From 273630839ea67454c5ad2f5250e49bf84a89d09d Mon Sep 17 00:00:00 2001
From: DrIOS <58635327+DrIOSX@users.noreply.github.com>
Date: Fri, 14 Jun 2024 08:40:44 -0500
Subject: [PATCH] fix: 2.1.1,2.1.4,2.1.5 surpress error messages and create a standard object when no e5
---
 source/tests/Test-SafeAttachmentsPolicy.ps1 | 88 +++++++++++--------
 source/tests/Test-SafeAttachmentsTeams.ps1 | 97 ++++++++++++---------
 source/tests/Test-SafeLinksOfficeApps.ps1 | 97 ++++++++++++---------
 3 files changed, 158 insertions(+), 124 deletions(-)
diff --git a/source/tests/Test-SafeAttachmentsPolicy.ps1 b/source/tests/Test-SafeAttachmentsPolicy.ps1
index 8b5fe06..d9dfca4 100644
--- a/source/tests/Test-SafeAttachmentsPolicy.ps1
+++ b/source/tests/Test-SafeAttachmentsPolicy.ps1
@@ -13,7 +13,7 @@ function Test-SafeAttachmentsPolicy {
 # Initialization code, if needed
 $recnum = "2.1.4"
- <#
+ <#
 Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled
 Validate test for a pass:
@@ -33,56 +33,68 @@ function Test-SafeAttachmentsPolicy { - Condition D: The policy is disabled. #> } - process { - try { - # 2.1.4 (L2) Ensure Safe Attachments policy is enabled + # Retrieve all Safe Attachment policies where Enable is set to True + $safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true } + if ($null -ne $safeAttachmentPolicies) { + try { + # 2.1.4 (L2) Ensure Safe Attachments policy is enabled - # Retrieve all Safe Attachment policies where Enable is set to True - $safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true } - # Condition A: Check if any Safe Attachments policy is enabled - $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0 - # Condition B, C, D: Additional checks can be added here if more detailed policy attributes are required + # Condition A: Check if any Safe Attachments policy is enabled + $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0 - # Determine details and failure reasons based on the presence of enabled policies - $details = if ($result) { - "Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')" - } - else { - "No Safe Attachments Policies are enabled." + # Condition B, C, D: Additional checks can be added here if more detailed policy attributes are required + + # Determine details and failure reasons based on the presence of enabled policies + $details = if ($result) { + "Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')" + } + else { + "No Safe Attachments Policies are enabled." + } + + $failureReasons = if ($result) { + "N/A" + } + else { + "Safe Attachments policy is not enabled." 
+ } + + # Create and populate the CISAuditResult object + $params = @{ + Rec = $recnum + Result = $result + Status = if ($result) { "Pass" } else { "Fail" } + Details = $details + FailureReason = $failureReasons + } + $auditResult = Initialize-CISAuditResult @params } + catch { + Write-Error "An error occurred during the test: $_" - $failureReasons = if ($result) { - "N/A" - } - else { - "Safe Attachments policy is not enabled." - } + # Retrieve the description from the test definitions + $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } + $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } - # Create and populate the CISAuditResult object + $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) + + # Call Initialize-CISAuditResult with error parameters + $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure + } + } + else { $params = @{ Rec = $recnum - Result = $result - Status = if ($result) { "Pass" } else { "Fail" } - Details = $details - FailureReason = $failureReasons + Result = $false + Status = "Fail" + Details = "No M365 E5 licenses found." + FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise." } $auditResult = Initialize-CISAuditResult @params } - catch { - Write-Error "An error occurred during the test: $_" - - # Retrieve the description from the test definitions - $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } - $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } - - $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) - - # Call Initialize-CISAuditResult with error parameters - $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure - } } end { 
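Review bot: The `if ($null -ne $safeAttachmentPolicies)` guard in this hunk tests the result of `Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true }`, so a licensed tenant whose Safe Attachments policies are all disabled is indistinguishable from a tenant without the cmdlet and is reported as "No M365 E5 licenses found." instead of the "No Safe Attachments Policies are enabled." finding the inner branch was written for. Guard on the unfiltered result and filter inside the branch: `$allPolicies = Get-SafeAttachmentPolicy` / `if ($null -ne $allPolicies) {` / `$safeAttachmentPolicies = $allPolicies | Where-Object { $_.Enable -eq $true }`. Despite the commit title, nothing here silences the cmdlet's error output: this call carries no `-ErrorAction` or redirection, and the `[void](...)` wrappers added in Test-SafeAttachmentsTeams.ps1 and Test-SafeLinksOfficeApps.ps1 only discard the success stream (which an assignment already keeps off the pipeline), so a missing cmdlet still prints to the console. If the cmdlet is absent from the EXO session `-ErrorAction` never binds either; a `Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue` probe before the call, or `2>$null` on it, is what actually keeps the message off the console. The old side of this hunk also shows `process {` removed with no replacement on the new side (the sibling files keep it as context); if that is the real patch rather than a rendering artifact, the function no longer parses.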
diff --git a/source/tests/Test-SafeAttachmentsTeams.ps1 b/source/tests/Test-SafeAttachmentsTeams.ps1
index 8c0b5f3..588eb57 100644
--- a/source/tests/Test-SafeAttachmentsTeams.ps1
+++ b/source/tests/Test-SafeAttachmentsTeams.ps1
@@ -31,61 +31,72 @@ function Test-SafeAttachmentsTeams { } process { - try { - # 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled + # Retrieve the ATP policies for Office 365 and check Safe Attachments settings + [void]($atpPolicies = Get-AtpPolicyForO365) + if ($null -ne $atpPolicies) { + try { + # 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled - # Retrieve the ATP policies for Office 365 and check Safe Attachments settings - $atpPolicies = Get-AtpPolicyForO365 + # Check if the required ATP policies are enabled + $atpPolicyResult = $atpPolicies | Where-Object { + $_.EnableATPForSPOTeamsODB -eq $true -and + $_.EnableSafeDocs -eq $true -and + $_.AllowSafeDocsOpen -eq $false + } - # Check if the required ATP policies are enabled - $atpPolicyResult = $atpPolicies | Where-Object { - $_.EnableATPForSPOTeamsODB -eq $true -and - $_.EnableSafeDocs -eq $true -and - $_.AllowSafeDocsOpen -eq $false + # Condition A: Check Safe Attachments for SharePoint + # Condition B: Check Safe Attachments for OneDrive + # Condition C: Check Safe Attachments for Microsoft Teams + + # Determine the result based on the ATP policy settings + $result = $null -ne $atpPolicyResult + $details = if ($result) { + "ATP for SharePoint, OneDrive, and Teams is enabled with correct settings." + } + else { + "ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings." + } + + $failureReasons = if ($result) { + "N/A" + } + else { + "ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured." 
+ } + + # Create and populate the CISAuditResult object + $params = @{ + Rec = $recnum + Result = $result + Status = if ($result) { "Pass" } else { "Fail" } + Details = $details + FailureReason = $failureReasons + } + $auditResult = Initialize-CISAuditResult @params } + catch { + Write-Error "An error occurred during the test: $_" - # Condition A: Check Safe Attachments for SharePoint - # Condition B: Check Safe Attachments for OneDrive - # Condition C: Check Safe Attachments for Microsoft Teams + # Retrieve the description from the test definitions + $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } + $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } - # Determine the result based on the ATP policy settings - $result = $null -ne $atpPolicyResult - $details = if ($result) { - "ATP for SharePoint, OneDrive, and Teams is enabled with correct settings." - } - else { - "ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings." - } + $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) - $failureReasons = if ($result) { - "N/A" + # Call Initialize-CISAuditResult with error parameters + $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure } - else { - "ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured." - } - - # Create and populate the CISAuditResult object + } + else { $params = @{ Rec = $recnum - Result = $result - Status = if ($result) { "Pass" } else { "Fail" } - Details = $details - FailureReason = $failureReasons + Result = $false + Status = "Fail" + Details = "No M365 E3 licenses found." + FailureReason = "The audit is for M365 E3 licenses, but no such licenses were found." 
} $auditResult = Initialize-CISAuditResult @params } - catch { - Write-Error "An error occurred during the test: $_" - - # Retrieve the description from the test definitions - $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } - $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } - - $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) - - # Call Initialize-CISAuditResult with error parameters - $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure - } } end { diff --git a/source/tests/Test-SafeLinksOfficeApps.ps1 b/source/tests/Test-SafeLinksOfficeApps.ps1 index 37a864b..86cdac4 100644 --- a/source/tests/Test-SafeLinksOfficeApps.ps1 +++ b/source/tests/Test-SafeLinksOfficeApps.ps1 
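Review bot: The else branch at the end of this hunk reports `Details = "No M365 E3 licenses found."` and `FailureReason = "The audit is for M365 E3 licenses, but no such licenses were found."`, while the commit title and the same branch in Test-SafeAttachmentsPolicy.ps1 and Test-SafeLinksOfficeApps.ps1 refer to E5, and Safe Attachments for SharePoint, OneDrive and Teams is a Defender for Office 365 capability; an auditor reading this finding would be pointed at the wrong license. Use the sibling wording: `Details = "No M365 E5 licenses found."` and `FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise."`. The `if ($null -ne $atpPolicies)` line would also benefit from a comment stating what `$null` is taken to mean, since the value presumably stays `$null` only when the cmdlet call fails, e.g. `# $null here is treated as 'Get-AtpPolicyForO365 unavailable' (no Defender for Office 365 license), not as an empty policy set`.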
@@ -40,62 +40,73 @@ function Test-SafeLinksOfficeApps { } process { - try { - # 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled + # Retrieve all Safe Links policies + [void]($policies = Get-SafeLinksPolicy) + if ($null -ne $policies) { + try { + # 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled - # Retrieve all Safe Links policies - $policies = Get-SafeLinksPolicy + # Initialize the details collection + $misconfiguredDetails = @() - # Initialize the details collection - $misconfiguredDetails = @() + foreach ($policy in $policies) { + # Get the detailed configuration of each policy + $policyDetails = Get-SafeLinksPolicy -Identity $policy.Name - foreach ($policy in $policies) { - # Get the detailed configuration of each policy - $policyDetails = Get-SafeLinksPolicy -Identity $policy.Name + # Check each required property and record failures + # Condition A: Checking policy settings + $failures = @() + if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" } # Email: On + if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" } # Teams: On + if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" } # Office 365 Apps: On + if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" } # Click protection settings: On + if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" } # Do not track when users click safe links: Off - # Check each required property and record failures - # Condition A: Checking policy settings - $failures = @() - if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" } # Email: On - if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" } # Teams: On - if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += 
"EnableSafeLinksForOffice: False" } # Office 365 Apps: On - if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" } # Click protection settings: On - if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" } # Do not track when users click safe links: Off - - # Only add details for policies that have misconfigurations - if ($failures.Count -gt 0) { - $misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')" + # Only add details for policies that have misconfigurations + if ($failures.Count -gt 0) { + $misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')" + } } + + # Prepare the final result + # Condition B: Ensuring no misconfigurations + $result = $misconfiguredDetails.Count -eq 0 + $details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join ' | ' } + $failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" } + + # Create and populate the CISAuditResult object + $params = @{ + Rec = $recnum + Result = $result + Status = if ($result) { "Pass" } else { "Fail" } + Details = $details + FailureReason = $failureReasons + } + $auditResult = Initialize-CISAuditResult @params } + catch { + Write-Error "An error occurred during the test: $_" - # Prepare the final result - # Condition B: Ensuring no misconfigurations - $result = $misconfiguredDetails.Count -eq 0 - $details = if ($result) { "All Safe Links policies are correctly configured." 
} else { $misconfiguredDetails -join ' | ' } - $failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" } + # Retrieve the description from the test definitions + $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } + $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } - # Create and populate the CISAuditResult object + $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) + + # Call Initialize-CISAuditResult with error parameters + $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure + } + } + else { $params = @{ Rec = $recnum - Result = $result - Status = if ($result) { "Pass" } else { "Fail" } - Details = $details - FailureReason = $failureReasons + Result = $false + Status = "Fail" + Details = "No M365 E5 licenses found." + FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise." } $auditResult = Initialize-CISAuditResult @params } - catch { - Write-Error "An error occurred during the test: $_" - - # Retrieve the description from the test definitions - $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } - $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } - - $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) - - # Call Initialize-CISAuditResult with error parameters - $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure - } } end {
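Review bot: The `if ($null -ne $policies)` guard added here also catches a licensed tenant that simply has no Safe Links policy, because `Get-SafeLinksPolicy` returns nothing in both cases; such a tenant previously passed vacuously (empty `$misconfiguredDetails` gives `$result = $true`), so the new Fail status is an improvement, but the "No M365 E5 licenses found." text misdirects the reader. Give the empty-result case its own finding, e.g. keep the license branch for the cmdlet-unavailable case and set `Details = "No Safe Links policies exist."` when the cmdlet succeeds but returns nothing, which needs a way to tell the two apart (a `Get-Command Get-SafeLinksPolicy -ErrorAction SilentlyContinue` probe would do). Inside the try, the loop still calls `Get-SafeLinksPolicy -Identity $policy.Name` for each policy that the outer call already returned, one extra remote round-trip per policy; that is carried over from the old code rather than introduced here, but the re-indented loop is the natural place to use `$policy` directly if the outer call returns the same properties — worth confirming.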