fix: 2.1.1,2.1.4,2.1.5 surpress error messages and create a standard object when no e5
This commit is contained in:
DrIOS
@@ -13,7 +13,7 @@ function Test-SafeAttachmentsPolicy {
|
||||
# Initialization code, if needed
|
||||
$recnum = "2.1.4"
|
||||
|
||||
<#
|
||||
<#
|
||||
Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled
|
||||
|
||||
Validate test for a pass:
|
||||
@@ -33,56 +33,68 @@ function Test-SafeAttachmentsPolicy {
|
||||
- Condition D: The policy is disabled.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 2.1.4 (L2) Ensure Safe Attachments policy is enabled
|
||||
# Retrieve all Safe Attachment policies where Enable is set to True
|
||||
$safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true }
|
||||
if ($null -ne $safeAttachmentPolicies) {
|
||||
try {
|
||||
# 2.1.4 (L2) Ensure Safe Attachments policy is enabled
|
||||
|
||||
# Retrieve all Safe Attachment policies where Enable is set to True
|
||||
$safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true }
|
||||
|
||||
# Condition A: Check if any Safe Attachments policy is enabled
|
||||
$result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
|
||||
|
||||
# Condition B, C, D: Additional checks can be added here if more detailed policy attributes are required
|
||||
# Condition A: Check if any Safe Attachments policy is enabled
|
||||
$result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
|
||||
|
||||
# Determine details and failure reasons based on the presence of enabled policies
|
||||
$details = if ($result) {
|
||||
"Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')"
|
||||
}
|
||||
else {
|
||||
"No Safe Attachments Policies are enabled."
|
||||
# Condition B, C, D: Additional checks can be added here if more detailed policy attributes are required
|
||||
|
||||
# Determine details and failure reasons based on the presence of enabled policies
|
||||
$details = if ($result) {
|
||||
"Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')"
|
||||
}
|
||||
else {
|
||||
"No Safe Attachments Policies are enabled."
|
||||
}
|
||||
|
||||
$failureReasons = if ($result) {
|
||||
"N/A"
|
||||
}
|
||||
else {
|
||||
"Safe Attachments policy is not enabled."
|
||||
}
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $result
|
||||
Status = if ($result) { "Pass" } else { "Fail" }
|
||||
Details = $details
|
||||
FailureReason = $failureReasons
|
||||
}
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
catch {
|
||||
Write-Error "An error occurred during the test: $_"
|
||||
|
||||
$failureReasons = if ($result) {
|
||||
"N/A"
|
||||
}
|
||||
else {
|
||||
"Safe Attachments policy is not enabled."
|
||||
}
|
||||
# Retrieve the description from the test definitions
|
||||
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
|
||||
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
|
||||
|
||||
# Call Initialize-CISAuditResult with error parameters
|
||||
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
|
||||
}
|
||||
}
|
||||
else {
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $result
|
||||
Status = if ($result) { "Pass" } else { "Fail" }
|
||||
Details = $details
|
||||
FailureReason = $failureReasons
|
||||
Result = $false
|
||||
Status = "Fail"
|
||||
Details = "No M365 E5 licenses found."
|
||||
FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise."
|
||||
}
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
catch {
|
||||
Write-Error "An error occurred during the test: $_"
|
||||
|
||||
# Retrieve the description from the test definitions
|
||||
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
|
||||
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
|
||||
|
||||
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
|
||||
|
||||
# Call Initialize-CISAuditResult with error parameters
|
||||
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
|
||||
@@ -31,61 +31,72 @@ function Test-SafeAttachmentsTeams {
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
|
||||
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
|
||||
[void]($atpPolicies = Get-AtpPolicyForO365)
|
||||
if ($null -ne $atpPolicies) {
|
||||
try {
|
||||
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
|
||||
|
||||
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
|
||||
$atpPolicies = Get-AtpPolicyForO365
|
||||
# Check if the required ATP policies are enabled
|
||||
$atpPolicyResult = $atpPolicies | Where-Object {
|
||||
$_.EnableATPForSPOTeamsODB -eq $true -and
|
||||
$_.EnableSafeDocs -eq $true -and
|
||||
$_.AllowSafeDocsOpen -eq $false
|
||||
}
|
||||
|
||||
# Check if the required ATP policies are enabled
|
||||
$atpPolicyResult = $atpPolicies | Where-Object {
|
||||
$_.EnableATPForSPOTeamsODB -eq $true -and
|
||||
$_.EnableSafeDocs -eq $true -and
|
||||
$_.AllowSafeDocsOpen -eq $false
|
||||
# Condition A: Check Safe Attachments for SharePoint
|
||||
# Condition B: Check Safe Attachments for OneDrive
|
||||
# Condition C: Check Safe Attachments for Microsoft Teams
|
||||
|
||||
# Determine the result based on the ATP policy settings
|
||||
$result = $null -ne $atpPolicyResult
|
||||
$details = if ($result) {
|
||||
"ATP for SharePoint, OneDrive, and Teams is enabled with correct settings."
|
||||
}
|
||||
else {
|
||||
"ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings."
|
||||
}
|
||||
|
||||
$failureReasons = if ($result) {
|
||||
"N/A"
|
||||
}
|
||||
else {
|
||||
"ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured."
|
||||
}
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $result
|
||||
Status = if ($result) { "Pass" } else { "Fail" }
|
||||
Details = $details
|
||||
FailureReason = $failureReasons
|
||||
}
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
catch {
|
||||
Write-Error "An error occurred during the test: $_"
|
||||
|
||||
# Condition A: Check Safe Attachments for SharePoint
|
||||
# Condition B: Check Safe Attachments for OneDrive
|
||||
# Condition C: Check Safe Attachments for Microsoft Teams
|
||||
# Retrieve the description from the test definitions
|
||||
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
|
||||
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
|
||||
|
||||
# Determine the result based on the ATP policy settings
|
||||
$result = $null -ne $atpPolicyResult
|
||||
$details = if ($result) {
|
||||
"ATP for SharePoint, OneDrive, and Teams is enabled with correct settings."
|
||||
}
|
||||
else {
|
||||
"ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings."
|
||||
}
|
||||
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
|
||||
|
||||
$failureReasons = if ($result) {
|
||||
"N/A"
|
||||
# Call Initialize-CISAuditResult with error parameters
|
||||
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
|
||||
}
|
||||
else {
|
||||
"ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured."
|
||||
}
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
}
|
||||
else {
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $result
|
||||
Status = if ($result) { "Pass" } else { "Fail" }
|
||||
Details = $details
|
||||
FailureReason = $failureReasons
|
||||
Result = $false
|
||||
Status = "Fail"
|
||||
Details = "No M365 E3 licenses found."
|
||||
FailureReason = "The audit is for M365 E3 licenses, but no such licenses were found."
|
||||
}
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
catch {
|
||||
Write-Error "An error occurred during the test: $_"
|
||||
|
||||
# Retrieve the description from the test definitions
|
||||
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
|
||||
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
|
||||
|
||||
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
|
||||
|
||||
# Call Initialize-CISAuditResult with error parameters
|
||||
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
|
||||
@@ -40,62 +40,73 @@ function Test-SafeLinksOfficeApps {
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
|
||||
# Retrieve all Safe Links policies
|
||||
[void]($policies = Get-SafeLinksPolicy)
|
||||
if ($null -ne $policies) {
|
||||
try {
|
||||
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
|
||||
|
||||
# Retrieve all Safe Links policies
|
||||
$policies = Get-SafeLinksPolicy
|
||||
# Initialize the details collection
|
||||
$misconfiguredDetails = @()
|
||||
|
||||
# Initialize the details collection
|
||||
$misconfiguredDetails = @()
|
||||
foreach ($policy in $policies) {
|
||||
# Get the detailed configuration of each policy
|
||||
$policyDetails = Get-SafeLinksPolicy -Identity $policy.Name
|
||||
|
||||
foreach ($policy in $policies) {
|
||||
# Get the detailed configuration of each policy
|
||||
$policyDetails = Get-SafeLinksPolicy -Identity $policy.Name
|
||||
# Check each required property and record failures
|
||||
# Condition A: Checking policy settings
|
||||
$failures = @()
|
||||
if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" } # Email: On
|
||||
if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" } # Teams: On
|
||||
if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" } # Office 365 Apps: On
|
||||
if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" } # Click protection settings: On
|
||||
if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" } # Do not track when users click safe links: Off
|
||||
|
||||
# Check each required property and record failures
|
||||
# Condition A: Checking policy settings
|
||||
$failures = @()
|
||||
if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" } # Email: On
|
||||
if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" } # Teams: On
|
||||
if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" } # Office 365 Apps: On
|
||||
if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" } # Click protection settings: On
|
||||
if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" } # Do not track when users click safe links: Off
|
||||
|
||||
# Only add details for policies that have misconfigurations
|
||||
if ($failures.Count -gt 0) {
|
||||
$misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')"
|
||||
# Only add details for policies that have misconfigurations
|
||||
if ($failures.Count -gt 0) {
|
||||
$misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')"
|
||||
}
|
||||
}
|
||||
|
||||
# Prepare the final result
|
||||
# Condition B: Ensuring no misconfigurations
|
||||
$result = $misconfiguredDetails.Count -eq 0
|
||||
$details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join ' | ' }
|
||||
$failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $result
|
||||
Status = if ($result) { "Pass" } else { "Fail" }
|
||||
Details = $details
|
||||
FailureReason = $failureReasons
|
||||
}
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
catch {
|
||||
Write-Error "An error occurred during the test: $_"
|
||||
|
||||
# Prepare the final result
|
||||
# Condition B: Ensuring no misconfigurations
|
||||
$result = $misconfiguredDetails.Count -eq 0
|
||||
$details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join ' | ' }
|
||||
$failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
|
||||
# Retrieve the description from the test definitions
|
||||
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
|
||||
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
|
||||
|
||||
# Call Initialize-CISAuditResult with error parameters
|
||||
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
|
||||
}
|
||||
}
|
||||
else {
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $result
|
||||
Status = if ($result) { "Pass" } else { "Fail" }
|
||||
Details = $details
|
||||
FailureReason = $failureReasons
|
||||
Result = $false
|
||||
Status = "Fail"
|
||||
Details = "No M365 E5 licenses found."
|
||||
FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise."
|
||||
}
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
catch {
|
||||
Write-Error "An error occurred during the test: $_"
|
||||
|
||||
# Retrieve the description from the test definitions
|
||||
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
|
||||
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
|
||||
|
||||
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
|
||||
|
||||
# Call Initialize-CISAuditResult with error parameters
|
||||
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
|
||||
Reference in New Issue
Block a user