feat: Added new policy to GitLab groups: MFA grace period (#286)

* feat: Added new policy to GitLab groups: MFA grace period --------- Co-authored-by: noamd-legit <[email protected]>
Legit-Labs · Jan 7, 2024 · 4bbb761 · 4bbb761
1 parent 26129a2
commit 4bbb761
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/policies/gitlab/organization.rego b/policies/gitlab/organization.rego
@@ -81,3 +81,23 @@ default group_does_not_enforce_branch_protection_by_default := true
 group_does_not_enforce_branch_protection_by_default := false {
 	input.default_branch_protection > 0
 }
+
+# METADATA
+# scope: rule
+# title: Two-Factor Authentication Grace Period Should Not Be Longer Than One Week
+# description: New members added to your group are allowed longer than a week to enable MFA. The time frame should be lowered to one week or less.
+# custom:
+#   severity: MEDIUM
+#   remediationSteps:
+#     - Go to the group page
+#     - Press Settings -> General
+#     - Expand "Permissions and group features"
+#     - 'In the box titled: "Delay 2FA enforcement (hours)", enter a number under 168 (preferably 0)'
+#     - Press "Save Changes"
+#   threat:
+#     - Any new group membmer effectivly acts as an attack surface until two-factor authentication is enabled. The risk is compounded as new members may be more vulnerable to phising and identity theft attacks.
+default group_allows_excessive_mfa_grace_period := true
+
+group_allows_excessive_mfa_grace_period := false{
+	input.two_factor_grace_period <= 168
+}