How do I ensure MQL resources that return a list result in a true / false check? #1286
Question

I want to write a policy that ensures that all usernames on the operating system are emails.

Answer

As an intuitive solution we want to list all users that are emails. For that we use the built-in email regex available in MQL via

users.where( name == regex.email )

We can also query if a user does not match the email:

users.where( name != regex.email )

On macOS this will return the following results:

cnspec> users.where( name == regex.email )
users.where.list: []
cnspec> users.where( name != regex.email )
users.where.list: [
0: user name="_mailman" uid=78 gid=78
1: user name="_devicemgr" uid=220 gid=220
2: user name="_cvs" uid=72 gid=72
...
]

If we want to ensure that all user names match email, we could write a simple MQL query that compares the length of all users with the length of the filtered users:

cnspec> users.where( name == regex.email ).length == users.length
[failed] users.where.length == <ref>
expected: == 114
actual: 0

This has a couple of disadvantages:

For MQL resources that return lists, we recommend to use .none, .all, .one or .any expressions. For the question we had above, we can just write:

users.all( name == regex.email )

MQL allows you to chain filters with the keywords:

users.where(uid > 1000).all( name == regex.email )

In case a user does not match the expected email regex, we see the result:

cnspec> users.all(name == regex.email )
[failed] users.all()
actual: [
0: user {
name: "_devicemgr"
regex.email: /("([ !#-\[\]-~]|[\xC0-\xDF][\x80-\xBF]|[\xE0-\xEF][\x80-\xBF]{2}|[\xF0-\xF7][\x80-\xBF]{3}){1,63}"|([a-z0-9!#$%&'*+-/=?^_`{|}~]|[\xC0-\xDF][\x80-\xBF]|[\xE0-\xEF][\x80-\xBF]{2}|[\xF0-\xF7][\x80-\xBF]{3}){1,63}(\.([a-z0-9!#$%&'*+-/=?^_`{|}~]|[\xC0-\xDF][\x80-\xBF]|[\xE0-\xEF][\x80-\xBF]{2}|[\xF0-\xF7][\x80-\xBF]{3}){1,63})*)@(([0-9][a-zA-Z]|[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]|[a-zA-Z][0-9]|[a-zA-Z]{1,2})(\.([0-9][a-zA-Z]|[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]|[a-zA-Z][0-9]|[a-zA-Z]{1,2}))*|\[[!-Z^-~]{0,255}\])/
regex: regex id = time
uid: 220
gid: 220
}
...

With policies:

policies:
  - uid: users-names
    name: Linux User Name Policy
    version: 1.0.0
    groups:
      # Apply the checks only to unix-family assets
      - filters: asset.family.contains(_ == 'unix')
        checks:
          - uid: username-are-emails
            title: Ensure all usernames are emails
            # Passes only if every user name matches the email regex
            mql: users.all( name == regex.email )
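
Added example (not part of the original post, and not cnspec or MQL code): a small Python model of the four list assertions next to the length-comparison form, showing that the assertion form reports the offending entries while the length form reports only two numbers. The passwd-style sample, the simplified email pattern (a full-match stand-in for regex.email) and all function names are constructed assumptions.

```python
import re

# Simplified stand-in for MQL's regex.email (assumption: full match on the name).
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed passwd-format sample; not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
_cvs:x:72:72::/var/empty:/usr/bin/false
alice@example.com:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
"""

def parse_users(text):
    """Parse passwd-style lines into dicts with name, uid and gid."""
    users = []
    for line in filter(str.strip, text.splitlines()):
        name, _pw, uid, gid = line.split(":")[:4]
        users.append({"name": name, "uid": int(uid), "gid": int(gid)})
    return users

def is_email(user):
    return EMAIL.fullmatch(user["name"]) is not None

def check(items, mode, pred):
    """Model a list assertion: return (passed, entries that explain the result)."""
    hits = [i for i in items if pred(i)]
    misses = [i for i in items if not pred(i)]
    if mode == "all":
        return not misses, misses   # offenders: entries that do not match
    if mode == "none":
        return not hits, hits       # offenders: entries that do match
    if mode == "any":
        return bool(hits), hits
    if mode == "one":
        return len(hits) == 1, hits
    raise ValueError(f"unknown mode: {mode}")

def length_check(items, pred):
    """Length-comparison form: yields two numbers and no offending entries."""
    return len([i for i in items if pred(i)]), len(items)

if __name__ == "__main__":
    users = parse_users(SAMPLE_PASSWD)
    print("length form:", length_check(users, is_email))
    print("all:", check(users, "all", is_email))
    humans = [u for u in users if u["uid"] > 1000]  # models users.where(uid > 1000)
    print("where(uid > 1000).all:", check(humans, "all", is_email))
    print("empty list, all:", check([], "all", is_email))  # vacuously true here
```

In this model an "all" assertion over an empty filtered list passes, so a chained filter that matches nothing would not flag anything.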
Replies: 1 comment
TLDR: For MQL resources that return lists, we recommend to use .none, .all, .one or .any expressions like: