From 44f1d5281fcb66d44fed5d9efa7db157984a9816 Mon Sep 17 00:00:00 2001
From: "Max Dueltgen (MITRE)" <148897369+mdueltgen@users.noreply.github.com>
Date: Tue, 4 Mar 2025 21:33:24 -0500
Subject: [PATCH] Removing Common Controls 15.3 (#626)
* removing cc 15.3
* Update rego code to remove commoncontrols.15.3
---------
Co-authored-by: Alden Hilton
---
 ...Rules - Common Controls as of 11-14-23.csv | 1 -
 .../commoncontrols/commoncontrols15_test.rego | 213 +-----------------
 scubagoggles/baselines/commoncontrols.md | 17 --
 scubagoggles/rego/Commoncontrols.rego | 52 -----
 4 files changed, 1 insertion(+), 282 deletions(-)
diff --git a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv
index 2ca240a9..c1c094bc 100644
--- a/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv
+++ b/drift-rules/GWS Drift Monitoring Rules - Common Controls as of 11-14-23.csv
@@ -39,7 +39,6 @@ GWS.COMMONCONTROLS.13.1v0.4,"Required system-defined alerting rules, as listed i
 GWS.COMMONCONTROLS.14.1v0.4,The following critical logs SHALL be sent at a minimum.,Admin Log Event,Change Application Setting,"Data Sharing Settings between GCP and Google Workspace ""Sharing Options""",ENABLED,rules/00gjdgxs0yu1jgq,JK 09-19-23 @ 06:40
 GWS.COMMONCONTROLS.15.1v0.4,The data storage region SHALL be set to be the United States for all users in the agency's GWS environment.,Admin Log Event,Change Application Setting,Location Policy,US,rules/00gjdgxs2k8ieyq,JK 12-05-23 @ 15:57
 GWS.COMMONCONTROLS.15.2v0.4,Data SHALL be processed in the region selected for data at rest.,Admin Log Event,Create Application Setting,DataProcessingRequirementsProto limit_to_storage_location,true,N/A,MD 09-20-24 @ 15:57
-GWS.COMMONCONTROLS.15.3v0.4,The supplemental data storage region SHALL NOT be set to 'Russian Federation'.,Admin Log Event,Change Data Localization for Russia,N/A,false,rules/00gjdgxs3rufh17,Not Tested
 GWS.COMMONCONTROLS.16.1v0.4,Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone.,Admin Log Event,Toggle Service Enabled,DISABLE_UNLISTED_SERVICES, true, N/A, MD 09-12-2024 @ 11:12
 GWS.COMMONCONTROLS.16.2v0.4,Early Access Apps Service Status SHOULD be set to OFF for everyone., Admin Log Event,Toggle Service Enabled,Early Access Apps, false, N/A, MD 09-12-2024 @ 11:16
 GWS.COMMONCONTROLS.17.1v0.4,Require multi party approval for sensitive admin actions SHALL be enabled., Admin Log Event, Change Application Setting, Multi Party Approval (MPA) Control Multi Party Approval Control, enabled, N/A, MD 09-12-2024 @ 11:20
diff --git a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols15_test.rego b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols15_test.rego
index 1702cf41..26355fb7 100644
--- a/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols15_test.rego
+++ b/scubagoggles/Testing/RegoTests/commoncontrols/commoncontrols15_test.rego 
@@ -332,215 +332,4 @@ test_DataProcessing_OUs_Groups_Incorrect_V3 if {
 ""
 ])
 }
-#--
-
-
-#
-# GWS.COMMONCONTROLS.15.3
-#--
-test_Logs_Correct_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId15_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_Logs_Correct_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId15_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2023-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
-}
-
-test_Logs_Incorrect_V1 if {
- # Test 1 event
- PolicyId := CommonControlsId15_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:"
- ])
-}
-
-test_Logs_Incorrect_V2 if {
- # Test multiple events
- PolicyId := CommonControlsId15_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2023-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:"
- ])
-}
-
-test_Logs_Incorrect_V3 if {
- # Test no relevent events
- PolicyId := CommonControlsId15_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
-
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "No relevant event in the current logs for the top-level OU, ",
- "Test Top-Level OU. While we are unable ",
- "to determine the state from the logs, the default setting ",
- "is compliant; manual check recommended."
- ])
-}
-
-test_Logs_Incorrect_V4 if {
- # Test multiple ous
- PolicyId := CommonControlsId15_3
- Output := tests with input as {
- "commoncontrols_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
- "parameters": [
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- },
- {
- "id": {"time": "2023-12-20T00:02:28.672Z"},
- "events": [{
- "name": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA",
- "parameters": [
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Second OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": "Test Top-Level OU"
- }
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == concat("", [
- "The following OUs are non-compliant:"
- ])
-}
-#--
+#--
\ No newline at end of file
diff --git a/scubagoggles/baselines/commoncontrols.md b/scubagoggles/baselines/commoncontrols.md
index 661f0d4e..1c50ba3a 100644
--- a/scubagoggles/baselines/commoncontrols.md
+++ b/scubagoggles/baselines/commoncontrols.md
@@ -1147,15 +1147,6 @@ Data SHALL be processed in the region selected for data at rest. - [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/) - [T1567:002: Exfiltration Over Web Service: Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/) -#### GWS.COMMONCONTROLS.15.3v0.4 -The supplemental data storage region SHALL NOT be set to 'Russian Federation'. - -- _Rationale:_ This policy is aligned with the concept of sovereignty, taking into account geopolitical and USG national security concerns. Keeping data out of Russia helps prevent official data from being subject to Russian law. -- _Last modified:_ November 30, 2023 - -- MITRE ATT&CK TTP Mapping - - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/) - ### Resources - [GWS Admin Help \| Data regions: Choose a geographic location for your data](https://support.google.com/a/answer/7630496) - [GWS Admin Help \| What data is covered by a data region policy?](https://support.google.com/a/answer/9223653) @@ -1183,14 +1174,6 @@ To configure Data Regions per the policy: 5. Select the radio button option: "**Process data in the region selected for data at rest**". 6. Click **Save**. -#### GWS.COMMONCONTROLS.15.3v0.4 Instructions -To configure Supplemental Data Storage per the policy: -1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator. -2. Navigate to **Account** -> **Account settings**. -3. Click the **Supplemental Data Storage** card. -4. Ensure the checkbox for "**Russian Federation**" is unchecked. -6. Click **Save**. - ## 16. Additional Google Services diff --git a/scubagoggles/rego/Commoncontrols.rego b/scubagoggles/rego/Commoncontrols.rego index 95b3f285..57d7630a 100644 --- a/scubagoggles/rego/Commoncontrols.rego +++ b/scubagoggles/rego/Commoncontrols.rego 
@@ -1441,58 +1441,6 @@ if {
 }
 #--
-#
-# Baseline GWS.COMMONCONTROLS.15.3
-#--
-
-CommonControlsId15_3 := utils.PolicyIdWithSuffix("GWS.COMMONCONTROLS.15.3")
-
-# NOTE: This setting cannot be controlled at the group level
-
-NonCompliantOUs15_3 contains {
- "Name": OU,
- "Value": "Supplemental data storage is set to Russian Federation"
-}
-if {
- some OU in utils.OUsWithEvents
- Events := utils.FilterEventsOU(LogEvents, "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", OU)
- # Ignore OUs without any events. We're already asserting that the
- # top-level OU has at least one event; for all other OUs we assume
- # they inherit from a parent OU if they have no events.
- count(Events) > 0
- LastEvent := utils.GetLastEvent(Events)
- LastEvent.NewValue == "true"
-}
-
-tests contains {
- "PolicyId": CommonControlsId15_3,
- "Criticality": "Shall",
- "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU),
- "ActualValue": "No relevant event for the top-level OU in the current logs",
- "RequirementMet": DefaultSafe,
- "NoSuchEvent": true
-}
-if {
- DefaultSafe := true
- Events := utils.FilterEventsOU(LogEvents, "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", utils.TopLevelOU)
- count(Events) == 0
-}
-
-tests contains {
- "PolicyId": CommonControlsId15_3,
- "Criticality": "Shall",
- "ReportDetails": utils.ReportDetails(NonCompliantOUs15_3, []),
- "ActualValue": {"NonCompliantOUs": NonCompliantOUs15_3},
- "RequirementMet": Status,
- "NoSuchEvent": false
-}
-if {
- Events := utils.FilterEventsOU(LogEvents, "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", utils.TopLevelOU)
- count(Events) > 0
- Status := count(NonCompliantOUs15_3) == 0
-}
-#--
-
 #
 # Baseline GWS.COMMONCONTROLS.16.1
 #--