fix: 2.1.4 simplified output and added object comment
This commit is contained in:
DrIOS
@@ -261,6 +261,18 @@ function Get-CISExoOutput {
|
||||
if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
|
||||
# Retrieve all Safe Attachment policies where Enable is set to True
|
||||
# Check if ErrorAction needed below
|
||||
# $safeAttachmentPolicies Mock Object:
|
||||
<#
|
||||
$safeAttachmentPolicies = @(
|
||||
[PSCustomObject]@{
|
||||
Policy = "Strict Preset Security Policy"
|
||||
Action = "Block"
|
||||
QuarantineTag = "AdminOnlyAccessPolicy"
|
||||
Redirect = $false
|
||||
Enabled = $true
|
||||
}
|
||||
)
|
||||
#>
|
||||
$safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
|
||||
# [object[]]
|
||||
return $safeAttachmentPolicies
|
||||
|
||||
@@ -5,73 +5,67 @@ function Test-SafeAttachmentsPolicy {
|
||||
|
||||
begin {
|
||||
$recnum = "2.1.4"
|
||||
|
||||
Write-Verbose "Running Test-SafeAttachmentsPolicy for $recnum..."
|
||||
<#
|
||||
Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled
|
||||
Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled:
|
||||
Validate test for a pass:
|
||||
- Ensure the highest priority Safe Attachments policy is enabled.
|
||||
- Check if the policy's action is set to 'Block'.
|
||||
- Confirm the QuarantineTag is set to 'AdminOnlyAccessPolicy'.
|
||||
- Verify that the Redirect setting is disabled.
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: The Safe Attachments policy is enabled in the Microsoft 365 Defender portal.
|
||||
- Condition B: The policy covers all recipients within the organization.
|
||||
- Condition C: The policy action is set to "Dynamic Delivery" or "Quarantine".
|
||||
- Condition D: The policy is not disabled.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
- Condition A: The Safe Attachments policy is not enabled in the Microsoft 365 Defender portal.
|
||||
- Condition B: The policy does not cover all recipients within the organization.
|
||||
- Condition C: The policy action is not set to "Dynamic Delivery" or "Quarantine".
|
||||
- Condition D: The policy is disabled.
|
||||
Validate test for a fail:
|
||||
- If the highest priority Safe Attachments policy's action is not set to 'Block'.
|
||||
- If the QuarantineTag is not set to 'AdminOnlyAccessPolicy'.
|
||||
- If the Redirect setting is enabled.
|
||||
- If no enabled Safe Attachments policies are found.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
# 2.1.4 (L2) Ensure Safe Attachments policy is enabled
|
||||
# $safeAttachmentPolicies Mock Object
|
||||
<#
|
||||
$safeAttachmentPolicies = @(
|
||||
[PSCustomObject]@{
|
||||
Policy = "Strict Preset Security Policy"
|
||||
Action = "Block"
|
||||
QuarantineTag = "AdminOnlyAccessPolicy"
|
||||
Redirect = $false
|
||||
Enabled = $true
|
||||
}
|
||||
)
|
||||
#>
|
||||
$safeAttachmentPolicies = Get-CISExoOutput -Rec $recnum
|
||||
if ($safeAttachmentPolicies -ne 1) {
|
||||
try {
|
||||
# Check if any Safe Attachments policy is enabled (Condition A)
|
||||
$result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
|
||||
|
||||
$highestPriorityPolicy = $safeAttachmentPolicies | Select-Object -First 1
|
||||
# Initialize details and failure reasons
|
||||
$details = @()
|
||||
$failureReasons = @()
|
||||
|
||||
foreach ($policy in $safeAttachmentPolicies) {
|
||||
# Initialize policy detail and failed status
|
||||
$failed = $false
|
||||
|
||||
# Check if the policy action is set to "Dynamic Delivery" or "Quarantine" (Condition C)
|
||||
if ($policy.Action -notin @("DynamicDelivery", "Quarantine")) {
|
||||
$failureReasons += "Policy '$($policy.Name)' action is not set to 'Dynamic Delivery' or 'Quarantine'."
|
||||
$failed = $true
|
||||
}
|
||||
|
||||
# Check if the policy is not disabled (Condition D)
|
||||
if (-not $policy.Enable) {
|
||||
$failureReasons += "Policy '$($policy.Name)' is disabled."
|
||||
$failed = $true
|
||||
}
|
||||
|
||||
# Add policy details to the details array
|
||||
$details += [PSCustomObject]@{
|
||||
Policy = $policy.Name
|
||||
Enabled = $policy.Enable
|
||||
Action = $policy.Action
|
||||
Failed = $failed
|
||||
}
|
||||
# Check policy specifics as per CIS benchmark requirements
|
||||
if ($highestPriorityPolicy.Action -ne 'Block') {
|
||||
$failureReasons += "Policy action is not set to 'Block'."
|
||||
}
|
||||
if ($highestPriorityPolicy.QuarantineTag -ne 'AdminOnlyAccessPolicy') {
|
||||
$failureReasons += "Quarantine policy is not set to 'AdminOnlyAccessPolicy'."
|
||||
}
|
||||
if ($highestPriorityPolicy.Redirect -ne $false) {
|
||||
$failureReasons += "Redirect is not disabled."
|
||||
}
|
||||
|
||||
# The result is a pass if there are no failure reasons
|
||||
$result = $failureReasons.Count -eq 0
|
||||
|
||||
$details = [PSCustomObject]@{
|
||||
Policy = $highestPriorityPolicy.Identity
|
||||
Action = $highestPriorityPolicy.Action
|
||||
QuarantineTag = $highestPriorityPolicy.QuarantineTag
|
||||
Redirect = $highestPriorityPolicy.Redirect
|
||||
Enabled = $highestPriorityPolicy.Enable
|
||||
}
|
||||
# Format details for output manually
|
||||
$detailsString = "Policy|Enabled|Action|Failed`n" + ($details |
|
||||
ForEach-Object {"$($_.Policy)|$($_.Enabled)|$($_.Action)|$($_.Failed)`n"}
|
||||
$detailsString = "Policy|Action|QuarantineTag|Redirect|Enabled`n" + ($details |
|
||||
ForEach-Object { "$($_.Policy)|$($_.Action)|$($_.QuarantineTag)|$($_.Redirect)|$($_.Enabled)`n" }
|
||||
)
|
||||
$failureReasonsString = ($failureReasons | ForEach-Object { $_ }) -join ' '
|
||||
|
||||
$failureReasonsString = ($failureReasons -join "`n")
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -84,13 +78,10 @@ function Test-SafeAttachmentsPolicy {
|
||||
}
|
||||
catch {
|
||||
Write-Error "An error occurred during the test: $_"
|
||||
|
||||
# Retrieve the description from the test definitions
|
||||
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
|
||||
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
|
||||
|
||||
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
|
||||
|
||||
# Call Initialize-CISAuditResult with error parameters
|
||||
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
|
||||
}
|
||||
@@ -106,7 +97,6 @@ function Test-SafeAttachmentsPolicy {
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return the audit result
|
||||
return $auditResult
|
||||
|
||||
Reference in New Issue
Block a user