⭐️ google workspace security policy (#77)

``` GOOGLEWORKSPACE_CREDENTIALS=$PWD/credential.json cnspec scan googleworkspace --customer-id C011a1aa1 --impersonated-user-email chris@example.com -f extra/mondoo-google-workspace-security.mql.yaml → discover related assets for 1 asset(s) → resolved assets resolved-assets=1 → connecting to asset Google Workspace example.com (api) ██████████████████████████ 100% Google Workspace example.com Asset: Google Workspace example.com ================================== Controls: ✓ Pass: Ensure 2-Step Verification (Multi-Factor Authentication) is enforced for all users ✕ Fail: Ensure less than 3 users have Super Admin Permissions Summary (1 assets) ================== Target: Google Workspace example.com Score: C 50/100 (100% completed) ✓ Passed: ████████ 50% (1) ✕ Failed: ████████ 50% (1) ! Errors: 0% (0) » Skipped: 0% (0) Policies: C 50 Google Workspace Security Best Practices by Mondoo To get more information, please run this scan with "-o full". ```
mondoohq · Nov 15, 2022 · 1c3ea8b · 1c3ea8b
1 parent 1c8ac29
commit 1c3ea8b
Showing 1 changed file with 68 additions and 0 deletions.
diff --git a/extra/mondoo-google-workspace-security.mql.yaml b/extra/mondoo-google-workspace-security.mql.yaml
@@ -0,0 +1,68 @@
+policies:
+  - uid: mondoo-gogole-workspace-security
+    name: Google Workspace Security Best Practices by Mondoo
+    version: 1.0.0
+    is_public: true
+    authors:
+      - name: Mondoo, Inc
+        email: hello@mondoo.com
+    docs:
+      desc: |
+        ### Overview
+
+        The Mondoo Google Workspace Incident Response query pack gathers configuration data about your Google Workspace investigation during a security incident.
+
+        ### Prerequisites
+
+        1. Create/Select a GCP project
+        2. Navigate to the [Google API Console](https://console.cloud.google.com/apis/dashboard). 
+        3. Click "Enable APIs and Services" and enable the following APIs:
+          - Admin SDK API 
+          - Cloud Identity API 
+          - Google Calendar API
+          - Google Drive API
+          - Gmail API
+          - Google People API
+        4. Create a service account for [Google Workspace](https://support.google.com/a/answer/7378726?product_name=UnuFlow&hl=en&visit_id=638041387835615758-4147680582&rd=1&src=supportwidget0&hl=en)
+        5. Create credentials for the service account and downlaad the json file
+        6. Enter the following scopes in Security -> Access and data controls -> API controls, and click on  [Domain-wide Delegation](https://developers.google.com/workspace/guides/create-credentials#delegate_domain-wide_authority_to_your_service_account) 
+
+          - https://www.googleapis.com/auth/admin.chrome.printers.readonly
+          - https://www.googleapis.com/auth/admin.directory.customer.readonly
+          - https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
+          - https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
+          - https://www.googleapis.com/auth/admin.directory.domain.readonly
+          - https://www.googleapis.com/auth/admin.directory.group.member.readonly
+          - https://www.googleapis.com/auth/admin.directory.group.readonly
+          - https://www.googleapis.com/auth/admin.directory.orgunit.readonly
+          - https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly
+          - https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
+          - https://www.googleapis.com/auth/admin.directory.user.alias.readonly
+          - https://www.googleapis.com/auth/admin.directory.user.readonly
+          - https://www.googleapis.com/auth/admin.directory.userschema.readonly
+          - https://www.googleapis.com/auth/admin.reports.audit.readonly
+          - https://www.googleapis.com/auth/admin.reports.usage.readonly
+          - https://www.googleapis.com/auth/admin.directory.user.security
+          - https://www.googleapis.com/auth/cloud-identity.groups.readonly
+
+        ### Run query pack
+
+        To run this query pack against a Google Workspace customer:
+
+        ```bash
+        export GOOGLEWORKSPACE_CREDENTIALS=$PWD/my-project-123456-1234ea722b12.json
+        cnquery scan googleworkspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL>
+        ```
+    specs:
+      - asset_filter:
+          query: asset.platform == "googleworkspace"
+        scoring_queries:
+          mondoo-googleworkspace-security-two-step-verification-enforced:
+          mondoo-googleworkspace-security-limit-super-admins:
+queries:
+  - uid: mondoo-googleworkspace-security-two-step-verification-enforced
+    title: Ensure 2-Step Verification (Multi-Factor Authentication) is enforced for all users
+    query: googleworkspace.users.all ( isEnforcedIn2Sv == true )
+  - uid: mondoo-googleworkspace-security-limit-super-admins
+    title: Ensure less than 3 users have Super Admin Permissions
+    query: googleworkspace.report.users.where(security["isSuperAdmin"] == true).length <= 3