cisagov · buidav · Jun 20, 2024 · Jun 11, 2024 · Jun 12, 2024 · Jun 12, 2024
diff --git a/Testing/RegoTests/meet/meet05_test.rego b/Testing/RegoTests/meet/meet05_test.rego
@@ -0,0 +1,288 @@
+package meet
+import future.keywords
+
+#
+# GWS.MEET.5.1v0.2
+#--
+test_Incoming_Correct_V1 if {
+    # Test restricted to contacts
+    PolicyId := "GWS.MEET.5.1v0.2"
+    Output := tests with input as {
+        "meet_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Incoming call restrictions Allowed caller type"
+                        },
+                        {"name": "NEW_VALUE", "value": "CONTACTS_AND_SAME_DOMAIN"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Incoming_Correct_V2 if {
+    # Test disabled
+    PolicyId := "GWS.MEET.5.1v0.2"
+    Output := tests with input as {
+        "meet_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Incoming call restrictions Allowed caller type"
+                        },
+                        {"name": "NEW_VALUE", "value": "NO_ONE"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Incoming_Correct_V3 if {
+    # Test inheritance
+    PolicyId := "GWS.MEET.5.1v0.2"
+    Output := tests with input as {
+        "meet_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Incoming call restrictions Allowed caller type"
+                        },
+                        {"name": "NEW_VALUE", "value": "NO_ONE"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Incoming call restrictions Allowed caller type"
+                        },
+                        {"name": "NEW_VALUE", "value": "NO_ONE"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2023-12-20T00:02:28.672Z"},
+                "events": [{
+                    "name": "DELETE_APPLICATION_SETTING",
+                    "parameters": [
+                        {"name": "SETTING_NAME", "value": "Incoming call restrictions Allowed caller type"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
+                    ]
+                }]
+            },
+        ]},
+        "tenant_info": {
+            "topLevelOU": "Test Top-Level OU"
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
+}
+
+test_Incoming_Incorrect_V1 if {
+    # Test top-level OU wrong
+    PolicyId := "GWS.MEET.5.1v0.2"
+    Output := tests with input as {
+        "meet_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Incoming call restrictions Allowed caller type"
+                        },
+                        {"name": "NEW_VALUE", "value": "ALL"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", [
+        "The following OUs are non-compliant:<ul>",
+        "<li>Test Top-Level OU: Users can receive calls from anyone</li>",
+        "</ul>"
+    ])
+}
+
+test_Incoming_Incorrect_V2 if {
+    # Test child OU wrong
+    PolicyId := "GWS.MEET.5.1v0.2"
+    Output := tests with input as {
+        "meet_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Incoming call restrictions Allowed caller type"
+                        },
+                        {"name": "NEW_VALUE", "value": "NO_ONE"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Incoming call restrictions Allowed caller type"
+                        },
+                        {"name": "NEW_VALUE", "value": "ALL"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Second-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": "Test Top-Level OU"
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", [
+        "The following OUs are non-compliant:<ul>",
+        "<li>Test Second-Level OU: Users can receive calls from anyone</li>",
+        "</ul>"
+    ])
+}
+
+test_Incoming_Incorrect_V3 if {
+    # Test group wrong
+    PolicyId := "GWS.MEET.5.1v0.2"
+    Output := tests with input as {
+        "meet_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Incoming call restrictions Allowed caller type"
+                        },
+                        {"name": "NEW_VALUE", "value": "NO_ONE"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "Incoming call restrictions Allowed caller type"
+                        },
+                        {"name": "NEW_VALUE", "value": "ALL"},
+                        {"name": "GROUP_EMAIL", "value": "[email protected]"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": "Test Top-Level OU"
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", [
+        "The following groups are non-compliant:<ul>",
+        "<li>[email protected]: Users can receive calls from anyone</li>",
+        "</ul>"
+    ])
+}
+
+test_Incoming_Incorrect_V4 if {
+    # Test no events
+    PolicyId := "GWS.MEET.5.1v0.2"
+    Output := tests with input as {
+        "meet_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {
+                            "name": "SETTING_NAME",
+                            "value": "something else"
+                        },
+                        {"name": "NEW_VALUE", "value": "ALL"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        }
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", [
+        "No relevant event in the current logs for the top-level OU, Test Top-Level OU. ",
+        "While we are unable to determine the state from the logs, the default setting is non-compliant; ",
+        "manual check recommended."
+    ])
+}
+#--
diff --git a/baselines/Google Meet Minimum Viable Secure Configuration Baseline v0.2.md b/baselines/Google Meet Minimum Viable Secure Configuration Baseline v0.2.md
@@ -190,3 +190,41 @@ To enable Host Management meeting features:
 3.  Select **Meet safety settings** -\> **Warn for external participants**.
 4.  Check the **External or unidentified participants in a meeting are given a label** checkbox.
 5.  Select **Save**.
+
+## 5. Incoming Calls
+
+This section covers who domain users are allowed to receive a 1:1 call from.
+
+### Policies
+
+#### GWS.MEET.5.1v0.2
+Incoming calls SHALL be restricted to contacts and other users in the organization.
+
+- _Rationale:_ Calls could potentially be used to pass sensitive information. By selecting this setting, it potentially mitigates unauthorized data leakage.
+- _Last modified:_ March 15, 2024
+
+- MITRE ATT&CK TTP Mapping
+  - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
+  - [T1566: Phishing](https://attack.mitre.org/techniques/T1566/)
+    - [T1566:004: Phishing: Spearphishing Voice](https://attack.mitre.org/techniques/T1566/004/)
+  - [T1598: Phishing for Information](https://attack.mitre.org/techniques/T1598/)
+    - [T1598:004: Phishing for Information: Spearphishing Voice](https://attack.mitre.org/techniques/T1598/004/)
+  - [T1123: Audio Capture](https://attack.mitre.org/techniques/T1123/)
+  - [T1113: Screen Capture](https://attack.mitre.org/techniques/T1113/)
+  - [T1125: Video Capture](https://attack.mitre.org/techniques/T1125/)
+
+### Resources
+- [Restrict who can call my organization's users with Google Meet](https://support.google.com/a/answer/14277985)
+
+### Prerequisites
+-   None
+
+### Implementation
+
+#### GWS.MEET.5.1v0.2 Instructions
+1.  Sign in to the [Google Admin Console](https://admin.google.com).
+2.  Select **Menu** -> **Apps** -> **Google Workspace** -> **Google Meet**.
+3.  Click **Meet safety settings**.
+4.  Click **Incoming call restrictions**.
+5.  Ensure **Users receive calls only from contacts and other users in the organization** or **Users can't receive calls** is selected.
+6.  Click **Save**.
diff --git a/drift-rules/GWS Drift Monitoring Rules - Meet.csv b/drift-rules/GWS Drift Monitoring Rules - Meet.csv
@@ -2,4 +2,5 @@ PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule I
 GWS.MEET.1.1v0.2,Meeting access SHALL be restricted to users signed in with a Google Account or Dialing in using a phone.,Admin Log Event,Change Application Setting,SafetyDomainLockProto users_allowed_to_join,LOGGED_IN,rules/00gjdgxs1wv8d7g,JK 08-02-23 @ 15:58
 GWS.MEET.2.1v0.2,Meeting access SHALL be disabled for meetings created by users who are not members of any Google Workspace tenant or organization.,Admin Log Event,Change Application Setting,SafetyAccessLockProto meetings_allowed_to_join,WORKSPACE_DOMAINS,rules/00gjdgxs0rw9s95,JK 08-02-23 @ 16:02
 GWS.MEET.3.1v0.2,Host Management meeting features SHALL be enabled so that they are available by default when a host starts their meeting.,Admin Log Event,Change Application Setting,SafetyModerationLockProto host_management_enabled,true,rules/00gjdgxs3bvxawy,JK 08-02-23 @ 16:05
-GWS.MEET.4.1v0.2,Warn for external participants SHALL be enabled.,Admin Log Event,Change Application Setting,Warn for external participants External or unidentified participants in a meeting are given a label,true,rules/00gjdgxs2yp7uet,JK 10-16-23 @ 07:32
+GWS.MEET.4.1v0.2,Warn for external participants SHALL be enabled.,Admin Log Event,Change Application Setting,Warn for external participants External or unidentified participants in a meeting are given a label,true,rules/00gjdgxs2yp7uet,JK 10-16-23 @ 07:32
+GWS.MEET.5.1v0.2,Users receive calls only from contacts and other users in the organization SHALL be selected.,Admin Log Event,Change Application Setting,Incoming call restrictions Allowed caller type,CONTACTS_AND_SAME_DOMAIN,rules/00gjdgxs188dve6,MD 06-11-24 @ 12:30