From 6d9d43c4432df713fe4a77a0c48eba70e55f1937 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 21 Jun 2024 11:22:14 -0400 Subject: [PATCH 01/14] Added Policy Group 19 --- ...able Secure Configuration Baseline v0.2.md | 65 +++++++++++++++++++ .../GWS Drift Monitoring Rules - Gmail.csv | 3 + 2 files changed, 68 insertions(+) diff --git a/baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md index c720f243..77de6e5d 100644 --- a/baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md @@ -28,6 +28,7 @@ This baseline is based on Google documentation available at the [Gmail Google Wo - [Security Sandbox](#16-security-sandbox) - [Comprehensive Mail Storage](#17-comprehensive-mail-storage) - [Content Compliance Filtering](#18-content-compliance-filtering) +- [Spam Filtering](#19-spam-filtering) Within Google Workspace, settings can be assigned to users through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes. 
@@ -1152,3 +1153,67 @@ To configure the settings for Objectionable content: #### GWS.GMAIL.18.3v0.2 Instructions 1. There is no implementation steps for this policy. + + +## 19. Spam Filtering + +This section covers the settings relating to bypassing spam filters. + +### Policies + +#### GWS.GMAIL.19.1v0.1 +Domains SHALL NOT be added to lists that bypass spam filters. + +- _Rationale:_ Allowing an entire domain to bypass the spam filters allows for the potential for a spoofed email within the domain to bypass the filter. Only allowing specific users to bypass helps mitigate the risk. +- _Last modified:_ April 10, 2024 +- _Note:_ Allowed senders MAY be added. + +- MITRE ATT&CK TTP Mapping + - { Needs TTP Mappings } + +#### GWS.GMAIL.19.2v0.1 +Domains SHALL NOT be added to lists that bypass spam filters and hide warnings. + +- _Rationale:_ Allowing an entire domain to bypass the spam filters and hide warnings allows for the potential for a spoofed email within the domain to bypass the filter and prevents the user from knowing. Not adding domains and users helps mitigate the risk. +- _Last modified:_ April 10, 2024 + +- MITRE ATT&CK TTP Mapping + - { Needs TTP Mappings } + +#### GWS.GMAIL.19.3v0.1 +Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled. + +- _Rationale:_ Bypassing spam filters and hiding warning for all messages from internal and external senders creates a security risk because of the potential for a malicious message being able to bypass filters. Disabling this feature mitigates the risk. 
+- _Last modified:_ April 10, 2024 + +- MITRE ATT&CK TTP Mapping + - { Needs TTP Mappings } + +### Resources + +- [How to bypass the spam filter for incoming emails using the spam settings ](https://knowledge.workspace.google.com/kb/how-to-bypass-the-spam-filter-for-incoming-emails-using-the-spam-settings-000006661) + +### Prerequisites + +- N/A + +### Implementation + +To configure the settings for spam filtering: + +#### Policy Group 19 Common Instructions +1. Sign in to the [Google Admin Console](https://admin.google.com). +2. Select **Apps -\> Google Workspace -\> Gmail**. +3. Select **Spam, Phishing, and Malware**. + +#### GWS.GMAIL.19.1v0.1 Instructions +1. Un-select **Bypass spam filters for messages from senders or domains in selected lists.** +2. Select **Save**. + +#### GWS.GMAIL.19.2v0.1 Instructions +1. Un-select **Bypass spam filters and hide warnings for messages from senders or domains in selected lists.** +2. Select **Save**. + +#### GWS.GMAIL.19.3v0.1 Instructions +1. Un-select **Bypass spam filters and hide warnings for all messages from internal and external senders** +2. Select **Save**. diff --git a/drift-rules/GWS Drift Monitoring Rules - Gmail.csv b/drift-rules/GWS Drift Monitoring Rules - Gmail.csv index fb9391a2..48fad473 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Gmail.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Gmail.csv 
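Review bot: the new policy IDs GWS.GMAIL.19.1v0.1 through 19.3v0.1 carry a v0.1 suffix while every other policy in this v0.2 baseline (see GWS.GMAIL.18.3v0.2 in the hunk context) is v0.2; renumber them before merge. The 19.2 rationale says "Not adding domains and users helps mitigate the risk", which contradicts the 19.1 note "Allowed senders MAY be added"; state plainly whether individual senders are permitted on the hide-warnings list or only on the plain bypass list. Also fix "hiding warning" to "hiding warnings" in the 19.3 rationale, add the missing period after the 19.3 instruction "Un-select **Bypass spam filters and hide warnings for all messages from internal and external senders**", and resolve the three "{ Needs TTP Mappings }" placeholders rather than shipping them in a baseline.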
@@ -50,3 +50,6 @@ GWS.GMAIL.17.1v0.2,Comprehensive mail storage SHOULD be enabled to ensure inform GWS.GMAIL.18.1v0.2,Content filtering SHOULD be enabled within Gmail messages.,N/A,N/A,N/A,N/A,N/A,Not Alertable GWS.GMAIL.18.2v0.2,Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable GWS.GMAIL.18.3v0.2,"Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable +GWS.GMAIL.19.1v0.1,"Domains SHALL NOT be added to lists that bypass spam filters.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 +GWS.GMAIL.19.2v0.1,"Domains SHALL NOT be added to lists that bypass spam filters and hide warnings.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 +GWS.GMAIL.19.3v0.1,"Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 From 9362ad1b89ab905e7ef4f8958f0aedf2fdc94a14 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 21 Jun 2024 11:49:21 -0400 Subject: [PATCH 02/14] Added Class Creation Policy --- ...able Secure Configuration Baseline v0.2.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md index 8f480eb4..212b0e45 100644 --- a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md 
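Review bot: all three new rows point at the same alert rule, rules/00gjdgxs12jr6zt, and give SPAM_CONTROL with an expected value of N/A, so an alert fired by this rule cannot say which of 19.1, 19.2 or 19.3 drifted; if one Admin-log rule genuinely fires on any spam-control change, note that in the row, otherwise split the rules per policy and record the expected value the way the Classroom rows in this series do. The JGK 04-11-24 stamp also predates this commit by two months, so the rows look copied from an older draft rather than created for this change.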
+++ b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md @@ -181,3 +181,37 @@ To configure the settings for Student Unenrollment: 3. Select **Student unenrollment**. 4. Select **Teachers Only**. 5. Select **Save**. + +## 5. Teacher Permissions + +This section covers policies related to unenrolling a student from a class. + +### Policy + +#### GWS.CLASSROOM.5.1v0.2 +Who can create classes SHALL be set to Verified teachers only. + +- _Rationale:_ Allowing pending teachers to create classes allows for potential unauthorized data creation which creates a security risk. By allowing only verified teachers to create classes mitigates the risk. +- _Last modified:_ June 21, 2024 + +- MITRE ATT&CK TTP Mapping + - Pending + +### Resources + +- [Verify teachers and set permissions](https://support.google.com/edu/classroom/answer/6071551?hl=en) + +### Prerequisites + +- None + +### Implementation +To configure the settings for Student Unenrollment: + +#### GWS.CLASSROOM.4.1v0.2 Instructions +1. Sign in to the [Google Admin Console](https://admin.google.com). +2. Select **Apps** -\> **Additional Google Service** -\> **Classroom**. +3. Select **General Settings**. +4. Select **Teacher permissions**. +5. Select **Verified teachers only** for **Who can create classes?** +5. Select **Save**. From 63596c00c95f9fce93d4ffdadab2ef762570ea92 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 21 Jun 2024 11:49:42 -0400 Subject: [PATCH 03/14] Added Class Creation Policy --- ...oom Minimum Viable Secure Configuration Baseline v0.2.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md index 212b0e45..8d244b2a 100644 --- a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md 
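Review bot: several copy-paste leftovers from section 4 in this hunk: the new "## 5. Teacher Permissions" section says it "covers policies related to unenrolling a student from a class", the Implementation lead-in reads "To configure the settings for Student Unenrollment:", and the instructions heading is "GWS.CLASSROOM.4.1v0.2 Instructions" under a 5.1 policy. The numbered list also has two items numbered 5 ("Select **Verified teachers only** ..." and "Select **Save**."); renumber the last one to 6. In the rationale, "By allowing only verified teachers to create classes mitigates the risk" has no subject; "Allowing only verified teachers to create classes mitigates the risk" reads correctly.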
+++ b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md @@ -175,16 +175,16 @@ Only teachers SHALL be allowed to unenroll students from classes. ### Implementation To configure the settings for Student Unenrollment: -#### GWS.CLASSROOM.4.1v0.2 Instructions +#### GWS.CLASSROOM.5.1v0.2 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Additional Google Service** -\> **Classroom**. 3. Select **Student unenrollment**. 4. Select **Teachers Only**. 5. Select **Save**. -## 5. Teacher Permissions +## 5. Class Creation -This section covers policies related to unenrolling a student from a class. +This section covers who has the ability to create classes. ### Policy From a511811efe0e3b3cd9ba8184f823a87b868bf76a Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Fri, 21 Jun 2024 11:59:45 -0400 Subject: [PATCH 04/14] Added drift rules --- drift-rules/GWS Drift Monitoring Rules - Classroom.csv | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drift-rules/GWS Drift Monitoring Rules - Classroom.csv b/drift-rules/GWS Drift Monitoring Rules - Classroom.csv index 1d0c7a4b..92f70fe1 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Classroom.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Classroom.csv 
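Review bot: the heading rename landed on the wrong section: the hunk changes the "GWS.CLASSROOM.4.1v0.2 Instructions" heading that sits under Student Unenrollment (context line "3. Select **Student unenrollment**.") to 5.1, while the duplicate 4.1 heading under the new Class Creation implementation is untouched. Revert that first change and apply it to the section 5 heading instead; the "## 5. Class Creation" title and the new description are correct. The commit message "Added Class Creation Policy" also repeats patch 02's and does not describe this fixup.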
@@ -3,4 +3,5 @@ GWS.CLASSROOM.1.1v0.2,Who can join classes in your domain SHALL be set to Users GWS.CLASSROOM.1.2v0.2,Which classes can users in your domain join SHALL be set to Classes in your domain only,Admin Log Events,Change Application Setting,ClassMembershipSettingProto which_classes_can_users_join,1,rules/00gjdgxs0hj2dit,JK 10-20-23 @ 13:23 GWS.CLASSROOM.2.1v0.2,Classroom API SHALL be disabled for users,Admin Log Events,Change Application Setting,ApiDataAccessSettingProto api_access_enabled,false,rules/00gjdgxs3aafl8p,JK 10-20-23 @ 13:31 GWS.CLASSROOM.3.1v0.2,Roster import with Clever SHOULD be turned off,Admin Log Events,Change Application Setting,RosterImportSettingsProto sis_integrator,SIS_INTEGRATOR_NONE,rules/00gjdgxs25t0l8g,JK 10-20-23 @ 13:42 -GWS.CLASSROOM.4.1v0.2,Who can unenroll students from classes SHALL be set to Teachers Only,Admin Log Events,Change Application Setting,StudentUnenrollmentSettingsProto who_can_unenroll_students,ONLY_TEACHERS_CAN_UNENROLL_STUDENTS,rules/00gjdgxs44rgreu,JK 10-20-23 @ 13:50 \ No newline at end of file +GWS.CLASSROOM.4.1v0.2,Who can unenroll students from classes SHALL be set to Teachers Only,Admin Log Events,Change Application Setting,StudentUnenrollmentSettingsProto who_can_unenroll_students,ONLY_TEACHERS_CAN_UNENROLL_STUDENTS,rules/00gjdgxs44rgreu,JK 10-20-23 @ 13:50 +GWS.CLASSROOM.5.1v0.2,Who can create classes SHALL be set to Verified teachers only.,Admin Log Events,Change Application Setting,TeacherPermissionsSettingProto who_can_create_class,rules/00gjdgxs4cfwumr,JK 06-21-24 @ 11:58 \ No newline at end of file From 488071c35d2eed2b6e50008cc9e86582a1262d87 Mon Sep 17 00:00:00 2001 
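Review bot: the new GWS.CLASSROOM.5.1v0.2 row has one field fewer than the rows above it: between the setting name "TeacherPermissionsSettingProto who_can_create_class" and "rules/00gjdgxs4cfwumr" the expected-value column is empty (compare ONLY_TEACHERS_CAN_UNENROLL_STUDENTS on the 4.1 row). The rego rule added later in this series treats NEW_VALUE "3" as compliant, so that is the value to record here; a drift rule without an expected value cannot tell a compliant change from a non-compliant one. Restoring the trailing newline would also stop the "No newline at end of file" churn on every edit to this file.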
From: jkaufman-mitre <135844572+jkaufman-mitre@users.noreply.github.com> Date: Fri, 21 Jun 2024 15:44:48 -0400 Subject: [PATCH 05/14] Apply suggestions from code review Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> --- ...m Minimum Viable Secure Configuration Baseline v0.2.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md index 8d244b2a..7c1635d8 100644 --- a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md @@ -175,7 +175,7 @@ Only teachers SHALL be allowed to unenroll students from classes. ### Implementation To configure the settings for Student Unenrollment: -#### GWS.CLASSROOM.5.1v0.2 Instructions +#### GWS.CLASSROOM.4.1v0.2 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Additional Google Service** -\> **Classroom**. 3. Select **Student unenrollment**. 
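Review bot: restoring the 4.1 heading under Student Unenrollment is correct, but it leaves the section 5 implementation still headed "GWS.CLASSROOM.4.1v0.2 Instructions" (introduced in patch 02); rename that one to 5.1 in the same commit so the file never sits in a state with two 4.1 instruction headings.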
@@ -184,14 +184,14 @@ To configure the settings for Student Unenrollment: ## 5. Class Creation -This section covers who has the ability to create classes. +The first time users sign in to Classroom, they self-identify as either a student or teacher. Users who identify as teachers will be marked as a pending teacher until an administrator verifies them. Google Classroom allows administrators to restrict class creation to only verified teachers. ### Policy #### GWS.CLASSROOM.5.1v0.2 -Who can create classes SHALL be set to Verified teachers only. +Who can create classes SHALL be set to verified teachers only. -- _Rationale:_ Allowing pending teachers to create classes allows for potential unauthorized data creation which creates a security risk. By allowing only verified teachers to create classes mitigates the risk. +- _Rationale:_ Allowing pending teachers to create classes potentially allows students to impersonate teachers and exploit the trusted relationship between teacher and student, e.g., to phish sensitive information from the students. Restricting class creation to verified teachers reduces this risk. - _Last modified:_ June 21, 2024 - MITRE ATT&CK TTP Mapping From 853ea82dbe9b334cbebd3f9c95d30836aefd9b72 Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Fri, 21 Jun 2024 13:27:42 -0700 Subject: [PATCH 06/14] Revert gmail baseline --- ...able Secure Configuration Baseline v0.2.md | 65 ------------------- 1 file changed, 65 deletions(-) diff --git a/baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md index 77de6e5d..c720f243 100644 --- a/baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md 
@@ -28,7 +28,6 @@ This baseline is based on Google documentation available at the [Gmail Google Wo - [Security Sandbox](#16-security-sandbox) - [Comprehensive Mail Storage](#17-comprehensive-mail-storage) - [Content Compliance Filtering](#18-content-compliance-filtering) -- [Spam Filtering](#19-spam-filtering) Within Google Workspace, settings can be assigned to users through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes. 
@@ -1153,67 +1152,3 @@ To configure the settings for Objectionable content: #### GWS.GMAIL.18.3v0.2 Instructions 1. There is no implementation steps for this policy. - - -## 19. Spam Filtering - -This section covers the settings relating to bypassing spam filters. - -### Policies - -#### GWS.GMAIL.19.1v0.1 -Domains SHALL NOT be added to lists that bypass spam filters. - -- _Rationale:_ Allowing an entire domain to bypass the spam filters allows for the potential for a spoofed email within the domain to bypass the filter. Only allowing specific users to bypass helps mitigate the risk. -- _Last modified:_ April 10, 2024 -- _Note:_ Allowed senders MAY be added. - -- MITRE ATT&CK TTP Mapping - - { Needs TTP Mappings } - -#### GWS.GMAIL.19.2v0.1 -Domains SHALL NOT be added to lists that bypass spam filters and hide warnings. - -- _Rationale:_ Allowing an entire domain to bypass the spam filters and hide warnings allows for the potential for a spoofed email within the domain to bypass the filter and prevents the user from knowing. Not adding domains and users helps mitigate the risk. -- _Last modified:_ April 10, 2024 - -- MITRE ATT&CK TTP Mapping - - { Needs TTP Mappings } - -#### GWS.GMAIL.19.3v0.1 -Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled. - -- _Rationale:_ Bypassing spam filters and hiding warning for all messages from internal and external senders creates a security risk because of the potential for a malicious message being able to bypass filters. Disabling this feature mitigates the risk. 
-- _Last modified:_ April 10, 2024 - -- MITRE ATT&CK TTP Mapping - - { Needs TTP Mappings } - -### Resources - -- [How to bypass the spam filter for incoming emails using the spam settings ](https://knowledge.workspace.google.com/kb/how-to-bypass-the-spam-filter-for-incoming-emails-using-the-spam-settings-000006661) - -### Prerequisites - -- N/A - -### Implementation - -To configure the settings for spam filtering: - -#### Policy Group 19 Common Instructions -1. Sign in to the [Google Admin Console](https://admin.google.com). -2. Select **Apps -\> Google Workspace -\> Gmail**. -3. Select **Spam, Phishing, and Malware**. - -#### GWS.GMAIL.19.1v0.1 Instructions -1. Un-select **Bypass spam filters for messages from senders or domains in selected lists.** -2. Select **Save**. - -#### GWS.GMAIL.19.2v0.1 Instructions -1. Un-select **Bypass spam filters and hide warnings for messages from senders or domains in selected lists.** -2. Select **Save**. - -#### GWS.GMAIL.19.3v0.1 Instructions -1. Un-select **Bypass spam filters and hide warnings for all messages from internal and external senders** -2. Select **Save**. From 301b18bc6569022e6da8eff30c83dc4860b78c94 Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Fri, 21 Jun 2024 13:29:15 -0700 Subject: [PATCH 07/14] Reverse gmail drift rules --- drift-rules/GWS Drift Monitoring Rules - Gmail.csv | 3 --- 1 file changed, 3 deletions(-) diff --git a/drift-rules/GWS Drift Monitoring Rules - Gmail.csv b/drift-rules/GWS Drift Monitoring Rules - Gmail.csv index 48fad473..fb9391a2 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Gmail.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Gmail.csv 
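Review bot: this hunk and the TOC hunk before it undo patch 01 line for line, and patch 07 does the same for the Gmail drift rules; rebase the series to drop the add-and-revert pair rather than landing both, so the Gmail baseline history does not record a Policy Group 19 that was never intended for this PR. If the spam-filter policies are to land separately, the v0.1 ID suffix and the "{ Needs TTP Mappings }" placeholders flagged on patch 01 still need resolving there.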
@@ -50,6 +50,3 @@ GWS.GMAIL.17.1v0.2,Comprehensive mail storage SHOULD be enabled to ensure inform GWS.GMAIL.18.1v0.2,Content filtering SHOULD be enabled within Gmail messages.,N/A,N/A,N/A,N/A,N/A,Not Alertable GWS.GMAIL.18.2v0.2,Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable GWS.GMAIL.18.3v0.2,"Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable -GWS.GMAIL.19.1v0.1,"Domains SHALL NOT be added to lists that bypass spam filters.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 -GWS.GMAIL.19.2v0.1,"Domains SHALL NOT be added to lists that bypass spam filters and hide warnings.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 -GWS.GMAIL.19.3v0.1,"Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45 From 3cef6adbe889d9247af1e73ee76fdec7625c533f Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Mon, 24 Jun 2024 09:12:43 -0400 Subject: [PATCH 08/14] Fixed issue --- ...assroom Minimum Viable Secure Configuration Baseline v0.2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md index 7c1635d8..8f3616a8 100644 --- a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md 
@@ -208,7 +208,7 @@ Who can create classes SHALL be set to verified teachers only. ### Implementation To configure the settings for Student Unenrollment: -#### GWS.CLASSROOM.4.1v0.2 Instructions +#### GWS.CLASSROOM.5.1v0.2 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). 2. Select **Apps** -\> **Additional Google Service** -\> **Classroom**. 3. Select **General Settings**. From 9ec7b7dbbbb50f777bed915a0e3997042edee239 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Mon, 24 Jun 2024 09:13:14 -0400 Subject: [PATCH 09/14] Fixed Issues --- ...assroom Minimum Viable Secure Configuration Baseline v0.2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md index 8f3616a8..7fa0a52f 100644 --- a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md @@ -206,7 +206,7 @@ Who can create classes SHALL be set to verified teachers only. - None ### Implementation -To configure the settings for Student Unenrollment: +To configure the settings for Class Creation: #### GWS.CLASSROOM.5.1v0.2 Instructions 1. Sign in to the [Google Admin Console](https://admin.google.com). From f82d499ccb1238c535778aa76a44c959ff713c42 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Mon, 24 Jun 2024 09:14:21 -0400 Subject: [PATCH 10/14] Updated TOC --- ...lassroom Minimum Viable Secure Configuration Baseline v0.2.md | 1 + 1 file changed, 1 insertion(+) diff --git a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md index 7fa0a52f..ac6d498d 100644 --- a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md 
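Review bot: these two one-line fixups (4.1 to 5.1 in the instructions heading, "Student Unenrollment" to "Class Creation" in the Implementation lead-in) correct leftovers from patch 02 and should be squashed into it; the commit messages "Fixed issue" and "Fixed Issues" also do not say what was fixed.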
+++ b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md @@ -16,6 +16,7 @@ This baseline is based on Google documentation available at [Google Workspace Ad - [Classroom API](#2-classroom-api) - [Roster Import](#3-roster-import) - [Student Unenrollment](#4-student-unenrollment) +- [Class Creation](#5-class-creation) Settings can be assigned to certain users within Google Workspace through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes. From 46219c7279c296bcaf8e45128517dfe592e62707 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre <135844572+jkaufman-mitre@users.noreply.github.com> Date: Mon, 24 Jun 2024 11:34:50 -0400 Subject: [PATCH 11/14] Update baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> --- ...assroom Minimum Viable Secure Configuration Baseline v0.2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md index ac6d498d..7653e146 100644 --- a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md 
@@ -190,7 +190,7 @@ The first time users sign in to Classroom, they self-identify as either a studen ### Policy #### GWS.CLASSROOM.5.1v0.2 -Who can create classes SHALL be set to verified teachers only. +Class creation SHALL be restricted to verified teachers only. - _Rationale:_ Allowing pending teachers to create classes potentially allows students to impersonate teachers and exploit the trusted relationship between teacher and student, e.g., to phish sensitive information from the students. Restricting class creation to verified teachers reduces this risk. - _Last modified:_ June 21, 2024 From 69913e279f863def6186ca758d3f1856942dacbd Mon Sep 17 00:00:00 2001 From: Alden Hilton Date: Mon, 24 Jun 2024 14:04:33 -0700 Subject: [PATCH 12/14] Implemented 5.1 in rego --- .../RegoTests/classroom/classroom05_test.rego | 188 ++++++++++++++++++ rego/Classroom.rego | 64 ++++++ 2 files changed, 252 insertions(+) create mode 100644 Testing/RegoTests/classroom/classroom05_test.rego diff --git a/Testing/RegoTests/classroom/classroom05_test.rego b/Testing/RegoTests/classroom/classroom05_test.rego new file mode 100644 index 00000000..f2f2942b --- /dev/null +++ b/Testing/RegoTests/classroom/classroom05_test.rego 
@@ -0,0 +1,188 @@ +package classroom +import future.keywords + +# +# GWS.CLASSROOM.5.1v0.2 +#-- + +test_ClassroomCreation_Correct_V1 if { + # Test only teachers can unenroll students when there's only one event + PolicyId := "GWS.CLASSROOM.5.1v0.2" + Output := tests with input as { + "classroom_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name":"SETTING_NAME", + "value": "TeacherPermissionsSettingProto who_can_create_class"}, + {"name": "NEW_VALUE", "value": "3"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." +} + +test_ClassroomCreation_Correct_V2 if { + # Test when there's multiple events, with the chronological latest + # correct but not last in json list + PolicyId := "GWS.CLASSROOM.5.1v0.2" + Output := tests with input as { + "classroom_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name":"SETTING_NAME", + "value": "TeacherPermissionsSettingProto who_can_create_class"}, + {"name": "NEW_VALUE", "value": "3"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2021-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name":"SETTING_NAME", + "value": "TeacherPermissionsSettingProto who_can_create_class"}, + {"name": "NEW_VALUE", "value": "2"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + 
RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups." +} + +# No tests for multiple OUs, inheritance, groups, etc as this setting can't be controlled at the OU or group level + +test_ClassroomCreation_Incorrect_V1 if { + # Test when there's only one event and it's wrong + PolicyId := "GWS.CLASSROOM.5.1v0.2" + Output := tests with input as { + "classroom_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name":"SETTING_NAME", + "value": "TeacherPermissionsSettingProto who_can_create_class"}, + {"name": "NEW_VALUE", "value": "1"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following OUs are non-compliant:
  • Test Top-Level OU: ", + "Who can create classes is set to anyone in this domain
" + ]) +} + +test_ClassroomCreation_Incorrect_V2 if { + # Test when there's multiple events, with the chronological latest + # incorrect but not last in json list + PolicyId := "GWS.CLASSROOM.5.1v0.2" + Output := tests with input as { + "classroom_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name":"SETTING_NAME", + "value": "TeacherPermissionsSettingProto who_can_create_class"}, + {"name": "NEW_VALUE", "value": "2"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + }, + { + "id": {"time": "2021-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name":"SETTING_NAME", + "value": "TeacherPermissionsSettingProto who_can_create_class"}, + {"name": "NEW_VALUE", "value": "3"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + not RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "The following OUs are non-compliant:
  • Test Top-Level OU: ", + "Who can create classes is set to all pending and verified teachers
" + ]) +} + + +test_ClassroomCreation_Incorrect_V3 if { + # Test when there no applicable event + PolicyId := "GWS.CLASSROOM.5.1v0.2" + Output := tests with input as { + "classroom_logs": {"items": [ + { + "id": {"time": "2022-12-20T00:02:28.672Z"}, + "events": [{ + "parameters": [ + {"name":"SETTING_NAME", + "value": "something else"}, + {"name": "NEW_VALUE", "value": "false"}, + {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"}, + ] + }] + } + ]}, + "tenant_info": { + "topLevelOU": "Test Top-Level OU" + } + } + + RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId] + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + RuleOutput[0].NoSuchEvent + RuleOutput[0].ReportDetails == concat("", [ + "No relevant event in the current logs for the top-level OU, Test Top-Level OU. ", + "While we are unable to determine the state from the logs, the default setting ", + "is non-compliant; manual check recommended." + ]) +} diff --git a/rego/Classroom.rego b/rego/Classroom.rego index 2d1d1b4c..d31d4c43 100644 --- a/rego/Classroom.rego +++ b/rego/Classroom.rego 
@@ -311,3 +311,67 @@ if { Status := count(NonCompliantOUs4_1) == 0 } #-- + + +################### +# GWS.CLASSROOM.5 # +################### + +# +# Baseline GWS.CLASSROOM.5.1v0.2 +#-- +GetFriendlyValue5_1(Value) := "anyone in this domain" if { + Value == "1" +} else := "all pending and verified teachers" if { + Value == "2" +} else := Value + +NonCompliantOUs5_1 contains { + "Name": OU, + "Value": concat(" ", [ + "Who can create classes is set to", + GetFriendlyValue5_1(LastEvent.NewValue) + ]) +} if { + some OU in utils.OUsWithEvents + Events := utils.FilterEventsOU(LogEvents, "TeacherPermissionsSettingProto who_can_create_class", OU) + # Ignore OUs without any events. We're already asserting that the + # top-level OU has at least one event; for all other OUs we assume + # they inherit from a parent OU if they have no events. + count(Events) > 0 + LastEvent := utils.GetLastEvent(Events) + LastEvent.NewValue != "3" + LastEvent.NewValue != "DELETE_APPLICATION_SETTING" +} + +tests contains { + "PolicyId": "GWS.CLASSROOM.5.1v0.2", + "Criticality": "Shall", + "ReportDetails": utils.NoSuchEventDetails(DefaultSafe, utils.TopLevelOU), + "ActualValue": "No relevant event in the current logs", + "RequirementMet": DefaultSafe, + "NoSuchEvent": true +} +if { + DefaultSafe := false + SettingName := "TeacherPermissionsSettingProto who_can_create_class" + Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU) + count(Events) == 0 +} + +tests contains { + "PolicyId": "GWS.CLASSROOM.5.1v0.2", + "Criticality": "Shall", + "ReportDetails": utils.ReportDetails(NonCompliantOUs5_1, []), + "ActualValue": {"NonCompliantOUs": NonCompliantOUs5_1}, + "RequirementMet": Status, + "NoSuchEvent": false +} +if { + SettingName := "TeacherPermissionsSettingProto who_can_create_class" + Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU) + count(Events) > 0 + Status := count(NonCompliantOUs5_1) == 0 +} +#-- + 
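Review bot: the compliance check `LastEvent.NewValue != "3"` relies on an undocumented enum: GetFriendlyValue5_1 names "1" and "2" but nothing in the hunk says that "3" means "verified teachers only". Add that mapping (a third branch or a comment next to the check) so the value list is self-describing, especially since the drift-rule CSV row for 5.1 carries no expected value. Treating "DELETE_APPLICATION_SETTING" as compliant also conflicts with the NoSuchEvent branch, where `DefaultSafe := false` declares the default non-compliant: a delete event resets the setting to that same default, so it should be flagged, or a comment should explain why the two cases differ. Finally, the comment "for all other OUs we assume they inherit from a parent OU if they have no events" contradicts the test file's note that this setting cannot be controlled at OU level; if that is so, evaluate only utils.TopLevelOU and drop the `some OU in utils.OUsWithEvents` loop.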
From 734528017b3ad20609567797cca7db7645f6b9ff Mon Sep 17 00:00:00 2001 From: jkaufman-mitre <135844572+jkaufman-mitre@users.noreply.github.com> Date: Tue, 25 Jun 2024 07:28:51 -0400 Subject: [PATCH 13/14] Update drift-rules/GWS Drift Monitoring Rules - Classroom.csv Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> --- drift-rules/GWS Drift Monitoring Rules - Classroom.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drift-rules/GWS Drift Monitoring Rules - Classroom.csv b/drift-rules/GWS Drift Monitoring Rules - Classroom.csv index 92f70fe1..3dd9fd43 100644 --- a/drift-rules/GWS Drift Monitoring Rules - Classroom.csv +++ b/drift-rules/GWS Drift Monitoring Rules - Classroom.csv 
@@ -4,4 +4,4 @@ GWS.CLASSROOM.1.2v0.2,Which classes can users in your domain join SHALL be set t GWS.CLASSROOM.2.1v0.2,Classroom API SHALL be disabled for users,Admin Log Events,Change Application Setting,ApiDataAccessSettingProto api_access_enabled,false,rules/00gjdgxs3aafl8p,JK 10-20-23 @ 13:31 GWS.CLASSROOM.3.1v0.2,Roster import with Clever SHOULD be turned off,Admin Log Events,Change Application Setting,RosterImportSettingsProto sis_integrator,SIS_INTEGRATOR_NONE,rules/00gjdgxs25t0l8g,JK 10-20-23 @ 13:42 GWS.CLASSROOM.4.1v0.2,Who can unenroll students from classes SHALL be set to Teachers Only,Admin Log Events,Change Application Setting,StudentUnenrollmentSettingsProto who_can_unenroll_students,ONLY_TEACHERS_CAN_UNENROLL_STUDENTS,rules/00gjdgxs44rgreu,JK 10-20-23 @ 13:50 -GWS.CLASSROOM.5.1v0.2,Who can create classes SHALL be set to Verified teachers only.,Admin Log Events,Change Application Setting,TeacherPermissionsSettingProto who_can_create_class,rules/00gjdgxs4cfwumr,JK 06-21-24 @ 11:58 \ No newline at end of file +GWS.CLASSROOM.5.1v0.2,Class creation SHALL be restricted to verified teachers only.,Admin Log Events,Change Application Setting,TeacherPermissionsSettingProto who_can_create_class,rules/00gjdgxs4cfwumr,JK 06-21-24 @ 11:58 \ No newline at end of file From 9312fb8b14ab3e16123f38650d140bd1c47edcc4 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Tue, 2 Jul 2024 08:45:16 -0400 Subject: [PATCH 14/14] Added TTP Mappings --- ...om Minimum Viable Secure Configuration Baseline v0.2.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md index 7653e146..bdf757e3 100644 --- a/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md +++ b/baselines/Google Classroom Minimum Viable Secure Configuration Baseline v0.2.md 
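Review bot: while this row is being touched for the wording, fill in the expected-value field that is still missing between the setting name and rules/00gjdgxs4cfwumr (the rego rule treats NEW_VALUE "3" as compliant) and restore the trailing newline; both gaps from patch 04 survive here.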
@@ -196,7 +196,12 @@ Class creation SHALL be restricted to verified teachers only. - _Last modified:_ June 21, 2024 - MITRE ATT&CK TTP Mapping - - Pending + - [T1656: Impersonation](https://attack.mitre.org/techniques/T1656/) + - [T534: Internal Spearphishing](https://attack.mitre.org/techniques/T1534/) + - [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/) + - [T1598:002: Phishing for Information: Spearphishing Attachment](https://attack.mitre.org/techniques/T1598/002/) + - [T1598:003: Phishing for Information: Spearphishing Link](https://attack.mitre.org/techniques/T1598/003/) + - [T1598:004: Phishing for Information: Spearphishing Voice](https://attack.mitre.org/techniques/T1598/004/) ### Resources
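Review bot: the second mapping is mislabeled: the link text says "T534: Internal Spearphishing" but the URL is attack.mitre.org/techniques/T1534/, so the label should read T1534. The sub-technique IDs use a colon ("T1598:002", "T1598:003", "T1598:004") where ATT&CK writes a dot (T1598.002 and so on, matching the /T1598/002/ URL paths); fix the labels so they match the IDs they link to.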