package compliance.cis_azure.rules.cis_5_2_1
import data.cis_azure.test_data
import data.compliance.policy.azure.data_adapter
import data.lib.test
# The CIS 5.2.1 finding must FAIL whenever no activity-log alert covers the
# controlled operation, including when alerts exist but only partially match.
test_violation = true {
	# No alerts at all: the control is unmet.
	eval_fail with input as test_data.generate_activity_log_alerts_no_alerts

	# One alert whose operation and category both differ from the control.
	fully_mismatched := test_data.generate_activity_log_alerts([mismatch_alert])
	eval_fail with input as fully_mismatched

	# A partial match must not count: right category, wrong operation ...
	wrong_operation := test_data.generate_activity_log_alerts([mismatch_alert_only_operation])
	eval_fail with input as wrong_operation

	# ... and right operation, wrong category.
	wrong_category := test_data.generate_activity_log_alerts([mismatch_alert_only_category])
	eval_fail with input as wrong_category

	# Several non-matching alerts together still leave the operation unmonitored.
	all_mismatched := test_data.generate_activity_log_alerts([mismatch_alert, mismatch_alert_only_operation, mismatch_alert_only_category])
	eval_fail with input as all_mismatched
}
# The finding must PASS as soon as at least one alert matches both the
# controlled operation and the expected category.
test_pass = true {
	# A single correctly configured alert satisfies the control.
	only_match := test_data.generate_activity_log_alerts([matching_alert])
	eval_pass with input as only_match

	# Unrelated alerts next to a matching one do not turn the result into a failure.
	mixed := test_data.generate_activity_log_alerts([matching_alert, mismatch_alert])
	eval_pass with input as mixed
}
# Resources the rule does not apply to must produce no finding at all
# (neither pass nor fail).
test_not_evaluated = true {
	irrelevant := test_data.not_eval_resource
	not_eval with input as irrelevant
}
# True when the rule's `finding` evaluates to a failure, with the Azure
# data adapter mocked in place of `data.benchmark_data_adapter`.
eval_fail = true {
	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
}
# True when the rule's `finding` evaluates to a pass, with the Azure
# data adapter mocked in place of `data.benchmark_data_adapter`.
eval_pass = true {
	test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
}
# True when the rule produces no `finding` for the current input, i.e. the
# resource is out of scope for this control.
not_eval = true {
	not finding with data.benchmark_data_adapter as data_adapter
}
# Test fixtures: activity-log alert rules built from (operation, category).

# Fully configured alert for the controlled operation: the only fixture
# that should satisfy the control.
matching_alert = test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/write", "Administrative")

# Correct category but an unrelated operation (operation string is a deliberate non-match).
mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative")

# Correct operation but an unrelated category.
mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/write", "mismatch_category")

# Neither field matches the control.
mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category")