mondoo-okta-security.mql.yaml

# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-okta-security
    name: Mondoo Okta Organization Security
    version: 2.1.0
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: okta-org,saas
    authors:
      - name: Mondoo, Inc
        email: hello@mondoo.com
    docs:
      desc: |
        # Overview

        The Mondoo Okta Organization Security policy provides security recommendations for Okta organizations. This policy supports scanning of Okta organizations as well as Terraform projects using the [Okta Terraform provider](https://registry.terraform.io/providers/okta/okta/latest/docs) from the HashiCorp Terraform Registry.

        ### cnspec Okta provider

        This policy uses the `okta` provider to authenticate with Okta's API in order to remotely scan an Okta organization. Additional information on the `okta` provider can be found by running this command:

        ```bash
        cnspec scan okta --help
        ```

        ## Configuring the Okta provider

        The `okta` provider for cnspec requires an API token to authenticate and run scans.

        ### Create an API token

        To create an API token, see [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/main/) on Okta's documentation site.

        ### Configure a OKTA_TOKEN environment variable

        You supply your API token to cnspec using the `OKTA_TOKEN` environment variable.

        #### Linux / macOS

        ```bash
        export OKTA_TOKEN=<OKTA_TOKEN>
        ```

        #### Windows
        ```powershell
        $Env:OKTA_TOKEN = "<OKTA_TOKEN>"
        ```

        ## Scan an Okta organization

        To scan the configuration of an Okta organization all together:

        ```bash
        cnspec scan okta --organization DOMAIN.okta.com --token $OKTA_TOKEN  -f okta-security-healthinsights.mql.yaml
        ```

        ## Scan Terraform HCL code managing Okta with the Terraform provider for Okta

        ```
        cnspec scan terraform /path/to/terraform -f okta-security-healthinsights.mql.yaml
        ```

        ## Scan Terraform plan file Okta with the Terraform provider for Okta

        Generate a Terraform plan.json file to scan:

        ```
        terraform plan -out plan.tfplan
        terraform show -json plan.tfplan > tfplan.json
        ```

        Scan Terraform plan file

        ```
        cnspec scan terraform plan /path/to/plan.json -f okta-security-healthinsights.mql.yaml
        ```

        ## Scan Terraform state file Okta with the Terraform provider for Okta

        Generate a Terraform state.json file to scan:

        ```
        terraform show -json > tfstate.json
        ```

        Scan Terraform state file:

        ```
        cnspec scan terraform state /path/to/tfstate.json -f okta-security-healthinsights.mql.yaml
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions."
    groups:
      - title: Okta Organization Security - HealthInsight Tasks and Recommendations
        checks:
          - uid: mondoo-okta-security-limit-super-admins
          - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses
          - uid: mondoo-okta-security-okta-mfa-access
          - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies
          - uid: mondoo-okta-security-enable-okta-verify-with-push-for-mfa
          - uid: mondoo-okta-security-okta-enforce-session-lifetime
          - uid: mondoo-okta-security-enable-suspicious-activity-reporting
          - uid: mondoo-okta-security-sign-on-notifications-for-end-users
          - uid: mondoo-okta-security-factor-enrollment-notifications
          - uid: mondoo-okta-security-factor-reset-notifications-for-end-users
          - uid: mondoo-okta-security-password-changed-notifications-for-end-users
          - uid: mondoo-okta-security-okta-auth-openid-saml
          - uid: mondoo-okta-security-password-settings-minimum-length
          - uid: mondoo-okta-security-password-settings-min-lowercase
          - uid: mondoo-okta-security-password-settings-min-number
          - uid: mondoo-okta-security-password-settings-min-symbols
          - uid: mondoo-okta-security-password-settings-min-age
          - uid: mondoo-okta-security-password-settings-exclude-username
          - uid: mondoo-okta-security-password-settings-exclude-first-name
          - uid: mondoo-okta-security-password-settings-exclude-last-name
          - uid: mondoo-okta-security-password-settings-dictionary-lookup
          - uid: mondoo-okta-security-password-settings-max-age
          - uid: mondoo-okta-security-password-settings-expire-warning
          - uid: mondoo-okta-security-password-settings-history-count
          - uid: mondoo-okta-security-password-settings-max-lockout-attempts
          - uid: mondoo-okta-security-password-settings-password-auto-unlock-minutes
          - uid: mondoo-okta-security-password-settings-password-show-lockout-failures
          - uid: mondoo-okta-security-password-settings-password-email-recovery
          - uid: mondoo-okta-security-password-settings-password-sms-recovery
          - uid: mondoo-okta-security-password-settings-password-question-recovery
    scoring_system: highest impact
queries:
  - uid: mondoo-okta-security-limit-super-admins
    title: Limit the number of super admins
    impact: 100
    props:
      - uid: mondooOktaSecurityMaxOktaSuperAdmins
        title: Maximum number of Okta Super Admins
        mql: return 15
    docs:
      desc: |
        Admin roles allow you to control user access to a range of Okta functions. You can assign more than one role to an individual admin if their job requires them to perform actions that span multiple roles. This role can create other admins, assign or remove permissions, and perform all other admin activities. The super admin has the highest permissions of all admin roles.

        ## Okta Recommends

        Limit the number of super admins only to users who require super admin access. An org shouldn't have more than:

        - 50 percent of admins have super admin privileges
        - 15 super admins

        All other admins should only have the permissions as required for their role.

        Plan for a recurring assessment of all admin privileges to ensure that these best practices are met.
    refs:
      - url: https://help.okta.com/en-us/Content/Topics/Security/healthinsight/healthinsight-security-task-recomendations.htm
        title: HealthInsight tasks and recommendations
      - url: https://help.okta.com/en-us/Content/Topics/Security/network/network-zones.htm
        title: Network Zones
      - url: https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight.htm
        title: Configure Okta ThreatInsight
      - url: https://help.okta.com/en-us/Content/Topics/Security/Administrators.htm
        title: Administrators
      - url: https://help.okta.com/en-us/Content/Topics/Security/administrators-super-admin.htm
        title: Super Administrators
    variants:
      - uid: mondoo-okta-security-limit-super-admins-api
  - uid: mondoo-okta-security-limit-super-admins-api
    title: Limit the number of super admins
    impact: 100
    filters: asset.platform == "okta-org"
    mql: okta.groups.where(roles.one(type =="SUPER_ADMIN")).all(members.length < props.mondooOktaSecurityMaxOktaSuperAdmins )
    docs:
      remediation:
        - id: console
          desc: |
            ### Change admin privileges to a user or an Okta group

            1. In the Admin Console, go to **Security > Administrators**.
            2. Under **Admin Roles**, select the Super filter to display only super administrators.
            3. Next to each user entry, select **Edit**. The Edit Administrator window is displayed.
            4. From the list of administrator roles, assign a role other than super admin to the user.
            5. Select **Update Administrator**.
  - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses
    title: Enable Okta ThreatInsight to block suspicious IP addresses
    impact: 100
    docs:
      desc: |
        Configure network blocklisting to deny access from known malicious IP addresses or locations from your Okta org.

        Admins can block access to their Okta org to IP addresses coming from network zones, IP zones, and dynamic zones. Network zones contain a list of IP addresses, and dynamic zones contain a list of locations, ASNs, or IP types. Okta doesn't allow blocklisted IP addresses to access any of your org's URLs. Okta blocks these requests before any type of policy evaluation occurs.

        ### Okta recommends

        Block any known untrusted IP addresses, locations, or proxy servers to limit access to your org. If your org uses IP Trust for network zones, Okta also recommends blocking any IP addresses that are identified as a Tor anonymizer proxy. Only add IP addresses or locations that aren't associated with legitimate user activity.

        ### Security impact

        Moderate

        ## User impact

        Low

        Legitimate users within your org see no change in behavior. Clients connecting from blocked network zones see a 403 (access denied) error.
    variants:
      - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses-terraform-hcl
      - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses-terraform-plan
      - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses-terraform-state
      - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses-api
  - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses-api
    title: Enable Okta ThreatInsight to block suspicious IP addresses
    impact: 100
    filters: asset.platform == "okta-org"
    mql: |
      okta.networks.any( usage == "BLOCKLIST" && gateways.length > 0 )
    docs:
      remediation:
        - id: console
          desc: |
            ### Block specific IP addresses
            Block specific IP addresses to deny access to your Okta org.

            1. In the Admin Console, go to SecurityNetworks.
            2. In the list of zones, select Edit for the BlockedIpZone network zone.
            3. Select Block access from IPs matching conditions listed in this zone.
            4. Select Save.

            ### Block IP addresses in a dynamic zone
            Block IP addresses in a dynamic zone from accessing your Okta org.

            1. In the Admin Console, go to SecurityNetworks.
            2. Select Add Zone > Dynamic Zone.
            3. Define a location or proxy type.
            4. Select Block access from IPs matching conditions listed in this zone.
            5. Select Save.

            ### Block Tor anonymizer proxy IP addresses
            Block IP addresses identified as a Tor anonymizer proxy from accessing your Okta org.

            1. In the Admin Console, go to SecurityNetworks.
            2. Select Add Zone > Dynamic Zone.
            3. Select Tor anonymizer proxy for IP Type.
            4. Select Block access from IPs matching conditions listed in this zone.
            5. Select Save.
  - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses-terraform-hcl
    title: Enable Okta ThreatInsight to block suspicious IP addresses
    impact: 100
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == "okta_network_zone" ).one( arguments['usage'] == "BLOCKLIST" )
      terraform.resources.where( nameLabel == "okta_network_zone" && arguments['usage'] == "BLOCKLIST" ).all( arguments['gateways'].length > 0 )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_network_zone" "example_blocklist" {
              name     = "myBlockList"
              type     = "IP"
              usage    - "BLOCKLIST"
              gateways = ["1.2.3.4/24", "2.3.4.5-2.3.4.15"]
              proxies  = ["2.2.3.4/24", "3.3.4.5-3.3.4.15"]
            }
            ```
  - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses-terraform-plan
    title: Enable Okta ThreatInsight to block suspicious IP addresses
    impact: 100
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == "okta_network_zone" ).one( change.after['usage'] == "BLOCKLIST" )
      terraform.plan.resourceChanges.where( type == "okta_network_zone" && change.after['usage'] == "BLOCKLIST" ).all( change.after['gateways'].length > 0 )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_network_zone" "example_blocklist" {
              name     = "myBlockList"
              type     = "IP"
              usage    - "BLOCKLIST"
              gateways = ["1.2.3.4/24", "2.3.4.5-2.3.4.15"]
              proxies  = ["2.2.3.4/24", "3.3.4.5-3.3.4.15"]
            }
            ```
  - uid: mondoo-okta-security-threatinsight-block-suspicious-ip-addresses-terraform-state
    title: Enable Okta ThreatInsight to block suspicious IP addresses
    impact: 100
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_network_zone/ )
    mql: |
      terraform.state.resources.where( type == 'okta_network_zone' ).contains( values['usage'] == "BLOCKLIST" )
      terraform.state.resources.where( type == 'okta_network_zone' ).contains( values['usage'] == "BLOCKLIST" && values['gateways'].length > 0 )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_network_zone" "example_blocklist" {
              name     = "myBlockList"
              type     = "IP"
              usage    - "BLOCKLIST"
              gateways = ["1.2.3.4/24", "2.3.4.5-2.3.4.15"]
              proxies  = ["2.2.3.4/24", "3.3.4.5-3.3.4.15"]
            }
            ```
  - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies
    title: Disable weaker MFA factors in factor enrollment policies
    impact: 80
    docs:
      desc: |
        Enable strong MFA factors to improve resistance to phishing and man-in-the-middle attacks.

        Admins can configure multifactor authentication (MFA) at the organization level or application level. When users sign in to Okta or an app, they're prompted to authenticate themselves. If you deploy strong factors, they provide better protection against phishing, adversary-in-the-middle attacks, and others.

        ### Okta recommends

        Update factor enrollment policies based on the following:

        - Enable as primary factors: Okta Verify (with Push if available), Google Authenticator, WebAuthn
        - Don't enable as secondary factors: Security Questions and SMS/Email/Voice

        ### Security impact

        High

        ### User impact

        High

        When signing in to their org, end users are prompted to enroll in required factors and may enroll in any factors set to optional. Factors that have been disabled aren't visible to end users.
    refs:
      - url: https://help.okta.com/en-us/Content/Topics/Security/healthinsight/strong-factors.htm
        title: Disable weaker MFA factors in factor enrollment policies
      - url: https://registry.terraform.io/providers/okta/okta/latest/docs/resources/policy_mfa_default
        title: Terraform Registry - okta_policy_mfa_default
    variants:
      - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies-api
      - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies-terraform-hcl
      - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies-terraform-plan
      - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies-terraform-state
  - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies-api
    title: Disable weaker MFA factors in factor enrollment policies
    impact: 80
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.mfaEnroll.all( _.settings['factors']['okta_email']['enroll']['self'] != /(OPTIONAL|REQUIRED)/ )
      okta.policies.mfaEnroll.all( _.settings['factors']['okta_sms']['enroll']['self'] != /(OPTIONAL|REQUIRED)/ )
      okta.policies.mfaEnroll.all( _.settings['factors']['phone_number']['enroll']['self'] != /(OPTIONAL|REQUIRED)/ )
    docs:
      remediation:
        - id: console
          desc: |
            ### Enable strong factors for factor enrollment
            1. In the Admin Console, go to SecurityMultifactor.
            2. Select Factor Enrollment.
            3. Select Edit.
            4. Set the factor of your choice to Required, Optional, or Disabled.
  - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies-terraform-hcl
    title: Disable weaker MFA factors in factor enrollment policies
    impact: 80
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == "okta_policy_mfa_default" ).all( arguments['okta_sms']['enroll'] != /(OPTIONAL|REQUIRED)/)
      terraform.resources.where( nameLabel == "okta_policy_mfa_default" ).all( arguments['okta_email']['enroll'] != /(OPTIONAL|REQUIRED)/)
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_policy_mfa_default" "classic_example" {
              is_oie      = false

              okta_verify = {
                enroll = "REQUIRED"
              }

              okta_otp = {
                enroll = "REQUIRED"
              }

              google_otp = {
                enroll = "REQUIRED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }

              okta_sms = {
                enroll = "NOT_ALLOWED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }
            }
            ```
  - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies-terraform-plan
    title: Disable weaker MFA factors in factor enrollment policies
    impact: 80
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == "okta_policy_mfa_default" ).all( change.after['okta_email']['enroll'] != /(OPTIONAL|REQUIRED)/ )
      terraform.plan.resourceChanges.where( type == "okta_policy_mfa_default" ).all( change.after['okta_sms']['enroll'] != /(OPTIONAL|REQUIRED)/ )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_policy_mfa_default" "classic_example" {
              is_oie      = false

              okta_verify = {
                enroll = "REQUIRED"
              }

              okta_otp = {
                enroll = "REQUIRED"
              }

              google_otp = {
                enroll = "REQUIRED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }

              okta_sms = {
                enroll = "NOT_ALLOWED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }
            }
            ```
  - uid: mondoo-okta-security-disable-weaker-mfa-factors-in-factor-enrollment-policies-terraform-state
    title: Disable weaker MFA factors in factor enrollment policies
    impact: 80
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == 'okta_policy_mfa_default' ).all( values['okta_sms']['enroll'] != /(OPTIONAL|REQUIRED)/ )
      terraform.state.resources.where( type == 'okta_policy_mfa_default' ).all( values['okta_email']['enroll'] != /(OPTIONAL|REQUIRED)/ )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_policy_mfa_default" "classic_example" {
              is_oie      = false

              okta_verify = {
                enroll = "REQUIRED"
              }

              okta_otp = {
                enroll = "REQUIRED"
              }

              google_otp = {
                enroll = "REQUIRED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }

              okta_sms = {
                enroll = "NOT_ALLOWED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }
            }
            ```
  - uid: mondoo-okta-security-enable-okta-verify-with-push-for-mfa
    title: Enable Okta Verify (with Push if available) for MFA
    impact: 80
    docs:
      desc: |
        Okta Verify is a multifactor authentication (MFA) app developed by Okta. It lets users verify their identity when they sign in to Okta and makes it less likely that someone pretending to be the user can gain access to the account.

        To use Okta Verify, you must first enable and configure it for your org, and then your end users must install the Okta Verify app on their device and set it up. Then, when end users sign in to Okta, they can verify their identity by approving a push notification in the app, or by entering a one-time code provided by the app into Okta.
    variants:
      - uid: mondoo-okta-security-enable-okta-verify-with-push-for-mfa-api
      - uid: mondoo-okta-security-enable-okta-verify-with-push-for-mfa-terraform-hcl
      - uid: mondoo-okta-security-enable-okta-verify-with-push-for-mfa-terraform-plan
  - uid: mondoo-okta-security-enable-okta-verify-with-push-for-mfa-api
    title: Enable Okta Verify (with Push if available) for MFA
    impact: 80
    filters: asset.platform == "okta-org"
    mql: okta.policies.mfaEnroll.any( _.settings['factors']['okta_otp'] )
    docs:
      remediation:
        - id: console
          desc: |
            See [Enable and configure Okta Verify](https://help.okta.com/en-us/Content/Topics/Mobile/okta-verify-overview.htm) in Okta's documentation site.
  - uid: mondoo-okta-security-enable-okta-verify-with-push-for-mfa-terraform-hcl
    title: Enable Okta Verify (with Push if available) for MFA
    impact: 80
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: terraform.resources.where( nameLabel == "okta_policy_mfa_default" ).any( arguments['okta_otp']['enroll'] == /REQUIRED/)
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_policy_mfa_default" "classic_example" {
              is_oie      = false

              okta_verify = {
                enroll = "REQUIRED"
              }

              okta_otp = {
                enroll = "REQUIRED"
              }

              google_otp = {
                enroll = "REQUIRED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }

              okta_sms = {
                enroll = "NOT_ALLOWED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }
            }
            ```
  - uid: mondoo-okta-security-enable-okta-verify-with-push-for-mfa-terraform-plan
    title: Enable Okta Verify (with Push if available) for MFA
    impact: 80
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == "okta_policy_mfa_default" ).all( change.after['okta_otp']['enroll'] == /REQUIRED/ )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_policy_mfa_default" "classic_example" {
              is_oie      = false

              okta_verify = {
                enroll = "REQUIRED"
              }

              okta_otp = {
                enroll = "REQUIRED"
              }

              google_otp = {
                enroll = "REQUIRED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }

              okta_sms = {
                enroll = "NOT_ALLOWED"
              }

              okta_email = {
                enroll = "NOT_ALLOWED"
              }
            }
            ```
  - uid: mondoo-okta-security-okta-mfa-access
    title: Require at least one factor in every MFA enrollment policy
    impact: 100
    docs:
      desc: |
        Enabling at least one required factor for your org ensures that end users assigned to a given policy are enrolled in MFA.

        Once a required factor is set, you can also update your Okta sign-on policy to prompt users to enroll in the factor the next time they sign in.

        ### Okta recommends

        Require at least one factor in every MFA enrollment policy.

        ### Security impact

        High

        ### End-user impact

        Low

        If a factor is required as part of the MFA enrollment policy, end users must enroll in the factor before they can sign in to their org. Setup varies depending on the factor specified.
    variants:
      - uid: mondoo-okta-security-okta-mfa-access-api
  - uid: mondoo-okta-security-okta-mfa-access-api
    title: Require at least one factor in every MFA enrollment policy
    impact: 100
    filters: asset.platform == "okta-org"
    mql: |
      everyoneGroupId = okta.groups.where( profile['name'] == "Everyone" ).map(id)[0]
      okta.policies.mfaEnroll.one( status == "ACTIVE" && conditions['people']['groups']['include'].contains(everyoneGroupId) )
    docs:
      remediation:
        - id: console
          desc: |
            ### Set a required factor in an MFA enrollment policy
            1. In the Admin Console, go to **Security > Multifactor**. The **Factor Types** page appears.
            2. Select **Factor Enrollment** to switch to factor enrollment policies and rules.
            3. Select a policy and select **Edit** to modify it.
            4. From the list of eligible factors, set at least one factor to **Required**.
            5. Select **Update Policy**.

            ### Prompt an end user to enroll in a required factor
            To prompt an end user to enroll in a required factor, you may do one of the following:

            - Set an Okta sign-on policy rule that prompts a user for factor enrollment.
            - Set a factor enrollment policy rule that allows a user to enroll in a factor when challenged for MFA.
            - Set a factor enrollment policy rule that prompts the user to enroll in a factor the first time they sign in to their org.

            ### Create an Okta sign-on policy rule that prompts for factor enrollment
            1. From the Admin Console menu, select Security > Authentication. The Authentication policies page appears.
            2. Select Sign On to access Sign-On Policies.
            3. Select the policy and from the list of associated rules, select Edit to start modifying an existing policy rule. You can also create a rule.
            4. From the Edit Rule window, select Prompt for Factor.
            5. Select **Update Rule**.

            ### Create a factor enrollment policy rule that allows users to enroll in a factor when challenged for MFA
            1. In the Admin Console, go to **Security > Multifactor**. The **Factor Types** page appears.
            2. Select **Factor Enrollment**.
            3. Choose one of the active policy rules in the list and select Edit. The Edit Rule dialog appears.
            4. Under the condition THEN Enroll in multi-factor, select the first time a user is challenged for MFA.
            5. Select **Update Rule**.

            ### Create a factor enrollment policy rule that prompts new users to enroll in a factor the first time they sign in to their org
            1. In the Admin Console, go to **Security > Multifactor**. The **Factor Types** page appears.
            2. Select **Factor Enrollment**.
            3. Choose one of the active policy rules in the list and select Edit. The Edit Rule dialog appears.
            4. Under the condition THEN Enroll in multi-factor, select the first time a user signs in.
            5. Select **Update Rule**.
  - uid: mondoo-okta-security-okta-enforce-session-lifetime
    title: Enforce a limited session lifetime for all policies
    impact: 80
    docs:
      desc: |
        The session lifetime determines the maximum idle time of a user's Okta session, and when the session expires.

        Shorter session lifetimes reduce the risk of malicious parties gaining access to a user's session.

        The default session lifetime is two hours. A countdown timer appears to users when there are five minutes of session time remaining.

        ### Okta recommends

        A session lifetime of two hours or less.

        ### Security impact

        High

        ### End-user impact

        Moderate

        A countdown timer appears to users when there are five minutes of session time remaining.
    variants:
      - uid: mondoo-okta-security-okta-enforce-session-lifetime-api
  - uid: mondoo-okta-security-okta-enforce-session-lifetime-api
    title: Enforce a limited session lifetime for all policies
    impact: 80
    filters: asset.platform == "okta-org"
    props:
      - uid: mondooOktaSecurityMaxSessionIdleMinutes
        title: Okta Security - SignOn mondooOktaSecurityMaxSessionIdleMinutes
        mql: return 120
      - uid: mondooOktaSecurityMaxSessionLifetimeMinutes
        title: Okta Security - Max session lifetime minutes
        mql: return 1440
    mql: |
      okta.policies.signOn.where(_.rules.all(status == "ACTIVE")).all(_.rules.all(actions["signon"]["session"]["mondooOktaSecurityMaxSessionIdleMinutes"] <= props.mondooOktaSecurityMaxSessionIdleMinutes ))
      okta.policies.signOn.where(_.rules.all(status == "ACTIVE")).all(_.rules.all(actions["signon"]["session"]["mondooOktaSecurityMaxSessionLifetimeMinutes"] <= props.mondooOktaSecurityMaxSessionLifetimeMinutes ))
    docs:
      remediation:
        - id: console
          desc: |
            ### Set the session lifetime for a policy
            1. In the Admin Console, go to **Security > Authentication**.
            2. Select **Sign On**.
            3. Select **Add Rule** or **Edit** to modify an existing policy rule.
            4. Under **Session expires after**, set the session lifetime duration in minutes, hours, or days.
            5. Select **Create Rule** or **Save Rule** once your changes have been made.
  - uid: mondoo-okta-security-okta-auth-openid-saml
    title: Enable SAML or OIDC authentication for supported apps
    impact: 100
    docs:
      desc: |
        SAML and OIDC are authentication protocols that reduce reliance on password-based authentication.

        SAML is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a service provider (SP).
        OpenID Connect (OIDC) is a protocol that sits on top of the OAuth 2.0 framework. The OIDC protocol allows otherwise different systems to interoperate and share authentication state and user profile information.
        SWA is an SSO system developed by Okta to provide single sign-on for apps that don't support proprietary federated sign-on methods or SAML. In a SWA login, the username and password are passed to the third-party app whereas with SAML and OIDC, those credentials never leave Okta.

        ### Okta recommends

        Enable SAML or OIDC and disable SWA for applications when possible.

        ### Security impact

        High

        ### User impact

        None

        When signing in to their org, end users are prompted to enroll in required factors and may enroll in any factors set to optional. Factors that have been disabled aren't visible to end users.
    variants:
      - uid: mondoo-okta-security-okta-auth-openid-saml-api
      - uid: mondoo-okta-security-okta-auth-openid-saml-terraform-hcl
      - uid: mondoo-okta-security-okta-auth-openid-saml-terraform-plan
  - uid: mondoo-okta-security-okta-auth-openid-saml-api
    title: Enable SAML or OIDC authentication for supported apps
    impact: 80
    filters: asset.platform == "okta-org"
    mql: |
      okta.applications.where(signOnMode != "BOOKMARK" && status == "ACTIVE").all(_.signOnMode == "OPENID_CONNECT" || _.signOnMode == "SAML_2_0")
    docs:
      desc: |
        This check explicitly skips Okta Bookmark apps.
      remediation:
        - id: console
          desc: |
            ### Use the Okta Admin Console

            1. Log into the organization as an administrator.
            2. Select **Applications > Applications**.
            3. Select **Create App Integration** or **Browse App Catalog** to see the available apps.
            4. Assign OIDC or SAML.
  - uid: mondoo-okta-security-okta-auth-openid-saml-terraform-hcl
    title: Enable SAML or OIDC authentication for supported apps
    impact: 80
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.any( nameLabel == "okta_idp_oidc" || nameLabel == "okta_app_saml" )
    docs:
      remediation:
        - id: terraform
          desc: |
            ### Configure a SAML application with Terraform

            >Note: If you receive the error `You do not have permission to access the feature you are requesting` contact support and request feature flag `ADVANCED_SSO` be applied to your org.
            ```
            resource "okta_app_saml" "example" {
              label                    = "example"
              sso_url                  = "https://example.com"
              recipient                = "https://example.com"
              destination              = "https://example.com"
              audience                 = "https://example.com/audience"
              subject_name_id_template = "$${user.userName}"
              subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
              response_signed          = true
              signature_algorithm      = "RSA_SHA256"
              digest_algorithm         = "SHA256"
              honor_force_authn        = false
              authn_context_class_ref  = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

              attribute_statements {
                type         = "GROUP"
                name         = "groups"
                filter_type  = "REGEX"
                filter_value = ".*"
              }
            }
            ```
            ### Configure an OIDC provider with Terraform

            ```
            resource "okta_idp_oidc" "example" {
              name                  = "example"
              authorization_url     = "https://idp.example.com/authorize"
              authorization_binding = "HTTP-REDIRECT"
              token_url             = "https://idp.example.com/token"
              token_binding         = "HTTP-POST"
              user_info_url         = "https://idp.example.com/userinfo"
              user_info_binding     = "HTTP-REDIRECT"
              jwks_url              = "https://idp.example.com/keys"
              jwks_binding          = "HTTP-REDIRECT"
              scopes                = ["openid"]
              client_id             = "efg456"
              client_secret         = "efg456"
              issuer_url            = "https://id.example.com"
              username_template     = "idpuser.email"
            }
            ```
  - uid: mondoo-okta-security-okta-auth-openid-saml-terraform-plan
    title: Enable SAML or OIDC authentication for supported apps
    impact: 80
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.any( type == /okta_idp_oidc/ || type == /okta_app_saml/ )
    docs:
      remediation:
        - id: terraform
          desc: |
            ### Configure a SAML application with Terraform

            >Note: If you receive the error `You do not have permission to access the feature you are requesting` contact support and request feature flag `ADVANCED_SSO` be applied to your org.
            ```
            resource "okta_app_saml" "example" {
              label                    = "example"
              sso_url                  = "https://example.com"
              recipient                = "https://example.com"
              destination              = "https://example.com"
              audience                 = "https://example.com/audience"
              subject_name_id_template = "$${user.userName}"
              subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
              response_signed          = true
              signature_algorithm      = "RSA_SHA256"
              digest_algorithm         = "SHA256"
              honor_force_authn        = false
              authn_context_class_ref  = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

              attribute_statements {
                type         = "GROUP"
                name         = "groups"
                filter_type  = "REGEX"
                filter_value = ".*"
              }
            }
            ```
            ### Configure an OIDC provider with Terraform

            ```
            resource "okta_idp_oidc" "example" {
              name                  = "example"
              authorization_url     = "https://idp.example.com/authorize"
              authorization_binding = "HTTP-REDIRECT"
              token_url             = "https://idp.example.com/token"
              token_binding         = "HTTP-POST"
              user_info_url         = "https://idp.example.com/userinfo"
              user_info_binding     = "HTTP-REDIRECT"
              jwks_url              = "https://idp.example.com/keys"
              jwks_binding          = "HTTP-REDIRECT"
              scopes                = ["openid"]
              client_id             = "efg456"
              client_secret         = "efg456"
              issuer_url            = "https://id.example.com"
              username_template     = "idpuser.email"
            }
            ```
  - uid: mondoo-okta-security-enable-suspicious-activity-reporting
    title: Enable Suspicious Activity Reporting
    impact: 80
    docs:
      desc: |
        When a user reports suspicious activity, admins can enable specific actions and System Log events to obtain further details about the activity.

        ### Okta Recommends

        Enable Suspicious Activity Reporting for end-user reporting.

        ### Security impact

        High

        ### User impact

        Low
    variants:
      - uid: mondoo-okta-security-enable-suspicious-activity-reporting-api
      - uid: mondoo-okta-security-enable-suspicious-activity-reporting-terraform-hcl
      - uid: mondoo-okta-security-enable-suspicious-activity-reporting-terraform-plan
  - uid: mondoo-okta-security-enable-suspicious-activity-reporting-api
    title: Enable Suspicious Activity Reporting
    impact: 80
    filters: asset.platform == "okta-org"
    mql: okta.organization.securityNotificationEmails['reportSuspiciousActivityEnabled'] == true
    docs:
      remediation:
        - id: console
          desc: |
            ### Enable or disable Security Notification emails
            If you disable this feature, all valid links expire immediately.

            If you disable the Report suspicious activity via email option, the Report Suspicious Activity button is removed from the email templates that use it.

            When you enable the Report suspicious activity via email option, events reported when users select the Report Suspicious Activity button appear on the Admin Console. Select Review Security Event to view the event details in the System Log. The event name is:

            ```
            user.account.report_suspicious_activity_by_enduser
            ```

            The following email templates include the Report Suspicious Activity button:

            - New Sign-On Notification
            - Authenticator Enrolled
            - Authenticator Reset
            - Password Changed

            1. In the Admin Console, go to SecurityGeneral.
            2. In the Security notification emails section, select Edit.
            3. Select either Enabled or Disabled from the dropdown beside the option that you want to enable or disable.
            4. Select Save.
  - uid: mondoo-okta-security-enable-suspicious-activity-reporting-terraform-hcl
    title: Enable Suspicious Activity Reporting
    impact: 80
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: terraform.resources.where( nameLabel == "okta_security_notification_emails" ).any( arguments['report_suspicious_activity_enabled'] == /var/ || arguments['report_suspicious_activity_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-enable-suspicious-activity-reporting-terraform-plan
    title: Enable Suspicious Activity Reporting
    impact: 80
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: terraform.plan.resourceChanges.where( type == /okta_security_notification_emails/ ).all( change.after['report_suspicious_activity_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-sign-on-notifications-for-end-users
    title: Enable sign-on notifications for end users
    impact: 80
    docs:
      desc: |
        When enabled, this email notification notifies end users of any sign-in activity. The email contains user sign-on details such as the web browser, operating system used to sign in, and time and location of authentication.

        ### Okta Recommends

        Enable this email notification so end users are informed about new sign-on activity, which can inform them if a different user has signed in to their account.

        ### Security impact

        High

        ### User impact

        Low

        End users receive an email notification if they sign in from a new or unrecognized client.

        ### Known limitations
        Currently, new sign-on notifications don't use Improved New Device Behavior Detection when sending email notifications for new sign-ins. Changes to `deviceToken` or browser cookies may not trigger a new sign-on email notification.
    variants:
      - uid: mondoo-okta-security-sign-on-notifications-for-end-users-api
      - uid: mondoo-okta-security-sign-on-notifications-for-end-users-terraform-hcl
      - uid: mondoo-okta-security-sign-on-notifications-for-end-users-terraform-plan
  - uid: mondoo-okta-security-sign-on-notifications-for-end-users-api
    title: Enable sign-on notifications for end users
    impact: 80
    filters: asset.platform == "okta-org"
    mql: okta.organization.securityNotificationEmails['sendEmailForNewDeviceEnabled'] == true
    docs:
      remediation:
        - id: console
          desc: |
            ### Enable sign-on notification emails for end users
            1. In the Admin Console, go to **Security > General**.
            2. Under **Security Notification Emails**, select **Edit**.
            3. Set **New sign-on notification email** to **Enabled**.
            4. Select **Save**.
  - uid: mondoo-okta-security-sign-on-notifications-for-end-users-terraform-hcl
    title: Enable sign-on notifications for end users
    impact: 80
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: terraform.resources.where( nameLabel == "okta_security_notification_emails" ).any( arguments['send_email_for_new_device_enabled'] == /var/ || arguments['send_email_for_new_device_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-sign-on-notifications-for-end-users-terraform-plan
    title: Enable sign-on notifications for end users
    impact: 80
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: terraform.plan.resourceChanges.where( type == /okta_security_notification_emails/ ).all( change.after['send_email_for_new_device_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-factor-enrollment-notifications
    title: Enable factor enrollment notifications for end users
    impact: 80
    docs:
      desc: |
        Factor enrollment notifications for end users notifies end users of any activity on their account related to multifactor authentication (MFA) factor enrollment.

        ### Okta Recommends

        Enable this email notification so end users are informed about factor enrollment.

        ### Security impact

        High

        ### User impact

        Low

        End users are sent a confirmation email if they or an admin enroll in a new factor for their account.
    variants:
      - uid: mondoo-okta-security-factor-enrollment-notifications-api
      - uid: mondoo-okta-security-factor-enrollment-notifications-terraform-hcl
      - uid: mondoo-okta-security-factor-enrollment-notifications-terraform-plan
  - uid: mondoo-okta-security-factor-enrollment-notifications-api
    title: Enable factor enrollment notifications for end users
    impact: 80
    filters: asset.platform == "okta-org"
    mql: okta.organization.securityNotificationEmails['sendEmailForFactorEnrollmentEnabled'] == true
    docs:
      remediation:
        - id: console
          desc: |
            ### Configure factor enrollment notifications for end users
            1. In the Admin Console, go to **Security > General**.
            2. Under **Security Notification Emails**, select **Edit**.
            3. Set **MFA enrolled notification email** to **Enabled**.
            4. Select **Save**.
  - uid: mondoo-okta-security-factor-enrollment-notifications-terraform-hcl
    title: Enable factor enrollment notifications for end users
    impact: 80
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: terraform.resources.where( nameLabel == "okta_security_notification_emails" ).any( arguments['send_email_for_factor_enrollment_enabled'] == /var/ || arguments['send_email_for_factor_enrollment_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-factor-enrollment-notifications-terraform-plan
    title: Enable factor enrollment notifications for end users
    impact: 80
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: terraform.plan.resourceChanges.where( type == /okta_security_notification_emails/ ).all( change.after['send_email_for_factor_enrollment_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-factor-reset-notifications-for-end-users
    title: Enable factor reset notifications for end users
    impact: 80
    docs:
      desc: |
        When enabled, end users are sent an email notification to inform them that one or more factors have been reset for their account.

        ### Okta Recommends

        Enable this email notification to inform end users when one or more factors have been reset or removed.

        ### Security impact

        High

        ### User impact

        Low

        End users are sent an email notification if they or an admin reset a factor for their account.
    variants:
      - uid: mondoo-okta-security-factor-reset-notifications-for-end-users-api
      - uid: mondoo-okta-security-factor-reset-notifications-for-end-users-terraform-hcl
      - uid: mondoo-okta-security-factor-reset-notifications-for-end-users-terraform-plan
  - uid: mondoo-okta-security-factor-reset-notifications-for-end-users-api
    title: Enable factor reset notifications for end users
    impact: 80
    filters: asset.platform == "okta-org"
    mql: okta.organization.securityNotificationEmails['sendEmailForFactorResetEnabled'] == true
    docs:
      remediation:
        - id: console
          desc: |
            ### Configure factor reset notifications
            1. In the Admin Console, go to **Security > General**.
            2. Under **Security Notification Emails**, select **Edit**.
            3. Set **MFA reset notification email** to **Enabled**.
            4. Select **Save**.
  - uid: mondoo-okta-security-factor-reset-notifications-for-end-users-terraform-hcl
    title: Enable factor reset notifications for end users
    impact: 80
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: terraform.resources.where( nameLabel == "okta_security_notification_emails" ).any( arguments['send_email_for_factor_reset_enabled'] == /var/ || arguments['send_email_for_factor_reset_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-factor-reset-notifications-for-end-users-terraform-plan
    title: Enable factor reset notifications for end users
    impact: 80
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: terraform.plan.resourceChanges.where( type == /okta_security_notification_emails/ ).all( change.after['send_email_for_factor_reset_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-password-changed-notifications-for-end-users
    title: Enable password changed notification for end users
    impact: 80
    docs:
      desc: |
        When enabled, end users are sent an email notification to inform them that the password for their account has changed. This email contains details such as the time and location of the password change.

        ### Okta Recommends

        Enable this email notification to inform end users when their password on their account has been changed or reset.

        ### Security impact

        High

        ### User impact

        Low

        End users are sent an email notification if they change or reset the password on their account. Password changed notifications aren't sent if the admin sets a temporary password for the account, changes the password by API or if the end user is in an inactive state.
    variants:
      - uid: mondoo-okta-security-password-changed-notifications-for-end-users-api
      - uid: mondoo-okta-security-password-changed-notifications-for-end-users-terraform-hcl
      - uid: mondoo-okta-security-password-changed-notifications-for-end-users-terraform-plan
  - uid: mondoo-okta-security-password-changed-notifications-for-end-users-api
    title: Enable password changed notification for end users
    impact: 80
    filters: asset.platform == "okta-org"
    mql: okta.organization.securityNotificationEmails['sendEmailForPasswordChangedEnabled'] == true
    docs:
      remediation:
        - id: console
          desc: |
            ### Configure factor reset notifications
            1. In the Admin Console, go to **Security > General**.
            2. Under **Security Notification Emails**, select **Edit**.
            3. Set **Password changed notification email** to **Enabled**.
            4. Select **Save**.
  - uid: mondoo-okta-security-password-changed-notifications-for-end-users-terraform-hcl
    title: Enable password changed notification for end users
    impact: 80
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: terraform.resources.where( nameLabel == "okta_security_notification_emails" ).any( arguments['send_email_for_password_changed_enabled'] == /var/ || arguments['send_email_for_password_changed_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-password-changed-notifications-for-end-users-terraform-plan
    title: Enable password changed notification for end users
    impact: 80
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: terraform.plan.resourceChanges.where( type == /okta_security_notification_emails/ ).all( change.after['send_email_for_factor_reset_enabled'] == true )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_security_notification_emails" "example" {
              report_suspicious_activity_enabled       = true
              send_email_for_factor_enrollment_enabled = true
              send_email_for_factor_reset_enabled      = true
              send_email_for_new_device_enabled        = true
              send_email_for_password_changed_enabled  = true
            }
            ```
  - uid: mondoo-okta-security-password-settings-minimum-length
    title: Enable strong password settings for password policies - minimum length
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordLength
        mql: "15"
    docs:
      desc: |
        Specify a minimum password length of at least eight characters. Longer passwords provide greater protection against brute force attacks.

        Longer passwords are more difficult for users to remember, especially when combined with other complexity requirements (for example, require uppercase, lowercase, symbols, and so on). NIST recommends longer passwords that are easy to remember (“phrase-like”) but more difficult to obtain from brute force attacks.

        These recommendations are provided by Okta as an example of typical password standards. They're derived from current cybersecurity industry best practices. They aren't intended to replace internationally recognized cybersecurity standards, such as ISO 27001, National Institute of Standards and Technology (NIST), PCI-DSS, or others. Your IT department may need to adjust these settings to comply with whichever cybersecurity standard your organization has chosen to follow.
    variants:
      - uid: mondoo-okta-security-password-settings-minimum-length-api
      - uid: mondoo-okta-security-password-settings-minimum-length-terraform-hcl
      - uid: mondoo-okta-security-password-settings-minimum-length-terraform-plan
      - uid: mondoo-okta-security-password-settings-minimum-length-terraform-state
  - uid: mondoo-okta-security-password-settings-minimum-length-api
    title: Enable strong password settings for password policies - minimum length
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['complexity']['minLength'] >= 15 )
    docs:
      remediation:
        - id: console
          desc: |
            Configure password settings for password policies

            1. In the Admin Console menu, go to Security > Authentication.
            2. In the Password tab, review each policy. To edit the policy, select Edit.
            3. Edit the password settings based on the recommendations.
            4. To enable each setting, select the checkboxes for Password History, Password Age, Lock out, and Common Password Check.
  - uid: mondoo-okta-security-password-settings-minimum-length-terraform-hcl
    title: Enable strong password settings for password policies - minimum length
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_min_length'] == /var/ || arguments['password_min_length'] >= 15 )
    docs:
      remediation:
        - id: terraform
          desc: |
            ```
            resource "okta_policy_password_default" "default" {
              password_min_length            = var.password_minimum_length
            }
            ```
  - uid: mondoo-okta-security-password-settings-minimum-length-terraform-plan
    title: Enable strong password settings for password policies - minimum length
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_min_length'] >= 15 )
  - uid: mondoo-okta-security-password-settings-minimum-length-terraform-state
    title: Enable strong password settings for password policies - minimum length
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_min_length'] >= 15 )
  - uid: mondoo-okta-security-password-settings-max-lockout-attempts
    title: Enable strong password settings for password policies - max lockout attempts
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordMaxLockoutAttempts
        mql: "5"
    docs:
      desc: |
        Specify the maximum number of invalid password attempts before locking the user's account. This provides protection against brute-force password attacks.

        Users will be unable to access their accounts after multiple failed sign-ins.

        Admins configure the account unlock options in the lockout options in password policy rules.

        If an admin doesn't enable any self-service or auto-unlock options, users must ask their admin to unlock their account.

        When admins configure lockout policies, they should consider typical user sign-in patterns and security to determine how many attempts are allowed. A lockout policy that allows only a low number of attempts may cause more lockouts. For example, users may mistype passwords when signing in from a mobile device or when they've recently changed their passwords. Some applications may auto-retry cached passwords when they're changed, resulting in user lockouts. However, a lockout policy with too many attempts allowed increases the risk of credential attacks.
    variants:
      - uid: mondoo-okta-security-password-settings-max-lockout-attempts-api
      - uid: mondoo-okta-security-password-settings-max-lockout-attempts-terraform-hcl
      - uid: mondoo-okta-security-password-settings-max-lockout-attempts-terraform-plan
      - uid: mondoo-okta-security-password-settings-max-lockout-attempts-terraform-state
  - uid: mondoo-okta-security-password-settings-max-lockout-attempts-api
    title: Enable strong password settings for password policies - max lockout attempts
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['lockout']['maxAttempts'] >= 5 )
  - uid: mondoo-okta-security-password-settings-max-lockout-attempts-terraform-hcl
    title: Enable strong password settings for password policies - max lockout attempts
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_max_lockout_attempts'] == /var/ || arguments['password_max_lockout_attempts'] <= 5 )
  - uid: mondoo-okta-security-password-settings-max-lockout-attempts-terraform-plan
    title: Enable strong password settings for password policies - max lockout attempts
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_max_lockout_attempts'] <= 5 )
  - uid: mondoo-okta-security-password-settings-max-lockout-attempts-terraform-state
    title: Enable strong password settings for password policies - max lockout attempts
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_max_lockout_attempts'] <= 5 )
  - uid: mondoo-okta-security-password-settings-min-lowercase
    title: Enable strong password settings for password policies - minimum lowercase
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordminLowercase
        mql: "1"
    docs:
      desc: |
        Specify the minimum number of lowercase characters in a password. Complex passwords increase the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-min-lowercase-api
      - uid: mondoo-okta-security-password-settings-min-lowercase-terraform-hcl
      - uid: mondoo-okta-security-password-settings-min-lowercase-terraform-plan
      - uid: mondoo-okta-security-password-settings-min-lowercase-terraform-state
  - uid: mondoo-okta-security-password-settings-min-lowercase-api
    title: Enable strong password settings for password policies - minimum lowercase
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['complexity']['minLowerCase'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-lowercase-terraform-hcl
    title: Enable strong password settings for password policies - minimum lowercase
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_min_lowercase'] == /var/ || arguments['password_min_lowercase'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-lowercase-terraform-plan
    title: Enable strong password settings for password policies - minimum lowercase
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_min_lowercase'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-lowercase-terraform-state
    title: Enable strong password settings for password policies - minimum lowercase
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_min_lowercase'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-number
    title: Enable strong password settings for password policies - minimum number
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordminNumber
        mql: "1"
    docs:
      desc: |
        Specify the minimum number of lowercase characters in a password. Complex passwords increase the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-min-number-api
      - uid: mondoo-okta-security-password-settings-min-number-terraform-hcl
      - uid: mondoo-okta-security-password-settings-min-number-terraform-plan
      - uid: mondoo-okta-security-password-settings-min-number-terraform-state
  - uid: mondoo-okta-security-password-settings-min-number-api
    title: Enable strong password settings for password policies - minimum number
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['complexity']['minNumber'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-number-terraform-hcl
    title: Enable strong password settings for password policies - minimum number
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_min_number'] == /var/ || arguments['password_min_number'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-number-terraform-plan
    title: Enable strong password settings for password policies - minimum number
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_min_number'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-number-terraform-state
    title: Enable strong password settings for password policies - minimum number
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_min_number'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-symbols
    title: Enable strong password settings for password policies - minimum symbols
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordminSymbol
        mql: "1"
    docs:
      desc: |
        Specify the minimum number of symbol characters in a password. Complex passwords increase the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-min-symbols-api
      - uid: mondoo-okta-security-password-settings-min-symbols-terraform-hcl
      - uid: mondoo-okta-security-password-settings-min-symbols-terraform-plan
      - uid: mondoo-okta-security-password-settings-min-symbols-terraform-state
  - uid: mondoo-okta-security-password-settings-min-symbols-api
    title: Enable strong password settings for password policies - minimum symbols
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['complexity']['minSymbol'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-symbols-terraform-hcl
    title: Enable strong password settings for password policies - minimum symbols
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_min_symbol'] == /var/ || arguments['password_min_symbol'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-symbols-terraform-plan
    title: Enable strong password settings for password policies - minimum symbols
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_min_symbol'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-symbols-terraform-state
    title: Enable strong password settings for password policies - minimum symbols
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_min_symbol'] >= 1 )
  - uid: mondoo-okta-security-password-settings-min-age
    title: Enable strong password settings for password policies - minimum age
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordminAge
        title: Minimum time interval in minutes between password changes
        mql: "60"
    docs:
      desc: |
        Specify the minimum time interval in minutes between password changes. Setting the minimum password interval protects against brute force attacks.
    variants:
      - uid: mondoo-okta-security-password-settings-min-age-api
      - uid: mondoo-okta-security-password-settings-min-age-terraform-hcl
      - uid: mondoo-okta-security-password-settings-min-age-terraform-plan
      - uid: mondoo-okta-security-password-settings-min-age-terraform-state
  - uid: mondoo-okta-security-password-settings-min-age-api
    title: Enable strong password settings for password policies - minimum age
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['age']['minAgeMinutes'] <= 60 )
  - uid: mondoo-okta-security-password-settings-min-age-terraform-hcl
    title: Enable strong password settings for password policies - minimum age
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_min_age_minutes'] == /var/ || arguments['password_min_age_minutes'] <= 60 )
  - uid: mondoo-okta-security-password-settings-min-age-terraform-plan
    title: Enable strong password settings for password policies - minimum age
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_min_age_minutes'] <= 60 )
  - uid: mondoo-okta-security-password-settings-min-age-terraform-state
    title: Enable strong password settings for password policies - minimum age
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_min_age_minutes'] <= 60 )
  - uid: mondoo-okta-security-password-settings-exclude-username
    title: Enable strong password settings for password policies - exclude username
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordexcludeUsername
        title: Setting to enforce whether the username must be excluded from the password
        mql: "true"
    docs:
      desc: |
        This check enforces whether the username must be excluded from the password. Complex passwords increase the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-exclude-username-api
      - uid: mondoo-okta-security-password-settings-exclude-username-terraform-hcl
      - uid: mondoo-okta-security-password-settings-exclude-username-terraform-plan
      - uid: mondoo-okta-security-password-settings-exclude-username-terraform-state
  - uid: mondoo-okta-security-password-settings-exclude-username-terraform-hcl
    title: Enable strong password settings for password policies - exclude username
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_exclude_username'] == /var/ || arguments['password_exclude_username'] == true )
  - uid: mondoo-okta-security-password-settings-exclude-username-api
    title: Enable strong password settings for password policies - exclude username
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['complexity']['excludeUsername'] == true )
  - uid: mondoo-okta-security-password-settings-exclude-username-terraform-plan
    title: Enable strong password settings for password policies - exclude username
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_exclude_username'] == true )
  - uid: mondoo-okta-security-password-settings-exclude-username-terraform-state
    title: Enable strong password settings for password policies - exclude username
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_exclude_username'] == true )
  - uid: mondoo-okta-security-password-settings-exclude-first-name
    title: Enable strong password settings for password policies - exclude first name
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordexcludeFirstname
        title: Setting to enforce whether the user's first name must be excluded from the password
        mql: "true"
    docs:
      desc: |
        This check enforces whether the user's first name must be excluded from the password. Complex passwords increase the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-exclude-first-name-terraform-hcl
      - uid: mondoo-okta-security-password-settings-exclude-first-name-terraform-plan
  - uid: mondoo-okta-security-password-settings-exclude-first-name-terraform-hcl
    title: Enable strong password settings for password policies - exclude first name
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_exclude_first_name'] == /var/ || arguments['password_exclude_first_name'] == true )
  - uid: mondoo-okta-security-password-settings-exclude-first-name-terraform-plan
    title: Enable strong password settings for password policies - exclude first name
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_exclude_first_name'] == true )
  - uid: mondoo-okta-security-password-settings-exclude-last-name
    title: Enable strong password settings for password policies - exclude last name
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordexcludeLastName
        title: Setting to enforce whether the user's last name must be excluded from the password
        mql: "true"
    docs:
      desc: |
        This check enforces whether the user's last name must be excluded from the password. Complex passwords increase the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-exclude-last-name-terraform-hcl
      - uid: mondoo-okta-security-password-settings-exclude-last-name-terraform-plan
  - uid: mondoo-okta-security-password-settings-exclude-last-name-terraform-hcl
    title: Enable strong password settings for password policies - exclude last name
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_exclude_last_name'] == /var/ || arguments['password_exclude_last_name'] == true )
  - uid: mondoo-okta-security-password-settings-exclude-last-name-terraform-plan
    title: Enable strong password settings for password policies - exclude last name
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_exclude_last_name'] == true )
  - uid: mondoo-okta-security-password-settings-dictionary-lookup
    title: Enable strong password settings for password policies - dictionary lookup
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordDictionaryLookup
        title: Setting to check passwords against common password dictionary
        mql: "true"
    docs:
      desc: |
        This checks passwords against common password dictionary. Complex passwords increase the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-dictionary-lookup-api
      - uid: mondoo-okta-security-password-settings-dictionary-lookup-terraform-hcl
      - uid: mondoo-okta-security-password-settings-dictionary-lookup-terraform-plan
      - uid: mondoo-okta-security-password-settings-dictionary-lookup-terraform-state
  - uid: mondoo-okta-security-password-settings-dictionary-lookup-api
    title: Enable strong password settings for password policies - dictionary lookup
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['complexity']['dictionary']['common']['exclude'] == true )
  - uid: mondoo-okta-security-password-settings-dictionary-lookup-terraform-hcl
    title: Enable strong password settings for password policies - dictionary lookup
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_dictionary_lookup'] == /var/ || arguments['password_dictionary_lookup'] == true )
  - uid: mondoo-okta-security-password-settings-dictionary-lookup-terraform-plan
    title: Enable strong password settings for password policies - dictionary lookup
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_dictionary_lookup'] == true )
  - uid: mondoo-okta-security-password-settings-dictionary-lookup-terraform-state
    title: Enable strong password settings for password policies - dictionary lookup
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_dictionary_lookup'] == true )
  - uid: mondoo-okta-security-password-settings-max-age
    title: Enable strong password settings for password policies - max age
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordMaxAge
        title: Length in days a password is valid before expiry
        mql: "90"
    docs:
      desc: |
        This checks the length in days a password is valid before expiry. Rotating passwords increases the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-max-age-api
      - uid: mondoo-okta-security-password-settings-max-age-terraform-hcl
      - uid: mondoo-okta-security-password-settings-max-age-terraform-plan
      - uid: mondoo-okta-security-password-settings-max-age-terraform-state
  - uid: mondoo-okta-security-password-settings-max-age-api
    title: Enable strong password settings for password policies - max age
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['age']['maxAgeDays'] != 0 && settings['password']['age']['maxAgeDays'] <= 90 )
  - uid: mondoo-okta-security-password-settings-max-age-terraform-hcl
    title: Enable strong password settings for password policies - max age
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_max_age_days'] == /var/ || arguments['password_max_age_days'] != 0 && arguments['password_max_age_days'] <= 90 )
  - uid: mondoo-okta-security-password-settings-max-age-terraform-plan
    title: Enable strong password settings for password policies - max age
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_max_age_days'] != 0 && change.after['password_max_age_days'] <= 90 )
  - uid: mondoo-okta-security-password-settings-max-age-terraform-state
    title: Enable strong password settings for password policies - max age
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_max_age_days'] != 0 && values['password_max_age_days'] <= 90 )
  - uid: mondoo-okta-security-password-settings-expire-warning
    title: Enable strong password settings for password policies - expiration warning
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordExpireWarning
        title: Length in days a user will be warned before password expiry
        mql: "15"
    docs:
      desc: |
        This checks the length in days a user will be warned before password expiry. Rotating passwords increases the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-expire-warning-api
      - uid: mondoo-okta-security-password-settings-expire-warning-terraform-hcl
      - uid: mondoo-okta-security-password-settings-expire-warning-terraform-plan
      - uid: mondoo-okta-security-password-settings-expire-warning-terraform-state
  - uid: mondoo-okta-security-password-settings-expire-warning-api
    title: Enable strong password settings for password policies - expiration warning
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['age']['expireWarnDays'] != 0 && settings['password']['age']['expireWarnDays'] == 15 )
  - uid: mondoo-okta-security-password-settings-expire-warning-terraform-hcl
    title: Enable strong password settings for password policies - expiration warning
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_expire_warn_days'] == /var/ || arguments['password_expire_warn_days'] != 0 && arguments['password_expire_warn_days'] == 15 )
  - uid: mondoo-okta-security-password-settings-expire-warning-terraform-plan
    title: Enable strong password settings for password policies - expiration warning
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_expire_warn_days'] != 0 && change.after['password_expire_warn_days'] == 15)
  - uid: mondoo-okta-security-password-settings-expire-warning-terraform-state
    title: Enable strong password settings for password policies - expiration warning
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_expire_warn_days'] != 0 && values['password_expire_warn_days'] == 15 )
  - uid: mondoo-okta-security-password-settings-history-count
    title: Enable strong password settings for password policies - history count
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordHistoryCount
        title: Number of distinct passwords that must be created before they can be reused
        mql: "24"
    docs:
      desc: |
        This checks the number of distinct passwords that must be created before they can be reused. Rotating passwords increases the security of your users' accounts.
    variants:
      - uid: mondoo-okta-security-password-settings-history-count-api
      - uid: mondoo-okta-security-password-settings-history-count-terraform-hcl
      - uid: mondoo-okta-security-password-settings-history-count-terraform-plan
      - uid: mondoo-okta-security-password-settings-history-count-terraform-state
  - uid: mondoo-okta-security-password-settings-history-count-api
    title: Enable strong password settings for password policies - history count
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['age']['historyCount'] >= 24 )
  - uid: mondoo-okta-security-password-settings-history-count-terraform-hcl
    title: Enable strong password settings for password policies - history count
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_history_count'] == /var/ || arguments['password_history_count'] >= 24 )
  - uid: mondoo-okta-security-password-settings-history-count-terraform-plan
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_history_count'] >= 24 )
  - uid: mondoo-okta-security-password-settings-history-count-terraform-state
    title: Enable strong password settings for password policies - history count
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_history_count'] >= 24 )
  - uid: mondoo-okta-security-password-settings-password-auto-unlock-minutes
    title: Enable strong password settings for password policies - auto unlock
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordAutoUnlock
        title: Number of minutes before a locked account is unlocked
        mql: "30"
    docs:
      desc: |
        This checks the number of minutes before a locked account is unlocked.
    variants:
      - uid: mondoo-okta-security-password-settings-auto-unlock-minutes-api
      - uid: mondoo-okta-security-password-settings-auto-unlock-minutes-terraform-hcl
      - uid: mondoo-okta-security-password-settings-auto-unlock-minutes-terraform-plan
      - uid: mondoo-okta-security-password-settings-auto-unlock-minutes-terraform-state
  - uid: mondoo-okta-security-password-settings-auto-unlock-minutes-api
    title: Enable strong password settings for password policies - auto unlock
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['lockout']['autoUnlockMinutes'] >= 30 )
  - uid: mondoo-okta-security-password-settings-auto-unlock-minutes-terraform-hcl
    title: Enable strong password settings for password policies - auto unlock
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_auto_unlock_minutes'] == /var/ || arguments['password_auto_unlock_minutes'] >= 30 )
  - uid: mondoo-okta-security-password-settings-auto-unlock-minutes-terraform-plan
    title: Enable strong password settings for password policies - auto unlock
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_auto_unlock_minutes'] >= 30 )
  - uid: mondoo-okta-security-password-settings-auto-unlock-minutes-terraform-state
    title: Enable strong password settings for password policies - auto unlock
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_auto_unlock_minutes'] >= 30 )
  - uid: mondoo-okta-security-password-settings-password-show-lockout-failures
    title: Enable strong password settings for password policies - show lockout failures
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordShowLockoutFailures
        title: If a user should be informed when their account is locked
        mql: "true"
    docs:
      desc: |
        This checks whether a user should be informed when their account is locked.
    variants:
      - uid: mondoo-okta-security-password-settings-show-lockout-failures-api
      - uid: mondoo-okta-security-password-settings-show-lockout-failures-terraform-hcl
      - uid: mondoo-okta-security-password-settings-show-lockout-failures-terraform-plan
      - uid: mondoo-okta-security-password-settings-show-lockout-failures-terraform-state
  - uid: mondoo-okta-security-password-settings-show-lockout-failures-api
    title: Enable strong password settings for password policies - show lockout failures
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['password']['lockout']['showLockoutFailures'] == true )
  - uid: mondoo-okta-security-password-settings-show-lockout-failures-terraform-hcl
    title: Enable strong password settings for password policies - show lockout failures
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['password_show_lockout_failures'] == /var/ || arguments['password_show_lockout_failures'] == true )
  - uid: mondoo-okta-security-password-settings-show-lockout-failures-terraform-plan
    title: Enable strong password settings for password policies - show lockout failures
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['password_show_lockout_failures'] == true )
  - uid: mondoo-okta-security-password-settings-show-lockout-failures-terraform-state
    title: Enable strong password settings for password policies - show lockout failures
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['password_show_lockout_failures'] == true )
  - uid: mondoo-okta-security-password-settings-password-email-recovery
    title: Enable strong password settings for password policies - email recovery
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordEmailRecovery
        title: Enable or disable email password recovery - ACTIVE or INACTIVE
        mql: return "ACTIVE"
    docs:
      desc: |
        This checks whether email password recovery is enabled or disabled.
    variants:
      - uid: mondoo-okta-security-password-settings-email-recovery-api
      - uid: mondoo-okta-security-password-settings-email-recovery-terraform-hcl
      - uid: mondoo-okta-security-password-settings-email-recovery-terraform-plan
      - uid: mondoo-okta-security-password-settings-email-recovery-terraform-state
  - uid: mondoo-okta-security-password-settings-email-recovery-api
    title: Enable strong password settings for password policies - email recovery
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['recovery']['factors']['okta_email']['status'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-email-recovery-terraform-hcl
    title: Enable strong password settings for password policies - email recovery
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['email_recovery'] == /var/ || arguments['email_recovery'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-email-recovery-terraform-plan
    title: Enable strong password settings for password policies - email recovery
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['email_recovery'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-email-recovery-terraform-state
    title: Enable strong password settings for password policies - email recovery
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['email_recovery'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-password-sms-recovery
    title: Enable strong password settings for password policies - sms recovery
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordSmsRecovery
        title: Enable or disable sms password recovery - ACTIVE or INACTIVE
        mql: return "ACTIVE"
    docs:
      desc: |
        This checks whether sms password recovery is enabled or disabled.
    variants:
      - uid: mondoo-okta-security-password-settings-sms-recovery-api
      - uid: mondoo-okta-security-password-settings-sms-recovery-terraform-hcl
      - uid: mondoo-okta-security-password-settings-sms-recovery-terraform-plan
      - uid: mondoo-okta-security-password-settings-sms-recovery-terraform-state
  - uid: mondoo-okta-security-password-settings-sms-recovery-api
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['recovery']['factors']['okta_sms']['status'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-sms-recovery-terraform-hcl
    title: Enable strong password settings for password policies - sms recovery
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['sms_recovery'] == /var/ || arguments['sms_recovery'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-sms-recovery-terraform-plan
    title: Enable strong password settings for password policies - sms recovery
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['sms_recovery'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-sms-recovery-terraform-state
    title: Enable strong password settings for password policies - sms recovery
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['sms_recovery'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-password-question-recovery
    title: Enable strong password settings for password policies - question recovery
    impact: 30
    props:
      - uid: mondooOktaSecurityOktaPasswordQuestionRecovery
        title: Enable or disable question password recovery - ACTIVE or INACTIVE
        mql: return "ACTIVE"
    docs:
      desc: |
        This checks whether question password recovery is enabled or disabled.
    variants:
      - uid: mondoo-okta-security-password-settings-question-recovery-api
      - uid: mondoo-okta-security-password-settings-question-recovery-terraform-hcl
      - uid: mondoo-okta-security-password-settings-question-recovery-terraform-plan
      - uid: mondoo-okta-security-password-settings-question-recovery-terraform-state
  - uid: mondoo-okta-security-password-settings-question-recovery-api
    title: Enable strong password settings for password policies - question recovery
    impact: 30
    filters: asset.platform == "okta-org"
    mql: |
      okta.policies.password.all( settings['recovery']['factors']['recovery_question']['status'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-question-recovery-terraform-hcl
    title: Enable strong password settings for password policies - question recovery
    impact: 30
    filters: asset.platform == "terraform-hcl" && terraform.providers.any( nameLabel == "okta" )
    mql: |
      terraform.resources.where( nameLabel == /okta_policy_password/ ).all( arguments['question_recovery'] == /var/ || arguments['question_recovery'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-question-recovery-terraform-plan
    title: Enable strong password settings for password policies - question recovery
    impact: 30
    filters: asset.platform == "terraform-plan" && terraform.plan.resourceChanges.contains( providerName == /okta/ )
    mql: |
      terraform.plan.resourceChanges.where( type == /okta_policy_password/ ).all( change.after['question_recovery'] == "ACTIVE" )
  - uid: mondoo-okta-security-password-settings-question-recovery-terraform-state
    title: Enable strong password settings for password policies - question recovery
    impact: 30
    filters: asset.platform == "terraform-state" && terraform.state.resources.contains( type == /okta_policy_password/ )
    mql: |
      terraform.state.resources.where( type == /okta_policy_password/ ).all( values['question_recovery'] == "ACTIVE" )