Exchange External Sender Policy: Multiple Rules not iterated through #27

Closed
skirkpatrickms opened this issue Dec 20, 2022 · 4 comments · Fixed by #130

@skirkpatrickms

For Exchange 2.7, the script marks this check as not implemented if Multiple External Sender Policies are present, and the first policy is disabled but the follow-on rules are appropriately configured. Suggest iterating through the policies and checking the configs of each to determine the outcome.

@ethanb-cisa ethanb-cisa added bug This issue or pull request addresses broken functionality public-reported This issue is reported by the public users of the tool. labels Dec 20, 2022
schrolla added a commit that referenced this issue Dec 20, 2022
Integrate AAD updates into preversion1
@nanda-katikaneni nanda-katikaneni added this to the Backlog milestone Jan 3, 2023
@schrolla schrolla modified the milestones: Backlog, Dolphin Jan 10, 2023
@rgbrow1949
Collaborator

Hi Patrick, I've been working to replicate this bug so I can try and fix it, but I have not been able to. Scuba will correctly flag the test as incorrect if no compliant mail flow rule is present and will mark the test as a success if any such rule exists that meets the criteria, regardless of where it is.

I have tried:

  1. Creating a second new mail flow that is in compliance with the baseline and disabling the first rule.
  2. Misconfiguring the first rule and creating a second mail flow rule that is compliant.

What steps did you take to find this bug?

Something incorrect I have noticed is that even if the rule is disabled, if the rule would be compliant, the test is marked as success.

@skirkpatrickms
Author

Give me a bit to pull the information from the customer tenant and sanitize it. Maybe you can mirror those settings and test.
There are a few checks that are doing this same thing.

@skirkpatrickms
Author

"Something incorrect I have noticed is that even if the rule is disabled, if the rule would be compliant, the test is marked as success."

This is what we were noticing.

@rgbrow1949
Collaborator

I have made pull request #130 where the Rego will now only examine enabled rules if they are correctly configured or not. Now for 2.7 to pass there must be at least one correctly configured rule that is enabled.
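
The behaviour this thread converges on, as an added example (not the project's Rego from #130): a check that ignores rule state beside one that requires an enabled, correctly configured rule at any position in the list, with `opa test` cases. The package name, helper names, sample rules and the compliance criteria are assumptions; `State`, `FromScope` and `PrependSubject` are Exchange transport rule properties.

```rego
# Added example, not ScubaGear's Rego. Run with: opa test <this file>
package example.external_sender

import rego.v1

# Assumed criteria for a compliant external sender warning rule.
correctly_configured(rule) if {
	rule.FromScope == "NotInOrganization"
	is_string(rule.PrependSubject) # unset values arrive as null
	rule.PrependSubject != ""
}

# Behaviour reported in the thread: State is never consulted.
pass_ignoring_state(rules) if {
	some rule in rules
	correctly_configured(rule)
}

# Behaviour described for the fix: one enabled, correct rule anywhere in the list.
pass_enabled_only(rules) if count(enforcing_rules(rules)) > 0

# Names of the rules that actually provide the control, for the report.
enforcing_rules(rules) := [rule.Name |
	some rule in rules
	rule.State == "Enabled"
	correctly_configured(rule)
]

# Constructed tenant data (not from the customer tenant in the thread).
warn_off := {"Name": "warn-old", "State": "Disabled", "FromScope": "NotInOrganization", "PrependSubject": "[External] "}
warn_on := {"Name": "warn-new", "State": "Enabled", "FromScope": "NotInOrganization", "PrependSubject": "[External] "}
no_tag := {"Name": "no-tag", "State": "Enabled", "FromScope": "NotInOrganization", "PrependSubject": null}

test_disabled_compliant_rule_no_longer_passes if {
	pass_ignoring_state([warn_off]) # the false pass
	not pass_enabled_only([warn_off])
}

test_enabled_rule_behind_disabled_one_passes if {
	pass_enabled_only([warn_off, warn_on])
	enforcing_rules([warn_off, warn_on]) == ["warn-new"]
}

test_enabled_but_misconfigured_fails if {
	not pass_enabled_only([no_tag])
	not pass_enabled_only([])
}
```

Returning the names of the enforcing rules alongside the pass/fail result lets a reviewer confirm which rule the assessment relied on.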
