vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 2.1.4 simplified output and added object comment

Browse Source
This commit is contained in:
DrIOS
2024-06-28 20:53:50 -05:00
parent c05ba5aebd
commit 37b6557221
2 changed files with 57 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
source/Private/Get-CISExoOutput.ps1
View File

@@ -261,6 +261,18 @@ function Get-CISExoOutput {
if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) { if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
# Retrieve all Safe Attachment policies where Enable is set to True # Retrieve all Safe Attachment policies where Enable is set to True
# Check if ErrorAction needed below # Check if ErrorAction needed below
# $safeAttachmentPolicies Mock Object:
<#
$safeAttachmentPolicies = @(
[PSCustomObject]@{
Policy = "Strict Preset Security Policy"
Action = "Block"
QuarantineTag = "AdminOnlyAccessPolicy"
Redirect = $false
Enabled = $true
}
)
#>
$safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true } $safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
# [object[]] # [object[]]
return $safeAttachmentPolicies return $safeAttachmentPolicies

92
source/tests/Test-SafeAttachmentsPolicy.ps1
View File

@@ -5,73 +5,67 @@ function Test-SafeAttachmentsPolicy {
begin { begin {
$recnum = "2.1.4" $recnum = "2.1.4"
Write-Verbose "Running Test-SafeAttachmentsPolicy for $recnum..."
<# <#
Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled:
Validate test for a pass: Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. - Ensure the highest priority Safe Attachments policy is enabled.
- Specific conditions to check: - Check if the policy's action is set to 'Block'.
- Condition A: The Safe Attachments policy is enabled in the Microsoft 365 Defender portal. - Confirm the QuarantineTag is set to 'AdminOnlyAccessPolicy'.
- Condition B: The policy covers all recipients within the organization. - Verify that the Redirect setting is disabled.
- Condition C: The policy action is set to "Dynamic Delivery" or "Quarantine".
- Condition D: The policy is not disabled.
Validate test for a fail: Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results. - If the highest priority Safe Attachments policy's action is not set to 'Block'.
- Specific conditions to check: - If the QuarantineTag is not set to 'AdminOnlyAccessPolicy'.
- Condition A: The Safe Attachments policy is not enabled in the Microsoft 365 Defender portal. - If the Redirect setting is enabled.
- Condition B: The policy does not cover all recipients within the organization. - If no enabled Safe Attachments policies are found.
- Condition C: The policy action is not set to "Dynamic Delivery" or "Quarantine".
- Condition D: The policy is disabled.
#> #>
} }
process { process {
# 2.1.4 (L2) Ensure Safe Attachments policy is enabled
# $safeAttachmentPolicies Mock Object
<#
$safeAttachmentPolicies = @(
[PSCustomObject]@{
Policy = "Strict Preset Security Policy"
Action = "Block"
QuarantineTag = "AdminOnlyAccessPolicy"
Redirect = $false
Enabled = $true
}
)
#>
$safeAttachmentPolicies = Get-CISExoOutput -Rec $recnum $safeAttachmentPolicies = Get-CISExoOutput -Rec $recnum
if ($safeAttachmentPolicies -ne 1) { if ($safeAttachmentPolicies -ne 1) {
try { try {
# Check if any Safe Attachments policy is enabled (Condition A) $highestPriorityPolicy = $safeAttachmentPolicies | Select-Object -First 1
$result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
# Initialize details and failure reasons # Initialize details and failure reasons
$details = @() $details = @()
$failureReasons = @() $failureReasons = @()
# Check policy specifics as per CIS benchmark requirements
foreach ($policy in $safeAttachmentPolicies) { if ($highestPriorityPolicy.Action -ne 'Block') {
# Initialize policy detail and failed status $failureReasons += "Policy action is not set to 'Block'."
$failed = $false
# Check if the policy action is set to "Dynamic Delivery" or "Quarantine" (Condition C)
if ($policy.Action -notin @("DynamicDelivery", "Quarantine")) {
$failureReasons += "Policy '$($policy.Name)' action is not set to 'Dynamic Delivery' or 'Quarantine'."
$failed = $true
} }
if ($highestPriorityPolicy.QuarantineTag -ne 'AdminOnlyAccessPolicy') {
# Check if the policy is not disabled (Condition D) $failureReasons += "Quarantine policy is not set to 'AdminOnlyAccessPolicy'."
if (-not $policy.Enable) {
$failureReasons += "Policy '$($policy.Name)' is disabled."
$failed = $true
} }
if ($highestPriorityPolicy.Redirect -ne $false) {
# Add policy details to the details array $failureReasons += "Redirect is not disabled."
$details += [PSCustomObject]@{
Policy = $policy.Name
Enabled = $policy.Enable
Action = $policy.Action
Failed = $failed
} }
}
# The result is a pass if there are no failure reasons # The result is a pass if there are no failure reasons
$result = $failureReasons.Count -eq 0 $result = $failureReasons.Count -eq 0
$details = [PSCustomObject]@{
Policy = $highestPriorityPolicy.Identity
Action = $highestPriorityPolicy.Action
QuarantineTag = $highestPriorityPolicy.QuarantineTag
Redirect = $highestPriorityPolicy.Redirect
Enabled = $highestPriorityPolicy.Enable
}
# Format details for output manually # Format details for output manually
$detailsString = "Policy|Enabled|Action|Failed`n" + ($details | $detailsString = "Policy|Action|QuarantineTag|Redirect|Enabled`n" + ($details |
ForEach-Object {"$($_.Policy)|$($_.Enabled)|$($_.Action)|$($_.Failed)`n"} ForEach-Object { "$($_.Policy)|$($_.Action)|$($_.QuarantineTag)|$($_.Redirect)|$($_.Enabled)`n" }
) )
$failureReasonsString = ($failureReasons | ForEach-Object { $_ }) -join ' ' $failureReasonsString = ($failureReasons -join "`n")
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -84,13 +78,10 @@ function Test-SafeAttachmentsPolicy {
} }
catch { catch {
Write-Error "An error occurred during the test: $_" Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters # Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
@@ -106,7 +97,6 @@ function Test-SafeAttachmentsPolicy {
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult