Open buidav opened 5 months ago
The other thing I think worth mentioning, is that the baseline currently appears to be checking for ALL existing groups and whether or not they are restricted. It does not address the actual core of the baseline, which is that NEW groups should be restricted.
💡 Summary
In the instructions for 7.1 we're asking that groups be initially created with an access type of restricted. This seems like a best practice and can just as easily be bypassed by changing the access type right after creation.
The rego itself checks whether all groups always have the restricted access type.
Due to the organizational needs I'm not sure it's viable for us to have a policy that says groups must always disable that anyone in the organization can.
I think we should delete 7.1 altogether but I'm open to other suggestions.
Motivation and context
Streamlining the ease of use of the SCuBA baselines.
Implementation notes
Acceptance criteria
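The distinction raised in this issue, "every existing group is restricted right now" versus "every group was created restricted", is easy to see when the two checks are run over the same history. The Python below is an added example written for this discussion, not SCuBA's rego or any GWS API code; the event fields (`ts`, `group`, `action`, `access_type`) and the access-type values are assumptions, and the events are constructed sample data.

```python
from dataclasses import dataclass

# Assumed label for the restricted access type (constructed, not a GWS API value).
RESTRICTED = "RESTRICTED"


@dataclass(frozen=True)
class Event:
    """One constructed admin-log style record (field names are assumptions)."""
    ts: int
    group: str
    action: str       # "CREATE" or "CHANGE_ACCESS"
    access_type: str  # access type in effect after this event


# Constructed sample history covering both ways the checks can disagree.
EVENTS = [
    Event(1, "eng@example.org", "CREATE", "RESTRICTED"),
    Event(2, "eng@example.org", "CHANGE_ACCESS", "PUBLIC"),     # weakened after creation
    Event(3, "ops@example.org", "CREATE", "PUBLIC"),            # not created restricted
    Event(4, "ops@example.org", "CHANGE_ACCESS", "RESTRICTED"), # but restricted now
    Event(5, "sec@example.org", "CREATE", "RESTRICTED"),
]


def current_state(events):
    """Replay events in time order; the last access type per group is the current one."""
    state = {}
    for e in sorted(events, key=lambda e: e.ts):
        state[e.group] = e.access_type
    return state


def groups_not_currently_restricted(events):
    """The check the issue says the rego performs: every existing group must be restricted now."""
    return sorted(g for g, t in current_state(events).items() if t != RESTRICTED)


def groups_not_created_restricted(events):
    """The check the 7.1 instruction text describes: each group must be restricted at creation."""
    return sorted(e.group for e in events
                  if e.action == "CREATE" and e.access_type != RESTRICTED)


def groups_weakened_after_creation(events):
    """Groups that pass the creation check but fail the current-state check:
    created restricted, then opened up afterwards (the bypass the issue describes)."""
    created_restricted = {e.group for e in events
                          if e.action == "CREATE" and e.access_type == RESTRICTED}
    now = current_state(events)
    return sorted(g for g in created_restricted if now[g] != RESTRICTED)


if __name__ == "__main__":
    print("fail current-state check:", groups_not_currently_restricted(EVENTS))
    print("fail creation check:     ", groups_not_created_restricted(EVENTS))
    print("weakened after creation: ", groups_weakened_after_creation(EVENTS))
```

On this sample the two checks flag different groups: the current-state check flags `eng@example.org`, the creation check flags `ops@example.org`, and only the third function surfaces the "restricted at creation, changed right after" case. Whichever check a baseline intends, the evaluation needs the matching data (a settings snapshot for the former, creation events for the latter).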