From 656a9b553792acba41e6e2d380e37933d0dd8aa8 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 7 Jun 2024 08:58:39 -0400 Subject: [PATCH 01/13] Adjusted the Policy Statement for Drive_Docs 1.6 and added a note. --- ...Docs Minimum Viable Secure Configuration Baseline v0.2.md | 5 +++-- drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md index 367714c7..a8702e20 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md @@ -98,10 +98,11 @@ Agencies SHALL disable making files and published web content visible to anyone - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) #### GWS.DRIVEDOCS.1.6v0.2 -Agencies SHALL enable access checking for file sharing outside of Docs or Drive. +Agencies SHOULD set access checking to recipients only. - _Rationale:_ The Access Checker feature can be configured to allows users to grant access to the public if a recipient is missing access, creating the potential for data leakage. This control mitigates this by only allowing access to be granted to recipients or the suggested target audience. -- _Last modified:_ July 10, 2023 +- _Last modified:_ June 7, 2024 +- _Note:_ Agencies SHALL NOT set access checking to Recipients only, suggested target audience, or public (no Google account required). - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) diff --git a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv index c3922627..9934d00b 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv 
+++ b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv 
@@ -4,7 +4,7 @@ GWS.DRIVEDOCS.1.2v0.2,"If disabling sharing outside of the organization's domain GWS.DRIVEDOCS.1.3v0.2,"If sharing outside of the organization, then agencies SHALL enable warnings for users when they are about to share something outside of their domain.",Admin Log Event,Change Drive Setting,SHARING_OUTSIDE_DOMAIN,SHARING_ALLOWED_WITH_WARNING,rules/00gjdgxs0qwshr5, GWS.DRIVEDOCS.1.4v0.2,"If sharing outside of the organization, then agencies SHALL disable sharing of files with individuals who are not using a Google account.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log evemt GWS.DRIVEDOCS.1.5v0.2,Agencies SHALL disable making files and published web content visible to anyone with the link.,Admin Log Event,Change Drive Setting,PUBLISHING_TO_WEB,NOT_ALLOWED,rules/00gjdgxs2l9hukl,JK 08-02-23 @ 12:16 -GWS.DRIVEDOCS.1.6v0.2,Agencies SHALL enable access checking for file sharing outside of Docs or Drive.,Admin Log Event,Change Drive Setting,SHARING_ACCESS_CHECKER_OPTIONS,DOMAIN_OR_NAMED_PARTIES,rules/00gjdgxs2qv9x6y,JK 08-02-23 @ 12:59 +GWS.DRIVEDOCS.1.6v0.2,Agencies SHOULD set access checking to recipients only.,Admin Log Event,Change Drive Setting,SHARING_ACCESS_CHECKER_OPTIONS,DOMAIN_OR_NAMED_PARTIES,rules/00gjdgxs2qv9x6y,JK 08-02-23 @ 12:59 GWS.DRIVEDOCS.1.7v0.2,Agencies SHALL NOT allow any users to distribute content from an organization-owned shared drive to shared drives owned by another organizations.,Admin Log Event,Change Drive Setting,SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS,CROSS_DOMAIN_FROM_INTERNAL_ONLY,rules/00gjdgxs2bll5l2,JK 09-26-23 @ 09:24 GWS.DRIVEDOCS.1.8v0.2,Agencies SHALL ensure that newly created items assume the default access level of Private to the Owner.,Admin Log Event,Change Drive Setting,DEFAULT_LINK_SHARING_FOR_NEW_DOCS,PRIVATE,rules/00gjdgxs1jfq3ds,JK 08-02-23 @ 13:28 GWS.DRIVEDOCS.2.1v0.2,Agencies SHOULD NOT allow members with manager access to override shared drive creation settings.,Admin Log Event,Change Application 
Setting,Shared Drive Creation new_team_drive_admin_only,true,rules/00gjdgxs418trv6,JK 08-02-23 @ 13:44 From dba4226f9bb5130140ab8c22c6871c5e848e3ab9 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 7 Jun 2024 09:01:13 -0400 Subject: [PATCH 02/13] Adjusted Drive_Docs 6.1 to be clearer and simpler --- ... Docs Minimum Viable Secure Configuration Baseline v0.2.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md index a8702e20..19a2ec37 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md @@ -368,10 +368,10 @@ This section addresses Drive for Desktop, a feature that enables users to intera ### Policies #### GWS.DRIVEDOCS.6.1v0.2 -Agencies SHOULD either disable Google Drive for Desktop or only allow Google Drive for Desktop on authorized devices. +Google Drive for Desktop SHOULD only be enabled for authorized devices. - _Rationale:_ Some users may attempt to use Drive for Desktop to connect unapproved devices (e.g., a personal computer), to the agency's Google Drive. Even if done without malicious intent, this represents a security risk as the agency has no ability audit or protect such computers. -- _Last modified:_ July 10, 2023 +- _Last modified:_ June 7, 2024 - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) From 06f6d8c3ee0164685968e73159802381e20baceb Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 7 Jun 2024 09:02:07 -0400 Subject: [PATCH 03/13] Updated the drift rules for the 6.1 update --- drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv index 9934d00b..c9172be8 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv 
@@ -14,6 +14,5 @@ GWS.DRIVEDOCS.2.4v0.2,"Agencies SHALL NOT allow viewers and commenters to downlo GWS.DRIVEDOCS.3.1v0.2,Agencies SHALL enable security updates for Drive files.,Admin Log Event,Change Application Setting,Link Security Update Settings less_secure_link_option,REMOVE_LESS_SECURE_LINKS,rules/00gjdgxs0mrpx7o,JK 08-02-23 @ 14:41 GWS.DRIVEDOCS.4.1v0.2,Agencies SHOULD disable Drive SDK access to restrict information sharing and prevent data leakage.,Admin Log Event,Change Drive Setting,ENABLE_DRIVE_APPS,true,rules/00gjdgxs1mm4n4i,JK 08-02-23 @ 14:49 GWS.DRIVEDOCS.5.1v0.2,Agencies SHALL disable Add-Ons with the exception of those that are approved within the organization.,Admin Log Event,Change Drive Setting,ENABLE_DOCS_ADD_ONS,false,rules/00gjdgxs4d794jn,JK 08-02-23 @ 15:14 -GWS.DRIVEDOCS.6.1v0.2(a),Agencies SHOULD either disable Google Drive for Desktop or only allow Google Drive for Desktop on authorized devices.,Admin Log Event,Change Application Setting, DriveFsSettingsProto drive_fs_enabled,false,rules/00gjdgxs0yziufl,JK 10-19-23 @ 13:47 -GWS.DRIVEDOCS.6.1v0.2(b),Agencies SHOULD either disable Google Drive for Desktop or only allow Google Drive for Desktop on authorized devices.,Admin Log Event,Change Application Setting,DriveFsSettingsProto company_owned_only_enabled,true,rules/00gjdgxs4ghyiin,JK 10-19-23 @ 14:01 +GWS.DRIVEDOCS.6.1v0.2,Google Drive for Desktop SHOULD only be enabled for authorized devices.,Admin Log Event,Change Application Setting,DriveFsSettingsProto company_owned_only_enabled,true,rules/00gjdgxs4ghyiin,JK 10-19-23 @ 14:01 GWS.DRIVEDOCS.7.1v0.2,Agencies SHOULD configure DLP rules to block or warn on sharing files with sensitive data.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event \ No newline at end of file From ba751164754b536d724c3cf30aef0cb0e0830512 Mon Sep 17 00:00:00 2001 
From: jkaufman-mitre <135844572+jkaufman-mitre@users.noreply.github.com> Date: Mon, 10 Jun 2024 09:48:52 -0400 Subject: [PATCH 04/13] Update baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> --- ...nd Docs Minimum Viable Secure Configuration Baseline v0.2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md index 19a2ec37..2a5b98b9 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md @@ -368,7 +368,7 @@ This section addresses Drive for Desktop, a feature that enables users to intera ### Policies #### GWS.DRIVEDOCS.6.1v0.2 -Google Drive for Desktop SHOULD only be enabled for authorized devices. +Google Drive for Desktop SHOULD be enabled only for authorized devices. - _Rationale:_ Some users may attempt to use Drive for Desktop to connect unapproved devices (e.g., a personal computer), to the agency's Google Drive. Even if done without malicious intent, this represents a security risk as the agency has no ability audit or protect such computers. - _Last modified:_ June 7, 2024 From b2de19d181d30ebb3ec5f6e6d48a0a0205c77bf6 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Thu, 20 Jun 2024 09:19:20 -0400 Subject: [PATCH 05/13] Fixed DRIVEDOCS.3.1v0.2 --- ...nd Docs Minimum Viable Secure Configuration Baseline v0.2.md | 2 +- drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md index 2a5b98b9..5551f371 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md @@ -261,7 +261,7 @@ This section covers whether a security update issued by Google will be applied t ### Policies #### GWS.DRIVEDOCS.3.1v0.2 -Agencies SHALL enable security updates for Drive files. +Agencies SHALL enable the security update for Drive files. - _Rationale:_ Google may add new security features over time. Allowing security updates helps ensure that your files are protected with the latest features Google makes available. - _Last modified:_ July 10, 2023 diff --git a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv index c9172be8..027e323b 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv 
@@ -11,7 +11,7 @@ GWS.DRIVEDOCS.2.1v0.2,Agencies SHOULD NOT allow members with manager access to o GWS.DRIVEDOCS.2.2v0.2,Agencies SHOULD NOT allow users outside of their organization to access files in shared drives.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_cross_domain_access,true,rules/00gjdgxs1o31qud,JK 08-02-23 @ 14:12 GWS.DRIVEDOCS.2.3v0.2,Agencies SHALL allow users who are not shared drive members to be added to files.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_direct_access,true,rules/00gjdgxs3mcxcll,JK 08-02-23 @ 14:23 GWS.DRIVEDOCS.2.4v0.2,"Agencies SHALL NOT allow viewers and commenters to download, print, and copy files.",Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_download,true,rules/00gjdgxs18yk89t,JK 08-02-23 @ 14:30 -GWS.DRIVEDOCS.3.1v0.2,Agencies SHALL enable security updates for Drive files.,Admin Log Event,Change Application Setting,Link Security Update Settings less_secure_link_option,REMOVE_LESS_SECURE_LINKS,rules/00gjdgxs0mrpx7o,JK 08-02-23 @ 14:41 +GWS.DRIVEDOCS.3.1v0.2,Agencies SHALL enable the security update for Drive files.,Admin Log Event,Change Application Setting,Link Security Update Settings less_secure_link_option,REMOVE_LESS_SECURE_LINKS,rules/00gjdgxs0mrpx7o,JK 08-02-23 @ 14:41 GWS.DRIVEDOCS.4.1v0.2,Agencies SHOULD disable Drive SDK access to restrict information sharing and prevent data leakage.,Admin Log Event,Change Drive Setting,ENABLE_DRIVE_APPS,true,rules/00gjdgxs1mm4n4i,JK 08-02-23 @ 14:49 GWS.DRIVEDOCS.5.1v0.2,Agencies SHALL disable Add-Ons with the exception of those that are approved within the organization.,Admin Log Event,Change Drive Setting,ENABLE_DOCS_ADD_ONS,false,rules/00gjdgxs4d794jn,JK 08-02-23 @ 15:14 GWS.DRIVEDOCS.6.1v0.2,Google Drive for Desktop SHOULD only be enabled for authorized devices.,Admin Log Event,Change Application Setting,DriveFsSettingsProto 
company_owned_only_enabled,true,rules/00gjdgxs4ghyiin,JK 10-19-23 @ 14:01 From 665f9ff44e9b2a3d67d196cb982def3218c622ad Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Tue, 9 Jul 2024 15:18:24 -0400 Subject: [PATCH 06/13] Fixed issues from the PR comments --- ...ocs Minimum Viable Secure Configuration Baseline v0.2.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md index 5551f371..ea0b9f4c 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md @@ -100,9 +100,9 @@ Agencies SHALL disable making files and published web content visible to anyone #### GWS.DRIVEDOCS.1.6v0.2 Agencies SHOULD set access checking to recipients only. -- _Rationale:_ The Access Checker feature can be configured to allows users to grant access to the public if a recipient is missing access, creating the potential for data leakage. This control mitigates this by only allowing access to be granted to recipients or the suggested target audience. +- _Rationale:_ The Access Checker feature can be configured to allow users to grant open access if a recipient is missing access, creating the potential for data leakage. This control mitigates this by only allowing access to be granted to recipients or the suggested target audience. - _Last modified:_ June 7, 2024 -- _Note:_ Agencies SHALL NOT set access checking to Recipients only, suggested target audience, or public (no Google account required). +- _Note:_ Agencies need to ensure that access checking is not set to the "Recipients only, suggested target audience, or public (no Google account required)" option. - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) 
@@ -263,7 +263,7 @@ This section covers whether a security update issued by Google will be applied t #### GWS.DRIVEDOCS.3.1v0.2 Agencies SHALL enable the security update for Drive files. -- _Rationale:_ Google may add new security features over time. Allowing security updates helps ensure that your files are protected with the latest features Google makes available. +- _Rationale:_ By not enabling the resource key security update it creates the potential for an unauthorized access to files. Enabling this security update mitigates the risk by ensuring access is controlled properly. - _Last modified:_ July 10, 2023 - MITRE ATT&CK TTP Mapping From 5a2f4be11c67ce5bc4613c31d31c35fa326fe1b1 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Tue, 9 Jul 2024 15:19:54 -0400 Subject: [PATCH 07/13] Fixed Resource Link --- ...nd Docs Minimum Viable Secure Configuration Baseline v0.2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md index ea0b9f4c..0a00041a 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md 
@@ -271,7 +271,7 @@ Agencies SHALL enable the security update for Drive files. ### Resources -- [Google Workspace Admin Help: Security update for Google Drive](https://support.google.com/drive/answer/10729743?hl=en#zippy=%2Care-any-file-types-not-impacted%2Cwhat-happens-if-i-dont-apply-the-security-update-to-my-files%2Chow-will-this-security-update-change-access-to-my-impacted-files) +- [Google Workspace Admin Help: Security update for Google Drive](https://apps.google.com/supportwidget/articlehome?article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F10685032%3Fvisit_id%3D638533824698144528-3160863719&assistant_event=welcome&assistant_id=mega-bot-shared-drive&product_context=10685032&product_name=UnuFlow&trigger_context=a) ### Prerequisites From c8b6cce13de29bff168699bc0495a6a3db810713 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Wed, 10 Jul 2024 15:25:49 -0400 Subject: [PATCH 08/13] Made DRIVEDOCS.1.6 a SHALL and removed note and fixed implementation --- ...Docs Minimum Viable Secure Configuration Baseline v0.2.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md index 0a00041a..1a6af460 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md 
@@ -98,11 +98,10 @@ Agencies SHALL disable making files and published web content visible to anyone - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) #### GWS.DRIVEDOCS.1.6v0.2 -Agencies SHOULD set access checking to recipients only. +Agencies SHALL set access checking to recipients only. - _Rationale:_ The Access Checker feature can be configured to allow users to grant open access if a recipient is missing access, creating the potential for data leakage. This control mitigates this by only allowing access to be granted to recipients or the suggested target audience. - _Last modified:_ June 7, 2024 -- _Note:_ Agencies need to ensure that access checking is not set to the "Recipients only, suggested target audience, or public (no Google account required)" option. - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) @@ -170,7 +169,7 @@ To configure the settings for Sharing options: #### GWS.DRIVEDOCS.1.6v0.2 Instructions 1. Select **Sharing settings** -\> **Sharing options**. -2. Select **Access Checker** -\> **Recipients only, or suggested target audience.** +2. Select **Access Checker** -\> **Recipients only.** #### GWS.DRIVEDOCS.1.7v0.2 Instructions 1. Select **Sharing settings** -\> **Sharing options**. From bcb55733d156dad941f601fd7572f941058c2bcd Mon Sep 17 00:00:00 2001 From: mdueltgen <148897369+mdueltgen@users.noreply.github.com> Date: Wed, 24 Jul 2024 16:22:31 -0400 Subject: [PATCH 09/13] updated rationale statement for 3.1 --- ...nd Docs Minimum Viable Secure Configuration Baseline v0.2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md index 1a6af460..27b361e0 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md 
+++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md @@ -262,7 +262,7 @@ This section covers whether a security update issued by Google will be applied t #### GWS.DRIVEDOCS.3.1v0.2 Agencies SHALL enable the security update for Drive files. -- _Rationale:_ By not enabling the resource key security update it creates the potential for an unauthorized access to files. Enabling this security update mitigates the risk by ensuring access is controlled properly. +- _Rationale:_ By not enabling the update to the resource key security update a user could potentially gain unauthorized access to files. Enabling this security update decreases risk of unauthorized access and data spillage by controlling access to files in Google Drive. - _Last modified:_ July 10, 2023 - MITRE ATT&CK TTP Mapping From 583066090fc0a9a1473bb5e35abc9479e2d583a6 Mon Sep 17 00:00:00 2001 From: "Max Dueltgen (MITRE)" <148897369+mdueltgen@users.noreply.github.com> Date: Thu, 25 Jul 2024 09:27:03 -0400 Subject: [PATCH 10/13] Update baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> --- ...nd Docs Minimum Viable Secure Configuration Baseline v0.2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md index 27b361e0..99d1e17c 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.2.md 
@@ -100,7 +100,7 @@ Agencies SHALL disable making files and published web content visible to anyone #### GWS.DRIVEDOCS.1.6v0.2 Agencies SHALL set access checking to recipients only. -- _Rationale:_ The Access Checker feature can be configured to allow users to grant open access if a recipient is missing access, creating the potential for data leakage. This control mitigates this by only allowing access to be granted to recipients or the suggested target audience. +- _Rationale:_ The Access Checker feature can be configured to allow users to grant open access if a recipient is missing access, creating the potential for data leakage. This control mitigates this by only allowing access to be granted to recipients. - _Last modified:_ June 7, 2024 - MITRE ATT&CK TTP Mapping From f5a824c629457fb30145aa49e2d2d93cbdcded22 Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Thu, 25 Jul 2024 09:27:39 -0700 Subject: [PATCH 11/13] Adjust 1.6 rego to only allow sharing to recipients --- Testing/RegoTests/drive/drive01_test.rego | 26 +++++++++++------------ rego/Drive.rego | 26 +++++++++++++++-------- 2 files changed, 30 insertions(+), 22 deletions(-) diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego index fbd74a33..2e1ff982 100644 --- a/Testing/RegoTests/drive/drive01_test.rego +++ b/Testing/RegoTests/drive/drive01_test.rego @@ -1508,7 +1508,7 @@ test_SharingChecker_Correct_V1 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"}, + {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] 
@@ -1536,7 +1536,7 @@ test_SharingChecker_Correct_V2 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"}, + {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1574,7 +1574,7 @@ test_SharingChecker_Correct_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"}, + {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1584,7 +1584,7 @@ test_SharingChecker_Correct_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"}, + {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"}, {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, ] }] @@ -1644,7 +1644,7 @@ test_SharingChecker_Incorrect_V2 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "ALLOWED"}, + {"name": "NEW_VALUE", "value": "ALL"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1662,7 +1662,7 @@ test_SharingChecker_Incorrect_V2 if { RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Top-Level OU: ", "Access Checker allows users to share ", - "files to the public (no Google account required)
"]) + "files to Recipients only, suggested target audience, or public (no Google account required)"]) } test_SharingChecker_Incorrect_V3 if { @@ -1675,7 +1675,7 @@ test_SharingChecker_Incorrect_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "ALLOWED"}, + {"name": "NEW_VALUE", "value": "ALL"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1685,7 +1685,7 @@ test_SharingChecker_Incorrect_V3 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "NOT_ALLOWED"}, + {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1703,7 +1703,7 @@ test_SharingChecker_Incorrect_V3 if { RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Top-Level OU: ", "Access Checker allows users to share ", - "files to the public (no Google account required)
"]) + "files to Recipients only, suggested target audience, or public (no Google account required)"]) } test_SharingChecker_Incorrect_V4 if { @@ -1716,7 +1716,7 @@ test_SharingChecker_Incorrect_V4 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"}, + {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"}, {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, ] }] @@ -1726,7 +1726,7 @@ test_SharingChecker_Incorrect_V4 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "ALLOWED"}, + {"name": "NEW_VALUE", "value": "DOMAIN_OR_NAMED_PARTIES"}, {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"}, ] }] @@ -1744,7 +1744,7 @@ test_SharingChecker_Incorrect_V4 if { RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", "
  • Test Secondary OU: ", "Access Checker allows users to share ", - "files to the public (no Google account required)
"]) + "files to Recipients only, or suggested target audience"]) } test_SharingChecker_Incorrect_V5 if { @@ -1757,7 +1757,7 @@ test_SharingChecker_Incorrect_V5 if { "events": [{ "parameters": [ {"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"}, - {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIE"}, + {"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"}, {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"}, ] }] diff --git a/rego/Drive.rego b/rego/Drive.rego index 0c3e7b8c..4777fb55 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego 
@@ -378,30 +378,38 @@ if { # # Baseline GWS.DRIVEDOCS.1.6v0.2 #-- + +GetFriendlyValue1_6(Value) := +"Recipients only, suggested target audience, or public (no Google account required)" if { + Value == "ALL" +} else := "Recipients only, or suggested target audience" if { + Value == "DOMAIN_OR_NAMED_PARTIES" +} else := Value + NonCompliantOUs1_6 contains { - "Name":OU, - "Value": concat("", ["Access Checker allows users to share ", - "files to the public (no Google account required)"]) + "Name": OU, + "Value": concat("", ["Access Checker allows users to share files to ", + GetFriendlyValue1_6(LastEvent.NewValue)]) } if { some OU in utils.OUsWithEvents Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) - contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", - LastEvent.NewValue) == false + AcceptableValues := {"NAMED_PARTIES_ONLY", "INHERIT_FROM_PARENT"} + not LastEvent.NewValue in AcceptableValues } NonCompliantGroups1_6 contains { "Name":Group, - "Value": concat("", ["Access Checker allows users to share ", - "files to the public (no Google account required)"]) + "Value": concat("", ["Access Checker allows users to share files to ", + GetFriendlyValue1_6(LastEvent.NewValue)]) } if { some Group in utils.GroupsWithEvents Events := utils.FilterEventsGroup(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", Group) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) - contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", - LastEvent.NewValue) == false + AcceptableValues := {"NAMED_PARTIES_ONLY", "INHERIT_FROM_PARENT"} + not LastEvent.NewValue in AcceptableValues } tests contains { From c9a1d9e395d95a9b9f02950499cd153235f8720c Mon Sep 17 00:00:00 2001 
From: Alden Hilton Date: Thu, 25 Jul 2024 09:55:47 -0700 Subject: [PATCH 12/13] Rego changes for 1.6 --- Testing/RegoTests/drive/drive06_test.rego | 6 +- rego/Drive.rego | 99 ++++++++++++----------- 2 files changed, 53 insertions(+), 52 deletions(-) diff --git a/Testing/RegoTests/drive/drive06_test.rego b/Testing/RegoTests/drive/drive06_test.rego index 973db6d3..0f073611 100644 --- a/Testing/RegoTests/drive/drive06_test.rego +++ b/Testing/RegoTests/drive/drive06_test.rego @@ -252,7 +252,7 @@ test_DriveFs_Setting_InCorrect_V1 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.
"]) + "
  • Test Top-Level OU: Drive for Desktop is enabled and can be used on any device.
"]) } test_DriveFs_Setting_InCorrect_V2 if { @@ -311,7 +311,7 @@ test_DriveFs_Setting_InCorrect_V2 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.
"]) + "
  • Test Top-Level OU: Drive for Desktop is enabled and can be used on any device.
"]) } test_DriveFs_Setting_InCorrect_V3 if { @@ -390,5 +390,5 @@ test_DriveFs_Setting_InCorrect_V3 if { not RuleOutput[0].RequirementMet not RuleOutput[0].NoSuchEvent RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:", - "
  • Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.
"]) + "
  • Test Top-Level OU: Drive for Desktop is enabled and can be used on any device.
"]) } \ No newline at end of file diff --git a/rego/Drive.rego b/rego/Drive.rego index 4777fb55..106a2809 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -1035,18 +1035,22 @@ if { # # Baseline GWS.DRIVEDOCS.6.1v0.2 #-- + +GetFriendlyValue6_1(CompanyOnly, DesktopEnabled) := + "Drive for Desktop is enabled and can be used on any device." if { + CompanyOnly == "false" + DesktopEnabled == "true" + } + else := "Drive for Desktop is disabled" if { + DesktopEnabled == "false" + } + else := "Drive for Desktop is enabled but only on approved devices." if { + CompanyOnly == "true" + DesktopEnabled == "true" + } + default NoSuchEvent6_1(_) := true -GetFriendlyValue6_1(Value_B, Value_A) := -"Drive for Desktop is enabled, but can be used on any device." if { - Value_B == "false" -} -else := "Drive for Desktop is disabled" if { - Value_A == "false" -} -else := "Drive for Desktop is enabled, and only on approved devices." if { - Value_A == "true" -} NoSuchEvent6_1(TopLevelOU) := false if { Events := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto drive_fs_enabled", TopLevelOU) @@ -1054,7 +1058,6 @@ NoSuchEvent6_1(TopLevelOU) := false if { } NoSuchEvent6_1(TopLevelOU) := false if { - # No such event... Events := utils.FilterEventsOU(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", TopLevelOU) count(Events) != 0 
@@ -1062,49 +1065,47 @@ NoSuchEvent6_1(TopLevelOU) := false if { NonCompliantOUs6_1 contains { "Name": OU, - "Value": GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue) + "Value": GetFriendlyValue6_1(LastCompanyOnlyEvent.NewValue, LastDriveEnabledEvent.NewValue) } if { - some OU in utils.OUsWithEvents - Events_A := utils.FilterEventsOU(LogEvents, - "DriveFsSettingsProto drive_fs_enabled", OU) - count(Events_A) > 0 - LastEvent_A := utils.GetLastEvent(Events_A) - LastEvent_A.NewValue != "DELETE_APPLICATION_SETTING" - - Events_B := utils.FilterEventsOU(LogEvents, - "DriveFsSettingsProto company_owned_only_enabled", OU) - count(Events_B) > 0 - LastEvent_B := utils.GetLastEvent(Events_B) - LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING" - - - LastEvent_A.NewValue == "true" - LastEvent_B.NewValue != "true" - -} + some OU in utils.OUsWithEvents + + DriveEnabledEvents := utils.FilterEventsOU(LogEvents, + "DriveFsSettingsProto drive_fs_enabled", OU) + count(DriveEnabledEvents) > 0 + LastDriveEnabledEvent := utils.GetLastEvent(DriveEnabledEvents) + LastDriveEnabledEvent.NewValue != "DELETE_APPLICATION_SETTING" + + CompanyOnlyEvents := utils.FilterEventsOU(LogEvents, + "DriveFsSettingsProto company_owned_only_enabled", OU) + count(CompanyOnlyEvents) > 0 + LastCompanyOnlyEvent := utils.GetLastEvent(CompanyOnlyEvents) + LastCompanyOnlyEvent.NewValue != "DELETE_APPLICATION_SETTING" + + LastDriveEnabledEvent.NewValue == "true" + LastCompanyOnlyEvent.NewValue != "true" + } NonCompliantGroups6_1 contains { "Name": Group, - "Value": GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue) + "Value": GetFriendlyValue6_1(LastCompanyOnlyEvent.NewValue, LastDriveEnabledEvent.NewValue) } if { - some Group in utils.GroupsWithEvents - Events_A := utils.FilterEventsGroup(LogEvents, - "DriveFsSettingsProto drive_fs_enabled", Group) - count(Events_A) > 0 - LastEvent_A := utils.GetLastEvent(Events_A) - LastEvent_A.NewValue != "DELETE_APPLICATION_SETTING" - - Events_B 
:= utils.FilterEventsGroup(LogEvents, - "DriveFsSettingsProto company_owned_only_enabled", Group) - count(Events_B) > 0 - LastEvent_B := utils.GetLastEvent(Events_B) - LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING" - - LastEvent_A.NewValue == "true" - LastEvent_B.NewValue != "true" - - -} + some Group in utils.GroupsWithEvents + + DriveEnabledEvents := utils.FilterEventsGroup(LogEvents, + "DriveFsSettingsProto drive_fs_enabled", Group) + count(DriveEnabledEvents) > 0 + LastDriveEnabledEvent := utils.GetLastEvent(DriveEnabledEvents) + LastDriveEnabledEvent.NewValue != "DELETE_APPLICATION_SETTING" + + CompanyOnlyEvents := utils.FilterEventsGroup(LogEvents, + "DriveFsSettingsProto company_owned_only_enabled", Group) + count(CompanyOnlyEvents) > 0 + LastCompanyOnlyEvent := utils.GetLastEvent(CompanyOnlyEvents) + LastCompanyOnlyEvent.NewValue != "DELETE_APPLICATION_SETTING" + + LastDriveEnabledEvent.NewValue == "true" + LastCompanyOnlyEvent.NewValue != "true" + } tests contains { "PolicyId": "GWS.DRIVEDOCS.6.1v0.2", From b0bdf17104f1d7b5decafa7650a9fd31b394789e Mon Sep 17 00:00:00 2001 From: "Max Dueltgen (MITRE)" <148897369+mdueltgen@users.noreply.github.com> Date: Thu, 25 Jul 2024 13:15:06 -0400 Subject: [PATCH 13/13] Apply suggestions from code review Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> --- drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv index 027e323b..dddfc54e 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv 
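Review bot: NonCompliantOUs6_1 and NonCompliantGroups6_1 now carry the same rule body twice, differing only in `utils.FilterEventsOU` versus `utils.FilterEventsGroup`; since the rename already touched every line of both bodies, this is the moment to move the shared event lookup and the two DELETE_APPLICATION_SETTING guards into one helper so the OU and group rules cannot drift apart again (the old version's mismatched blank lines and `}` placement that this hunk cleans up is exactly that kind of drift). The renames themselves (Events_A/Events_B to DriveEnabledEvents/CompanyOnlyEvents) and the argument order passed to the new `GetFriendlyValue6_1(CompanyOnly, DesktopEnabled)` signature are consistent with the rego hunk above.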
@@ -14,5 +14,5 @@ GWS.DRIVEDOCS.2.4v0.2,"Agencies SHALL NOT allow viewers and commenters to downlo GWS.DRIVEDOCS.3.1v0.2,Agencies SHALL enable the security update for Drive files.,Admin Log Event,Change Application Setting,Link Security Update Settings less_secure_link_option,REMOVE_LESS_SECURE_LINKS,rules/00gjdgxs0mrpx7o,JK 08-02-23 @ 14:41 GWS.DRIVEDOCS.4.1v0.2,Agencies SHOULD disable Drive SDK access to restrict information sharing and prevent data leakage.,Admin Log Event,Change Drive Setting,ENABLE_DRIVE_APPS,true,rules/00gjdgxs1mm4n4i,JK 08-02-23 @ 14:49 GWS.DRIVEDOCS.5.1v0.2,Agencies SHALL disable Add-Ons with the exception of those that are approved within the organization.,Admin Log Event,Change Drive Setting,ENABLE_DOCS_ADD_ONS,false,rules/00gjdgxs4d794jn,JK 08-02-23 @ 15:14 -GWS.DRIVEDOCS.6.1v0.2,Google Drive for Desktop SHOULD only be enabled for authorized devices.,Admin Log Event,Change Application Setting,DriveFsSettingsProto company_owned_only_enabled,true,rules/00gjdgxs4ghyiin,JK 10-19-23 @ 14:01 +GWS.DRIVEDOCS.6.1v0.2,Google Drive for Desktop SHOULD be enabled only for authorized devices..,Admin Log Event,Change Application Setting,DriveFsSettingsProto company_owned_only_enabled,true,rules/00gjdgxs4ghyiin,JK 10-19-23 @ 14:01 GWS.DRIVEDOCS.7.1v0.2,Agencies SHOULD configure DLP rules to block or warn on sharing files with sensitive data.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event \ No newline at end of file
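Review bot: the reworded GWS.DRIVEDOCS.6.1v0.2 policy statement in the added line ends with a doubled period (`authorized devices..`); it should read `Google Drive for Desktop SHOULD be enabled only for authorized devices.` Moving `only` is the sole intended change here and the remaining columns (event, setting name, expected value, rule id) are untouched, so this is just the typo to fix before merge.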