Control: 3.1.3.5.2 (L1) Ensure automatic forwarding options are disabled
Description
You should disable automatic forwarding to prevent users from auto-forwarding mail.
In the event that an attacker gains control of an end-user account they could create rules to ex-filtrate data from your environment.
Remediation
To verify this setting via the Google Workspace Admin Console:
- Log in to
https://admin.google.comas an administrator. - Select
Apps. - Select
Google Workspace. - Select
Gmail. - Under
End User Access-Automatic forwarding, setAllow users to automatically forward incoming email to another addresstounchecked. - Select
Save.
Default Value
Allow users to automatically forward incoming email to another address is checked
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_5_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_5_2 --shareSQL
This control uses a named query:
with all_users as ( select primary_email as user_email from googledirectory_user),gmail_settings as ( select u.user_email, gs.auto_forwarding from all_users u left join googleworkspace_gmail_settings gs on gs.user_email = u.user_email)select user_email as resource, case when auto_forwarding ->> 'enabled' = 'false' or auto_forwarding ->> 'enabled' is null then 'ok' else 'alarm' end as status, case when auto_forwarding ->> 'enabled' = 'false' or auto_forwarding ->> 'enabled' is null then 'Auto-forwarding disabled for user: ' || user_email || '.' else 'Auto-forwarding enabled for user: ' || user_email || ' to: ' || coalesce(auto_forwarding ->> 'emailAddress', 'unknown address') || '.' end as reasonfrom gmail_settings;