1.3.3 Ensure maximum number of administrators are set for the organization

ID

cis_sscs/minimum_admins_org

Severity

critical

Category

source_code/contribution_access

Levels

Optional

false

Tags

administrators, least-privilege, slsa-4

Description

Ensure the number of administrators in the organization does not exceed a configured threshold.

You can configure the maximum number of administrators by changing these properties in conf/compliance/checkpoints/cis_sscs/maximum_admins_org.yml:

  • maxAdministrators: The maximum number of administrators allowed for the organization. (Default value: 2)

Rationale

Organization administrators [1] have the highest level of permissions, including the ability to add or remove collaborators, create or delete repositories, change the branch protection policy, and make a repository publicly accessible.

Due to the permissive access granted to an organization administrator, it is highly recommended to keep the number of administrator accounts as minimal as possible.

It is customary to have at least two administrators for staff redundancy, but this check tries to curb the number of administrators.

Verification

Checks that the number of administrators for the organization does not exceed the configured maximum.
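The following Python is an added illustration of how this checkpoint (the maxAdministrators setting above and the verification step) can be evaluated; it is not the tool's own code. It reads maxAdministrators from the checkpoint configuration (default 2), counts organization members holding an admin or owner role in a constructed member export, and reports a failure when the configured maximum is exceeded; the member record layout and role names are assumptions.

```python
from dataclasses import dataclass, field

# Documented default for maxAdministrators in maximum_admins_org.yml.
DEFAULT_MAX_ADMINISTRATORS = 2
# Roles treated as administrator; "owner" covers SCMs that use that term (assumption).
ADMIN_ROLES = {"admin", "owner"}


@dataclass
class Finding:
    checkpoint: str
    passed: bool
    admin_count: int
    max_allowed: int
    admins: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def evaluate_max_admins(members, config=None):
    """Evaluate the maximum-administrators checkpoint.

    members: iterable of {"login": str, "role": str} records (assumed export format).
    config:  dict loaded from maximum_admins_org.yml, e.g. {"maxAdministrators": 2}.
    """
    config = config or {}
    max_allowed = int(config.get("maxAdministrators", DEFAULT_MAX_ADMINISTRATORS))
    admins = sorted(m["login"] for m in members
                    if str(m.get("role", "")).lower() in ADMIN_ROLES)
    notes = []
    if len(admins) > max_allowed:
        notes.append(f"{len(admins)} administrators exceed the configured maximum of {max_allowed}")
    if len(admins) < 2:
        # Not a failure of this check, but worth surfacing: no staff redundancy.
        notes.append("fewer than two administrators: no staff redundancy")
    return Finding("cis_sscs/minimum_admins_org", len(admins) <= max_allowed,
                   len(admins), max_allowed, admins, notes)


# Constructed sample export: three administrators against the default maximum of two.
SAMPLE_MEMBERS = [
    {"login": "alice", "role": "admin"},
    {"login": "bob", "role": "member"},
    {"login": "carol", "role": "owner"},
    {"login": "dave", "role": "admin"},
]

if __name__ == "__main__":
    result = evaluate_max_admins(SAMPLE_MEMBERS)
    print("PASS" if result.passed else "FAIL", result.admins, result.notes)
```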

Remediation

Reduce the number of administrators in your organization to the minimum required.


1. Called organization owners in some SCM systems.