diff --git a/source/Private/Get-CISExoOutput.ps1 b/source/Private/Get-CISExoOutput.ps1
index 0f981db..bc0de27 100644
--- a/source/Private/Get-CISExoOutput.ps1
+++ b/source/Private/Get-CISExoOutput.ps1
@@ -261,6 +261,18 @@ function Get-CISExoOutput {
 if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
 # Retrieve all Safe Attachment policies where Enable is set to True
 # Check if ErrorAction needed below
+ # $safeAttachmentPolicies Mock Object:
+ <#
+ $safeAttachmentPolicies = @(
+ [PSCustomObject]@{
+ Policy = "Strict Preset Security Policy"
+ Action = "Block"
+ QuarantineTag = "AdminOnlyAccessPolicy"
+ Redirect = $false
+ Enabled = $true
+ }
+ )
+ #>
 $safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true } # [object[]]
 return $safeAttachmentPolicies
diff --git a/source/tests/Test-SafeAttachmentsPolicy.ps1 b/source/tests/Test-SafeAttachmentsPolicy.ps1
index 6011aa8..2065728 100644
--- a/source/tests/Test-SafeAttachmentsPolicy.ps1
+++ b/source/tests/Test-SafeAttachmentsPolicy.ps1
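Review bot: The commented-out mock object uses the property names `Policy` and `Enabled`, but the live object this branch returns is filtered on `$_.Enable`, and the consumer in Test-SafeAttachmentsPolicy (the second file in this commit) reads `.Identity` and `.Enable`; a mock shaped like this would exercise neither of those reads. The same mock block is duplicated verbatim in the second file's hunk, so both copies should use `Identity = "Strict Preset Security Policy"` and `Enable = $true`, or one copy should be dropped so the two cannot drift apart. That `Get-SafeAttachmentPolicy` emits `Identity` and `Enable` is inferred from the visible reads, not verified here.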
@@ -5,73 +5,67 @@ function Test-SafeAttachmentsPolicy { begin { $recnum = "2.1.4" - + Write-Verbose "Running Test-SafeAttachmentsPolicy for $recnum..." <# - Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled + Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled: + Validate test for a pass: + - Ensure the highest priority Safe Attachments policy is enabled. + - Check if the policy's action is set to 'Block'. + - Confirm the QuarantineTag is set to 'AdminOnlyAccessPolicy'. + - Verify that the Redirect setting is disabled. - Validate test for a pass: - - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. - - Specific conditions to check: - - Condition A: The Safe Attachments policy is enabled in the Microsoft 365 Defender portal. - - Condition B: The policy covers all recipients within the organization. - - Condition C: The policy action is set to "Dynamic Delivery" or "Quarantine". - - Condition D: The policy is not disabled. - - Validate test for a fail: - - Confirm that the failure conditions in the automated test are consistent with the manual audit results. - - Specific conditions to check: - - Condition A: The Safe Attachments policy is not enabled in the Microsoft 365 Defender portal. - - Condition B: The policy does not cover all recipients within the organization. - - Condition C: The policy action is not set to "Dynamic Delivery" or "Quarantine". - - Condition D: The policy is disabled. + Validate test for a fail: + - If the highest priority Safe Attachments policy's action is not set to 'Block'. + - If the QuarantineTag is not set to 'AdminOnlyAccessPolicy'. + - If the Redirect setting is enabled. + - If no enabled Safe Attachments policies are found. 
#> } - process { + # 2.1.4 (L2) Ensure Safe Attachments policy is enabled + # $safeAttachmentPolicies Mock Object + <# + $safeAttachmentPolicies = @( + [PSCustomObject]@{ + Policy = "Strict Preset Security Policy" + Action = "Block" + QuarantineTag = "AdminOnlyAccessPolicy" + Redirect = $false + Enabled = $true + } + ) + #> $safeAttachmentPolicies = Get-CISExoOutput -Rec $recnum if ($safeAttachmentPolicies -ne 1) { try { - # Check if any Safe Attachments policy is enabled (Condition A) - $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0 - + $highestPriorityPolicy = $safeAttachmentPolicies | Select-Object -First 1 # Initialize details and failure reasons $details = @() $failureReasons = @() - - foreach ($policy in $safeAttachmentPolicies) { - # Initialize policy detail and failed status - $failed = $false - - # Check if the policy action is set to "Dynamic Delivery" or "Quarantine" (Condition C) - if ($policy.Action -notin @("DynamicDelivery", "Quarantine")) { - $failureReasons += "Policy '$($policy.Name)' action is not set to 'Dynamic Delivery' or 'Quarantine'." - $failed = $true - } - - # Check if the policy is not disabled (Condition D) - if (-not $policy.Enable) { - $failureReasons += "Policy '$($policy.Name)' is disabled." - $failed = $true - } - - # Add policy details to the details array - $details += [PSCustomObject]@{ - Policy = $policy.Name - Enabled = $policy.Enable - Action = $policy.Action - Failed = $failed - } + # Check policy specifics as per CIS benchmark requirements + if ($highestPriorityPolicy.Action -ne 'Block') { + $failureReasons += "Policy action is not set to 'Block'." + } + if ($highestPriorityPolicy.QuarantineTag -ne 'AdminOnlyAccessPolicy') { + $failureReasons += "Quarantine policy is not set to 'AdminOnlyAccessPolicy'." + } + if ($highestPriorityPolicy.Redirect -ne $false) { + $failureReasons += "Redirect is not disabled." 
} - # The result is a pass if there are no failure reasons $result = $failureReasons.Count -eq 0 - + $details = [PSCustomObject]@{ + Policy = $highestPriorityPolicy.Identity + Action = $highestPriorityPolicy.Action + QuarantineTag = $highestPriorityPolicy.QuarantineTag + Redirect = $highestPriorityPolicy.Redirect + Enabled = $highestPriorityPolicy.Enable + } # Format details for output manually - $detailsString = "Policy|Enabled|Action|Failed`n" + ($details | - ForEach-Object {"$($_.Policy)|$($_.Enabled)|$($_.Action)|$($_.Failed)`n"} + $detailsString = "Policy|Action|QuarantineTag|Redirect|Enabled`n" + ($details | + ForEach-Object { "$($_.Policy)|$($_.Action)|$($_.QuarantineTag)|$($_.Redirect)|$($_.Enabled)`n" } ) - $failureReasonsString = ($failureReasons | ForEach-Object { $_ }) -join ' ' - + $failureReasonsString = ($failureReasons -join "`n") # Create and populate the CISAuditResult object $params = @{ Rec = $recnum @@ -84,13 +78,10 @@ function Test-SafeAttachmentsPolicy { } catch { Write-Error "An error occurred during the test: $_" - # Retrieve the description from the test definitions $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } - $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) - # Call Initialize-CISAuditResult with error parameters $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure } @@ -106,7 +97,6 @@ function Test-SafeAttachmentsPolicy { $auditResult = Initialize-CISAuditResult @params } } - end { # Return the audit result return $auditResult
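Review bot: When `$safeAttachmentPolicies` comes back `$null` (the visible branch in Get-CISExoOutput returns whatever the `Where-Object { $_.Enable -eq $true }` filter yields, which is nothing when no policy is enabled), the `-ne 1` guard still enters the try block, `Select-Object -First 1` yields `$null`, and the three property comparisons then record reasons about a policy that does not exist while the documented failure case "no enabled Safe Attachments policies are found" never appears in `$failureReasons`. A null check ahead of the property comparisons, as below, makes that case explicit. Separately, nothing visible sorts the pipeline, so `Select-Object -First 1` picks whichever object the cmdlet happens to emit first rather than a policy chosen by priority; if priority ordering is required it should be applied explicitly (I believe priority is carried by the matching rule rather than the policy object, but that is inferred, not visible here). `$details = @()` is also dead now that `$details` is reassigned to a single `[PSCustomObject]` further down. The enclosing `process` block and the `else` branch of the `-ne 1` guard continue beyond this hunk.
```powershell
$highestPriorityPolicy = $safeAttachmentPolicies | Select-Object -First 1
$failureReasons = @()
if ($null -eq $highestPriorityPolicy) {
    $failureReasons += "No enabled Safe Attachments policies were found."
}
else {
    # Check policy specifics as per CIS benchmark requirements
    if ($highestPriorityPolicy.Action -ne 'Block') {
        $failureReasons += "Policy action is not set to 'Block'."
    }
    # ... unchanged: QuarantineTag and Redirect checks ...
}
# ... unchanged: $result, $details, $detailsString, $failureReasonsString ...
```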