diff --git a/scubagoggles/Testing/RegoTests/classroom/classroom_api01_test.rego b/scubagoggles/Testing/RegoTests/classroom/classroom_api01_test.rego
index d881bbd3..6d262aa5 100644
--- a/scubagoggles/Testing/RegoTests/classroom/classroom_api01_test.rego
+++ b/scubagoggles/Testing/RegoTests/classroom/classroom_api01_test.rego
@@ -31,7 +31,7 @@ BadClassroomApi01 := {
 "topOU": {
 "classroom_class_membership": {
 "whoCanJoinClasses": "ANYONE_IN_DOMAIN",
- "whichClassesCanUsersJoin": "CLASSES_IN_ALLOWLISTED_DOMAINS"
+ "whichClassesCanUsersJoin": "ANY_GOOGLE_WORKSPACE_CLASS"
 },
 "classroom_service_status": {"serviceState": "ENABLED"}
 },
@@ -40,7 +40,7 @@ BadClassroomApi01 := {
 "thirdOU": {
 "classroom_class_membership": {
 "whoCanJoinClasses": "ANY_GOOGLE_WORKSPACE_USER",
- "whichClassesCanUsersJoin": "CLASSES_IN_ALLOWLISTED_DOMAINS"
+ "whichClassesCanUsersJoin": "ANY_GOOGLE_WORKSPACE_CLASS"
 },
 },
 "fourthOU": {
@@ -81,7 +81,7 @@ test_ClassroomAPI_JoinClasses_Incorrect_1 if {
 PolicyId := ClassroomId1_2
 Output := tests with input as BadClassroomApi01
- whichClasses := "Classes in allowlisted domains"
+ whichClasses := "Any Google Workspace class"
 failedOU := [{"Name": "thirdOU", "Value": NonComplianceMessage1_2(whichClasses)},
 {"Name": "topOU",
diff --git a/scubagoggles/baselines/classroom.md b/scubagoggles/baselines/classroom.md
index b1b9d342..77cc8555 100644
--- a/scubagoggles/baselines/classroom.md
+++ b/scubagoggles/baselines/classroom.md
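Review bot: The two `BadClassroomApi01` hunks only keep the negative tests failing by swapping `CLASSES_IN_ALLOWLISTED_DOMAINS` for `ANY_GOOGLE_WORKSPACE_CLASS`; nothing visible in this diff asserts that the newly accepted values (`ANYONE_IN_ALLOWLISTED_DOMAINS` for 1.1 and `CLASSES_IN_ALLOWLISTED_DOMAINS` for 1.2) are now reported as compliant, so a later regression that drops either value from the policy would pass the suite unnoticed. Add an OU carrying each of those values to a compliant fixture and a Correct counterpart to `test_ClassroomAPI_JoinClasses_Incorrect_1` expecting no failed OUs, unless such a case already exists outside this diff. In the third hunk the expected text `whichClasses := "Any Google Workspace class"` is hand-typed; if the report derives that display name from the setting value through a shared helper, build the expectation the same way so the test cannot silently diverge from the report wording. The body of `test_ClassroomAPI_JoinClasses_Incorrect_1` continues past the end of the hunk.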
@@ -39,20 +39,20 @@ This section covers who has the ability to join classes and what classes the use
 ### Policies
 
 #### GWS.CLASSROOM.1.1v0.6
-Who can join classes in your domain SHALL be set to Users in your domain only.
+Who can join classes in your domain SHALL be restricted to users in your domain or allowlisted domains.
 
-- _Rationale:_ Classes can contain private or otherwise sensitive information. Restricting classes to users in your domain helps prevent data leakage resulting from unauthorized classroom access.
-- _Last modified:_ September 2023
+- _Rationale:_ Classes can contain private or otherwise sensitive information. Restricting access to your classes helps prevent data leakage resulting from unauthorized classroom access.
+- _Last modified:_ October 2025
 - _NIST SP 800-53 Rev. 5 FedRAMP High Baseline Mapping:_ AC-3
 - MITRE ATT&CK TTP Mapping
 - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
 - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/)
 
 #### GWS.CLASSROOM.1.2v0.6
-Which classes users in your domain can join SHALL be set to Classes in your domain only.
+Which classes users in your domain can join SHALL be restricted to classes in your domain or allowlisted domains.
 
-- _Rationale:_ Allowing users to join a class from outside your domain could allow for data to be exfiltrated to entities outside the control of the organization creating a significant security risk.
-- _Last modified:_ January 2025
+- _Rationale:_ Allowing users to join classes in arbitrary domains could allow for data to be exfiltrated to entities outside the control of the organization.
+- _Last modified:_ October 2025
 - _NIST SP 800-53 Rev. 5 FedRAMP High Baseline Mapping:_ SC-7(10)
 - MITRE ATT&CK TTP Mapping
 - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
diff --git a/scubagoggles/rego/Classroom.rego b/scubagoggles/rego/Classroom.rego
index c5f42310..1698ed9d 100644
--- a/scubagoggles/rego/Classroom.rego
+++ b/scubagoggles/rego/Classroom.rego
@@ -35,6 +35,7 @@ NonCompliantOUs1_1 contains {
 ClassroomEnabled(OU)
 whoCanJoin := settings.classroom_class_membership.whoCanJoinClasses
 whoCanJoin != "ANYONE_IN_DOMAIN"
+ whoCanJoin != "ANYONE_IN_ALLOWLISTED_DOMAINS"
 }
 
 tests contains {
@@ -80,6 +81,7 @@ NonCompliantOUs1_2 contains {
 ClassroomEnabled(OU)
 whichClasses := settings.classroom_class_membership.whichClassesCanUsersJoin
 whichClasses != "CLASSES_IN_DOMAIN"
+ whichClasses != "CLASSES_IN_ALLOWLISTED_DOMAINS"
 }
 
 tests contains {
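Review bot: Both hunks widen the compliant set by appending a second `!=` line, so the accepted values for each policy are now spread across two statements and a future addition can be made to one rule body and missed in the other; `not whoCanJoin in {"ANYONE_IN_DOMAIN", "ANYONE_IN_ALLOWLISTED_DOMAINS"}` (and the equivalent set for `whichClasses`) states the allowlist once and reads as intent, assuming the file already imports `rego.v1` or `future.keywords.in`, which its use of `contains` and `if` suggests. Accepting the allowlisted-domains setting makes compliance depend on what the tenant's domain allowlist actually contains, which neither rule inspects, so a comment above each new line such as `# ANYONE_IN_ALLOWLISTED_DOMAINS is accepted as-is; the allowlist contents are not checked here` would keep that limitation visible to the next maintainer. If the exported settings carry the allowlist, consider surfacing it in the report so an assessor can judge whether the listed domains are appropriate. Both `NonCompliantOUs1_1` and `NonCompliantOUs1_2` begin before their hunks.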