
Removing Common Controls 15.3 (#626)
* Remove Common Controls 15.3

* Update rego code to remove commoncontrols.15.3

---------

Co-authored-by: Alden Hilton <[email protected]>
mdueltgen and adhilto authored Mar 5, 2025
1 parent fc509c2 commit 44f1d52
Showing 4 changed files with 1 addition and 282 deletions.
Expand Up @@ -39,7 +39,6 @@ GWS.COMMONCONTROLS.13.1v0.4,"Required system-defined alerting rules, as listed i
GWS.COMMONCONTROLS.14.1v0.4,The following critical logs SHALL be sent at a minimum.,Admin Log Event,Change Application Setting,"Data Sharing Settings between GCP and Google Workspace ""Sharing Options""",ENABLED,rules/00gjdgxs0yu1jgq,JK 09-19-23 @ 06:40
GWS.COMMONCONTROLS.15.1v0.4,The data storage region SHALL be set to be the United States for all users in the agency's GWS environment.,Admin Log Event,Change Application Setting,Location Policy,US,rules/00gjdgxs2k8ieyq,JK 12-05-23 @ 15:57
GWS.COMMONCONTROLS.15.2v0.4,Data SHALL be processed in the region selected for data at rest.,Admin Log Event,Create Application Setting,DataProcessingRequirementsProto limit_to_storage_location,true,N/A,MD 09-20-24 @ 15:57
GWS.COMMONCONTROLS.15.3v0.4,The supplemental data storage region SHALL NOT be set to 'Russian Federation'.,Admin Log Event,Change Data Localization for Russia,N/A,false,rules/00gjdgxs3rufh17,Not Tested
GWS.COMMONCONTROLS.16.1v0.4,Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone.,Admin Log Event,Toggle Service Enabled,DISABLE_UNLISTED_SERVICES, true, N/A, MD 09-12-2024 @ 11:12
GWS.COMMONCONTROLS.16.2v0.4,Early Access Apps Service Status SHOULD be set to OFF for everyone., Admin Log Event,Toggle Service Enabled,Early Access Apps, false, N/A, MD 09-12-2024 @ 11:16
GWS.COMMONCONTROLS.17.1v0.4,Require multi party approval for sensitive admin actions SHALL be enabled., Admin Log Event, Change Application Setting, Multi Party Approval (MPA) Control Multi Party Approval Control, enabled, N/A, MD 09-12-2024 @ 11:20
Expand Up @@ -332,215 +332,4 @@ test_DataProcessing_OUs_Groups_Incorrect_V3 if {
"</ul>"
])
}
#--


#
# GWS.COMMONCONTROLS.15.3
#--
test_Logs_Correct_V1 if {
# Test 1 event
PolicyId := CommonControlsId15_3
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
"parameters": [
{"name": "NEW_VALUE", "value": "false"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Logs_Correct_V2 if {
# Test multiple events
PolicyId := CommonControlsId15_3
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
"parameters": [
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2023-12-20T00:02:28.672Z"},
"events": [{
"name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
"parameters": [
{"name": "NEW_VALUE", "value": "false"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
}

test_Logs_Incorrect_V1 if {
# Test 1 event
PolicyId := CommonControlsId15_3
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
"parameters": [
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Supplemental data storage is set to Russian Federation</li>",
"</ul>"
])
}

test_Logs_Incorrect_V2 if {
# Test multiple events
PolicyId := CommonControlsId15_3
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
"parameters": [
{"name": "NEW_VALUE", "value": "false"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2023-12-20T00:02:28.672Z"},
"events": [{
"name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
"parameters": [
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Top-Level OU: Supplemental data storage is set to Russian Federation</li>",
"</ul>"
])
}

test_Logs_Incorrect_V3 if {
# Test no relevent events
PolicyId := CommonControlsId15_3
Output := tests with input as {
"commoncontrols_logs": {"items": [

]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
RuleOutput[0].RequirementMet
RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"No relevant event in the current logs for the top-level OU, ",
"Test Top-Level OU. While we are unable ",
"to determine the state from the logs, the default setting ",
"is compliant; manual check recommended."
])
}

test_Logs_Incorrect_V4 if {
# Test multiple ous
PolicyId := CommonControlsId15_3
Output := tests with input as {
"commoncontrols_logs": {"items": [
{
"id": {"time": "2022-12-20T00:02:28.672Z"},
"events": [{
"name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
"parameters": [
{"name": "NEW_VALUE", "value": "false"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
},
{
"id": {"time": "2023-12-20T00:02:28.672Z"},
"events": [{
"name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
"parameters": [
{"name": "NEW_VALUE", "value": "true"},
{"name": "ORG_UNIT_NAME", "value": "Test Second OU"},
]
}]
}
]},
"tenant_info": {
"topLevelOU": "Test Top-Level OU"
}
}

RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", [
"The following OUs are non-compliant:<ul>",
"<li>Test Second OU: Supplemental data storage is set to Russian Federation</li>",
"</ul>"
])
}
#--
#--
17 changes: 0 additions & 17 deletions scubagoggles/baselines/commoncontrols.md
Expand Up @@ -1147,15 +1147,6 @@ Data SHALL be processed in the region selected for data at rest.
- [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/)
- [T1567:002: Exfiltration Over Web Service: Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/)

#### GWS.COMMONCONTROLS.15.3v0.4
The supplemental data storage region SHALL NOT be set to 'Russian Federation'.

- _Rationale:_ This policy is aligned with the concept of sovereignty, taking into account geopolitical and USG national security concerns. Keeping data out of Russia helps prevent official data from being subject to Russian law.
- _Last modified:_ November 30, 2023

- MITRE ATT&CK TTP Mapping
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)

### Resources
- [GWS Admin Help \| Data regions: Choose a geographic location for your data](https://support.google.com/a/answer/7630496)
- [GWS Admin Help \| What data is covered by a data region policy?](https://support.google.com/a/answer/9223653)
Expand Down Expand Up @@ -1183,14 +1174,6 @@ To configure Data Regions per the policy:
5. Select the radio button option: "**Process data in the region selected for data at rest**".
6. Click **Save**.

#### GWS.COMMONCONTROLS.15.3v0.4 Instructions
To configure Supplemental Data Storage per the policy:
1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator.
2. Navigate to **Account** -> **Account settings**.
3. Click the **Supplemental Data Storage** card.
4. Ensure the checkbox for "**Russian Federation**" is unchecked.
6. Click **Save**.


## 16. Additional Google Services

52 changes: 0 additions & 52 deletions scubagoggles/rego/Commoncontrols.rego
Expand Up @@ -1441,58 +1441,6 @@ if {
}
#--

#
# Baseline GWS.COMMONCONTROLS.15.3
#--

CommonControlsId15_3 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.15.3")

# NOTE: This setting cannot be controlled at the group level

NonCompliantOUs15_3 contains {
"Name": OU,
"Value": "Supplemental data storage is set to Russian Federation"
}
if {
some OU in utils.OUsWithEvents
Events := utils.FilterEventsOU(LogEvents, "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", OU)
# Ignore OUs without any events. We're already asserting that the
# top-level OU has at least one event; for all other OUs we assume
# they inherit from a parent OU if they have no events.
count(Events) > 0
LastEvent := utils.GetLastEvent(Events)
LastEvent.NewValue == "true"
}

tests contains {
"PolicyId": CommonControlsId15_3,
"Criticality": "Shall",
"ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
"ActualValue": "No relevant event for the top-level OU in the current logs",
"RequirementMet": DefaultSafe,
"NoSuchEvent": true
}
if {
DefaultSafe := true
Events := utils.FilterEventsOU(LogEvents, "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", utils.TopLevelOU)
count(Events) == 0
}

tests contains {
"PolicyId": CommonControlsId15_3,
"Criticality": "Shall",
"ReportDetails": utils.ReportDetails(NonCompliantOUs15_3, []),
"ActualValue": {"NonCompliantOUs": NonCompliantOUs15_3},
"RequirementMet": Status,
"NoSuchEvent": false
}
if {
Events := utils.FilterEventsOU(LogEvents, "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", utils.TopLevelOU)
count(Events) > 0
Status := count(NonCompliantOUs15_3) == 0
}
#--

#
# Baseline GWS.COMMONCONTROLS.16.1
#--
