vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #17 from CriticalSolutionsNetwork/Fix-domain-test

Browse Source 
Fix domain test
This commit is contained in:
Doug Rios
2024-06-08 15:58:29 -05:00
committed by GitHub
parent db9b206ae3 9d9b9e70d9
commit 34cb9aeb95
6 changed files with 53 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@@ -17,8 +17,9 @@ The format is based on and uses the types of changes according to [Keep a Change
- Improved `Test-RestrictCustomScripts` to handle long URL lengths better by extracting and replacing common hostnames, and provided detailed output. - Improved `Test-RestrictCustomScripts` to handle long URL lengths better by extracting and replacing common hostnames, and provided detailed output.
- Added sorting to output. - Added sorting to output.
- Created new functions for improved modularity. - Created new functions for improved modularity.
- Parameter validation for excel and csv path in sync function - Parameter validation for Excel and CSV path in sync function.
- Added Output type to tests. - Added Output type to tests.
- Added `M365DomainForPWPolicyTest` parameter to `Invoke-M365SecurityAudit` to specify testing only the default domain for password expiration policy when '1.3.1' is included in the tests.
### Fixed ### Fixed
@@ -34,6 +35,7 @@ The format is based on and uses the types of changes according to [Keep a Change
- Fixed the issue with the output in `Test-RestrictCustomScripts` to ensure no extra spaces between table headers and data. - Fixed the issue with the output in `Test-RestrictCustomScripts` to ensure no extra spaces between table headers and data.
## [0.1.4] - 2024-05-30 ## [0.1.4] - 2024-05-30
### Added ### Added

BIN
README.md
View File

Binary file not shown.

BIN
docs/index.html
View File

Binary file not shown.

2
source/Private/Invoke-TestFunction.ps1
View File

@@ -3,7 +3,7 @@ function Invoke-TestFunction {
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[PSObject]$FunctionFile, [PSObject]$FunctionFile,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $false)]
[string]$DomainName [string]$DomainName
) )

10
source/Public/Invoke-M365SecurityAudit.ps1
View File

@@ -5,8 +5,8 @@
The Invoke-M365SecurityAudit cmdlet performs a comprehensive security audit based on the specified parameters. It allows auditing of various configurations and settings within a Microsoft 365 environment, such as compliance with CIS benchmarks. The Invoke-M365SecurityAudit cmdlet performs a comprehensive security audit based on the specified parameters. It allows auditing of various configurations and settings within a Microsoft 365 environment, such as compliance with CIS benchmarks.
.PARAMETER TenantAdminUrl .PARAMETER TenantAdminUrl
The URL of the tenant admin. This parameter is mandatory. The URL of the tenant admin. This parameter is mandatory.
.PARAMETER DomainName .PARAMETER M365DomainForPWPolicyTest
The domain name of the Microsoft 365 environment. This parameter is mandatory. The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified.
.PARAMETER ELevel .PARAMETER ELevel
Specifies the E-Level (E3 or E5) for the audit. This parameter is optional and can be combined with the ProfileLevel parameter. Specifies the E-Level (E3 or E5) for the audit. This parameter is optional and can be combined with the ProfileLevel parameter.
.PARAMETER ProfileLevel .PARAMETER ProfileLevel
@@ -67,9 +67,9 @@ function Invoke-M365SecurityAudit {
[ValidatePattern('^https://[a-zA-Z0-9-]+-admin\.sharepoint\.com$')] [ValidatePattern('^https://[a-zA-Z0-9-]+-admin\.sharepoint\.com$')]
[string]$TenantAdminUrl, [string]$TenantAdminUrl,
[Parameter(Mandatory = $true, HelpMessage = "The domain name of your organization, e.g., 'example.com'.")] [Parameter(Mandatory = $false, HelpMessage = "Specify this to test only the default domain for password expiration policy when '1.3.1' is included in the tests to be run. The domain name of your organization, e.g., 'example.com'.")]
[ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')] [ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')]
[string]$DomainName, [string]$M365DomainForPWPolicyTest,
# E-Level with optional ProfileLevel selection # E-Level with optional ProfileLevel selection
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter')] [Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter')]
@@ -194,7 +194,7 @@ function Invoke-M365SecurityAudit {
Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100) Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
$functionName = $testFunction.BaseName $functionName = $testFunction.BaseName
if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) { if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) {
$auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $DomainName $auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $M365DomainForPWPolicyTest
# Add the result to the collection # Add the result to the collection
[void]$allAuditResults.Add($auditResult) [void]$allAuditResults.Add($auditResult)
} }

54
source/tests/Test-PasswordNeverExpirePolicy.ps1
View File

@@ -2,9 +2,8 @@ function Test-PasswordNeverExpirePolicy {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])] [OutputType([CISAuditResult])]
param ( param (
# Aligned [Parameter(Mandatory = $false)]
[Parameter(Mandatory)] [string]$DomainName
[string]$DomainName # DomainName parameter is now mandatory
) )
begin { begin {
@@ -12,33 +11,58 @@ function Test-PasswordNeverExpirePolicy {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "1.3.1" $recnum = "1.3.1"
$overallResult = $true
$detailsList = @()
$failureReasonsList = @()
# Add headers for the details
$detailsList += "Domain|Validity Period|IsDefault"
} }
process { process {
try { try {
# 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire' # Retrieve all domains or a specific domain
# Pass if PasswordValidityPeriodInDays is 0. Fail otherwise. $domains = if ($DomainName) {
Get-MgDomain -DomainId $DomainName
} else {
Get-MgDomain
}
foreach ($domain in $domains) {
$domainName = $domain.Id
$isDefault = $domain.IsDefault
# Retrieve password expiration policy # Retrieve password expiration policy
$passwordPolicy = Get-MgDomain -DomainId $DomainName | Select-Object -ExpandProperty PasswordValidityPeriodInDays $passwordPolicy = $domain.PasswordValidityPeriodInDays
# Determine if the policy is compliant
$isCompliant = $passwordPolicy -eq 0
$overallResult = $overallResult -and $isCompliant
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($passwordPolicy -ne 0) { $failureReasons = if ($isCompliant) {
"Password expiration is not set to never expire"
}
else {
"N/A" "N/A"
} else {
"Password expiration is not set to never expire for domain $domainName. Run the following command to remediate: `nUpdate-MgDomain -DomainId $domainName -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 30"
} }
$details = "Validity Period: $passwordPolicy days" $details = "$domainName|$passwordPolicy days|$isDefault"
# Add details and failure reasons to the lists
$detailsList += $details
$failureReasonsList += $failureReasons
}
# Prepare the final failure reason and details
$finalFailureReason = $failureReasonsList -join "`n"
$finalDetails = $detailsList -join "`n"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
Result = $passwordPolicy -eq 0 Result = $overallResult
Status = if ($passwordPolicy -eq 0) { "Pass" } else { "Fail" } Status = if ($overallResult) { "Pass" } else { "Fail" }
Details = $details Details = $finalDetails
FailureReason = $failureReasons FailureReason = $finalFailureReason
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
} }