Compliance Framework Deletion

ID: compliance_fwk_deletion

Severity: critical

Resource: Organization

Description

Detects whether a compliance framework has been removed.
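The following is an added example, not code from this detector page or from GitLab, of how such a detection can be implemented over GitLab streaming audit events delivered as JSON lines. The event name `destroy_compliance_framework` and the field names (`event_type`, `author_name`, `target_details`, `entity_id`) are assumptions to be confirmed against your own audit stream; the sample events are constructed.

```python
import json
from typing import Dict, List

# Assumed event name for compliance framework deletion (placeholder, confirm
# against the audit events your GitLab instance actually emits).
COMPLIANCE_FWK_DELETION_EVENTS = {"destroy_compliance_framework"}

DETECTOR_ID = "compliance_fwk_deletion"
SEVERITY = "critical"
RESOURCE = "Organization"


def detect_compliance_fwk_deletion(audit_jsonl: str) -> List[Dict]:
    """Return one finding per audit event recording a compliance framework deletion.

    Malformed lines are skipped rather than aborting the run, so a single bad
    record in the stream cannot silence the detector for the whole batch.
    """
    findings: List[Dict] = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") not in COMPLIANCE_FWK_DELETION_EVENTS:
            continue
        findings.append({
            "detector": DETECTOR_ID,
            "severity": SEVERITY,
            "resource": RESOURCE,
            "actor": event.get("author_name"),        # who removed the framework
            "actor_id": event.get("author_id"),
            "framework": event.get("target_details"),  # assumed: framework name
            "group_id": event.get("entity_id"),        # assumed: owning group
            "source_ip": event.get("ip_address"),
            "timestamp": event.get("created_at"),
        })
    return findings


# Constructed sample stream: an unrelated event, a deletion, and a malformed line.
SAMPLE_AUDIT_STREAM = "\n".join([
    json.dumps({"event_type": "user_created", "author_name": "bob", "author_id": 7}),
    json.dumps({"event_type": "destroy_compliance_framework", "author_name": "alice",
                "author_id": 3, "target_details": "SOC2", "entity_id": 42,
                "ip_address": "203.0.113.10", "created_at": "2024-01-01T00:00:00Z"}),
    "{not valid json",
])

if __name__ == "__main__":
    for finding in detect_compliance_fwk_deletion(SAMPLE_AUDIT_STREAM):
        print(finding)
```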

Impact

Disabling a compliance framework is typically an administrative action taken while configuring the system’s settings and policies.

While disabling compliance features can have legitimate use cases, if an attacker gains unauthorized access as an administrator or with elevated privileges, they could potentially exploit this to evade or bypass security and compliance measures. Here’s how an attacker might exploit disabling a compliance framework:

Bypassing Security Controls: Disabling compliance frameworks may disable specific security controls, allowing the attacker to bypass security measures, such as code scanning, access controls, and audit trails. This could enable them to upload or modify malicious code without detection.

Unauthorized Access: An attacker might exploit the absence of compliance checks to gain unauthorized access to sensitive repositories, data, or systems within the GitLab environment.

Data Exfiltration: By disabling compliance features, an attacker might be able to exfiltrate sensitive data or proprietary information without leaving a trace in the audit logs.

Avoiding Audits: Compliance frameworks often generate audit logs that track user actions and changes to the system. Disabling compliance can help an attacker avoid leaving evidence of their activities.

Supported Technologies

This detector is supported by the following sensors:

GitLab Sensor