Tune MS.EXO.1.1v1 to allow for exceptional cases #1551
Labels: baseline-document, enhancement, public-reported
💡 Summary
We've received notice that an organization is currently failing the Rego check for MS.EXO.1.1v1, "Automatic forwarding to external domains SHALL be disabled."
The organization has a legitimate use case where automatic forwarding needs to be enabled on a specific domain to a known external domain.
Currently the check for EXO.1.1v1 cannot be informed by a ScubaGear config file, meaning automatic forwarding to any external domain, regardless of use case, will fail ScubaGear's Rego check.
This issue is to tune EXO.1.1v1 to allow for exceptional cases.
Suggestions from @adhilto
Revising EXO.1.1v1 to
"Automatic forwarding to external domains SHALL only be enabled on a per-domain basis"
That would basically just boil down to removing step 6 from the implementation steps and updating the Rego to only look at the default domain.
Or we could take a more stringent approach and require them to enumerate exceptions in a config file, but I’m not convinced the added user burden would be worth it.
Motivation and context
Tuning baselines to be more flexible for operational needs.
Implementation notes
Acceptance criteria
The policy is relaxed to allow for exceptional use cases.
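The two options sketched above, written out as an added Rego example (not ScubaGear's own policy code): the relaxed rule only inspects the catch-all remote domain, while the stricter variant requires every forwarding-enabled remote domain to be enumerated in a config-file allow list. The input shape (`input.remote_domains` with `DomainName` and `AutoForwardEnabled`, and `input.scuba_config.Exo.AllowedForwardingDomains`) is an assumption for illustration, and the `"*"` value is Exchange Online's name for the catch-all "Default" remote domain.

```rego
# Added example, not ScubaGear's policy code. Assumed input shape:
#   input.remote_domains: list of {DomainName, AutoForwardEnabled}
#   input.scuba_config.Exo.AllowedForwardingDomains: optional list of names
package exo_forwarding_example

import rego.v1

# Option 1 (relaxed): only the catch-all remote domain ("*") may not
# auto-forward; named per-domain exceptions are left alone.
default_domain_forwarding contains d.DomainName if {
    some d in input.remote_domains
    d.DomainName == "*"
    d.AutoForwardEnabled == true
}

relaxed_pass if count(default_domain_forwarding) == 0

# Option 2 (stricter): every remote domain that auto-forwards must be
# listed in the config file; anything not listed is reported.
allowed_forwarding_domains := object.get(
    input, ["scuba_config", "Exo", "AllowedForwardingDomains"], [],
)

unapproved_forwarding contains d.DomainName if {
    some d in input.remote_domains
    d.AutoForwardEnabled == true
    not d.DomainName in allowed_forwarding_domains
}

strict_pass if count(unapproved_forwarding) == 0

# Constructed sample input for a local run (opa eval -d this.rego -i input.json):
# {
#   "remote_domains": [
#     {"DomainName": "*", "AutoForwardEnabled": false},
#     {"DomainName": "partner.example", "AutoForwardEnabled": true}
#   ],
#   "scuba_config": {"Exo": {"AllowedForwardingDomains": []}}
# }
# Option 1 passes (the default domain does not forward); Option 2 fails
# until partner.example is added to AllowedForwardingDomains.
```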