Add Rego policy for CIS 1.3.3 (external calendar sharing)#196
williamywccc wants to merge 2 commits into
Conversation
Rewrites the sharing_policy collector to produce structured violation data: each SharingPolicy Domains entry is parsed as a domain:Capability pair, and entries using Anonymous or wildcard (*) domains with CalendarSharing capabilities are flagged as non-compliant. Named SMTP partner domains are not evaluated. The Rego policy (1.3.3_external_calendar_sharing.rego) checks calendar_sharing_violations from the collector output and reports each violating domain entry as an affected resource. Includes a sample JSON file for manual OPA eval testing. Made-with: Cursor
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3fd9fea956
du-dhartley
left a comment
@williamywccc If there was a known conflict with another branch, why was this PR created?
Aside from that, there are a couple of issues that need to be resolved; however, the known and expected conflict should be resolved before either branch has updates applied.
We should also demonstrate expected and matched pass/fail results by setting values to invalid and then valid settings, shown by scans.
Restore class and collect method docstrings that were accidentally removed. Replace placeholder sample JSON with real output from live sandbox tenant. Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
- sharing_policy collector to produce structured, per-entry violation data instead of a flat boolean

How it works
Get-SharingPolicy returns a Domains field as a list of domain:Capability pairs. The collector parses each entry and flags those where the domain component is Anonymous or * (wildcard) paired with a CalendarSharing* capability on an enabled policy. Named external SMTP domains are not classified as violations.

The Rego policy checks calendar_sharing_violations from the collector output and surfaces each offending entry as an affected resource.

Notes
There is an existing branch Arvinder/CIS-M365-1-3-3-and-1-3-6 that covers the same control. Please coordinate with Arvinder before merging to avoid conflicts.

Test plan
- opa eval with engine/samples/exchange_organization_sharing_policy_sample.json to verify non-compliant path
- opa eval with an input where calendar_sharing_violations is empty to verify compliant path

Made with Cursor
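The collector and policy logic described in this PR, as an added illustrative example in Python (it is not the project's collector or its Rego policy). The sample policies are constructed to resemble Get-SharingPolicy output, and every field name other than calendar_sharing_violations is an assumption:

```python
"""Illustrative CIS 1.3.3 check: flag Anonymous/* domains with CalendarSharing* capabilities.
Not the project's code; output field names are assumptions."""

# Constructed sample shaped like Get-SharingPolicy output (not real tenant data).
SAMPLE_POLICIES = [
    {"Name": "Default Sharing Policy", "Enabled": True,
     "Domains": ["Anonymous:CalendarSharingFreeBusySimple",   # violation
                 "*:CalendarSharingFreeBusyDetail",           # violation (wildcard)
                 "partner.example.com:CalendarSharingFreeBusyReviewer",  # named SMTP domain: ignored
                 "*:ContactsSharing"]},                         # not a calendar capability
    {"Name": "Disabled Policy", "Enabled": False,              # disabled policies are skipped
     "Domains": ["Anonymous:CalendarSharingFreeBusySimple"]},
]

UNRESTRICTED_DOMAINS = {"anonymous", "*"}


def parse_domain_entry(entry):
    """Split a 'domain:Capability' entry into (domain, capability); reject malformed entries."""
    domain, sep, capability = entry.partition(":")
    if not sep or not domain.strip() or not capability.strip():
        raise ValueError(f"malformed Domains entry: {entry!r}")
    return domain.strip(), capability.strip()


def is_violation(domain, capability):
    """Unrestricted domain (Anonymous or wildcard) combined with any CalendarSharing* capability."""
    return domain.lower() in UNRESTRICTED_DOMAINS and capability.startswith("CalendarSharing")


def collect(policies):
    """Collector step: structured per-entry violation data instead of a flat boolean."""
    violations = []
    for policy in policies:
        if not policy.get("Enabled", False):
            continue
        for entry in policy.get("Domains", []):
            domain, capability = parse_domain_entry(entry)
            if is_violation(domain, capability):
                violations.append({"policy": policy["Name"], "domain": domain,
                                   "capability": capability, "entry": entry})
    return {"calendar_sharing_violations": violations}


def evaluate(collector_output):
    """Policy step (what the Rego rule does): non-compliant if any violation exists,
    each offending entry reported as an affected resource."""
    violations = collector_output["calendar_sharing_violations"]
    return {"compliant": not violations,
            "affected_resources": [f"{v['policy']}: {v['entry']}" for v in violations]}
```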