Change Common Controls 7.1 to SHOULD and update Common Controls Policy Group 17 resource link #558

Merged
Expand Up @@ -16,7 +16,7 @@ GWS.COMMONCONTROLS.5.5v0.3,User passwords SHALL NOT be reused.,Admin Log Event,C
GWS.COMMONCONTROLS.5.6v0.3,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09
GWS.COMMONCONTROLS.6.1v0.3,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.6.2v0.3,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
GWS.COMMONCONTROLS.8.1v0.3,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16
GWS.COMMONCONTROLS.9.1v0.3,Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv5,JK 08-02-23 @ 09:20
GWS.COMMONCONTROLS.9.2v0.3,All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. This control enforces more secure protection of sensitive user accounts from targeted attacks. Sensitive user accounts include political appointees and other Senior Executive Service (SES) officials whose account compromise would pose a level of risk prohibitive to agency mission fulfillment.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv6,JK 08-02-23 @ 09:21
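Review bot: The GWS.COMMONCONTROLS.7.1 row keeps the v0.3 suffix in its policy ID although the requirement keyword in the same row changes from SHALL to SHOULD, so anything keyed on the full ID cannot tell the two requirement strengths apart. If the suffix is meant to track changes to the requirement text, bump it here together with the baseline heading; if the ID is intentionally unchanged, say so in the PR description.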
6 changes: 3 additions & 3 deletions scubagoggles/baselines/commoncontrols.md
Expand Up @@ -604,10 +604,10 @@ By changing the email address, the user resolves the conflict by ensuring that t
### Policies

#### GWS.COMMONCONTROLS.7.1v0.3
Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.
Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones.

- _Rationale:_ Unmanaged user accounts cannot be controlled or monitored by workspace admins. By resolving conflicting accounts, you ensure all users in your workspace are using managed accounts.
- _Last modified:_ September 14, 2023
- _Last modified:_ January 2025

- MITRE ATT&CK TTP Mapping
- [T1136: Create Account](https://attack.mitre.org/techniques/T1136/)
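Review bot: The new `_Last modified:_` value "January 2025" drops the day, while the value it replaces, "September 14, 2023", was a full date. Use a full date here so the field keeps one format across policies and stays sortable and parseable.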
Expand Down Expand Up @@ -1243,7 +1243,7 @@ Require multi party approval for sensitive admin actions SHALL be enabled.
- No TTP Mappings

### Resources
- [GWS Admin Help \| Multi-party approval for sensitive actions](https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F13790448%3Fhl%3Den&assistant_id=generic-unu&product_context=13790448&product_name=UnuFlow&trigger_context=a)
- [GWS Admin Help \| Multi-party approval for sensitive actions](https://support.google.com/a/answer/13790448?hl=en-Link)

### Prerequisites

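Review bot: The replacement URL in the Resources list ends in `?hl=en-Link`, which looks like a leftover from copying the link; the encoded article address inside the old URL carried `hl=en`. Suggest `https://support.google.com/a/answer/13790448?hl=en`, or drop the query string entirely.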
2 changes: 1 addition & 1 deletion scubagoggles/rego/Commoncontrols.rego
Expand Up @@ -1207,7 +1207,7 @@ CommonControlsId7_1 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.7.1")

tests contains {
"PolicyId": CommonControlsId7_1,
"Criticality": "Shall/Not-Implemented",
"Criticality": "Should/Not-Implemented",
"ReportDetails": "Currently not able to be tested automatically; please manually check.",
"ActualValue": "",
"RequirementMet": false,
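Review bot: No test or expected-output change accompanies the `"Criticality": "Should/Not-Implemented"` line in this hunk; if any Rego unit test or report fixture asserts "Shall/Not-Implemented" for `CommonControlsId7_1`, it needs the same one-word change. Also worth confirming that `"RequirementMet": false` combined with a Should criticality is reported the way the other manual-check SHOULD policies are.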