Profile Applicability:
Level 1
Description:
Any change to the visibility status of code projects (e.g., from private to public or vice versa) must be tracked and audited. Monitoring these changes helps maintain control over sensitive code exposure and ensures that unauthorized or accidental visibility modifications are detected and addressed promptly.
Rationale:
Tracking visibility changes reduces the risk of unintentional data exposure or security breaches by alerting administrators to modifications that could affect project confidentiality. It supports compliance with data protection policies and organizational governance.
Impact:
Pros:
Enhances control over project confidentiality.
Enables timely detection of unauthorized visibility changes.
Supports compliance with security and privacy policies.
Cons:
Requires configuration of monitoring and alerting mechanisms.
May generate additional audit data to review.
Default value:
Visibility changes may occur without logging or monitoring by default in some platforms.
Audit:
Review audit logs or change histories for project visibility status. Verify that all visibility changes are recorded with user identity, timestamp, and reason if available.
Remediation:
Enable audit logging for project visibility changes. Establish alerting processes to notify administrators of such changes. Implement policies requiring approval for visibility modifications. Educate users on visibility management best practices.
References:
GitHub Audit Logs: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/audit-logs
GitLab Audit Events: https://docs.gitlab.com/ee/administration/audit_event_logging.html
CIS Controls v8, Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/