During my functional testing, I identified that GWS.GMAIL.14.1v0.3 does not react appropriately when a log event is generated.
Specifically, adding or removing an IP address from the email allowlist does not change the output of the Goggles report at all, and the report continues to produce the message, " No relevant event in the current logs. While we are unable to determine the state from the logs, the default setting is compliant; manual check recommended."
To reproduce
Steps to reproduce the behavior:
Run the ScubaGoggles GMAIL report
Add or remove an IP address in the email allowlist under Apps -> Google Workspace -> Gmail -> Spam, phishing, and malware -> Email allowlist
Run the report again
Note that the output has not changed, and the report indicates no log event has been found.
Proposal
I propose we either change the report default to "cannot manually check" or ensure the log is being read. The current output of the log reports the list of whitelisted IP addresses, so a compliant outcome would have an empty list in the new value field.
🐛 Summary
What's wrong? Please be specific.
During my functional testing, I identified that GWS.GMAIL.14.1v0.3 does not react appropriately when a log event is generated. Specifically, adding or removing an IP address from the email allowlist does not change the output of the Goggles report at all, and the report continues to produce the message, " No relevant event in the current logs. While we are unable to determine the state from the logs, the default setting is compliant; manual check recommended."
To reproduce
Steps to reproduce the behavior:
Proposal
I propose we either change the report default to "cannot manually check" or ensure the log is being read. The current output of the log reports the list of whitelisted IP addresses, so a compliant outcome would have an empty list in the new value field.