            "details": {
              "audit_disabled": false,
              "customer_lockbox_enabled": false,
              "oauth_enabled": true
            },
            "message": "Customer Lockbox is disabled - Microsoft can access content without approval"
          },
          "text": "data.cis.microsoft_365_foundations.v6_0_0.control_1_3_6.result",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}
```
Security Considerations
No impact on auth, secrets, or API permissions
Breaking Changes
Rollback Plan
Checklist
Screenshots
N/A
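The following is an added reference model of the two checks, written in Python rather than Rego and not taken from this PR or the project; it is here so the decision logic behind the test results above can be exercised on realistic collector-style input. It goes slightly beyond the sample payloads: it applies the "enabled policies only" rule from the update comment and parses Exchange's `Domain:Action` sharing entries so that a contacts-only entry such as `*:ContactsSharing` is not reported as calendar sharing. The payload shapes (`name`/`enabled`/`domains` for sharing policies, `customer_lockbox_enabled`/`audit_disabled`/`oauth_enabled` for the organization config) and the `dispatch` gate modelled on the Codex note are assumptions, not the project's real collector output or `engine/worker/tasks.py`.

```python
"""Reference evaluation of CIS M365 v6.0.0 controls 1.3.3 and 1.3.6.

Added example, not the PR's Rego policies. The payload shapes below are
assumptions: sharing policies are dicts with "name", "enabled" and "domains"
(Exchange-style "Domain:Action" strings, or a bare domain such as "*"), and
the organization config is a dict with "customer_lockbox_enabled",
"audit_disabled" and "oauth_enabled".
"""
from typing import Any

CALENDAR_ACTION_PREFIX = "CalendarSharing"  # Exchange calendar sharing actions share this prefix


def policy_allows_external(policy: dict[str, Any]) -> bool:
    """True when an *enabled* policy grants calendar sharing to a non-tenant party.

    Disabled policies are ignored (the PR's updated rule). A domain entry is
    either a bare domain ("*", "Anonymous", "contoso.com") or "Domain:Action";
    entries whose action is not a calendar action (e.g. "*:ContactsSharing")
    do not count as a calendar finding.
    """
    if not policy.get("enabled", False):
        return False
    for entry in policy.get("domains", []):
        _domain, _, action = entry.partition(":")
        if action and not action.startswith(CALENDAR_ACTION_PREFIX):
            continue
        return True
    return False


def evaluate_1_3_3(sharing_policies: list[dict[str, Any]]) -> dict[str, Any]:
    """Control 1.3.3: ensure external sharing of calendars is not available."""
    offending = [p for p in sharing_policies if policy_allows_external(p)]
    if offending:
        message = f"{len(offending)} policy(s) allow external calendar sharing"
    else:
        message = "External calendar sharing is properly disabled"
    return {
        "compliant": not offending,
        "affected_resources": [p["name"] for p in offending],
        "details": {
            "policies_allowing_external": [
                {"name": p["name"], "domains": list(p.get("domains", []))} for p in offending
            ],
            "policies_allowing_external_count": len(offending),
            "total_policies": len(sharing_policies),
        },
        "message": message,
    }


def evaluate_1_3_6(org_config: dict[str, Any]) -> dict[str, Any]:
    """Control 1.3.6: ensure the Customer Lockbox feature is enabled."""
    enabled = bool(org_config.get("customer_lockbox_enabled", False))
    return {
        "compliant": enabled,
        "affected_resources": [],
        "details": {
            "audit_disabled": bool(org_config.get("audit_disabled", False)),
            "customer_lockbox_enabled": enabled,
            "oauth_enabled": bool(org_config.get("oauth_enabled", False)),
        },
        "message": (
            "Customer Lockbox is properly enabled"
            if enabled
            else "Customer Lockbox is disabled - Microsoft can access content without approval"
        ),
    }


def dispatch(control: dict[str, Any], evaluator, payload) -> dict[str, Any]:
    """Assumed model of the engine gate described in the review: a control is
    evaluated only when its metadata says "ready"; any other automation_status
    is reported as skipped. This is not the project's dispatcher code."""
    status = control.get("automation_status")
    if status != "ready":
        return {"control": control["id"], "status": "skipped",
                "reason": f"automation_status={status!r}"}
    return {"control": control["id"], "status": "evaluated", "result": evaluator(payload)}


# Constructed sample payloads mirroring the PR's four test results.
COMPLIANT_POLICIES = [
    {"name": "Default Sharing Policy", "enabled": False,
     "domains": ["Anonymous:CalendarSharingFreeBusySimple"]},
]
NONCOMPLIANT_POLICIES = [
    {"name": "Default Sharing Policy", "enabled": True, "domains": ["*"]},
]
ORG_LOCKBOX_ON = {"customer_lockbox_enabled": True, "audit_disabled": False, "oauth_enabled": True}
ORG_LOCKBOX_OFF = {"customer_lockbox_enabled": False, "audit_disabled": False, "oauth_enabled": True}

if __name__ == "__main__":
    import json
    for payload in (COMPLIANT_POLICIES, NONCOMPLIANT_POLICIES):
        print(json.dumps(evaluate_1_3_3(payload), indent=2))
    for payload in (ORG_LOCKBOX_ON, ORG_LOCKBOX_OFF):
        print(json.dumps(evaluate_1_3_6(payload), indent=2))
    # With the metadata as committed ("implemented") the control never runs.
    print(dispatch({"id": "1.3.3", "automation_status": "implemented"}, evaluate_1_3_3, NONCOMPLIANT_POLICIES))
```

Running the module prints the same four result shapes as the test outputs above, followed by a `skipped` record for the control whose metadata still says `implemented`; the real Rego policy should be exercised the same way against expected-pass and expected-fail tenant settings, as the reviewer asked.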