turbot/steampipe-mod-googleworkspace-compliance

Control: 3.1.3.5.2 (L1) Ensure automatic forwarding options are disabled

Description

You should disable automatic forwarding to prevent users from auto-forwarding mail.

In the event that an attacker gains control of an end-user account they could create rules to ex-filtrate data from your environment.

Remediation

To verify this setting via the Google Workspace Admin Console:

  1. Log in to https://admin.google.com as an administrator.
  2. Select Apps.
  3. Select Google Workspace.
  4. Select Gmail.
  5. Under End User Access - Automatic forwarding, set Allow users to automatically forward incoming email to another address to unchecked.
  6. Select Save.

Default Value

Allow users to automatically forward incoming email to another address is checked

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_5_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_5_2 --share

SQL

This control uses a named query:

with all_users as (
select primary_email as user_email from googledirectory_user
),
gmail_settings as (
select
u.user_email,
gs.auto_forwarding
from all_users u
left join googleworkspace_gmail_settings gs on gs.user_email = u.user_email
)
select
user_email as resource,
case
when auto_forwarding ->> 'enabled' = 'false' or auto_forwarding ->> 'enabled' is null then 'ok'
else 'alarm'
end as status,
case
when auto_forwarding ->> 'enabled' = 'false' or auto_forwarding ->> 'enabled' is null then 'Auto-forwarding disabled for user: ' || user_email || '.'
else 'Auto-forwarding enabled for user: ' || user_email || ' to: ' || coalesce(auto_forwarding ->> 'emailAddress', 'unknown address') || '.'
end as reason
from
gmail_settings;

Tags