Added Gmail Policy Group 19

Testing/RegoTests/gmail/gmail19_test.rego

@@ -0,0 +1,24 @@
+package gmail
+import future.keywords
+
+#
+# GWS.GMAIL.19.1v0.2
+#--
+test_Spam_Correct_V1 if {
+    # Test not implemented
+    PolicyId := "GWS.GMAIL.19.1v0.2"
+    Output := tests with input as {
+        "gmail_logs": {"items": [
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == "Currently not able to be tested automatically; please manually check."
+}
+#--

baselines/Gmail Minimum Viable Secure Configuration Baseline v0.2.md

@@ -28,6 +28,7 @@ This baseline is based on Google documentation available at the [Gmail Google Wo
 - [Security Sandbox](#16-security-sandbox)
 - [Comprehensive Mail Storage](#17-comprehensive-mail-storage)
 - [Content Compliance Filtering](#18-content-compliance-filtering)
+- [Spam Filtering](#19-spam-filtering)
 
 
 Within Google Workspace, settings can be assigned to users through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes.
@@ -1152,3 +1153,83 @@ To configure the settings for Objectionable content:
 
 #### GWS.GMAIL.18.3v0.2 Instructions
 1.  There is no implementation steps for this policy.
+
+
+## 19. Spam Filtering
+
+This section covers the settings relating to bypassing spam filters.
+
+### Policies
+
+#### GWS.GMAIL.19.1v0.2
+Domains SHALL NOT be added to lists that bypass spam filters.
+
+- _Rationale:_ Legitimate emails may be incorrectly filtered by spam protections. Adding allowed senders is an acceptable method of combating these false positives. Allowing an entire domain, especially a common domain like office.com, however, provides for a large number of potentially unknown users to bypass spam protections.
+- _Last modified:_ April 10, 2024
+- _Note:_ Allowed senders MAY be added.
+
+- MITRE ATT&CK TTP Mapping
+  - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
+    - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
+    - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
+  - [T1534: Internal Spearphishing](https://attack.mitre.org/techniques/T1534/)
+
+#### GWS.GMAIL.19.2v0.2
+Domains SHALL NOT be added to lists that bypass spam filters and hide warnings.
+
+- _Rationale:_ Legitimate emails may be incorrectly filtered by spam protections. Adding allowed senders is an acceptable method of combating these false positives. Allowing an entire domain, especially a common domain like office.com, however, provides for a large number of potentially unknown users to bypass spam protections.
+- _Last modified:_ April 10, 2024
+
+- MITRE ATT&CK TTP Mapping
+  - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
+    - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
+    - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
+  - [T1534: Internal Spearphishing](https://attack.mitre.org/techniques/T1534/)
+
+#### GWS.GMAIL.19.3v0.2
+Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled.
+
+- _Rationale:_ Bypassing spam filters and hiding warning for all messages from internal and external senders creates a security risk because all messages are allowed to bypass filters. Disabling this feature mitigates the risk.
+- _Last modified:_ April 10, 2024
+
+- MITRE ATT&CK TTP Mapping
+  - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
+    - [T1566:001: Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)
+    - [T1566:002: Phishing: Spearphishing Link](https://attack.mitre.org/techniques/T1566/002/)
+  - [T1534: Internal Spearphishing](https://attack.mitre.org/techniques/T1534/)
+
+### Resources
+
+-   [How to bypass the spam filter for incoming emails using the spam settings ](https://knowledge.workspace.google.com/kb/how-to-bypass-the-spam-filter-for-incoming-emails-000006661)
+
+### Prerequisites
+
+-   N/A
+
+### Implementation
+
+To configure the settings for spam filtering:
+
+#### Policy Group 19 Common Instructions
+1.  Sign in to the [Google Admin Console](https://admin.google.com).
+2.  Select **Apps -\> Google Workspace -\> Gmail**.
+3.  Select **Spam, Phishing, and Malware**.
+
+#### GWS.GMAIL.19.1v0.2 Instructions
+For each rule listed under **Spam**:
+1. Ensure that either:
+    * **Bypass spam filters for messages from senders or domains in selected lists** is not selected, or
+    * None of the lists shown under **Bypass spam filters for messages from senders or domains in selected lists** contain an entire domain. For example, the entire domain "example.com" is not acceptable, but the specific address, john.doe@example.com, would be.
+2. Modify the rule or lists associated with the rule as needed, then select **Save.**
+
+#### GWS.GMAIL.19.2v0.2 Instructions
+For each rule listed under **Spam**:
+1. Ensure that either:
+    * **Bypass spam filters and hide warnings for messages from senders or domains in selected lists** is not selected, or
+    * None of the lists shown under **Bypass spam filters and hide warnings for messages from senders or domains in selected lists** contain an entire domain. For example, the entire domain "example.com" is not acceptable, but the specific address, john.doe@example.com, would be.
+2. Modify the rule or lists associated with the rule as needed, then select **Save.**
+
+#### GWS.GMAIL.19.3v0.2 Instructions
+For each rule listed under **Spam**:
+1. Ensure that **Bypass spam filters and hide warnings for all messages from internal and external sender* is not selected.
+2. Select **Save.**

drift-rules/GWS Drift Monitoring Rules - Gmail.csv

@@ -50,3 +50,6 @@ GWS.GMAIL.17.1v0.2,Comprehensive mail storage SHOULD be enabled to ensure inform
 GWS.GMAIL.18.1v0.2,Content filtering SHOULD be enabled within Gmail messages.,N/A,N/A,N/A,N/A,N/A,Not Alertable
 GWS.GMAIL.18.2v0.2,Any third-party or outside application selected for advanced email content filtering SHOULD offer services comparable to those offered by Google Workspace.,N/A,N/A,N/A,N/A,N/A,Not Alertable
 GWS.GMAIL.18.3v0.2,"Gmail or third-party applications SHALL be configured to protect PII and sensitive information as defined by the agency. At a minimum, credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked.",N/A,N/A,N/A,N/A,N/A,Not Alertable
+GWS.GMAIL.19.1v0.2,"Domains SHALL NOT be added to lists that bypass spam filters.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45
+GWS.GMAIL.19.2v0.2,"Domains SHALL NOT be added to lists that bypass spam filters and hide warnings.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45
+GWS.GMAIL.19.3v0.2,"Bypass spam filters and hide warnings for all messages from internal and external senders SHALL NOT be enabled.",Admin Log Event,Change Gmail Setting,SPAM_CONTROL,N/A,rules/00gjdgxs12jr6zt,JGK 04-11-24 @ 09:45

rego/Gmail.rego

@@ -2099,4 +2099,19 @@ tests contains {
     "RequirementMet": false,
     "NoSuchEvent": false
 }
+#--
+
+#
+# Baseline GWS.GMAIL.19.1v0.2
+#--
+# At this time we are unable to test because settings are configured in the GWS Admin Console
+# and not available within the generated logs
+tests contains {
+    "PolicyId": "GWS.GMAIL.19.1v0.2",
+    "Criticality": "Shall/Not-Implemented",
+    "ReportDetails": "Currently not able to be tested automatically; please manually check.",
+    "ActualValue": "",
+    "RequirementMet": false,
+    "NoSuchEvent": false
+}
 #--