add: Get-ExoOutput function and updated tests

2024-06-23 14:28:51 -05:00
parent 90c5b95f35
commit 381b8ebeb8
20 changed files with 239 additions and 79 deletions
--- a/source/tests/Test-AntiPhishingPolicy.ps1
+++ b/source/tests/Test-AntiPhishingPolicy.ps1
@@ -34,7 +34,7 @@ function Test-AntiPhishingPolicy {

        try {
            # Condition A: Ensure that an anti-phishing policy has been created
-            $antiPhishPolicies = Get-AntiPhishPolicy
+            $antiPhishPolicies = Get-ExoOutput -Rec $recnum

            # Condition B: Verify the anti-phishing policy settings using PowerShell
            $validatedPolicies = $antiPhishPolicies | Where-Object {
--- a/source/tests/Test-AuditDisabledFalse.ps1
+++ b/source/tests/Test-AuditDisabledFalse.ps1
@@ -35,8 +35,7 @@ function Test-AuditDisabledFalse {
            # 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'

            # Retrieve the AuditDisabled configuration (Condition B)
-            $auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
-            $auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
+            $auditNotDisabled = Get-ExoOutput -Rec $recnum

            # Prepare failure reasons and details based on compliance
            $failureReasons = if (-not $auditNotDisabled) {
--- a/source/tests/Test-AuditLogSearch.ps1
+++ b/source/tests/Test-AuditLogSearch.ps1
@@ -36,9 +36,7 @@ function Test-AuditLogSearch {
        try {
            # 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled

-            # Retrieve the audit log configuration
-            $auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
-            $auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
+            $auditLogResult = Get-ExoOutput -Rec $recnum

            # Prepare failure reasons and details based on compliance
            $failureReasons = if (-not $auditLogResult) {
--- a/source/tests/Test-BlockMailForwarding.ps1
+++ b/source/tests/Test-BlockMailForwarding.ps1
@@ -35,12 +35,10 @@ function Test-BlockMailForwarding {
            # 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled

            # Step 1: Retrieve the transport rules that redirect messages
-            $transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo }
+            $transportRules,$nonCompliantSpamPolicies = Get-ExoOutput -Rec $recnum
            $transportForwardingBlocked = $transportRules.Count -eq 0

            # Step 2: Check all anti-spam outbound policies
-            $outboundSpamPolicies = Get-HostedOutboundSpamFilterPolicy
-            $nonCompliantSpamPolicies = $outboundSpamPolicies | Where-Object { $_.AutoForwardingMode -ne 'Off' }
            $nonCompliantSpamPoliciesArray = @($nonCompliantSpamPolicies)
            $spamForwardingBlocked = $nonCompliantSpamPoliciesArray.Count -eq 0

@@ -51,7 +49,7 @@ function Test-BlockMailForwarding {
            $failureReasons = @()
            $details = @()

-            if ($transportRules.Count -gt 0) {
+            if ($transportRules -ne 1) {
                # Fail Condition A
                $failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')"
                $details += "Transport Rules Details:`nRule Name|Redirects To"
--- a/source/tests/Test-CommonAttachmentFilter.ps1
+++ b/source/tests/Test-CommonAttachmentFilter.ps1
@@ -38,8 +38,7 @@ function Test-CommonAttachmentFilter {
            # Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `True`.

            # Retrieve the attachment filter policy
-            $attachmentFilter = Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter
-            $result = $attachmentFilter.EnableFileFilter
+            $result = Get-ExoOutput -Rec $recnum

            # Prepare failure reasons and details based on compliance
            $failureReasons = if (-not $result) {
--- a/source/tests/Test-EnableDKIM.ps1
+++ b/source/tests/Test-EnableDKIM.ps1
@@ -36,7 +36,7 @@ function Test-EnableDKIM {
            # 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains

            # Retrieve DKIM configuration for all domains
-            $dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled
+            $dkimConfig = Get-ExoOutput -Rec $recnum
            $dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false
            $dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain }

--- a/source/tests/Test-IdentifyExternalEmail.ps1
+++ b/source/tests/Test-IdentifyExternalEmail.ps1
@@ -36,7 +36,7 @@ function Test-IdentifyExternalEmail {
            # 6.2.3 (L1) Ensure email from external senders is identified

            # Retrieve external sender tagging configuration
-            $externalInOutlook = Get-ExternalInOutlook
+            $externalInOutlook = Get-ExoOutput -Rec $recnum
            $externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true

            # Prepare failure reasons and details based on compliance
--- a/source/tests/Test-MailTipsEnabled.ps1
+++ b/source/tests/Test-MailTipsEnabled.ps1
@@ -38,7 +38,7 @@ function Test-MailTipsEnabled {
            # 6.5.2 (L2) Ensure MailTips are enabled for end users

            # Retrieve organization configuration for MailTips settings
-            $orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
+            $orgConfig = Get-ExoOutput -Rec $recnum

            # Check the MailTips settings (Conditions A, B, C, D)
            $allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25
--- a/source/tests/Test-MailboxAuditingE3.ps1
+++ b/source/tests/Test-MailboxAuditingE3.ps1
@@ -45,7 +45,7 @@ function Test-MailboxAuditingE3 {

    process {
        if ($null -ne $allUsers) {
-            $mailboxes = Get-EXOMailbox -PropertySets Audit
+            $mailboxes = Get-ExoOutput -Rec $recnum
            try {
                foreach ($user in $allUsers) {
                    if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
--- a/source/tests/Test-MailboxAuditingE5.ps1
+++ b/source/tests/Test-MailboxAuditingE5.ps1
@@ -40,7 +40,7 @@ function Test-MailboxAuditingE5 {

    process {
        if ($null -ne $allUsers) {
-            $mailboxes = Get-EXOMailbox -PropertySets Audit
+            $mailboxes = Get-ExoOutput -Rec $recnum
            try {
                foreach ($user in $allUsers) {
                    if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
--- a/source/tests/Test-ModernAuthExchangeOnline.ps1
+++ b/source/tests/Test-ModernAuthExchangeOnline.ps1
@@ -31,12 +31,10 @@ function Test-ModernAuthExchangeOnline {

    process {
        try {
-            # Ensuring the ExchangeOnlineManagement module is available
-
            # 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled

            # Check modern authentication setting in Exchange Online configuration (Condition A and B)
-            $orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
+            $orgConfig = Get-ExoOutput -Rec $recnum

            # Prepare failure reasons and details based on compliance
            $failureReasons = if (-not $orgConfig.OAuth2ClientProfileEnabled) {
--- a/source/tests/Test-NoWhitelistDomains.ps1
+++ b/source/tests/Test-NoWhitelistDomains.ps1
@@ -38,8 +38,7 @@ function Test-NoWhitelistDomains {

            # Retrieve transport rules that whitelist specific domains
            # Condition A: Checking for transport rules that whitelist specific domains
-            $whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
-
+            $whitelistedRules = Get-ExoOutput -Rec $recnum
            # Prepare failure reasons and details based on compliance
            # Condition B: Prepare failure reasons based on the presence of whitelisted rules
            $failureReasons = if ($whitelistedRules) {
--- a/source/tests/Test-NotifyMalwareInternal.ps1
+++ b/source/tests/Test-NotifyMalwareInternal.ps1
@@ -34,7 +34,7 @@ function Test-NotifyMalwareInternal {
            # 2.1.3 Ensure notifications for internal users sending malware is Enabled

            # Retrieve all 'Custom' malware filter policies and check notification settings
-            $malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
+            $malwareNotifications = Get-ExoOutput -Rec $recnum

            # Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
            $policiesToReport = @()
--- a/source/tests/Test-ReportSecurityInTeams.ps1
+++ b/source/tests/Test-ReportSecurityInTeams.ps1
@@ -16,16 +16,15 @@ function Test-ReportSecurityInTeams {

    process {
        try {
+            # Test-ReportSecurityInTeams.ps1
            # 8.6.1 (L1) Ensure users can report security concerns in Teams

            # Retrieve the necessary settings for Teams and Exchange Online
            # Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
            $CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
-
            # Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
            # Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
-            $ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled
-
+            $ReportSubmissionPolicy = Get-ExoOutput -Rec $recnum
            # Check if all the required settings are enabled
            $securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and
            $ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and
--- a/source/tests/Test-RestrictOutlookAddins.ps1
+++ b/source/tests/Test-RestrictOutlookAddins.ps1
@@ -11,7 +11,6 @@ function Test-RestrictOutlookAddins {
        #. .\source\Classes\CISAuditResult.ps1

        # Initialization code
-        $customPolicyFailures = @()
        $defaultPolicyFailureDetails = @()
        $relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
        $recnum = "6.3.1"
@@ -36,24 +35,8 @@ function Test-RestrictOutlookAddins {
            # 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed

            # Check all mailboxes for custom policies with unallowed add-ins
-            $roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy
-
-            if ($roleAssignmentPolicies.RoleAssignmentPolicy) {
-                foreach ($policy in $roleAssignmentPolicies) {
-                    if ($policy.RoleAssignmentPolicy) {
-                        $rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
-                        $foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
-
-                        # Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
-                        if ($foundRoles) {
-                            $customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
-                        }
-                    }
-                }
-            }
-
            # Check Default Role Assignment Policy
-            $defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
+            $customPolicyFailures, $defaultPolicy = Get-ExoOutput -Rec $recnum
            $defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }

            # Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
--- a/source/tests/Test-RestrictStorageProvidersOutlook.ps1
+++ b/source/tests/Test-RestrictStorageProvidersOutlook.ps1
@@ -34,7 +34,7 @@ function Test-RestrictStorageProvidersOutlook {
            # 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web

            # Retrieve all OwaMailbox policies
-            $owaPolicies = Get-OwaMailboxPolicy
+            $owaPolicies = Get-ExoOutput -Rec $recnum
            # Condition A: Check if AdditionalStorageProvidersAvailable is set to False
            $nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }

--- a/source/tests/Test-SafeAttachmentsPolicy.ps1
+++ b/source/tests/Test-SafeAttachmentsPolicy.ps1
@@ -28,10 +28,9 @@ function Test-SafeAttachmentsPolicy {
    }

    process {
-        if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
+        $safeAttachmentPolicies = Get-ExoOutput -Rec $recnum
+        if ($safeAttachmentPolicies -ne 1) {
            try {
-                # Retrieve all Safe Attachment policies where Enable is set to True
-                $safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
                # Check if any Safe Attachments policy is enabled (Condition A)
                $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0

--- a/source/tests/Test-SafeAttachmentsTeams.ps1
+++ b/source/tests/Test-SafeAttachmentsTeams.ps1
@@ -31,18 +31,9 @@ function Test-SafeAttachmentsTeams {
    }

    process {
-        if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
+        $atpPolicyResult = Get-ExoOutput -Rec $recnum
+        if ($atpPolicyResult -ne 1) {
            try {
-                # 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
-                # Retrieve the ATP policies for Office 365 and check Safe Attachments settings
-                $atpPolicies = Get-AtpPolicyForO365
-                # Check if the required ATP policies are enabled
-                $atpPolicyResult = $atpPolicies | Where-Object {
-                    $_.EnableATPForSPOTeamsODB -eq $true -and
-                    $_.EnableSafeDocs -eq $true -and
-                    $_.AllowSafeDocsOpen -eq $false
-                }
-
                # Condition A: Check Safe Attachments for SharePoint
                # Condition B: Check Safe Attachments for OneDrive
                # Condition C: Check Safe Attachments for Microsoft Teams
--- a/source/tests/Test-SpamPolicyAdminNotify.ps1
+++ b/source/tests/Test-SpamPolicyAdminNotify.ps1
@@ -38,7 +38,7 @@ function Test-SpamPolicyAdminNotify {
            # 2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators

            # Retrieve the default hosted outbound spam filter policy
-            $hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true }
+            $hostedOutboundSpamFilterPolicy = Get-ExoOutput -Rec $recnum

            # Check if both settings are enabled (Condition A and Condition B for pass)
            $bccSuspiciousOutboundMailEnabled = $hostedOutboundSpamFilterPolicy.BccSuspiciousOutboundMail