vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add: New testing function

Browse Source
This commit is contained in:
DrIOS
2024-05-28 17:08:04 -05:00
parent 8505439516
commit 129bb33a99
55 changed files with 691 additions and 804 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
source/Classes/CISAuditResult.ps1
View File

@@ -2,6 +2,8 @@ class CISAuditResult {
[string]$Status [string]$Status
[string]$ELevel [string]$ELevel
[string]$ProfileLevel [string]$ProfileLevel
[bool]$Automated
[string]$Connection
[string]$Rec [string]$Rec
[string]$RecDescription [string]$RecDescription
[string]$CISControlVer = 'v8' [string]$CISControlVer = 'v8'

55
source/Private/Initialize-CISAuditResult.ps1 Normal file
View File

@@ -0,0 +1,55 @@
function Initialize-CISAuditResult {
param (
[Parameter(Mandatory = $true)]
[string]$Rec,
[Parameter(Mandatory = $true)]
[bool]$Result,
[Parameter(Mandatory = $true)]
[string]$Status,
[Parameter(Mandatory = $true)]
[string]$Details,
[Parameter(Mandatory = $true)]
[string]$FailureReason,
[Parameter(Mandatory = $true)]
[string]$RecDescription,
[Parameter(Mandatory = $true)]
[string]$CISControl,
[Parameter(Mandatory = $true)]
[string]$CISDescription
)
# Import the test definitions CSV file
$testDefinitionsPath = Join-Path -Path $PSScriptRoot -ChildPath "helper/TestDefinitions.csv"
$testDefinitions = Import-Csv -Path $testDefinitionsPath
# Find the row that matches the provided recommendation (Rec)
$testDefinition = $testDefinitions | Where-Object { $_.Rec -eq $Rec }
# Create an instance of CISAuditResult and populate it
$auditResult = [CISAuditResult]::new()
$auditResult.Rec = $Rec
$auditResult.ELevel = $testDefinition.ELevel
$auditResult.ProfileLevel = $testDefinition.ProfileLevel
$auditResult.IG1 = [bool]::Parse($testDefinition.IG1)
$auditResult.IG2 = [bool]::Parse($testDefinition.IG2)
$auditResult.IG3 = [bool]::Parse($testDefinition.IG3)
$auditResult.RecDescription = $RecDescription
$auditResult.CISControl = $CISControl
$auditResult.CISDescription = $CISDescription
$auditResult.Automated = [bool]::Parse($testDefinition.Automated)
$auditResult.Connection = $testDefinition.Connection
$auditResult.CISControlVer = 'v8'
$auditResult.Result = $Result
$auditResult.Status = $Status
$auditResult.Details = $Details
$auditResult.FailureReason = $FailureReason
return $auditResult
}

34
source/tests/Test-AdministrativeAccountCompliance.ps1
View File

@@ -4,10 +4,12 @@ function Test-AdministrativeAccountCompliance {
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
) )
begin { begin {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2') $validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
} }
process { process {
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" } $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
$adminRoleUsers = @() $adminRoleUsers = @()
@@ -58,21 +60,23 @@ function Test-AdministrativeAccountCompliance {
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)" "Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
} }
$auditResult = [CISAuditResult]::new() $result = $nonCompliantUsers.Count -eq 0
$auditResult.Status = if ($nonCompliantUsers) { 'Fail' } else { 'Pass' } $status = if ($result) { 'Pass' } else { 'Fail' }
$auditResult.ELevel = 'E3' $failureReason = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | HybridStatus | Missing Licence`n$failureReasons" } else { "N/A" }
$auditResult.ProfileLevel = 'L1'
$auditResult.Rec = '1.1.1' # Create the parameter splat
$auditResult.RecDescription = "Ensure Administrative accounts are separate and cloud-only" $params = @{
$auditResult.CISControlVer = 'v8' Rec = "1.1.1"
$auditResult.CISControl = "5.4" Result = $result
$auditResult.CISDescription = "Restrict Administrator Privileges to Dedicated Administrator Accounts" Status = $status
$auditResult.IG1 = $true Details = $details
$auditResult.IG2 = $true FailureReason = $failureReason
$auditResult.IG3 = $true RecDescription = "Ensure Administrative accounts are separate and cloud-only"
$auditResult.Result = $nonCompliantUsers.Count -eq 0 CISControl = "5.4"
$auditResult.Details = $Details CISDescription = "Restrict Administrator Privileges to Dedicated Administrator Accounts"
$auditResult.FailureReason = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | HybridStatus | Missing Licence`n$failureReasons" } else { "N/A" } }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {

34
source/tests/Test-AntiPhishingPolicy.ps1
View File

@@ -40,7 +40,8 @@ function Test-AntiPhishingPolicy {
$nonCompliantNames = $nonCompliantItems | ForEach-Object { $_.Name } $nonCompliantNames = $nonCompliantItems | ForEach-Object { $_.Name }
$failureReasons = if ($nonCompliantNames.Count -gt 0) { $failureReasons = if ($nonCompliantNames.Count -gt 0) {
"Reason: Does not meet one or more compliance criteria.`nNon-compliant Policies:`n" + ($nonCompliantNames -join "`n") "Reason: Does not meet one or more compliance criteria.`nNon-compliant Policies:`n" + ($nonCompliantNames -join "`n")
} else { }
else {
"N/A" "N/A"
} }
@@ -58,27 +59,24 @@ function Test-AntiPhishingPolicy {
"Compliant Items: $($compliantItems.Count)" "Compliant Items: $($compliantItems.Count)"
} }
# Create and populate the CISAuditResult object # Parameter splat for Initialize-CISAuditResult function
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($isCompliant) { "Pass" } else { "Fail" } Rec = "2.1.7"
$auditResult.ELevel = 'E5' # Modify as needed Result = $nonCompliantItems.Count -eq 0
$auditResult.ProfileLevel = 'L1' # Modify as needed Status = if ($isCompliant) { "Pass" } else { "Fail" }
$auditResult.Rec = '2.1.7' # Modify as needed Details = $details
$auditResult.RecDescription = "Ensure that an anti-phishing policy has been created" # Modify as needed FailureReason = $failureReasons
$auditResult.CISControlVer = 'v8' # Modify as needed RecDescription = "Ensure that an anti-phishing policy has been created"
$auditResult.CISControl = "9.7" # Modify as needed CISControl = "9.7"
$auditResult.CISDescription = "Deploy and Maintain Email Server Anti-Malware Protections" # Modify as needed CISDescription = "Deploy and Maintain Email Server Anti-Malware Protections"
$auditResult.IG1 = $false # Modify as needed }
$auditResult.IG2 = $false # Modify as needed
$auditResult.IG3 = $true # Modify as needed
$auditResult.Result = $nonCompliantItems.Count -eq 0
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
# Create and populate the CISAuditResult object
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
# Return auditResults # Return auditResult
return $auditResult return $auditResult
} }
} }

26
source/tests/Test-AuditDisabledFalse.ps1
View File

@@ -34,21 +34,17 @@ function Test-AuditDisabledFalse {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($auditNotDisabled) { "Pass" } else { "Fail" } Rec = "6.1.1"
$auditResult.ELevel = "E3" Result = $auditNotDisabled
$auditResult.ProfileLevel = "L1" Status = if ($auditNotDisabled) { "Pass" } else { "Fail" }
$auditResult.Rec = "6.1.1" Details = $details
$auditResult.RecDescription = "Ensure 'AuditDisabled' organizationally is set to 'False'" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure 'AuditDisabled' organizationally is set to 'False'"
$auditResult.CISControl = "8.2" CISControl = "8.2"
$auditResult.CISDescription = "Collect Audit Logs" CISDescription = "Collect Audit Logs"
$auditResult.IG1 = $true }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $auditNotDisabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

27
source/tests/Test-AuditLogSearch.ps1
View File

@@ -34,21 +34,18 @@ function Test-AuditLogSearch {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($auditLogResult) { "Pass" } else { "Fail" } Rec = "3.1.1"
$auditResult.ELevel = "E3" Result = $auditLogResult
$auditResult.ProfileLevel = "L1" Status = if ($auditLogResult) { "Pass" } else { "Fail" }
$auditResult.Rec = "3.1.1" Details = $details
$auditResult.RecDescription = "Ensure Microsoft 365 audit log search is Enabled" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure Microsoft 365 audit log search is Enabled"
$auditResult.CISControl = "8.2" CISControl = "8.2"
$auditResult.CISDescription = "Collect Audit Logs" CISDescription = "Collect Audit Logs"
$auditResult.IG1 = $true }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $auditLogResult
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-BlockChannelEmails.ps1
View File

@@ -34,21 +34,17 @@ function Test-BlockChannelEmails {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "8.1.2"
$auditResult.CISControl = "0.0" # This control is explicitly not mapped as per the image provided Result = -not $allowEmailIntoChannel
$auditResult.CISDescription = "Explicitly Not Mapped" Status = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" }
$auditResult.Rec = "8.1.2" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Ensure users can't send emails to a channel email address"
$auditResult.IG1 = $false # Set based on the benchmark CISControl = "0.0"
$auditResult.IG2 = $false # Set based on the benchmark CISDescription = "Explicitly Not Mapped"
$auditResult.IG3 = $false # Set based on the benchmark }
$auditResult.RecDescription = "Ensure users can't send emails to a channel email address" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = -not $allowEmailIntoChannel
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" }
} }
end { end {

27
source/tests/Test-BlockMailForwarding.ps1
View File

@@ -35,22 +35,17 @@ function Test-BlockMailForwarding {
"Step 1: No forwarding rules found. Please proceed with Step 2 described in CIS Benchmark." "Step 1: No forwarding rules found. Please proceed with Step 2 described in CIS Benchmark."
} }
# Create and populate the CISAuditResult object $params = @{
$auditResult = [CISAuditResult]::new() Rec = "6.2.1"
$auditResult.Rec = "6.2.1" Result = $forwardingBlocked
$auditResult.ELevel = "E3" Status = if ($forwardingBlocked) { "Pass" } else { "Fail" }
$auditResult.ProfileLevel = "L1" Details = $details
$auditResult.CISControlVer = "v8" FailureReason = $failureReasons
$auditResult.CISControl = "0.0" # Explicitly Not Mapped RecDescription = "Ensure all forms of mail forwarding are blocked and/or disabled"
$auditResult.CISDescription = "Explicitly Not Mapped" CISControl = "0.0"
$auditResult.IG1 = $false CISDescription = "Explicitly Not Mapped"
$auditResult.IG2 = $false }
$auditResult.IG3 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.RecDescription = "Ensure all forms of mail forwarding are blocked and/or disabled"
$auditResult.Result = $forwardingBlocked
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($forwardingBlocked) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-BlockSharedMailboxSignIn.ps1
View File

@@ -36,21 +36,17 @@ function Test-BlockSharedMailboxSignIn {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "1.2.2"
$auditResult.CISControl = "0.0" # Control is explicitly not mapped Result = $allBlocked
$auditResult.CISDescription = "Explicitly Not Mapped" Status = if ($allBlocked) { "Pass" } else { "Fail" }
$auditResult.Rec = "1.2.2" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Ensure sign-in to shared mailboxes is blocked"
$auditResult.IG1 = $false # Control is not mapped, hence IG1 is false CISControl = "0.0"
$auditResult.IG2 = $false # Control is not mapped, hence IG2 is false CISDescription = "Explicitly Not Mapped"
$auditResult.IG3 = $false # Control is not mapped, hence IG3 is false }
$auditResult.RecDescription = "Ensure sign-in to shared mailboxes is blocked" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $allBlocked
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($allBlocked) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-CommonAttachmentFilter.ps1
View File

@@ -34,21 +34,17 @@ function Test-CommonAttachmentFilter {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($result) { "Pass" } else { "Fail" } Rec = "2.1.2"
$auditResult.ELevel = "E3" Result = $result
$auditResult.ProfileLevel = "L1" Status = if ($result) { "Pass" } else { "Fail" }
$auditResult.Rec = "2.1.2" Details = $details
$auditResult.RecDescription = "Ensure the Common Attachment Types Filter is enabled" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure the Common Attachment Types Filter is enabled"
$auditResult.CISControl = "9.6" CISControl = "9.6"
$auditResult.CISDescription = "Block Unnecessary File Types" CISDescription = "Block Unnecessary File Types"
$auditResult.IG1 = $false }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $result
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

28
source/tests/Test-CustomerLockbox.ps1
View File

@@ -33,22 +33,18 @@ function Test-CustomerLockbox {
"Customer Lockbox Enabled: False" "Customer Lockbox Enabled: False"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object #
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($customerLockboxEnabled) { "Pass" } else { "Fail" } Rec = "1.3.6"
$auditResult.ELevel = "E5" Result = $customerLockboxEnabled
$auditResult.ProfileLevel = "L2" Status = if ($customerLockboxEnabled) { "Pass" } else { "Fail" }
$auditResult.Rec = "1.3.6" Details = $details
$auditResult.RecDescription = "Ensure the customer lockbox feature is enabled" FailureReason = $failureReasons
$auditResult.CISControlVer = 'v8' RecDescription = "Ensure the customer lockbox feature is enabled"
$auditResult.CISControl = "0.0" # As per the snapshot provided, this is explicitly not mapped CISControl = "0.0"
$auditResult.CISDescription = "Explicitly Not Mapped" CISDescription = "Explicitly Not Mapped"
$auditResult.IG1 = $false }
$auditResult.IG2 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $false
$auditResult.Result = $customerLockboxEnabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-DialInBypassLobby.ps1
View File

@@ -34,21 +34,17 @@ function Test-DialInBypassLobby {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "8.5.4"
$auditResult.CISControl = "0.0" # Explicitly Not Mapped Result = $PSTNBypassDisabled
$auditResult.CISDescription = "Explicitly Not Mapped" Status = if ($PSTNBypassDisabled) { "Pass" } else { "Fail" }
$auditResult.Rec = "8.5.4" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Ensure users dialing in can't bypass the lobby"
$auditResult.IG1 = $false # Set based on the CIS Controls image CISControl = "0.0"
$auditResult.IG2 = $false # Set based on the CIS Controls image CISDescription = "Explicitly Not Mapped"
$auditResult.IG3 = $false # Set based on the CIS Controls image }
$auditResult.RecDescription = "Ensure users dialing in can't bypass the lobby" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $PSTNBypassDisabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($PSTNBypassDisabled) { "Pass" } else { "Fail" }
} }
end { end {

27
source/tests/Test-DisallowInfectedFilesDownload.ps1
View File

@@ -35,21 +35,18 @@ function Test-DisallowInfectedFilesDownload {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "7.3.1"
$auditResult.CISControl = "10.1" Result = $isDisallowInfectedFileDownloadEnabled
$auditResult.CISDescription = "Deploy and Maintain Anti-Malware Software" Status = if ($isDisallowInfectedFileDownloadEnabled) { "Pass" } else { "Fail" }
$auditResult.Rec = "7.3.1" Details = $details
$auditResult.ELevel = "E5" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L2" RecDescription = "Ensure Office 365 SharePoint infected files are disallowed for download"
$auditResult.IG1 = $true CISControl = "10.1"
$auditResult.IG2 = $true CISDescription = "Deploy and Maintain Anti-Malware Software"
$auditResult.IG3 = $true }
$auditResult.RecDescription = "Ensure Office 365 SharePoint infected files are disallowed for download" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $isDisallowInfectedFileDownloadEnabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($isDisallowInfectedFileDownloadEnabled) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-EnableDKIM.ps1
View File

@@ -35,21 +35,17 @@ function Test-EnableDKIM {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($dkimResult) { "Pass" } else { "Fail" } Rec = "2.1.9"
$auditResult.ELevel = "E3" Result = $dkimResult
$auditResult.ProfileLevel = "L1" Status = if ($dkimResult) { "Pass" } else { "Fail" }
$auditResult.Rec = "2.1.9" Details = $details
$auditResult.RecDescription = "Ensure that DKIM is enabled for all Exchange Online Domains" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure that DKIM is enabled for all Exchange Online Domains"
$auditResult.CISControl = "9.5" CISControl = "9.5"
$auditResult.CISDescription = "Implement DMARC" CISDescription = "Implement DMARC"
$auditResult.IG1 = $false }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $dkimResult
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-ExternalNoControl.ps1
View File

@@ -35,21 +35,17 @@ function Test-ExternalNoControl {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "8.5.7"
$auditResult.CISControl = "0.0" # Explicitly Not Mapped Result = $externalControlRestricted
$auditResult.CISDescription = "Explicitly Not Mapped" Status = if ($externalControlRestricted) { "Pass" } else { "Fail" }
$auditResult.Rec = "8.5.7" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Ensure external participants can't give or request control"
$auditResult.IG1 = $false # Set based on the CIS Controls image CISControl = "0.0"
$auditResult.IG2 = $false # Set based on the CIS Controls image CISDescription = "Explicitly Not Mapped"
$auditResult.IG3 = $false # Set based on the CIS Controls image }
$auditResult.RecDescription = "Ensure external participants can't give or request control" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $externalControlRestricted
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($externalControlRestricted) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-ExternalSharingCalendars.ps1
View File

@@ -44,21 +44,17 @@ function Test-ExternalSharingCalendars {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Rec = "1.3.3" Rec = "1.3.3"
$auditResult.RecDescription = "Ensure 'External sharing' of calendars is not available" Result = $isExternalSharingDisabled
$auditResult.ELevel = "E3" Status = if ($isExternalSharingDisabled) { "Pass" } else { "Fail" }
$auditResult.ProfileLevel = "L2" Details = $details
$auditResult.IG1 = $false FailureReason = $failureReasons
$auditResult.IG2 = $true RecDescription = "Ensure 'External sharing' of calendars is not available"
$auditResult.IG3 = $true CISControl = "4.8"
$auditResult.CISControlVer = "v8" CISDescription = "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software"
$auditResult.CISControl = "4.8" }
$auditResult.CISDescription = "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $isExternalSharingDisabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($isExternalSharingDisabled) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-GlobalAdminsCount.ps1
View File

@@ -35,21 +35,17 @@ function Test-GlobalAdminsCount {
$details = "Count: $globalAdminCount; Users: $globalAdminUsernames" $details = "Count: $globalAdminCount; Users: $globalAdminUsernames"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "1.1.3"
$auditResult.CISControl = "5.1" Result = $globalAdminCount -ge 2 -and $globalAdminCount -le 4
$auditResult.CISDescription = "Establish and Maintain an Inventory of Accounts" Status = if ($globalAdminCount -ge 2 -and $globalAdminCount -le 4) { "Pass" } else { "Fail" }
$auditResult.Rec = "1.1.3" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Ensure that between two and four global admins are designated"
$auditResult.IG1 = $true CISControl = "5.1"
$auditResult.IG2 = $true CISDescription = "Establish and Maintain an Inventory of Accounts"
$auditResult.IG3 = $true }
$auditResult.RecDescription = "Ensure that between two and four global admins are designated" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $globalAdminCount -ge 2 -and $globalAdminCount -le 4
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($globalAdminCount -ge 2 -and $globalAdminCount -le 4) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-GuestAccessExpiration.ps1
View File

@@ -30,21 +30,17 @@ function Test-GuestAccessExpiration {
$details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)" $details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "7.2.9"
$auditResult.CISControl = "0.0" # Explicitly Not Mapped Result = $isGuestAccessExpirationConfiguredCorrectly
$auditResult.CISDescription = "Explicitly Not Mapped" Status = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" }
$auditResult.Rec = "7.2.9" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Ensure guest access to a site or OneDrive will expire automatically"
$auditResult.IG1 = $false CISControl = "0.0"
$auditResult.IG2 = $false CISDescription = "Explicitly Not Mapped"
$auditResult.IG3 = $false }
$auditResult.RecDescription = "Ensure guest access to a site or OneDrive will expire automatically" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $isGuestAccessExpirationConfiguredCorrectly
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" }
} }
end { end {

34
source/tests/Test-GuestUsersBiweeklyReview.ps1
View File

@@ -15,7 +15,7 @@ function Test-GuestUsersBiweeklyReview {
process { process {
# 1.1.4 (L1) Ensure Guest Users are reviewed at least biweekly # 1.1.4 (L1) Ensure Guest Users are reviewed at least biweekly
try {
# Retrieve guest users from Microsoft Graph # Retrieve guest users from Microsoft Graph
# Connect-MgGraph -Scopes "User.Read.All" # Connect-MgGraph -Scopes "User.Read.All"
$guestUsers = Get-MgUser -All -Filter "UserType eq 'Guest'" $guestUsers = Get-MgUser -All -Filter "UserType eq 'Guest'"
@@ -37,29 +37,17 @@ function Test-GuestUsersBiweeklyReview {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControl = "5.1, 5.3" Rec = "1.1.4"
$auditResult.CISDescription = "Establish and Maintain an Inventory of Accounts, Disable Dormant Accounts" Result = -not $guestUsers
$auditResult.Rec = "1.1.4" Status = if ($guestUsers) { "Fail" } else { "Pass" }
$auditResult.RecDescription = "Ensure Guest Users are reviewed at least biweekly" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Ensure Guest Users are reviewed at least biweekly"
$auditResult.IG1 = $true CISControl = "5.1, 5.3"
$auditResult.IG2 = $true CISDescription = "Establish and Maintain an Inventory of Accounts, Disable Dormant Accounts"
$auditResult.IG3 = $true
$auditResult.CISControlVer = 'v8'
$auditResult.Result = -not $guestUsers
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($guestUsers) { "Fail" } else { "Pass" }
}
catch {
$auditResult = [CISAuditResult]::new()
$auditResult.Status = "Error"
$auditResult.Result = $false
$auditResult.Details = "Error while attempting to check guest users. Error message: $($_.Exception.Message)"
$auditResult.FailureReason = "An error occurred during the audit check."
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {

26
source/tests/Test-IdentifyExternalEmail.ps1
View File

@@ -30,21 +30,17 @@ function Test-IdentifyExternalEmail {
$details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)" $details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($externalTaggingEnabled) { "Pass" } else { "Fail" } Rec = "6.2.3"
$auditResult.ELevel = "E3" Result = $externalTaggingEnabled
$auditResult.ProfileLevel = "L1" Status = if ($externalTaggingEnabled) { "Pass" } else { "Fail" }
$auditResult.Rec = "6.2.3" Details = $details
$auditResult.RecDescription = "Ensure email from external senders is identified" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure email from external senders is identified"
$auditResult.CISControl = "0.0" # Explicitly Not Mapped CISControl = "0.0"
$auditResult.CISDescription = "Explicitly Not Mapped" CISDescription = "Explicitly Not Mapped"
$auditResult.IG1 = $false }
$auditResult.IG2 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $false
$auditResult.Result = $externalTaggingEnabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-LinkSharingRestrictions.ps1
View File

@@ -30,21 +30,17 @@ function Test-LinkSharingRestrictions {
$details = "DefaultSharingLinkType: $($SPOTenantLinkSharing.DefaultSharingLinkType)" $details = "DefaultSharingLinkType: $($SPOTenantLinkSharing.DefaultSharingLinkType)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($isLinkSharingRestricted) { "Pass" } else { "Fail" } Rec = "7.2.7"
$auditResult.ELevel = "E3" Result = $isLinkSharingRestricted
$auditResult.ProfileLevel = "L1" Status = if ($isLinkSharingRestricted) { "Pass" } else { "Fail" }
$auditResult.Rec = "7.2.7" Details = $details
$auditResult.RecDescription = "Ensure link sharing is restricted in SharePoint and OneDrive" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure link sharing is restricted in SharePoint and OneDrive"
$auditResult.CISControl = "3.3" CISControl = "3.3"
$auditResult.CISDescription = "Configure Data Access Control Lists" CISDescription = "Configure Data Access Control Lists"
$auditResult.IG1 = $true }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $isLinkSharingRestricted
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

25
source/tests/Test-MailTipsEnabled.ps1
View File

@@ -37,20 +37,17 @@ function Test-MailTipsEnabled {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult.CISControlVer = "v8" $params = @{
$auditResult.CISControl = "0.0" # Explicitly Not Mapped Rec = "6.5.2"
$auditResult.CISDescription = "Explicitly Not Mapped" Result = $allTipsEnabled -and $externalRecipientsTipsEnabled
$auditResult.Rec = "6.5.2" Status = if ($allTipsEnabled -and $externalRecipientsTipsEnabled) { "Pass" } else { "Fail" }
$auditResult.ELevel = "E3" Details = $details
$auditResult.ProfileLevel = "L2" FailureReason = $failureReasons
$auditResult.IG1 = $false RecDescription = "Ensure MailTips are enabled for end users"
$auditResult.IG2 = $false CISControl = "0.0"
$auditResult.IG3 = $false CISDescription = "Explicitly Not Mapped"
$auditResult.RecDescription = "Ensure MailTips are enabled for end users" }
$auditResult.Result = $allTipsEnabled -and $externalRecipientsTipsEnabled $auditResult = Initialize-CISAuditResult @params
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($auditResult.Result) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-MailboxAuditingE3.ps1
View File

@@ -15,17 +15,6 @@ function Test-MailboxAuditingE3 {
$DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules") $DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules")
$OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MoveToDeletedItems", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules") $OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MoveToDeletedItems", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
$auditResult = [CISAuditResult]::new()
$auditResult.ELevel = "E3"
$auditResult.ProfileLevel = "L1"
$auditResult.Rec = "6.1.2"
$auditResult.RecDescription = "Ensure mailbox auditing for Office E3 users is Enabled"
$auditResult.CISControlVer = "v8"
$auditResult.CISControl = "8.2"
$auditResult.CISDescription = "Collect audit logs."
$auditResult.IG1 = $true
$auditResult.IG2 = $true
$auditResult.IG3 = $true
$allFailures = @() $allFailures = @()
$allUsers = Get-AzureADUser -All $true $allUsers = Get-AzureADUser -All $true
@@ -82,10 +71,17 @@ function Test-MailboxAuditingE3 {
$details = if ($allFailures.Count -eq 0) { "All Office E3 users have correct mailbox audit settings." } else { $allFailures -join " | " } $details = if ($allFailures.Count -eq 0) { "All Office E3 users have correct mailbox audit settings." } else { $allFailures -join " | " }
# Populate the audit result # Populate the audit result
$auditResult.Result = $allFailures.Count -eq 0 $params = @{
$auditResult.Status = if ($auditResult.Result) { "Pass" } else { "Fail" } Rec = "6.1.2"
$auditResult.Details = $details Result = $allFailures.Count -eq 0
$auditResult.FailureReason = $failureReasons Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
RecDescription = "Ensure mailbox auditing for Office E3 users is Enabled"
CISControl = "8.2"
CISDescription = "Collect audit logs."
}
$auditResult = Initialize-CISAuditResult @params
} }
end { end {

27
source/tests/Test-MailboxAuditingE5.ps1
View File

@@ -15,17 +15,7 @@ function Test-MailboxAuditingE5 {
$DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules") $DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules")
$OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MailItemsAccessed", "MoveToDeletedItems", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules") $OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MailItemsAccessed", "MoveToDeletedItems", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
$auditResult = [CISAuditResult]::new()
$auditResult.ELevel = "E5"
$auditResult.ProfileLevel = "L1"
$auditResult.Rec = "6.1.3"
$auditResult.RecDescription = "Ensure mailbox auditing for Office E5 users is Enabled"
$auditResult.CISControlVer = "v8"
$auditResult.CISControl = "8.2"
$auditResult.CISDescription = "Collect audit logs."
$auditResult.IG1 = $true
$auditResult.IG2 = $true
$auditResult.IG3 = $true
$allFailures = @() $allFailures = @()
$allUsers = Get-AzureADUser -All $true $allUsers = Get-AzureADUser -All $true
@@ -87,10 +77,17 @@ function Test-MailboxAuditingE5 {
$details = if ($allFailures.Count -eq 0) { "All Office E5 users have correct mailbox audit settings." } else { $allFailures -join " | " } $details = if ($allFailures.Count -eq 0) { "All Office E5 users have correct mailbox audit settings." } else { $allFailures -join " | " }
# Populate the audit result # Populate the audit result
$auditResult.Result = $allFailures.Count -eq 0 $params = @{
$auditResult.Status = if ($auditResult.Result) { "Pass" } else { "Fail" } Rec = "6.1.3"
$auditResult.Details = $details Result = $allFailures.Count -eq 0
$auditResult.FailureReason = $failureReasons Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
RecDescription = "Ensure mailbox auditing for Office E5 users is Enabled"
CISControl = "8.2"
CISDescription = "Collect audit logs."
}
$auditResult = Initialize-CISAuditResult @params
} }
end { end {

26
source/tests/Test-ManagedApprovedPublicGroups.ps1
View File

@@ -35,21 +35,17 @@ function Test-ManagedApprovedPublicGroups {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "1.2.1"
$auditResult.CISControl = "3.3" Result = $null -eq $allGroups -or $allGroups.Count -eq 0
$auditResult.CISDescription = "Configure Data Access Control Lists" Status = if ($null -eq $allGroups -or $allGroups.Count -eq 0) { "Pass" } else { "Fail" }
$auditResult.Rec = "1.2.1" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L2" RecDescription = "Ensure that only organizationally managed/approved public groups exist"
$auditResult.IG1 = $true CISControl = "3.3"
$auditResult.IG2 = $true CISDescription = "Configure Data Access Control Lists"
$auditResult.IG3 = $true }
$auditResult.RecDescription = "Ensure that only organizationally managed/approved public groups exist" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $null -eq $allGroups -or $allGroups.Count -eq 0
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($auditResult.Result) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-MeetingChatNoAnonymous.ps1
View File

@@ -31,21 +31,17 @@ function Test-MeetingChatNoAnonymous {
$details = "MeetingChatEnabledType is set to $($CsTeamsMeetingPolicyChat.MeetingChatEnabledType)" $details = "MeetingChatEnabledType is set to $($CsTeamsMeetingPolicyChat.MeetingChatEnabledType)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "8.5.5"
$auditResult.CISControl = "0.0" # Explicitly Not Mapped as per the image provided Result = $chatAnonDisabled
$auditResult.CISDescription = "Explicitly Not Mapped" Status = if ($chatAnonDisabled) { "Pass" } else { "Fail" }
$auditResult.Rec = "8.5.5" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Ensure meeting chat does not allow anonymous users"
$auditResult.IG1 = $false # Set based on the CIS Controls image CISControl = "0.0"
$auditResult.IG2 = $false # Set based on the CIS Controls image CISDescription = "Explicitly Not Mapped"
$auditResult.IG3 = $false # Set based on the CIS Controls image }
$auditResult.RecDescription = "Ensure meeting chat does not allow anonymous users" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $chatAnonDisabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($chatAnonDisabled) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-ModernAuthExchangeOnline.ps1
View File

@@ -29,21 +29,17 @@ function Test-ModernAuthExchangeOnline {
$details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)" $details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "6.5.1"
$auditResult.CISControl = "3.10" Result = $orgConfig.OAuth2ClientProfileEnabled
$auditResult.CISDescription = "Encrypt Sensitive Data in Transit" Status = if ($orgConfig.OAuth2ClientProfileEnabled) { "Pass" } else { "Fail" }
$auditResult.IG1 = $false # As per CIS Control v8 mapping for IG1 Details = $details
$auditResult.IG2 = $true # As per CIS Control v8 mapping for IG2 FailureReason = $failureReasons
$auditResult.IG3 = $true # As per CIS Control v8 mapping for IG3 RecDescription = "Ensure modern authentication for Exchange Online is enabled (Automated)"
$auditResult.ELevel = "E3" # Based on your environment (E3, E5, etc.) CISControl = "3.10"
$auditResult.ProfileLevel = "L1" CISDescription = "Encrypt Sensitive Data in Transit"
$auditResult.Rec = "6.5.1" }
$auditResult.RecDescription = "Ensure modern authentication for Exchange Online is enabled (Automated)" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $orgConfig.OAuth2ClientProfileEnabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($orgConfig.OAuth2ClientProfileEnabled) { "Pass" } else { "Fail" }
} }
catch { catch {

26
source/tests/Test-ModernAuthSharePoint.ps1
View File

@@ -27,21 +27,17 @@ function Test-ModernAuthSharePoint {
$details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" $details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "7.2.1"
$auditResult.CISControl = "3.10" Result = $modernAuthForSPRequired
$auditResult.CISDescription = "Encrypt Sensitive Data in Transit" Status = if ($modernAuthForSPRequired) { "Pass" } else { "Fail" }
$auditResult.Rec = "7.2.1" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Modern Authentication for SharePoint Applications"
$auditResult.IG1 = $false CISControl = "3.10"
$auditResult.IG2 = $true CISDescription = "Encrypt Sensitive Data in Transit"
$auditResult.IG3 = $true }
$auditResult.RecDescription = "Modern Authentication for SharePoint Applications" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $modernAuthForSPRequired
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($modernAuthForSPRequired) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-NoAnonymousMeetingJoin.ps1
View File

@@ -30,21 +30,17 @@ function Test-NoAnonymousMeetingJoin {
$details = "AllowAnonymousUsersToJoinMeeting is set to $allowAnonymousUsersToJoinMeeting" $details = "AllowAnonymousUsersToJoinMeeting is set to $allowAnonymousUsersToJoinMeeting"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "8.5.1"
$auditResult.CISControl = "0.0" # The control is Explicitly Not Mapped as per the image provided Result = -not $allowAnonymousUsersToJoinMeeting
$auditResult.CISDescription = "Explicitly Not Mapped" Status = if (-not $allowAnonymousUsersToJoinMeeting) { "Pass" } else { "Fail" }
$auditResult.Rec = "8.5.1" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L2" RecDescription = "Ensure anonymous users can't join a meeting"
$auditResult.IG1 = $false # Set based on the CIS Controls image CISControl = "0.0"
$auditResult.IG2 = $false # Set based on the CIS Controls image CISDescription = "Explicitly Not Mapped"
$auditResult.IG3 = $false # Set based on the CIS Controls image }
$auditResult.RecDescription = "Ensure anonymous users can't join a meeting" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = -not $allowAnonymousUsersToJoinMeeting
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if (-not $allowAnonymousUsersToJoinMeeting) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-NoAnonymousMeetingStart.ps1
View File

@@ -30,21 +30,17 @@ function Test-NoAnonymousMeetingStart {
$details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" $details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.CISControlVer = "v8" Rec = "8.5.2"
$auditResult.CISControl = "0.0" # Explicitly Not Mapped as per the image provided Result = $anonymousStartDisabled
$auditResult.CISDescription = "Explicitly Not Mapped" Status = if ($anonymousStartDisabled) { "Pass" } else { "Fail" }
$auditResult.Rec = "8.5.2" Details = $details
$auditResult.ELevel = "E3" FailureReason = $failureReasons
$auditResult.ProfileLevel = "L1" RecDescription = "Ensure anonymous users and dial-in callers can't start a meeting"
$auditResult.IG1 = $false # Set based on the CIS Controls image CISControl = "0.0"
$auditResult.IG2 = $false # Set based on the CIS Controls image CISDescription = "Explicitly Not Mapped"
$auditResult.IG3 = $false # Set based on the CIS Controls image }
$auditResult.RecDescription = "Ensure anonymous users and dial-in callers can't start a meeting" $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $anonymousStartDisabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
$auditResult.Status = if ($anonymousStartDisabled) { "Pass" } else { "Fail" }
} }
end { end {

26
source/tests/Test-NoWhitelistDomains.ps1
View File

@@ -34,21 +34,17 @@ function Test-NoWhitelistDomains {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($whitelistedRules) { "Fail" } else { "Pass" } Rec = "6.2.2"
$auditResult.ELevel = "E3" Result = -not $whitelistedRules
$auditResult.ProfileLevel = "L1" Status = if ($whitelistedRules) { "Fail" } else { "Pass" }
$auditResult.Rec = "6.2.2" Details = $details
$auditResult.RecDescription = "Ensure mail transport rules do not whitelist specific domains" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure mail transport rules do not whitelist specific domains"
$auditResult.CISControl = "0.0" CISControl = "0.0"
$auditResult.CISDescription = "Explicitly Not Mapped" CISDescription = "Explicitly Not Mapped"
$auditResult.IG1 = $false }
$auditResult.IG2 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $false
$auditResult.Result = -not $whitelistedRules
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-NotifyMalwareInternal.ps1
View File

@@ -43,21 +43,17 @@ function Test-NotifyMalwareInternal {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($result) { "Pass" } else { "Fail" } Rec = "2.1.3"
$auditResult.ELevel = "E3" Result = $result
$auditResult.ProfileLevel = "L1" Status = if ($result) { "Pass" } else { "Fail" }
$auditResult.Rec = "2.1.3" Details = $details
$auditResult.RecDescription = "Ensure notifications for internal users sending malware is Enabled" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure notifications for internal users sending malware is Enabled"
$auditResult.CISControl = "17.5" CISControl = "17.5"
$auditResult.CISDescription = "Assign Key Roles and Responsibilities" CISDescription = "Assign Key Roles and Responsibilities"
$auditResult.IG1 = $false }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $result
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-OneDriveContentRestrictions.ps1
View File

@@ -34,21 +34,17 @@ function Test-OneDriveContentRestrictions {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($isOneDriveSharingRestricted) { "Pass" } else { "Fail" } Rec = "7.2.4"
$auditResult.ELevel = "E3" Result = $isOneDriveSharingRestricted
$auditResult.ProfileLevel = "L2" Status = if ($isOneDriveSharingRestricted) { "Pass" } else { "Fail" }
$auditResult.Rec = "7.2.4" Details = $details
$auditResult.RecDescription = "Ensure OneDrive content sharing is restricted" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure OneDrive content sharing is restricted"
$auditResult.CISControl = "3.3" CISControl = "3.3"
$auditResult.CISDescription = "Configure Data Access Control Lists" CISDescription = "Configure Data Access Control Lists"
$auditResult.IG1 = $true }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $isOneDriveSharingRestricted
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-OneDriveSyncRestrictions.ps1
View File

@@ -34,21 +34,17 @@ function Test-OneDriveSyncRestrictions {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($isSyncRestricted) { "Pass" } else { "Fail" } Rec = "7.3.2"
$auditResult.ELevel = "E3" Result = $isSyncRestricted
$auditResult.ProfileLevel = "L2" Status = if ($isSyncRestricted) { "Pass" } else { "Fail" }
$auditResult.Rec = "7.3.2" Details = $details
$auditResult.RecDescription = "Ensure OneDrive sync is restricted for unmanaged devices" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure OneDrive sync is restricted for unmanaged devices"
$auditResult.CISControl = "0.0" CISControl = "0.0"
$auditResult.CISDescription = "Explicitly Not Mapped" CISDescription = "Explicitly Not Mapped"
$auditResult.IG1 = $false }
$auditResult.IG2 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $false
$auditResult.Result = $isSyncRestricted
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-OrgOnlyBypassLobby.ps1
View File

@@ -36,21 +36,17 @@ function Test-OrgOnlyBypassLobby {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($lobbyBypassRestricted) { "Pass" } else { "Fail" } Rec = "8.5.3"
$auditResult.ELevel = "E3" Result = $lobbyBypassRestricted
$auditResult.ProfileLevel = "L1" Status = if ($lobbyBypassRestricted) { "Pass" } else { "Fail" }
$auditResult.Rec = "8.5.3" Details = $details
$auditResult.RecDescription = "Ensure only people in my org can bypass the lobby" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure only people in my org can bypass the lobby"
$auditResult.CISControl = "6.8" CISControl = "6.8"
$auditResult.CISDescription = "Define and Maintain Role-Based Access Control" CISDescription = "Define and Maintain Role-Based Access Control"
$auditResult.IG1 = $false # Set based on the CIS Controls image }
$auditResult.IG2 = $false # Set based on the CIS Controls image $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true # Set based on the CIS Controls image
$auditResult.Result = $lobbyBypassRestricted
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-OrganizersPresent.ps1
View File

@@ -36,21 +36,17 @@ function Test-OrganizersPresent {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($presenterRoleRestricted) { "Pass" } else { "Fail" } Rec = "8.5.6"
$auditResult.ELevel = "E3" Result = $presenterRoleRestricted
$auditResult.ProfileLevel = "L1" Status = if ($presenterRoleRestricted) { "Pass" } else { "Fail" }
$auditResult.Rec = "8.5.6" Details = $details
$auditResult.RecDescription = "Ensure only organizers and co-organizers can present" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure only organizers and co-organizers can present"
$auditResult.CISControl = "0.0" # Explicitly Not Mapped CISControl = "0.0"
$auditResult.CISDescription = "Explicitly Not Mapped" CISDescription = "Explicitly Not Mapped"
$auditResult.IG1 = $false # Set based on the CIS Controls image }
$auditResult.IG2 = $false # Set based on the CIS Controls image $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $false # Set based on the CIS Controls image
$auditResult.Result = $presenterRoleRestricted
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-PasswordHashSync.ps1
View File

@@ -30,21 +30,17 @@ function Test-PasswordHashSync {
$details = "OnPremisesSyncEnabled: $($passwordHashSync)" $details = "OnPremisesSyncEnabled: $($passwordHashSync)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($hashSyncResult) { "Pass" } else { "Fail" } Rec = "5.1.8.1"
$auditResult.ELevel = "E3" Result = $hashSyncResult
$auditResult.ProfileLevel = "L1" Status = if ($hashSyncResult) { "Pass" } else { "Fail" }
$auditResult.Rec = "5.1.8.1" Details = $details
$auditResult.RecDescription = "Ensure password hash sync is enabled for hybrid deployments" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure password hash sync is enabled for hybrid deployments"
$auditResult.CISControl = "6.7" CISControl = "6.7"
$auditResult.CISDescription = "Centralize Access Control" CISDescription = "Centralize Access Control"
$auditResult.IG1 = $false }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $hashSyncResult
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-PasswordNeverExpirePolicy.ps1
View File

@@ -30,21 +30,17 @@ function Test-PasswordNeverExpirePolicy {
$details = "Validity Period: $passwordPolicy days" $details = "Validity Period: $passwordPolicy days"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($passwordPolicy -eq 0) { "Pass" } else { "Fail" } Rec = "1.3.1"
$auditResult.ELevel = "E3" Result = $passwordPolicy -eq 0
$auditResult.ProfileLevel = "L1" Status = if ($passwordPolicy -eq 0) { "Pass" } else { "Fail" }
$auditResult.Rec = "1.3.1" Details = $details
$auditResult.RecDescription = "Ensure the 'Password expiration policy' is set to 'Set passwords to never expire'" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure the 'Password expiration policy' is set to 'Set passwords to never expire'"
$auditResult.CISControl = "5.2" CISControl = "5.2"
$auditResult.CISDescription = "Use Unique Passwords" CISDescription = "Use Unique Passwords"
$auditResult.IG1 = $true }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $passwordPolicy -eq 0
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-ReauthWithCode.ps1
View File

@@ -29,21 +29,17 @@ function Test-ReauthWithCode {
$details = "EmailAttestationRequired: $($SPOTenantReauthentication.EmailAttestationRequired); EmailAttestationReAuthDays: $($SPOTenantReauthentication.EmailAttestationReAuthDays)" $details = "EmailAttestationRequired: $($SPOTenantReauthentication.EmailAttestationRequired); EmailAttestationReAuthDays: $($SPOTenantReauthentication.EmailAttestationReAuthDays)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($isReauthenticationRestricted) { "Pass" } else { "Fail" } Rec = "7.2.10"
$auditResult.ELevel = "E3" Result = $isReauthenticationRestricted
$auditResult.ProfileLevel = "L1" Status = if ($isReauthenticationRestricted) { "Pass" } else { "Fail" }
$auditResult.Rec = "7.2.10" Details = $details
$auditResult.RecDescription = "Ensure reauthentication with verification code is restricted" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure reauthentication with verification code is restricted"
$auditResult.CISControl = "0.0" CISControl = "0.0"
$auditResult.CISDescription = "Explicitly Not Mapped" CISDescription = "Explicitly Not Mapped"
$auditResult.IG1 = $false }
$auditResult.IG2 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $false
$auditResult.Result = $isReauthenticationRestricted
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-ReportSecurityInTeams.ps1
View File

@@ -39,21 +39,17 @@ function Test-ReportSecurityInTeams {
"ReportChatMessageToCustomizedAddressEnabled: $($ReportSubmissionPolicy.ReportChatMessageToCustomizedAddressEnabled)" "ReportChatMessageToCustomizedAddressEnabled: $($ReportSubmissionPolicy.ReportChatMessageToCustomizedAddressEnabled)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($securityReportEnabled) { "Pass" } else { "Fail" } Rec = "8.6.1"
$auditResult.ELevel = "E3" Result = $securityReportEnabled
$auditResult.ProfileLevel = "L1" Status = if ($securityReportEnabled) { "Pass" } else { "Fail" }
$auditResult.Rec = "8.6.1" Details = $details
$auditResult.RecDescription = "Ensure users can report security concerns in Teams" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure users can report security concerns in Teams"
$auditResult.CISControl = "0.0" CISControl = "0.0"
$auditResult.CISDescription = "Explicitly Not Mapped" CISDescription = "Explicitly Not Mapped"
$auditResult.IG1 = $false }
$auditResult.IG2 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $false
$auditResult.Result = $securityReportEnabled
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-RestrictCustomScripts.ps1
View File

@@ -44,21 +44,17 @@ function Test-RestrictCustomScripts {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($complianceResult) { "Pass" } else { "Fail" } Rec = "7.3.4"
$auditResult.ELevel = "E3" Result = $complianceResult
$auditResult.ProfileLevel = "L1" Status = if ($complianceResult) { "Pass" } else { "Fail" }
$auditResult.Rec = "7.3.4" Details = $details
$auditResult.RecDescription = "Ensure custom script execution is restricted on site collections" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure custom script execution is restricted on site collections"
$auditResult.CISControl = "2.7" CISControl = "2.7"
$auditResult.CISDescription = "Allowlist Authorized Scripts" CISDescription = "Allowlist Authorized Scripts"
$auditResult.IG1 = $false }
$auditResult.IG2 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $complianceResult
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-RestrictExternalSharing.ps1
View File

@@ -29,21 +29,17 @@ function Test-RestrictExternalSharing {
$details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)" $details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($isRestricted) { "Pass" } else { "Fail" } Rec = "7.2.3"
$auditResult.ELevel = "E3" Result = $isRestricted
$auditResult.ProfileLevel = "L1" Status = if ($isRestricted) { "Pass" } else { "Fail" }
$auditResult.Rec = "7.2.3" Details = $details
$auditResult.RecDescription = "Ensure external content sharing is restricted" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure external content sharing is restricted"
$auditResult.CISControl = "3.3" CISControl = "3.3"
$auditResult.CISDescription = "Configure Data Access Control Lists" CISDescription = "Configure Data Access Control Lists"
$auditResult.IG1 = $true }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $isRestricted
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-RestrictOutlookAddins.ps1
View File

@@ -61,21 +61,17 @@ function Test-RestrictOutlookAddins {
$isCompliant = -not ($customPolicyFailures -or $defaultPolicyFailureDetails) $isCompliant = -not ($customPolicyFailures -or $defaultPolicyFailureDetails)
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($isCompliant) { "Pass" } else { "Fail" } Rec = "6.3.1"
$auditResult.ELevel = "E3" Result = $isCompliant
$auditResult.ProfileLevel = "L2" Status = if ($isCompliant) { "Pass" } else { "Fail" }
$auditResult.Rec = "6.3.1" Details = $detailsString
$auditResult.RecDescription = "Ensure users installing Outlook add-ins is not allowed" FailureReason = if ($isCompliant) { "N/A" } else { "Unauthorized Outlook add-ins found in custom or default policies." }
$auditResult.CISControlVer = "v8" RecDescription = "Ensure users installing Outlook add-ins is not allowed"
$auditResult.CISControl = "9.4" CISControl = "9.4"
$auditResult.CISDescription = "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions" CISDescription = "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions"
$auditResult.IG1 = $false }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $isCompliant
$auditResult.Details = $detailsString
$auditResult.FailureReason = if ($isCompliant) { "N/A" } else { "Unauthorized Outlook add-ins found in custom or default policies." }
} }
end { end {

26
source/tests/Test-RestrictStorageProvidersOutlook.ps1
View File

@@ -37,21 +37,17 @@ function Test-RestrictStorageProvidersOutlook {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($allPoliciesRestricted) { "Pass" } else { "Fail" } Rec = "6.5.3"
$auditResult.ELevel = "E3" # Based on your environment Result = $allPoliciesRestricted
$auditResult.ProfileLevel = "L2" Status = if ($allPoliciesRestricted) { "Pass" } else { "Fail" }
$auditResult.Rec = "6.5.3" Details = $details
$auditResult.RecDescription = "Ensure additional storage providers are restricted in Outlook on the web" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure additional storage providers are restricted in Outlook on the web"
$auditResult.CISControl = "3.3" CISControl = "3.3"
$auditResult.CISDescription = "Configure Data Access Control Lists" CISDescription = "Configure Data Access Control Lists"
$auditResult.IG1 = $true }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $allPoliciesRestricted
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-RestrictTenantCreation.ps1
View File

@@ -29,21 +29,17 @@ function Test-RestrictTenantCreation {
$details = "AllowedToCreateTenants: $($tenantCreationPolicy.AllowedToCreateTenants)" $details = "AllowedToCreateTenants: $($tenantCreationPolicy.AllowedToCreateTenants)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($tenantCreationResult) { "Pass" } else { "Fail" } Rec = "5.1.2.3"
$auditResult.ELevel = "E3" Result = $tenantCreationResult
$auditResult.ProfileLevel = "L1" Status = if ($tenantCreationResult) { "Pass" } else { "Fail" }
$auditResult.Rec = "5.1.2.3" Details = $details
$auditResult.RecDescription = "Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'"
$auditResult.CISControl = "0.0" CISControl = "0.0"
$auditResult.CISDescription = "Explicitly Not Mapped" CISDescription = "Explicitly Not Mapped"
$auditResult.IG1 = $false }
$auditResult.IG2 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $false
$auditResult.Result = $tenantCreationResult
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-SafeAttachmentsPolicy.ps1
View File

@@ -34,21 +34,17 @@ function Test-SafeAttachmentsPolicy {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($result) { "Pass" } else { "Fail" } Rec = "2.1.4"
$auditResult.ELevel = "E5" Result = $result
$auditResult.ProfileLevel = "L2" Status = if ($result) { "Pass" } else { "Fail" }
$auditResult.Rec = "2.1.4" Details = $details
$auditResult.RecDescription = "Ensure Safe Attachments policy is enabled" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure Safe Attachments policy is enabled"
$auditResult.CISControl = "9.7" CISControl = "9.7"
$auditResult.CISDescription = "Deploy and Maintain Email Server Anti-Malware Protections" CISDescription = "Deploy and Maintain Email Server Anti-Malware Protections"
$auditResult.IG1 = $false }
$auditResult.IG2 = $false $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $result
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-SafeAttachmentsTeams.ps1
View File

@@ -41,21 +41,17 @@ function Test-SafeAttachmentsTeams {
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($result) { "Pass" } else { "Fail" } Rec = "2.1.5"
$auditResult.ELevel = "E5" Result = $result
$auditResult.ProfileLevel = "L2" Status = if ($result) { "Pass" } else { "Fail" }
$auditResult.Rec = "2.1.5" Details = $details
$auditResult.RecDescription = "Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled"
$auditResult.CISControl = "9.7, 10.1" CISControl = "9.7, 10.1"
$auditResult.CISDescription = "Deploy and Maintain Email Server Anti-Malware Protections, Deploy and Maintain Anti-Malware Software" CISDescription = "Deploy and Maintain Email Server Anti-Malware Protections, Deploy and Maintain Anti-Malware Software"
$auditResult.IG1 = $true }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $result
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

26
source/tests/Test-SafeLinksOfficeApps.ps1
View File

@@ -48,21 +48,17 @@ function Test-SafeLinksOfficeApps {
$failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" } $failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$auditResult = [CISAuditResult]::new() $params = @{
$auditResult.Status = if ($result) { "Pass" } else { "Fail" } Rec = "2.1.1"
$auditResult.ELevel = "E5" Result = $result
$auditResult.ProfileLevel = "L2" Status = if ($result) { "Pass" } else { "Fail" }
$auditResult.Rec = "2.1.1" Details = $details
$auditResult.RecDescription = "Ensure Safe Links for Office Applications is Enabled" FailureReason = $failureReasons
$auditResult.CISControlVer = "v8" RecDescription = "Ensure Safe Links for Office Applications is Enabled"
$auditResult.CISControl = "10.1" CISControl = "10.1"
$auditResult.CISDescription = "Deploy and Maintain Anti-Malware Software" CISDescription = "Deploy and Maintain Anti-Malware Software"
$auditResult.IG1 = $true }
$auditResult.IG2 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.IG3 = $true
$auditResult.Result = $result
$auditResult.Details = $details
$auditResult.FailureReason = $failureReasons
} }
end { end {

25
source/tests/Test-SharePointAADB2B.ps1
View File

@@ -18,20 +18,17 @@ function Test-SharePointAADB2B {
$SPOTenantAzureADB2B = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration $SPOTenantAzureADB2B = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration
# Populate the auditResult object with the required properties # Populate the auditResult object with the required properties
$auditResult.CISControlVer = "v8" $params = @{
$auditResult.CISControl = "0.0" Rec = "7.2.2"
$auditResult.CISDescription = "Explicitly Not Mapped" Result = $SPOTenantAzureADB2B.EnableAzureADB2BIntegration
$auditResult.Rec = "7.2.2" Status = if ($SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Pass" } else { "Fail" }
$auditResult.ELevel = "E3" Details = "EnableAzureADB2BIntegration: $($SPOTenantAzureADB2B.EnableAzureADB2BIntegration)"
$auditResult.ProfileLevel = "L1" FailureReason = if (-not $SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Azure AD B2B integration is not enabled" } else { "N/A" }
$auditResult.IG1 = $false RecDescription = "Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled"
$auditResult.IG2 = $false CISControl = "0.0"
$auditResult.IG3 = $false CISDescription = "Explicitly Not Mapped"
$auditResult.RecDescription = "Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled" }
$auditResult.Result = $SPOTenantAzureADB2B.EnableAzureADB2BIntegration $auditResult = Initialize-CISAuditResult @params
$auditResult.Details = "EnableAzureADB2BIntegration: $($SPOTenantAzureADB2B.EnableAzureADB2BIntegration)"
$auditResult.FailureReason = if (-not $SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Azure AD B2B integration is not enabled" } else { "N/A" }
$auditResult.Status = if ($SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Pass" } else { "Fail" }
} }
end { end {

25
source/tests/Test-SharePointExternalSharingDomains.ps1
View File

@@ -19,20 +19,17 @@ function Test-SharePointExternalSharingDomains {
$isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList' $isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList'
# Populate the auditResult object with the required properties # Populate the auditResult object with the required properties
$auditResult.CISControlVer = "v8" $params = @{
$auditResult.CISControl = "3.3" Rec = "7.2.6"
$auditResult.CISDescription = "Configure Data Access Control Lists" Result = $isDomainRestrictionConfigured
$auditResult.Rec = "7.2.6" Status = if ($isDomainRestrictionConfigured) { "Pass" } else { "Fail" }
$auditResult.ELevel = "E3" Details = "SharingDomainRestrictionMode: $($SPOTenant.SharingDomainRestrictionMode); SharingAllowedDomainList: $($SPOTenant.SharingAllowedDomainList)"
$auditResult.ProfileLevel = "L2" FailureReason = if (-not $isDomainRestrictionConfigured) { "Domain restrictions for SharePoint external sharing are not configured to 'AllowList'. Current setting: $($SPOTenant.SharingDomainRestrictionMode)" } else { "N/A" }
$auditResult.IG1 = $true RecDescription = "Ensure SharePoint external sharing is managed through domain whitelist/blacklists"
$auditResult.IG2 = $true CISControl = "3.3"
$auditResult.IG3 = $true CISDescription = "Configure Data Access Control Lists"
$auditResult.RecDescription = "Ensure SharePoint external sharing is managed through domain whitelist/blacklists" }
$auditResult.Result = $isDomainRestrictionConfigured $auditResult = Initialize-CISAuditResult @params
$auditResult.Details = "SharingDomainRestrictionMode: $($SPOTenant.SharingDomainRestrictionMode); SharingAllowedDomainList: $($SPOTenant.SharingAllowedDomainList)"
$auditResult.FailureReason = if (-not $isDomainRestrictionConfigured) { "Domain restrictions for SharePoint external sharing are not configured to 'AllowList'. Current setting: $($SPOTenant.SharingDomainRestrictionMode)" } else { "N/A" }
$auditResult.Status = if ($isDomainRestrictionConfigured) { "Pass" } else { "Fail" }
} }
end { end {

25
source/tests/Test-SharePointGuestsItemSharing.ps1
View File

@@ -19,20 +19,17 @@ function Test-SharePointGuestsItemSharing {
$isGuestResharingPrevented = $SPOTenant.PreventExternalUsersFromResharing $isGuestResharingPrevented = $SPOTenant.PreventExternalUsersFromResharing
# Populate the auditResult object with the required properties # Populate the auditResult object with the required properties
$auditResult.CISControlVer = "v8" $params = @{
$auditResult.CISControl = "3.3" Rec = "7.2.5"
$auditResult.CISDescription = "Configure Data Access Control Lists" Result = $isGuestResharingPrevented
$auditResult.Rec = "7.2.5" Status = if ($isGuestResharingPrevented) { "Pass" } else { "Fail" }
$auditResult.ELevel = "E3" Details = "PreventExternalUsersFromResharing: $isGuestResharingPrevented"
$auditResult.ProfileLevel = "L2" FailureReason = if (-not $isGuestResharingPrevented) { "Guest users can reshare items they don't own." } else { "N/A" }
$auditResult.IG1 = $true RecDescription = "Ensure that SharePoint guest users cannot share items they don't own"
$auditResult.IG2 = $true CISControl = "3.3"
$auditResult.IG3 = $true CISDescription = "Configure Data Access Control Lists"
$auditResult.RecDescription = "Ensure that SharePoint guest users cannot share items they don't own" }
$auditResult.Result = $isGuestResharingPrevented $auditResult = Initialize-CISAuditResult @params
$auditResult.Details = "PreventExternalUsersFromResharing: $isGuestResharingPrevented"
$auditResult.FailureReason = if (-not $isGuestResharingPrevented) { "Guest users can reshare items they don't own." } else { "N/A" }
$auditResult.Status = if ($isGuestResharingPrevented) { "Pass" } else { "Fail" }
} }
end { end {

25
source/tests/Test-SpamPolicyAdminNotify.ps1
View File

@@ -34,20 +34,17 @@ function Test-SpamPolicyAdminNotify {
} }
# Create an instance of CISAuditResult and populate it # Create an instance of CISAuditResult and populate it
$auditResult.Status = if ($areSettingsEnabled) { "Pass" } else { "Fail" } $params = @{
$auditResult.ELevel = "E3" Rec = "2.1.6"
$auditResult.ProfileLevel = "L1" Result = $areSettingsEnabled
$auditResult.Rec = "2.1.6" Status = if ($areSettingsEnabled) { "Pass" } else { "Fail" }
$auditResult.RecDescription = "Ensure Exchange Online Spam Policies are set to notify administrators" Details = if ($areSettingsEnabled) { "Both BccSuspiciousOutboundMail and NotifyOutboundSpam are enabled." } else { $failureDetails -join ' ' }
$auditResult.CISControlVer = "v8" FailureReason = if (-not $areSettingsEnabled) { "One or both spam policies are not set to notify administrators." } else { "N/A" }
$auditResult.CISControl = "17.5" RecDescription = "Ensure Exchange Online Spam Policies are set to notify administrators"
$auditResult.CISDescription = "Assign Key Roles and Responsibilities" CISControl = "17.5"
$auditResult.IG1 = $false CISDescription = "Assign Key Roles and Responsibilities"
$auditResult.IG2 = $true }
$auditResult.IG3 = $true $auditResult = Initialize-CISAuditResult @params
$auditResult.Result = $areSettingsEnabled
$auditResult.Details = if ($areSettingsEnabled) { "Both BccSuspiciousOutboundMail and NotifyOutboundSpam are enabled." } else { $failureDetails -join ' ' }
$auditResult.FailureReason = if (-not $areSettingsEnabled) { "One or both spam policies are not set to notify administrators." } else { "N/A" }
} }
end { end {

25
source/tests/Test-TeamsExternalAccess.ps1
View File

@@ -29,20 +29,17 @@ function Test-TeamsExternalAccess {
$isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or $allowedDomainsLimited) $isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or $allowedDomainsLimited)
# Create an instance of CISAuditResult and populate it # Create an instance of CISAuditResult and populate it
$auditResult.CISControlVer = "v8" $params = @{
$auditResult.CISControl = "0.0" # The control is Explicitly Not Mapped as per the image provided Rec = "8.2.1"
$auditResult.CISDescription = "Explicitly Not Mapped" Result = $isCompliant
$auditResult.Rec = "8.2.1" Status = if ($isCompliant) { "Pass" } else { "Fail" }
$auditResult.ELevel = "E3" Details = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited"
$auditResult.ProfileLevel = "L2" FailureReason = if (-not $isCompliant) { "One or more external access configurations are not compliant." } else { "N/A" }
$auditResult.IG1 = $false # Set based on the CIS Controls image RecDescription = "Ensure 'external access' is restricted in the Teams admin center"
$auditResult.IG2 = $false # Set based on the CIS Controls image CISControl = "0.0"
$auditResult.IG3 = $false # Set based on the CIS Controls image CISDescription = "Explicitly Not Mapped"
$auditResult.RecDescription = "Ensure 'external access' is restricted in the Teams admin center" }
$auditResult.Result = $isCompliant $auditResult = Initialize-CISAuditResult @params
$auditResult.Details = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited"
$auditResult.FailureReason = if (-not $isCompliant) { "One or more external access configurations are not compliant." } else { "N/A" }
$auditResult.Status = if ($isCompliant) { "Pass" } else { "Fail" }
} }
end { end {

25
source/tests/Test-TeamsExternalFileSharing.ps1
View File

@@ -33,20 +33,17 @@ function Test-TeamsExternalFileSharing {
} }
# Create an instance of CISAuditResult and populate it # Create an instance of CISAuditResult and populate it
$auditResult.CISControlVer = "v8" $params = @{
$auditResult.CISControl = "3.3" Rec = "8.1.1"
$auditResult.CISDescription = "Configure Data Access Control Lists" Result = $isCompliant
$auditResult.Rec = "8.1.1" Status = if ($isCompliant) { "Pass" } else { "Fail" }
$auditResult.ELevel = "E3" Details = if (-not $isCompliant) { "Non-approved providers enabled: $($nonCompliantProviders -join ', ')" } else { "All cloud storage services are approved providers" }
$auditResult.ProfileLevel = "L2" FailureReason = if (-not $isCompliant) { "The following non-approved providers are enabled: $($nonCompliantProviders -join ', ')" } else { "N/A" }
$auditResult.IG1 = $true # Set based on the benchmark RecDescription = "Ensure external file sharing in Teams is enabled for only approved cloud storage services"
$auditResult.IG2 = $true # Set based on the benchmark CISControl = "3.3"
$auditResult.IG3 = $true # Set based on the benchmark CISDescription = "Configure Data Access Control Lists"
$auditResult.RecDescription = "Ensure external file sharing in Teams is enabled for only approved cloud storage services" }
$auditResult.Result = $isCompliant $auditResult = Initialize-CISAuditResult @params
$auditResult.Details = if (-not $isCompliant) { "Non-approved providers enabled: $($nonCompliantProviders -join ', ')" } else { "All cloud storage services are approved providers" }
$auditResult.FailureReason = if (-not $isCompliant) { "The following non-approved providers are enabled: $($nonCompliantProviders -join ', ')" } else { "N/A" }
$auditResult.Status = if ($isCompliant) { "Pass" } else { "Fail" }
} }
end { end {

27
tests/Unit/Private/Initialize-CISAuditResult.tests.ps1 Normal file
View File

@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}