diff --git a/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
index dc6a7e96..428b6b80 100644
--- a/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
+++ b/Testing/RegoTests/commoncontrols/commoncontrols10_test.rego
@@ -854,4 +854,246 @@ test_Unconfigured_Incorrect_V3 if {
"to determine the state from the logs, the default setting ",
"is non-compliant; manual check recommended."
])}
+#--
+
+
+#
+# GWS.COMMONCONTROLS.10.5v0.3
+#--
+test_Access_Correct_V1 if {
+ # Test 1 event
+ PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
+ "parameters": [
+ {"name": "NEW_VALUE", "value": "DENIED"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Access_Correct_V2 if {
+ # Test multiple events
+ PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
+ "parameters": [
+ {"name": "NEW_VALUE", "value": "DENIED"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
+ ]
+ }]
+ },
+ {
+ "id": {"time": "2021-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
+ "parameters": [
+ {"name": "NEW_VALUE", "value": "ALLOWED"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Access_Incorrect_V1 if {
+ # Test 1 event
+ PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
+ "parameters": [
+ {"name": "NEW_VALUE", "value": "ALLOWED"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ not RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == concat("", [
+ "The following OUs are non-compliant:
",
+ "- Test Top-Level OU: Allow users to manage their access to less secure apps is ON
",
+ "
"
+ ])
+}
+
+test_Access_Incorrect_V2 if {
+ # Test multiple events
+ PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2022-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
+ "parameters": [
+ {"name": "NEW_VALUE", "value": "ALLOWED"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
+ ]
+ }]
+ },
+ {
+ "id": {"time": "2021-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
+ "parameters": [
+ {"name": "NEW_VALUE", "value": "DENIED"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ not RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == concat("", [
+ "The following OUs are non-compliant:",
+ "- Test Top-Level OU: Allow users to manage their access to less secure apps is ON
",
+ "
"
+ ])
+}
+
+test_Access_Incorrect_V3 if {
+ # Test no relevant events
+ PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ RuleOutput[0].RequirementMet
+ RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == concat("", [
+ "No relevant event in the current logs for the top-level OU, ",
+ "Test Top-Level OU. While we are unable ",
+ "to determine the state from the logs, the default setting ",
+ "is compliant; manual check recommended."
+ ])}
+
+test_Access_Incorrect_V4 if {
+ # Test no relevant events in top-level OU
+ PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2021-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
+ "parameters": [
+ {"name": "NEW_VALUE", "value": "DENIED"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ RuleOutput[0].RequirementMet
+ RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == concat("", [
+ "No relevant event in the current logs for the top-level OU, ",
+ "Test Top-Level OU. While we are unable ",
+ "to determine the state from the logs, the default setting ",
+ "is compliant; manual check recommended."
+ ])}
+
+test_Access_Incorrect_V5 if {
+ # Test multiple OUs
+ PolicyId := "GWS.COMMONCONTROLS.10.5v0.3"
+ Output := tests with input as {
+ "commoncontrols_logs": {"items": [
+ {
+ "id": {"time": "2021-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
+ "parameters": [
+ {"name": "NEW_VALUE", "value": "ALLOWED"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
+ ]
+ }]
+ },
+ {
+ "id": {"time": "2021-12-20T00:02:28.672Z"},
+ "events": [{
+ "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
+ "parameters": [
+ {"name": "NEW_VALUE", "value": "DENIED"},
+ {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
+ ]
+ }]
+ }
+ ]},
+ "tenant_info": {
+ "topLevelOU": "Test Top-Level OU"
+ }
+ }
+
+ RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+ count(RuleOutput) == 1
+ not RuleOutput[0].RequirementMet
+ not RuleOutput[0].NoSuchEvent
+ RuleOutput[0].ReportDetails == concat("", [
+ "The following OUs are non-compliant:",
+ "- Test Second-Level OU: Allow users to manage their access to less secure apps is ON
",
+ "
"
+ ])
+}
#--
\ No newline at end of file
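Review bot: The expected ReportDetails prefix is inconsistent across the new tests: test_Access_Incorrect_V1 expects `"The following OUs are non-compliant:` followed by a line break before the closing quote, while test_Access_Incorrect_V2 and test_Access_Incorrect_V5 expect `"The following OUs are non-compliant:",` with no break, so both forms cannot match the same output of utils.ReportDetails and one of them will fail as written. The 11.2 copies this commit deletes all used the no-break form, which suggests V1 is the stray one and should be aligned to `"The following OUs are non-compliant:",`. The string literals in these tests also appear to contain raw line breaks; if those are `\n` escapes unfolded by the page rendering the point above still holds, but if they are literal newlines the file will not parse in Rego. Separately, test_Access_Incorrect_V3 and test_Access_Incorrect_V4 assert RequirementMet and NoSuchEvent, i.e. a compliant-by-default outcome, so a comment such as `# "Incorrect" here refers to the missing event; the control defaults to compliant` above each would make the naming less misleading.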
diff --git a/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego b/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego
index 97507cc0..4e697da2 100644
--- a/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego
+++ b/Testing/RegoTests/commoncontrols/commoncontrols11_test.rego
@@ -502,246 +502,4 @@ test_Installation_Incorrect_V7 if {
""
])
}
-#--
-
-
-#
-# GWS.COMMONCONTROLS.11.2v0.3
-#--
-test_Access_Correct_V1 if {
- # Test 1 event
- PolicyId := "GWS.COMMONCONTROLS.11.2v0.3"
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_Access_Correct_V2 if {
- # Test multiple events
- PolicyId := "GWS.COMMONCONTROLS.11.2v0.3"
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOWED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_Access_Incorrect_V1 if {
- # Test 1 event
- PolicyId := "GWS.COMMONCONTROLS.11.2v0.3"
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOWED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: Allow users to manage their access to less secure apps is ON
",
- "
"
- ])
-}
-
-test_Access_Incorrect_V2 if {
- # Test multiple events
- PolicyId := "GWS.COMMONCONTROLS.11.2v0.3"
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOWED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Top-Level OU: Allow users to manage their access to less secure apps is ON
",
- "
"
- ])
-}
-
-test_Access_Incorrect_V3 if {
- # Test no relevant events
- PolicyId := "GWS.COMMONCONTROLS.11.2v0.3"
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "No relevant event in the current logs for the top-level OU, ",
- "Test Top-Level OU. While we are unable ",
- "to determine the state from the logs, the default setting ",
- "is compliant; manual check recommended."
- ])}
-
-test_Access_Incorrect_V4 if {
- # Test no relevant events in top-level OU
- PolicyId := "GWS.COMMONCONTROLS.11.2v0.3"
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "No relevant event in the current logs for the top-level OU, ",
- "Test Top-Level OU. While we are unable ",
- "to determine the state from the logs, the default setting ",
- "is compliant; manual check recommended."
- ])}
-
-test_Access_Incorrect_V5 if {
- # Test multiple OUs
- PolicyId := "GWS.COMMONCONTROLS.11.2v0.3"
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "ALLOWED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"}
- ]
- }]
- },
- {
- "id": {"time": "2021-12-20T00:02:28.672Z"},
- "events": [{
- "name": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
- "parameters": [
- {"name": "NEW_VALUE", "value": "DENIED"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:",
- "- Test Second-Level OU: Allow users to manage their access to less secure apps is ON
",
- "
"
- ])
-}
#--
\ No newline at end of file
diff --git a/baselines/commoncontrols.md b/baselines/commoncontrols.md
index 590cb4da..ab14c749 100644
--- a/baselines/commoncontrols.md
+++ b/baselines/commoncontrols.md
@@ -784,6 +784,19 @@ Agencies SHALL NOT allow users to access unconfigured third-party apps.
- [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)
- [T1059:009: Command and Scripting Interpreter: Cloud API](https://attack.mitre.org/techniques/T1059/009/)
+#### GWS.COMMONCONTROLS.10.5v0.3
+Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented.
+
+- _Rationale:_ Antiquated authentication methods introduce additional risk into the workspace environment. Only allowing apps that use modern authentication standards helps reduce the risk of credential compromise.
+- _Last modified:_ July 10, 2023
+
+- MITRE ATT&CK TTP Mapping
+ - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/)
+ - [T1110:001: Brute Force: Password Guessing](https://attack.mitre.org/techniques/T1110/001/)
+ - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/)
+ - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)
+ - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
+ - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
### Resources
@@ -792,6 +805,7 @@ Agencies SHALL NOT allow users to access unconfigured third-party apps.
- [OMB M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)
- [GWS Admin Help \| Control which third-party & internal apps access GWS data](https://support.google.com/a/answer/7281227#zippy=%2Cstep-control-api-access%2Cstep-restrict-or-unrestrict-google-services%2Cbefore-you-begin-review-authorized-third-party-apps%2Cstep-manage-third-party-app-access-to-google-services-add-apps)
- [CIS Google Workspace Foundations Benchmark](https://www.cisecurity.org/benchmark/google_workspace)
+- [GWS Admin Help \| Control access to less secure apps](https://support.google.com/a/answer/6260879?hl=en)
### Prerequisites
@@ -827,6 +841,13 @@ Agencies SHALL NOT allow users to access unconfigured third-party apps.
2. Select **Unconfigured third-party apps** and select **Don't allow users to access any third-party apps**
3. Select **SAVE.**
+#### GWS.COMMONCONTROLS.10.5v0.3 Instructions
+1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator.
+2. Select **Security** -\> **Overview**.
+3. Select **Less Secure Apps**.
+4. Select **Disable access to less secure apps (Recommended)**.
+5. Click **Save** to commit this configuration change.
+
It should be noted that admins will have to manually approve each trusted app. The implementation steps for this activity are outlined in Google's [documentation on controlling which third-party & internal apps access GWS data](https://support.google.com/a/answer/7281227) (also listed under Resources).
@@ -850,25 +871,10 @@ Only approved Google Workspace Marketplace applications SHALL be allowed for ins
- [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/)
- [T1195:002: Supply Chain Compromise: Compromise Software Supply Chain](https://attack.mitre.org/techniques/T1195/002/)
-#### GWS.COMMONCONTROLS.11.2v0.3
-Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented.
-
-- _Rationale:_ Antiquated authentication methods introduce additional risk into the workspace environment. Only allowing apps that use modern authentication standards helps reduce the risk of credential compromise.
-- _Last modified:_ July 10, 2023
-
-- MITRE ATT&CK TTP Mapping
- - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/)
- - [T1110:001: Brute Force: Password Guessing](https://attack.mitre.org/techniques/T1110/001/)
- - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/)
- - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/)
- - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
-
### Resources
- [GWS Admin Help \| Manage Google Workspace Marketplace apps on your allowlist](https://support.google.com/a/answer/6089179?fl=1)
- [CIS Google Workspace Foundations Benchmark](https://www.cisecurity.org/benchmark/google_workspace)
-- [GWS Admin Help \| Control access to less secure apps](https://support.google.com/a/answer/6260879?hl=en)
### Prerequisites
@@ -891,13 +897,6 @@ To add an app to the allowlist:
3. Click **Allowlisted Apps** to manage the allow list.
-#### GWS.COMMONCONTROLS.11.2v0.3 Instructions
-1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator.
-2. Select **Security** -\> **Overview**.
-3. Select **Less Secure Apps**.
-4. Select **Disable access to less secure apps (Recommended)**.
-5. Click **Save** to commit this configuration change.
-
## 12. Google Takeout Services for Users
This section prevents users from downloading a copy of the Google Takeout service's data to their user accounts. Services include Google Blogger, Books, Maps, Pay, Photos, Play, Play Console, Location History and YouTube, among numerous others.
diff --git a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv
index 56e72ebd..aa04d080 100644
--- a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv
+++ b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv
@@ -24,11 +24,11 @@ GWS.COMMONCONTROLS.10.2v0.3,Agencies SHALL NOT allow users to consent to access
GWS.COMMONCONTROLS.10.3v0.3,Agencies SHALL NOT trust unconfigured internal apps.,Admin Log Event,"Allow Google Sign-in only third party API access
OR
All third party API access unblocked",No Setting Name,No Value,rules/00gjdgxs0xcbmu1,
-GWS.COMMONCONTROLS.10.5v0.3(a),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,All third party API access unblocked,No Setting Name,No Value,rules/00gjdgxs0zd46an,JK 09-22-23 @ 14:15 (works only from Don't allow)
-GWS.COMMONCONTROLS.10.5v0.3(b),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,Allow Google Sign-in only third party API access,No Setting Name,No Value,rules/00gjdgxs3b25o0w,JK 09-22-23 @ 14:15 (works only from Don't allow)
+GWS.COMMONCONTROLS.10.4v0.3(a),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,All third party API access unblocked,No Setting Name,No Value,rules/00gjdgxs0zd46an,JK 09-22-23 @ 14:15 (works only from Don't allow)
+GWS.COMMONCONTROLS.10.4v0.3(b),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,Allow Google Sign-in only third party API access,No Setting Name,No Value,rules/00gjdgxs3b25o0w,JK 09-22-23 @ 14:15 (works only from Don't allow)
+GWS.COMMONCONTROLS.10.5v0.3,Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented.,Admin Log Event,Less Secure Apps Access Setting Changed,No Setting Name,DISABLED,rules/00gjdgxs2y7rekk,JK 09-20-23 @ 06:51
GWS.COMMONCONTROLS.11.1v0.3(a),Only approved Google Workspace Marketplace applications SHOULD be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting Allowlist access,ALLOW_SPECIFIED,rules/00gjdgxs0o3dzli,JK 09-12-23 @ 13:33
GWS.COMMONCONTROLS.11.1v0.3(b),Only approved Google Workspace Marketplace applications SHALL be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting allow_all_internal_apps,false,rules/00gjdgxs3f0ca00,JK 11-14-23 @ 07:37
-GWS.COMMONCONTROLS.11.2v0.3,Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented.,Admin Log Event,Less Secure Apps Access Setting Changed,No Setting Name,DISABLED,rules/00gjdgxs2y7rekk,JK 09-20-23 @ 06:51
GWS.COMMONCONTROLS.12.1v0.3,Google Takeout services SHALL be disabled for users.,Admin Log Event,Toggle Service Enabled,N/A,false,rules/00gjdgxs3wksszz,JK 09-12-23 @ 13:19
GWS.COMMONCONTROLS.13.1v0.3,"Required system-defined alerting rules, as listed in the Policy section, SHALL be active, with alerts enabled when available. Any system-defined rules not are considered optional but ought to be reviewed for consideration.",Admin Log Event,System Defined Rule Updated,N/A,N/A,rules/00gjdgxs1x4hrff,Needs Manual Verification of Status
GWS.COMMONCONTROLS.14.1v0.3,The following critical logs SHALL be sent at a minimum.,Admin Log Event,Change Application Setting,"Data Sharing Settings between GCP and Google Workspace ""Sharing Options""",ENABLED,rules/00gjdgxs0yu1jgq,JK 09-19-23 @ 06:40
diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego
index f861998f..c5850a8c 100644
--- a/rego/Commoncontrols.rego
+++ b/rego/Commoncontrols.rego
@@ -1377,6 +1377,73 @@ if {
}
#--
+#
+# Baseline GWS.COMMONCONTROLS.10.5v0.3
+#--
+NonCompliantOUs10_5 contains {
+ "Name": OU,
+ "Value": "Allow users to manage their access to less secure apps is ON"
+} if {
+ some OU in utils.OUsWithEvents
+ Events := FilterEventsOU("WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", OU)
+ # Ignore OUs without any events. We're already asserting that the
+ # top-level OU has at least one event; for all other OUs we assume
+ # they inherit from a parent OU if they have no events.
+ count(Events) > 0
+ LastEvent := utils.GetLastEvent(Events)
+ LastEvent.NewValue != "DENIED"
+ LastEvent.NewValue != "INHERIT_FROM_PARENT"
+}
+# NOTE: When WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED for a child OU
+# is set to inherit from parent, apparently NO EVENT IS PRODUCED IN
+# THE ADMIN LOGS. When you later override the setting, it shows
+# "INHERIT_FROM_PARENT" as the "OLD_VALUE", so I'm putting that above
+# for completeness, but this appears to be a case where we won't be
+# able to detect setting inheritance, as least for now.
+
+NonCompliantGroups10_5 contains {
+ "Name": Group,
+ "Value": "Allow users to manage their access to less secure apps is ON"
+} if {
+ some Group in utils.GroupsWithEvents
+ Events := FilterEventsGroup("WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", Group)
+ # Ignore groups without any events.
+ count(Events) > 0
+ LastEvent := utils.GetLastEvent(Events)
+ LastEvent.NewValue != "DENIED"
+ LastEvent.NewValue != "INHERIT_FROM_PARENT"
+}
+
+tests contains {
+ "PolicyId": "GWS.COMMONCONTROLS.10.5v0.3",
+ "Criticality": "Should",
+ "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
+ "ActualValue": "No relevant event for the top-level OU in the current logs",
+ "RequirementMet": DefaultSafe,
+ "NoSuchEvent": true
+}
+if {
+ DefaultSafe := true
+ Events := FilterEventsOU("WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", utils.TopLevelOU)
+ count(Events) == 0
+}
+
+tests contains {
+ "PolicyId": "GWS.COMMONCONTROLS.10.5v0.3",
+ "Criticality": "Shall",
+ "ReportDetails": utils.ReportDetails(NonCompliantOUs10_5, NonCompliantGroups10_5),
+ "ActualValue": {"NonCompliantOUs": NonCompliantOUs10_5, "NonCompliantGroups": NonCompliantGroups10_5},
+ "RequirementMet": Status,
+ "NoSuchEvent": false
+}
+if {
+ Events := FilterEventsOU("WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", utils.TopLevelOU)
+ count(Events) > 0
+ Conditions := {count(NonCompliantOUs10_5) == 0, count(NonCompliantGroups10_5) == 0}
+ Status := (false in Conditions) == false
+}
+#--
+
#########################
# GWS.COMMONCONTROLS.11 #
#########################
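Review bot: The two `tests` rules for GWS.COMMONCONTROLS.10.5v0.3 disagree on Criticality: the no-event rule reports `"Criticality": "Should"` while the evaluated rule reports `"Criticality": "Shall"`, and the baseline text added for 10.5 in this commit says SHALL, so the first should read `"Criticality": "Shall"`. The same mismatch existed in the 11.2 block the commit removes, so the move carried it over rather than introduced it, but it is still reported to users. `DefaultSafe := true` in the no-event rule also deserves a why-comment, since the sibling control whose test appears as context at the top of the test hunk defaults to non-compliant; something like `# No logged change is treated as access to less secure apps being off — TODO confirm against the tenant default`. The NOTE about INHERIT_FROM_PARENT would be easier to find placed above the NonCompliantOUs10_5 rule it qualifies rather than after its closing brace.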
@@ -1488,73 +1555,6 @@ if {
}
#--
-#
-# Baseline GWS.COMMONCONTROLS.11.2v0.3
-#--
-NonCompliantOUs11_2 contains {
- "Name": OU,
- "Value": "Allow users to manage their access to less secure apps is ON"
-} if {
- some OU in utils.OUsWithEvents
- Events := FilterEventsOU("WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "DENIED"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
-# NOTE: When WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED for a child OU
-# is set to inherit from parent, apparently NO EVENT IS PRODUCED IN
-# THE ADMIN LOGS. When you later override the setting, it shows
-# "INHERIT_FROM_PARENT" as the "OLD_VALUE", so I'm putting that above
-# for completeness, but this appears to be a case where we won't be
-# able to detect setting inheritance, as least for now.
-
-NonCompliantGroups11_2 contains {
- "Name": Group,
- "Value": "Allow users to manage their access to less secure apps is ON"
-} if {
- some Group in utils.GroupsWithEvents
- Events := FilterEventsGroup("WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", Group)
- # Ignore groups without any events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue != "DENIED"
- LastEvent.NewValue != "INHERIT_FROM_PARENT"
-}
-
-tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.11.2v0.3",
- "Criticality": "Should",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- DefaultSafe := true
- Events := FilterEventsOU("WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", utils.TopLevelOU)
- count(Events) == 0
-}
-
-tests contains {
- "PolicyId": "GWS.COMMONCONTROLS.11.2v0.3",
- "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs11_2, NonCompliantGroups11_2),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs11_2, "NonCompliantGroups": NonCompliantGroups11_2},
- "RequirementMet": Status,
- "NoSuchEvent": false
-}
-if {
- Events := FilterEventsOU("WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", utils.TopLevelOU)
- count(Events) > 0
- Conditions := {count(NonCompliantOUs11_2) == 0, count(NonCompliantGroups11_2) == 0}
- Status := (false in Conditions) == false
-}
-#--
-
#########################
# GWS.COMMONCONTROLS.12 #
#########################