More Info:

Two-factor authentication (2FA/MFA) should be required for every member of the organization, so that a leaked or guessed password alone cannot grant access to its repositories and settings.

Risk Level

High

Address

Security

Compliance Standards

Remediation

Using Console

To remediate the misconfiguration “Org MFA required” for GitHub using the GitHub console, follow these steps. You must be an organization owner, and your own account must already have 2FA enabled:

  1. Log in to your GitHub account and navigate to the organization’s settings page.
  2. Click on “Security” in the left-hand menu (on current GitHub the page is labelled “Authentication security”).
  3. Under the “Two-factor authentication” heading, select “Require two-factor authentication for everyone in the organization”.
  4. Click “Save”. GitHub shows the members and outside collaborators who do not have 2FA enabled and asks you to confirm; review that list before confirming.
  5. Confirm the change.

Once you have completed these steps, GitHub removes every member, outside collaborator and billing manager (including bot accounts) who does not have 2FA enabled from the organization, and new members cannot be added until they enable it. Notify affected users before you flip the setting (the organization’s People page can filter members who have not enabled 2FA), because removed users immediately lose access to the organization’s private repositories. This ensures that a password alone is never enough to reach the organization’s data.

Using CLI

GitHub’s REST API exposes the organization’s 2FA requirement read-only: GET /orgs/{org} returns two_factor_requirement_enabled (only when the caller is an organization owner), and GET /orgs/{org}/members?filter=2fa_disabled lists the members who have not enabled 2FA. There is no endpoint that turns the requirement on, so the GitHub CLI can verify the setting and identify who will be affected, but the toggle itself is set in the web console. To check the misconfiguration “Org MFA required” for GitHub using the GitHub CLI, follow these steps:

  1. Install the GitHub CLI by following the instructions on this page: https://cli.github.com/manual/installation

  2. Open your terminal and authenticate by running gh auth login with an account that is an owner of the organization. Follow the prompts; the token gh stores is used for every later API call, so you will not be asked for a password again.

  3. Run gh api orgs/{org} --jq .two_factor_requirement_enabled to read the current setting. Replace {org} with the name of your organization. false means the requirement is not enforced; null or an empty result means the authenticated account is not an organization owner, since GitHub only returns the field to owners.

  4. Run gh api "orgs/{org}/members?filter=2fa_disabled&per_page=100" --paginate --jq '.[].login' to list the members who have not enabled 2FA. These are the accounts that will be removed from the organization when the requirement is turned on, so notify them before remediating.

  5. Enable the requirement in the web console as described under “Using Console”, then re-run the command from step 3 and confirm that it now returns true.

That’s it! You have verified the “Org MFA required” setting for GitHub using the GitHub CLI and confirmed the console remediation took effect.

Using Python

GitHub’s REST API, and therefore PyGithub, can read the organization’s 2FA requirement and list the members who have not enabled it, but it cannot turn the requirement on; that step is done in the web console. To check the “Org MFA required” misconfiguration for GitHub using Python, you can follow these steps:

  1. Install the PyGithub library using pip. You can run the following command in your terminal:

    pip install PyGithub
    
  2. Create a Personal Access Token (PAT) in your GitHub account with the “read:org” scope (“admin:org” also works). The account must be an owner of the organization, otherwise GitHub does not return the 2FA setting. You can follow GitHub’s documentation on creating a PAT.

  3. Use the PyGithub library to authenticate with your GitHub account using the PAT. You can use the following code snippet:

    from github import Auth, Github
    
    # Token-based authentication; the token's user must own the organization.
    g = Github(auth=Auth.Token("your_personal_access_token"))
    
  4. Get the organization object for your GitHub organization. You can use the following code snippet:

    org_name = "your_organization_name"
    org = g.get_organization(org_name)
    
  5. Check if the organization requires two-factor authentication (2FA) for all members. The attribute mirrors the two_factor_requirement_enabled field of GET /orgs/{org} and is only populated for organization owners:

    mfa_required = org.two_factor_requirement_enabled
    
  6. If 2FA is not required, list the members who have not enabled it. These accounts will be removed from the organization the moment the requirement is enabled in the console, so they should be notified first:

    members_without_2fa = [m.login for m in org.get_members(filter_="2fa_disabled")]
    

    This uses the same owner-only filter as the REST API.

  7. Print the result so the finding can be acted on. You can use the following code snippet:

    if mfa_required:
        print("2FA is already required for the organization.")
    else:
        print("2FA is NOT required; enable it in the organization's security settings.")
        print("Members without 2FA who will be removed:", members_without_2fa)
    

    This prints whether the organization is compliant and, if not, who needs to enable 2FA before the setting is enforced.

By following these steps, you can verify the “Org MFA required” misconfiguration for GitHub using Python and prepare the organization for the console remediation.
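The following is an added, self-contained version of the check behind the CLI and Python steps above; it is not code from the original page. It talks to GitHub’s REST API directly with the standard library (no PyGithub), reads two_factor_requirement_enabled from GET /orgs/{org}, pages through GET /orgs/{org}/members?filter=2fa_disabled, and reports whether the organization is compliant, treating a missing field (token is not an owner) as a failed check rather than a pass. The GITHUB_TOKEN and GITHUB_ORG environment variables and the sample payloads at the bottom are assumptions; the sample payloads are constructed to mirror the shape of the real responses so the script runs offline.

```python
"""Audit a GitHub organization's 2FA requirement through the REST API.

Added example (stdlib only). GitHub exposes the requirement read-only:
GET /orgs/{org} carries two_factor_requirement_enabled (owners only) and
GET /orgs/{org}/members?filter=2fa_disabled lists non-compliant members.
Enabling the requirement itself is done in the web console.
"""
import json
import os
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional

API = "https://api.github.com"
PER_PAGE = 100


@dataclass
class TwoFactorFinding:
    org: str
    enforced: Optional[bool]  # None: field absent, so the caller is not an org owner
    members_without_2fa: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        # Only an explicit True passes; an unknown value must never count as compliant.
        return self.enforced is True

    def summary(self) -> str:
        if self.enforced is None:
            return f"{self.org}: cannot determine 2FA requirement (token is not an org owner)"
        if self.enforced:
            return f"{self.org}: 2FA requirement enforced"
        who = ", ".join(self.members_without_2fa) or "none"
        return (f"{self.org}: 2FA requirement NOT enforced; "
                f"{len(self.members_without_2fa)} member(s) without 2FA: {who}")


def evaluate(org_json: Dict, members_without_2fa: List[Dict]) -> TwoFactorFinding:
    """Pure evaluation of already-fetched API payloads (no network)."""
    return TwoFactorFinding(
        org=org_json.get("login", "?"),
        enforced=org_json.get("two_factor_requirement_enabled"),
        members_without_2fa=sorted(m["login"] for m in members_without_2fa),
    )


def _get(url: str, token: str):
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_members_without_2fa(org: str, token: str) -> List[Dict]:
    """Page through /members?filter=2fa_disabled until a short page ends the list."""
    members: List[Dict] = []
    page = 1
    while True:
        query = urllib.parse.urlencode(
            {"filter": "2fa_disabled", "per_page": PER_PAGE, "page": page})
        batch = _get(f"{API}/orgs/{org}/members?{query}", token)
        members.extend(batch)
        if len(batch) < PER_PAGE:
            return members
        page += 1


def audit(org: str, token: str) -> TwoFactorFinding:
    """Live audit; needs a PAT with read:org belonging to an organization owner."""
    org_json = _get(f"{API}/orgs/{org}", token)
    # A missing field means the token is not an owner; the member filter would
    # fail with 403 for the same reason, so do not attempt it.
    if org_json.get("two_factor_requirement_enabled") is None:
        return evaluate(org_json, [])
    return evaluate(org_json, fetch_members_without_2fa(org, token))


# Constructed sample payloads, shaped like the real API responses, for offline runs.
SAMPLE_ORG = {"login": "example-org", "two_factor_requirement_enabled": False}
SAMPLE_2FA_DISABLED = [{"login": "svc-deploy-bot"}, {"login": "alice"}]

if __name__ == "__main__":
    token, org = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_ORG")
    finding = audit(org, token) if token and org else evaluate(SAMPLE_ORG, SAMPLE_2FA_DISABLED)
    print(finding.summary())
    raise SystemExit(0 if finding.compliant else 1)
```

Run it with GITHUB_TOKEN and GITHUB_ORG set to audit a real organization; without them it evaluates the constructed sample and exits non-zero, which makes it usable as a CI or scheduler check that fails until the requirement is enforced in the console.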

Additional Reading: