From be35ce374567e6b88eb239b84e44853fe07347b4 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre <135844572+jkaufman-mitre@users.noreply.github.com> Date: Tue, 16 Jan 2024 13:39:24 -0500 Subject: [PATCH] Removes DRIVE_DOCS.2.1v0.1 from Baseline per Issue 127 (#130) * Remove "Agencies SHOULD enable shared drive creation to allow for effective collaboration." --------- Co-authored-by: Alden Hilton --- Testing/RegoTests/drive/drive02_test.rego | 345 ++---------------- ...able Secure Configuration Baseline v0.1.md | 25 +- ...rift Monitoring Rules - Drive and Docs.csv | 9 +- rego/Drive.rego | 75 +--- 4 files changed, 62 insertions(+), 392 deletions(-) diff --git a/Testing/RegoTests/drive/drive02_test.rego b/Testing/RegoTests/drive/drive02_test.rego index f61ec950..c3d6ed5d 100644 --- a/Testing/RegoTests/drive/drive02_test.rego +++ b/Testing/RegoTests/drive/drive02_test.rego 
@@ -4,284 +4,9 @@ import future.keywords # # GWS.DRIVEDOCS.2.1v0.1 #-- -test_Sharing_Correct_V1 if { - # Test sharing setting when there's only one event - PolicyId := "GWS.DRIVEDOCS.2.1v0.1" - Output := tests with input as { - "drive_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." -} - -test_Sharing_Correct_V2 if { - # Test sharing setting when there's multiple events and the most most recent is correct - PolicyId := "GWS.DRIVEDOCS.2.1v0.1" - Output := tests with input as { - "drive_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." 
-} - -test_Sharing_Correct_V3 if { - # Test sharing setting when there's multiple OUs - PolicyId := "GWS.DRIVEDOCS.2.1v0.1" - Output := tests with input as { - "drive_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Secondary OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement met in all OUs." -} - -test_Sharing_Incorrect_V1 if { - # Test sharing setting when there are no relevant events - PolicyId := "GWS.DRIVEDOCS.2.1v0.1" - Output := tests with input as { - "drive_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Something else"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, Test Top-Level OU. ", - "While we are unable to determine the state from the logs, the default setting ", - "is non-compliant; manual check recommended." 
- ]) -} - -test_Sharing_Incorrect_V2 if { - # Test sharing setting when there's only one event and it's wrong - PolicyId := "GWS.DRIVEDOCS.2.1v0.1" - Output := tests with input as { - "drive_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - } - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." -} - -test_Sharing_Incorrect_V3 if { - # Test sharing setting when there are multiple events and the most recent is wrong - PolicyId := "GWS.DRIVEDOCS.2.1v0.1" - Output := tests with input as { - "drive_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "" - }, - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU." 
-} - -test_Sharing_Incorrect_V4 if { - # Test sharing setting when top OU is correct but secondary isn't - PolicyId := "GWS.DRIVEDOCS.2.1v0.1" - Output := tests with input as { - "drive_logs": {"items": [ - { - "id": {"time": "2022-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "true"}, - {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, - ] - }] - }, - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - }, - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - not RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU." -} - -test_Sharing_Incorrect_V5 if { - # Test sharing setting when top OU is missing - PolicyId := "GWS.DRIVEDOCS.2.1v0.1" - Output := tests with input as { - "drive_logs": {"items": [ - { - "id": {"time": "2021-12-20T00:02:28.672Z"}, - "events": [{ - "parameters": [ - {"name": "SETTING_NAME", "value": "Shared Drive Creation CanCreateSharedDrives"}, - {"name": "NEW_VALUE", "value": "false"}, - {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"}, - ] - }] - } - ]}, - "tenant_info": { - "topLevelOU": "Test Top-Level OU" - }, - } - - RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].NoSuchEvent - RuleOutput[0].ReportDetails == concat("", [ - "No relevant event in the current logs for the top-level OU, Test Top-Level OU. 
", - "While we are unable to determine the state from the logs, the default setting ", - "is non-compliant; manual check recommended." - ]) -} - -# -# GWS.DRIVEDOCS.2.2v0.1 -#-- test_Managers_Correct_V1 if { # Test sharing setting when there's only one event - PolicyId := "GWS.DRIVEDOCS.2.2v0.1" + PolicyId := "GWS.DRIVEDOCS.2.1v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -309,7 +34,7 @@ test_Managers_Correct_V1 if { test_Managers_Correct_V2 if { # Test sharing setting when there's multiple events and the most most recent is correct - PolicyId := "GWS.DRIVEDOCS.2.2v0.1" + PolicyId := "GWS.DRIVEDOCS.2.1v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -347,7 +72,7 @@ test_Managers_Correct_V2 if { test_Managers_Correct_V3 if { # Test sharing setting when there's multiple OUs - PolicyId := "GWS.DRIVEDOCS.2.2v0.1" + PolicyId := "GWS.DRIVEDOCS.2.1v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -385,7 +110,7 @@ test_Managers_Correct_V3 if { test_Managers_Incorrect_V1 if { # Test sharing setting when there are no relevant events - PolicyId := "GWS.DRIVEDOCS.2.2v0.1" + PolicyId := "GWS.DRIVEDOCS.2.1v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -417,7 +142,7 @@ test_Managers_Incorrect_V1 if { test_Managers_Incorrect_V2 if { # Test sharing setting when there's only one event and it's wrong - PolicyId := "GWS.DRIVEDOCS.2.2v0.1" + PolicyId := "GWS.DRIVEDOCS.2.1v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -445,7 +170,7 @@ test_Managers_Incorrect_V2 if { test_Managers_Incorrect_V3 if { # Test sharing setting when there are multiple events and the most recent is wrong - PolicyId := "GWS.DRIVEDOCS.2.2v0.1" + PolicyId := "GWS.DRIVEDOCS.2.1v0.1" Output := tests with input as { "drive_logs": {"items": [ { 
@@ -483,7 +208,7 @@ test_Managers_Incorrect_V3 if { test_Managers_Incorrect_V4 if { # Test sharing setting when top OU is correct but secondary isn't - PolicyId := "GWS.DRIVEDOCS.2.2v0.1" + PolicyId := "GWS.DRIVEDOCS.2.1v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -521,7 +246,7 @@ test_Managers_Incorrect_V4 if { test_Managers_Incorrect_V5 if { # Test sharing setting when top OU is missing - PolicyId := "GWS.DRIVEDOCS.2.2v0.1" + PolicyId := "GWS.DRIVEDOCS.2.1v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -552,11 +277,11 @@ test_Managers_Incorrect_V5 if { } # -# GWS.DRIVEDOCS.2.3v0.1 +# GWS.DRIVEDOCS.2.2v0.1 #-- test_Outside_Correct_V1 if { # Test sharing setting when there's only one event - PolicyId := "GWS.DRIVEDOCS.2.3v0.1" + PolicyId := "GWS.DRIVEDOCS.2.2v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -587,7 +312,7 @@ test_Outside_Correct_V1 if { test_Outside_Correct_V2 if { # Test sharing setting when there's multiple events and the most most recent is correct - PolicyId := "GWS.DRIVEDOCS.2.3v0.1" + PolicyId := "GWS.DRIVEDOCS.2.2v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -631,7 +356,7 @@ test_Outside_Correct_V2 if { test_Outside_Correct_V3 if { # Test sharing setting when there's multiple OUs - PolicyId := "GWS.DRIVEDOCS.2.3v0.1" + PolicyId := "GWS.DRIVEDOCS.2.2v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -675,7 +400,7 @@ test_Outside_Correct_V3 if { test_Outside_Incorrect_V1 if { # Test sharing setting when there are no relevant events - PolicyId := "GWS.DRIVEDOCS.2.3v0.1" + PolicyId := "GWS.DRIVEDOCS.2.2v0.1" Output := tests with input as { "drive_logs": {"items": [ { 
@@ -707,7 +432,7 @@ test_Outside_Incorrect_V1 if { test_Outside_Incorrect_V2 if { # Test sharing setting when there's only one event and it's wrong - PolicyId := "GWS.DRIVEDOCS.2.3v0.1" + PolicyId := "GWS.DRIVEDOCS.2.2v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -738,7 +463,7 @@ test_Outside_Incorrect_V2 if { test_Outside_Incorrect_V3 if { # Test sharing setting when there are multiple events and the most recent is wrong - PolicyId := "GWS.DRIVEDOCS.2.3v0.1" + PolicyId := "GWS.DRIVEDOCS.2.2v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -782,7 +507,7 @@ test_Outside_Incorrect_V3 if { test_Outside_Incorrect_V4 if { # Test sharing setting when top OU is correct but secondary isn't - PolicyId := "GWS.DRIVEDOCS.2.3v0.1" + PolicyId := "GWS.DRIVEDOCS.2.2v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -826,7 +551,7 @@ test_Outside_Incorrect_V4 if { test_Outside_Incorrect_V5 if { # Test sharing setting when top OU is missing - PolicyId := "GWS.DRIVEDOCS.2.3v0.1" + PolicyId := "GWS.DRIVEDOCS.2.2v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -860,11 +585,11 @@ test_Outside_Incorrect_V5 if { } # -# GWS.DRIVEDOCS.2.4v0.1 +# GWS.DRIVEDOCS.2.3v0.1 #-- test_SharedDrive_Correct_V1 if { # Test sharing setting when there's only one event - PolicyId := "GWS.DRIVEDOCS.2.4v0.1" + PolicyId := "GWS.DRIVEDOCS.2.3v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -895,7 +620,7 @@ test_SharedDrive_Correct_V1 if { test_SharedDrive_Correct_V2 if { # Test sharing setting when there's multiple events and the most most recent is correct - PolicyId := "GWS.DRIVEDOCS.2.4v0.1" + PolicyId := "GWS.DRIVEDOCS.2.3v0.1" Output := tests with input as { "drive_logs": {"items": [ { 
@@ -939,7 +664,7 @@ test_SharedDrive_Correct_V2 if { test_SharedDrive_Correct_V3 if { # Test sharing setting when there's multiple OUs - PolicyId := "GWS.DRIVEDOCS.2.4v0.1" + PolicyId := "GWS.DRIVEDOCS.2.3v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -983,7 +708,7 @@ test_SharedDrive_Correct_V3 if { test_SharedDrive_Incorrect_V1 if { # Test sharing setting when there are no relevant events - PolicyId := "GWS.DRIVEDOCS.2.4v0.1" + PolicyId := "GWS.DRIVEDOCS.2.3v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1015,7 +740,7 @@ test_SharedDrive_Incorrect_V1 if { test_SharedDrive_Incorrect_V2 if { # Test sharing setting when there's only one event and it's wrong - PolicyId := "GWS.DRIVEDOCS.2.4v0.1" + PolicyId := "GWS.DRIVEDOCS.2.3v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1046,7 +771,7 @@ test_SharedDrive_Incorrect_V2 if { test_SharedDrive_Incorrect_V3 if { # Test sharing setting when there are multiple events and the most recent is wrong - PolicyId := "GWS.DRIVEDOCS.2.4v0.1" + PolicyId := "GWS.DRIVEDOCS.2.3v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1090,7 +815,7 @@ test_SharedDrive_Incorrect_V3 if { test_SharedDrive_Incorrect_V4 if { # Test sharing setting when top OU is correct but secondary isn't - PolicyId := "GWS.DRIVEDOCS.2.4v0.1" + PolicyId := "GWS.DRIVEDOCS.2.3v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1134,7 +859,7 @@ test_SharedDrive_Incorrect_V4 if { test_SharedDrive_Incorrect_V5 if { # Test sharing setting when top OU is missing - PolicyId := "GWS.DRIVEDOCS.2.4v0.1" + PolicyId := "GWS.DRIVEDOCS.2.3v0.1" Output := tests with input as { "drive_logs": {"items": [ { 
@@ -1168,11 +893,11 @@ test_SharedDrive_Incorrect_V5 if { } # -# GWS.DRIVEDOCS.2.5v0.1 +# GWS.DRIVEDOCS.2.4v0.1 #-- test_Viewers_Correct_V1 if { # Test sharing setting when there's only one event - PolicyId := "GWS.DRIVEDOCS.2.5v0.1" + PolicyId := "GWS.DRIVEDOCS.2.4v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1200,7 +925,7 @@ test_Viewers_Correct_V1 if { test_Viewers_Correct_V2 if { # Test sharing setting when there's multiple events and the most most recent is correct - PolicyId := "GWS.DRIVEDOCS.2.5v0.1" + PolicyId := "GWS.DRIVEDOCS.2.4v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1238,7 +963,7 @@ test_Viewers_Correct_V2 if { test_Viewers_Correct_V3 if { # Test sharing setting when there's multiple OUs - PolicyId := "GWS.DRIVEDOCS.2.5v0.1" + PolicyId := "GWS.DRIVEDOCS.2.4v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1276,7 +1001,7 @@ test_Viewers_Correct_V3 if { test_Viewers_Incorrect_V1 if { # Test sharing setting when there are no relevant events - PolicyId := "GWS.DRIVEDOCS.2.5v0.1" + PolicyId := "GWS.DRIVEDOCS.2.4v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1308,7 +1033,7 @@ test_Viewers_Incorrect_V1 if { test_Viewers_Incorrect_V2 if { # Test sharing setting when there's only one event and it's wrong - PolicyId := "GWS.DRIVEDOCS.2.5v0.1" + PolicyId := "GWS.DRIVEDOCS.2.4v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1336,7 +1061,7 @@ test_Viewers_Incorrect_V2 if { test_Viewers_Incorrect_V3 if { # Test sharing setting when there are multiple events and the most recent is wrong - PolicyId := "GWS.DRIVEDOCS.2.5v0.1" + PolicyId := "GWS.DRIVEDOCS.2.4v0.1" Output := tests with input as { "drive_logs": {"items": [ { 
@@ -1374,7 +1099,7 @@ test_Viewers_Incorrect_V3 if { test_Viewers_Incorrect_V4 if { # Test sharing setting when top OU is correct but secondary isn't - PolicyId := "GWS.DRIVEDOCS.2.5v0.1" + PolicyId := "GWS.DRIVEDOCS.2.4v0.1" Output := tests with input as { "drive_logs": {"items": [ { @@ -1412,7 +1137,7 @@ test_Viewers_Incorrect_V4 if { test_Viewers_Incorrect_V5 if { # Test sharing setting when top OU is missing - PolicyId := "GWS.DRIVEDOCS.2.5v0.1" + PolicyId := "GWS.DRIVEDOCS.2.4v0.1" Output := tests with input as { "drive_logs": {"items": [ { diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md index 6e746787..a34a02c9 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md @@ -197,16 +197,6 @@ This section covers whether users can create new shared drives to share with oth ### Policies #### GWS.DRIVEDOCS.2.1v0.1 -Agencies SHOULD enable shared drive creation to allow for effective collaboration. - -- Rationale - - Disabling shared drives would make collaboration difficult. Shared drives allow users in the organization to work together on one or multiple documents concurrently. -- Last Modified: July 10, 2023 - -- MITRE ATT&CK TTP Mapping - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - -#### GWS.DRIVEDOCS.2.2v0.1 Agencies SHOULD NOT allow members with manager access to override shared drive creation settings. - Rationale 
@@ -216,7 +206,7 @@ Agencies SHOULD NOT allow members with manager access to override shared drive c - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) -#### GWS.DRIVEDOCS.2.3v0.1 +#### GWS.DRIVEDOCS.2.2v0.1 Agencies SHOULD NOT allow users outside of their organization to access files in shared drives. - Rationale @@ -226,7 +216,7 @@ Agencies SHOULD NOT allow users outside of their organization to access files in - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) -#### GWS.DRIVEDOCS.2.4v0.1 +#### GWS.DRIVEDOCS.2.3v0.1 Agencies SHALL allow users who are not shared drive members to be added to files. - Rationale @@ -236,7 +226,7 @@ Agencies SHALL allow users who are not shared drive members to be added to files - MITRE ATT&CK TTP Mapping - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) -#### GWS.DRIVEDOCS.2.5v0.1 +#### GWS.DRIVEDOCS.2.4v0.1 Agencies SHALL NOT allow viewers and commenters to download, print, and copy files. - Rationale 
@@ -267,18 +257,15 @@ To configure the settings for Shared drive creation: 5. Select **Save** #### GWS.DRIVEDOCS.2.1v0.1 Instructions -1. Uncheck the **Prevent users in organization from creating new shared drives** checkbox. - -#### GWS.DRIVEDOCS.2.2v0.1 Instructions 1. Uncheck the **Allow members with manager access to override the settings below** checkbox. -#### GWS.DRIVEDOCS.2.3v0.1 Instructions +#### GWS.DRIVEDOCS.2.2v0.1 Instructions 1. Uncheck the **Allow users outside organization to access files in shared drives** checkbox. -#### GWS.DRIVEDOCS.2.4v0.1 Instructions +#### GWS.DRIVEDOCS.2.3v0.1 Instructions 1. Check the **Allow people who aren't shared drive members to be added to files** checkbox. -#### GWS.DRIVEDOCS.2.5v0.1 Instructions +#### GWS.DRIVEDOCS.2.4v0.1 Instructions 1. Check the **Allow viewers and commenters to download, print, and copy files** checkbox. ## 3. Security Updates for Files diff --git a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv index a252f85a..8cb18fc7 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv 
@@ -7,11 +7,10 @@ GWS.DRIVEDOCS.1.5v0.1,Agencies SHALL disable making files and published web cont GWS.DRIVEDOCS.1.6v0.1,Agencies SHALL enable access checking for file sharing outside of Docs or Drive.,Admin Log Event,Change Drive Setting,SHARING_ACCESS_CHECKER_OPTIONS,DOMAIN_OR_NAMED_PARTIES,rules/00gjdgxs2qv9x6y,JK 08-02-23 @ 12:59 GWS.DRIVEDOCS.1.7v0.1,Agencies SHALL NOT allow any users to distribute content from an organization-owned shared drive to shared drives owned by another organizations.,Admin Log Event,Change Drive Setting,SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS,CROSS_DOMAIN_FROM_INTERNAL_ONLY,rules/00gjdgxs2bll5l2,JK 09-26-23 @ 09:24 GWS.DRIVEDOCS.1.8v0.1,Agencies SHALL ensure that newly created items assume the default access level of Private to the Owner.,Admin Log Event,Change Drive Setting,DEFAULT_LINK_SHARING_FOR_NEW_DOCS,PRIVATE,rules/00gjdgxs1jfq3ds,JK 08-02-23 @ 13:28 -GWS.DRIVEDOCS.2.1v0.1,Agencies SHOULD enable shared drive creation to allow for effective collaboration.,Admin Log Event,Change Application Setting,Shared Drive Creation CanCreateSharedDrives,true,rules/00gjdgxs3nclhql,JK 08-02-23 @ 13:37 -GWS.DRIVEDOCS.2.2v0.1,Agencies SHOULD NOT allow members with manager access to override shared drive creation settings.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_admin_only,true,rules/00gjdgxs418trv6,JK 08-02-23 @ 13:44 -GWS.DRIVEDOCS.2.3v0.1,Agencies SHOULD NOT allow users outside of their organization to access files in shared drives.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_cross_domain_access,true,rules/00gjdgxs1o31qud,JK 08-02-23 @ 14:12 -GWS.DRIVEDOCS.2.4v0.1,Agencies SHALL allow users who are not shared drive members to be added to files.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_direct_access,true,rules/00gjdgxs3mcxcll,JK 08-02-23 @ 14:23 -GWS.DRIVEDOCS.2.5v0.1,"Agencies SHALL NOT allow viewers and 
commenters to download, print, and copy files.",Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_download,true,rules/00gjdgxs18yk89t,JK 08-02-23 @ 14:30 +GWS.DRIVEDOCS.2.1v0.1,Agencies SHOULD NOT allow members with manager access to override shared drive creation settings.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_admin_only,true,rules/00gjdgxs418trv6,JK 08-02-23 @ 13:44 +GWS.DRIVEDOCS.2.2v0.1,Agencies SHOULD NOT allow users outside of their organization to access files in shared drives.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_cross_domain_access,true,rules/00gjdgxs1o31qud,JK 08-02-23 @ 14:12 +GWS.DRIVEDOCS.2.3v0.1,Agencies SHALL allow users who are not shared drive members to be added to files.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_direct_access,true,rules/00gjdgxs3mcxcll,JK 08-02-23 @ 14:23 +GWS.DRIVEDOCS.2.4v0.1,"Agencies SHALL NOT allow viewers and commenters to download, print, and copy files.",Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_download,true,rules/00gjdgxs18yk89t,JK 08-02-23 @ 14:30 GWS.DRIVEDOCS.3.1v0.1,Agencies SHALL enable security updates for Drive files.,Admin Log Event,Change Application Setting,Link Security Update Settings less_secure_link_option,REMOVE_LESS_SECURE_LINKS,rules/00gjdgxs0mrpx7o,JK 08-02-23 @ 14:41 GWS.DRIVEDOCS.4.1v0.1,Agencies SHOULD disable Drive SDK access to restrict information sharing and prevent data leakage.,Admin Log Event,Change Drive Setting,ENABLE_DRIVE_APPS,true,rules/00gjdgxs1mm4n4i,JK 08-02-23 @ 14:49 GWS.DRIVEDOCS.5.1v0.1,Agencies SHALL disable Add-Ons with the exception of those that are approved within the organization.,Admin Log Event,Change Drive Setting,ENABLE_DOCS_ADD_ONS,false,rules/00gjdgxs4d794jn,JK 08-02-23 @ 15:14 
diff --git a/rego/Drive.rego b/rego/Drive.rego index b857667f..2ece7df3 100644 --- a/rego/Drive.rego +++ b/rego/Drive.rego @@ -342,7 +342,7 @@ if { #-- NonCompliantOUs2_1 contains OU if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation CanCreateSharedDrives", OU) + Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false @@ -359,7 +359,7 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation CanCreateSharedDrives", utils.TopLevelOU) + Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU) count(Events) == 0 } @@ -372,7 +372,7 @@ tests contains { "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation CanCreateSharedDrives", utils.TopLevelOU) + Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU) count(Events) > 0 Status := count(NonCompliantOUs2_1) == 0 } @@ -383,7 +383,7 @@ if { #-- NonCompliantOUs2_2 contains OU if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", OU) + Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false @@ -400,7 +400,8 @@ tests contains { } if { DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU) + SettingName := "Shared Drive Creation new_team_drive_restricts_cross_domain_access" + Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) count(Events) == 0 } 
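Review bot: The `SettingName` local introduced in this hunk (and in @@ -413 for the second 2.2 rule) is applied only to the 2.2 rules, while the sibling 2.1 rules in @@ -359 and @@ -372 keep the literal inline and @@ -484 removes the same local from 2.4, so after this commit the file carries both styles for identical code. Since each policy repeats its setting string in three places (the `NonCompliantOUs2_N` rule and both `tests` rules), a single slip on one copy would silently split the drift check from the report, which is exactly the kind of mismatch this renumbering makes likely. Either apply the local consistently in all three rules of every policy or declare one package-level value per setting, e.g. `SettingName2_2 := "Shared Drive Creation new_team_drive_restricts_cross_domain_access"`, and reference it from all three rules.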
@@ -413,7 +414,8 @@ tests contains { "NoSuchEvent": false } if { - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU) + SettingName := "Shared Drive Creation new_team_drive_restricts_cross_domain_access" + Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) count(Events) > 0 Status := count(NonCompliantOUs2_2) == 0 } @@ -424,7 +426,7 @@ if { #-- NonCompliantOUs2_3 contains OU if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", OU) + Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) contains("true", LastEvent.NewValue) == false @@ -433,7 +435,7 @@ NonCompliantOUs2_3 contains OU if { tests contains { "PolicyId": "GWS.DRIVEDOCS.2.3v0.1", - "Criticality": "Should", + "Criticality": "Shall", "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), "ActualValue": "No relevant event for the top-level OU in the current logs", "RequirementMet": DefaultSafe, 
@@ -441,21 +443,21 @@ tests contains { } if { DefaultSafe := false - SettingName := "Shared Drive Creation new_team_drive_restricts_cross_domain_access" + SettingName := "Shared Drive Creation new_team_drive_restricts_direct_access" Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) count(Events) == 0 } tests contains { "PolicyId": "GWS.DRIVEDOCS.2.3v0.1", - "Criticality": "Should", + "Criticality": "Shall", "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_3), "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_3}, "RequirementMet": Status, "NoSuchEvent": false } if { - SettingName := "Shared Drive Creation new_team_drive_restricts_cross_domain_access" + SettingName := "Shared Drive Creation new_team_drive_restricts_direct_access" Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) count(Events) > 0 Status := count(NonCompliantOUs2_3) == 0 @@ -467,10 +469,10 @@ if { #-- NonCompliantOUs2_4 contains OU if { some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", OU) + Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", OU) count(Events) > 0 LastEvent := utils.GetLastEvent(Events) - contains("true", LastEvent.NewValue) == false + contains("false", LastEvent.NewValue) == false LastEvent.NewValue != "DELETE_APPLICATION_SETTING" } @@ -484,8 +486,7 @@ tests contains { } if { DefaultSafe := false - SettingName := "Shared Drive Creation new_team_drive_restricts_direct_access" - Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) + Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) count(Events) == 0 } 
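Review bot: The polarity of the new check in `NonCompliantOUs2_4` does not match the drift-rule CSV changed in this same commit: the rule lists an OU as non-compliant when `LastEvent.NewValue` is not `false` (`contains("false", LastEvent.NewValue) == false`), whereas the CSV row for `Shared Drive Creation new_team_drive_restricts_download` gives `true` as the expected value. One of the two is inverted; if `true` is the value the admin log emits when downloads are restricted, this rule would flag the restricted state and pass the permissive one, so please confirm the logged value before merging. Independently, `contains` takes the haystack first, so this line also accepts the empty string or any substring of `false` as compliant; once the polarity is settled a direct comparison such as `LastEvent.NewValue != "true"` (or `!= "false"`) is more precise. The same haystack/needle order is on the unchanged `contains("true", …)` lines of `NonCompliantOUs2_1`, `2_2` and `2_3`.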
@@ -497,52 +498,10 @@ tests contains { "RequirementMet": Status, "NoSuchEvent": false } -if { - SettingName := "Shared Drive Creation new_team_drive_restricts_direct_access" - Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU) - count(Events) > 0 - Status := count(NonCompliantOUs2_4) == 0 -} -#-- - -# -# Baseline GWS.DRIVEDOCS.2.5v0.1 -#-- -NonCompliantOUs2_5 contains OU if { - some OU in utils.OUsWithEvents - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", OU) - count(Events) > 0 - LastEvent := utils.GetLastEvent(Events) - contains("false", LastEvent.NewValue) == false - LastEvent.NewValue != "DELETE_APPLICATION_SETTING" -} - -tests contains { - "PolicyId": "GWS.DRIVEDOCS.2.5v0.1", - "Criticality": "Shall", - "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), - "ActualValue": "No relevant event for the top-level OU in the current logs", - "RequirementMet": DefaultSafe, - "NoSuchEvent": true -} -if { - DefaultSafe := false - Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) - count(Events) == 0 -} - -tests contains { - "PolicyId": "GWS.DRIVEDOCS.2.5v0.1", - "Criticality": "Shall", - "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_5), - "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_5}, - "RequirementMet": Status, - "NoSuchEvent": false -} if { Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU) count(Events) > 0 - Status := count(NonCompliantOUs2_5) == 0 + Status := count(NonCompliantOUs2_4) == 0 } #--