diff --git a/Testing/RegoTests/commoncontrols/commoncontrols06_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols06_test.rego
index abce2a1f..d2ee133e 100644
--- a/Testing/RegoTests/commoncontrols/commoncontrols06_test.rego
+++ b/Testing/RegoTests/commoncontrols/commoncontrols06_test.rego
@@ -90,7 +90,7 @@ test_Count_Correct_V2 if {
 }
 test_Count_Correct_V3 if {
- # 4 super admins
+ # 8 super admins
 PolicyId := "GWS.COMMONCONTROLS.6.2v0.2"
 Output := tests with input as {
 "super_admins": [
@@ -109,7 +109,23 @@ test_Count_Correct_V3 if {
 {
 "primaryEmail": "admin4@example.org",
 "orgUnitPath": ""
- }
+ },
+ {
+ "primaryEmail": "admin5@example.org",
+ "orgUnitPath": ""
+ },
+ {
+ "primaryEmail": "admin6@example.org",
+ "orgUnitPath": ""
+ },
+ {
+ "primaryEmail": "admin7@example.org",
+ "orgUnitPath": ""
+ },
+ {
+ "primaryEmail": "admin8@example.org",
+ "orgUnitPath": ""
+ },
 ]
 }
@@ -119,15 +135,15 @@ test_Count_Correct_V3 if {
 not RuleOutput[0].NoSuchEvent
 RuleOutput[0].ReportDetails == concat("", [
 "The following super admins are configured: ",
- "admin1@example.org, admin2@example.org, admin3@example.org, ",
- "admin4@example.org. Note: Exceptions are ",
+ "admin1@example.org, admin2@example.org, admin3@example.org, admin4@example.org, ",
+ "admin5@example.org, admin6@example.org, admin7@example.org, admin8@example.org. Note: Exceptions are ",
 "allowed for \"break glass\" super admin accounts, ",
 "though we are not able to account for this automatically."
 ])
 }
 test_Count_Incorrect_V1 if {
- # 5 super admins
+ # 9 super admins
 PolicyId := "GWS.COMMONCONTROLS.6.2v0.2"
 Output := tests with input as {
 "super_admins": [
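Review bot: The baseline hunk for GWS.COMMONCONTROLS.6.2v0.2 elsewhere in this commit raises the SHALL statement to a maximum of **eight** super admins but leaves its rationale reading "having between 2 and 4 balances these two concerns", which now contradicts the ceiling these fixtures pin (eight admins compliant under `# 8 super admins` in test_Count_Correct_V3, nine non-compliant under `# 9 super admins` in test_Count_Incorrect_V1); that sentence should read `having between 2 and 8 balances these two concerns` so policy text, rationale and tests agree. The new expected ReportDetails elements also run past 100 characters where the old ones wrapped after three addresses, so splitting each into two shorter string elements would keep the concat readable. Both test bodies continue outside the hunks shown here.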
@@ -150,6 +166,22 @@ test_Count_Incorrect_V1 if {
 {
 "primaryEmail": "admin5@example.org",
 "orgUnitPath": ""
+ },
+ {
+ "primaryEmail": "admin6@example.org",
+ "orgUnitPath": ""
+ },
+ {
+ "primaryEmail": "admin7@example.org",
+ "orgUnitPath": ""
+ },
+ {
+ "primaryEmail": "admin8@example.org",
+ "orgUnitPath": ""
+ },
+ {
+ "primaryEmail": "admin9@example.org",
+ "orgUnitPath": ""
 }
 ]
 }
@@ -160,8 +192,8 @@ test_Count_Incorrect_V1 if {
 not RuleOutput[0].NoSuchEvent
 RuleOutput[0].ReportDetails == concat("", [
 "The following super admins are configured: ",
- "admin1@example.org, admin2@example.org, admin3@example.org, ",
- "admin4@example.org, admin5@example.org. Note: Exceptions are ",
+ "admin1@example.org, admin2@example.org, admin3@example.org, admin4@example.org, admin5@example.org, ",
+ "admin6@example.org, admin7@example.org, admin8@example.org, admin9@example.org. Note: Exceptions are ",
 "allowed for \"break glass\" super admin accounts, ",
 "though we are not able to account for this automatically."
 ])
diff --git a/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
index b97500eb..b5631535 100644
--- a/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
+++ b/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
@@ -4,33 +4,10 @@ import future.keywords
 #
 # GWS.COMMONCONTROLS.10.1v0.2
 #--
-test_AllowList_Correct_V1 if {
- # Test not implemented
- PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Currently not able to be tested automatically; please manually check."
-}
-#--
-
-#
-# GWS.COMMONCONTROLS.10.2v0.2
-#--
 test_AccessControl_Correct_V1 if {
 # Test restricted when there is no _HIGH_RISK event present
 # (not all services have a risk version, just Drive and Gmail)
- PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -58,7 +35,7 @@ test_AccessControl_Correct_V1 if {
 test_AccessControl_Correct_V2 if {
 # Test allowed with not high risk allowed
- PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -96,7 +73,7 @@ test_AccessControl_Correct_V2 if {
 test_AccessControl_Correct_V3 if {
 # Test restricted with not high risk disallowed
- PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -134,7 +111,7 @@ test_AccessControl_Correct_V3 if {
 test_AccessControl_Correct_V4 if {
 # Test multiple services
- PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -182,7 +159,7 @@ test_AccessControl_Correct_V4 if {
 test_AccessControl_Correct_V5 if {
 # Test multiple services, multiple events
- PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -251,7 +228,7 @@ test_AccessControl_Correct_V5 if {
 test_AccessControl_Incorrect_V1 if {
 # Test unrestricted when there is no _HIGH_RISK event present
 # (not all services have a risk version, just Drive and Gmail)
- PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -279,7 +256,7 @@ test_AccessControl_Incorrect_V1 if {
 test_AccessControl_Incorrect_V2 if {
 # Test unrestricted with not high risk disallowed
- PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -317,7 +294,7 @@ test_AccessControl_Incorrect_V2 if {
 test_AccessControl_Incorrect_V3 if {
 # Test unrestricted with no high risk version
- PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -345,7 +322,7 @@ test_AccessControl_Incorrect_V3 if {
 test_AccessControl_Incorrect_V4 if {
 # Test no events
- PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.1v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
@@ -368,11 +345,11 @@ test_AccessControl_Incorrect_V4 if {
 #--
 #
-# GWS.COMMONCONTROLS.10.3v0.2
+# GWS.COMMONCONTROLS.10.2v0.2
 #--
 test_Consent_Correct_V1 if {
 # Test disallow with no high risk version
- PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -400,7 +377,7 @@ test_Consent_Correct_V1 if {
 test_Consent_Correct_V2 if {
 # Test disallow with high risk version
- PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -438,7 +415,7 @@ test_Consent_Correct_V2 if {
 test_Consent_Incorrect_V1 if {
 # Test allow with no high risk version
- PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -466,7 +443,7 @@ test_Consent_Incorrect_V1 if {
 test_Consent_Incorrect_V2 if {
 # Test allow with high risk version allowed
- PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -504,7 +481,7 @@ test_Consent_Incorrect_V2 if {
 test_Consent_Incorrect_V3 if {
 # Test allow with high risk version blocked
- PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -542,7 +519,7 @@ test_Consent_Incorrect_V3 if {
 test_Consent_Incorrect_V4 if {
 # Test no events
- PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.2v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
@@ -565,11 +542,11 @@ test_Consent_Incorrect_V4 if {
 #--
 #
-# GWS.COMMONCONTROLS.10.4v0.2
+# GWS.COMMONCONTROLS.10.3v0.2
 #--
 test_Internal_Correct_V1 if {
 # Test basic
- PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -596,7 +573,7 @@ test_Internal_Correct_V1 if {
 test_Internal_Correct_V2 if {
 # Test multiple events
- PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -632,7 +609,7 @@ test_Internal_Correct_V2 if {
 test_Internal_Incorrect_V1 if {
 # Test basic
- PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -663,7 +640,7 @@ test_Internal_Incorrect_V1 if {
 test_Internal_Incorrect_V2 if {
 # Test multiple events
- PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -703,7 +680,7 @@ test_Internal_Incorrect_V2 if {
 test_Internal_Incorrect_V3 if {
 # Test no events
- PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.3v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
@@ -726,11 +703,11 @@ test_Internal_Incorrect_V3 if {
 #--
 #
-# GWS.COMMONCONTROLS.10.5v0.2
+# GWS.COMMONCONTROLS.10.4v0.2
 #--
 test_Unconfigured_Correct_V1 if {
 # Test basic
- PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -757,7 +734,7 @@ test_Unconfigured_Correct_V1 if {
 test_Unconfigured_Correct_V2 if {
 # Test basic multiple events
- PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -793,7 +770,7 @@ test_Unconfigured_Correct_V2 if {
 test_Unconfigured_Incorrect_V1 if {
 # Test unblock
- PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
@@ -825,7 +802,7 @@ test_Unconfigured_Incorrect_V1 if {
 test_Unconfigured_Incorrect_V2 if {
 # Test signin only
- PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
 {
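Review bot: The renumbering to `PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"` in test_Unconfigured_Correct_V1 (and the 10.3 and 10.2 shifts in the hunks above) is not carried into the drift-rules CSV in this same commit: its unchanged rows still key the "unconfigured third-party apps" rule as `GWS.COMMONCONTROLS.10.5v0.2(a)` and `(b)`, while the new 10.3 row now holds the internal-apps rule that used to be 10.4. Anyone correlating a failing test or report entry with a drift rule by policy ID will land on the wrong control, so those two rows should become 10.4v0.2(a)/(b) alongside this change. The same partial update is visible in the CSV's 11.1v0.2 rows, where (b) was changed to SHALL but (a) still reads SHOULD. The test bodies themselves continue outside the hunks shown here.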
@@ -857,7 +834,7 @@ test_Unconfigured_Incorrect_V2 if {
 test_Unconfigured_Incorrect_V3 if {
 # Test no events
- PolicyId := "GWS.COMMONCONTROLS.10.5v0.2"
+ PolicyId := "GWS.COMMONCONTROLS.10.4v0.2"
 Output := tests with input as {
 "commoncontrols_logs": {"items": [
diff --git a/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego
new file mode 100644
index 00000000..810090fb
--- /dev/null
+++ b/Testing/RegoTests/commoncontrols/commoncontrols16_test.rego
@@ -0,0 +1,131 @@
+package commoncontrols
+import future.keywords
+
+#
+# GWS.COMMONCONTROLS.16.1v0.2
+#--
+
+test_Unlisted_Correct_V1 if {
+ # Test 1 event
+ PolicyId := "GWS.COMMONCONTROLS.16.1v0.2"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "TOGGLE_SERVICE_ENABLED",
+ "parameters": [
+ {"name": "SERVICE_NAME", "value": "DISABLE_UNLISTED_SERVICES"},
+ {"name": "NEW_VALUE", "value": "true"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Unlisted_Correct_V2 if {
+ # Test inheritance
+ PolicyId := "GWS.COMMONCONTROLS.16.1v0.2"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "TOGGLE_SERVICE_ENABLED",
+ "parameters": [
+ {"name": "SERVICE_NAME", "value": "DISABLE_UNLISTED_SERVICES"},
+ {"name": "NEW_VALUE", "value": "true"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+ ]
+ }]
+ },
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "TOGGLE_SERVICE_ENABLED",
+ "parameters": [
+ {"name": "SERVICE_NAME", "value": "DISABLE_UNLISTED_SERVICES"},
+ {"name": "NEW_VALUE", "value": "INHERIT_FROM_PARENT"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Unlisted_Incorrect_V1 if {
+ PolicyId := "GWS.COMMONCONTROLS.16.1v0.2"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "TOGGLE_SERVICE_ENABLED",
+ "parameters": [
+ {"name": "SERVICE_NAME", "value": "DISABLE_UNLISTED_SERVICES"},
+ {"name": "NEW_VALUE", "value": "false"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ not RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == concat("", [
+ "The following OUs are non-compliant:"
+ ])
+}
+
+test_Unlisted_Incorrect_V2 if {
+ # Test no events
+ PolicyId := "GWS.COMMONCONTROLS.16.1v0.2"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ not RuleOutput[0].RequirementMet
+ RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == concat("", [
+ "No relevant event in the current logs for the top-level OU, Test Top-Level OU. While we are unable ",
+ "to determine the state from the logs, the default setting ",
+ "is non-compliant; manual check recommended."
+ ])
+}
+#--
\ No newline at end of file
diff --git a/Testing/RegoTests/commoncontrols/commoncontrols17_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols17_test.rego
new file mode 100644
index 00000000..3ff9f282
--- /dev/null
+++ b/Testing/RegoTests/commoncontrols/commoncontrols17_test.rego
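Review bot: test_Unlisted_Incorrect_V1 asserts `RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:"])`, an exact match that can only hold if the policy emits nothing after the colon; I cannot see the policy module here, but if the report lists the offending OU the test fails, and if it passes as written the report is not naming the OU that was set to `false`, which is itself worth checking. Either way the expected value should include `Test Top-Level OU` so the test pins which OU was flagged, and the single-element `concat` can be the plain string. The same prefix-only assertion appears in test_MPA_Incorrect_V1 in commoncontrols17_test.rego. test_Unlisted_Incorrect_V1 is also the only test in this file without a purpose comment; `# Test 1 event, unlisted services left enabled` would match its neighbours.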
@@ -0,0 +1,98 @@
+package commoncontrols
+import future.keywords
+
+#
+# GWS.COMMONCONTROLS.17.1v0.2
+#--
+test_MPA_Correct_V1 if {
+ # Test 1 event
+ PolicyId := "GWS.COMMONCONTROLS.17.1v0.2"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "CHANGE_APPLICATION_SETTING",
+ "parameters": [
+ {
+ "name": "SETTING_NAME",
+ "value": "Multi Party Approval (MPA) Control Multi Party Approval Control"
+ },
+ {"name": "NEW_VALUE", "value": "enabled"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_MPA_Incorrect_V1 if {
+ # Test 1 event
+ PolicyId := "GWS.COMMONCONTROLS.17.1v0.2"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "CHANGE_APPLICATION_SETTING",
+ "parameters": [
+ {
+ "name": "SETTING_NAME",
+ "value": "Multi Party Approval (MPA) Control Multi Party Approval Control"
+ },
+ {"name": "NEW_VALUE", "value": "disabled"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ not RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == concat("", [
+ "The following OUs are non-compliant:"
+ ])
+}
+
+test_MPA_Incorrect_V2 if {
+ # Test no relevent events
+ PolicyId := "GWS.COMMONCONTROLS.17.1v0.2"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ not RuleOutput[0].RequirementMet
+ RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == concat("", [
+ "No relevant event in the current logs for the top-level OU, ",
+ "Test Top-Level OU. While we are unable ",
+ "to determine the state from the logs, the default setting ",
+ "is non-compliant; manual check recommended."
+ ])
+}
+#--
\ No newline at end of file
diff --git a/baselines/Common Controls Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Common Controls Minimum Viable Secure Configuration Baseline v0.2.md
index a15b26b3..6c70b086 100644
--- a/baselines/Common Controls Minimum Viable Secure Configuration Baseline v0.2.md
+++ b/baselines/Common Controls Minimum Viable Secure Configuration Baseline v0.2.md
@@ -24,6 +24,8 @@ This baseline is based on Google documentation and addresses the following:
 - [System-Defined Rules](#13-system-defined-rules)
 - [Google Workspace Logs](#14-google-workspace-logs)
 - [Data Regions](#15-data-regions-and-storage)
+- [Additional Google Services](#16-additional-google-services)
+- [Multi-Party Approvals](#17-multi-party-approval)
 ## Assumptions
@@ -239,16 +241,7 @@ Policies restricting access to GWS based on signals about enterprise devices SHO - _Rationale:_ Granular device access control afforded by context-aware access is in alignment with Federal zero trust strategy and principles. Context-aware access can help to increase the security of your GWS data by allowing you to restrict access to certain applications or services based on user/device attributes. - _Last modified:_ July 10, 2023 - -- MITRE ATT&CK TTP Mapping - - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) - - [T1098:005: Account Manipulation: Device Registration](https://attack.mitre.org/techniques/T1098/005/) - -#### GWS.COMMONCONTROLS.2.2v0.2 -Use of context-aware access for more granular controls, including using Advanced Mode (CEL), MAY be maximized and tailored if necessary. - -- _Rationale:_ Unless you create and assign access levels, enabling context-aware access does not provide any additional protection. Context-aware access can help to increase the security of your GWS data by allowing you to restrict access to certain applications or services based on the user and/or device context. Advanced Mode's Common Expressions Language (CEL) gives administrators the ability to tailor access policies for devices, time-based use cases, authentication, and to combine multiple conditions into tailored controls. -- _Last modified:_ July 11, 2023 +- _Note:_ More granular controls may be used if the agency needs it. - MITRE ATT&CK TTP Mapping - [T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) 
@@ -296,10 +289,10 @@ To turn on Context-Aware Access: 1. Access the [Google Admin console](https://admin.google.com/). 2. From the menu, go to **Security** -\> **Access and data control** -\> **Context-Aware Access**. 3. Verify **Context-Aware Access** is **ON for everyone**. If not, click **Turn On**. +4. Select **Access Level** and select **Create Access Level** and determine the conditions of the rule per agency needs. +5. Select **Assign access levels to apps** and select Apps to apply the rule onto. -#### GWS.COMMONCONTROLS.2.2v0.2 Instructions Note that the implementation details of context-aware access use cases will vary per agency. Refer to [Google's documentation](https://support.google.com/a/answer/12643733) on implementing context-aware access for your specific use cases. Common use cases include: - - Require company-owned on desktop but not on mobile device - Require basic device security - Allow access to contractors only through the corporate network @@ -516,7 +509,7 @@ All highly privileged accounts SHALL leverage Google Account authentication with - [T1556:006: Modifying Authentication Process: Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006/) #### GWS.COMMONCONTROLS.6.2v0.2 -A minimum of **two** and maximum of **four** separate and distinct super admin users SHALL be configured. +A minimum of **two** and maximum of **eight** separate and distinct super admin users SHALL be configured. - _Rationale:_ The super admin role provides unfettered access to the workspace. Properly managing the number of users with this level of access makes workspace compromise more challenging. However, having too few accounts can be problematic as it increases the risk of losing admin access entirely (e.g., if a super admin forgets their password); having between 2 and 4 balances these two concerns. - _Last modified:_ July 10, 2023 
@@ -593,6 +586,7 @@ Account conflict management SHALL be configured to replace conflicting unmanaged - [Google Workspace Updates Blog | Resolve conflict accounts faster with the new Conflict Accounts Management tool](https://workspaceupdates.googleblog.com/2023/08/conflict-accounts-management-tool.html) - [Google Cloud Architecture Center | Migrating consumer accounts](https://cloud.google.com/architecture/identity/migrating-consumer-accounts#using_a_conflicting_account) - [Google Cloud Architecture Center | Best practices for planning accounts and organizations](https://cloud.google.com/architecture/identity/best-practices-for-planning) +- [How a conflicting account is created](https://support.google.com/accounts/answer/181526) ### Prerequisites 
@@ -718,20 +712,6 @@ Agencies need to have a process in place to manage and control application acces ### Policies #### GWS.COMMONCONTROLS.10.1v0.2 -Agencies SHALL develop and implement a process to explicitly allow-list (trust) third-party app access to GWS services. - -- _Rationale:_ Third-party apps may include malicious content. Developing a process to review and approve apps reduces the risk of allowing malicious apps to connect to the workspace. -- _Last modified:_ July 10, 2023 - -- MITRE ATT&CK TTP Mapping - - [T1550: Use Alternate Authentication Materials](https://attack.mitre.org/techniques/T1550/) - - [T1550:001: Use Alternate Authentication Materials: Application Access Token](https://attack.mitre.org/techniques/T1550/001/) - - [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/) - - [T1195:002: Supply Chain Compromise: Compromise Software Supply Chain](https://attack.mitre.org/techniques/T1195/002/) - - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - - [T1059:009: Command and Scripting Interpreter: Cloud API](https://attack.mitre.org/techniques/T1059/009/) - -#### GWS.COMMONCONTROLS.10.2v0.2 Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps. - _Rationale:_ Third-party apps may include malicious content. Restricting app access to only apps trusted by the agency reduces the risk of allowing malicious apps to connect to the workspace. 
@@ -745,7 +725,7 @@ Agencies SHALL use GWS application access control policies to restrict access to - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - [T1059:009: Command and Scripting Interpreter: Cloud API](https://attack.mitre.org/techniques/T1059/009/) -#### GWS.COMMONCONTROLS.10.3v0.2 +#### GWS.COMMONCONTROLS.10.2v0.2 Agencies SHALL NOT allow users to consent to access to low-risk scopes. - _Rationale:_ Allowing users to give access to OAuth scopes that aren't classified as high-risk could still allow for apps that are not trusted to be granted access by non-administrator personnel and without having to be allowlisted in accordance with policy 10.1. @@ -759,7 +739,7 @@ Agencies SHALL NOT allow users to consent to access to low-risk scopes. - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - [T1059:009: Command and Scripting Interpreter: Cloud API](https://attack.mitre.org/techniques/T1059/009/) -#### GWS.COMMONCONTROLS.10.4v0.2 +#### GWS.COMMONCONTROLS.10.3v0.2 Agencies SHALL NOT trust unconfigured internal apps. - _Rationale:_ Internal apps may contain vulnerabilities or even malicious content created by compromised user accounts. Restricting access to these apps reduces the risk of allowing unsafe apps to connect to the workspace. @@ -773,7 +753,7 @@ Agencies SHALL NOT trust unconfigured internal apps. - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) - [T1059:009: Command and Scripting Interpreter: Cloud API](https://attack.mitre.org/techniques/T1059/009/) -#### GWS.COMMONCONTROLS.10.5v0.2 +#### GWS.COMMONCONTROLS.10.4v0.2 Agencies SHALL NOT allow users to access unconfigured third-party apps. - _Rationale:_ External apps may contain vulnerabilities and malicious content. Restricting access to these apps reduces the risk of allowing unsafe apps to connect to the workspace. 
@@ -807,28 +787,25 @@ Agencies SHALL NOT allow users to access unconfigured third-party apps. 2. Go to **Security** -\> **Access and Data Control** -\> **API controls.** #### GWS.COMMONCONTROLS.10.1v0.2 instructions: -1. There are no implementation steps for this policy - -#### GWS.COMMONCONTROLS.10.2v0.2 instructions: 1. Select **Manage Google Services.** 2. Select the **Services box** to check all services boxes. 3. Once this box is selected, then the **Change access** link at the top of console will be available; select it. 4. Select **Restricted: Only trusted apps can access a service.** 5. Select **Change** then **confirm** if prompted. -#### GWS.COMMONCONTROLS.10.3v0.2 instructions: +#### GWS.COMMONCONTROLS.10.2v0.2 instructions: 1. Select **Manage Google Services.** 2. Select the **Services box** to check all services boxes. 3. Once this box is selected, then the **Change access** link at the top of console will be available; select it. 4. Ensure to uncheck the check box next to **For apps that are not trusted, allow users to give access to OAuth scopes that aren't classified as high-risk.** 5. Select **Change** then **confirm** if prompted. -#### GWS.COMMONCONTROLS.10.4v0.2 Instructions +#### GWS.COMMONCONTROLS.10.3v0.2 Instructions 1. Select **Settings.** 2. Select **Internal apps** and uncheck the box next to **Trust internal apps.** 3. Select **SAVE.** -#### GWS.COMMONCONTROLS.10.5v0.2 Instructions +#### GWS.COMMONCONTROLS.10.4v0.2 Instructions 1. Select **Settings.** 2. Select **Unconfigured third-party apps** and select **Don't allow users to access any third-party apps** 3. Select **SAVE.** 
@@ -847,7 +824,7 @@ Some older versions of common software may break when this control is implemente ### Policies #### GWS.COMMONCONTROLS.11.1v0.2 -Only approved Google Workspace Marketplace applications SHOULD be allowed for installation. +Only approved Google Workspace Marketplace applications SHALL be allowed for installation. - _Rationale:_ Marketplace apps may include malicious content. Restricting app access to only apps trusted by the agency reduces the risk of allowing malicious apps to connect to the workspace. - _Last modified:_ October 24, 2023 @@ -1075,11 +1052,9 @@ Audit logs SHALL be maintained for at least 6 months in active storage and an ad ### Implementation #### GWS.COMMONCONTROLS.14.1v0.2 Instructions -1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. -2. Go to Menu [Account \> Account settings \> Legal and compliance](https://admin.google.com/ac/companyprofile/legal). -3. Click **Sharing options.** -4. Select **Enabled.** -5. Click **Save**. +Follow the configuration instructions unique to the products and integration patterns at your organization to send the security logs to the security operations center for monitoring. + +Note: Agencies can benefit from security detection capabilities offered by the CISA Cloud Log Aggregation Warehouse (CLAW) system. Agencies are urged to send the logs to CLAW. Contact CISA at [cyberliason@cisa.dhs.gov] #### GWS.COMMONCONTROLS.14.2v0.2 Instructions 1. There is no implementation for this policy. 
@@ -1139,3 +1114,71 @@ To configure Supplemental Data Storage per the policy: 3. Click the **Supplemental Data Storage** card. 4. Ensure the checkbox for "**Russian Federation**" is unchecked. 6. Click **Save**. + + +## 16. Additional Google Services + +This section covers the Google services that do not have an individual control and whether these services are on or off. + +### Policy + +#### GWS.COMMONCONTROLS.16.1v0.2 +Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone. + +- _Rationale_: Allowing access to additional google services without a need may create unnecessary vulnerabilities within the Google Workspace environment. By turning these services off, it mitigates the risk by not allowing access. +- _Last modified:_ June 11, 2024 + +- MITRE ATT&CK TTP Mapping + - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) + - [T1199: Trusted Relationship](https://attack.mitre.org/techniques/T1199/) + - [T1204: User Execution](https://attack.mitre.org/techniques/T1204/) + - [T1204:001: Trusted Execution: Malicious Link](https://attack.mitre.org/techniques/T1204/001/) + - [T1204:002: Trusted Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) + - [T1204:003: Trusted Execution: Malicious Image](https://attack.mitre.org/techniques/T1204/003/) + +### Resources +- [GWS Admin Help \| Turn on or off additional Google services](https://support.google.com/a/answer/181865) + +### Prerequisites + +- Super Admin role + +### Implementation + +#### GWS.COMMONCONTROLS.16.1v0.2 Instructions +To configure additional services per the policy: +1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. +2. Navigate to **Apps** -> **Additional Google services**. +3. Click **CHANGE** at the top where it says if **Access to additional services without individual control for all organizational units is On/Off**. +4. 
Select the option: "**OFF for everyone**" +6. Click **Save**. + +## 17. Multi-Party Approval +This section covers whether multiple super admins need to approve changes to specific admin console settings. + +### Policy + +#### GWS.COMMONCONTROLS.17.1v0.2 +Require multi party approval for sensitive admin actions SHALL be enabled. + +- _Rationale_: Changes to sensitive admin settings, such as disabling 2-step verification, could introduce serious vulnerabilities in the GWS environment. Requiring multiple super admins to approve changes to those settings mitigates the risk changing these settings pose. +- _Last modified:_ June 20, 2024 + +- MITRE ATT&CK TTP Mapping + - No TTP Mappings + +### Resources +- [GWS Admin Help \| Multi-party approval for sensitive actions](https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F13790448%3Fhl%3Den&assistant_id=generic-unu&product_context=13790448&product_name=UnuFlow&trigger_context=a) + +### Prerequisites + +- Super Admin role + +### Implementation + +#### GWS.COMMONCONTROLS.17.1v0.2 Instructions +To configure additional services per the policy: +1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. +2. Navigate to **Security** -> **Authentication** -> **Multi-party approval settings**. +3. Ensure **Require multi party approval for sensitive admin actions** is checked. +4. Click **Save**. diff --git a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv index 47465a61..3b724ed8 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv 
@@ -18,16 +18,15 @@ GWS.COMMONCONTROLS.7.1v0.2,Account conflict management SHALL be configured to re GWS.COMMONCONTROLS.8.1v0.2,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16 GWS.COMMONCONTROLS.9.1v0.2,Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv5,JK 08-02-23 @ 09:20 GWS.COMMONCONTROLS.9.2v0.2,All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. This control enforces more secure protection of sensitive user accounts from targeted attacks. Sensitive user accounts include political appointees and other Senior Executive Service (SES) officials whose account compromise would pose a level of risk prohibitive to agency mission fulfillment.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv6,JK 08-02-23 @ 09:21 -GWS.COMMONCONTROLS.10.1v0.2,Agencies SHALL develop and implement a process to explicitly allow-list (trust) third-party app access to GWS services.,Admin Log Event,API Access Allowed,No Setting Name,No Value,rules/00gjdgxs1qiup12, -GWS.COMMONCONTROLS.10.2v0.2,Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.COMMONCONTROLS.10.3v0.2,Agencies SHALL NOT allow users to consent to access to low-risk scopes.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.COMMONCONTROLS.10.4v0.2,Agencies SHALL NOT trust unconfigured internal apps.,Admin Log Event,"Allow Google Sign-in only third party API access 
+GWS.COMMONCONTROLS.10.1v0.2,Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.COMMONCONTROLS.10.2v0.2,Agencies SHALL NOT allow users to consent to access to low-risk scopes.,N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.COMMONCONTROLS.10.3v0.2,Agencies SHALL NOT trust unconfigured internal apps.,Admin Log Event,"Allow Google Sign-in only third party API access OR All third party API access unblocked",No Setting Name,No Value,rules/00gjdgxs0xcbmu1, GWS.COMMONCONTROLS.10.5v0.2(a),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,All third party API access unblocked,No Setting Name,No Value,rules/00gjdgxs0zd46an,JK 09-22-23 @ 14:15 (works only from Don't allow) GWS.COMMONCONTROLS.10.5v0.2(b),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,Allow Google Sign-in only third party API access,No Setting Name,No Value,rules/00gjdgxs3b25o0w,JK 09-22-23 @ 14:15 (works only from Don't allow) GWS.COMMONCONTROLS.11.1v0.2(a),Only approved Google Workspace Marketplace applications SHOULD be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting Allowlist access,ALLOW_SPECIFIED,rules/00gjdgxs0o3dzli,JK 09-12-23 @ 13:33 -GWS.COMMONCONTROLS.11.1v0.2(b),Only approved Google Workspace Marketplace applications SHOULD be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting allow_all_internal_apps,false,rules/00gjdgxs3f0ca00,JK 11-14-23 @ 07:37 +GWS.COMMONCONTROLS.11.1v0.2(b),Only approved Google Workspace Marketplace applications SHALL be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting allow_all_internal_apps,false,rules/00gjdgxs3f0ca00,JK 11-14-23 @ 07:37 GWS.COMMONCONTROLS.11.2v0.2,Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL 
be prevented.,Admin Log Event,Less Secure Apps Access Setting Changed,No Setting Name,DISABLED,rules/00gjdgxs2y7rekk,JK 09-20-23 @ 06:51
 GWS.COMMONCONTROLS.12.1v0.2,Google Takeout services SHALL be disabled for users.,Admin Log Event,Toggle Service Enabled,N/A,false,rules/00gjdgxs3wksszz,JK 09-12-23 @ 13:19
 GWS.COMMONCONTROLS.13.1v0.2,"Required system-defined alerting rules, as listed in the Policy section, SHALL be active, with alerts enabled when available. Any system-defined rules not are considered optional but ought to be reviewed for consideration.",Admin Log Event,System Defined Rule Updated,N/A,N/A,rules/00gjdgxs1x4hrff,Needs Manual Verification of Status
diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego
index 7136dd38..bf9429cd 100644
--- a/rego/Commoncontrols.rego
+++ b/rego/Commoncontrols.rego
@@ -71,6 +71,29 @@ if {
 Group := utils.GetEventGroup(Event)
 }
 
+ToggleServiceEvents contains {
+ "Timestamp": time.parse_rfc3339_ns(Item.id.time),
+ "TimestampStr": Item.id.time,
+ "NewValue": NewValue,
+ "OrgUnit": OrgUnit,
+ "Group": Group
+}
+if {
+ some Item in input.commoncontrols_logs.items
+ some Event in Item.events
+ Event.name == "TOGGLE_SERVICE_ENABLED"
+
+ "SERVICE_NAME" in {Parameter.name | some Parameter in Event.parameters}
+ "NEW_VALUE" in {Parameter.name | some Parameter in Event.parameters}
+
+ ServiceName := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "SERVICE_NAME"][0]
+ NewValue := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "NEW_VALUE"][0]
+ OrgUnit := utils.GetEventOu(Event)
+ Group := utils.GetEventGroup(Event)
+
+ ServiceName == "DISABLE_UNLISTED_SERVICES"
+}
+
 LogEvents := utils.GetEvents("commoncontrols_logs")
 
 ########################
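Review bot: The rewritten 11.1v0.2(b) row now reads SHALL while the unchanged 11.1v0.2(a) row directly above it still reads SHOULD, so the two rows describing one control disagree; change the (a) row to `Only approved Google Workspace Marketplace applications SHALL be allowed for installation.` as well, which also matches the Criticality change to "Shall" made in Commoncontrols.rego. The two 10.5v0.2(a)/(b) rows are likewise left untouched even though the Rego for that control is renamed to GWS.COMMONCONTROLS.10.4v0.2 in this commit, so the drift-rule identifiers will no longer line up with the policy ids the tests emit. The old 10.4 row's quoted field is cut off in this view, so I could not check the old/new line counts for that part of the hunk.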
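Review bot: The new ToggleServiceEvents rule has no comment saying why it exists beside the generic utils.GetEvents extraction, and its only distinguishing condition, `ServiceName == "DISABLE_UNLISTED_SERVICES"`, sits at the end of the body after the timestamp parsing and OU/group lookups. Add a header such as `# Custom extraction for TOGGLE_SERVICE_ENABLED events; only the DISABLE_UNLISTED_SERVICES toggle is kept, for GWS.COMMONCONTROLS.16.1` and move the ServiceName comparison directly under the `ServiceName := ...` binding so the intent is visible first and the remaining lookups run only for matching events. The emitted object carries no EventName or ServiceName field, which is fine while a single service is selected but worth stating in the comment in case the rule is later widened.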
@@ -457,19 +480,6 @@ if {
 }
 #--
-#
-# Baseline GWS.COMMONCONTROLS.2.2v0.2
-#--
-
-tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.2.2v0.2",
- "Criticality": "May/Not-Implemented",
- "ReportDetails": "Currently not able to be tested automatically; please manually check.",
- "ActualValue": "",
- "RequirementMet": false,
- "NoSuchEvent": true
-}
-
 ########################
 # GWS.COMMONCONTROLS.3 #
 ########################
@@ -887,7 +897,7 @@ tests contains {
 }
 if {
 SuperAdmins := {Admin.primaryEmail | some Admin in input.super_admins}
- Conditions := {count(SuperAdmins) >= 2, count(SuperAdmins) <= 4}
+ Conditions := {count(SuperAdmins) >= 2, count(SuperAdmins) <= 8}
 Status := (false in Conditions) == false
 }
 #--
@@ -1014,19 +1024,6 @@ tests contains {
 #
 # Baseline GWS.COMMONCONTROLS.10.1v0.2
 #--
-tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.10.1v0.2",
- "Criticality": "Shall/Not-Implemented",
- "ReportDetails": "Currently not able to be tested automatically; please manually check.",
- "ActualValue": "",
- "RequirementMet": false,
- "NoSuchEvent": true
-}
-#--
-
-#
-# Baseline GWS.COMMONCONTROLS.10.2v0.2
-#--
 
 # NOTE: App access cannot be controlled at the group/OU level
 
@@ -1076,7 +1073,7 @@ HighRiskBlocked contains Service if {
 
 # Step 3: Identify services whose most recent event is an allow event and where
 # the high-risk context isn't blocked
-UnrestrictedServices10_2 contains Service if {
+UnrestrictedServices10_1 contains Service if {
 # Iterate through all services
 some Service in {Event.ServiceName | some Event in APIAccessEvents}
 # Ignore services that end risk _HIGH_RISK. Those are handled later
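Review bot: The raised bound in `Conditions := {count(SuperAdmins) >= 2, count(SuperAdmins) <= 8}` is an unexplained literal; the policy wording and the unit tests that pin it live in other files, so add a comment on that line such as `# Baseline allows 2-8 super admins; keep in sync with the baseline document and its unit tests` so the next change to the limit updates all of them together. Removing the GWS.COMMONCONTROLS.2.2v0.2 placeholder in the first hunk means no test rule emits that PolicyId any more; if the report template or baseline still lists 2.2 it will render with no result, which this diff cannot show. The enclosing `tests contains` rule of the super-admin hunk starts outside the hunk.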
@@ -1091,15 +1088,15 @@ UnrestrictedServices10_2 contains Service if {
 not concat("", [Service, "_HIGH_RISK"]) in HighRiskBlocked
 }
 
-ReportDetails10_2(true) := "Requirement met."
+ReportDetails10_1(true) := "Requirement met."
 
-ReportDetails10_2(false) := concat("", [
+ReportDetails10_1(false) := concat("", [
 "The following services allow access: ",
 concat(", ", UnrestrictedServices10_2), "."
 ])
 
 tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.10.2v0.2",
+ "PolicyId": "GWS.COMMONCONTROLS.10.1v0.2",
 "Criticality": "Shall",
 "ReportDetails": concat("", [
 "No API Access Allowed/Blocked events in the current logs. ",
@@ -1117,16 +1114,16 @@ if {
 }
 
 tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.10.2v0.2",
+ "PolicyId": "GWS.COMMONCONTROLS.10.1v0.2",
 "Criticality": "Shall",
- "ReportDetails": ReportDetails10_2(Status),
+ "ReportDetails": ReportDetails10_1(Status),
 "RequirementMet": Status,
 "NoSuchEvent": false
 }
 if {
 Events := APIAccessEvents
 count(Events) > 0
- Status := count(UnrestrictedServices10_2) == 0
+ Status := count(UnrestrictedServices10_1) == 0
 }
 
 # Note that the above logic doesn't filter for OU. As the logic for this setting
@@ -1135,10 +1132,10 @@ if {
 #--
 
 #
-# Baseline GWS.COMMONCONTROLS.10.3v0.2
+# Baseline GWS.COMMONCONTROLS.10.2v0.2
 #--
 # Identify services whose most recent event is an allow event
-UnrestrictedServices10_3 contains Service if {
+UnrestrictedServices10_2 contains Service if {
 # Iterate through all services
 some Service in {Event.ServiceName | some Event in APIAccessEvents}
 # Ignore services that end risk _HIGH_RISK. Those are handled later
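Review bot: `ReportDetails10_1(false)` in the first hunk still builds its message from `UnrestrictedServices10_2` — only the function name was renamed, not the set it reports — so once the old 10_3 set is renamed to 10_2 later in this commit, the failure text for GWS.COMMONCONTROLS.10.1 will list the services whose latest event is an allow regardless of high-risk blocking, while `Status` in the third hunk is computed from `UnrestrictedServices10_1`, so the reported text and the pass/fail result can disagree. Change the context line to `concat(", ", UnrestrictedServices10_1), "."`. Because the old name stays defined, OPA will not flag this; a unit test asserting the 10.1 ReportDetails for a service whose high-risk context is blocked would.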
@@ -1154,15 +1151,15 @@ UnrestrictedServices10_3 contains Service if {
 Event.EventName == "ALLOW_SERVICE_FOR_OAUTH2_ACCESS"
 }
 
-ReportDetails10_3(true) := "Requirement met."
+ReportDetails10_2(true) := "Requirement met."
 
-ReportDetails10_3(false) := concat("", [
+ReportDetails10_2(false) := concat("", [
 "The following services allow access: ",
- concat(", ", UnrestrictedServices10_3), "."
+ concat(", ", UnrestrictedServices10_2), "."
 ])
 
 tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.10.3v0.2",
+ "PolicyId": "GWS.COMMONCONTROLS.10.2v0.2",
 "Criticality": "SHALL",
 "ReportDetails": concat("", [
 "No API Access Allowed/Blocked events in the current logs. ",
@@ -1180,21 +1177,21 @@ if {
 }
 
 tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.10.3v0.2",
+ "PolicyId": "GWS.COMMONCONTROLS.10.2v0.2",
 "Criticality": "Shall",
- "ReportDetails": ReportDetails10_3(Status),
+ "ReportDetails": ReportDetails10_2(Status),
 "RequirementMet": Status,
 "NoSuchEvent": false
 }
 if {
 Events := APIAccessEvents
 count(Events) > 0
- Status := count(UnrestrictedServices10_3) == 0
+ Status := count(UnrestrictedServices10_2) == 0
 }
 #--
 
 #
-# Baseline GWS.COMMONCONTROLS.10.4v0.2
+# Baseline GWS.COMMONCONTROLS.10.3v0.2
 #--
 
 # NOTE: this setting cannot be set at the group level.
@@ -1216,7 +1213,7 @@ if {
 OrgUnit := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "ORG_UNIT_NAME"][0]
 }
 
-NonCompliantOUs10_4 contains {
+NonCompliantOUs10_3 contains {
 "Name": OU,
 "Value": "Trust internal apps is ON"
 } if {
@@ -1231,7 +1228,7 @@ NonCompliantOUs10_4 contains {
 }
 
 tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.10.4v0.2",
+ "PolicyId": "GWS.COMMONCONTROLS.10.3v0.2",
 "Criticality": "Shall",
 "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
 "ActualValue": "No relevant event for the top-level OU in the current logs",
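Review bot: The renamed GWS.COMMONCONTROLS.10.2v0.2 no-event rule in the first hunk keeps `"Criticality": "SHALL",` while its sibling rule in the second hunk and every other rule touched in this commit use `"Shall"`; if the report generator compares that string case-sensitively, the two results for one policy will be classified differently. Since the PolicyId line directly above is being rewritten anyway, changing it to `"Criticality": "Shall",` in the same hunk is cheap. The value predates this commit, so confirm how Criticality is consumed before treating it as a functional bug.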
@@ -1245,22 +1242,22 @@ if {
 }
 
 tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.10.4v0.2",
+ "PolicyId": "GWS.COMMONCONTROLS.10.3v0.2",
 "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs10_4, []),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_4},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs10_3, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_3},
 "RequirementMet": Status,
 "NoSuchEvent": false
 }
 if {
 Events := {Event | some Event in DomainOwnedAppAccessEvents; Event.OrgUnit == utils.TopLevelOU}
 count(Events) > 0
- Status := count(NonCompliantOUs10_4) == 0
+ Status := count(NonCompliantOUs10_3) == 0
 }
 #--
 
 #
-# Baseline GWS.COMMONCONTROLS.10.5v0.2
+# Baseline GWS.COMMONCONTROLS.10.4v0.2
 #--
 
 # NOTE: this setting cannot be set at the group level.
@@ -1283,15 +1280,15 @@ if {
 OrgUnit := [Parameter.value | some Parameter in Event.parameters; Parameter.name == "ORG_UNIT_NAME"][0]
 }
 
-GetFriendlyValue10_5(Value) := "Allow users to access any third-party apps" if {
+GetFriendlyValue10_4(Value) := "Allow users to access any third-party apps" if {
 Value == "UNBLOCK_ALL_THIRD_PARTY_API_ACCESS"
 } else := "Allow users to access third-party apps that only request basic info needed for Sign in with Google." if {
 Value == "SIGN_IN_ONLY_THIRD_PARTY_API_ACCESS"
 } else := concat(" ", [Value, "seconds"])
 
-NonCompliantOUs10_5 contains {
+NonCompliantOUs10_4 contains {
 "Name": OU,
- "Value": concat("", ["Unconfigured third-party app access is set to ", GetFriendlyValue10_5(LastEvent.EventName)])
+ "Value": concat("", ["Unconfigured third-party app access is set to ", GetFriendlyValue10_4(LastEvent.EventName)])
 } if {
 some OU in utils.OUsWithEvents
 Events := {Event | some Event in UnconfiguredAppAccessEvents; Event.OrgUnit == OU}
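Review bot: `GetFriendlyValue10_4` is renamed in the second hunk but keeps the fallback `} else := concat(" ", [Value, "seconds"])`, which appends "seconds" to whatever Event.EventName it is handed; the two matched values are event names, not durations, so for any unexpected event name the report would read something like "Unconfigured third-party app access is set to SOME_EVENT seconds" (constructed example). Suggest `} else := Value` or `} else := concat("", ["unrecognized value ", Value])` so the report stays truthful. The fallback is a context line and predates this commit; raising it because the function is being touched here.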
@@ -1304,7 +1301,7 @@ NonCompliantOUs10_5 contains {
 }
 
 tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.10.5v0.2",
+ "PolicyId": "GWS.COMMONCONTROLS.10.4v0.2",
 "Criticality": "Shall",
 "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
 "ActualValue": "No relevant event for the top-level OU in the current logs",
@@ -1318,17 +1315,17 @@ if {
 }
 
 tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.10.5v0.2",
+ "PolicyId": "GWS.COMMONCONTROLS.10.4v0.2",
 "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs10_5, []),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_5},
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs10_4, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_4},
 "RequirementMet": Status,
 "NoSuchEvent": false
 }
 if {
 Events := {Event | some Event in UnconfiguredAppAccessEvents; Event.OrgUnit == utils.TopLevelOU}
 count(Events) > 0
- Status := count(NonCompliantOUs10_5) == 0
+ Status := count(NonCompliantOUs10_4) == 0
 }
 #--
 
@@ -1417,7 +1414,7 @@ NonCompliantGroups11_1 contains {
 
 tests contains {
 "PolicyId": "GWS.COMMONCONTROLS.11.1v0.2",
- "Criticality": "Should",
+ "Criticality": "Shall",
 "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
 "ActualValue": "No relevant event for the top-level OU in the current logs",
 "RequirementMet": DefaultSafe,
@@ -1430,7 +1427,7 @@ if {
 
 tests contains {
 "PolicyId": "GWS.COMMONCONTROLS.11.1v0.2",
- "Criticality": "Should",
+ "Criticality": "Shall",
 "ReportDetails": utils.ReportDetails(NonCompliantOUs11_1, NonCompliantGroups11_1),
 "ActualValue": {"NonCompliantOUs": NonCompliantOUs11_1, "NonCompliantGroups": NonCompliantGroups11_1},
 "RequirementMet": Status,
@@ -1790,3 +1787,104 @@ if {
 Status := count(NonCompliantOUs15_2) == 0
 }
 #--
+
+#
+# Baseline GWS.COMMONCONTROLS.16.1v0.2
+#--
+
+# NOTE: This setting cannot be controlled at the group level
+
+NonCompliantOUs16_1 contains {
+ "Name": OU,
+ "Value": "Access to additional services without individual control is turned on"
+} if {
+ some OU in utils.OUsWithEvents
+ # Note that this setting requires the custom ToggleServiceEvents rule
+ Events := {Event | some Event in ToggleServiceEvents; Event.OrgUnit == OU}
+ # Ignore OUs without any events. We're already asserting that the
+ # top-level OU has at least one event; for all other OUs we assume
+ # they inherit from a parent OU if they have no events.
+ count(Events) > 0
+ LastEvent := utils.GetLastEvent(Events)
+ LastEvent.NewValue == "false"
+}
+
+tests contains {
+ "PolicyId": "GWS.COMMONCONTROLS.16.1v0.2",
+ "Criticality": "Should",
+ "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
+ "ActualValue": "No relevant event for the top-level OU in the current logs",
+ "RequirementMet": DefaultSafe,
+ "NoSuchEvent": true
+}
+if {
+ DefaultSafe := false
+ Events := {Event | some Event in ToggleServiceEvents; Event.OrgUnit == utils.TopLevelOU}
+ count(Events) == 0
+}
+
+tests contains {
+ "PolicyId": "GWS.COMMONCONTROLS.16.1v0.2",
+ "Criticality": "Should",
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs16_1, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs16_1},
+ "RequirementMet": Status,
+ "NoSuchEvent": false
+}
+if {
+ Events := {Event | some Event in ToggleServiceEvents; Event.OrgUnit == utils.TopLevelOU}
+ count(Events) > 0
+ Status := count(NonCompliantOUs16_1) == 0
+}
+#--
+
+#
+# Baseline GWS.COMMONCONTROLS.17.1v0.2
+#--
+
+# NOTE: This setting cannot be controlled at the group level
+
+NonCompliantOUs17_1 contains {
+ "Name": OU,
+ "Value": "Require multi party approval for sensitive admin actions is DISABLED"
+} if {
+ some OU in utils.OUsWithEvents
+ Events := 
utils.FilterEventsOU(LogEvents, "Multi Party Approval (MPA) Control Multi Party Approval Control", OU)
+ # Ignore OUs without any events. We're already asserting that the
+ # top-level OU has at least one event; for all other OUs we assume
+ # they inherit from a parent OU if they have no events.
+ count(Events) > 0
+ LastEvent := utils.GetLastEvent(Events)
+ LastEvent.NewValue == "disabled"
+}
+
+tests contains {
+ "PolicyId": "GWS.COMMONCONTROLS.17.1v0.2",
+ "Criticality": "Shall",
+ "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
+ "ActualValue": "No relevant event for the top-level OU in the current logs",
+ "RequirementMet": DefaultSafe,
+ "NoSuchEvent": true
+}
+if {
+ DefaultSafe := false
+ SettingName := "Multi Party Approval (MPA) Control Multi Party Approval Control"
+ Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
+ count(Events) == 0
+}
+
+tests contains {
+ "PolicyId": "GWS.COMMONCONTROLS.17.1v0.2",
+ "Criticality": "Shall",
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs17_1, []),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs17_1},
+ "RequirementMet": Status,
+ "NoSuchEvent": false
+}
+if {
+ SettingName := "Multi Party Approval (MPA) Control Multi Party Approval Control"
+ Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
+ count(Events) > 0
+ Status := count(NonCompliantOUs17_1) == 0
+}
+#--
\ No newline at end of file
diff --git a/scubagoggles/provider.py b/scubagoggles/provider.py
index 270bc4a0..04dfb141 100644
--- a/scubagoggles/provider.py
+++ b/scubagoggles/provider.py
@@ -387,6 +387,7 @@ def get_gws_logs(self, products: list, event: str) -> dict:
 'Timeline - Location History',
 'YouTube',
 'Google Cloud Platform Sharing Options',
+ 'Multi Party Approval'
 ],
 'drive': ['Drive and Docs'],
 'gmail': ['Gmail'],
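Review bot: In `NonCompliantOUs16_1` the non-compliance condition `LastEvent.NewValue == "false"` reads as the opposite of the reported `"Value": "Access to additional services without individual control is turned on"` unless the reader already knows NEW_VALUE is the DISABLE_UNLISTED_SERVICES flag selected by ToggleServiceEvents; add `# NEW_VALUE is the DISABLE_UNLISTED_SERVICES flag, so "false" means unlisted services remain accessible` above that line. In the 17.1 rules the setting name `"Multi Party Approval (MPA) Control Multi Party Approval Control"` is spelled out three times (inline in NonCompliantOUs17_1 and twice as SettingName); define it once, e.g. `MPASettingName := "Multi Party Approval (MPA) Control Multi Party Approval Control"`, and reference it from all three places so a typo cannot silently make one rule never match. The `"disabled"` literal compared in NonCompliantOUs17_1 differs in form from the `"false"` used for 16.1 and no sample event is visible here, so confirm it against a real Multi Party Approval log entry. The file also ends without a trailing newline after the final `#--`.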
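Review bot: The new list entry `'Multi Party Approval'` omits the trailing comma that the preceding entries shown in this hunk carry, so the next addition will have to touch this line again; write it as `'Multi Party Approval',`. The 17.1 rule added to Commoncontrols.rego depends on this application name matching what the Reports API returns, which this diff cannot show. get_gws_logs continues outside the hunk.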