fix: 2.1.1,2.1.4,2.1.5 surpress error messages and create a standard object when no e5

2024-06-14 08:40:44 -05:00
parent 3ca779650e
commit 273630839e
3 changed files with 158 additions and 124 deletions
--- a/source/tests/Test-SafeAttachmentsPolicy.ps1
+++ b/source/tests/Test-SafeAttachmentsPolicy.ps1
@@ -13,7 +13,7 @@ function Test-SafeAttachmentsPolicy {
        # Initialization code, if needed
        $recnum = "2.1.4"
-    <#
+        <#
        Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled
        Validate test for a pass:
@@ -33,56 +33,68 @@ function Test-SafeAttachmentsPolicy {
          - Condition D: The policy is disabled.
    #>
    }
    process {
-        try {
+        # Retrieve all Safe Attachment policies where Enable is set to True
-            # 2.1.4 (L2) Ensure Safe Attachments policy is enabled
+        $safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true }
        if ($null -ne $safeAttachmentPolicies) {
            try {
                # 2.1.4 (L2) Ensure Safe Attachments policy is enabled
            # Retrieve all Safe Attachment policies where Enable is set to True
            $safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true }
            # Condition A: Check if any Safe Attachments policy is enabled
            $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
-            # Condition B, C, D: Additional checks can be added here if more detailed policy attributes are required
+                # Condition A: Check if any Safe Attachments policy is enabled
                $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
-            # Determine details and failure reasons based on the presence of enabled policies
+                # Condition B, C, D: Additional checks can be added here if more detailed policy attributes are required
-            $details = if ($result) {
+
-                "Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')"
+                # Determine details and failure reasons based on the presence of enabled policies
-            }
+                $details = if ($result) {
-            else {
+                    "Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')"
-                "No Safe Attachments Policies are enabled."
+                }
                else {
                    "No Safe Attachments Policies are enabled."
                }
                $failureReasons = if ($result) {
                    "N/A"
                }
                else {
                    "Safe Attachments policy is not enabled."
                }
                # Create and populate the CISAuditResult object
                $params = @{
                    Rec           = $recnum
                    Result        = $result
                    Status        = if ($result) { "Pass" } else { "Fail" }
                    Details       = $details
                    FailureReason = $failureReasons
                }
                $auditResult = Initialize-CISAuditResult @params
            }
            catch {
                Write-Error "An error occurred during the test: $_"
-            $failureReasons = if ($result) {
+                # Retrieve the description from the test definitions
-                "N/A"
+                $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
-            }
+                $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
            else {
                "Safe Attachments policy is not enabled."
            }
-            # Create and populate the CISAuditResult object
+                $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
                # Call Initialize-CISAuditResult with error parameters
                $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
            }
        }
        else {
            $params = @{
                Rec           = $recnum
-                Result        = $result
+                Result        = $false
-                Status        = if ($result) { "Pass" } else { "Fail" }
+                Status        = "Fail"
-                Details       = $details
+                Details       = "No M365 E5 licenses found."
-                FailureReason = $failureReasons
+                FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise."
            }
            $auditResult = Initialize-CISAuditResult @params
        }
        catch {
            Write-Error "An error occurred during the test: $_"
            # Retrieve the description from the test definitions
            $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
            $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
            $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
            # Call Initialize-CISAuditResult with error parameters
            $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
        }
    }
    end {
--- a/source/tests/Test-SafeAttachmentsTeams.ps1
+++ b/source/tests/Test-SafeAttachmentsTeams.ps1
@@ -31,61 +31,72 @@ function Test-SafeAttachmentsTeams {
    }
    process {
-        try {
+        # Retrieve the ATP policies for Office 365 and check Safe Attachments settings
-            # 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
+        [void]($atpPolicies = Get-AtpPolicyForO365)
        if ($null -ne $atpPolicies) {
            try {
                # 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
-            # Retrieve the ATP policies for Office 365 and check Safe Attachments settings
+                # Check if the required ATP policies are enabled
-            $atpPolicies = Get-AtpPolicyForO365
+                $atpPolicyResult = $atpPolicies | Where-Object {
                    $_.EnableATPForSPOTeamsODB -eq $true -and
                    $_.EnableSafeDocs -eq $true -and
                    $_.AllowSafeDocsOpen -eq $false
                }
-            # Check if the required ATP policies are enabled
+                # Condition A: Check Safe Attachments for SharePoint
-            $atpPolicyResult = $atpPolicies | Where-Object {
+                # Condition B: Check Safe Attachments for OneDrive
-                $_.EnableATPForSPOTeamsODB -eq $true -and
+                # Condition C: Check Safe Attachments for Microsoft Teams
-                $_.EnableSafeDocs -eq $true -and
+
-                $_.AllowSafeDocsOpen -eq $false
+                # Determine the result based on the ATP policy settings
                $result = $null -ne $atpPolicyResult
                $details = if ($result) {
                    "ATP for SharePoint, OneDrive, and Teams is enabled with correct settings."
                }
                else {
                    "ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings."
                }
                $failureReasons = if ($result) {
                    "N/A"
                }
                else {
                    "ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured."
                }
                # Create and populate the CISAuditResult object
                $params = @{
                    Rec           = $recnum
                    Result        = $result
                    Status        = if ($result) { "Pass" } else { "Fail" }
                    Details       = $details
                    FailureReason = $failureReasons
                }
                $auditResult = Initialize-CISAuditResult @params
            }
            catch {
                Write-Error "An error occurred during the test: $_"
-            # Condition A: Check Safe Attachments for SharePoint
+                # Retrieve the description from the test definitions
-            # Condition B: Check Safe Attachments for OneDrive
+                $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
-            # Condition C: Check Safe Attachments for Microsoft Teams
+                $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
-            # Determine the result based on the ATP policy settings
+                $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
            $result = $null -ne $atpPolicyResult
            $details = if ($result) {
                "ATP for SharePoint, OneDrive, and Teams is enabled with correct settings."
            }
            else {
                "ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings."
            }
-            $failureReasons = if ($result) {
+                # Call Initialize-CISAuditResult with error parameters
-                "N/A"
+                $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
            }
-            else {
+        }
-                "ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured."
+        else {
            }
            # Create and populate the CISAuditResult object
            $params = @{
                Rec           = $recnum
-                Result        = $result
+                Result        = $false
-                Status        = if ($result) { "Pass" } else { "Fail" }
+                Status        = "Fail"
-                Details       = $details
+                Details       = "No M365 E3 licenses found."
-                FailureReason = $failureReasons
+                FailureReason = "The audit is for M365 E3 licenses, but no such licenses were found."
            }
            $auditResult = Initialize-CISAuditResult @params
        }
        catch {
            Write-Error "An error occurred during the test: $_"
            # Retrieve the description from the test definitions
            $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
            $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
            $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
            # Call Initialize-CISAuditResult with error parameters
            $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
        }
    }
    end {
--- a/source/tests/Test-SafeLinksOfficeApps.ps1
+++ b/source/tests/Test-SafeLinksOfficeApps.ps1
@@ -40,62 +40,73 @@ function Test-SafeLinksOfficeApps {
    }
    process {
-        try {
+        # Retrieve all Safe Links policies
-            # 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
+        [void]($policies = Get-SafeLinksPolicy)
        if ($null -ne $policies) {
            try {
                # 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
-            # Retrieve all Safe Links policies
+                # Initialize the details collection
-            $policies = Get-SafeLinksPolicy
+                $misconfiguredDetails = @()
-            # Initialize the details collection
+                foreach ($policy in $policies) {
-            $misconfiguredDetails = @()
+                    # Get the detailed configuration of each policy
                    $policyDetails = Get-SafeLinksPolicy -Identity $policy.Name
-            foreach ($policy in $policies) {
+                    # Check each required property and record failures
-                # Get the detailed configuration of each policy
+                    # Condition A: Checking policy settings
-                $policyDetails = Get-SafeLinksPolicy -Identity $policy.Name
+                    $failures = @()
                    if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" } # Email: On
                    if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" } # Teams: On
                    if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" } # Office 365 Apps: On
                    if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" } # Click protection settings: On
                    if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" } # Do not track when users click safe links: Off
-                # Check each required property and record failures
+                    # Only add details for policies that have misconfigurations
-                # Condition A: Checking policy settings
+                    if ($failures.Count -gt 0) {
-                $failures = @()
+                        $misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')"
-                if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" } # Email: On
+                    }
                if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" } # Teams: On
                if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" } # Office 365 Apps: On
                if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" } # Click protection settings: On
                if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" } # Do not track when users click safe links: Off
                # Only add details for policies that have misconfigurations
                if ($failures.Count -gt 0) {
                    $misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')"
                }
                # Prepare the final result
                # Condition B: Ensuring no misconfigurations
                $result = $misconfiguredDetails.Count -eq 0
                $details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join ' | ' }
                $failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
                # Create and populate the CISAuditResult object
                $params = @{
                    Rec           = $recnum
                    Result        = $result
                    Status        = if ($result) { "Pass" } else { "Fail" }
                    Details       = $details
                    FailureReason = $failureReasons
                }
                $auditResult = Initialize-CISAuditResult @params
            }
            catch {
                Write-Error "An error occurred during the test: $_"
-            # Prepare the final result
+                # Retrieve the description from the test definitions
-            # Condition B: Ensuring no misconfigurations
+                $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
-            $result = $misconfiguredDetails.Count -eq 0
+                $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
            $details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join ' | ' }
            $failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
-            # Create and populate the CISAuditResult object
+                $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
                # Call Initialize-CISAuditResult with error parameters
                $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
            }
        }
        else {
            $params = @{
                Rec           = $recnum
-                Result        = $result
+                Result        = $false
-                Status        = if ($result) { "Pass" } else { "Fail" }
+                Status        = "Fail"
-                Details       = $details
+                Details       = "No M365 E5 licenses found."
-                FailureReason = $failureReasons
+                FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise."
            }
            $auditResult = Initialize-CISAuditResult @params
        }
        catch {
            Write-Error "An error occurred during the test: $_"
            # Retrieve the description from the test definitions
            $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
            $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
            $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
            # Call Initialize-CISAuditResult with error parameters
            $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
        }
    }
    end {