member.rego
package member
import data.common.members as memberUtils
# METADATA
# scope: rule
# title: Organization Should Have Fewer Than Three Owners
# description: Organization owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Organizational Admins to the minimum needed (recommended maximum 3 owners).
# custom:
# remediationSteps:
# - 1. Make sure you have admin permissions
# - 2. Go to the organization People page
# - 3. Select the unwanted owners
# - 4. Using the 'X members selected' - change role to member
# severity: MEDIUM
# requiredScopes: [admin:org]
# threat:
# - 1. An organization has a permissive attitude and provides an owner role to all developers
# - 2. One of the developers has decided to collaborate with an evil ransomware gang, and uses his high privileges to add a malicious external collaborator
# - 3. The malicious collaborator, being an owner, has a wide range of destructive operations he can do (e.g. remove security settings)
default organization_has_too_many_admins := true

# The default above reports a violation; the rule below overrides it with
# false only when the admin count is within the limit.
organization_has_too_many_admins := false {
	# Every entry of input.members whose is_admin field is exactly true.
	# Entries with a missing or non-boolean is_admin are not counted.
	owners := [m | m := input.members[_]; m.is_admin == true]

	# NOTE(review): up to 3 admins are accepted here, which matches the
	# "maximum 3 owners" in the description, but the rule title says
	# "Fewer Than Three" - confirm which threshold is intended.
	# NOTE(review): when input.members is missing or empty the list is empty,
	# the count is 0 and the organization is reported as compliant. Confirm
	# that a failed or under-scoped member fetch is surfaced elsewhere, so it
	# cannot be read as a pass.
	count(owners) <= 3
}
# METADATA
# scope: rule
# title: Organization Members Should Have Activity In The Last 6 Months
# description: A member did not perform any action in the last 6 months. Stale members can pose a potential risk if they are compromised. Consider removing the user's access completely.
# custom:
# requiredEnrichers: [entityId, violatedUsers]
# remediationSteps:
# - 1. Make sure you have admin permissions
# - 2. Go to the org's People page
# - 3. Select all stale members
# - 4. Using the 'X members selected' - remove members from organization
# severity: LOW
# requiredScopes: [admin:org]
# prerequisites: [premium]
# threat:
# - Stale members are most likely not managed and monitored, increasing the possibility of being compromised.
stale_member_found[mem] := true {
	# Visit each entry of input.members; the key or position is not used.
	mem := input.members[_]

	# Regular members only: is_admin must be exactly false, so entries with a
	# missing is_admin field are not reported by this rule.
	mem.is_admin == false

	# Entries whose last_active is -1 are skipped.
	# NOTE(review): presumably -1 marks "no activity data available". If so,
	# accounts with unknown activity are never flagged as stale - confirm
	# that this gap is acceptable or covered elsewhere.
	mem.last_active != -1

	# isStale comes from data.common.members and is not visible in this file.
	# The 6 is presumably the threshold in months, per the rule title - verify
	# against the helper.
	memberUtils.isStale(mem.last_active, 6)
}
# METADATA
# scope: rule
# title: Organization Admins Should Have Activity In The Last 6 Months
# description: A member with organizational admin permissions did not perform any action in the last 6 months. Admin users are extremely powerful and common compliance standards demand keeping the number of admins to a minimum. Consider revoking this member’s admin credentials by downgrading to regular user or removing the user completely.
# custom:
# requiredEnrichers: [entityId, violatedUsers]
# remediationSteps:
# - 1. Make sure you have admin permissions
# - 2. Go to the org's People page
# - 3. Select all stale admins
# - 4. Using the 'X members selected' - remove members from organization
# severity: MEDIUM
# requiredScopes: [admin:org]
# prerequisites: [premium]
# threat:
# - Stale admins are most likely not managed and monitored, increasing the possibility of being compromised.
stale_admin_found[mem] := true {
	# Visit each entry of input.members; the key or position is not used.
	mem := input.members[_]

	# Admins only: is_admin must be exactly true.
	mem.is_admin == true

	# Entries whose last_active is -1 are skipped.
	# NOTE(review): presumably -1 marks "no activity data available". If so,
	# an admin with unknown activity is never flagged as stale, even though a
	# dormant privileged account is the case this rule targets - confirm.
	mem.last_active != -1

	# isStale comes from data.common.members and is not visible in this file.
	# The 6 is presumably the threshold in months, per the rule title - verify
	# against the helper.
	memberUtils.isStale(mem.last_active, 6)
}