Add Rego policy for CIS 1.3.3 (external calendar sharing)#196
Add Rego policy for CIS 1.3.3 (external calendar sharing)#196williamywccc wants to merge 2 commits into
Conversation
Rewrites the sharing_policy collector to produce structured violation data: each SharingPolicy Domains entry is parsed as a domain:Capability pair, and entries using Anonymous or wildcard (*) domains with CalendarSharing capabilities are flagged as non-compliant. Named SMTP partner domains are not evaluated. The Rego policy (1.3.3_external_calendar_sharing.rego) checks calendar_sharing_violations from the collector output and reports each violating domain entry as an affected resource. Includes a sample JSON file for manual OPA eval testing. Made-with: Cursor
williamywccc
requested review from
6igby,
du-dhartley and
liyunze-coding
as code owners
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3fd9fea956
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| if low == "anonymous": | ||
| return "anonymous_calendar_sharing" | ||
| if low == "*": | ||
| return "wildcard_calendar_sharing" | ||
| return None |
There was a problem hiding this comment.
Control 1.3.3 requires external calendar sharing to be unavailable, but this logic only flags Anonymous and * domains and returns None for named domains. A policy like partner.com:CalendarSharingFreeBusySimple still enables sharing with users outside the organization, yet this collector will report no violation and the new Rego policy will mark the control compliant. That creates a false-negative compliance result for tenants that allow calendar sharing to specific external domains.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
This is valid and should be addressed.
du-dhartley
left a comment
du-dhartley
left a comment
There was a problem hiding this comment.
@williamywccc If there was a known conflict with another branch, why was this PR created?
Aside from that, there are a couple of issues that need to be resolved, however the known and expected conflict should be resolved before either branch have updates applied.
We should also demonstrate expected and matched pass/fail results by settings values to invalid and then valid settings, shown by scans.
There was a problem hiding this comment.
Was this file produced by a tool or by a real API?
There was a problem hiding this comment.
This data was produced by running the data collector against the real live test tenant API. I am double checking to ensure the absolute latest real output is committed
|
|
||
|
|
||
| class SharingPolicyDataCollector(BasePowerShellCollector): | ||
| """Collects sharing policy settings for CIS compliance evaluation. |
There was a problem hiding this comment.
Docstrings have been removed, please add these back to the class
| class SharingPolicyDataCollector(BasePowerShellCollector): | ||
|
|
||
| async def collect(self, client: PowerShellClient) -> dict[str, Any]: | ||
| """Collect sharing policy data. |
There was a problem hiding this comment.
Please restore the docstrings - updates are ok but these should be present.
There was a problem hiding this comment.
My apologies! I accidentally deleted the docstrings while cleaning up the code earlier. I am putting them back right now.
Restore class and collect method docstrings that were accidentally removed. Replace placeholder sample JSON with real output from live sandbox tenant. Co-authored-by: Cursor <cursoragent@cursor.com>
The above are pass/fail results |
2 participants
Summary
sharing_policycollector to produce structured, per-entry violation data instead of a flat booleanHow it works
Get-SharingPolicyreturns aDomainsfield as a list ofdomain:Capabilitypairs. The collector parses each entry and flags those where the domain component isAnonymousor*(wildcard) paired with aCalendarSharing*capability on an enabled policy. Named external SMTP domains are not classified as violations.The Rego policy checks
calendar_sharing_violationsfrom the collector output and surfaces each offending entry as an affected resource.Notes
There is an existing branch
Arvinder/CIS-M365-1-3-3-and-1-3-6that covers the same control. Please coordinate with Arvinder before merging to avoid conflicts.Test plan
opa evalwithengine/samples/exchange_organization_sharing_policy_sample.jsonto verify non-compliant pathopa evalwith an input wherecalendar_sharing_violationsis empty to verify compliant pathMade with Cursor