From d2e36ebf2298781c8343cfec2ab59430485b733b Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Mon, 4 Nov 2024 11:06:57 -0800 Subject: [PATCH] Add 3.2 to common controls --- baselines/commoncontrols.md | 43 +++++++++++++------ ...Rules - Common Controls as of 11-14-23.csv | 3 +- rego/Commoncontrols.rego | 15 +++++++ 3 files changed, 46 insertions(+), 15 deletions(-) diff --git a/baselines/commoncontrols.md b/baselines/commoncontrols.md index 85781681..59901ef6 100644 --- a/baselines/commoncontrols.md +++ b/baselines/commoncontrols.md @@ -11,7 +11,7 @@ The information in this document is being provided "as is" for INFORMATIONAL PUR This baseline is based on Google documentation and addresses the following: - [Phishing-Resistant Multi-Factor Authentication](#1-phishing-resistant-multi-factor-authentication) - [Context Aware Access](#2-context-aware-access) -- [Login Challenges](#3-login-challenges) +- [Post-SSO Verification](#3-post-sso-verification) - [User Session Duration](#4-user-session-duration) - [Secure Passwords](#5-secure-passwords) - [Highly Privileged Accounts](#6-highly-privileged-accounts) 
@@ -301,17 +301,28 @@ Note that the implementation details of context-aware access use cases will vary - Allow or disallow access from specific locations - Use nested access levels instead of selecting multiple access levels during assignment -## 3. Login Challenges - -Login challenges are additional security measures used to verify a user's identity. For example, Google might ask the user to confirm their recovery email before logging in as part of a challenge. +## 3. Post-SSO Verification +Post-SSO verification controls what additional checks are performed (e.g., Google 2SV) after a user succesfully authenticates through a third-party identity provider. ### Policies #### GWS.COMMONCONTROLS.3.1v0.3 -Login challenges SHOULD be enabled when third party SAML SSO is in use. +Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization. - _Rationale:_ Without enabling Post-SSO verification, any Google 2-Step Verification (2SV) configuration is ignored for third-party SSO users. Enabling Post-SSO verification will apply 2SV verification policies. -- _Last modified:_ July 10, 2023 +- _Last modified:_ November 4, 2024 + +- MITRE ATT&CK TTP Mapping + - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/) + - [T1110:001: Brute Force: Password Guessing](https://attack.mitre.org/techniques/T1110/001/) + - [T1110:002: Brute Force: Password Cracking](https://attack.mitre.org/techniques/T1110/002/) + - [T1110:003: Brute Force: Password Spraying](https://attack.mitre.org/techniques/T1110/003/) + +#### GWS.COMMONCONTROLS.3.2v0.3 +Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles. + +- _Rationale:_ Without enabling Post-SSO verification, any Google 2-Step Verification (2SV) configuration is ignored for third-party SSO users. Enabling Post-SSO verification will apply 2SV verification policies. 
+- _Last modified:_ November 4, 2024 - MITRE ATT&CK TTP Mapping - [T1110: Brute Force](https://attack.mitre.org/techniques/T1110/) @@ -326,19 +337,23 @@ Login challenges SHOULD be enabled when third party SAML SSO is in use. ### Prerequisites -- When using Employee ID challenge, the Employee ID must be uploaded to Google Workspace through the Agency's Identity Management infrastructure (e.g., via GCDS). +- None ### Implementation -#### GWS.COMMONCONTROLS.3.1v0.3 Instructions +#### Policy Group 3 Common Instructions 1. Sign in to [Google Admin console](https://admin.google.com) as an administrator. -2. Select **Security**-\>**Authentication**-\>**Login challenges.** +2. Select **Security**-\>**Authentication**-\>**Login challenges**. 3. Under **Organizational units**, ensure that the name for the entire organization is selected. -4. Click **Post-SSO verification**, then select **Ask users for additional verifications from Google if a sign-in looks suspicious, and always apply 2-Step Verification policies (if configured)**. Click **SAVE**. -5. Optionally, if employee IDs are known to agency employees (or accessible to the employee outside of Google Workspace), they may be used. -6. Click **Login challenges**. -7. Select the **Use employee ID to keep my users more secure** checkbox. -8. Click **SAVE**. +4. Click **Post-SSO verification**. + +#### GWS.COMMONCONTROLS.3.1v0.3 Instructions +1. For **Settings for users signing in using the SSO profile for your organization**, select **Ask users for additional verifications from Google if a sign-in looks suspicious, and always apply 2-Step Verification policies (if configured)**. +2. Click **SAVE**. + +#### GWS.COMMONCONTROLS.3.2v0.3 Instructions +1. For **Settings for users signing in using other SSO profiles**, select **Ask users for additional verifications from Google if a sign-in looks suspicious, and always apply 2-Step Verification policies (if configured)**. +2. Click **SAVE**. ## 4. User Session Duration 
diff --git a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv index 974e8300..500fb662 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv 
@@ -5,7 +5,8 @@ GWS.COMMONCONTROLS.1.3v0.3,Allow users to trust the device SHALL be disabled.,Ad GWS.COMMONCONTROLS.1.4v0.3,"If phishing-resistant MFA is not yet tenable, an MFA method from the following list SHALL be used in the interim.",Admin Log Event,Change Allowed 2-Step Verification Methods,No Setting Name,NO_TELEPHONY,rules/00gjdgxs3t3ug07,JK 08-02-23 @ 14:53 GWS.COMMONCONTROLS.2.1v0.3,Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented.,Admin Log Event,Context Aware Access Enablement,No Setting Name,ENABLED,rules/00gjdgxs1qrcqvm,JK 08-02-23 @ 07:49 GWS.COMMONCONTROLS.2.2v0.3,"Use of context-aware access for more granular controls, including using Advanced Mode (CEL), MAY be maximized and tailored if necessary.",N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.COMMONCONTROLS.3.1v0.3,Login Challenges SHOULD be enabled when third party SAML SSO is in use.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59 +GWS.COMMONCONTROLS.3.1v0.3,Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59 +GWS.COMMONCONTROLS.3.2v0.3,Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles.,Admin Log Event,Change Application Setting,SsoPolicyProto sso_profile_challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59 GWS.COMMONCONTROLS.4.1v0.3,Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired.,Admin Log Event,Change Application Setting,Session management settings - Session length in seconds,43200,rules/00gjdgxs1j87x46,JK 08-02-23 @ 08:11 GWS.COMMONCONTROLS.5.1v0.3,User password strength SHALL be enforced.,Admin Log 
Event,Change Application Setting,Password Management - Enforce strong password,on,rules/00gjdgxs2rh5fry,JK 08-02-23 @ 08:21 GWS.COMMONCONTROLS.5.2v0.3,User password length SHALL be at least 12 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,12,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51 diff --git a/rego/Commoncontrols.rego b/rego/Commoncontrols.rego index 4ea30acd..f333d029 100644 --- a/rego/Commoncontrols.rego +++ b/rego/Commoncontrols.rego @@ -534,6 +534,21 @@ if { } #-- +# +# Baseline GWS.COMMONCONTROLS.3.2v0.3 +#-- +# TODO replace the following placeholder with actual implementation +# SsoPolicyProto sso_profile_challenge_selection_behavior appears to the appropriate log event +tests contains { + "PolicyId": "GWS.COMMONCONTROLS.3.2v0.3", + "Criticality": "Should/Not-Implemented", + "ReportDetails": "Currently not able to be tested automatically; please manually check.", + "ActualValue": "", + "RequirementMet": false, + "NoSuchEvent": true +} +#-- + ######################## # GWS.COMMONCONTROLS.4 # ########################
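Review bot: typo in the new section intro of the `@@ -301,17 +301,28 @@` hunk: "succesfully" should read "successfully"; and the added `## 3. Post-SSO Verification` heading is immediately followed by its paragraph with no blank line, unlike the `## 3. Login Challenges` block it replaces, so insert a blank line after the heading for consistent rendering. Two smaller points in the same hunk: the 3.2 rationale is a verbatim copy of the 3.1 rationale and could state what distinguishes users on "other SSO profiles" from users on the organization profile, and the ATT&CK sub-technique labels use a colon (`T1110:001`) where ATT&CK writes `T1110.001`, although the linked URLs are correct.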
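Review bot: the `@@ -326,19 +337,23 @@` hunk removes the Employee ID login-challenge steps (old steps 5 through 8) and the matching prerequisite, replacing it with `- None`, but neither the baseline text nor the commit message records that the Employee ID challenge is no longer recommended; add a sentence to the section or a changelog entry so readers of the previous version can tell the recommendation was withdrawn deliberately rather than dropped by accident. Also, the new policy statements read "the SSO profile for your organization" in the console's second-person voice while the surrounding baseline refers to "the Agency" (see the removed prerequisite line); keep the bolded console strings as UI labels, but consider wording the policy statements themselves in the baseline's voice.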
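Review bot: in the CSV hunk, the new GWS.COMMONCONTROLS.3.2v0.3 row reuses the rule id `rules/00gjdgxs0o76pk2` and the timestamp `JK 08-02-23 @ 07:59` from the 3.1 row even though its setting name differs (`SsoPolicyProto sso_profile_challenge_selection_behavior` versus `SsoPolicyProto challenge_selection_behavior`). A drift rule keyed on the 3.1 setting will not fire on changes to the 3.2 setting, so either create a separate rule for 3.2 and record its own id and date here, or mark the row `Not Alertable` as the 2.2 row does until one exists. The row as written also contradicts the Rego change in the same commit, which reports 3.2 as "Currently not able to be tested automatically".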
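Review bot: the Rego placeholder for GWS.COMMONCONTROLS.3.2v0.3 hard-codes `"RequirementMet": false` and `"NoSuchEvent": true`, so every tenant will be reported as needing a manual check regardless of its actual setting. That matches the TODO, but the comment directly above it already names the event that would make the control testable (`SsoPolicyProto sso_profile_challenge_selection_behavior`, which the CSV in this commit pairs with the value `PERFORM_CHALLENGE_SELECTION`), so consider implementing the check with the same `tests contains` pattern the other rules in this file use instead of shipping the stub. Minor: the comment is missing a verb; "appears to the appropriate log event" should read "appears to be the appropriate log event".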