GitLab organization | Severity: medium | builtIn

Description

When a top-level group enforces 2FA, the grace period for newly invited members to enrol should be short (less than 8 days). Long grace periods let invited accounts accumulate write access without 2FA enrolment, undermining the protection. The lessThan operator works on the int field two_factor_grace_period.

Recommendation

1. Go to your top-level Group Settings > General.
2. Expand the Permissions and group features section.
3. With Require all users in this group to set up two-factor authentication enabled, set Two-factor authentication grace period to 7 days or fewer.
4. Save changes.

Policy Rule

{
  "target": "GLGroup",
  "if": {
    "allOf": [
      {
        "resource": "GLGroup",
        "property": "TwoFactorGracePeriod",
        "operator": "lessThan",
        "value": 8
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
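The following is an added example, not code from the page or from the policy engine it describes: it evaluates the rule above offline against constructed group records shaped like GitLab's Groups API response, and only reports groups that actually enforce 2FA, since the grace period is irrelevant otherwise. The mapping from the rule's TwoFactorGracePeriod property to the API field two_factor_grace_period is an assumption, and the GitLab API documents that field in hours, so confirm the unit the threshold 8 is meant to apply to before using it.

```python
import json

# The page's policy rule, embedded verbatim so the evaluator runs offline.
POLICY_RULE = json.loads("""
{
  "target": "GLGroup",
  "if": {"allOf": [{"resource": "GLGroup", "property": "TwoFactorGracePeriod",
                    "operator": "lessThan", "value": 8}]},
  "then": {"effect": "Audit"}
}
""")

# Constructed sample records shaped like GitLab's GET /groups/:id response.
# require_two_factor_authentication and two_factor_grace_period are real Groups API
# attributes (the API documents the latter in hours); the values here are made up.
SAMPLE_GROUPS = [
    {"id": 1, "full_path": "platform", "require_two_factor_authentication": True, "two_factor_grace_period": 48},
    {"id": 2, "full_path": "security", "require_two_factor_authentication": True, "two_factor_grace_period": 7},
    {"id": 3, "full_path": "sandbox", "require_two_factor_authentication": False, "two_factor_grace_period": 48},
    {"id": 4, "full_path": "data", "require_two_factor_authentication": True, "two_factor_grace_period": 8},
]

# Assumed mapping from the rule's property names to Groups API fields.
PROPERTY_TO_FIELD = {"TwoFactorGracePeriod": "two_factor_grace_period"}

OPERATORS = {
    "lessThan": lambda actual, expected: actual < expected,
    "equals": lambda actual, expected: actual == expected,
}


def condition_holds(condition: dict, group: dict) -> bool:
    """Evaluate one {property, operator, value} clause against a group record."""
    actual = group.get(PROPERTY_TO_FIELD[condition["property"]])
    if not isinstance(actual, int):  # a missing or malformed field never satisfies the clause
        return False
    return OPERATORS[condition["operator"]](actual, condition["value"])


def rule_holds(rule: dict, group: dict) -> bool:
    """True when every clause in the rule's allOf block holds for the group."""
    return all(condition_holds(c, group) for c in rule["if"]["allOf"])


def groups_to_review(rule: dict, groups: list) -> list:
    """Groups that enforce 2FA but whose grace period fails the rule's lessThan check."""
    return [g["full_path"] for g in groups
            if g.get("require_two_factor_authentication") and not rule_holds(rule, g)]


if __name__ == "__main__":
    print(groups_to_review(POLICY_RULE, SAMPLE_GROUPS))  # ['platform', 'data']
```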