v0.3.0

Major Changes

• Make it so that the scubagoggles reports link to the baselines by @jfevang in #323
• Add Detailed report messages for Drive&Docs by @snarve in #300
• Orchestrator: convert to class implementation by @rlxdev in #333
• Implement Gmail 19.2 and 19.3 in rego by @adhilto in #338
• Implement group checks for Meet (issue 320) by @rlxdev in #329
• New detailed report message for Groups by @snarve in #301
• Reporter: convert to class implementation (issue 166) by @rlxdev in #342
• Default Safe variable is incorrect in many cases by @snarve in #343
• Add Omit to the Summary Counts by @adhilto in #346
• Add functional smoke tests and automated testing workflow by @mitchelbaker-cisa in #336
• Rename the baseline markdown files by @adhilto in #354
• update supported Python version by @aormu in #356
• Add config file support for existing parameters by @adhilto in #413
• Add support for user input and documentation improvements to smoke testing workflow by @mitchelbaker-cisa in #416
• Update Calendar policy 4.1 to detect inherited settings by @snarve in #471
• Update sample report for v0.3.0 by @adhilto in #472

Documentation

• Update DownloadAndInstall.md by @LaurenBassett in #436
• Documentation Rehaul by @adhilto in #319
• Add instructions for upgrading scubagoggles by @adhilto in #433
• Update OPA.md by @LaurenBassett in #446
• Github guideline for branching and release process by @snarve in #365

Bugs Fixed

• Fixing Various Reported Broken Links by @mdueltgen in #437
• Correct the "No Such Event" behavior for Gmail policies with multiple settings by @adhilto in #369
• Correct no log event found for Gmail.14.1v03 by @LaurenBassett in #468

Baselines

• New Policy 5.1 for Meet for 1:1 Calling by @mdueltgen in #316
• Changes to Gmail Policies 9.1, 9.2 and 13.1 by @jkaufman-mitre in #310
• Add policy group 5 in Classroom baseline stating that only verified teachers can create classes by @jkaufman-mitre in #325
• Remove GWS.CHAT.5.1 by @jkaufman-mitre in #322
• Added Gmail Policy Group 19 by @jkaufman-mitre in #324
• Drive_Docs Changes to 1.6 and 6.1 by @jkaufman-mitre in #311
• Changes to Common Controls Baseline by @jkaufman-mitre in #315
• Update Gmail policies 5 and 7 to include all instances of spoofing and authentication settings that are not complaint by @snarve in #394
• Switched Security to Secure Across All Baselines by @jkaufman-mitre in #389

Dependency Updates

• The minimum supported Python version is now v3.10.x
• The supported version for the following Python modules has changed:
  • requests: changed from v2.32.0 to v2.32.3
  • tqdm: changed from v4.66.3 to v4.66.5
  • google-api-python-client from v1.7.9 to v2.142.0
  • google-auth-httplib2 from v0.0.3 to v0.2.0
  • google-auth-oauthlib from v0.4.0 to v1.2.1
  • MarkupSafe from v2.1.1 to v2.1.5

New Contributors

• @aormu made their first contribution in #356
• @k-winters made their first contribution in #401

Full Changelog: v0.2.0...v0.3.0

v0.2.0

Baseline Changes

• Increment baseline version number from v0.1 to v0.2
• Various spelling and wording improvements throughout the baseline documents
• Add additional MITRE ATT&CK TTP mappings
• Change rationale format to match format used in the M365 SCuBA baselines
• Renumbered policies when a policy is removed
• Drive & Docs
  • Remove GWS.DRIVEDOCS.2.1
  • Change GWS.DRIVEDOCS.1.3 to SHALL policy
• Google Calendar
  • Remove GWS.CALENDAR.1.2
  • Remove GWS.CALENDAR.3.2
• Gmail
  • Remove GWS.GMAIL.3.1
  • Remove GWS.GMAIL.12.1
  • Remove GWS.GMAIL.15.2
  • Remove GWS.GMAIL.19.1
  • Remove GWS.GMAIL.19.2
  • Remove GWS.GMAIL.22.1
  • Remove GWS.GMAIL.22.2
  • Remove GWS.GMAIL.23.x
  • Revise GWS.GMAIL.3.2 (now 3.1) to clarify actions for non-approved addresses
• Common Controls
  • Remove GWS.COMMONCONTROLS.6.1
  • Remove GWS.COMMONCONTROLS.9.1
  • Remove GWS.COMMONCONTROLS.9.3
  • Remove GWS.COMMONCONTROLS.9.4
  • Remove GWS.COMMONCONTROLS.12.1
• Google Chat
  • Add Chat policy GWS.CHAT.7.x for content reporting
  • Remove GWS.CHAT.4.2
• Google Meet
  • Change GWS.MEET.1.1 to SHOULD policy
• See full list of baseline changes here

Enhancements

• Refactor Rego code to follow current style best-practices
• Remove DNS over HTTPS (DoH) NXDOMAIN retry
• Create a JSON version of the HTML output
• Add support for service account authentication
• Enhance error handling for API calls
• Enhance report details for the Common Controls, Gmail, Calendar, Chat, Classroom, Meet, and Sites baseline reports
• Add support for detecting settings applied at the group level to Common Controls, Gmail, Calendar, Chat, Classroom, Meet, and Sites baseline reports
• See full list of enhancements here

Bugs

• Correct bug relating to the test summary counts for Rules/Common Controls
• Correct bug relating to classification of controls with no relevant events
• See full list of bugs here

Dependency Updates

• The minimum supported OPA version has changed from 0.42.2 to 0.45.0
• The supported version for the following Python modules has changed:
  • requests: changed from 2.31.0 to 2.32.0
  • dnspython: changed from 4.64.1 to 4.66.3
  • tqdm: changed from 2.2.1 to 2.6.1

Full Changelog: v0.1.0...v0.2.0

v0.1.0

This is the initial release of the SCuBA Google Workspace Security Configuration Baseline documents for RFC.
Provide feedback on the baselines by opening a GitHub issue or by emailing cybersharedservices@cisa.dhs.gov.

The ScubaGoggles tool itself is in an alpha state. Report outputs could be incorrect and should be reviewed carefully.
See the README for full instructions on running the tool.

The following SCuBA GWS baselines are available:

• Common Controls
• Gmail
• Google Calendar
• Google Chat
• Google Classroom
• Google Drive and Docs
• Google Meet
• Google Sites
• Groups for Business