Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-github-compliance
Overview
2Dashboards
37Benchmarks
33Queries
2Variables
GitHub

Control: 1.3.5 Ensure the organization is requiring members to use Multi-Factor Authentication (MFA)

Description

Require members of the organization to use Multi-Factor Authentication (MFA) in addition to a standard user name and password when authenticating to the source code management platform.

Rationale

By default, every user authenticates within the system by password only. If the password of a user is compromised, however, the user account and every repository to which they have access is in danger of data loss, malicious code commits, and data theft. It is therefore recommended that each user has Multi-Factor Authentication enabled. This adds an additional layer of protection to ensure the account remains secure even if the user’s password is compromised.

Note: Members could be removed from the organization if they do not have Multi-Factor Authentication already enabled. If this is the case, it is recommended that an invitation be sent to reinstate the user’s access and former privileges. They must enable Multi-Factor Authentication in order to accept the invitation.

Audit

For every organization that exists in your source code management platform, verify that Multi-Factor Authentication is enforced and is the only way to authenticate.

Remediation

Use the built-in setting to ensure the enforcement of Multi-Factor Authentication for each member of the organization.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_3_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_3_5 --share

SQL

This control uses a named query:

select
  -- Required Columns
  url as resource,
  case
    when two_factor_requirement_enabled is null then 'info' -- info is only available to owners
    when two_factor_requirement_enabled then 'ok'
    else 'alarm'
  end as status,
  coalesce(name, login) || case
    when (two_factor_requirement_enabled)::bool is null then ' two-factor authentication unknown, manual verification required'
    when (two_factor_requirement_enabled)::bool then ' requires two-factor authentication'
    else ' does not require two-factor authentication' end || '.' as reason,
  -- Additional Dimensions
  login
from
  github_my_organization;

Tags

category = Compliance
cis = true
cis_section_id = 1.3
cis_supply_chain_v100 = true
cis_type = automated
cis_version = v1.0.0
plugin = github
service = GitHub