forked from cisagov/ScubaGear
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaad-config.yaml
52 lines (52 loc) · 2.22 KB
/
aad-config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Description: |
SCuBAGear YAML Configuration file with custom variables
This configuration shows a standard SCuBAGear set of parameters to run
but also includes examples of custom variables for use and reference
in Rego policy assessments against the AAD baseline. Specifically, using
policy specific variables to exempt specific user and group exclusions from
conditional access policy checks that normally would not pass if exclusions
are present. These parameters support operational use cases for having
backup or break glass account exclusions to global user policies without
failing best practices. Any exemptions and their risks should be carefully
considered and documented as part of an organization's cybersecurity risk
management program process and practices.
This example includes the following design choices for illustrative purposes:
- Use of Pascal case convention for varible names
- Defines a namespace for values to be used across baselines/products (i.e., GlobalVars)
- Per product namespace for values related to that specific product (i.e., Aad, SharePoint)
- Namespace for each policy item within a product for variables related only to one policy item (i.e., Aad.Policy2_1)
- Use of YAML anchors and aliases following DRY (Don't Repeat Yourself) principle for repeated values and sections
ProductNames:
- aad
M365Environment: commercial
OPAPath: .
LogIn: true
DisconnectOnExit: false
OutPath: .
OutFolderName: M365BaselineConformance
OutProviderFileName: ProviderSettingsExport
OutRegoFileName: TestResults
OutReportName: BaselineReports
GlobalVars: # For cross product variables
AllProductVar: value_example
Aad:
# All AAD specific variables go here
MS.AAD.1.1v1: &CommonExclusions
CapExclusions:
Users:
- fc29f4a8-2b27-4d1e-898e-cfacb98bd8f8
Groups:
- 08adb07a-956f-450e-b41c-81e92e3db2c4
- 8454f405-3b29-4102-b888-315c4e3de2d0
MS.AAD.2.1v1: *CommonExclusions
MS.AAD.2.3v1: *CommonExclusions
MS.AAD.3.1v1: *CommonExclusions
MS.AAD.3.2v1: *CommonExclusions
MS.AAD.7.4v1: &CommonRoleExclusions
RoleExclusions:
Users:
- 2a8adc58-b7c5-4086-a5cc-244b8df40ce8
Groups:
- 4a471183-d934-4fb4-b1b3-d9525e0e1b45
#SharePoint:
#Teams: