Add policy group 5 in Classroom baseline stating that only verified teachers can create classes

baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md

@@ -28,6 +28,7 @@ This baseline is based on Google documentation available at the [Gmail Google Wo
 - [Security Sandbox](#16-security-sandbox)
 - [Comprehensive Mail Storage](#17-comprehensive-mail-storage)
 - [Content Compliance Filtering](#18-content-compliance-filtering)
+- [Spam Filtering](#19-spam-filtering)
 
 
 Within Google Workspace, settings can be assigned to users through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes.
@@ -1152,3 +1153,67 @@ To configure the settings for Objectionable content:
 
 #### GWS.GMAIL.18.3v0.2 Instructions
 1.  There is no implementation steps for this policy.
+
+
+## 19. Spam Filtering
+
+This section covers the settings relating to bypassing spam filters.
+
+### Policies
+
+#### GWS.GMAIL.19.1v0.1
+Domains SHALL NOT be added to lists that bypass spam filters.
+
+- _Rationale:_ Allowing an entire domain to bypass the spam filters allows for the potential for a spoofed email within the domain to bypass the filter. Only allowing specific users to bypass helps mitigate the risk.
+- _Last modified:_ April 10, 2024
+- _Note:_ Allowed senders MAY be added.
+
+- MITRE ATT&CK TTP Mapping
+  - { Needs TTP Mappings }
+
+#### GWS.GMAIL.19.2v0.1
+Domains SHALL NOT be added to lists that bypass spam filters and hide warnings.
+
+- _Rationale:_ Allowing an entire domain to bypass the spam filters and hide warnings allows for the potential for a spoofed email within the domain to bypass the filter and prevents the user from knowing. Not adding domains and users helps mitigate the risk.
+- _Last modified:_ April 10, 2024
+
+- MITRE ATT&CK TTP Mapping
+  - { Needs TTP Mappings }
+
+#### GWS.GMAIL.19.3v0.1
+Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled.
+
+- _Rationale:_ Bypassing spam filters and hiding warning for all messages from internal and external senders creates a security risk because of the potential for a malicious message being able to bypass filters. Disabling this feature mitigates the risk.
+- _Last modified:_ April 10, 2024
+
+- MITRE ATT&CK TTP Mapping
+  - { Needs TTP Mappings }
+
+### Resources
+
+-   [How to bypass the spam filter for incoming emails using the spam settings ](https://knowledge.workspace.google.com/kb/how-to-bypass-the-spam-filter-for-incoming-emails-using-the-spam-settings-000006661)
+
+### Prerequisites
+
+-   N/A
+
+### Implementation
+
+To configure the settings for spam filtering:
+
+#### Policy Group 19 Common Instructions
+1.  Sign in to the [Google Admin Console](https://admin.google.com).
+2.  Select **Apps -\> Google Workspace -\> Gmail**.
+3.  Select **Spam, Phishing, and Malware**.
+
+#### GWS.GMAIL.19.1v0.1 Instructions
+1.  Un-select **Bypass spam filters for messages from senders or domains in selected lists.**
+2.  Select **Save**.
+
+#### GWS.GMAIL.19.2v0.1 Instructions
+1.  Un-select **Bypass spam filters and hide warnings for messages from senders or domains in selected lists.**
+2.  Select **Save**.
+
+#### GWS.GMAIL.19.3v0.1 Instructions
+1.  Un-select **Bypass spam filters and hide warnings for all messages from internal and external senders**
+2.  Select **Save**.

baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md

@@ -175,9 +175,43 @@ Only teachers SHALL be allowed to unenroll students from classes.
 ### Implementation
 To configure the settings for Student Unenrollment:
 
-#### GWS.CLASSROOM.4.1v0.2 Instructions
+#### GWS.CLASSROOM.5.1v0.2 Instructions
 1.  Sign in to the [Google Admin Console](https://admin.google.com).
 2.  Select **Apps** -\> **Additional Google Service** -\> **Classroom**.
 3.  Select **Student unenrollment**.
 4.  Select **Teachers Only**.
 5.  Select **Save**.
+
+## 5. Class Creation
+
+This section covers who has the ability to create classes.
+
+### Policy
+
+#### GWS.CLASSROOM.5.1v0.2
+Who can create classes SHALL be set to Verified teachers only.
+
+- _Rationale:_ Allowing pending teachers to create classes allows for potential unauthorized data creation which creates a security risk. By allowing only verified teachers to create classes mitigates the risk.
+- _Last modified:_ June 21, 2024
+
+- MITRE ATT&CK TTP Mapping
+  - Pending
+
+### Resources
+
+-   [Verify teachers and set permissions](https://support.google.com/edu/classroom/answer/6071551?hl=en)
+
+### Prerequisites
+
+-   None
+
+### Implementation
+To configure the settings for Student Unenrollment:
+
+#### GWS.CLASSROOM.4.1v0.2 Instructions
+1.  Sign in to the [Google Admin Console](https://admin.google.com).
+2.  Select **Apps** -\> **Additional Google Service** -\> **Classroom**.
+3.  Select **General Settings**.
+4.  Select **Teacher permissions**.
+5.  Select **Verified teachers only** for **Who can create classes?**
+5.  Select **Save**.

drift-rules/GWS Drift Monitoring Rules - Classroom.csv

@@ -3,4 +3,5 @@ GWS.CLASSROOM.1.1v0.2,Who can join classes in your domain SHALL be set to Users
 GWS.CLASSROOM.1.2v0.2,Which classes can users in your domain join SHALL be set to Classes in your domain only,Admin Log Events,Change Application Setting,ClassMembershipSettingProto which_classes_can_users_join,1,rules/00gjdgxs0hj2dit,JK 10-20-23 @ 13:23
 GWS.CLASSROOM.2.1v0.2,Classroom API SHALL be disabled for users,Admin Log Events,Change Application Setting,ApiDataAccessSettingProto api_access_enabled,false,rules/00gjdgxs3aafl8p,JK 10-20-23 @ 13:31
 GWS.CLASSROOM.3.1v0.2,Roster import with Clever SHOULD be turned off,Admin Log Events,Change Application Setting,RosterImportSettingsProto sis_integrator,SIS_INTEGRATOR_NONE,rules/00gjdgxs25t0l8g,JK 10-20-23 @ 13:42
-GWS.CLASSROOM.4.1v0.2,Who can unenroll students from classes SHALL be set to Teachers Only,Admin Log Events,Change Application Setting,StudentUnenrollmentSettingsProto who_can_unenroll_students,ONLY_TEACHERS_CAN_UNENROLL_STUDENTS,rules/00gjdgxs44rgreu,JK 10-20-23 @ 13:50
+GWS.CLASSROOM.4.1v0.2,Who can unenroll students from classes SHALL be set to Teachers Only,Admin Log Events,Change Application Setting,StudentUnenrollmentSettingsProto who_can_unenroll_students,ONLY_TEACHERS_CAN_UNENROLL_STUDENTS,rules/00gjdgxs44rgreu,JK 10-20-23 @ 13:50
+GWS.CLASSROOM.5.1v0.2,Who can create classes SHALL be set to Verified teachers only.,Admin Log Events,Change Application Setting,TeacherPermissionsSettingProto who_can_create_class,rules/00gjdgxs4cfwumr,JK 06-21-24 @ 11:58

drift-rules/GWS Drift Monitoring Rules - Gmail.csv

@@ -50,3 +50,6 @@ GWS.GMAIL.17.1v0.2,Comprehensive mail storage SHOULD be enabled to ensure inform
 GWS.GMAIL.18.1v0.2,Content filtering SHOULD be enabled within Gmail messages.,N/A,N/A,N/A,N/A,N/A,Not Alertable
 GWS.GMAIL.18.2v0.2,Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable
 GWS.GMAIL.18.3v0.2,"Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable
+GWS.GMAIL.19.1v0.1,"Domains SHALL NOT be added to lists that bypass spam filters.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45
+GWS.GMAIL.19.2v0.1,"Domains SHALL NOT be added to lists that bypass spam filters and hide warnings.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45
+GWS.GMAIL.19.3v0.1,"Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45