New Policy 5.1 for Meet for 1:1 Calling (#316)
Browse files Browse the repository at this point in the history
* Changes to meet, added in 1:1 policy

* Update drift-rules/GWS Drift Monitoring Rules - Meet.csv

Correcting Version Number

Co-authored-by: Alden Hilton <[email protected]>

* Update baselines/Google Meet Minimum Viable Secure Configuration Baseline v0.2.md

Correct Version Number

Co-authored-by: Alden Hilton <[email protected]>

* Update baselines/Google Meet Minimum Viable Secure Configuration Baseline v0.2.md

Correct Version Number

Co-authored-by: Alden Hilton <[email protected]>

* Apply suggestions from code review

Co-authored-by: Alden Hilton <[email protected]>

* Correct control ID to meet

* Implement GWS.MEET.5.1v0.2

* Apply suggestions from code review

Co-authored-by: David Bui <[email protected]>

---------

Co-authored-by: Alden Hilton <[email protected]>
Co-authored-by: jkaufman-mitre <[email protected]>
Co-authored-by: Alden Hilton <[email protected]>
Co-authored-by: David Bui <[email protected]>
5 people authored Jun 20, 2024
1 parent b0c764a commit f946599
Showing 4 changed files with 396 additions and 5 deletions.
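--- a/Testing/RegoTests/meet/meet05_test.rego
+++ b/Testing/RegoTests/meet/meet05_test.rego
@@ -0,0 +1,288 @@
+package meet
+import future.keywords
+
+#
+# GWS.MEET.5.1v0.2
+#--
+test_Incoming_Correct_V1 if {
+# Test restricted to contacts
+PolicyId := "GWS.MEET.5.1v0.2"
+Output := tests with input as {
+"meet_logs": {"items": [
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Incoming call restrictions Allowed caller type"
+},
+{"name": "NEW_VALUE", "value": "CONTACTS_AND_SAME_DOMAIN"},
+{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+]
+}]
+}
+]},
+"tenant_info": {
+"topLevelOU": ""
+}
+}
+
+RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+count(RuleOutput) == 1
+RuleOutput[0].RequirementMet
+not RuleOutput[0].NoSuchEvent
+RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Incoming_Correct_V2 if {
+# Test disabled
+PolicyId := "GWS.MEET.5.1v0.2"
+Output := tests with input as {
+"meet_logs": {"items": [
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Incoming call restrictions Allowed caller type"
+},
+{"name": "NEW_VALUE", "value": "NO_ONE"},
+{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+]
+}]
+}
+]},
+"tenant_info": {
+"topLevelOU": ""
+}
+}
+
+RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+count(RuleOutput) == 1
+RuleOutput[0].RequirementMet
+not RuleOutput[0].NoSuchEvent
+RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Incoming_Correct_V3 if {
+# Test inheritance
+PolicyId := "GWS.MEET.5.1v0.2"
+Output := tests with input as {
+"meet_logs": {"items": [
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Incoming call restrictions Allowed caller type"
+},
+{"name": "NEW_VALUE", "value": "NO_ONE"},
+{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+]
+}]
+},
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Incoming call restrictions Allowed caller type"
+},
+{"name": "NEW_VALUE", "value": "NO_ONE"},
+{"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
+]
+}]
+},
+{
+"id": {"time": "2023-12-20T00:02:28.672Z"},
+"events": [{
+"name": "DELETE_APPLICATION_SETTING",
+"parameters": [
+{"name": "SETTING_NAME", "value": "Incoming call restrictions Allowed caller type"},
+{"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
+]
+}]
+},
+]},
+"tenant_info": {
+"topLevelOU": "Test Top-Level OU"
+}
+}
+
+RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+count(RuleOutput) == 1
+RuleOutput[0].RequirementMet
+not RuleOutput[0].NoSuchEvent
+RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Incoming_Incorrect_V1 if {
+# Test top-level OU wrong
+PolicyId := "GWS.MEET.5.1v0.2"
+Output := tests with input as {
+"meet_logs": {"items": [
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Incoming call restrictions Allowed caller type"
+},
+{"name": "NEW_VALUE", "value": "ALL"},
+{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+]
+}]
+}
+]},
+"tenant_info": {
+"topLevelOU": ""
+}
+}
+
+RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+count(RuleOutput) == 1
+not RuleOutput[0].RequirementMet
+not RuleOutput[0].NoSuchEvent
+RuleOutput[0].ReportDetails == concat("", [
+"The following OUs are non-compliant:<ul>",
+"<li>Test Top-Level OU: Users can receive calls from anyone</li>",
+"</ul>"
+])
+}
+
+test_Incoming_Incorrect_V2 if {
+# Test child OU wrong
+PolicyId := "GWS.MEET.5.1v0.2"
+Output := tests with input as {
+"meet_logs": {"items": [
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Incoming call restrictions Allowed caller type"
+},
+{"name": "NEW_VALUE", "value": "NO_ONE"},
+{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+]
+}]
+},
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Incoming call restrictions Allowed caller type"
+},
+{"name": "NEW_VALUE", "value": "ALL"},
+{"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
+]
+}]
+}
+]},
+"tenant_info": {
+"topLevelOU": "Test Top-Level OU"
+}
+}
+
+RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+count(RuleOutput) == 1
+not RuleOutput[0].RequirementMet
+not RuleOutput[0].NoSuchEvent
+RuleOutput[0].ReportDetails == concat("", [
+"The following OUs are non-compliant:<ul>",
+"<li>Test Second-Level OU: Users can receive calls from anyone</li>",
+"</ul>"
+])
+}
+
+test_Incoming_Incorrect_V3 if {
+# Test group wrong
+PolicyId := "GWS.MEET.5.1v0.2"
+Output := tests with input as {
+"meet_logs": {"items": [
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Incoming call restrictions Allowed caller type"
+},
+{"name": "NEW_VALUE", "value": "NO_ONE"},
+{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+]
+}]
+},
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "Incoming call restrictions Allowed caller type"
+},
+{"name": "NEW_VALUE", "value": "ALL"},
+{"name": "GROUP_EMAIL", "value": "[email protected]"},
+]
+}]
+}
+]},
+"tenant_info": {
+"topLevelOU": "Test Top-Level OU"
+}
+}
+
+RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+count(RuleOutput) == 1
+not RuleOutput[0].RequirementMet
+not RuleOutput[0].NoSuchEvent
+RuleOutput[0].ReportDetails == concat("", [
+"The following groups are non-compliant:<ul>",
+"<li>[email protected]: Users can receive calls from anyone</li>",
+"</ul>"
+])
+}
+
+test_Incoming_Incorrect_V4 if {
+# Test no events
+PolicyId := "GWS.MEET.5.1v0.2"
+Output := tests with input as {
+"meet_logs": {"items": [
+{
+"id": {"time": "2022-12-20T00:02:28.672Z"},
+"events": [{
+"parameters": [
+{
+"name": "SETTING_NAME",
+"value": "something else"
+},
+{"name": "NEW_VALUE", "value": "ALL"},
+{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+]
+}]
+}
+]},
+"tenant_info": {
+"topLevelOU": ""
+}
+}
+
+RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+count(RuleOutput) == 1
+not RuleOutput[0].RequirementMet
+RuleOutput[0].NoSuchEvent
+RuleOutput[0].ReportDetails == concat("", [
+"No relevant event in the current logs for the top-level OU, Test Top-Level OU. ",
+"While we are unable to determine the state from the logs, the default setting is non-compliant; ",
+"manual check recommended."
+])
+}
+#--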
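Review bot: None of the new tests pins the "most recent event wins" behaviour for a single OU: every Change Application Setting event for a given OU carries the same timestamp, and the only later-dated event in the file is the DELETE_APPLICATION_SETTING in test_Incoming_Correct_V3, so an implementation that picked the earliest or an arbitrary event for an OU would still pass this file. The policy's verdict rests on that ordering, because an OU that was set to NO_ONE and later changed to ALL must be reported as non-compliant, and an OU changed the other way must be reported as compliant. A test with two events for Test Top-Level OU at different times, expecting the non-compliant report for the later ALL value, would close that gap; the rule implementation in the Meet policy file is not on this page, so the expected report string below is inferred from test_Incoming_Incorrect_V1.
```rego
test_Incoming_Incorrect_V5 if {
# Test that the most recent event for an OU wins when it flips from compliant to non-compliant
PolicyId := "GWS.MEET.5.1v0.2"
Output := tests with input as {
"meet_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Incoming call restrictions Allowed caller type"},
{"name": "NEW_VALUE", "value": "NO_ONE"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2023-12-20T00:02:28.672Z"},
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "Incoming call restrictions Allowed caller type"},
{"name": "NEW_VALUE", "value": "ALL"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Users can receive calls from anyone</li>",
"</ul>"
])
}
```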
Expand Up @@ -190,3 +190,41 @@ To enable Host Management meeting features:
3. Select **Meet safety settings** -\> **Warn for external participants**.
4. Check the **External or unidentified participants in a meeting are given a label** checkbox.
5. Select **Save**.

## 5. Incoming Calls

This section covers who domain users are allowed to receive a 1:1 call from.

### Policies

#### GWS.MEET.5.1v0.2
Incoming calls SHALL be restricted to contacts and other users in the organization.

- _Rationale:_ Calls could potentially be used to pass sensitive information. By selecting this setting, it potentially mitigates unauthorized data leakage.
- _Last modified:_ March 15, 2024

- MITRE ATT&CK TTP Mapping
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
- [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
- [T1566:004: Phishing: Spearphishing Voice](https://attack.mitre.org/techniques/T1566/004/)
- [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/)
- [T1598:004: Phishing for Information: Spearphishing Voice](https://attack.mitre.org/techniques/T1598/004/)
- [T1123: Audio Capture](https://attack.mitre.org/techniques/T1123/)
- [T1113: Screen Capture](https://attack.mitre.org/techniques/T1113/)
- [T1125: Video Capture](https://attack.mitre.org/techniques/T1125/)

### Resources
- [Restrict who can call my organization's users with Google Meet](https://support.google.com/a/answer/14277985)

### Prerequisites
- None

### Implementation

#### GWS.MEET.5.1v0.2 Instructions
1. Sign in to the [Google Admin Console](https://admin.google.com).
2. Select **Menu** -> **Apps** -> **Google Workspace** -> **Google Meet**.
3. Click **Meet safety settings**.
4. Click **Incoming call restrictions**.
5. Ensure **Users receive calls only from contacts and other users in the organization** or **Users can't receive calls** is selected.
6. Click **Save**.
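--- a/drift-rules/GWS Drift Monitoring Rules - Meet.csv
+++ b/drift-rules/GWS Drift Monitoring Rules - Meet.csv
@@ -2,4 +2,5 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule I
 GWS.MEET.1.1v0.2,Meeting access SHALL be restricted to users signed in with a Google Account or Dialing in using a phone.,Admin Log Event,Change Application Setting,SafetyDomainLockProto users_allowed_to_join,LOGGED_IN,rules/00gjdgxs1wv8d7g,JK 08-02-23 @ 15:58
 GWS.MEET.2.1v0.2,Meeting access SHALL be disabled for meetings created by users who are not members of any Google Workspace tenant or organization.,Admin Log Event,Change Application Setting,SafetyAccessLockProto meetings_allowed_to_join,WORKSPACE_DOMAINS,rules/00gjdgxs0rw9s95,JK 08-02-23 @ 16:02
 GWS.MEET.3.1v0.2,Host Management meeting features SHALL be enabled so that they are available by default when a host starts their meeting.,Admin Log Event,Change Application Setting,SafetyModerationLockProto host_management_enabled,true,rules/00gjdgxs3bvxawy,JK 08-02-23 @ 16:05
-GWS.MEET.4.1v0.2,Warn for external participants SHALL be enabled.,Admin Log Event,Change Application Setting,Warn for external participants External or unidentified participants in a meeting are given a label,true,rules/00gjdgxs2yp7uet,JK 10-16-23 @ 07:32
+GWS.MEET.4.1v0.2,Warn for external participants SHALL be enabled.,Admin Log Event,Change Application Setting,Warn for external participants External or unidentified participants in a meeting are given a label,true,rules/00gjdgxs2yp7uet,JK 10-16-23 @ 07:32
+GWS.MEET.5.1v0.2,Users receive calls only from contacts and other users in the organization SHALL be selected.,Admin Log Event,Change Application Setting,Incoming call restrictions Allowed caller type,CONTACTS_AND_SAME_DOMAIN,rules/00gjdgxs188dve6,MD 06-11-24 @ 12:30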
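Review bot: The new GWS.MEET.5.1v0.2 row on the last line alerts whenever the new value is not CONTACTS_AND_SAME_DOMAIN, but the baseline instructions and the rego tests in this same commit treat NO_ONE ("Users can't receive calls") as compliant, so a drift rule built from this row would raise a false alert when an admin moves to the stricter setting. The Name column also states a narrower requirement than the baseline's "Incoming calls SHALL be restricted to contacts and other users in the organization", which is where a reader would look to reconcile the two. If the reporting-rule builder accepts only one comparison value (I cannot tell from this page), either add a second row for NO_ONE or align the Name text with the baseline and note the accepted values, e.g. `GWS.MEET.5.1v0.2,Incoming calls SHALL be restricted to contacts and other users in the organization (CONTACTS_AND_SAME_DOMAIN or NO_ONE).,Admin Log Event,Change Application Setting,Incoming call restrictions Allowed caller type,CONTACTS_AND_SAME_DOMAIN,rules/00gjdgxs188dve6,MD 06-11-24 @ 12:30`.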
