## Summary

- add a config-seeded canonical control catalog plus shared resolution primitives and Microsoft subject bindings
- propagate canonical control references into findings-derived evidence snapshots and tenant review composition
- add the feature spec artifacts and focused Pest coverage, plus the supporting workspace and Sail helper adjustments included in this branch

## Testing

- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Governance/CanonicalControlCatalogTest.php tests/Unit/Governance/CanonicalControlResolverTest.php tests/Feature/Governance/CanonicalControlResolutionIntegrationTest.php tests/Feature/Evidence/EvidenceSnapshotCanonicalControlReferenceTest.php tests/Feature/TenantReview/TenantReviewCanonicalControlReferenceTest.php tests/Feature/PlatformRelocation/CommandModelSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #272
<?php
declare(strict_types=1);

/*
|--------------------------------------------------------------------------
| Canonical control catalog
|--------------------------------------------------------------------------
|
| Provider-neutral governance controls, seeded from config. Every entry
| under 'controls' carries:
|
|   control_key / name              stable identifier and display name
|   domain_key / subdomain_key      taxonomy placement
|   control_class                   'preventive' or 'detective' in this file
|   summary / operator_description  what the control asserts, and when an
|                                   operator should pick it
|   detectability_class             how the control can be observed, paired
|                                   with an evaluation_strategy
|   evidence_archetypes             the evidence kinds that may back it
|   artifact_suitability            the artifact contexts the control may
|                                   appear in (baseline, drift, finding,
|                                   exception, evidence, review, report)
|   historical_status               'active' for every entry in this file
|   microsoft_bindings              provider-owned signals that support the
|                                   control without becoming its identity
|
| A binding names the provider subject_family_key and workload it applies
| to, the signal_keys it contributes, the supported_contexts it may be used
| in, whether it is primary, and a free-text note. How 'primary' and
| 'supported_contexts' are actually interpreted lives in the resolver, not
| here — confirm against the CanonicalControlResolver tests before relying on
| the reading given in the comments below.
|
*/

// Context lists shared by the bindings. 'exception' appears only in
// artifact_suitability and never in a binding's supported_contexts —
// presumably exceptions attach to a control directly rather than through a
// provider signal; confirm in the resolver.
$signalContexts = ['baseline', 'drift', 'finding', 'evidence', 'review', 'report'];
$findingContexts = ['finding', 'evidence', 'review', 'report'];
$attestedContexts = ['evidence', 'review', 'report'];

// Suitability maps shared by the controls. array_replace() keeps the key
// order of its first argument, so every variant iterates in the same order
// as a hand-written literal would.
$suitableEverywhere = [
    'baseline' => true,
    'drift' => true,
    'finding' => true,
    'exception' => true,
    'evidence' => true,
    'review' => true,
    'report' => true,
];
$suitableFromFindings = array_replace($suitableEverywhere, ['baseline' => false, 'drift' => false]);
$suitableFromAttestation = array_replace($suitableFromFindings, ['finding' => false]);

return [
    'controls' => [
        // Strong authentication: inferred from conditional access signals
        // rather than evaluated directly from tenant state.
        [
            'control_key' => 'strong_authentication',
            'name' => 'Strong authentication',
            'domain_key' => 'identity_access',
            'subdomain_key' => 'authentication_assurance',
            'control_class' => 'preventive',
            'summary' => 'Accounts and privileged actions require strong authentication before access is granted.',
            'operator_description' => 'Use this control when the governance objective is proving that access depends on multi-factor or similarly strong authentication.',
            'detectability_class' => 'indirect_technical',
            'evaluation_strategy' => 'signal_inferred',
            'evidence_archetypes' => ['configuration_snapshot', 'policy_or_assignment_summary', 'execution_result'],
            'artifact_suitability' => $suitableEverywhere,
            'historical_status' => 'active',
            'microsoft_bindings' => [
                [
                    'subject_family_key' => 'conditional_access_policy',
                    'workload' => 'entra',
                    'signal_keys' => ['conditional_access.require_mfa', 'conditional_access.authentication_strength'],
                    'supported_contexts' => $signalContexts,
                    'primary' => true,
                    'notes' => 'Microsoft conditional access is provider-owned evidence for strong authentication, not the canonical control identity.',
                ],
                // Non-primary: only explains why assessment evidence may be
                // missing, so it is not offered for baseline or drift.
                [
                    'subject_family_key' => 'permission_posture',
                    'workload' => 'entra',
                    'signal_keys' => ['permission_posture.required_graph_permission'],
                    'supported_contexts' => $findingContexts,
                    'primary' => false,
                    'notes' => 'Permission posture can support authentication governance when missing permissions block assessment evidence.',
                ],
            ],
        ],

        // Conditional access enforcement: evaluated directly from policy
        // state and assignment scope.
        [
            'control_key' => 'conditional_access_enforcement',
            'name' => 'Conditional access enforcement',
            'domain_key' => 'identity_access',
            'subdomain_key' => 'access_policy',
            'control_class' => 'preventive',
            'summary' => 'Access decisions are governed by explicit policy conditions and assignment boundaries.',
            'operator_description' => 'Use this control when evaluating whether access is constrained by conditional policies rather than unmanaged default access.',
            'detectability_class' => 'direct_technical',
            'evaluation_strategy' => 'state_evaluated',
            'evidence_archetypes' => ['configuration_snapshot', 'policy_or_assignment_summary'],
            'artifact_suitability' => $suitableEverywhere,
            'historical_status' => 'active',
            'microsoft_bindings' => [
                [
                    'subject_family_key' => 'conditional_access_policy',
                    'workload' => 'entra',
                    'signal_keys' => ['conditional_access.policy_state', 'conditional_access.assignment_scope'],
                    'supported_contexts' => $signalContexts,
                    'primary' => true,
                    'notes' => 'Policy state and assignments are Microsoft-owned signals for the provider-neutral access enforcement objective.',
                ],
            ],
        ],

        // Privileged access governance: inferred from directory role
        // assignments; not offered as a baseline or drift artifact.
        [
            'control_key' => 'privileged_access_governance',
            'name' => 'Privileged access governance',
            'domain_key' => 'identity_access',
            'subdomain_key' => 'privileged_access',
            'control_class' => 'preventive',
            'summary' => 'Privileged roles are assigned intentionally, reviewed, and limited to accountable identities.',
            'operator_description' => 'Use this control when privileged role exposure, ownership, and reviewability are the core governance objective.',
            'detectability_class' => 'indirect_technical',
            'evaluation_strategy' => 'signal_inferred',
            'evidence_archetypes' => ['policy_or_assignment_summary', 'execution_result', 'operator_attestation'],
            'artifact_suitability' => $suitableFromFindings,
            'historical_status' => 'active',
            'microsoft_bindings' => [
                [
                    'subject_family_key' => 'entra_admin_roles',
                    'workload' => 'entra',
                    'signal_keys' => ['entra_admin_roles.global_admin_assignment', 'entra_admin_roles.privileged_role_assignment'],
                    'supported_contexts' => $findingContexts,
                    'primary' => true,
                    'notes' => 'Directory role assignment data supports privileged access governance without becoming the control taxonomy.',
                ],
            ],
        ],

        // External sharing boundaries: workflow-attested only in this
        // release, so it never produces findings, baselines or drift.
        [
            'control_key' => 'external_sharing_boundaries',
            'name' => 'External sharing boundaries',
            'domain_key' => 'collaboration_boundary',
            'subdomain_key' => 'external_access',
            'control_class' => 'preventive',
            'summary' => 'External access and sharing are constrained by explicit tenant or workload boundaries.',
            'operator_description' => 'Use this control when the product needs to explain whether cross-boundary collaboration is intentionally limited.',
            'detectability_class' => 'workflow_attested',
            'evaluation_strategy' => 'workflow_confirmed',
            'evidence_archetypes' => ['configuration_snapshot', 'operator_attestation', 'external_artifact_reference'],
            'artifact_suitability' => $suitableFromAttestation,
            'historical_status' => 'active',
            'microsoft_bindings' => [
                [
                    'subject_family_key' => 'sharing_boundary',
                    'workload' => 'microsoft_365',
                    'signal_keys' => ['sharing.external_boundary_attested'],
                    'supported_contexts' => $attestedContexts,
                    'primary' => true,
                    'notes' => 'Current release coverage depends on attested configuration evidence rather than direct universal evaluation.',
                ],
            ],
        ],

        // Endpoint hardening and compliance.
        // NOTE(review): all three bindings below are marked primary, and the
        // last one binds the bare 'finding.drift' signal as a catch-all for
        // legacy drift findings that carry no policy-family discriminator.
        // Whether a drift finding from a non-Intune subject can end up
        // attributed to this control depends on the resolver filtering on
        // 'workload' and on how it breaks ties between primaries — confirm.
        // The subject_family_key values keep Graph resource casing
        // (deviceConfiguration, deviceCompliancePolicy) unlike the snake_case
        // keys elsewhere; presumably they are matched as literal strings, so
        // they must not be normalised here.
        [
            'control_key' => 'endpoint_hardening_compliance',
            'name' => 'Endpoint hardening and compliance',
            'domain_key' => 'endpoint_security',
            'subdomain_key' => 'device_posture',
            'control_class' => 'detective',
            'summary' => 'Endpoint configuration and compliance policies express the expected device hardening posture.',
            'operator_description' => 'Use this control when a finding or review references device configuration, compliance, or hardening drift.',
            'detectability_class' => 'direct_technical',
            'evaluation_strategy' => 'state_evaluated',
            'evidence_archetypes' => ['configuration_snapshot', 'policy_or_assignment_summary', 'execution_result'],
            'artifact_suitability' => $suitableEverywhere,
            'historical_status' => 'active',
            'microsoft_bindings' => [
                [
                    'subject_family_key' => 'deviceConfiguration',
                    'workload' => 'intune',
                    'signal_keys' => ['intune.device_configuration_drift'],
                    'supported_contexts' => $signalContexts,
                    'primary' => true,
                    'notes' => 'Intune device configuration drift is a provider signal for the endpoint hardening control.',
                ],
                [
                    'subject_family_key' => 'deviceCompliancePolicy',
                    'workload' => 'intune',
                    'signal_keys' => ['intune.device_compliance_policy'],
                    'supported_contexts' => $signalContexts,
                    'primary' => true,
                    'notes' => 'Device compliance policy data supports the same endpoint hardening objective.',
                ],
                // Legacy fallback, see the review note above this control.
                [
                    'subject_family_key' => 'drift',
                    'workload' => 'intune',
                    'signal_keys' => ['finding.drift'],
                    'supported_contexts' => $findingContexts,
                    'primary' => true,
                    'notes' => 'Legacy drift findings without a policy-family discriminator resolve to the broad endpoint hardening objective.',
                ],
            ],
        ],

        // Audit log retention: external or attested evidence only, until a
        // later slice adds direct provider evaluation (see binding note).
        [
            'control_key' => 'audit_log_retention',
            'name' => 'Audit log retention',
            'domain_key' => 'auditability',
            'subdomain_key' => 'retention',
            'control_class' => 'detective',
            'summary' => 'Administrative and security-relevant activity remains available for investigation for the required retention period.',
            'operator_description' => 'Use this control when evidence depends on retained logs or exported audit artifacts rather than live configuration alone.',
            'detectability_class' => 'external_evidence_only',
            'evaluation_strategy' => 'externally_attested',
            'evidence_archetypes' => ['external_artifact_reference', 'operator_attestation'],
            'artifact_suitability' => $suitableFromAttestation,
            'historical_status' => 'active',
            'microsoft_bindings' => [
                [
                    'subject_family_key' => 'audit_log_retention',
                    'workload' => 'microsoft_365',
                    'signal_keys' => ['audit.retention_attested'],
                    'supported_contexts' => $attestedContexts,
                    'primary' => true,
                    'notes' => 'Current evidence is external or attested until a later slice adds direct provider evaluation.',
                ],
            ],
        ],

        // Delegated admin boundaries: workflow-confirmed, but unlike the other
        // attested controls it may still surface as a finding.
        [
            'control_key' => 'delegated_admin_boundaries',
            'name' => 'Delegated admin boundaries',
            'domain_key' => 'identity_access',
            'subdomain_key' => 'delegated_administration',
            'control_class' => 'preventive',
            'summary' => 'Delegated administration is constrained by explicit role, tenant, and scope boundaries.',
            'operator_description' => 'Use this control when evaluating whether delegated administrative access is bounded and reviewable.',
            'detectability_class' => 'workflow_attested',
            'evaluation_strategy' => 'workflow_confirmed',
            'evidence_archetypes' => ['policy_or_assignment_summary', 'operator_attestation'],
            'artifact_suitability' => $suitableFromFindings,
            'historical_status' => 'active',
            'microsoft_bindings' => [
                [
                    'subject_family_key' => 'delegated_admin_relationship',
                    'workload' => 'microsoft_365',
                    'signal_keys' => ['delegated_admin.relationship_boundary'],
                    'supported_contexts' => $findingContexts,
                    'primary' => true,
                    'notes' => 'Delegated admin relationship metadata remains provider-owned and secondary to the platform control.',
                ],
            ],
        ],
    ],
];