Merge pull request #12 from CriticalSolutionsNetwork/Better-Error-Handling

Better error handling
Doug Rios
2024-06-08 14:52:15 -05:00
committed by GitHub
78 changed files with 2581 additions and 1356 deletions


@@ -36,10 +36,11 @@ jobs:
with: with:
# Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
# The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
path: .\ path: .\source
recurse: true recurse: true
# Include your own basic security rules. Removing this option will run all the rules # Include your own basic security rules. Removing this option will run all the rules
includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText", "PSAvoidUsingPlainTextForPassword", "PSAvoidUsingInvokeExpression", "PSUseApprovedVerbs", "PSAvoidUsingPositionalParameters", "PSAvoidUsingEmptyCatchBlock", "PSAvoidUsingDeprecatedManifestFields", "PSAvoidUsingUserNameAndPasswordParams", "PSAvoidUsingCmdletAliases"'
output: results.sarif output: results.sarif
# Upload the SARIF file generated in the previous step # Upload the SARIF file generated in the previous step
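Review bot: Changing `path` from `.\` to `.\source` on L16 shrinks the scan to one directory, so any PowerShell outside `source` (build or test scripts at the repository root, if there are any) is no longer checked by the rules added on L19. If the intent was only to skip generated output, keeping `.\` and excluding that output is safer than narrowing the root; if nothing outside `source` ships, a comment above `path` saying so would stop the next reader from re-widening it, e.g. `# Only source/ ships in the module; everything else is build tooling.`. The single-line `includeRule` value is now hard to review in a diff, so a short comment naming why the new rules were added (the catch-block and Invoke-Expression rules in particular) would help future maintainers.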


@@ -6,6 +6,38 @@ The format is based on and uses the types of changes according to [Keep a Change
### Added ### Added
- Updated test definitions for CIS Microsoft 365 Foundations Benchmark for better error handling and object output when errors occur.
- Added a parameter to the `Initialize-CISAuditResult` function to allow for a static failed object to be created when an error occurs.
- Refactored `Invoke-M365SecurityAudit` to include a new private function `Invoke-TestFunction` for executing test functions and handling errors.
- Added a new private function `Measure-AuditResult` to calculate and display audit results.
- Enhanced error logging to capture failed test details and display them at the end of the audit.
- Added a private function `Get-RequiredModule` to initialize the `$requiredModules` variable for better code organization in the main script.
- Updated `Test-MailboxAuditingE3` and `Test-MailboxAuditingE5` functions to use `Format-MissingAction` for structuring missing actions into a pipe-separated table format.
- Added more verbose logging to `Test-BlockMailForwarding` and improved error handling for better troubleshooting.
- Improved `Test-RestrictCustomScripts` to handle long URL lengths better by extracting and replacing common hostnames, and provided detailed output.
- Added sorting to output.
- Created new functions for improved modularity.
- Parameter validation for excel and csv path in sync function
- Added Output type to tests.
### Fixed
- Ensured the `Invoke-TestFunction` returns a `CISAuditResult` object, which is then managed in the `Invoke-M365SecurityAudit` function.
- Corrected the usage of the join operation within `$details` in `Test-BlockMailForwarding` to handle arrays properly.
- Fixed the logic in `Test-RestrictCustomScripts` to accurately replace and manage URLs, ensuring compliance checks are correctly performed.
- Updated the `Test-MailboxAuditingE3` and `Test-MailboxAuditingE5` functions to handle the `$allFailures` variable correctly, ensuring accurate pass/fail results.
- Fixed the connections in helper CSV and connect function.
- Removed verbose preference from `Test-RestrictCustomScripts`.
- Ensured that the output in `Test-BlockMailForwarding` does not include extra spaces between table headers and data.
- Fixed output in `Test-MailboxAuditingE3` and `Test-MailboxAuditingE5` to correctly align with the new table format.
- Added step 1 and step 2 in `Test-BlockMailForwarding` details to ensure comprehensive compliance checks.
- Fixed the issue with the output in `Test-RestrictCustomScripts` to ensure no extra spaces between table headers and data.
## [0.1.4] - 2024-05-30
### Added
- Test definitions filter function. - Test definitions filter function.
- Logging function for future use. - Logging function for future use.
- Test grade written to console. - Test grade written to console.
@@ -87,4 +119,4 @@ The format is based on and uses the types of changes according to [Keep a Change
- A dynamic test loading system based on CSV input for flexibility in defining audit tests. - A dynamic test loading system based on CSV input for flexibility in defining audit tests.
- Comprehensive verbose logging to detail the steps being performed during an audit. - Comprehensive verbose logging to detail the steps being performed during an audit.
- Comment-help documentation for the `Invoke-M365SecurityAudit` function with examples and usage details. - Comment-help documentation for the `Invoke-M365SecurityAudit` function with examples and usage details.
- Attribution to CIS and licensing information under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License in the README. - Attribution to CIS and licensing information under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License in the README.

README.md




@@ -60,7 +60,7 @@ function Test-MailboxAuditingE3_6.1.2_E3L1_IG1_IG2_IG3 {
} }
if ($missingActions) { if ($missingActions) {
$formattedActions = Format-MissingActions $missingActions $formattedActions = Format-MissingAction $missingActions
$allFailures += "$userUPN`: AuditEnabled - True; $formattedActions" $allFailures += "$userUPN`: AuditEnabled - True; $formattedActions"
} }
# Mark the user as processed # Mark the user as processed
@@ -83,7 +83,7 @@ function Test-MailboxAuditingE3_6.1.2_E3L1_IG1_IG2_IG3 {
} }
} }
function Format-MissingActions { function Format-MissingAction {
param ([array]$missingActions) param ([array]$missingActions)
$actionGroups = @{ $actionGroups = @{


@@ -60,7 +60,7 @@ function Test-MailboxAuditingE5_6.1.3_E5L1_IG1_IG2_IG3 {
} }
if ($missingActions) { if ($missingActions) {
$formattedActions = Format-MissingActions $missingActions $formattedActions = Format-MissingAction $missingActions
$allFailures += "$userUPN`: AuditEnabled - True; $formattedActions" $allFailures += "$userUPN`: AuditEnabled - True; $formattedActions"
} }
else { else {
@@ -92,7 +92,7 @@ function Test-MailboxAuditingE5_6.1.3_E5L1_IG1_IG2_IG3 {
} }
} }
function Format-MissingActions { function Format-MissingAction {
param ([array]$missingActions) param ([array]$missingActions)
$actionGroups = @{ $actionGroups = @{


@@ -11,13 +11,13 @@ function Connect-M365Suite {
$VerbosePreference = "SilentlyContinue" $VerbosePreference = "SilentlyContinue"
try { try {
if ($RequiredConnections -contains "AzureAD" -or $RequiredConnections -contains "AzureAD | EXO") { if ($RequiredConnections -contains "AzureAD" -or $RequiredConnections -contains "AzureAD | EXO" -or $RequiredConnections -contains "AzureAD | EXO | Microsoft Graph") {
Write-Host "Connecting to Azure Active Directory..." -ForegroundColor Cyan Write-Host "Connecting to Azure Active Directory..." -ForegroundColor Cyan
Connect-AzureAD | Out-Null Connect-AzureAD | Out-Null
Write-Host "Successfully connected to Azure Active Directory." -ForegroundColor Green Write-Host "Successfully connected to Azure Active Directory." -ForegroundColor Green
} }
if ($RequiredConnections -contains "Microsoft Graph") { if ($RequiredConnections -contains "Microsoft Graph" -or $RequiredConnections -contains "AzureAD | EXO | Microsoft Graph") {
Write-Host "Connecting to Microsoft Graph with scopes: Directory.Read.All, Domain.Read.All, Policy.Read.All, Organization.Read.All" -ForegroundColor Cyan Write-Host "Connecting to Microsoft Graph with scopes: Directory.Read.All, Domain.Read.All, Policy.Read.All, Organization.Read.All" -ForegroundColor Cyan
try { try {
Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" -NoWelcome | Out-Null Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" -NoWelcome | Out-Null
@@ -30,7 +30,7 @@ function Connect-M365Suite {
} }
} }
if ($RequiredConnections -contains "EXO" -or $RequiredConnections -contains "AzureAD | EXO" -or $RequiredConnections -contains "Microsoft Teams | EXO") { if ($RequiredConnections -contains "EXO" -or $RequiredConnections -contains "AzureAD | EXO" -or $RequiredConnections -contains "Microsoft Teams | EXO" -or $RequiredConnections -contains "AzureAD | EXO | Microsoft Graph") {
Write-Host "Connecting to Exchange Online..." -ForegroundColor Cyan Write-Host "Connecting to Exchange Online..." -ForegroundColor Cyan
Connect-ExchangeOnline | Out-Null Connect-ExchangeOnline | Out-Null
Write-Host "Successfully connected to Exchange Online." -ForegroundColor Green Write-Host "Successfully connected to Exchange Online." -ForegroundColor Green
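Review bot: The connection checks on L106, L111 and L118 match whole combined strings, so every new service combination that appears in TestDefinitions.csv needs another `-contains` clause on each `if`, and a value written in a different order or spacing (say `EXO | AzureAD`) silently connects to nothing. Splitting the entries once into individual service names removes the coupling and makes the three conditions a single membership test each. `Connect-M365Suite` begins before this hunk, so the normalisation line belongs just ahead of the first `if`.
```powershell
# Normalise "A | B | C" entries into individual service names once, so new
# combinations in TestDefinitions.csv need no code change here.
$services = $RequiredConnections -split '\|' | ForEach-Object { $_.Trim() } | Sort-Object -Unique
if ($services -contains 'AzureAD') {
    # … unchanged: Connect-AzureAD block …
}
if ($services -contains 'Microsoft Graph') {
    # … unchanged: Connect-MgGraph block …
}
if ($services -contains 'EXO') {
    # … unchanged: Connect-ExchangeOnline block …
}
```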


@@ -0,0 +1,25 @@
function Format-MissingAction {
param ([array]$missingActions)
$actionGroups = @{
"Admin" = @()
"Delegate" = @()
"Owner" = @()
}
foreach ($action in $missingActions) {
if ($action -match "(Admin|Delegate|Owner) action '([^']+)' missing") {
$type = $matches[1]
$actionName = $matches[2]
$actionGroups[$type] += $actionName
}
}
$formattedResults = @{
Admin = $actionGroups["Admin"] -join ', '
Delegate = $actionGroups["Delegate"] -join ', '
Owner = $actionGroups["Owner"] -join ', '
}
return $formattedResults
}
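Review bot: This new private `Format-MissingAction` coexists with a local `function Format-MissingAction` still defined inside Test-MailboxAuditingE3 and Test-MailboxAuditingE5 (the rename hunks at L81 and L97), and since Invoke-M365SecurityAudit dot-sources the test scripts into the module scope, whichever definition loads last wins. The two copies can drift unnoticed — this one returns a hashtable of comma-joined names while the changelog describes a pipe-separated table — so the local copies should be removed and the test files should rely on this function, or a comment here should say which one is authoritative. Entries that do not match the regex on L134 are dropped silently; a one-line comment such as `# Entries not in the "<Type> action '<name>' missing" form are ignored` and a `[OutputType([hashtable])]` attribute would make the contract visible to callers.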


@@ -0,0 +1,22 @@
function Get-MostCommonWord {
param (
[Parameter(Mandatory = $true)]
[string[]]$InputStrings
)
# Combine all strings into one large string
$allText = $InputStrings -join ' '
# Split the large string into words
$words = $allText -split '\s+'
# Group words and count occurrences
$wordGroups = $words | Group-Object | Sort-Object Count -Descending
# Return the most common word if it occurs at least 3 times
if ($wordGroups.Count -gt 0 -and $wordGroups[0].Count -ge 3) {
return $wordGroups[0].Name
} else {
return $null
}
}
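Review bot: `$wordGroups.Count` and `$wordGroups[0].Count` on L163 work only by coincidence when the input has a single distinct word: `Sort-Object` then yields one `GroupInfo` instead of an array, and `.Count` resolves to that group's member count rather than the number of groups. Forcing an array fixes it and the `Where-Object` also drops the empty tokens that `-split '\s+'` produces for leading whitespace: `$wordGroups = @($words | Where-Object { $_ } | Group-Object | Sort-Object Count -Descending)`. The threshold on L163 is a magic number; a parameter with a default, `[int]$MinOccurrences = 3`, plus a comment on why three is the cut-off would document the intent without changing current callers.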


@@ -0,0 +1,37 @@
function Get-RequiredModule {
[CmdletBinding(DefaultParameterSetName = 'AuditFunction')]
[OutputType([System.Object[]])]
param (
[Parameter(Mandatory = $true, ParameterSetName = 'AuditFunction')]
[switch]$AuditFunction,
[Parameter(Mandatory = $true, ParameterSetName = 'SyncFunction')]
[switch]$SyncFunction
)
switch ($PSCmdlet.ParameterSetName) {
'AuditFunction' {
return @(
@{ ModuleName = "ExchangeOnlineManagement"; RequiredVersion = "3.3.0" },
@{ ModuleName = "AzureAD"; RequiredVersion = "2.0.2.182" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Authentication" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Users" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Groups" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "DirectoryObjects" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Domains" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Reports" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Mail" },
@{ ModuleName = "Microsoft.Online.SharePoint.PowerShell"; RequiredVersion = "16.0.24009.12000" },
@{ ModuleName = "MicrosoftTeams"; RequiredVersion = "5.5.0" }
)
}
'SyncFunction' {
return @(
@{ ModuleName = "ImportExcel"; RequiredVersion = "7.8.9" }
)
}
default {
throw "Please specify either -AuditFunction or -SyncFunction switch."
}
}
}
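Review bot: The `default` arm on L203 should be unreachable: each switch is mandatory in its own parameter set and `AuditFunction` is the default set, so PowerShell rejects or prompts for the missing switch before the body runs, and the `throw` never executes. Replacing it with a comment (`# Both sets have a mandatory switch, so no other set can bind here`) is more honest than dead code. `[OutputType([System.Object[]])]` on L175 could be `[OutputType([hashtable[]])]`, which is what callers actually receive, and a short header comment noting that this is now the single place where module versions are pinned would help whoever bumps them next.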


@@ -1,19 +1,23 @@
function Initialize-CISAuditResult { function Initialize-CISAuditResult {
[CmdletBinding()]
param ( param (
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$Rec, [string]$Rec,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true, ParameterSetName = 'Full')]
[bool]$Result, [bool]$Result,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true, ParameterSetName = 'Full')]
[string]$Status, [string]$Status,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true, ParameterSetName = 'Full')]
[string]$Details, [string]$Details,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true, ParameterSetName = 'Full')]
[string]$FailureReason [string]$FailureReason,
[Parameter(ParameterSetName = 'Error')]
[switch]$Failure
) )
# Import the test definitions CSV file # Import the test definitions CSV file
@@ -22,6 +26,10 @@ function Initialize-CISAuditResult {
# Find the row that matches the provided recommendation (Rec) # Find the row that matches the provided recommendation (Rec)
$testDefinition = $testDefinitions | Where-Object { $_.Rec -eq $Rec } $testDefinition = $testDefinitions | Where-Object { $_.Rec -eq $Rec }
if (-not $testDefinition) {
throw "Test definition for recommendation '$Rec' not found."
}
# Create an instance of CISAuditResult and populate it # Create an instance of CISAuditResult and populate it
$auditResult = [CISAuditResult]::new() $auditResult = [CISAuditResult]::new()
$auditResult.Rec = $Rec $auditResult.Rec = $Rec
@@ -36,10 +44,18 @@ function Initialize-CISAuditResult {
$auditResult.Automated = [bool]::Parse($testDefinition.Automated) $auditResult.Automated = [bool]::Parse($testDefinition.Automated)
$auditResult.Connection = $testDefinition.Connection $auditResult.Connection = $testDefinition.Connection
$auditResult.CISControlVer = 'v8' $auditResult.CISControlVer = 'v8'
$auditResult.Result = $Result
$auditResult.Status = $Status if ($PSCmdlet.ParameterSetName -eq 'Full') {
$auditResult.Details = $Details $auditResult.Result = $Result
$auditResult.FailureReason = $FailureReason $auditResult.Status = $Status
$auditResult.Details = $Details
$auditResult.FailureReason = $FailureReason
} elseif ($PSCmdlet.ParameterSetName -eq 'Error') {
$auditResult.Result = $false
$auditResult.Status = 'Fail'
$auditResult.Details = "An error occurred while processing the test."
$auditResult.FailureReason = "Initialization error: Failed to process the test."
}
return $auditResult return $auditResult
} }
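Review bot: With no `DefaultParameterSetName` on L213 and `$Failure` not mandatory on L225, a call that supplies only `-Rec` cannot be resolved between the `Full` and `Error` sets, so a caller that forgets the remaining parameters gets an ambiguous-parameter-set error rather than the mandatory-parameter prompt the `Full` set intends. Two small changes settle it: `[CmdletBinding(DefaultParameterSetName = 'Full')]` and `[Parameter(Mandatory = $true, ParameterSetName = 'Error')]` on the `$Failure` switch. The `Error` branch on L248–L252 discards the original exception; an optional `[string]$ErrorMessage` in that set, written into `Details`, would let the failed object say what actually went wrong instead of the fixed text.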


@@ -0,0 +1,34 @@
function Invoke-TestFunction {
param (
[Parameter(Mandatory = $true)]
[PSObject]$FunctionFile,
[Parameter(Mandatory = $true)]
[string]$DomainName
)
$functionName = $FunctionFile.BaseName
$functionCmd = Get-Command -Name $functionName
# Check if the test function needs DomainName parameter
$paramList = @{}
if ('DomainName' -in $functionCmd.Parameters.Keys) {
$paramList.DomainName = $DomainName
}
# Use splatting to pass parameters
Write-Verbose "Running $functionName..."
try {
$result = & $functionName @paramList
# Assuming each function returns an array of CISAuditResult or a single CISAuditResult
return $result
}
catch {
Write-Error "An error occurred during the test: $_"
$script:FailedTests.Add([PSCustomObject]@{ Test = $functionName; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $functionName -Failure
return $auditResult
}
}
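Review bot: L285 passes the function name (`$FunctionFile.BaseName`, a `Test-…` string) as `-Rec`, but `Initialize-CISAuditResult` looks that value up as a recommendation number (`$_.Rec -eq $Rec`, and the values in the `ValidateSet` of Invoke-M365SecurityAudit look like `6.1.2`); if that reading is right, the lookup fails, the new `throw` added on L232 fires inside this `catch`, and the error path this commit introduces aborts the whole audit instead of returning a failed object. The recommendation should be resolved from `$script:TestDefinitionsObject` (populated in Invoke-M365SecurityAudit's `Begin` block) by `TestFileName`. Separately, `$script:FailedTests.Add(...)` on L283 is not voided, so the returned index is emitted as function output and `$auditResult` in the caller becomes a two-element array; the same unvoided `.Add` appears on L527 in Invoke-M365SecurityAudit's `Process` block.
```powershell
catch {
    Write-Error "An error occurred during the test: $_"
    # ArrayList.Add returns the new index; void it so it is not emitted as output.
    [void]$script:FailedTests.Add([PSCustomObject]@{ Test = $functionName; Error = $_ })
    # Rec is the recommendation number from the CSV, not the function name;
    # resolve it from the loaded definitions by file name.
    $definition = $script:TestDefinitionsObject |
        Where-Object { $_.TestFileName -eq $FunctionFile.Name } |
        Select-Object -First 1
    if ($definition) {
        return Initialize-CISAuditResult -Rec $definition.Rec -Failure
    }
    Write-Error "No test definition found for $($FunctionFile.Name); no result object produced."
}
```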


@@ -0,0 +1,31 @@
function Measure-AuditResult {
param (
[Parameter(Mandatory = $true)]
[System.Collections.ArrayList]$AllAuditResults,
[Parameter(Mandatory = $false)]
[System.Collections.ArrayList]$FailedTests
)
# Calculate the total number of tests
$totalTests = $AllAuditResults.Count
# Calculate the number of passed tests
$passedTests = $AllAuditResults.ToArray() | Where-Object { $_.Result -eq $true } | Measure-Object | Select-Object -ExpandProperty Count
# Calculate the pass percentage
$passPercentage = if ($totalTests -eq 0) { 0 } else { [math]::Round(($passedTests / $totalTests) * 100, 2) }
# Display the pass percentage to the user
Write-Host "Audit completed. $passedTests out of $totalTests tests passed." -ForegroundColor Cyan
Write-Host "Your passing percentage is $passPercentage%."
# Display details of failed tests
if ($FailedTests.Count -gt 0) {
Write-Host "The following tests failed to complete:" -ForegroundColor Red
foreach ($failedTest in $FailedTests) {
Write-Host "Test: $($failedTest.Test)" -ForegroundColor Yellow
Write-Host "Error: $($failedTest.Error)" -ForegroundColor Yellow
}
}
}
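Review bot: `$FailedTests` is declared optional on L297–L298 but L310 reads `$FailedTests.Count` unconditionally; guarding it with `if ($FailedTests -and $FailedTests.Count -gt 0)` keeps a call that omits the parameter from depending on how the current strict-mode setting treats a null dereference. The function has no `[CmdletBinding()]`, so `-Verbose` and the other common parameters are not honoured, and the summary exists only as `Write-Host` text; returning a small summary object (total, passed, percentage) in addition to the console output would let scripted callers act on the result. A header comment stating that the function writes to the host and returns nothing would at least make that choice explicit.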


@@ -1,5 +1,5 @@
function Merge-CISExcelAndCsvData { function Merge-CISExcelAndCsvData {
[CmdletBinding()] [CmdletBinding(DefaultParameterSetName = 'CsvInput')]
param ( param (
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$ExcelPath, [string]$ExcelPath,
@@ -7,40 +7,35 @@ function Merge-CISExcelAndCsvData {
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$WorksheetName, [string]$WorksheetName,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true, ParameterSetName = 'CsvInput')]
[string]$CsvPath [string]$CsvPath,
[Parameter(Mandatory = $true, ParameterSetName = 'ObjectInput')]
[CISAuditResult[]]$AuditResults
) )
process { process {
# Import data from Excel and CSV # Import data from Excel
$import = Import-Excel -Path $ExcelPath -WorksheetName $WorksheetName $import = Import-Excel -Path $ExcelPath -WorksheetName $WorksheetName
$csvData = Import-Csv -Path $CsvPath
# Define a function to create a merged object # Import data from CSV or use provided object
function CreateMergedObject($excelItem, $csvRow) { $csvData = if ($PSCmdlet.ParameterSetName -eq 'CsvInput') {
$newObject = New-Object PSObject Import-Csv -Path $CsvPath
} else {
foreach ($property in $excelItem.PSObject.Properties) { $AuditResults
$newObject | Add-Member -MemberType NoteProperty -Name $property.Name -Value $property.Value
}
$newObject | Add-Member -MemberType NoteProperty -Name 'CSV_Connection' -Value $csvRow.Connection
$newObject | Add-Member -MemberType NoteProperty -Name 'CSV_Status' -Value $csvRow.Status
$newObject | Add-Member -MemberType NoteProperty -Name 'CSV_Details' -Value $csvRow.Details
$newObject | Add-Member -MemberType NoteProperty -Name 'CSV_FailureReason' -Value $csvRow.FailureReason
return $newObject
} }
# Iterate over each item in the imported Excel object and merge with CSV data # Iterate over each item in the imported Excel object and merge with CSV data or audit results
$mergedData = foreach ($item in $import) { $mergedData = foreach ($item in $import) {
$csvRow = $csvData | Where-Object { $_.Rec -eq $item.'recommendation #' } $csvRow = $csvData | Where-Object { $_.Rec -eq $item.'recommendation #' }
if ($csvRow) { if ($csvRow) {
CreateMergedObject -excelItem $item -csvRow $csvRow New-MergedObject -ExcelItem $item -CsvRow $csvRow
} else { } else {
CreateMergedObject -excelItem $item -csvRow ([PSCustomObject]@{Connection=$null;Status=$null; Details=$null; FailureReason=$null }) New-MergedObject -ExcelItem $item -CsvRow ([PSCustomObject]@{Connection=$null;Status=$null; Details=$null; FailureReason=$null })
} }
} }
# Return the merged data # Return the merged data
return $mergedData return $mergedData
} }
} }
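Review bot: `$csvRow` on L354 can hold several rows when the CSV, or the audit-result array in the new `ObjectInput` set, contains the same `Rec` more than once, and `New-MergedObject -CsvRow` then either fails to bind or produces array-valued `CSV_` columns, depending on how the `[psobject]` parameter coerces the input. Making the match explicit avoids both outcomes: `$csvRow = @($csvData | Where-Object { $_.Rec -eq $item.'recommendation #' })` followed by `if ($csvRow.Count -gt 1) { throw "Duplicate Rec '$($item.'recommendation #')' in input data" }`. The comment on L339 could also note that `$csvData` is the common name for both inputs because `CISAuditResult` exposes the same `Connection`/`Status`/`Details`/`FailureReason` members that the CSV columns provide.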


@@ -0,0 +1,20 @@
function New-MergedObject {
param (
[Parameter(Mandatory = $true)]
[psobject]$ExcelItem,
[Parameter(Mandatory = $true)]
[psobject]$CsvRow
)
$newObject = New-Object PSObject
foreach ($property in $ExcelItem.PSObject.Properties) {
$newObject | Add-Member -MemberType NoteProperty -Name $property.Name -Value $property.Value
}
$newObject | Add-Member -MemberType NoteProperty -Name 'CSV_Connection' -Value $CsvRow.Connection
$newObject | Add-Member -MemberType NoteProperty -Name 'CSV_Status' -Value $CsvRow.Status
$newObject | Add-Member -MemberType NoteProperty -Name 'CSV_Details' -Value $CsvRow.Details
$newObject | Add-Member -MemberType NoteProperty -Name 'CSV_FailureReason' -Value $CsvRow.FailureReason
return $newObject
}
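Review bot: The body builds the result with `New-Object PSObject` and a chain of `Add-Member` calls (L376–L383), which is the long form of what an ordered hashtable cast to `[PSCustomObject]` expresses in one place, and the latter also keeps the column order obvious to whoever reads the Excel output. One behavioural difference to be aware of: `Add-Member` errors if the Excel item already has a column named like one of the `CSV_` properties, while the hashtable form overwrites it, so pick whichever the worksheet contract needs and say so in a comment. An `[OutputType([psobject])]` attribute and a one-line purpose comment would complete the new file.
```powershell
function New-MergedObject {
    # … unchanged: param block …
    # Copy the Excel columns first, then append the CSV/audit columns under a CSV_ prefix.
    $merged = [ordered]@{}
    foreach ($property in $ExcelItem.PSObject.Properties) {
        $merged[$property.Name] = $property.Value
    }
    $merged['CSV_Connection']    = $CsvRow.Connection
    $merged['CSV_Status']        = $CsvRow.Status
    $merged['CSV_Details']       = $CsvRow.Details
    $merged['CSV_FailureReason'] = $CsvRow.FailureReason
    return [PSCustomObject]$merged
}
```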


@@ -25,7 +25,7 @@ function Update-CISExcelWorksheet {
# Update the worksheet with the provided data # Update the worksheet with the provided data
Update-WorksheetCells -Worksheet $worksheet -Data $Data -StartingRowIndex $StartingRowIndex Update-WorksheetCell -Worksheet $worksheet -Data $Data -StartingRowIndex $StartingRowIndex
# Save and close the Excel package # Save and close the Excel package
Close-ExcelPackage $excelPackage Close-ExcelPackage $excelPackage


@@ -1,4 +1,4 @@
function Update-WorksheetCells { function Update-WorksheetCell {
param ( param (
$Worksheet, $Worksheet,
$Data, $Data,


@@ -25,6 +25,8 @@
https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-AdminRoleUserLicense https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-AdminRoleUserLicense
#> #>
function Get-AdminRoleUserLicense { function Get-AdminRoleUserLicense {
# Set output type to System.Collections.ArrayList
[OutputType([System.Collections.ArrayList])]
[CmdletBinding()] [CmdletBinding()]
param ( param (
[Parameter(Mandatory = $false)] [Parameter(Mandatory = $false)]
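Review bot: The comment on L409 repeats the attribute beneath it word for word and adds nothing a reader cannot see on L410. Either drop it or make it say why an `ArrayList` is the declared type rather than a plain array, e.g. `# Returns an ArrayList so callers can append without reallocating`, if that is the reason. The enclosing function continues past this hunk.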


@@ -63,10 +63,12 @@ function Invoke-M365SecurityAudit {
[CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = 'Default')] [CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = 'Default')]
[OutputType([CISAuditResult[]])] [OutputType([CISAuditResult[]])]
param ( param (
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true, HelpMessage = "The SharePoint tenant admin URL, which should end with '-admin.sharepoint.com'.")]
[ValidatePattern('^https://[a-zA-Z0-9-]+-admin\.sharepoint\.com$')]
[string]$TenantAdminUrl, [string]$TenantAdminUrl,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true, HelpMessage = "The domain name of your organization, e.g., 'example.com'.")]
[ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')]
[string]$DomainName, [string]$DomainName,
# E-Level with optional ProfileLevel selection # E-Level with optional ProfileLevel selection
@@ -92,12 +94,12 @@ function Invoke-M365SecurityAudit {
[Parameter(Mandatory = $true, ParameterSetName = 'RecFilter')] [Parameter(Mandatory = $true, ParameterSetName = 'RecFilter')]
[ValidateSet( [ValidateSet(
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', ` '1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', ` '2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
'5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', ` '5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', `
'6.5.1', '6.5.2', '6.5.3', '7.2.1', '7.2.10', '7.2.2', '7.2.3', '7.2.4', ` '6.5.1', '6.5.2', '6.5.3', '7.2.1', '7.2.10', '7.2.2', '7.2.3', '7.2.4', `
'7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.3.1', '7.3.2', '7.3.4', '8.1.1', ` '7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.3.1', '7.3.2', '7.3.4', '8.1.1', `
'8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', ` '8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', `
'8.5.7', '8.6.1' '8.5.7', '8.6.1'
)] )]
[string[]]$IncludeRecommendation, [string[]]$IncludeRecommendation,
@@ -105,12 +107,12 @@ function Invoke-M365SecurityAudit {
[Parameter(Mandatory = $true, ParameterSetName = 'SkipRecFilter')] [Parameter(Mandatory = $true, ParameterSetName = 'SkipRecFilter')]
[ValidateSet( [ValidateSet(
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', ` '1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', ` '2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
'5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', ` '5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', `
'6.5.1', '6.5.2', '6.5.3', '7.2.1', '7.2.10', '7.2.2', '7.2.3', '7.2.4', ` '6.5.1', '6.5.2', '6.5.3', '7.2.1', '7.2.10', '7.2.2', '7.2.3', '7.2.4', `
'7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.3.1', '7.3.2', '7.3.4', '8.1.1', ` '7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.3.1', '7.3.2', '7.3.4', '8.1.1', `
'8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', ` '8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', `
'8.5.7', '8.6.1' '8.5.7', '8.6.1'
)] )]
[string[]]$SkipRecommendation, [string[]]$SkipRecommendation,
@@ -120,43 +122,23 @@ function Invoke-M365SecurityAudit {
[switch]$NoModuleCheck [switch]$NoModuleCheck
) )
Begin { Begin {
if ($script:MaximumFunctionCount -lt 8192) { if ($script:MaximumFunctionCount -lt 8192) {
$script:MaximumFunctionCount = 8192 $script:MaximumFunctionCount = 8192
} }
# Ensure required modules are installed # Ensure required modules are installed
# Define the required modules and versions in a hashtable
if (!($NoModuleCheck)) { if (!($NoModuleCheck)) {
$requiredModules = @( $requiredModules = Get-RequiredModule -AuditFunction
@{ ModuleName = "ExchangeOnlineManagement"; RequiredVersion = "3.3.0" },
@{ ModuleName = "AzureAD"; RequiredVersion = "2.0.2.182" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Authentication" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Users" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Groups" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "DirectoryObjects" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Domains" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Reports" },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModuleName = "Mail" },
@{ ModuleName = "Microsoft.Online.SharePoint.PowerShell"; RequiredVersion = "16.0.24009.12000" },
@{ ModuleName = "MicrosoftTeams"; RequiredVersion = "5.5.0" }
)
foreach ($module in $requiredModules) { foreach ($module in $requiredModules) {
Assert-ModuleAvailability -ModuleName $module.ModuleName -RequiredVersion $module.RequiredVersion -SubModuleName $module.SubModuleName Assert-ModuleAvailability -ModuleName $module.ModuleName -RequiredVersion $module.RequiredVersion -SubModuleName $module.SubModuleName
} }
} }
# Loop through each required module and assert its availability
# Establishing connections
# Load test definitions from CSV # Load test definitions from CSV
$testDefinitionsPath = Join-Path -Path $PSScriptRoot -ChildPath "helper\TestDefinitions.csv" $testDefinitionsPath = Join-Path -Path $PSScriptRoot -ChildPath "helper\TestDefinitions.csv"
$testDefinitions = Import-Csv -Path $testDefinitionsPath $testDefinitions = Import-Csv -Path $testDefinitionsPath
# Load the Test Definitions into the script scope for use in other functions # Load the Test Definitions into the script scope for use in other functions
$script:TestDefinitionsObject = $testDefinitions $script:TestDefinitionsObject = $testDefinitions
# Apply filters based on parameter sets # Apply filters based on parameter sets
$params = @{ $params = @{
TestDefinitions = $testDefinitions TestDefinitions = $testDefinitions
@@ -167,58 +149,54 @@ function Invoke-M365SecurityAudit {
SkipRecommendation = $SkipRecommendation SkipRecommendation = $SkipRecommendation
} }
$testDefinitions = Get-TestDefinitionsObject @params $testDefinitions = Get-TestDefinitionsObject @params
# End switch ($PSCmdlet.ParameterSetName)
# Extract unique connections needed # Extract unique connections needed
$requiredConnections = $testDefinitions.Connection | Sort-Object -Unique $requiredConnections = $testDefinitions.Connection | Sort-Object -Unique
# Establishing connections if required # Establishing connections if required
if (!($DoNotConnect)) { if (!($DoNotConnect)) {
Connect-M365Suite -TenantAdminUrl $TenantAdminUrl -RequiredConnections $requiredConnections Connect-M365Suite -TenantAdminUrl $TenantAdminUrl -RequiredConnections $requiredConnections
} }
# Determine which test files to load based on filtering # Determine which test files to load based on filtering
$testsToLoad = $testDefinitions.TestFileName | ForEach-Object { $_ -replace '.ps1$', '' } $testsToLoad = $testDefinitions.TestFileName | ForEach-Object { $_ -replace '.ps1$', '' }
# Display the tests that would be loaded if the function is called with -WhatIf
Write-Verbose "The $(($testsToLoad).count) test/s that would be loaded based on filter criteria:" Write-Verbose "The $(($testsToLoad).count) test/s that would be loaded based on filter criteria:"
$testsToLoad | ForEach-Object { Write-Verbose " $_" } $testsToLoad | ForEach-Object { Write-Verbose " $_" }
# Initialize a collection to hold failed test details
$script:FailedTests = [System.Collections.ArrayList]::new()
} # End Begin } # End Begin
Process { Process {
$allAuditResults = [System.Collections.ArrayList]::new() #@() # Initialize a collection to hold all results $allAuditResults = [System.Collections.ArrayList]::new() # Initialize a collection to hold all results
# Dynamically dot-source the test scripts # Dynamically dot-source the test scripts
$testsFolderPath = Join-Path -Path $PSScriptRoot -ChildPath "tests" $testsFolderPath = Join-Path -Path $PSScriptRoot -ChildPath "tests"
$testFiles = Get-ChildItem -Path $testsFolderPath -Filter "Test-*.ps1" | $testFiles = Get-ChildItem -Path $testsFolderPath -Filter "Test-*.ps1" |
Where-Object { $testsToLoad -contains $_.BaseName } Where-Object { $testsToLoad -contains $_.BaseName }
$totalTests = $testFiles.Count
$currentTestIndex = 0
# Import the test functions # Import the test functions
$testFiles | ForEach-Object { $testFiles | ForEach-Object {
$currentTestIndex++
Write-Progress -Activity "Loading Test Scripts" -Status "Loading $($currentTestIndex) of $($totalTests): $($_.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
Try { Try {
# Dot source the test function
. $_.FullName . $_.FullName
} }
Catch { Catch {
# Log the error and add the test to the failed tests collection
Write-Error "Failed to load test function $($_.Name): $_" Write-Error "Failed to load test function $($_.Name): $_"
$script:FailedTests.Add([PSCustomObject]@{ Test = $_.Name; Error = $_ })
} }
} }
$currentTestIndex = 0
# Execute each test function from the prepared list # Execute each test function from the prepared list
foreach ($testFunction in $testFiles) { foreach ($testFunction in $testFiles) {
$currentTestIndex++
Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
$functionName = $testFunction.BaseName $functionName = $testFunction.BaseName
$functionCmd = Get-Command -Name $functionName
# Check if the test function needs DomainName parameter
$paramList = @{}
if ('DomainName' -in $functionCmd.Parameters.Keys) {
$paramList.DomainName = $DomainName
}
# Use splatting to pass parameters
if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) { if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) {
Write-Host "Running $functionName..." $auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $DomainName
$result = & $functionName @paramList # Add the result to the collection
# Assuming each function returns an array of CISAuditResult or a single CISAuditResult [void]$allAuditResults.Add($auditResult)
[void]($allAuditResults.add($Result))
} }
} }
} }
@@ -228,20 +206,10 @@ function Invoke-M365SecurityAudit {
# Clean up sessions # Clean up sessions
Disconnect-M365Suite -RequiredConnections $requiredConnections Disconnect-M365Suite -RequiredConnections $requiredConnections
} }
# Calculate the total number of tests # Call the private function to calculate and display results
$totalTests = $allAuditResults.Count Measure-AuditResult -AllAuditResults $allAuditResults -FailedTests $script:FailedTests
# Calculate the number of passed tests
$passedTests = $allAuditResults.ToArray() | Where-Object { $_.Result -eq $true } | Measure-Object | Select-Object -ExpandProperty Count
# Calculate the pass percentage
$passPercentage = if ($totalTests -eq 0) { 0 } else { [math]::Round(($passedTests / $totalTests) * 100, 2) }
# Display the pass percentage to the user
Write-Host "Audit completed. $passedTests out of $totalTests tests passed." -ForegroundColor Cyan
Write-Host "Your passing percentage is $passPercentage%."
# Return all collected audit results # Return all collected audit results
return $allAuditResults.ToArray() return $allAuditResults.ToArray() | Sort-Object -Property Rec
# Check if the Disconnect switch is present
} }
} }


@@ -1,14 +1,16 @@
<# <#
.SYNOPSIS .SYNOPSIS
Synchronizes data between an Excel file and a CSV file and optionally updates the Excel worksheet. Synchronizes data between an Excel file and either a CSV file or an output object from Invoke-M365SecurityAudit, and optionally updates the Excel worksheet.
.DESCRIPTION .DESCRIPTION
The Sync-CISExcelAndCsvData function merges data from a specified Excel file and a CSV file based on a common key. It can also update the Excel worksheet with the merged data. This function is particularly useful for updating Excel records with additional data from a CSV file while preserving the original formatting and structure of the Excel worksheet. The Sync-CISExcelAndCsvData function merges data from a specified Excel file with data from either a CSV file or an output object from Invoke-M365SecurityAudit based on a common key. It can also update the Excel worksheet with the merged data. This function is particularly useful for updating Excel records with additional data from a CSV file or audit results while preserving the original formatting and structure of the Excel worksheet.
.PARAMETER ExcelPath .PARAMETER ExcelPath
The path to the Excel file that contains the original data. This parameter is mandatory. The path to the Excel file that contains the original data. This parameter is mandatory.
.PARAMETER WorksheetName .PARAMETER WorksheetName
The name of the worksheet within the Excel file that contains the data to be synchronized. This parameter is mandatory. The name of the worksheet within the Excel file that contains the data to be synchronized. This parameter is mandatory.
.PARAMETER CsvPath .PARAMETER CsvPath
The path to the CSV file containing data to be merged with the Excel data. This parameter is mandatory. The path to the CSV file containing data to be merged with the Excel data. This parameter is mandatory when using the CsvInput parameter set.
.PARAMETER AuditResults
An array of CISAuditResult objects from Invoke-M365SecurityAudit to be merged with the Excel data. This parameter is mandatory when using the ObjectInput parameter set.
.PARAMETER SkipUpdate .PARAMETER SkipUpdate
If specified, the function will return the merged data object without updating the Excel worksheet. This is useful for previewing the merged data. If specified, the function will return the merged data object without updating the Excel worksheet. This is useful for previewing the merged data.
.EXAMPLE .EXAMPLE
@@ -17,6 +19,14 @@
.EXAMPLE .EXAMPLE
PS> $mergedData = Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -WorksheetName "DataSheet" -CsvPath "path\to\data.csv" -SkipUpdate PS> $mergedData = Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -WorksheetName "DataSheet" -CsvPath "path\to\data.csv" -SkipUpdate
Retrieves the merged data object for preview without updating the Excel worksheet. Retrieves the merged data object for preview without updating the Excel worksheet.
.EXAMPLE
PS> $auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://tenant-admin.url" -DomainName "example.com"
PS> Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -WorksheetName "DataSheet" -AuditResults $auditResults
Merges data from the audit results into 'excel.xlsx' on the 'DataSheet' worksheet and updates the worksheet with the merged data.
.EXAMPLE
PS> $auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://tenant-admin.url" -DomainName "example.com"
PS> $mergedData = Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -WorksheetName "DataSheet" -AuditResults $auditResults -SkipUpdate
Retrieves the merged data object for preview without updating the Excel worksheet.
.INPUTS .INPUTS
None. You cannot pipe objects to Sync-CISExcelAndCsvData. None. You cannot pipe objects to Sync-CISExcelAndCsvData.
.OUTPUTS .OUTPUTS
@@ -30,25 +40,41 @@
https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Sync-CISExcelAndCsvData https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Sync-CISExcelAndCsvData
#> #>
function Sync-CISExcelAndCsvData { function Sync-CISExcelAndCsvData {
[CmdletBinding()] [CmdletBinding(DefaultParameterSetName = 'CsvInput')]
param ( param (
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[ValidateScript({ Test-Path $_ })]
[string]$ExcelPath, [string]$ExcelPath,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$WorksheetName, [string]$WorksheetName,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true, ParameterSetName = 'CsvInput')]
[ValidateScript({ Test-Path $_ })]
[string]$CsvPath, [string]$CsvPath,
[Parameter(Mandatory = $true, ParameterSetName = 'ObjectInput')]
[CISAuditResult[]]$AuditResults,
[Parameter(Mandatory = $false)] [Parameter(Mandatory = $false)]
[switch]$SkipUpdate [switch]$SkipUpdate
) )
process { process {
# Merge Excel and CSV data # Verify ImportExcel module is available
$mergedData = Merge-CISExcelAndCsvData -ExcelPath $ExcelPath -WorksheetName $WorksheetName -CsvPath $CsvPath $requiredModules = Get-RequiredModule -SyncFunction
foreach ($module in $requiredModules) {
Assert-ModuleAvailability -ModuleName $module.ModuleName -RequiredVersion $module.RequiredVersion -SubModuleName $module.SubModuleName
}
# Merge Excel and CSV data or Audit Results
if ($PSCmdlet.ParameterSetName -eq 'CsvInput') {
$mergedData = Merge-CISExcelAndCsvData -ExcelPath $ExcelPath -WorksheetName $WorksheetName -CsvPath $CsvPath
} else {
$mergedData = Merge-CISExcelAndCsvData -ExcelPath $ExcelPath -WorksheetName $WorksheetName -AuditResults $AuditResults
}
# Output the merged data if the user chooses to skip the update # Output the merged data if the user chooses to skip the update
if ($SkipUpdate) { if ($SkipUpdate) {
@@ -59,3 +85,5 @@ function Sync-CISExcelAndCsvData {
} }
} }
} }
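Review bot: `[ValidateScript({ Test-Path $_ })]` on ExcelPath and CsvPath accepts directories and treats `[`, `]` and `*` in a path as wildcards, so a folder or an oddly named workbook passes validation and only fails later inside Merge-CISExcelAndCsvData; `[ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]` on both parameters checks what the function actually needs. The ObjectInput branch has no equivalent guard, and the merged data written back to the workbook will carry tenant-specific failure details, so a comment on `AuditResults` noting that the output file now holds audit findings would help callers who share the spreadsheet. The update branch of the process block lies between the third and fourth hunks and is not visible here.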


@@ -18,8 +18,8 @@
17,Test-RestrictTenantCreation.ps1,5.1.2.3,Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes',E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,Microsoft Graph 17,Test-RestrictTenantCreation.ps1,5.1.2.3,Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes',E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,Microsoft Graph
18,Test-PasswordHashSync.ps1,5.1.8.1,Ensure password hash sync is enabled for hybrid deployments,E3,L1,6.7,Centralize Access Control,FALSE,TRUE,TRUE,TRUE,Microsoft Graph 18,Test-PasswordHashSync.ps1,5.1.8.1,Ensure password hash sync is enabled for hybrid deployments,E3,L1,6.7,Centralize Access Control,FALSE,TRUE,TRUE,TRUE,Microsoft Graph
19,Test-AuditDisabledFalse.ps1,6.1.1,Ensure 'AuditDisabled' organizationally is set to 'False',E3,L1,8.2,Collect Audit Logs,TRUE,TRUE,TRUE,TRUE,Microsoft Graph 19,Test-AuditDisabledFalse.ps1,6.1.1,Ensure 'AuditDisabled' organizationally is set to 'False',E3,L1,8.2,Collect Audit Logs,TRUE,TRUE,TRUE,TRUE,Microsoft Graph
20,Test-MailboxAuditingE3.ps1,6.1.2,Ensure mailbox auditing for Office E3 users is Enabled,E3,L1,8.2,Collect audit logs.,TRUE,TRUE,TRUE,TRUE,AzureAD | EXO 20,Test-MailboxAuditingE3.ps1,6.1.2,Ensure mailbox auditing for Office E3 users is Enabled,E3,L1,8.2,Collect audit logs.,TRUE,TRUE,TRUE,TRUE,AzureAD | EXO | Microsoft Graph
21,Test-MailboxAuditingE5.ps1,6.1.3,Ensure mailbox auditing for Office E5 users is Enabled,E5,L1,8.2,Collect audit logs.,TRUE,TRUE,TRUE,TRUE,AzureAD | EXO 21,Test-MailboxAuditingE5.ps1,6.1.3,Ensure mailbox auditing for Office E5 users is Enabled,E5,L1,8.2,Collect audit logs.,TRUE,TRUE,TRUE,TRUE,AzureAD | EXO | Microsoft Graph
22,Test-BlockMailForwarding.ps1,6.2.1,Ensure all forms of mail forwarding are blocked and/or disabled,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO 22,Test-BlockMailForwarding.ps1,6.2.1,Ensure all forms of mail forwarding are blocked and/or disabled,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
23,Test-NoWhitelistDomains.ps1,6.2.2,Ensure mail transport rules do not whitelist specific domains,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO 23,Test-NoWhitelistDomains.ps1,6.2.2,Ensure mail transport rules do not whitelist specific domains,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
24,Test-IdentifyExternalEmail.ps1,6.2.3,Ensure email from external senders is identified,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO 24,Test-IdentifyExternalEmail.ps1,6.2.3,Ensure email from external senders is identified,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
1 Index TestFileName Rec RecDescription ELevel ProfileLevel CISControl CISDescription IG1 IG2 IG3 Automated Connection
18 17 Test-RestrictTenantCreation.ps1 5.1.2.3 Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' E3 L1 0 Explicitly Not Mapped FALSE FALSE FALSE TRUE Microsoft Graph
19 18 Test-PasswordHashSync.ps1 5.1.8.1 Ensure password hash sync is enabled for hybrid deployments E3 L1 6.7 Centralize Access Control FALSE TRUE TRUE TRUE Microsoft Graph
20 19 Test-AuditDisabledFalse.ps1 6.1.1 Ensure 'AuditDisabled' organizationally is set to 'False' E3 L1 8.2 Collect Audit Logs TRUE TRUE TRUE TRUE Microsoft Graph
21 20 Test-MailboxAuditingE3.ps1 6.1.2 Ensure mailbox auditing for Office E3 users is Enabled E3 L1 8.2 Collect audit logs. TRUE TRUE TRUE TRUE AzureAD | EXO AzureAD | EXO | Microsoft Graph
22 21 Test-MailboxAuditingE5.ps1 6.1.3 Ensure mailbox auditing for Office E5 users is Enabled E5 L1 8.2 Collect audit logs. TRUE TRUE TRUE TRUE AzureAD | EXO AzureAD | EXO | Microsoft Graph
23 22 Test-BlockMailForwarding.ps1 6.2.1 Ensure all forms of mail forwarding are blocked and/or disabled E3 L1 0 Explicitly Not Mapped FALSE FALSE FALSE TRUE EXO
24 23 Test-NoWhitelistDomains.ps1 6.2.2 Ensure mail transport rules do not whitelist specific domains E3 L1 0 Explicitly Not Mapped FALSE FALSE FALSE TRUE EXO
25 24 Test-IdentifyExternalEmail.ps1 6.2.3 Ensure email from external senders is identified E3 L1 0 Explicitly Not Mapped FALSE FALSE FALSE TRUE EXO


@@ -1,83 +1,113 @@
function Test-AdministrativeAccountCompliance { function Test-AdministrativeAccountCompliance {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned
# Parameters can be added if needed # Parameters can be added if needed
) )
begin { begin {
#. .\source\Classes\CISAuditResult.ps1
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2') $validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
$recnum = "1.1.1"
} }
process { process {
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" } try {
$adminRoleUsers = @() # Retrieve all necessary data outside the loops
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment
$principalIds = $roleAssignments.PrincipalId | Select-Object -Unique
foreach ($role in $adminRoles) { # Fetch user details using filter
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" $userDetailsList = @{}
$licensesList = @{}
foreach ($assignment in $roleAssignments) { $userDetails = Get-MgUser -Filter "id in ('$($principalIds -join "','")')" -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
$userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue foreach ($user in $userDetails) {
if ($userDetails) { $userDetailsList[$user.Id] = $user
$licenses = Get-MgUserLicenseDetail -UserId $assignment.PrincipalId -ErrorAction SilentlyContinue }
$licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" }
$adminRoleUsers += [PSCustomObject]@{ # Fetch user licenses for each unique principal ID
UserName = $userDetails.UserPrincipalName foreach ($principalId in $principalIds) {
RoleName = $role.DisplayName $licensesList[$principalId] = Get-MgUserLicenseDetail -UserId $principalId -ErrorAction SilentlyContinue
UserId = $userDetails.Id }
HybridUser = $userDetails.OnPremisesSyncEnabled
Licenses = $licenseString $adminRoleUsers = @()
foreach ($role in $adminRoles) {
foreach ($assignment in $roleAssignments | Where-Object { $_.RoleDefinitionId -eq $role.Id }) {
$userDetails = $userDetailsList[$assignment.PrincipalId]
if ($userDetails) {
$licenses = $licensesList[$assignment.PrincipalId]
$licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" }
$adminRoleUsers += [PSCustomObject]@{
UserName = $userDetails.UserPrincipalName
RoleName = $role.DisplayName
UserId = $userDetails.Id
HybridUser = $userDetails.OnPremisesSyncEnabled
Licenses = $licenseString
}
} }
} }
} }
}
$uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object { $uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object {
$first = $_.Group | Select-Object -First 1 $first = $_.Group | Select-Object -First 1
$roles = ($_.Group.RoleName -join ', ') $roles = ($_.Group.RoleName -join ', ')
$licenses = (($_.Group | Select-Object -ExpandProperty Licenses) -join ',').Split(',') | Select-Object -Unique $licenses = (($_.Group | Select-Object -ExpandProperty Licenses) -join ',').Split(',') | Select-Object -Unique
$first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } } $first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } }
} }
$nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object { $nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object {
$_.HybridUser -or $_.HybridUser -or
-not ($_.Licenses -split '\|' | Where-Object { $validLicenses -contains $_ }) -not ($_.Licenses -split '\|' | Where-Object { $validLicenses -contains $_ })
} }
$failureReasons = $nonCompliantUsers | ForEach-Object { $failureReasons = $nonCompliantUsers | ForEach-Object {
$accountType = if ($_.HybridUser) { "Hybrid" } else { "Cloud-Only" } $accountType = if ($_.HybridUser) { "Hybrid" } else { "Cloud-Only" }
$missingLicenses = $validLicenses | Where-Object { $_ -notin ($_.Licenses -split '\|') } $missingLicenses = $validLicenses | Where-Object { $_ -notin ($_.Licenses -split '\|') }
"$($_.UserName)|$($_.Roles)|$accountType|Missing: $($missingLicenses -join ',')" "$($_.UserName)|$($_.Roles)|$accountType|$($missingLicenses -join ',')"
} }
$failureReasons = $failureReasons -join "`n" $failureReasons = $failureReasons -join "`n"
$details = if ($nonCompliantUsers) {
"Non-Compliant Accounts: $($nonCompliantUsers.Count)`nDetails:`n" + ($nonCompliantUsers | ForEach-Object { $_.UserName }) -join "`n"
}
else {
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
}
$result = $nonCompliantUsers.Count -eq 0 $details = if ($nonCompliantUsers) {
$status = if ($result) { 'Pass' } else { 'Fail' } "Non-compliant accounts: `nUsername | Roles | HybridStatus | Missing Licence`n$failureReasons"
$failureReason = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | HybridStatus | Missing Licence`n$failureReasons" } else { "N/A" } } else {
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
}
# Create the parameter splat $failureReason = if ($nonCompliantUsers) {
$params = @{ "Non-Compliant Accounts: $($nonCompliantUsers.Count)`nDetails:`n" + ($nonCompliantUsers | ForEach-Object { $_.UserName }) -join "`n"
Rec = "1.1.1" } else {
Result = $result "N/A"
Status = $status }
Details = $details
FailureReason = $failureReason $result = $nonCompliantUsers.Count -eq 0
$status = if ($result) { 'Pass' } else { 'Fail' }
$params = @{
Rec = $recnum
Result = $result
Status = $status
Details = $details
FailureReason = $failureReason
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$auditResult = Initialize-CISAuditResult @params $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
} }
end { end {
# Output the result
return $auditResult return $auditResult
} }
} }
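Review bot: The batched `Get-MgUser -Filter "id in (...)"` call at the top of the try keeps `-ErrorAction SilentlyContinue`, so if that single request fails (throttling, a missing scope, or a filter that grows too long for a tenant with many role holders) `$userDetailsList` stays empty, no `$adminRoleUsers` rows are built, and 1.1.1 is reported as Pass with "Compliant Accounts: 0" instead of reaching the new catch block. Remove the SilentlyContinue, or add `if ($principalIds -and -not $userDetails) { throw "User lookup returned no results for $($principalIds.Count) principal(s)" }` right after it, so the failure lands in `$script:FailedTests` like the other tests. Principals that are groups or service principals never match Get-MgUser, so members of role-assignable groups are presumably not evaluated; if that is the accepted scope, a comment at `$principalIds` should say so. Separately, in `$missingLicenses = $validLicenses | Where-Object { $_ -notin ($_.Licenses -split '\|') }` the inner `$_` is the licence name rather than the user, so the last column of the failure text this commit reformats always lists both licences; capture the user in a variable before the pipeline.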


@@ -1,5 +1,6 @@
function Test-AntiPhishingPolicy { function Test-AntiPhishingPolicy {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -10,66 +11,82 @@ function Test-AntiPhishingPolicy {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
#$auditResults = @() #$auditResults = @()
$recnum = "2.1.7"
} }
process { process {
# 2.1.7 Ensure that an anti-phishing policy has been created
# Retrieve and validate the anti-phishing policies try {
$antiPhishPolicies = Get-AntiPhishPolicy # 2.1.7 Ensure that an anti-phishing policy has been created
$validatedPolicies = $antiPhishPolicies | Where-Object {
$_.Enabled -eq $true -and
$_.PhishThresholdLevel -ge 2 -and
$_.EnableMailboxIntelligenceProtection -eq $true -and
$_.EnableMailboxIntelligence -eq $true -and
$_.EnableSpoofIntelligence -eq $true
}
# Check if there is at least one policy that meets the requirements # Retrieve and validate the anti-phishing policies
$nonCompliantItems = $antiPhishPolicies | Where-Object { $antiPhishPolicies = Get-AntiPhishPolicy
$_.Enabled -ne $true -or $validatedPolicies = $antiPhishPolicies | Where-Object {
$_.PhishThresholdLevel -lt 2 -or $_.Enabled -eq $true -and
$_.EnableMailboxIntelligenceProtection -ne $true -or $_.PhishThresholdLevel -ge 2 -and
$_.EnableMailboxIntelligence -ne $true -or $_.EnableMailboxIntelligenceProtection -eq $true -and
$_.EnableSpoofIntelligence -ne $true $_.EnableMailboxIntelligence -eq $true -and
} $_.EnableSpoofIntelligence -eq $true
$compliantItems = $validatedPolicies }
$isCompliant = $compliantItems.Count -gt 0
# Prepare failure reasons for non-compliant items # Check if there is at least one policy that meets the requirements
$nonCompliantNames = $nonCompliantItems | ForEach-Object { $_.Name } $nonCompliantItems = $antiPhishPolicies | Where-Object {
$failureReasons = if ($nonCompliantNames.Count -gt 0) { $_.Enabled -ne $true -or
"Reason: Does not meet one or more compliance criteria.`nNon-compliant Policies:`n" + ($nonCompliantNames -join "`n") $_.PhishThresholdLevel -lt 2 -or
} $_.EnableMailboxIntelligenceProtection -ne $true -or
else { $_.EnableMailboxIntelligence -ne $true -or
"N/A" $_.EnableSpoofIntelligence -ne $true
} }
$compliantItems = $validatedPolicies
$isCompliant = $compliantItems.Count -gt 0
# Prepare details for non-compliant items # Prepare failure reasons for non-compliant items
$nonCompliantDetails = $nonCompliantItems | ForEach-Object { $nonCompliantNames = $nonCompliantItems | ForEach-Object { $_.Name }
"Policy: $($_.Name)" $failureReasons = if ($nonCompliantNames.Count -gt 0) {
} "Reason: Does not meet one or more compliance criteria.`nNon-compliant Policies:`n" + ($nonCompliantNames -join "`n")
$nonCompliantDetails = $nonCompliantDetails -join "`n" }
else {
"N/A"
}
# Prepare details based on compliance # Prepare details for non-compliant items
$details = if ($nonCompliantItems) { $nonCompliantDetails = $nonCompliantItems | ForEach-Object {
"Non-Compliant Items: $($nonCompliantItems.Count)`nDetails:`n$nonCompliantDetails" "Policy: $($_.Name)"
} }
else { $nonCompliantDetails = $nonCompliantDetails -join "`n"
"Compliant Items: $($compliantItems.Count)"
}
# Parameter splat for Initialize-CISAuditResult function # Prepare details based on compliance
$params = @{ $details = if ($nonCompliantItems) {
Rec = "2.1.7" "Non-Compliant Items: $($nonCompliantItems.Count)`nDetails:`n$nonCompliantDetails"
Result = $nonCompliantItems.Count -eq 0 }
Status = if ($isCompliant) { "Pass" } else { "Fail" } else {
Details = $details "Compliant Items: $($compliantItems.Count)"
FailureReason = $failureReasons }
}
# Create and populate the CISAuditResult object # Parameter splat for Initialize-CISAuditResult function
$auditResult = Initialize-CISAuditResult @params $params = @{
Rec = $recnum
Result = $nonCompliantItems.Count -eq 0
Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
# Create and populate the CISAuditResult object
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
} }
end { end {
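Review bot: `Result = $nonCompliantItems.Count -eq 0` and `Status = if ($isCompliant) { "Pass" } else { "Fail" }` in the params splat are derived from different conditions, so a tenant with one compliant custom policy and a non-compliant default policy gets Result = $false together with Status = "Pass", and Measure-AuditResult and the Excel output will disagree. Pick one definition — `Result = $isCompliant` if "at least one qualifying policy" is the intended 2.1.7 check, as the comment above `$nonCompliantItems` says — so both fields agree. The `Write-Error` at the top of the catch becomes terminating when the caller runs with $ErrorActionPreference = 'Stop' and would leave the function before `Initialize-CISAuditResult -Rec $recnum -Failure` runs; unless Invoke-TestFunction (not visible here) resets the preference, `Write-Error "An error occurred during the test: $_" -ErrorAction Continue` is safer. The end block continues past the hunk.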


@@ -1,5 +1,6 @@
function Test-AuditDisabledFalse { function Test-AuditDisabledFalse {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
# Aligned # Aligned
param ( param (
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,39 +10,55 @@ function Test-AuditDisabledFalse {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.1.1"
} }
process { process {
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
# Retrieve the AuditDisabled configuration try {
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled # 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
# Prepare failure reasons and details based on compliance # Retrieve the AuditDisabled configuration
$failureReasons = if (-not $auditNotDisabled) { $auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
"AuditDisabled is set to True" $auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
}
else {
"N/A"
}
$details = if ($auditNotDisabled) { # Prepare failure reasons and details based on compliance
"Audit is not disabled organizationally" $failureReasons = if (-not $auditNotDisabled) {
} "AuditDisabled is set to True"
else { }
"Audit is disabled organizationally" else {
} "N/A"
}
# Create and populate the CISAuditResult object $details = if ($auditNotDisabled) {
$params = @{ "Audit is not disabled organizationally"
Rec = "6.1.1" }
Result = $auditNotDisabled else {
Status = if ($auditNotDisabled) { "Pass" } else { "Fail" } "Audit is disabled organizationally"
Details = $details }
FailureReason = $failureReasons
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $auditNotDisabled
Status = if ($auditNotDisabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
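Review bot: `$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled` evaluates to $true when Get-OrganizationConfig returns nothing (a non-terminating failure is not caught by the new try), so a failed lookup is reported as Pass for 6.1.1 instead of failing closed. Add `if ($null -eq $auditDisabledConfig) { throw 'Get-OrganizationConfig returned no data' }` after the retrieval and compute `$auditNotDisabled = ($auditDisabledConfig.AuditDisabled -eq $false)` so only an explicit False passes. The catch's `Write-Error` will itself terminate under $ErrorActionPreference = 'Stop' before the `-Failure` result is built; `-ErrorAction Continue` on it avoids that if the caller runs with Stop, which is not visible here. The end block is outside the hunk.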


@@ -1,5 +1,6 @@
function Test-AuditLogSearch { function Test-AuditLogSearch {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,40 +10,55 @@ function Test-AuditLogSearch {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "3.1.1"
} }
process { process {
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
# Retrieve the audit log configuration try {
$auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled # 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
$auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
# Prepare failure reasons and details based on compliance # Retrieve the audit log configuration
$failureReasons = if (-not $auditLogResult) { $auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
"Audit log search is not enabled" $auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
}
else {
"N/A"
}
$details = if ($auditLogResult) { # Prepare failure reasons and details based on compliance
"UnifiedAuditLogIngestionEnabled: True" $failureReasons = if (-not $auditLogResult) {
} "Audit log search is not enabled"
else { }
"UnifiedAuditLogIngestionEnabled: False" else {
} "N/A"
}
# Create and populate the CISAuditResult object $details = if ($auditLogResult) {
$params = @{ "UnifiedAuditLogIngestionEnabled: True"
Rec = "3.1.1" }
Result = $auditLogResult else {
Status = if ($auditLogResult) { "Pass" } else { "Fail" } "UnifiedAuditLogIngestionEnabled: False"
Details = $details }
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $auditLogResult
Status = if ($auditLogResult) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
} }
end { end {
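Review bot: The eight-line catch block (Write-Error, the `$script:TestDefinitionsObject` lookup, `$script:FailedTests.Add(...)`, `Initialize-CISAuditResult -Rec $recnum -Failure`) is copy-pasted into every Test-* function in this commit; a private helper called as `$auditResult = Register-CISTestFailure -Rec $recnum -ErrorRecord $_` would keep the FailedTests schema and the description fallback in one place and make later changes (such as adding the exception type) a single edit. When Get-AdminAuditLogConfig yields nothing, `$auditLogResult` is $null, which still fails the check, but Details then reads "UnifiedAuditLogIngestionEnabled: False" as if the value had been read; `if ($null -eq $auditLogConfig) { throw 'Get-AdminAuditLogConfig returned no data' }` before the comparison would distinguish a real configuration failure from a lookup failure in the FailedTests output. The end block is outside the hunk.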


@@ -1,5 +1,6 @@
function Test-BlockChannelEmails { function Test-BlockChannelEmails {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added here if needed # Parameters can be added here if needed
@@ -9,9 +10,12 @@ function Test-BlockChannelEmails {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.1.2"
} }
process { process {
try {
# 8.1.2 (L1) Ensure users can't send emails to a channel email address # 8.1.2 (L1) Ensure users can't send emails to a channel email address
# Retrieve Teams client configuration # Retrieve Teams client configuration
@@ -35,13 +39,26 @@ function Test-BlockChannelEmails {
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "8.1.2" Rec = $recnum
Result = -not $allowEmailIntoChannel Result = -not $allowEmailIntoChannel
Status = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" } Status = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
} }
end { end {
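Review bot: `Result = -not $allowEmailIntoChannel` and the matching Status expression are true when `$allowEmailIntoChannel` is $null, so if the Teams client configuration lookup (in the lines elided between the two hunks) returns nothing without throwing, 8.1.2 is reported as Pass; `Result = ($allowEmailIntoChannel -eq $false)` with `Status = if ($allowEmailIntoChannel -eq $false) { "Pass" } else { "Fail" }` fails closed instead. The catch assumes `$script:FailedTests` was initialised by the caller; when the function is invoked on its own the `.Add` call throws inside the catch and masks the original error, so a guard such as `if ($script:FailedTests) { $script:FailedTests.Add(...) }` (or a comment stating that Invoke-M365SecurityAudit owns that list) is worth adding — hedged, since the initialisation is not visible here. The end block is outside the hunk.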


@@ -1,7 +1,7 @@
function Test-BlockMailForwarding { function Test-BlockMailForwarding {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned Compare
# Parameters can be added if needed # Parameters can be added if needed
) )
@@ -9,40 +9,78 @@ function Test-BlockMailForwarding {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.2.1"
} }
process { process {
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled try {
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
# Retrieve the transport rules that redirect messages # Step 1: Retrieve the transport rules that redirect messages
$transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo } $transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo }
$forwardingBlocked = $transportRules.Count -eq 0 $transportForwardingBlocked = $transportRules.Count -eq 0
# Prepare failure reasons and details based on compliance # Step 2: Check all anti-spam outbound policies
$failureReasons = if ($transportRules.Count -gt 0) { $outboundSpamPolicies = Get-HostedOutboundSpamFilterPolicy
"Mail forwarding rules found: $($transportRules.Name -join ', ')" $nonCompliantSpamPolicies = $outboundSpamPolicies | Where-Object { $_.AutoForwardingMode -ne 'Off' }
} $nonCompliantSpamPoliciesArray = @($nonCompliantSpamPolicies)
else { $spamForwardingBlocked = $nonCompliantSpamPoliciesArray.Count -eq 0
"N/A"
}
$details = if ($transportRules.Count -gt 0) { # Determine overall compliance
$transportRules | ForEach-Object { $forwardingBlocked = $transportForwardingBlocked -and $spamForwardingBlocked
"$($_.Name) redirects to $($_.RedirectMessageTo)"
} -join " | "
}
else {
"Step 1: No forwarding rules found. Please proceed with Step 2 described in CIS Benchmark."
}
$params = @{ # Prepare failure reasons and details based on compliance
Rec = "6.2.1" $failureReasons = @()
Result = $forwardingBlocked $details = @()
Status = if ($forwardingBlocked) { "Pass" } else { "Fail" }
Details = $details if ($transportRules.Count -gt 0) {
FailureReason = $failureReasons $failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')"
$details += "Transport Rules Details:`nRule Name|Redirects To"
$details += $transportRules | ForEach-Object {
"$($_.Name)|$($_.RedirectMessageTo -join ', ')"
}
$details += "`n"
}
if ($nonCompliantSpamPoliciesArray.Count -gt 0) {
$failureReasons += "Outbound spam policies allowing automatic forwarding found."
$details += "Outbound Spam Policies Details:`nPolicy|AutoForwardingMode"
$details += $nonCompliantSpamPoliciesArray | ForEach-Object {
"$($_.Name)|$($_.AutoForwardingMode)"
}
}
if ($failureReasons.Count -eq 0) {
$failureReasons = "N/A"
$details = "Both transport rules and outbound spam policies are configured correctly to block forwarding."
}
else {
$failureReasons = $failureReasons -join " | "
$details = $details -join "`n"
}
# Populate the audit result
$params = @{
Rec = $recnum
Result = $forwardingBlocked
Status = if ($forwardingBlocked) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
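Review bot: The transport-rule result is not wrapped the way the spam-policy result is: `$nonCompliantSpamPoliciesArray = @($nonCompliantSpamPolicies)` guards its `.Count`, but `$transportRules.Count` at the top of the try block relies on PowerShell's scalar `.Count` unrolling, so `$transportRules = @(Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo })` would keep both checks consistent. The rule filter also ignores `State`, so a disabled redirect rule is still reported as a finding; that is defensible as a conservative audit, but either the failure reason should say the rule is disabled or the filter should add `-and $_.State -eq 'Enabled'`. Minor: `$details += "`n"` appends an empty element that becomes a blank line after the join, which reads like an accident and deserves a one-line comment if intended. The begin and end blocks of this function extend outside the hunk.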

@@ -1,5 +1,6 @@
function Test-BlockSharedMailboxSignIn { function Test-BlockSharedMailboxSignIn {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,41 +10,57 @@ function Test-BlockSharedMailboxSignIn {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "1.2.2"
} }
process { process {
# 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
# Retrieve shared mailbox details try {
$MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox # 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
$sharedMailboxDetails = $MBX | ForEach-Object { Get-AzureADUser -ObjectId $_.ExternalDirectoryObjectId }
$enabledMailboxes = $sharedMailboxDetails | Where-Object { $_.AccountEnabled } | ForEach-Object { $_.DisplayName }
$allBlocked = $enabledMailboxes.Count -eq 0
# Prepare failure reasons and details based on compliance # Retrieve shared mailbox details
$failureReasons = if (-not $allBlocked) { $MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox
"Some mailboxes have sign-in enabled: $($enabledMailboxes -join ', ')" $sharedMailboxDetails = $MBX | ForEach-Object { Get-AzureADUser -ObjectId $_.ExternalDirectoryObjectId }
} $enabledMailboxes = $sharedMailboxDetails | Where-Object { $_.AccountEnabled } | ForEach-Object { $_.DisplayName }
else { $allBlocked = $enabledMailboxes.Count -eq 0
"N/A"
}
$details = if ($allBlocked) { # Prepare failure reasons and details based on compliance
"All shared mailboxes have sign-in blocked." $failureReasons = if (-not $allBlocked) {
} "Some mailboxes have sign-in enabled: $($enabledMailboxes -join ', ')"
else { }
"Enabled Mailboxes: $($enabledMailboxes -join ', ')" else {
} "N/A"
}
# Create and populate the CISAuditResult object $details = if ($allBlocked) {
$params = @{ "All shared mailboxes have sign-in blocked."
Rec = "1.2.2" }
Result = $allBlocked else {
Status = if ($allBlocked) { "Pass" } else { "Fail" } "Enabled Mailboxes: $($enabledMailboxes -join ', ')"
Details = $details }
FailureReason = $failureReasons
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $allBlocked
Status = if ($allBlocked) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
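Review bot: `Get-EXOMailbox -RecipientTypeDetails SharedMailbox` is called without `-ResultSize`, and that cmdlet's default is 1000 results, so in a tenant with more shared mailboxes than that the remainder are never checked and an enabled account among them yields a false Pass; use `Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited`. The per-mailbox `Get-AzureADUser` lookup is also all-or-nothing: a single failed lookup lands in the new catch and the whole control is reported as a failure rather than that one mailbox being listed, so a per-object try/catch that records the unresolved `ExternalDirectoryObjectId` would make the result more useful. The AzureAD module this depends on is deprecated in favour of Microsoft Graph (`Get-MgUser -UserId ... -Property AccountEnabled`), which is worth a TODO comment even if not addressed here.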

@@ -1,5 +1,6 @@
function Test-CommonAttachmentFilter { function Test-CommonAttachmentFilter {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,39 +10,54 @@ function Test-CommonAttachmentFilter {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "2.1.2"
} }
process { process {
# 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled try {
# 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
# Retrieve the attachment filter policy # Retrieve the attachment filter policy
$attachmentFilter = Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter $attachmentFilter = Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter
$result = $attachmentFilter.EnableFileFilter $result = $attachmentFilter.EnableFileFilter
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $result) { $failureReasons = if (-not $result) {
"Common Attachment Types Filter is disabled" "Common Attachment Types Filter is disabled"
} }
else { else {
"N/A" "N/A"
} }
$details = if ($result) { $details = if ($result) {
"File Filter Enabled: True" "File Filter Enabled: True"
} }
else { else {
"File Filter Enabled: False" "File Filter Enabled: False"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "2.1.2" Rec = $recnum
Result = $result Result = $result
Status = if ($result) { "Pass" } else { "Fail" } Status = if ($result) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
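Review bot: The new try/catch only fires for terminating errors, and `Get-MalwareFilterPolicy -Identity Default`, like most Exchange Online cmdlets, reports failures (not connected, throttled, policy not found) as non-terminating errors; in that case `$attachmentFilter` is `$null`, `$result` is `$null`, and the control is recorded as an ordinary Fail with the reason "Common Attachment Types Filter is disabled" instead of taking the error path this commit adds. Add `-ErrorAction Stop` to the cmdlet call, or set `$ErrorActionPreference = 'Stop'` in the begin block, so the catch is actually reachable. A comment stating that only the policy named Default is inspected would also help: `# NOTE: custom malware filter policies with higher priority are not evaluated here`. The begin and end blocks extend outside the hunk.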

@@ -1,5 +1,6 @@
function Test-CustomerLockbox { function Test-CustomerLockbox {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here if needed # Define your parameters here if needed
@@ -9,9 +10,12 @@ function Test-CustomerLockbox {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "1.3.6"
} }
process { process {
try {
# 1.3.6 (L2) Ensure the customer lockbox feature is enabled # 1.3.6 (L2) Ensure the customer lockbox feature is enabled
# Retrieve the organization configuration # Retrieve the organization configuration
@@ -35,13 +39,26 @@ function Test-CustomerLockbox {
# Create and populate the CISAuditResult object # # Create and populate the CISAuditResult object #
$params = @{ $params = @{
Rec = "1.3.6" Rec = $recnum
Result = $customerLockboxEnabled Result = $customerLockboxEnabled
Status = if ($customerLockboxEnabled) { "Pass" } else { "Fail" } Status = if ($customerLockboxEnabled) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
} }
end { end {
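Review bot: `Write-Error` at the top of the new catch block is itself governed by the caller's error preference: if this test is invoked with `-ErrorAction Stop`, or `$ErrorActionPreference` is Stop in the caller (which a `[CmdletBinding()]` function inherits), the `Write-Error` becomes terminating and execution leaves the catch before `$script:FailedTests.Add(...)` and `Initialize-CISAuditResult -Rec $recnum -Failure` run, so no result object is produced at all. Emit the diagnostic with `Write-Warning`, use `Write-Error ... -ErrorAction Continue`, or move the `Write-Error` after the failure object has been built. The retrieval logic of this test sits between the two hunks and is not visible here.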

@@ -1,5 +1,6 @@
function Test-DialInBypassLobby { function Test-DialInBypassLobby {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -9,39 +10,55 @@ function Test-DialInBypassLobby {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.4"
} }
process { process {
# 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
# Retrieve Teams meeting policy for PSTN users try {
$CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby # 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
$PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby
# Prepare failure reasons and details based on compliance # Retrieve Teams meeting policy for PSTN users
$failureReasons = if (-not $PSTNBypassDisabled) { $CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby
"Users dialing in can bypass the lobby" $PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby
}
else {
"N/A"
}
$details = if ($PSTNBypassDisabled) { # Prepare failure reasons and details based on compliance
"AllowPSTNUsersToBypassLobby is set to False" $failureReasons = if (-not $PSTNBypassDisabled) {
} "Users dialing in can bypass the lobby"
else { }
"AllowPSTNUsersToBypassLobby is set to True" else {
} "N/A"
}
# Create and populate the CISAuditResult object $details = if ($PSTNBypassDisabled) {
$params = @{ "AllowPSTNUsersToBypassLobby is set to False"
Rec = "8.5.4" }
Result = $PSTNBypassDisabled else {
Status = if ($PSTNBypassDisabled) { "Pass" } else { "Fail" } "AllowPSTNUsersToBypassLobby is set to True"
Details = $details }
FailureReason = $failureReasons
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $PSTNBypassDisabled
Status = if ($PSTNBypassDisabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
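Review bot: The compliance decision `$PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby` fails open: if `Get-CsTeamsMeetingPolicy` returns nothing (non-terminating error, no Teams session, property missing) the value is `$null`, `-not $null` is `$true`, and the control is reported as Pass with "AllowPSTNUsersToBypassLobby is set to False" although nothing was read. Compare explicitly, `$PSTNBypassDisabled = $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby -eq $false`, and add `-ErrorAction Stop` to the cmdlet so a failed lookup takes the new catch path instead. Only the Global policy is inspected; if that matches the benchmark's audit procedure, a one-line comment saying so would stop a reader from assuming per-user meeting policies are covered.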

@@ -1,5 +1,6 @@
function Test-DisallowInfectedFilesDownload { function Test-DisallowInfectedFilesDownload {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here if needed # Define your parameters here if needed
@@ -10,40 +11,55 @@ function Test-DisallowInfectedFilesDownload {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.3.1"
} }
process { process {
# 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download
# Retrieve the SharePoint tenant configuration try {
$SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload # 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download
$isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload
# Prepare failure reasons and details based on compliance # Retrieve the SharePoint tenant configuration
$failureReasons = if (-not $isDisallowInfectedFileDownloadEnabled) { $SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload
"Downloading infected files is not disallowed." $isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload
}
else {
"N/A"
}
$details = if ($isDisallowInfectedFileDownloadEnabled) { # Prepare failure reasons and details based on compliance
"DisallowInfectedFileDownload: True" $failureReasons = if (-not $isDisallowInfectedFileDownloadEnabled) {
} "Downloading infected files is not disallowed."
else { }
"DisallowInfectedFileDownload: False" else {
} "N/A"
}
# Create and populate the CISAuditResult object $details = if ($isDisallowInfectedFileDownloadEnabled) {
$params = @{ "DisallowInfectedFileDownload: True"
Rec = "7.3.1" }
Result = $isDisallowInfectedFileDownloadEnabled else {
Status = if ($isDisallowInfectedFileDownloadEnabled) { "Pass" } else { "Fail" } "DisallowInfectedFileDownload: False"
Details = $details }
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $isDisallowInfectedFileDownloadEnabled
Status = if ($isDisallowInfectedFileDownloadEnabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
} }
end { end {
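Review bot: The catch block calls `$script:FailedTests.Add(...)` and reads `$script:TestDefinitionsObject` without checking they exist, and both are presumably initialised by `Invoke-M365SecurityAudit` rather than by this function. Running `Test-DisallowInfectedFilesDownload` on its own (it is an ordinary `[CmdletBinding()]` function) and hitting an error therefore throws "You cannot call a method on a null-valued expression" from inside the catch, which masks the original exception and skips the `-Failure` result. Guard it, `if ($null -ne $script:FailedTests) { $script:FailedTests.Add(...) }`, or create the list in the begin block when it is missing. The begin and end blocks extend outside the hunk.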

@@ -1,5 +1,6 @@
function Test-EnableDKIM { function Test-EnableDKIM {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,9 +10,12 @@ function Test-EnableDKIM {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "2.1.9"
} }
process { process {
try {
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains # 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
# Retrieve DKIM configuration for all domains # Retrieve DKIM configuration for all domains
@@ -36,13 +40,26 @@ function Test-EnableDKIM {
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "2.1.9" Rec = $recnum
Result = $dkimResult Result = $dkimResult
Status = if ($dkimResult) { "Pass" } else { "Fail" } Status = if ($dkimResult) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
} }
end { end {
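Review bot: The eight-line catch block added here is identical to the one added to every other Test-* function in this commit (description lookup, `$script:FailedTests.Add`, `Initialize-CISAuditResult -Rec $recnum -Failure`), which is the kind of duplication that drifts once one copy gets a fix; a private helper along the lines of `Add-CISFailedTest -Rec $recnum -ErrorRecord $_` that returns the failure object would reduce each catch to two lines. If the `Invoke-TestFunction` mentioned in the changelog already centralises error handling, the per-test catch may overlap with it and the two should agree on which one records the failure. The DKIM retrieval and evaluation of this test sit between the two hunks and are not visible here.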

@@ -1,5 +1,6 @@
function Test-ExternalNoControl { function Test-ExternalNoControl {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -10,9 +11,12 @@ function Test-ExternalNoControl {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.7"
} }
process { process {
try {
# 8.5.7 (L1) Ensure external participants can't give or request control # 8.5.7 (L1) Ensure external participants can't give or request control
# Retrieve Teams meeting policy for external participant control # Retrieve Teams meeting policy for external participant control
@@ -36,13 +40,26 @@ function Test-ExternalNoControl {
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "8.5.7" Rec = $recnum
Result = $externalControlRestricted Result = $externalControlRestricted
Status = if ($externalControlRestricted) { "Pass" } else { "Fail" } Status = if ($externalControlRestricted) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
} }
end { end {
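Review bot: The diagnostic `Write-Error "An error occurred during the test: $_"` is the same literal in every test and does not mention `$recnum`, so on the console the only way to tell which control failed is the exception text; include the control, `Write-Error "Test $recnum failed: $($_.Exception.Message)"`, or pass the original record through with `Write-Error -ErrorRecord $_` so category, target object and position are preserved in the caller's `$Error` collection. The policy retrieval and comparison for this control lie outside the visible hunks.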

@@ -1,5 +1,6 @@
function Test-ExternalSharingCalendars { function Test-ExternalSharingCalendars {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -10,48 +11,64 @@ function Test-ExternalSharingCalendars {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "1.3.3"
} }
process { process {
# 1.3.3 (L2) Ensure 'External sharing' of calendars is not available (Automated)
# Retrieve sharing policies related to calendar sharing try {
$sharingPolicies = Get-SharingPolicy | Where-Object { $_.Domains -like '*CalendarSharing*' } # 1.3.3 (L2) Ensure 'External sharing' of calendars is not available (Automated)
# Check if calendar sharing is disabled in all applicable policies # Retrieve sharing policies related to calendar sharing
$isExternalSharingDisabled = $true $sharingPolicies = Get-SharingPolicy | Where-Object { $_.Domains -like '*CalendarSharing*' }
$sharingPolicyDetails = @()
foreach ($policy in $sharingPolicies) { # Check if calendar sharing is disabled in all applicable policies
if ($policy.Enabled -eq $true) { $isExternalSharingDisabled = $true
$isExternalSharingDisabled = $false $sharingPolicyDetails = @()
$sharingPolicyDetails += "$($policy.Name): Enabled" foreach ($policy in $sharingPolicies) {
if ($policy.Enabled -eq $true) {
$isExternalSharingDisabled = $false
$sharingPolicyDetails += "$($policy.Name): Enabled"
}
} }
}
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isExternalSharingDisabled) { $failureReasons = if (-not $isExternalSharingDisabled) {
"Calendar sharing with external users is enabled in one or more policies." "Calendar sharing with external users is enabled in one or more policies."
} }
else { else {
"N/A" "N/A"
} }
$details = if ($isExternalSharingDisabled) { $details = if ($isExternalSharingDisabled) {
"Calendar sharing with external users is disabled." "Calendar sharing with external users is disabled."
} }
else { else {
"Enabled Sharing Policies: $($sharingPolicyDetails -join ', ')" "Enabled Sharing Policies: $($sharingPolicyDetails -join ', ')"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "1.3.3" Rec = $recnum
Result = $isExternalSharingDisabled Result = $isExternalSharingDisabled
Status = if ($isExternalSharingDisabled) { "Pass" } else { "Fail" } Status = if ($isExternalSharingDisabled) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
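Review bot: The evidence recorded on a finding is only `"$($policy.Name): Enabled"`; an auditor needs to see which sharing scope was enabled, so include the matched domain entries, e.g. `$sharingPolicyDetails += "$($policy.Name): Enabled ($($policy.Domains -join '; '))"`. The check also fails open when `Get-SharingPolicy` yields nothing: `$isExternalSharingDisabled` starts as `$true` and the loop never runs, so an unconnected session or a non-terminating cmdlet error is reported as Pass with "Calendar sharing with external users is disabled"; add `-ErrorAction Stop` to the cmdlet and record in Details when no policies were returned so an empty result is distinguishable from a verified compliant one. The begin and end blocks extend outside the hunk.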

@@ -1,5 +1,6 @@
function Test-GlobalAdminsCount { function Test-GlobalAdminsCount {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here if needed # Define your parameters here if needed
@@ -10,39 +11,56 @@ function Test-GlobalAdminsCount {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "1.1.3"
} }
process { process {
# 1.1.3 (L1) Ensure that between two and four global admins are designated try {
# 1.1.3 (L1) Ensure that between two and four global admins are designated
# Retrieve global admin role and members # Retrieve global admin role and members
$globalAdminRole = Get-MgDirectoryRole -Filter "RoleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'" $globalAdminRole = Get-MgDirectoryRole -Filter "RoleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id $globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id
$globalAdminCount = $globalAdmins.AdditionalProperties.Count $globalAdminCount = $globalAdmins.Count
$globalAdminUsernames = ($globalAdmins | ForEach-Object { $_.AdditionalProperties["displayName"] }) -join ', ' $globalAdminUsernames = ($globalAdmins | ForEach-Object {
"$($_.AdditionalProperties["displayName"]) ($($_.AdditionalProperties["userPrincipalName"]))"
}) -join ', '
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($globalAdminCount -lt 2) { $failureReasons = if ($globalAdminCount -lt 2) {
"Less than 2 global admins: $globalAdminUsernames" "Less than 2 global admins: $globalAdminUsernames"
} }
elseif ($globalAdminCount -gt 4) { elseif ($globalAdminCount -gt 4) {
"More than 4 global admins: $globalAdminUsernames" "More than 4 global admins: $globalAdminUsernames"
} }
else { else {
"N/A" "N/A"
} }
$details = "Count: $globalAdminCount; Users: $globalAdminUsernames" $details = "Count: $globalAdminCount; Users: $globalAdminUsernames"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "1.1.3" Rec = $recnum
Result = $globalAdminCount -ge 2 -and $globalAdminCount -le 4 Result = $globalAdminCount -ge 2 -and $globalAdminCount -le 4
Status = if ($globalAdminCount -ge 2 -and $globalAdminCount -le 4) { "Pass" } else { "Fail" } Status = if ($globalAdminCount -ge 2 -and $globalAdminCount -le 4) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
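Review bot: `Get-MgDirectoryRoleMember` returns directory objects of any type, so a role-assignable group or a service principal assigned to Global Administrator is counted as one admin and its members are never expanded; the count can then sit inside the 2–4 window while many more people hold the role, and the newly added `userPrincipalName` is `$null` for such objects, producing "Name ()" in the details. Filter by type and report the rest separately, e.g. `$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id -All` followed by `Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }`, with non-user members listed in the failure reason. PIM-eligible assignments are also invisible to this cmdlet; that limitation belongs in the Details text or the header comment. The begin and end blocks extend outside the hunk.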

@@ -1,5 +1,6 @@
function Test-GuestAccessExpiration { function Test-GuestAccessExpiration {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here if needed # Define your parameters here if needed
@@ -10,9 +11,12 @@ function Test-GuestAccessExpiration {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.2.9"
} }
process { process {
try {
# 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically # 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
# Retrieve SharePoint tenant settings related to guest access expiration # Retrieve SharePoint tenant settings related to guest access expiration
@@ -31,13 +35,26 @@ function Test-GuestAccessExpiration {
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "7.2.9" Rec = $recnum
Result = $isGuestAccessExpirationConfiguredCorrectly Result = $isGuestAccessExpirationConfiguredCorrectly
Status = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" } Status = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
} }
end { end {
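Review bot: `Initialize-CISAuditResult -Rec $recnum -Failure` receives nothing about the error, so unless that function sets a distinguishing status (not visible here) the emitted object looks like an ordinary non-compliant Fail and a report reader cannot tell "guest expiration is misconfigured" from "the SharePoint query could not run". Consider letting the `-Failure` path accept the exception message and place it in the result's Details or FailureReason, so the audit output itself carries the cause rather than only the separate `$script:FailedTests` list. The SharePoint tenant retrieval for this control sits between the two hunks and is not visible.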

@@ -1,5 +1,6 @@
function Test-GuestUsersBiweeklyReview { function Test-GuestUsersBiweeklyReview {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here if needed # Define your parameters here if needed
@@ -10,41 +11,56 @@ function Test-GuestUsersBiweeklyReview {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "1.1.4"
} }
process { process {
# 1.1.4 (L1) Ensure Guest Users are reviewed at least biweekly try {
# 1.1.4 (L1) Ensure Guest Users are reviewed at least biweekly
# Retrieve guest users from Microsoft Graph # Retrieve guest users from Microsoft Graph
# Connect-MgGraph -Scopes "User.Read.All" # Connect-MgGraph -Scopes "User.Read.All"
$guestUsers = Get-MgUser -All -Filter "UserType eq 'Guest'" $guestUsers = Get-MgUser -All -Filter "UserType eq 'Guest'"
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($guestUsers) { $failureReasons = if ($guestUsers) {
"Guest users present: $($guestUsers.Count)" "Guest users present: $($guestUsers.Count)"
} }
else { else {
"N/A" "N/A"
} }
$details = if ($guestUsers) { $details = if ($guestUsers) {
$auditCommand = "Get-MgUser -All -Property UserType,UserPrincipalName | Where {`$_.UserType -ne 'Member'} | Format-Table UserPrincipalName, UserType" $auditCommand = "Get-MgUser -All -Property UserType,UserPrincipalName | Where {`$_.UserType -ne 'Member'} | Format-Table UserPrincipalName, UserType"
"Manual review required. To list guest users, run: `"$auditCommand`"." "Manual review required. To list guest users, run: `"$auditCommand`"."
} }
else { else {
"No guest users found." "No guest users found."
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "1.1.4" Rec = $recnum
Result = -not $guestUsers Result = -not $guestUsers
Status = if ($guestUsers) { "Fail" } else { "Pass" } Status = if ($guestUsers) { "Fail" } else { "Pass" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
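Review bot: A non-terminating failure of `Get-MgUser -All -Filter "UserType eq 'Guest'"` (missing consent, throttling) never reaches the new catch block: `$guestUsers` stays empty, so the control is reported as Pass with "No guest users found." and a retrieval error turns into a compliance pass. Unless the caller already runs with `$ErrorActionPreference = 'Stop'` (not visible here), route the failure to the catch so the `-Failure` result is produced: `$guestUsers = Get-MgUser -All -Filter "UserType eq 'Guest'" -ErrorAction Stop`. The function's end block continues outside the hunk.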


@@ -1,5 +1,6 @@
function Test-IdentifyExternalEmail { function Test-IdentifyExternalEmail {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -10,34 +11,50 @@ function Test-IdentifyExternalEmail {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.2.3"
} }
process { process {
# 6.2.3 (L1) Ensure email from external senders is identified
# Retrieve external sender tagging configuration try {
$externalInOutlook = Get-ExternalInOutlook # 6.2.3 (L1) Ensure email from external senders is identified
$externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true
# Prepare failure reasons and details based on compliance # Retrieve external sender tagging configuration
$failureReasons = if (-not $externalTaggingEnabled) { $externalInOutlook = Get-ExternalInOutlook
"External sender tagging is disabled" $externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true
}
else { # Prepare failure reasons and details based on compliance
"N/A" $failureReasons = if (-not $externalTaggingEnabled) {
"External sender tagging is disabled"
}
else {
"N/A"
}
$details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $externalTaggingEnabled
Status = if ($externalTaggingEnabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "6.2.3" # Call Initialize-CISAuditResult with error parameters
Result = $externalTaggingEnabled $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($externalTaggingEnabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
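Review bot: A failed `Get-ExternalInOutlook` call is reported as "External sender tagging is disabled" rather than as an error, because a non-terminating cmdlet error leaves `$externalInOutlook` null, `$externalTaggingEnabled` evaluates to false and the new catch is skipped. The result is still a Fail, but the FailureReason misleads the auditor and the control never reaches `$script:FailedTests`, which is what this commit set out to fix. Use `$externalInOutlook = Get-ExternalInOutlook -ErrorAction Stop` so the error is routed to the catch. The function's end block continues outside the hunk.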


@@ -1,5 +1,6 @@
function Test-LinkSharingRestrictions { function Test-LinkSharingRestrictions {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -10,34 +11,50 @@ function Test-LinkSharingRestrictions {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.2.7"
} }
process { process {
# 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive try {
# 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
# Retrieve link sharing configuration for SharePoint and OneDrive # Retrieve link sharing configuration for SharePoint and OneDrive
$SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType $SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType
$isLinkSharingRestricted = $SPOTenantLinkSharing.DefaultSharingLinkType -eq 'Direct' # Or 'SpecificPeople' as per the recommendation $isLinkSharingRestricted = $SPOTenantLinkSharing.DefaultSharingLinkType -eq 'Direct' # Or 'SpecificPeople' as per the recommendation
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isLinkSharingRestricted) {
"Link sharing is not restricted to 'Specific people'. Current setting: $($SPOTenantLinkSharing.DefaultSharingLinkType)"
}
else {
"N/A"
}
$details = "DefaultSharingLinkType: $($SPOTenantLinkSharing.DefaultSharingLinkType)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $isLinkSharingRestricted
Status = if ($isLinkSharingRestricted) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isLinkSharingRestricted) {
"Link sharing is not restricted to 'Specific people'. Current setting: $($SPOTenantLinkSharing.DefaultSharingLinkType)"
}
else {
"N/A"
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "DefaultSharingLinkType: $($SPOTenantLinkSharing.DefaultSharingLinkType)" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "7.2.7" # Call Initialize-CISAuditResult with error parameters
Result = $isLinkSharingRestricted $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($isLinkSharingRestricted) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
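Review bot: The inline comment `# Or 'SpecificPeople' as per the recommendation` on the `$isLinkSharingRestricted` line contradicts the code: the comparison accepts only `'Direct'`, and as far as I know `SpecificPeople` is not a `DefaultSharingLinkType` value at all (it is the UI label whose backing value is `Direct`). Someone reading the comment may "fix" the check to accept a value that never appears. Replace it with `# 'Direct' is the DefaultSharingLinkType value behind the "Specific people" option; no other value passes this control`. The function's end block continues outside the hunk.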


@@ -1,5 +1,6 @@
function Test-MailTipsEnabled { function Test-MailTipsEnabled {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -11,40 +12,55 @@ function Test-MailTipsEnabled {
# Initialization code, if needed # Initialization code, if needed
$auditResult = [CISAuditResult]::new() $auditResult = [CISAuditResult]::new()
$recnum = "6.5.2"
} }
process { process {
# 6.5.2 (L2) Ensure MailTips are enabled for end users try {
# 6.5.2 (L2) Ensure MailTips are enabled for end users
# Retrieve organization configuration for MailTips settings # Retrieve organization configuration for MailTips settings
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold $orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
$allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25 $allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25
$externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled $externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not ($allTipsEnabled -and $externalRecipientsTipsEnabled)) { $failureReasons = if (-not ($allTipsEnabled -and $externalRecipientsTipsEnabled)) {
"One or more MailTips settings are not configured as required." "One or more MailTips settings are not configured as required."
} }
else { else {
"N/A" "N/A"
} }
$details = if ($allTipsEnabled -and $externalRecipientsTipsEnabled) { $details = if ($allTipsEnabled -and $externalRecipientsTipsEnabled) {
"MailTipsAllTipsEnabled: $($orgConfig.MailTipsAllTipsEnabled); MailTipsExternalRecipientsTipsEnabled: $($orgConfig.MailTipsExternalRecipientsTipsEnabled); MailTipsGroupMetricsEnabled: $($orgConfig.MailTipsGroupMetricsEnabled); MailTipsLargeAudienceThreshold: $($orgConfig.MailTipsLargeAudienceThreshold)" "MailTipsAllTipsEnabled: $($orgConfig.MailTipsAllTipsEnabled); MailTipsExternalRecipientsTipsEnabled: $($orgConfig.MailTipsExternalRecipientsTipsEnabled); MailTipsGroupMetricsEnabled: $($orgConfig.MailTipsGroupMetricsEnabled); MailTipsLargeAudienceThreshold: $($orgConfig.MailTipsLargeAudienceThreshold)"
} }
else { else {
"One or more MailTips settings are not configured as required." "One or more MailTips settings are not configured as required."
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "6.5.2" Rec = $recnum
Result = $allTipsEnabled -and $externalRecipientsTipsEnabled Result = $allTipsEnabled -and $externalRecipientsTipsEnabled
Status = if ($allTipsEnabled -and $externalRecipientsTipsEnabled) { "Pass" } else { "Fail" } Status = if ($allTipsEnabled -and $externalRecipientsTipsEnabled) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
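Review bot: On a Fail the `$details` else branch discards the actual MailTips values and repeats the FailureReason text, so the report tells the auditor nothing about which of the four settings is wrong; the values are only shown when everything already passes. Emit the values unconditionally and let FailureReason carry the verdict: `$details = "MailTipsAllTipsEnabled: $($orgConfig.MailTipsAllTipsEnabled); MailTipsExternalRecipientsTipsEnabled: $($orgConfig.MailTipsExternalRecipientsTipsEnabled); MailTipsGroupMetricsEnabled: $($orgConfig.MailTipsGroupMetricsEnabled); MailTipsLargeAudienceThreshold: $($orgConfig.MailTipsLargeAudienceThreshold)"`. The `$auditResult = [CISAuditResult]::new()` in begin is now dead, since both the try and the catch assign `$auditResult`. The function's end block continues outside the hunk.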


@@ -1,8 +1,7 @@
function Test-MailboxAuditingE3 { function Test-MailboxAuditingE3 {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned
# Create Table for Details
# Parameters can be added if needed # Parameters can be added if needed
) )
@@ -15,19 +14,20 @@ function Test-MailboxAuditingE3 {
$DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules") $DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules")
$OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MoveToDeletedItems", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules") $OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MoveToDeletedItems", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
$allFailures = @() $allFailures = @()
$allUsers = Get-AzureADUser -All $true $allUsers = Get-AzureADUser -All $true
$processedUsers = @{} # Dictionary to track processed users $processedUsers = @{} # Dictionary to track processed users
$recnum = "6.1.2"
} }
process { process {
foreach ($user in $allUsers) { try {
if ($processedUsers.ContainsKey($user.UserPrincipalName)) { foreach ($user in $allUsers) {
Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)" if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
continue Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
} continue
try { }
$licenseDetails = Get-MgUserLicenseDetail -UserId $user.UserPrincipalName $licenseDetails = Get-MgUserLicenseDetail -UserId $user.UserPrincipalName
$hasOfficeE3 = ($licenseDetails | Where-Object { $_.SkuPartNumber -in $e3SkuPartNumbers }).Count -gt 0 $hasOfficeE3 = ($licenseDetails | Where-Object { $_.SkuPartNumber -in $e3SkuPartNumbers }).Count -gt 0
Write-Verbose "Evaluating user $($user.UserPrincipalName) for Office E3 license." Write-Verbose "Evaluating user $($user.UserPrincipalName) for Office E3 license."
@@ -47,68 +47,63 @@ function Test-MailboxAuditingE3 {
foreach ($action in $OwnerActions) { foreach ($action in $OwnerActions) {
if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" } if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" }
} }
if ($missingActions.Count -gt 0) {
$formattedActions = Format-MissingAction -missingActions $missingActions
$allFailures += "$userUPN|True|$($formattedActions.Admin)|$($formattedActions.Delegate)|$($formattedActions.Owner)"
}
} }
else { else {
$allFailures += "$userUPN`: AuditEnabled - False" $allFailures += "$userUPN|False|||"
continue
} }
if ($missingActions) {
$formattedActions = Format-MissingActions $missingActions
$allFailures += "$userUPN`: AuditEnabled - True; $formattedActions"
}
# Mark the user as processed # Mark the user as processed
$processedUsers[$user.UserPrincipalName] = $true $processedUsers[$user.UserPrincipalName] = $true
} }
} }
catch {
Write-Warning "Could not retrieve license details for user $($user.UserPrincipalName): $_" # Prepare failure reasons and details based on compliance
$failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." }
$details = if ($allFailures.Count -eq 0) {
"All Office E3 users have correct mailbox audit settings."
}
else {
"UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n")
} }
}
# Prepare failure reasons and details based on compliance # Populate the audit result
$failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." } $params = @{
$details = if ($allFailures.Count -eq 0) { "All Office E3 users have correct mailbox audit settings." } else { $allFailures -join " | " } Rec = $recnum
Result = $allFailures.Count -eq 0
# Populate the audit result Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
$params = @{ Details = $details
Rec = "6.1.2" FailureReason = $failureReasons
Result = $allFailures.Count -eq 0 }
Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" } $auditResult = Initialize-CISAuditResult @params
Details = $details }
FailureReason = $failureReasons catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
#$verbosePreference = 'Continue'
$detailsLength = $details.Length
Write-Verbose "Character count of the details: $detailsLength"
if ($detailsLength -gt 32767) {
Write-Verbose "Warning: The character count exceeds the limit for Excel cells."
}
#$verbosePreference = 'SilentlyContinue'
return $auditResult return $auditResult
} }
} }
function Format-MissingActions {
param ([array]$missingActions)
$actionGroups = @{
"Admin" = @()
"Delegate" = @()
"Owner" = @()
}
foreach ($action in $missingActions) {
if ($action -match "(Admin|Delegate|Owner) action '([^']+)' missing") {
$type = $matches[1]
$actionName = $matches[2]
$actionGroups[$type] += $actionName
}
}
$formattedResults = @()
foreach ($type in $actionGroups.Keys) {
if ($actionGroups[$type].Count -gt 0) {
$formattedResults += "$($type) actions missing: $($actionGroups[$type] -join ', ')"
}
}
return $formattedResults -join '; '
}
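Review bot: Moving the try/catch from inside the foreach to around it is a regression for a tenant-wide sweep: a single user whose `Get-MgUserLicenseDetail` or `Get-EXOMailbox` call throws now aborts the whole loop and records control 6.1.2 as errored, where the old per-user catch logged a warning and kept going. Conversely, a non-terminating license-lookup error leaves `$licenseDetails` null, so that user is silently treated as unlicensed and skipped rather than flagged. Keep the outer catch for setup failures but restore a per-user try/catch that fails closed for that user and continues; `Get-AzureADUser` in begin is outside any try, so its failure still propagates to the caller, presumably to the new Invoke-TestFunction. `Format-MissingAction` is presumably defined elsewhere in the module now that `Format-MissingActions` is removed from this file.
```powershell
foreach ($user in $allUsers) {
    if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
        Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
        continue
    }
    try {
        $licenseDetails = Get-MgUserLicenseDetail -UserId $user.UserPrincipalName -ErrorAction Stop
        # … unchanged: E3 SKU check, Get-EXOMailbox and the audit-action comparison …
    }
    catch {
        # Fail closed for this user and keep sweeping the rest of the tenant
        Write-Warning "Could not evaluate mailbox auditing for $($user.UserPrincipalName): $_"
        $allFailures += "$($user.UserPrincipalName)|Error|$_||"
    }
    $processedUsers[$user.UserPrincipalName] = $true
}
```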


@@ -1,8 +1,7 @@
function Test-MailboxAuditingE5 { function Test-MailboxAuditingE5 {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned
# Create Table for Details
# Parameters can be added if needed # Parameters can be added if needed
) )
@@ -15,23 +14,24 @@ function Test-MailboxAuditingE5 {
$DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules") $DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules")
$OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MailItemsAccessed", "MoveToDeletedItems", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules") $OwnerActions = @("ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MailItemsAccessed", "MoveToDeletedItems", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
$allFailures = @() $allFailures = @()
$allUsers = Get-AzureADUser -All $true $allUsers = Get-AzureADUser -All $true
$processedUsers = @{} # Dictionary to track processed users $processedUsers = @{} # Dictionary to track processed users
$recnum = "6.1.3"
} }
process { process {
foreach ($user in $allUsers) { try {
if ($processedUsers.ContainsKey($user.UserPrincipalName)) { foreach ($user in $allUsers) {
continue if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
} Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
continue
}
try {
$licenseDetails = Get-MgUserLicenseDetail -UserId $user.UserPrincipalName $licenseDetails = Get-MgUserLicenseDetail -UserId $user.UserPrincipalName
$hasOfficeE5 = ($licenseDetails | Where-Object { $_.SkuPartNumber -in $e5SkuPartNumbers }).Count -gt 0 $hasOfficeE5 = ($licenseDetails | Where-Object { $_.SkuPartNumber -in $e5SkuPartNumbers }).Count -gt 0
Write-Verbose "Evaluating user $($user.UserPrincipalName) for Office E5 license." Write-Verbose "Evaluating user $($user.UserPrincipalName) for Office E5 license."
if ($hasOfficeE5) { if ($hasOfficeE5) {
$userUPN = $user.UserPrincipalName $userUPN = $user.UserPrincipalName
$mailbox = Get-EXOMailbox -Identity $userUPN -PropertySets Audit $mailbox = Get-EXOMailbox -Identity $userUPN -PropertySets Audit
@@ -47,74 +47,63 @@ function Test-MailboxAuditingE5 {
foreach ($action in $OwnerActions) { foreach ($action in $OwnerActions) {
if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" } if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" }
} }
if ($missingActions.Count -gt 0) {
$formattedActions = Format-MissingAction -missingActions $missingActions
$allFailures += "$userUPN|True|$($formattedActions.Admin)|$($formattedActions.Delegate)|$($formattedActions.Owner)"
}
} }
else { else {
$allFailures += "$userUPN`: AuditEnabled - False" $allFailures += "$userUPN|False|||"
continue
} }
if ($missingActions) { # Mark the user as processed
$formattedActions = Format-MissingActions $missingActions
$allFailures += "$userUPN`: AuditEnabled - True; $formattedActions"
}
else {
Write-Verbose "User $($user.UserPrincipalName) passed the mailbox audit checks."
}
$processedUsers[$user.UserPrincipalName] = $true $processedUsers[$user.UserPrincipalName] = $true
} }
else {
# Adding verbose output to indicate the user does not have an E5 license
Write-Verbose "User $($user.UserPrincipalName) does not have an Office E5 license."
}
} }
catch {
Write-Warning "Could not retrieve license details for user $($user.UserPrincipalName): $_" # Prepare failure reasons and details based on compliance
$failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." }
$details = if ($allFailures.Count -eq 0) {
"All Office E5 users have correct mailbox audit settings."
}
else {
"UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n")
} }
}
# Prepare failure reasons and details based on compliance # Populate the audit result
$failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." } $params = @{
$details = if ($allFailures.Count -eq 0) { "All Office E5 users have correct mailbox audit settings." } else { $allFailures -join " | " } Rec = $recnum
Result = $allFailures.Count -eq 0
# Populate the audit result Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
$params = @{ Details = $details
Rec = "6.1.3" FailureReason = $failureReasons
Result = $allFailures.Count -eq 0 }
Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" } $auditResult = Initialize-CISAuditResult @params
Details = $details }
FailureReason = $failureReasons catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
#$verbosePreference = 'Continue'
$detailsLength = $details.Length
Write-Verbose "Character count of the details: $detailsLength"
if ($detailsLength -gt 32767) {
Write-Verbose "Warning: The character count exceeds the limit for Excel cells."
}
#$verbosePreference = 'SilentlyContinue'
return $auditResult return $auditResult
} }
} }
function Format-MissingActions {
param ([array]$missingActions)
$actionGroups = @{
"Admin" = @()
"Delegate" = @()
"Owner" = @()
}
foreach ($action in $missingActions) {
if ($action -match "(Admin|Delegate|Owner) action '([^']+)' missing") {
$type = $matches[1]
$actionName = $matches[2]
$actionGroups[$type] += $actionName
}
}
$formattedResults = @()
foreach ($type in $actionGroups.Keys) {
if ($actionGroups[$type].Count -gt 0) {
$formattedResults += "$($type) actions missing: $($actionGroups[$type] -join ', ')"
}
}
return $formattedResults -join '; '
}
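Review bot: The single try wrapped around the foreach means one user's throwing `Get-MgUserLicenseDetail` or `Get-EXOMailbox` call aborts the entire E5 sweep and marks 6.1.3 as errored, whereas the removed per-user catch warned and continued; in a large tenant that turns one transient Graph error into no result at all. A non-terminating error on the license lookup has the opposite problem: `$licenseDetails` is null, `$hasOfficeE5` is false and the user is skipped without a trace. A per-user try/catch that records the user as a failure row and continues keeps the test both complete and fail-closed, with the outer catch still covering setup errors. `Get-AzureADUser` in begin sits outside any try, so its failure propagates to the caller, presumably handled by the new Invoke-TestFunction.
```powershell
foreach ($user in $allUsers) {
    if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
        Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
        continue
    }
    try {
        $licenseDetails = Get-MgUserLicenseDetail -UserId $user.UserPrincipalName -ErrorAction Stop
        # … unchanged: E5 SKU check, Get-EXOMailbox and the audit-action comparison …
    }
    catch {
        # Record the user as a failure so an API error cannot hide an unaudited mailbox
        Write-Warning "Could not evaluate mailbox auditing for $($user.UserPrincipalName): $_"
        $allFailures += "$($user.UserPrincipalName)|Error|$_||"
    }
    $processedUsers[$user.UserPrincipalName] = $true
}
```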


@@ -1,5 +1,6 @@
function Test-ManagedApprovedPublicGroups { function Test-ManagedApprovedPublicGroups {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,40 +10,54 @@ function Test-ManagedApprovedPublicGroups {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "1.2.1"
} }
process { process {
# 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist (Automated) try {
# 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist (Automated)
# Retrieve all public groups # Retrieve all public groups
$allGroups = Get-MgGroup -All | Where-Object { $_.Visibility -eq "Public" } | Select-Object DisplayName, Visibility $allGroups = Get-MgGroup -All | Where-Object { $_.Visibility -eq "Public" } | Select-Object DisplayName, Visibility
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($null -ne $allGroups -and $allGroups.Count -gt 0) { $failureReasons = if ($null -ne $allGroups -and $allGroups.Count -gt 0) {
"There are public groups present that are not organizationally managed/approved." "There are public groups present that are not organizationally managed/approved."
} }
else { else {
"N/A" "N/A"
} }
$details = if ($null -eq $allGroups -or $allGroups.Count -eq 0) { $details = if ($null -eq $allGroups -or $allGroups.Count -eq 0) {
"No public groups found." "No public groups found."
} }
else { else {
$groupDetails = $allGroups | ForEach-Object { $_.DisplayName + " (" + $_.Visibility + ")" } $groupDetails = $allGroups | ForEach-Object { $_.DisplayName + " (" + $_.Visibility + ")" }
"Public groups found: $($groupDetails -join ', ')" "Public groups found: $($groupDetails -join ', ')"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "1.2.1" Rec = $recnum
Result = $null -eq $allGroups -or $allGroups.Count -eq 0 Result = $null -eq $allGroups -or $allGroups.Count -eq 0
Status = if ($null -eq $allGroups -or $allGroups.Count -eq 0) { "Pass" } else { "Fail" } Status = if ($null -eq $allGroups -or $allGroups.Count -eq 0) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
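Review bot: If `Get-MgGroup -All` fails non-terminatingly (consent, throttling), `$allGroups` is null and the control is reported as Pass with "No public groups found." — the new catch only sees terminating errors, so a retrieval failure becomes a compliance pass. Use `Get-MgGroup -All -ErrorAction Stop` (or rely on the caller's `$ErrorActionPreference`, which is not visible here) so the failure produces the `-Failure` result. Separately, the FailureReason asserts the groups "are not organizationally managed/approved", which the test cannot know from visibility alone; `"Public groups present ($($allGroups.Count)); confirm each is organizationally managed/approved."` states what was actually observed. The function's end block continues outside the hunk.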


@@ -1,5 +1,6 @@
function Test-MeetingChatNoAnonymous { function Test-MeetingChatNoAnonymous {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -9,36 +10,51 @@ function Test-MeetingChatNoAnonymous {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.5"
} }
process { process {
# 8.5.5 (L2) Ensure meeting chat does not allow anonymous users try {
# 8.5.5 (L2) Ensure meeting chat does not allow anonymous users
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for meeting chat # Retrieve the Teams meeting policy for meeting chat
$CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType $CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType
$chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous' $chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous'
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($chatAnonDisabled) { $failureReasons = if ($chatAnonDisabled) {
"N/A" "N/A"
} }
else { else {
"Meeting chat allows anonymous users" "Meeting chat allows anonymous users"
}
$details = "MeetingChatEnabledType is set to $($CsTeamsMeetingPolicyChat.MeetingChatEnabledType)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $chatAnonDisabled
Status = if ($chatAnonDisabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "MeetingChatEnabledType is set to $($CsTeamsMeetingPolicyChat.MeetingChatEnabledType)" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "8.5.5" # Call Initialize-CISAuditResult with error parameters
Result = $chatAnonDisabled $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($chatAnonDisabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
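Review bot: The check reads only `Get-CsTeamsMeetingPolicy -Identity Global`, so a custom meeting policy assigned to users with `MeetingChatEnabledType` set to `Enabled` would still allow anonymous chat while this control reports Pass; the benchmark audit step may well be scoped to the Global policy, but that limit should be stated rather than implied. Add `# Only the Global policy is evaluated; custom CsTeamsMeetingPolicy instances assigned to users are not covered by this control` above the retrieval line. The function's end block continues outside the hunk.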


@@ -1,5 +1,6 @@
function Test-ModernAuthExchangeOnline { function Test-ModernAuthExchangeOnline {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -9,6 +10,7 @@ function Test-ModernAuthExchangeOnline {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.5.1"
} }
process { process {
@@ -30,18 +32,28 @@ function Test-ModernAuthExchangeOnline {
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "6.5.1" Rec = $recnum
Result = $orgConfig.OAuth2ClientProfileEnabled Result = $orgConfig.OAuth2ClientProfileEnabled
Status = if ($orgConfig.OAuth2ClientProfileEnabled) { "Pass" } else { "Fail" } Status = if ($orgConfig.OAuth2ClientProfileEnabled) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
} }
catch { catch {
Write-Error "An error occurred while testing modern authentication for Exchange Online: $_" Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
} }
end { end {
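Review bot: `Write-Error "An error occurred during the test: $_"` is the first statement of the new catch block, ahead of the `$script:FailedTests.Add(...)` and `Initialize-CISAuditResult -Rec $recnum -Failure` lines, and because the function has `[CmdletBinding()]` a caller's `-ErrorAction Stop` (or a global `$ErrorActionPreference = 'Stop'`) turns that Write-Error into a terminating error, so the failure record and the static result object are never produced in exactly the situation this commit is meant to handle. Move the bookkeeping ahead of the message, i.e. run the `$testDefinition`/`$description`/`FailedTests.Add` lines and `$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure` first and emit `Write-Error "An error occurred during the test: $_"` last, or use `Write-Warning` for the diagnostic. The function's `end {}` block continues outside the hunk.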


@@ -1,5 +1,6 @@
function Test-ModernAuthSharePoint { function Test-ModernAuthSharePoint {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -9,32 +10,47 @@ function Test-ModernAuthSharePoint {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.2.1"
} }
process { process {
# 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required try {
$SPOTenant = Get-SPOTenant | Select-Object -Property LegacyAuthProtocolsEnabled # 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required
$modernAuthForSPRequired = -not $SPOTenant.LegacyAuthProtocolsEnabled $SPOTenant = Get-SPOTenant | Select-Object -Property LegacyAuthProtocolsEnabled
$modernAuthForSPRequired = -not $SPOTenant.LegacyAuthProtocolsEnabled
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $modernAuthForSPRequired) { $failureReasons = if (-not $modernAuthForSPRequired) {
"Legacy authentication protocols are enabled" "Legacy authentication protocols are enabled"
} }
else { else {
"N/A" "N/A"
} }
$details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" $details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "7.2.1" Rec = $recnum
Result = $modernAuthForSPRequired Result = $modernAuthForSPRequired
Status = if ($modernAuthForSPRequired) { "Pass" } else { "Fail" } Status = if ($modernAuthForSPRequired) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
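Review bot: `$script:FailedTests.Add([PSCustomObject]@{ ... })` in the new catch block does not discard the method's return value; if `$script:FailedTests` is a `System.Collections.ArrayList` (its declaration is not in this section) `.Add()` returns the new index, and that integer goes to the output stream next to the `[CISAuditResult]` the function now declares with `[OutputType]`, so a caller collecting `$results += Test-ModernAuthSharePoint` can pick up a stray `0`. Cast the call to void: `[void]$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })`; a `[System.Collections.Generic.List[object]]` would not have this problem. The function's `end {}` block continues outside the hunk.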


@@ -1,5 +1,6 @@
function Test-NoAnonymousMeetingJoin { function Test-NoAnonymousMeetingJoin {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -9,35 +10,50 @@ function Test-NoAnonymousMeetingJoin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.1"
} }
process { process {
# 8.5.1 (L2) Ensure anonymous users can't join a meeting try {
# 8.5.1 (L2) Ensure anonymous users can't join a meeting
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
$teamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global $teamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global
$allowAnonymousUsersToJoinMeeting = $teamsMeetingPolicy.AllowAnonymousUsersToJoinMeeting $allowAnonymousUsersToJoinMeeting = $teamsMeetingPolicy.AllowAnonymousUsersToJoinMeeting
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($allowAnonymousUsersToJoinMeeting) { $failureReasons = if ($allowAnonymousUsersToJoinMeeting) {
"Anonymous users are allowed to join meetings" "Anonymous users are allowed to join meetings"
} }
else { else {
"N/A" "N/A"
}
$details = "AllowAnonymousUsersToJoinMeeting is set to $allowAnonymousUsersToJoinMeeting"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = -not $allowAnonymousUsersToJoinMeeting
Status = if (-not $allowAnonymousUsersToJoinMeeting) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "AllowAnonymousUsersToJoinMeeting is set to $allowAnonymousUsersToJoinMeeting" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "8.5.1" # Call Initialize-CISAuditResult with error parameters
Result = -not $allowAnonymousUsersToJoinMeeting $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if (-not $allowAnonymousUsersToJoinMeeting) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
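Review bot: In the new catch block an exception from `Get-CsTeamsMeetingPolicy -Identity Global` (no Teams session, missing role, throttling) ends in `Initialize-CISAuditResult -Rec $recnum -Failure`, which per the changelog yields a static failed object, so a report reader cannot tell "anonymous users may join" from "the check could not run" without also consulting `$script:FailedTests`. If the static object's `Details`/`FailureReason` can carry text, pass `$_.Exception.Message` through; at minimum document the semantics above the call: `# Execution error, not a measured non-compliance; the exception is in $script:FailedTests`. The function's `end {}` block continues outside the hunk.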


@@ -1,5 +1,6 @@
function Test-NoAnonymousMeetingStart { function Test-NoAnonymousMeetingStart {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -9,35 +10,50 @@ function Test-NoAnonymousMeetingStart {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.2"
} }
process { process {
# 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting try {
# 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
$CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting $CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting
$anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting $anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($anonymousStartDisabled) { $failureReasons = if ($anonymousStartDisabled) {
"N/A" "N/A"
} }
else { else {
"Anonymous users and dial-in callers can start a meeting" "Anonymous users and dial-in callers can start a meeting"
}
$details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $anonymousStartDisabled
Status = if ($anonymousStartDisabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "8.5.2" # Call Initialize-CISAuditResult with error parameters
Result = $anonymousStartDisabled $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($anonymousStartDisabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
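Review bot: The six-line catch body added here (description lookup, `$script:FailedTests.Add`, `Initialize-CISAuditResult -Rec $recnum -Failure`) is repeated verbatim in every test touched by this commit, and the changelog says the new private `Invoke-TestFunction` also handles errors around these calls, so an error may be recorded twice or the wrapper may never see it because the test swallows it and returns a Failure object. Either hoist the catch body into one private helper taking `$recnum` and the `ErrorRecord`, or let `Invoke-TestFunction` own the catch and drop the per-test copies; which layer is meant to be authoritative is not visible from this section. The function's `end {}` block continues outside the hunk.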


@@ -1,5 +1,6 @@
function Test-NoWhitelistDomains { function Test-NoWhitelistDomains {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -9,39 +10,54 @@ function Test-NoWhitelistDomains {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.2.2"
} }
process { process {
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains try {
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
# Retrieve transport rules that whitelist specific domains # Retrieve transport rules that whitelist specific domains
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs } $whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($whitelistedRules) { $failureReasons = if ($whitelistedRules) {
"There are transport rules whitelisting specific domains." "There are transport rules whitelisting specific domains."
} }
else { else {
"N/A" "N/A"
} }
$details = if ($whitelistedRules) { $details = if ($whitelistedRules) {
$ruleDetails = $whitelistedRules | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.SenderDomainIs -join ', ') } $ruleDetails = $whitelistedRules | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.SenderDomainIs -join ', ') }
"Whitelisted Rules: $($ruleDetails -join '; ')" "Whitelisted Rules: $($ruleDetails -join '; ')"
} }
else { else {
"No transport rules whitelisting specific domains found." "No transport rules whitelisting specific domains found."
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "6.2.2" Rec = $recnum
Result = -not $whitelistedRules Result = -not $whitelistedRules
Status = if ($whitelistedRules) { "Fail" } else { "Pass" } Status = if ($whitelistedRules) { "Fail" } else { "Pass" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
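Review bot: `Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }` on the new side is called without `-ResultSize`, and Exchange Online returns only the first 1000 rules by default, so a tenant with more transport rules than that can leave `$whitelistedRules` empty and report a false Pass for 6.2.2. Use `Get-TransportRule -ResultSize Unlimited | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }`. The function's `end {}` block continues outside the hunk.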


@@ -1,5 +1,6 @@
function Test-NotifyMalwareInternal { function Test-NotifyMalwareInternal {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,48 +10,63 @@ function Test-NotifyMalwareInternal {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "2.1.3"
} }
process { process {
# 2.1.3 Ensure notifications for internal users sending malware is Enabled try {
# 2.1.3 Ensure notifications for internal users sending malware is Enabled
# Retrieve all 'Custom' malware filter policies and check notification settings # Retrieve all 'Custom' malware filter policies and check notification settings
$malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' } $malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
$policiesToReport = @() $policiesToReport = @()
foreach ($policy in $malwareNotifications) { foreach ($policy in $malwareNotifications) {
if ($policy.EnableInternalSenderAdminNotifications -ne $true) { if ($policy.EnableInternalSenderAdminNotifications -ne $true) {
$policiesToReport += "$($policy.Identity): Notifications Disabled" $policiesToReport += "$($policy.Identity): Notifications Disabled"
}
} }
}
# Determine the result based on the presence of custom policies without notifications # Determine the result based on the presence of custom policies without notifications
$result = $policiesToReport.Count -eq 0 $result = $policiesToReport.Count -eq 0
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($result) { $failureReasons = if ($result) {
"N/A" "N/A"
} }
else { else {
"Some custom policies do not have notifications for internal users sending malware enabled." "Some custom policies do not have notifications for internal users sending malware enabled."
} }
$details = if ($result) { $details = if ($result) {
"All custom malware policies have notifications enabled." "All custom malware policies have notifications enabled."
} }
else { else {
"Misconfigured Policies: $($policiesToReport -join ', ')" "Misconfigured Policies: $($policiesToReport -join ', ')"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "2.1.3" Rec = $recnum
Result = $result Result = $result
Status = if ($result) { "Pass" } else { "Fail" } Status = if ($result) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
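Review bot: When `Get-MalwareFilterPolicy` returns no policy with `RecommendedPolicyType -eq 'Custom'`, the `foreach` never runs, `$policiesToReport.Count -eq 0` sets `$result` to `$true`, and the report says `All custom malware policies have notifications enabled.` although nothing was evaluated, so a tenant relying only on the default or preset policies passes 2.1.3 vacuously. Make the empty case visible in `$details`, e.g. add `elseif (-not $malwareNotifications) { "No custom malware filter policies found; nothing evaluated" }` before the existing else branch, so a reader can tell the two outcomes apart. The function's `end {}` block continues outside the hunk.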


@@ -1,5 +1,6 @@
function Test-OneDriveContentRestrictions { function Test-OneDriveContentRestrictions {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -9,39 +10,54 @@ function Test-OneDriveContentRestrictions {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.2.4"
} }
process { process {
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted try {
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted
# Retrieve OneDrive sharing capability settings # Retrieve OneDrive sharing capability settings
$SPOTenant = Get-SPOTenant | Select-Object OneDriveSharingCapability $SPOTenant = Get-SPOTenant | Select-Object OneDriveSharingCapability
$isOneDriveSharingRestricted = $SPOTenant.OneDriveSharingCapability -eq 'Disabled' $isOneDriveSharingRestricted = $SPOTenant.OneDriveSharingCapability -eq 'Disabled'
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isOneDriveSharingRestricted) { $failureReasons = if (-not $isOneDriveSharingRestricted) {
"OneDrive content sharing is not restricted to 'Disabled'. Current setting: $($SPOTenant.OneDriveSharingCapability)" "OneDrive content sharing is not restricted to 'Disabled'. Current setting: $($SPOTenant.OneDriveSharingCapability)"
} }
else { else {
"N/A" "N/A"
} }
$details = if ($isOneDriveSharingRestricted) { $details = if ($isOneDriveSharingRestricted) {
"OneDrive content sharing is restricted." "OneDrive content sharing is restricted."
} }
else { else {
"OneDriveSharingCapability: $($SPOTenant.OneDriveSharingCapability)" "OneDriveSharingCapability: $($SPOTenant.OneDriveSharingCapability)"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "7.2.4" Rec = $recnum
Result = $isOneDriveSharingRestricted Result = $isOneDriveSharingRestricted
Status = if ($isOneDriveSharingRestricted) { "Pass" } else { "Fail" } Status = if ($isOneDriveSharingRestricted) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
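Review bot: The new `Write-Error "An error occurred during the test: $_"` does not say which test failed, so when the whole suite runs under `Invoke-M365SecurityAudit` the console shows a run of identical prefixes and the operator has to open `$script:FailedTests` to map an error back to 7.2.4. `$recnum` is already set in `begin` and `$description` is looked up two lines later; move the message after that lookup and write `Write-Error "Test $recnum ($description) failed: $_"`. The function's `end {}` block continues outside the hunk.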


@@ -1,5 +1,6 @@
function Test-OneDriveSyncRestrictions { function Test-OneDriveSyncRestrictions {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -9,39 +10,54 @@ function Test-OneDriveSyncRestrictions {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.3.2"
} }
process { process {
# 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices try {
# 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices
# Retrieve OneDrive sync client restriction settings # Retrieve OneDrive sync client restriction settings
$SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList $SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList
$isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList $isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isSyncRestricted) { $failureReasons = if (-not $isSyncRestricted) {
"OneDrive sync is not restricted to managed devices. TenantRestrictionEnabled should be True and AllowedDomainList should contain trusted domains GUIDs." "OneDrive sync is not restricted to managed devices. TenantRestrictionEnabled should be True and AllowedDomainList should contain trusted domains GUIDs."
} }
else { else {
"N/A" "N/A"
} }
$details = if ($isSyncRestricted) { $details = if ($isSyncRestricted) {
"OneDrive sync is restricted for unmanaged devices." "OneDrive sync is restricted for unmanaged devices."
} }
else { else {
"TenantRestrictionEnabled: $($SPOTenantSyncClientRestriction.TenantRestrictionEnabled); AllowedDomainList: $($SPOTenantSyncClientRestriction.AllowedDomainList -join ', ')" "TenantRestrictionEnabled: $($SPOTenantSyncClientRestriction.TenantRestrictionEnabled); AllowedDomainList: $($SPOTenantSyncClientRestriction.AllowedDomainList -join ', ')"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "7.3.2" Rec = $recnum
Result = $isSyncRestricted Result = $isSyncRestricted
Status = if ($isSyncRestricted) { "Pass" } else { "Fail" } Status = if ($isSyncRestricted) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
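Review bot: The catch block relies on the automatic `$_` still being the `ErrorRecord` when it reaches `Error = $_` on the `FailedTests.Add` line, two statements after a `Where-Object { $_.Rec -eq $recnum }` pipeline that rebinds `$_` inside its filter. That works because the filter script block has its own scope, but it is easy to break with a later edit; capture it once at the top of the catch, `$errorRecord = $_`, and use `$errorRecord` in both the `Write-Error` message and the `Error =` property. The function's `end {}` block continues outside the hunk.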


@@ -1,5 +1,6 @@
function Test-OrgOnlyBypassLobby { function Test-OrgOnlyBypassLobby {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -9,41 +10,56 @@ function Test-OrgOnlyBypassLobby {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.3"
} }
process { process {
# 8.5.3 (L1) Ensure only people in my org can bypass the lobby try {
# 8.5.3 (L1) Ensure only people in my org can bypass the lobby
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for lobby bypass settings # Retrieve the Teams meeting policy for lobby bypass settings
$CsTeamsMeetingPolicyLobby = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AutoAdmittedUsers $CsTeamsMeetingPolicyLobby = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AutoAdmittedUsers
$lobbyBypassRestricted = $CsTeamsMeetingPolicyLobby.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests' $lobbyBypassRestricted = $CsTeamsMeetingPolicyLobby.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests'
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $lobbyBypassRestricted) { $failureReasons = if (-not $lobbyBypassRestricted) {
"External participants can bypass the lobby" "External participants can bypass the lobby"
} }
else { else {
"N/A" "N/A"
} }
$details = if ($lobbyBypassRestricted) { $details = if ($lobbyBypassRestricted) {
"Only people in the organization can bypass the lobby." "Only people in the organization can bypass the lobby."
} }
else { else {
"AutoAdmittedUsers is set to $($CsTeamsMeetingPolicyLobby.AutoAdmittedUsers)" "AutoAdmittedUsers is set to $($CsTeamsMeetingPolicyLobby.AutoAdmittedUsers)"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "8.5.3" Rec = $recnum
Result = $lobbyBypassRestricted Result = $lobbyBypassRestricted
Status = if ($lobbyBypassRestricted) { "Pass" } else { "Fail" } Status = if ($lobbyBypassRestricted) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
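Review bot: `Error = $_` on the `$script:FailedTests.Add` line stores the complete `ErrorRecord`, including the exception chain, invocation info and, for Teams/Graph HTTP failures, whatever response body the module attached; if that list is later exported with the audit results it can carry tenant identifiers and request details that do not belong in a compliance report. Keep only what a reader needs, `Error = $_.Exception.Message` (plus `$_.FullyQualifiedErrorId` for triage), or document on that line that the collection stays in memory and is never serialized. The function's `end {}` block continues outside the hunk.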


@@ -1,5 +1,6 @@
function Test-OrganizersPresent { function Test-OrganizersPresent {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -9,41 +10,56 @@ function Test-OrganizersPresent {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.6"
} }
process { process {
# 8.5.6 (L2) Ensure only organizers and co-organizers can present try {
# 8.5.6 (L2) Ensure only organizers and co-organizers can present
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for presenters # Retrieve the Teams meeting policy for presenters
$CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode $CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode
$presenterRoleRestricted = $CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode -eq 'OrganizerOnlyUserOverride' $presenterRoleRestricted = $CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode -eq 'OrganizerOnlyUserOverride'
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $presenterRoleRestricted) { $failureReasons = if (-not $presenterRoleRestricted) {
"Others besides organizers and co-organizers can present" "Others besides organizers and co-organizers can present"
} }
else { else {
"N/A" "N/A"
} }
$details = if ($presenterRoleRestricted) { $details = if ($presenterRoleRestricted) {
"Only organizers and co-organizers can present." "Only organizers and co-organizers can present."
} }
else { else {
"DesignatedPresenterRoleMode is set to $($CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode)" "DesignatedPresenterRoleMode is set to $($CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode)"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "8.5.6" Rec = $recnum
Result = $presenterRoleRestricted Result = $presenterRoleRestricted
Status = if ($presenterRoleRestricted) { "Pass" } else { "Fail" } Status = if ($presenterRoleRestricted) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
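Review bot: The `"Description not found"` fallback on the `$description` line silently masks a mismatch between `$recnum` (`8.5.6`) and `$script:TestDefinitionsObject`, which is exactly the drift a renumbering of the benchmark or a typo in the definitions file would produce. Surface the miss instead of recording a placeholder: `if (-not $testDefinition) { Write-Warning "No test definition found for recommendation $recnum" }` ahead of the `$description` assignment. The function's `end {}` block continues outside the hunk.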


@@ -1,5 +1,6 @@
function Test-PasswordHashSync { function Test-PasswordHashSync {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,35 +10,50 @@ function Test-PasswordHashSync {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "5.1.8.1"
} }
process { process {
# 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments try {
# Pass if OnPremisesSyncEnabled is True. Fail otherwise. # 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
# Pass if OnPremisesSyncEnabled is True. Fail otherwise.
# Retrieve password hash sync status # Retrieve password hash sync status
$passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled $passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled
$hashSyncResult = $passwordHashSync $hashSyncResult = $passwordHashSync
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $hashSyncResult) { $failureReasons = if (-not $hashSyncResult) {
"Password hash sync for hybrid deployments is not enabled" "Password hash sync for hybrid deployments is not enabled"
} }
else { else {
"N/A" "N/A"
}
$details = "OnPremisesSyncEnabled: $($passwordHashSync)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $hashSyncResult
Status = if ($hashSyncResult) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "OnPremisesSyncEnabled: $($passwordHashSync)" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "5.1.8.1" # Call Initialize-CISAuditResult with error parameters
Result = $hashSyncResult $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($hashSyncResult) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
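Review bot: The new-side comment `# Pass if OnPremisesSyncEnabled is True. Fail otherwise.` and the `$failureReasons` text mean a cloud-only tenant, which has no directory sync at all, is reported as failing 5.1.8.1, even though the recommendation is scoped to hybrid deployments and `OnPremisesSyncEnabled` being `$false` (or `$null`) is the expected state there. Make that limitation explicit, e.g. `# NOTE: cloud-only tenants have no on-premises sync and will show Fail here; the control applies to hybrid deployments only`, or reflect it in `$details` so the reader is not misled. The function's `end {}` block continues outside the hunk.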


@@ -1,5 +1,6 @@
function Test-PasswordNeverExpirePolicy { function Test-PasswordNeverExpirePolicy {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
[Parameter(Mandatory)] [Parameter(Mandatory)]
@@ -10,34 +11,49 @@ function Test-PasswordNeverExpirePolicy {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "1.3.1"
} }
process { process {
# 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire' try {
# Pass if PasswordValidityPeriodInDays is 0. Fail otherwise. # 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire'
# Pass if PasswordValidityPeriodInDays is 0. Fail otherwise.
# Retrieve password expiration policy # Retrieve password expiration policy
$passwordPolicy = Get-MgDomain -DomainId $DomainName | Select-Object -ExpandProperty PasswordValidityPeriodInDays $passwordPolicy = Get-MgDomain -DomainId $DomainName | Select-Object -ExpandProperty PasswordValidityPeriodInDays
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($passwordPolicy -ne 0) { $failureReasons = if ($passwordPolicy -ne 0) {
"Password expiration is not set to never expire" "Password expiration is not set to never expire"
} }
else { else {
"N/A" "N/A"
}
$details = "Validity Period: $passwordPolicy days"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $passwordPolicy -eq 0
Status = if ($passwordPolicy -eq 0) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "Validity Period: $passwordPolicy days" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "1.3.1" # Call Initialize-CISAuditResult with error parameters
Result = $passwordPolicy -eq 0 $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($passwordPolicy -eq 0) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
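Review bot: The new catch block's `$script:FailedTests.Add([PSCustomObject]@{ ... })` assumes the caller has already initialised `$script:FailedTests` (and `$script:TestDefinitionsObject`); when this test function is invoked on its own, `$script:FailedTests` is `$null`, the `.Add` call raises a second error inside the catch and the `Initialize-CISAuditResult -Rec $recnum -Failure` line after it never runs, so the original error is masked by a NullReference-style one. A guard such as `if ($null -ne $script:FailedTests) { $script:FailedTests.Add(...) }` keeps the failure object on every path. The preceding `Write-Error` is non-terminating by default, but a caller that runs the test with `-ErrorAction Stop` would have it abort the catch before the failure object is built — presumably Invoke-TestFunction is meant to handle this, worth confirming. The same catch block appears in the Test-ReauthWithCode, Test-ReportSecurityInTeams, Test-RestrictCustomScripts, Test-RestrictExternalSharing, Test-RestrictOutlookAddins, Test-RestrictStorageProvidersOutlook, Test-RestrictTenantCreation and Test-SafeAttachmentsPolicy sections below and is not repeated there.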


@@ -1,5 +1,6 @@
function Test-ReauthWithCode { function Test-ReauthWithCode {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -9,34 +10,49 @@ function Test-ReauthWithCode {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.2.10"
} }
process { process {
# 7.2.10 (L1) Ensure reauthentication with verification code is restricted try {
# 7.2.10 (L1) Ensure reauthentication with verification code is restricted
# Retrieve reauthentication settings for SharePoint Online # Retrieve reauthentication settings for SharePoint Online
$SPOTenantReauthentication = Get-SPOTenant | Select-Object EmailAttestationRequired, EmailAttestationReAuthDays $SPOTenantReauthentication = Get-SPOTenant | Select-Object EmailAttestationRequired, EmailAttestationReAuthDays
$isReauthenticationRestricted = $SPOTenantReauthentication.EmailAttestationRequired -and $SPOTenantReauthentication.EmailAttestationReAuthDays -le 15 $isReauthenticationRestricted = $SPOTenantReauthentication.EmailAttestationRequired -and $SPOTenantReauthentication.EmailAttestationReAuthDays -le 15
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isReauthenticationRestricted) { $failureReasons = if (-not $isReauthenticationRestricted) {
"Reauthentication with verification code does not require reauthentication within 15 days or less." "Reauthentication with verification code does not require reauthentication within 15 days or less."
} }
else { else {
"N/A" "N/A"
}
$details = "EmailAttestationRequired: $($SPOTenantReauthentication.EmailAttestationRequired); EmailAttestationReAuthDays: $($SPOTenantReauthentication.EmailAttestationReAuthDays)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $isReauthenticationRestricted
Status = if ($isReauthenticationRestricted) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "EmailAttestationRequired: $($SPOTenantReauthentication.EmailAttestationRequired); EmailAttestationReAuthDays: $($SPOTenantReauthentication.EmailAttestationReAuthDays)" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "7.2.10" # Call Initialize-CISAuditResult with error parameters
Result = $isReauthenticationRestricted $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($isReauthenticationRestricted) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {


@@ -1,5 +1,6 @@
function Test-ReportSecurityInTeams { function Test-ReportSecurityInTeams {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -9,44 +10,59 @@ function Test-ReportSecurityInTeams {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.6.1"
} }
process { process {
# 8.6.1 (L1) Ensure users can report security concerns in Teams try {
# 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online # Retrieve the necessary settings for Teams and Exchange Online
$CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting $CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
$ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled $ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled
$securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and $securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and
$ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and $ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and
$ReportSubmissionPolicy.ReportNotJunkToCustomizedAddress -and $ReportSubmissionPolicy.ReportNotJunkToCustomizedAddress -and
$ReportSubmissionPolicy.ReportPhishToCustomizedAddress -and $ReportSubmissionPolicy.ReportPhishToCustomizedAddress -and
$ReportSubmissionPolicy.ReportChatMessageToCustomizedAddressEnabled $ReportSubmissionPolicy.ReportChatMessageToCustomizedAddressEnabled
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $securityReportEnabled) { $failureReasons = if (-not $securityReportEnabled) {
"Users cannot report security concerns in Teams due to one or more incorrect settings" "Users cannot report security concerns in Teams due to one or more incorrect settings"
} }
else { else {
"N/A" "N/A"
}
$details = "AllowSecurityEndUserReporting: $($CsTeamsMessagingPolicy.AllowSecurityEndUserReporting); " +
"ReportJunkToCustomizedAddress: $($ReportSubmissionPolicy.ReportJunkToCustomizedAddress); " +
"ReportNotJunkToCustomizedAddress: $($ReportSubmissionPolicy.ReportNotJunkToCustomizedAddress); " +
"ReportPhishToCustomizedAddress: $($ReportSubmissionPolicy.ReportPhishToCustomizedAddress); " +
"ReportChatMessageToCustomizedAddressEnabled: $($ReportSubmissionPolicy.ReportChatMessageToCustomizedAddressEnabled)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $securityReportEnabled
Status = if ($securityReportEnabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "AllowSecurityEndUserReporting: $($CsTeamsMessagingPolicy.AllowSecurityEndUserReporting); " + # Retrieve the description from the test definitions
"ReportJunkToCustomizedAddress: $($ReportSubmissionPolicy.ReportJunkToCustomizedAddress); " + $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
"ReportNotJunkToCustomizedAddress: $($ReportSubmissionPolicy.ReportNotJunkToCustomizedAddress); " + $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
"ReportPhishToCustomizedAddress: $($ReportSubmissionPolicy.ReportPhishToCustomizedAddress); " +
"ReportChatMessageToCustomizedAddressEnabled: $($ReportSubmissionPolicy.ReportChatMessageToCustomizedAddressEnabled)"
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "8.6.1" # Call Initialize-CISAuditResult with error parameters
Result = $securityReportEnabled $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($securityReportEnabled) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {


@@ -1,60 +1,126 @@
function Test-RestrictCustomScripts { function Test-RestrictCustomScripts {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned
# Define your parameters here if needed # Define your parameters here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 # . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.3.4"
} }
process { process {
# 7.3.4 (L1) Ensure custom script execution is restricted on site collections
# Retrieve all site collections and select necessary properties try {
$SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages # 7.3.4 (L1) Ensure custom script execution is restricted on site collections
# Find sites where custom scripts are allowed (DenyAddAndCustomizePages is not 'Enabled') # Retrieve all site collections and select necessary properties
$customScriptAllowedSites = $SPOSitesCustomScript | Where-Object { $_.DenyAddAndCustomizePages -ne 'Enabled' } $SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages
# Compliance is true if no sites allow custom scripts # Replace 'sharepoint.com' with '<SPUrl>'
$complianceResult = $customScriptAllowedSites.Count -eq 0 $processedUrls = $SPOSitesCustomScript | ForEach-Object {
$_.Url = $_.Url -replace 'sharepoint\.com', '<SPUrl>'
$_
}
# Gather details for non-compliant sites (where custom scripts are allowed) # Find sites where custom scripts are allowed
$nonCompliantSiteDetails = $customScriptAllowedSites | ForEach-Object { $customScriptAllowedSites = $processedUrls | Where-Object { $_.DenyAddAndCustomizePages -ne 'Enabled' }
"$($_.Title) ($($_.Url)): Custom Script Allowed" #$verbosePreference = 'Continue'
# Check the total length of URLs
$totalUrlLength = ($customScriptAllowedSites.Url -join '').Length
Write-Verbose "Total length of URLs: $totalUrlLength"
# Extract hostnames from allowed sites if the total length exceeds the limit
$mostUsedHostname = $null
if ($totalUrlLength -gt 20000) {
Write-Verbose "Extracting hostnames from URLs..."
$hostnames = $customScriptAllowedSites.Url | ForEach-Object {
if ($_ -match '^https://([^\.]+)\.') {
$matches[1]
}
}
Write-Verbose "Extracted hostnames: $($hostnames -join ', ')"
# Find the most used hostname using the Get-MostCommonWord function
$mostUsedHostname = Get-MostCommonWord -InputStrings $hostnames
Write-Verbose "Most used hostname: $mostUsedHostname"
}
#$verbosePreference = 'SilentlyContinue'
# Compliance is true if no sites allow custom scripts
$complianceResult = $customScriptAllowedSites.Count -eq 0
# Gather details for non-compliant sites (where custom scripts are allowed)
$nonCompliantSiteDetails = $customScriptAllowedSites | ForEach-Object {
$url = $_.Url
if ($null -ne $mostUsedHostname -and $url -match "^https://$mostUsedHostname\.<SPUrl>") {
$url = $url -replace "^https://$mostUsedHostname\.<SPUrl>", "https://<corp>.<SPUrl>"
}
"$(if ($_.Title) {$_.Title} else {"NoTitle"})|$url"
}
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $complianceResult) {
"Some site collections are not restricting custom script execution. Review Details property for sites that are not aligned with the benchmark."
}
else {
"N/A"
}
$details = if ($complianceResult) {
"All site collections have custom script execution restricted"
}
else {
"Title|Url`n" + ($nonCompliantSiteDetails -join "`n")
}
# Convert details to PSObject and check length
$detailsPSObject = $details | ConvertFrom-Csv -Delimiter '|'
$detailsLength = ($detailsPSObject | ForEach-Object { $_.Url }).Length
if ($detailsLength -gt 32767) {
# Create a preview of the first 10 results
$preview = $detailsPSObject | Select-Object -First 10 | ForEach-Object { "$($_.Title)|$($_.Url)" }
$details = "The output is too large. Here is a preview of the first 10 results:`n`n" + ($preview -join "`n") + "`n`nPlease run the test with the following commands to get the full details:`n`nGet-SPOSite -Limit All | Where-Object { `$.DenyAddAndCustomizePages -ne 'Enabled' } | Select-Object Title, Url"
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $complianceResult
Status = if ($complianceResult) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
# Prepare failure reasons and details based on compliance # Retrieve the description from the test definitions
$failureReasons = if (-not $complianceResult) { $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
"The following site collections allow custom script execution: " + ($nonCompliantSiteDetails -join "; ") $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
}
else {
"N/A"
}
$details = if ($complianceResult) { $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
"All site collections have custom script execution restricted"
}
else {
$nonCompliantSiteDetails -join "; "
}
# Create and populate the CISAuditResult object # Call Initialize-CISAuditResult with error parameters
$params = @{ $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Rec = "7.3.4"
Result = $complianceResult
Status = if ($complianceResult) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
# Measure the character count of the details
#$verbosePreference = 'Continue'
$detailsLength = $details.Length
Write-Verbose "Character count of the details: $detailsLength"
if ($detailsLength -gt 32767) {
Write-Verbose "Warning: The character count exceeds the limit for Excel cells."
}
#$verbosePreference = 'SilentlyContinue'
# Return auditResult # Return auditResult
return $auditResult return $auditResult
} }
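Review bot: `$detailsLength = ($detailsPSObject | ForEach-Object { $_.Url }).Length` counts elements, not characters, once more than one non-compliant site is returned (`.Length` on an array is its element count), so the 32767 Excel-cell comparison is effectively never true and the preview path is dead code; `$detailsLength = $details.Length` measures the string that is actually placed in the result. The remediation command embedded in the preview text is written with a backtick-escaped `$.` and therefore renders as `$.DenyAddAndCustomizePages` instead of `$_.DenyAddAndCustomizePages`, which a user pasting it will hit immediately. Round-tripping the rows through `ConvertFrom-Csv -Delimiter '|'` will also misparse any site title that itself contains `|`; building the detail rows as objects and joining only once for output avoids both the parsing and the length ambiguity.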


@@ -1,5 +1,6 @@
function Test-RestrictExternalSharing { function Test-RestrictExternalSharing {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -9,34 +10,49 @@ function Test-RestrictExternalSharing {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.2.3"
} }
process { process {
# 7.2.3 (L1) Ensure external content sharing is restricted try {
# 7.2.3 (L1) Ensure external content sharing is restricted
# Retrieve the SharingCapability setting for the SharePoint tenant # Retrieve the SharingCapability setting for the SharePoint tenant
$SPOTenantSharingCapability = Get-SPOTenant | Select-Object SharingCapability $SPOTenantSharingCapability = Get-SPOTenant | Select-Object SharingCapability
$isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled') $isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isRestricted) { $failureReasons = if (-not $isRestricted) {
"External content sharing is not adequately restricted. Current setting: $($SPOTenantSharingCapability.SharingCapability)" "External content sharing is not adequately restricted. Current setting: $($SPOTenantSharingCapability.SharingCapability)"
} }
else { else {
"N/A" "N/A"
}
$details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $isRestricted
Status = if ($isRestricted) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "7.2.3" # Call Initialize-CISAuditResult with error parameters
Result = $isRestricted $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($isRestricted) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {


@@ -1,5 +1,6 @@
function Test-RestrictOutlookAddins { function Test-RestrictOutlookAddins {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters could include credentials or other necessary data # Parameters could include credentials or other necessary data
@@ -12,63 +13,78 @@ function Test-RestrictOutlookAddins {
$customPolicyFailures = @() $customPolicyFailures = @()
$defaultPolicyFailureDetails = @() $defaultPolicyFailureDetails = @()
$relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps') $relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
$recnum = "6.3.1"
} }
process { process {
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed try {
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
# Check all mailboxes for custom policies with unallowed add-ins # Check all mailboxes for custom policies with unallowed add-ins
$roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy $roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy
if ($roleAssignmentPolicies.RoleAssignmentPolicy) { if ($roleAssignmentPolicies.RoleAssignmentPolicy) {
foreach ($policy in $roleAssignmentPolicies) { foreach ($policy in $roleAssignmentPolicies) {
if ($policy.RoleAssignmentPolicy) { if ($policy.RoleAssignmentPolicy) {
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy $rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles } $foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
if ($foundRoles) { if ($foundRoles) {
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')" $customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
}
} }
} }
} }
}
# Check Default Role Assignment Policy # Check Default Role Assignment Policy
$defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy" $defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
$defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles } $defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }
if ($defaultPolicyRoles) { if ($defaultPolicyRoles) {
$defaultPolicyFailureDetails = $defaultPolicyRoles $defaultPolicyFailureDetails = $defaultPolicyRoles
} }
# Prepare result details string # Prepare result details string
$detailsString = "" $detailsString = ""
if ($customPolicyFailures) { if ($customPolicyFailures) {
$detailsString += "Custom Policy Failures: | " $detailsString += "Custom Policy Failures: | "
$detailsString += ($customPolicyFailures -join " | ") $detailsString += ($customPolicyFailures -join " | ")
} }
else { else {
$detailsString += "Custom Policy Failures: None | " $detailsString += "Custom Policy Failures: None | "
} }
$detailsString += "Default Role Assignment Policy: " $detailsString += "Default Role Assignment Policy: "
if ($defaultPolicyFailureDetails) { if ($defaultPolicyFailureDetails) {
$detailsString += ($defaultPolicyFailureDetails -join ', ') $detailsString += ($defaultPolicyFailureDetails -join ', ')
} }
else { else {
$detailsString += "Compliant" $detailsString += "Compliant"
} }
# Determine result based on findings # Determine result based on findings
$isCompliant = -not ($customPolicyFailures -or $defaultPolicyFailureDetails) $isCompliant = -not ($customPolicyFailures -or $defaultPolicyFailureDetails)
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "6.3.1" Rec = $recnum
Result = $isCompliant Result = $isCompliant
Status = if ($isCompliant) { "Pass" } else { "Fail" } Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = $detailsString Details = $detailsString
FailureReason = if ($isCompliant) { "N/A" } else { "Unauthorized Outlook add-ins found in custom or default policies." } FailureReason = if ($isCompliant) { "N/A" } else { "Unauthorized Outlook add-ins found in custom or default policies." }
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
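Review bot: `Get-EXOMailbox` at the top of the try block is called without `-ResultSize Unlimited`, so in a tenant with more than the default 1000 mailboxes the role assignment policies attached to the remaining mailboxes are never inspected and a non-compliant custom policy can be reported as compliant. The default property set returned by `Get-EXOMailbox` may also not include `RoleAssignmentPolicy`, in which case `$roleAssignmentPolicies.RoleAssignmentPolicy` is empty and the entire custom-policy branch is skipped — worth confirming against a live tenant. Suggested call: `$roleAssignmentPolicies = Get-EXOMailbox -ResultSize Unlimited -Properties RoleAssignmentPolicy | Select-Object -Unique RoleAssignmentPolicy`.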


@@ -1,5 +1,6 @@
function Test-RestrictStorageProvidersOutlook { function Test-RestrictStorageProvidersOutlook {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added here if needed # Parameters can be added here if needed
@@ -9,42 +10,57 @@ function Test-RestrictStorageProvidersOutlook {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.5.3"
} }
process { process {
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web try {
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
# Retrieve all OwaMailbox policies # Retrieve all OwaMailbox policies
$owaPolicies = Get-OwaMailboxPolicy $owaPolicies = Get-OwaMailboxPolicy
$nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable } $nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }
# Determine compliance # Determine compliance
$allPoliciesRestricted = $nonCompliantPolicies.Count -eq 0 $allPoliciesRestricted = $nonCompliantPolicies.Count -eq 0
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($allPoliciesRestricted) { $failureReasons = if ($allPoliciesRestricted) {
"N/A" "N/A"
} }
else { else {
"One or more OwaMailbox policies allow AdditionalStorageProvidersAvailable." "One or more OwaMailbox policies allow AdditionalStorageProvidersAvailable."
} }
$details = if ($allPoliciesRestricted) { $details = if ($allPoliciesRestricted) {
"All OwaMailbox policies restrict AdditionalStorageProvidersAvailable" "All OwaMailbox policies restrict AdditionalStorageProvidersAvailable"
} }
else { else {
"Non-compliant OwaMailbox policies: $($nonCompliantPolicies.Name -join ', ')" "Non-compliant OwaMailbox policies: $($nonCompliantPolicies.Name -join ', ')"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "6.5.3" Rec = $recnum
Result = $allPoliciesRestricted Result = $allPoliciesRestricted
Status = if ($allPoliciesRestricted) { "Pass" } else { "Fail" } Status = if ($allPoliciesRestricted) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
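Review bot: `$allPoliciesRestricted = $nonCompliantPolicies.Count -eq 0` evaluates to Pass when `Get-OwaMailboxPolicy` returns nothing at all (`$null.Count` is 0), so an empty result — for whatever reason it occurs — produces a compliant verdict rather than a failed test. Since the new try/catch already turns exceptions into a `-Failure` result, throwing on an empty retrieval makes the control fail closed: `if (-not $owaPolicies) { throw "Get-OwaMailboxPolicy returned no policies" }` directly after the `$owaPolicies = Get-OwaMailboxPolicy` line.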


@@ -1,5 +1,6 @@
function Test-RestrictTenantCreation { function Test-RestrictTenantCreation {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,34 +10,49 @@ function Test-RestrictTenantCreation {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "5.1.2.3"
} }
process { process {
# 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' try {
# 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
# Retrieve the tenant creation policy # Retrieve the tenant creation policy
$tenantCreationPolicy = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object AllowedToCreateTenants $tenantCreationPolicy = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object AllowedToCreateTenants
$tenantCreationResult = -not $tenantCreationPolicy.AllowedToCreateTenants $tenantCreationResult = -not $tenantCreationPolicy.AllowedToCreateTenants
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($tenantCreationResult) { $failureReasons = if ($tenantCreationResult) {
"N/A" "N/A"
} }
else { else {
"Non-admin users can create tenants" "Non-admin users can create tenants"
}
$details = "AllowedToCreateTenants: $($tenantCreationPolicy.AllowedToCreateTenants)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Result = $tenantCreationResult
Status = if ($tenantCreationResult) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
$details = "AllowedToCreateTenants: $($tenantCreationPolicy.AllowedToCreateTenants)" # Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create and populate the CISAuditResult object $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "5.1.2.3" # Call Initialize-CISAuditResult with error parameters
Result = $tenantCreationResult $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($tenantCreationResult) { "Pass" } else { "Fail" }
Details = $details
FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
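Review bot: `$tenantCreationResult = -not $tenantCreationPolicy.AllowedToCreateTenants` is `$true` when the property is absent, because `-not $null` is `$true`; if `Get-MgPolicyAuthorizationPolicy` yields nothing or `DefaultUserRolePermissions` lacks the property, the control is reported as Pass with `Details` reading `AllowedToCreateTenants: ` and an empty value. An audit check should fail closed here, e.g. `$tenantCreationResult = ($null -ne $tenantCreationPolicy.AllowedToCreateTenants) -and (-not $tenantCreationPolicy.AllowedToCreateTenants)`, or throw when the property is `$null` so the new catch path records the test in `$script:FailedTests` instead of passing it.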


@@ -1,5 +1,6 @@
function Test-SafeAttachmentsPolicy { function Test-SafeAttachmentsPolicy {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,39 +10,54 @@ function Test-SafeAttachmentsPolicy {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "2.1.4"
} }
process { process {
# 2.1.4 (L2) Ensure Safe Attachments policy is enabled try {
# 2.1.4 (L2) Ensure Safe Attachments policy is enabled
# Retrieve all Safe Attachment policies where Enable is set to True # Retrieve all Safe Attachment policies where Enable is set to True
$safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true } $safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true }
# Determine result and details based on the presence of enabled policies # Determine result and details based on the presence of enabled policies
$result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0 $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
$details = if ($result) { $details = if ($result) {
"Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')" "Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')"
} }
else { else {
"No Safe Attachments Policies are enabled." "No Safe Attachments Policies are enabled."
} }
$failureReasons = if ($result) { $failureReasons = if ($result) {
"N/A" "N/A"
} }
else { else {
"Safe Attachments policy is not enabled." "Safe Attachments policy is not enabled."
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "2.1.4" Rec = $recnum
Result = $result Result = $result
Status = if ($result) { "Pass" } else { "Fail" } Status = if ($result) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
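Review bot: The new catch block emits the error before it records the failure, so when the function runs with `-ErrorAction Stop` (or under `$ErrorActionPreference = 'Stop'`) `Write-Error` becomes terminating and the `$script:FailedTests.Add(...)` call and the `-Failure` result on the lines after it are never reached; moving `Write-Error "An error occurred during the test: $_"` to the last statement of the catch keeps the bookkeeping on every path. The same catch also assumes `$script:FailedTests` is an already-initialised collection with an `Add` method; when a test is invoked outside the orchestrating function (directly, or from Pester) that variable is presumably `$null`, `.Add` would throw inside the catch and mask the original error, so a guard such as `if ($null -eq $script:FailedTests) { $script:FailedTests = [System.Collections.Generic.List[object]]::new() }` before the call is worth adding. The identical catch block is introduced in Test-SafeAttachmentsTeams, Test-SafeLinksOfficeApps, Test-SharePointAADB2B, Test-SharePointExternalSharingDomains, Test-SharePointGuestsItemSharing, Test-SpamPolicyAdminNotify, Test-TeamsExternalAccess and Test-TeamsExternalFileSharing below, and both points apply there as well. The function's `end {}` block lies outside the hunk.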


@@ -1,5 +1,6 @@
function Test-SafeAttachmentsTeams { function Test-SafeAttachmentsTeams {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -9,46 +10,61 @@ function Test-SafeAttachmentsTeams {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "2.1.5"
} }
process { process {
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled try {
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings # Retrieve the ATP policies for Office 365 and check Safe Attachments settings
$atpPolicies = Get-AtpPolicyForO365 $atpPolicies = Get-AtpPolicyForO365
# Check if the required ATP policies are enabled # Check if the required ATP policies are enabled
$atpPolicyResult = $atpPolicies | Where-Object { $atpPolicyResult = $atpPolicies | Where-Object {
$_.EnableATPForSPOTeamsODB -eq $true -and $_.EnableATPForSPOTeamsODB -eq $true -and
$_.EnableSafeDocs -eq $true -and $_.EnableSafeDocs -eq $true -and
$_.AllowSafeDocsOpen -eq $false $_.AllowSafeDocsOpen -eq $false
} }
# Determine the result based on the ATP policy settings # Determine the result based on the ATP policy settings
$result = $null -ne $atpPolicyResult $result = $null -ne $atpPolicyResult
$details = if ($result) { $details = if ($result) {
"ATP for SharePoint, OneDrive, and Teams is enabled with correct settings." "ATP for SharePoint, OneDrive, and Teams is enabled with correct settings."
} }
else { else {
"ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings." "ATP for SharePoint, OneDrive, and Teams is not enabled with correct settings."
} }
$failureReasons = if ($result) { $failureReasons = if ($result) {
"N/A" "N/A"
} }
else { else {
"ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured." "ATP policy for SharePoint, OneDrive, and Microsoft Teams is not correctly configured."
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "2.1.5" Rec = $recnum
Result = $result Result = $result
Status = if ($result) { "Pass" } else { "Fail" } Status = if ($result) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {


@@ -1,5 +1,6 @@
function Test-SafeLinksOfficeApps { function Test-SafeLinksOfficeApps {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here if needed # Define your parameters here if needed
@@ -9,53 +10,68 @@ function Test-SafeLinksOfficeApps {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "2.1.1"
} }
process { process {
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled try {
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
# Retrieve all Safe Links policies # Retrieve all Safe Links policies
$policies = Get-SafeLinksPolicy $policies = Get-SafeLinksPolicy
# Initialize the details collection # Initialize the details collection
$misconfiguredDetails = @() $misconfiguredDetails = @()
foreach ($policy in $policies) { foreach ($policy in $policies) {
# Get the detailed configuration of each policy # Get the detailed configuration of each policy
$policyDetails = Get-SafeLinksPolicy -Identity $policy.Name $policyDetails = Get-SafeLinksPolicy -Identity $policy.Name
# Check each required property and record failures # Check each required property and record failures
$failures = @() $failures = @()
if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" } if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" }
if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" } if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" }
if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" } if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" }
if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" } if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" }
if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" } if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" }
if ($policyDetails.ScanUrls -ne $true) { $failures += "ScanUrls: False" } if ($policyDetails.ScanUrls -ne $true) { $failures += "ScanUrls: False" }
if ($policyDetails.EnableForInternalSenders -ne $true) { $failures += "EnableForInternalSenders: False" } if ($policyDetails.EnableForInternalSenders -ne $true) { $failures += "EnableForInternalSenders: False" }
if ($policyDetails.DeliverMessageAfterScan -ne $true) { $failures += "DeliverMessageAfterScan: False" } if ($policyDetails.DeliverMessageAfterScan -ne $true) { $failures += "DeliverMessageAfterScan: False" }
if ($policyDetails.DisableUrlRewrite -ne $false) { $failures += "DisableUrlRewrite: True" } if ($policyDetails.DisableUrlRewrite -ne $false) { $failures += "DisableUrlRewrite: True" }
# Only add details for policies that have misconfigurations # Only add details for policies that have misconfigurations
if ($failures.Count -gt 0) { if ($failures.Count -gt 0) {
$misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')" $misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')"
}
} }
}
# Prepare the final result # Prepare the final result
$result = $misconfiguredDetails.Count -eq 0 $result = $misconfiguredDetails.Count -eq 0
$details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join ' | ' } $details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join ' | ' }
$failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" } $failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = "2.1.1" Rec = $recnum
Result = $result Result = $result
Status = if ($result) { "Pass" } else { "Fail" } Status = if ($result) { "Pass" } else { "Fail" }
Details = $details Details = $details
FailureReason = $failureReasons FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
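Review bot: A tenant with no Safe Links policies at all passes this test, because `$misconfiguredDetails` stays empty when `Get-SafeLinksPolicy` returns nothing and `$result = $misconfiguredDetails.Count -eq 0` then evaluates to true; for a control titled "Ensure Safe Links for Office Applications is Enabled" that is a false pass in the audit output. Requiring at least one policy, e.g. `$result = (@($policies).Count -gt 0) -and ($misconfiguredDetails.Count -eq 0)`, and reporting "No Safe Links policies found." in `$details` and `$failureReasons` for that case, closes the gap. The loop also re-queries `Get-SafeLinksPolicy -Identity $policy.Name` for every policy although the unfiltered call already returned the policy objects; if the second call adds no properties it can be dropped. The `end {}` block is outside the hunk.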


@@ -1,5 +1,6 @@
function Test-SharePointAADB2B { function Test-SharePointAADB2B {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -11,21 +12,36 @@ function Test-SharePointAADB2B {
# Initialization code, if needed # Initialization code, if needed
$auditResult = [CISAuditResult]::new() $auditResult = [CISAuditResult]::new()
$recnum = "7.2.2"
} }
process { process {
# 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled try {
$SPOTenantAzureADB2B = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration # 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
$SPOTenantAzureADB2B = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration
# Populate the auditResult object with the required properties # Populate the auditResult object with the required properties
$params = @{ $params = @{
Rec = "7.2.2" Rec = $recnum
Result = $SPOTenantAzureADB2B.EnableAzureADB2BIntegration Result = $SPOTenantAzureADB2B.EnableAzureADB2BIntegration
Status = if ($SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Pass" } else { "Fail" } Status = if ($SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Pass" } else { "Fail" }
Details = "EnableAzureADB2BIntegration: $($SPOTenantAzureADB2B.EnableAzureADB2BIntegration)" Details = "EnableAzureADB2BIntegration: $($SPOTenantAzureADB2B.EnableAzureADB2BIntegration)"
FailureReason = if (-not $SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Azure AD B2B integration is not enabled" } else { "N/A" } FailureReason = if (-not $SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Azure AD B2B integration is not enabled" } else { "N/A" }
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {


@@ -1,5 +1,6 @@
function Test-SharePointExternalSharingDomains { function Test-SharePointExternalSharingDomains {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -11,22 +12,37 @@ function Test-SharePointExternalSharingDomains {
# Initialization code, if needed # Initialization code, if needed
$auditResult = [CISAuditResult]::new() $auditResult = [CISAuditResult]::new()
$recnum = "7.2.6"
} }
process { process {
# 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists try {
$SPOTenant = Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList # 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
$isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList' $SPOTenant = Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList
$isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList'
# Populate the auditResult object with the required properties # Populate the auditResult object with the required properties
$params = @{ $params = @{
Rec = "7.2.6" Rec = $recnum
Result = $isDomainRestrictionConfigured Result = $isDomainRestrictionConfigured
Status = if ($isDomainRestrictionConfigured) { "Pass" } else { "Fail" } Status = if ($isDomainRestrictionConfigured) { "Pass" } else { "Fail" }
Details = "SharingDomainRestrictionMode: $($SPOTenant.SharingDomainRestrictionMode); SharingAllowedDomainList: $($SPOTenant.SharingAllowedDomainList)" Details = "SharingDomainRestrictionMode: $($SPOTenant.SharingDomainRestrictionMode); SharingAllowedDomainList: $($SPOTenant.SharingAllowedDomainList)"
FailureReason = if (-not $isDomainRestrictionConfigured) { "Domain restrictions for SharePoint external sharing are not configured to 'AllowList'. Current setting: $($SPOTenant.SharingDomainRestrictionMode)" } else { "N/A" } FailureReason = if (-not $isDomainRestrictionConfigured) { "Domain restrictions for SharePoint external sharing are not configured to 'AllowList'. Current setting: $($SPOTenant.SharingDomainRestrictionMode)" } else { "N/A" }
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {


@@ -1,5 +1,6 @@
function Test-SharePointGuestsItemSharing { function Test-SharePointGuestsItemSharing {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Define your parameters here # Define your parameters here
@@ -11,22 +12,37 @@ function Test-SharePointGuestsItemSharing {
# Initialization code, if needed # Initialization code, if needed
$auditResult = [CISAuditResult]::new() $auditResult = [CISAuditResult]::new()
$recnum = "7.2.5"
} }
process { process {
# 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own try {
$SPOTenant = Get-SPOTenant | Select-Object PreventExternalUsersFromResharing # 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
$isGuestResharingPrevented = $SPOTenant.PreventExternalUsersFromResharing $SPOTenant = Get-SPOTenant | Select-Object PreventExternalUsersFromResharing
$isGuestResharingPrevented = $SPOTenant.PreventExternalUsersFromResharing
# Populate the auditResult object with the required properties # Populate the auditResult object with the required properties
$params = @{ $params = @{
Rec = "7.2.5" Rec = $recnum
Result = $isGuestResharingPrevented Result = $isGuestResharingPrevented
Status = if ($isGuestResharingPrevented) { "Pass" } else { "Fail" } Status = if ($isGuestResharingPrevented) { "Pass" } else { "Fail" }
Details = "PreventExternalUsersFromResharing: $isGuestResharingPrevented" Details = "PreventExternalUsersFromResharing: $isGuestResharingPrevented"
FailureReason = if (-not $isGuestResharingPrevented) { "Guest users can reshare items they don't own." } else { "N/A" } FailureReason = if (-not $isGuestResharingPrevented) { "Guest users can reshare items they don't own." } else { "N/A" }
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {


@@ -1,5 +1,6 @@
function Test-SpamPolicyAdminNotify { function Test-SpamPolicyAdminNotify {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added if needed # Parameters can be added if needed
@@ -11,37 +12,52 @@ function Test-SpamPolicyAdminNotify {
# Initialization code, if needed # Initialization code, if needed
$auditResult = [CISAuditResult]::new() $auditResult = [CISAuditResult]::new()
$recnum = "2.1.6"
} }
process { process {
# 2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators try {
# 2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators
# Get the default hosted outbound spam filter policy # Get the default hosted outbound spam filter policy
$hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true } $hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true }
# Check if both settings are enabled # Check if both settings are enabled
$bccSuspiciousOutboundMailEnabled = $hostedOutboundSpamFilterPolicy.BccSuspiciousOutboundMail $bccSuspiciousOutboundMailEnabled = $hostedOutboundSpamFilterPolicy.BccSuspiciousOutboundMail
$notifyOutboundSpamEnabled = $hostedOutboundSpamFilterPolicy.NotifyOutboundSpam $notifyOutboundSpamEnabled = $hostedOutboundSpamFilterPolicy.NotifyOutboundSpam
$areSettingsEnabled = $bccSuspiciousOutboundMailEnabled -and $notifyOutboundSpamEnabled $areSettingsEnabled = $bccSuspiciousOutboundMailEnabled -and $notifyOutboundSpamEnabled
# Prepare failure details if any setting is not enabled # Prepare failure details if any setting is not enabled
$failureDetails = @() $failureDetails = @()
if (-not $bccSuspiciousOutboundMailEnabled) { if (-not $bccSuspiciousOutboundMailEnabled) {
$failureDetails += "BccSuspiciousOutboundMail is not enabled." $failureDetails += "BccSuspiciousOutboundMail is not enabled."
} }
if (-not $notifyOutboundSpamEnabled) { if (-not $notifyOutboundSpamEnabled) {
$failureDetails += "NotifyOutboundSpam is not enabled." $failureDetails += "NotifyOutboundSpam is not enabled."
}
# Create an instance of CISAuditResult and populate it
$params = @{
Rec = $recnum
Result = $areSettingsEnabled
Status = if ($areSettingsEnabled) { "Pass" } else { "Fail" }
Details = if ($areSettingsEnabled) { "Both BccSuspiciousOutboundMail and NotifyOutboundSpam are enabled." } else { $failureDetails -join ' ' }
FailureReason = if (-not $areSettingsEnabled) { "One or both spam policies are not set to notify administrators." } else { "N/A" }
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
# Create an instance of CISAuditResult and populate it # Retrieve the description from the test definitions
$params = @{ $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
Rec = "2.1.6" $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
Result = $areSettingsEnabled
Status = if ($areSettingsEnabled) { "Pass" } else { "Fail" } $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
Details = if ($areSettingsEnabled) { "Both BccSuspiciousOutboundMail and NotifyOutboundSpam are enabled." } else { $failureDetails -join ' ' }
FailureReason = if (-not $areSettingsEnabled) { "One or both spam policies are not set to notify administrators." } else { "N/A" } # Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {


@@ -1,5 +1,6 @@
function Test-TeamsExternalAccess { function Test-TeamsExternalAccess {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
@@ -11,32 +12,47 @@ function Test-TeamsExternalAccess {
# Initialization code, if needed # Initialization code, if needed
$auditResult = [CISAuditResult]::new() $auditResult = [CISAuditResult]::new()
$recnum = "8.2.1"
} }
process { process {
# 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center try {
# 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
$externalAccessConfig = Get-CsTenantFederationConfiguration $externalAccessConfig = Get-CsTenantFederationConfiguration
$allowedDomainsLimited = $false $allowedDomainsLimited = $false
if ($externalAccessConfig.AllowFederatedUsers -and $externalAccessConfig.AllowedDomains -and $externalAccessConfig.AllowedDomains.AllowedDomain.Count -gt 0) { if ($externalAccessConfig.AllowFederatedUsers -and $externalAccessConfig.AllowedDomains -and $externalAccessConfig.AllowedDomains.AllowedDomain.Count -gt 0) {
$allowedDomainsLimited = $true $allowedDomainsLimited = $true
}
# Check if the configurations are as recommended
$isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or $allowedDomainsLimited)
# Create an instance of CISAuditResult and populate it
$params = @{
Rec = $recnum
Result = $isCompliant
Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited"
FailureReason = if (-not $isCompliant) { "One or more external access configurations are not compliant." } else { "N/A" }
}
$auditResult = Initialize-CISAuditResult @params
} }
catch {
Write-Error "An error occurred during the test: $_"
# Check if the configurations are as recommended # Retrieve the description from the test definitions
$isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or $allowedDomainsLimited) $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
# Create an instance of CISAuditResult and populate it $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$params = @{
Rec = "8.2.1" # Call Initialize-CISAuditResult with error parameters
Result = $isCompliant $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited"
FailureReason = if (-not $isCompliant) { "One or more external access configurations are not compliant." } else { "N/A" }
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {


@@ -1,5 +1,6 @@
function Test-TeamsExternalFileSharing { function Test-TeamsExternalFileSharing {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])]
param ( param (
# Aligned # Aligned
# Parameters can be added here if needed # Parameters can be added here if needed
@@ -11,36 +12,51 @@ function Test-TeamsExternalFileSharing {
# Initialization code, if needed # Initialization code, if needed
$auditResult = [CISAuditResult]::new() $auditResult = [CISAuditResult]::new()
$recnum = "8.1.1"
} }
process { process {
# 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services try {
# Connect to Teams PowerShell using Connect-MicrosoftTeams # 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# Assuming that 'approvedProviders' is a list of approved cloud storage service names # Assuming that 'approvedProviders' is a list of approved cloud storage service names
# This list must be defined according to your organization's approved cloud storage services # This list must be defined according to your organization's approved cloud storage services
$approvedProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte") $approvedProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")
$clientConfig = Get-CsTeamsClientConfiguration $clientConfig = Get-CsTeamsClientConfiguration
$isCompliant = $true $isCompliant = $true
$nonCompliantProviders = @() $nonCompliantProviders = @()
foreach ($provider in $approvedProviders) { foreach ($provider in $approvedProviders) {
if (-not $clientConfig.$provider) { if (-not $clientConfig.$provider) {
$isCompliant = $false $isCompliant = $false
$nonCompliantProviders += $provider $nonCompliantProviders += $provider
}
} }
}
# Create an instance of CISAuditResult and populate it # Create an instance of CISAuditResult and populate it
$params = @{ $params = @{
Rec = "8.1.1" Rec = $recnum
Result = $isCompliant Result = $isCompliant
Status = if ($isCompliant) { "Pass" } else { "Fail" } Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = if (-not $isCompliant) { "Non-approved providers enabled: $($nonCompliantProviders -join ', ')" } else { "All cloud storage services are approved providers" } Details = if (-not $isCompliant) { "Non-approved providers enabled: $($nonCompliantProviders -join ', ')" } else { "All cloud storage services are approved providers" }
FailureReason = if (-not $isCompliant) { "The following non-approved providers are enabled: $($nonCompliantProviders -join ', ')" } else { "N/A" } FailureReason = if (-not $isCompliant) { "The following non-approved providers are enabled: $($nonCompliantProviders -join ', ')" } else { "N/A" }
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
} }
$auditResult = Initialize-CISAuditResult @params
} }
end { end {
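Review bot: The compliance check on the new side is inverted relative to its own comments and messages: the loop marks the tenant non-compliant when a switch listed in `$approvedProviders` is `$false`, i.e. when a service is disabled, so the most restrictive tenant (all five providers off) fails and the Details text reports "Non-approved providers enabled" for services that are in fact off. The five names are the third-party storage switches on `Get-CsTeamsClientConfiguration`, and the comment above the list says the approved set must come from the organisation, so the set of switches and the approved subset should be separate, with a provider flagged only when it is enabled and not approved. A sketch of the rewritten loop follows; the `$params` hashtable and the catch block stay as they are. The `end {}` block is outside the hunk.
```powershell
# All third-party storage switches exposed by Get-CsTeamsClientConfiguration
$storageProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")
# Organisation-approved services; empty means no third-party provider is approved
$approvedProviders = @()
$clientConfig = Get-CsTeamsClientConfiguration
$nonCompliantProviders = @()
foreach ($provider in $storageProviders) {
    # Flag a provider only when it is switched on and not on the approved list
    if ($clientConfig.$provider -and ($provider -notin $approvedProviders)) {
        $nonCompliantProviders += $provider
    }
}
$isCompliant = $nonCompliantProviders.Count -eq 0
# … unchanged: $params hashtable and Initialize-CISAuditResult call …
```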


@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}
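Review bot: This test file is the unmodified project template: it calls `Get-PrivateFunction -PrivateData 'string'` inside `InModuleScope`, and unless the module actually defines a `Get-PrivateFunction` the `BeforeEach` will fail with a command-not-found error instead of exercising anything this change introduces. The same 27-line template is added four more times in the sections that follow; each should be rewritten to target the function its file path names, or left out until real tests exist. `Import-Module $ProjectName` without `-Force` also means a stale copy already loaded in the session is what ends up under test.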


@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}


@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}


@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}


@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}