diff --git a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv index 24571997..777e3bd6 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv 
@@ -16,7 +16,7 @@ GWS.COMMONCONTROLS.5.5v0.3,User passwords SHALL NOT be reused.,Admin Log Event,C GWS.COMMONCONTROLS.5.6v0.3,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09 GWS.COMMONCONTROLS.6.1v0.3,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable GWS.COMMONCONTROLS.6.2v0.3,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced +GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced GWS.COMMONCONTROLS.8.1v0.3,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16 GWS.COMMONCONTROLS.9.1v0.3,Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv5,JK 08-02-23 @ 09:20 GWS.COMMONCONTROLS.9.2v0.3,All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. This control enforces more secure protection of sensitive user accounts from targeted attacks. 
Sensitive user accounts include political appointees and other Senior Executive Service (SES) officials whose account compromise would pose a level of risk prohibitive to agency mission fulfillment.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv6,JK 08-02-23 @ 09:21 diff --git a/scubagoggles/baselines/commoncontrols.md b/scubagoggles/baselines/commoncontrols.md index d3cd1d92..bba4efda 100644 --- a/scubagoggles/baselines/commoncontrols.md +++ b/scubagoggles/baselines/commoncontrols.md @@ -604,10 +604,10 @@ By changing the email address, the user resolves the conflict by ensuring that t ### Policies #### GWS.COMMONCONTROLS.7.1v0.3 -Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones. +Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones. - _Rationale:_ Unmanaged user accounts cannot be controlled or monitored by workspace admins. By resolving conflicting accounts, you ensure all users in your workspace are using managed accounts. -- _Last modified:_ September 14, 2023 +- _Last modified:_ January 2025 - MITRE ATT&CK TTP Mapping - [T1136: Create Account](https://attack.mitre.org/techniques/T1136/) @@ -1243,7 +1243,7 @@ Require multi party approval for sensitive admin actions SHALL be enabled. - No TTP Mappings ### Resources -- [GWS Admin Help \| Multi-party approval for sensitive actions](https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F13790448%3Fhl%3Den&assistant_id=generic-unu&product_context=13790448&product_name=UnuFlow&trigger_context=a) +- [GWS Admin Help \| Multi-party approval for sensitive actions](https://support.google.com/a/answer/13790448?hl=en-Link) ### Prerequisites diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego index eb4f54d7..247b5741 100644 
--- a/scubagoggles/rego/Commoncontrols.rego +++ b/scubagoggles/rego/Commoncontrols.rego @@ -1207,7 +1207,7 @@ CommonControlsId7_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.7.1") tests contains { "PolicyId": CommonControlsId7_1, - "Criticality": "Shall/Not-Implemented", + "Criticality": "Should/Not-Implemented", "ReportDetails": "Currently not able to be tested automatically; please manually check.", "ActualValue": "", "RequirementMet": false,
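Review bot: The drift-rules CSV is still named "GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv" while this patch edits its GWS.COMMONCONTROLS.7.1v0.3 row, so the date in the file name no longer describes the contents. Consider renaming the file or dropping the date from the name, so that people who read the drift rules do not assume the rows reflect the November 2023 baseline.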
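Review bot: In the commoncontrols.md hunk at line 604, the new "_Last modified:_ January 2025" drops the day that the replaced value "September 14, 2023" carried; use a full date so the field stays in one format. The requirement level also moves from SHALL to SHOULD while the policy ID stays GWS.COMMONCONTROLS.7.1v0.3 in the markdown and the CSV, so please confirm the version suffix is not expected to change when the normative strength of a policy changes.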
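Review bot: The replacement link in the commoncontrols.md Resources hunk at line 1243 ends in "?hl=en-Link", which does not match the "hl=en" value the old URL encoded as "hl%3Den" and looks like a paste leftover. Suggest "https://support.google.com/a/answer/13790448?hl=en". This link fix is unrelated to the 7.1 SHALL to SHOULD change, so it is worth calling out in the commit message or splitting into its own commit.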
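Review bot: In the Commoncontrols.rego hunk at line 1207, only the "Criticality" literal of the CommonControlsId7_1 entry changes, and no test or expected-output file is touched anywhere in this diff. If any Rego unit test or report fixture asserts "Shall/Not-Implemented" for GWS.COMMONCONTROLS.7.1, it needs the same update to "Should/Not-Implemented" in this change; otherwise a short statement that none exists would help the review.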