add: Get-ExoOutput function and updated tests
This commit is contained in:
DrIOS
@@ -23,6 +23,33 @@ function Get-ExoOutput {
|
||||
|
||||
begin {
|
||||
# Begin Block #
|
||||
<#
|
||||
1.2.2
|
||||
1.3.3
|
||||
1.3.6
|
||||
2.1.1
|
||||
2.1.2
|
||||
2.1.3
|
||||
2.1.4
|
||||
2.1.5
|
||||
2.1.6
|
||||
2.1.7
|
||||
2.1.9
|
||||
3.1.1
|
||||
6.1.1
|
||||
6.1.2
|
||||
6.1.3
|
||||
6.2.1
|
||||
6.2.2
|
||||
6.2.3
|
||||
6.3.1
|
||||
6.5.1
|
||||
6.5.2
|
||||
6.5.3
|
||||
8.6.1
|
||||
|
||||
$testNumbers = @('1.2.2', '1.3.3', '1.3.6', '2.1.1', '2.1.2', '2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', '6.5.1', '6.5.2', '6.5.3', '8.6.1')
|
||||
#>
|
||||
}
|
||||
process {
|
||||
switch ($Rec) {
|
||||
@@ -94,25 +121,195 @@ function Get-ExoOutput {
|
||||
# [bool]
|
||||
return $result
|
||||
}
|
||||
'2.1.3' { Write-Output "Matched 2.1.3" }
|
||||
'2.1.4' { Write-Output "Matched 2.1.4" }
|
||||
'2.1.5' { Write-Output "Matched 2.1.5" }
|
||||
'2.1.6' { Write-Output "Matched 2.1.6" }
|
||||
'2.1.7' { Write-Output "Matched 2.1.7" }
|
||||
'2.1.9' { Write-Output "Matched 2.1.9" }
|
||||
'3.1.1' { Write-Output "Matched 3.1.1" }
|
||||
'6.1.1' { Write-Output "Matched 6.1.1" }
|
||||
'6.1.2' { Write-Output "Matched 6.1.2" }
|
||||
'6.1.3' { Write-Output "Matched 6.1.3" }
|
||||
'6.2.1' { Write-Output "Matched 6.2.1" }
|
||||
'6.2.2' { Write-Output "Matched 6.2.2" }
|
||||
'6.2.3' { Write-Output "Matched 6.2.3" }
|
||||
'6.3.1' { Write-Output "Matched 6.3.1" }
|
||||
'6.5.1' { Write-Output "Matched 6.5.1" }
|
||||
'6.5.2' { Write-Output "Matched 6.5.2" }
|
||||
'6.5.3' { Write-Output "Matched 6.5.3" }
|
||||
'8.6.1' { Write-Output "Matched 8.6.1" }
|
||||
default { Write-Output "No match found" }
|
||||
'2.1.3' {
|
||||
# Test-NotifyMalwareInternal.ps1
|
||||
# 2.1.3 Ensure notifications for internal users sending malware is Enabled
|
||||
|
||||
# Retrieve all 'Custom' malware filter policies and check notification settings
|
||||
$malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
|
||||
# [object[]]
|
||||
return $malwareNotifications
|
||||
}
|
||||
'2.1.4' {
|
||||
# Test-SafeAttachmentsPolicy.ps1
|
||||
if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
|
||||
# Retrieve all Safe Attachment policies where Enable is set to True
|
||||
# Check if ErrorAction needed below
|
||||
$safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
|
||||
# [object[]]
|
||||
return $safeAttachmentPolicies
|
||||
else {
|
||||
return 1
|
||||
}
|
||||
}
|
||||
}
|
||||
'2.1.5' {
|
||||
# Test-SafeAttachmentsTeams.ps1
|
||||
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
|
||||
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
|
||||
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
|
||||
$atpPolicies = Get-AtpPolicyForO365
|
||||
# Check if the required ATP policies are enabled
|
||||
$atpPolicyResult = $atpPolicies | Where-Object {
|
||||
$_.EnableATPForSPOTeamsODB -eq $true -and
|
||||
$_.EnableSafeDocs -eq $true -and
|
||||
$_.AllowSafeDocsOpen -eq $false
|
||||
}
|
||||
# [psobject[]]
|
||||
return $atpPolicyResult
|
||||
}
|
||||
else {
|
||||
return 1
|
||||
}
|
||||
}
|
||||
'2.1.6' {
|
||||
# Test-SpamPolicyAdminNotify.ps1
|
||||
# Retrieve the default hosted outbound spam filter policy
|
||||
$hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true }
|
||||
return $hostedOutboundSpamFilterPolicy
|
||||
|
||||
}
|
||||
'2.1.7' {
|
||||
# Test-AntiPhishingPolicy.ps1
|
||||
# Condition A: Ensure that an anti-phishing policy has been created
|
||||
$antiPhishPolicies = Get-AntiPhishPolicy
|
||||
return $antiPhishPolicies
|
||||
}
|
||||
'2.1.9' {
|
||||
# Test-EnableDKIM.ps1
|
||||
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
|
||||
|
||||
# Retrieve DKIM configuration for all domains
|
||||
$dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled
|
||||
# [object[]]
|
||||
return $dkimConfig
|
||||
}
|
||||
'3.1.1' {
|
||||
# Test-AuditLogSearch.ps1
|
||||
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
|
||||
|
||||
# Retrieve the audit log configuration
|
||||
$auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
|
||||
#
|
||||
$auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
|
||||
# [bool]
|
||||
return $auditLogResult
|
||||
}
|
||||
'6.1.1' {
|
||||
# Test-AuditDisabledFalse.ps1
|
||||
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
|
||||
|
||||
# Retrieve the AuditDisabled configuration (Condition B)
|
||||
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
|
||||
# [bool]
|
||||
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
|
||||
return $auditNotDisabled
|
||||
}
|
||||
'6.1.2' {
|
||||
# Test-MailboxAuditingE3.ps1
|
||||
$mailboxes = Get-EXOMailbox -PropertySets Audit
|
||||
# [object[]]
|
||||
return $mailboxes
|
||||
}
|
||||
'6.1.3' {
|
||||
# Test-MailboxAuditingE5.ps1
|
||||
$mailboxes = Get-EXOMailbox -PropertySets Audit
|
||||
# [object[]]
|
||||
return $mailboxes
|
||||
}
|
||||
'6.2.1' {
|
||||
# Test-BlockMailForwarding.ps1
|
||||
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
|
||||
# Step 1: Retrieve the transport rules that redirect messages
|
||||
$transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo }
|
||||
if ($null -eq $transportRules) {
|
||||
$transportRules = 1
|
||||
}
|
||||
# Step 2: Check all anti-spam outbound policies
|
||||
$outboundSpamPolicies = Get-HostedOutboundSpamFilterPolicy
|
||||
$nonCompliantSpamPolicies = $outboundSpamPolicies | Where-Object { $_.AutoForwardingMode -ne 'Off' }
|
||||
return $transportRules, $nonCompliantSpamPolicies
|
||||
|
||||
}
|
||||
'6.2.2' {
|
||||
# Test-NoWhitelistDomains.ps1
|
||||
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
|
||||
|
||||
# Retrieve transport rules that whitelist specific domains
|
||||
# Condition A: Checking for transport rules that whitelist specific domains
|
||||
# [object[]]
|
||||
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
|
||||
return $whitelistedRules
|
||||
}
|
||||
'6.2.3' {
|
||||
# Test-IdentifyExternalEmail.ps1
|
||||
# 6.2.3 (L1) Ensure email from external senders is identified
|
||||
|
||||
# Retrieve external sender tagging configuration
|
||||
# [object[]]
|
||||
$externalInOutlook = Get-ExternalInOutlook
|
||||
return $externalInOutlook
|
||||
}
|
||||
'6.3.1' {
|
||||
# Test-RestrictOutlookAddins.ps1
|
||||
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
|
||||
$customPolicyFailures = @()
|
||||
# Check all mailboxes for custom policies with unallowed add-ins
|
||||
$roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy
|
||||
|
||||
if ($roleAssignmentPolicies.RoleAssignmentPolicy) {
|
||||
foreach ($policy in $roleAssignmentPolicies) {
|
||||
if ($policy.RoleAssignmentPolicy) {
|
||||
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
|
||||
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
|
||||
|
||||
# Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
|
||||
if ($foundRoles) {
|
||||
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# Check Default Role Assignment Policy
|
||||
$defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
|
||||
return $customPolicyFailures, $defaultPolicy
|
||||
}
|
||||
'6.5.1' {
|
||||
# Test-ModernAuthExchangeOnline.ps1
|
||||
# Ensuring the ExchangeOnlineManagement module is available
|
||||
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
|
||||
|
||||
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
|
||||
$orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
|
||||
return $orgConfig
|
||||
}
|
||||
'6.5.2' {
|
||||
# Test-MailTipsEnabled.ps1
|
||||
# 6.5.2 (L2) Ensure MailTips are enabled for end users
|
||||
# Retrieve organization configuration for MailTips settings
|
||||
# [object]
|
||||
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
|
||||
return $orgConfig
|
||||
}
|
||||
'6.5.3' {
|
||||
# Test-RestrictStorageProvidersOutlook.ps1
|
||||
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
|
||||
# Retrieve all OwaMailbox policies
|
||||
# [object[]]
|
||||
$owaPolicies = Get-OwaMailboxPolicy
|
||||
return $owaPolicies
|
||||
}
|
||||
'8.6.1' {
|
||||
# Test-ReportSecurityInTeams.ps1
|
||||
# 8.6.1 (L1) Ensure users can report security concerns in Teams
|
||||
|
||||
# Retrieve the necessary settings for Teams and Exchange Online
|
||||
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
|
||||
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
|
||||
$ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled
|
||||
return $ReportSubmissionPolicy
|
||||
}
|
||||
default { throw "No match found for test: $Rec" }
|
||||
}
|
||||
}
|
||||
end {
|
||||
|
||||
Reference in New Issue
Block a user