DOS6020

Group should require two-factor authentication

DOS6020

GitLab organization Severitycritical builtIn

Description

Top-level groups should require two-factor authentication for all members. When require_two_factor_authentication is true on a Group, every member must enrol in 2FA within the group's grace period or lose access. Note: this property is on the GitLab API but not yet on the GLGroup POCO; the rule will mark NonCompliant until the POCO field lands (see WI follow-on for GitLab Wave 1 POCO extensions).

Learn More

Recommendation

1. Go to your top-level Group Settings > General. 
2. Expand the Permissions and group features section. 
3. Enable Require all users in this group to setup two-factor authentication. 
4. Set a reasonable grace period (1-7 days). 
5. Save changes.

Policy Rule

{
  "target": "GLGroup",
  "if": {
    "allOf": [
      {
        "resource": "GLGroup",
        "property": "RequireTwoFactorAuthentication",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
« DOS6010 DOS6021 »
Rule Details
  • Rule ID: DOS6020
  • Code: GL_Group_Authentication_Require_2FA
  • Platform: GitLab
  • Category: organization
  • Severity: Severitycritical
  • Type: builtIn
Related Rules

Copyright © DevOps Shield. All Rights Reserved. Privacy Policy | Cookie Policy | Terms and Conditions | v1.0.2