vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add: Tests for 2.17

Browse Source
This commit is contained in:
DrIOS
2024-12-27 11:05:28 -06:00
parent 022dcde49b
commit 4e12eae6a9
5 changed files with 218 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@@ -11,10 +11,12 @@ The format is based on and uses the types of changes according to [Keep a Change
- Test Definition Placeholders - Test Definition Placeholders
- Steps to function to account for new logic and create an updated test definition object when version 4.0.0 is selected. - Steps to function to account for new logic and create an updated test definition object when version 4.0.0 is selected.
- Test-AdministrativeAccountCompliance4 function for v4.0.0 rec# 1.1.1 test. - Test-AdministrativeAccountCompliance4 function for v4.0.0 rec# 1.1.1 test.
- Updated Get-CISMgOutput function to include the new test definition case for 1.1.1. - Updated Get-CISMgOutput function to include the new test definition case for 1.1.1,1.1.4 and 2.1.7.
- New public function for generating version specific lists of recommendation numbers. - New public function for generating version specific lists of recommendation numbers.
- Check in main public function to check for 4.0.0 rec numbers when 3.0.0 is selected as the M365 benchmark version. - Check in main public function to check for 4.0.0 rec numbers when 3.0.0 is selected as the M365 benchmark version.
- Rec numbers to include and exclude rec numbers for version 4.0.0 so the 'validate set' works correctly. - Rec numbers to include and exclude rec numbers for version 4.0.0 so the 'validate set' works correctly.
- Get-PhishPolicyCompliance and Get-ScopeOverlap private functions for 2.1.7 v4.
- Test-PhishPolicyCompliance4 function for 2.1.7 v4.
### Fixed ### Fixed

7
source/Private/Get-CISExoOutput.ps1
View File

@@ -339,8 +339,15 @@ function Get-CISExoOutput {
) )
#> #>
$antiPhishPolicies = Get-AntiPhishPolicy $antiPhishPolicies = Get-AntiPhishPolicy
if ($script:Version400) {
Write-Verbose 'Retrieving associated AntiPhishRules...'
$antiPhishRules = Get-AntiPhishRule
return $antiPhishPolicies, $antiPhishRules
}
else {
return $antiPhishPolicies return $antiPhishPolicies
} }
}
'2.1.9' { '2.1.9' {
# Test-EnableDKIM.ps1 # Test-EnableDKIM.ps1
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains # 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains

45
source/Private/Get-PhishPolicyCompliance.ps1 Normal file
View File

@@ -0,0 +1,45 @@
function Get-PhishPolicyCompliance {
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[PSCustomObject]$Policy
)
# Define the compliance criteria for an anti-phishing policy
$complianceCriteria = @{
Enabled = $true # Policy must be enabled
EnableTargetedUserProtection = $true # Targeted user protection must be enabled
EnableOrganizationDomainsProtection = $true # Organization domains protection must be enabled
EnableMailboxIntelligence = $true # Mailbox intelligence must be enabled
EnableMailboxIntelligenceProtection = $true # Mailbox intelligence protection must be enabled
EnableSpoofIntelligence = $true # Spoof intelligence must be enabled
TargetedUserProtectionAction = 'Quarantine' # Actions for targeted user protection must be 'Quarantine'
TargetedDomainProtectionAction = 'Quarantine' # Actions for targeted domain protection must be 'Quarantine'
MailboxIntelligenceProtectionAction = 'Quarantine' # Actions for mailbox intelligence protection must be 'Quarantine'
EnableFirstContactSafetyTips = $true # First contact safety tips must be enabled
EnableSimilarUsersSafetyTips = $true # Similar users safety tips must be enabled
EnableSimilarDomainsSafetyTips = $true # Similar domains safety tips must be enabled
EnableUnusualCharactersSafetyTips = $true # Unusual characters safety tips must be enabled
HonorDmarcPolicy = $true # Honor DMARC policy must be enabled
}
# Initialize compliance state and a list to track non-compliance reasons
$isCompliant = $true
$nonCompliantReasons = @()
# Iterate through the compliance criteria and check each property of the policy
foreach ($key in $complianceCriteria.Keys) {
if ($Policy.PSObject.Properties[$key] -and $Policy.$key -ne $complianceCriteria[$key]) {
$isCompliant = $false # Mark as non-compliant if the value doesn't match
$nonCompliantReasons += "$key`: Expected $($complianceCriteria[$key]), Found $($Policy.$key)" # Record the discrepancy
}
}
# Special case: Ensure PhishThresholdLevel is at least 3
if ($Policy.PSObject.Properties['PhishThresholdLevel'] -and $Policy.PhishThresholdLevel -lt 3) {
$isCompliant = $false # Mark as non-compliant if threshold is below 3
$nonCompliantReasons += "PhishThresholdLevel: Expected at least 3, Found $($Policy.PhishThresholdLevel)" # Record the issue
}
# Log the reasons for non-compliance if the policy is not compliant
if (-not $isCompliant) {
Write-Verbose "Policy $($Policy.Name) is not compliant. Reasons: $($nonCompliantReasons -join '; ')"
}
# Return whether the policy is compliant
return $isCompliant
}

48
source/Private/Get-ScopeOverlap.ps1 Normal file
View File

@@ -0,0 +1,48 @@
function Get-ScopeOverlap {
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[PSCustomObject]$Policy, # The primary policy whose scope we are evaluating
[Parameter(Mandatory = $true)]
[PSCustomObject[]]$OtherPolicies # A list of other policies to compare for scope overlap
)
# Write a verbose message indicating the policy being evaluated for overlap
Write-Verbose "Checking for scope overlap with $($Policy.Name)..."
# Initialize variables to track overlap status and overlapping entities
$overlapDetected = $false # Tracks if any overlap is detected
$overlappingEntities = @() # Stores details of overlapping entities for logging
# Build the scope string of the current policy by concatenating users, groups, and domains
$policyScope = @(
$Policy.Users -join ',', # Users within the policy's scope
$Policy.Groups -join ',', # Groups within the policy's scope
$Policy.Domains -join ',' # Domains within the policy's scope
) -join ',' # Combine all into a single string
# Iterate through each policy in the list of other policies
foreach ($otherPolicy in $OtherPolicies) {
if ($null -ne $otherPolicy) { # Skip null or empty policies
# Build the scope string for the other policy
$otherScope = @(
$otherPolicy.Users -join ',', # Users within the other policy's scope
$otherPolicy.Groups -join ',', # Groups within the other policy's scope
$otherPolicy.Domains -join ',' # Domains within the other policy's scope
) -join ',' # Combine all into a single string
# Check if the current policy's scope matches any part of the other policy's scope
if ($policyScope -match $otherScope) {
$overlapDetected = $true # Mark overlap as detected
# Log overlapping entities for clarity
$overlappingEntities += @(
"Users: $($otherPolicy.Users)",
"Groups: $($otherPolicy.Groups)",
"Domains: $($otherPolicy.Domains)"
)
Write-Verbose "Overlap detected between $($Policy.Name) and $($otherPolicy.Name)." # Log the overlap
}
}
}
# If overlap is detected, log the specific overlapping entities
if ($overlapDetected) {
Write-Verbose "Overlapping entities: $($overlappingEntities -join '; ')" # Log overlapping users, groups, or domains
}
# Return whether overlap was detected (true/false)
return $overlapDetected
}

114
source/tests/Test-AntiPhishingPolicy4.ps1 Normal file
View File

@@ -0,0 +1,114 @@
function Test-AntiPhishingPolicy4 {
[CmdletBinding()]
[OutputType([CISAuditResult])]
param ()
begin {
# Set the record number and start the process
$RecNum = '2.1.7'
Write-Verbose "Running Test-AntiPhishingPolicy4 for $RecNum..."
}
process {
try {
# Step 1: Retrieve all anti-phishing policies and rules
Write-Verbose 'Retrieving all anti-phishing policies and rules...'
$antiPhishPolicies, $antiPhishRules = Get-CISExoOutput -Rec $RecNum
if ($null -eq $antiPhishPolicies -or $antiPhishPolicies.Count -eq 0) {
throw 'No Anti-Phishing policies found.'
}
# Initialize lists to track compliant and non-compliant policies and reasons for failures
$compliantPolicies = @()
$failureReasons = @()
$nonCompliantPolicies = @()
# Step 2: Evaluate strict and standard preset policies
Write-Verbose 'Evaluating strict and standard preset policies...'
$strictPolicy = $antiPhishPolicies | Where-Object { $_.Name -eq 'Strict Preset Security Policy' }
$standardPolicy = $antiPhishPolicies | Where-Object { $_.Name -eq 'Standard Preset Security Policy' }
$strictStandardCompliant = $false
foreach ($policy in @($strictPolicy, $standardPolicy)) {
if ($null -ne $policy) {
# Check if the strict or standard policy is compliant
$isCompliant = Get-PhishPolicyCompliance -policy $policy
if ($isCompliant) {
$strictStandardCompliant = $true
$compliantPolicies += $policy.Name
} else {
$nonCompliantPolicies += $policy.Name
}
}
}
# Step 3: Evaluate custom policies if strict and standard are not compliant
if (-not $strictStandardCompliant) {
Write-Verbose 'Evaluating custom policies for compliance...'
# Filter custom policies that match any rules in $antiPhishRules and sort by priority
$customPolicies = $antiPhishPolicies | Where-Object { $antiPhishRules.AntiPhishPolicy -contains $_.Name }
$customPolicies = $customPolicies | Sort-Object -Property { $antiPhishRules | Where-Object { $_.AntiPhishPolicy -eq $_.Name } | Select-Object -ExpandProperty Priority }
foreach ($policy in $customPolicies) {
# Check for scope overlap between custom policies and strict/standard policies
$scopeOverlap = Get-ScopeOverlap -Policy $policy -OtherPolicies @($strictPolicy, $standardPolicy)
if ($scopeOverlap) {
$failureReasons += "Custom policy $($policy.Name) overlaps with strict or standard preset policies."
$nonCompliantPolicies += $policy.Name
} else {
# Check if the custom policy is compliant
$isCompliant = Get-PhishPolicyCompliance -policy $policy
if ($isCompliant) {
$compliantPolicies += $policy.Name
} else {
$nonCompliantPolicies += $policy.Name
}
}
}
}
# Step 4: Evaluate the default policy if no compliant custom, strict, or standard policies
if ($compliantPolicies.Count -eq 0) {
Write-Verbose 'Evaluating default policy for compliance...'
$defaultPolicy = $antiPhishPolicies | Where-Object { $_.Name -eq 'Office365 AntiPhish Default' }
if ($null -ne $defaultPolicy) {
# Check for scope overlap between the default policy and other policies
$scopeOverlap = Get-ScopeOverlap -Policy $defaultPolicy -OtherPolicies @($strictPolicy, $standardPolicy, $antiPhishPolicies | Where-Object { $_.Name -ne 'Office365 AntiPhish Default' })
if ($scopeOverlap) {
$failureReasons += "Default policy overlaps with other scoped policies."
$nonCompliantPolicies += $defaultPolicy.Name
} else {
# Check if the default policy is compliant
$isCompliant = Get-PhishPolicyCompliance -policy $defaultPolicy
if ($isCompliant) {
$compliantPolicies += $defaultPolicy.Name
} else {
$nonCompliantPolicies += $defaultPolicy.Name
}
}
}
}
# Step 5: Determine overall compliance
$isOverallCompliant = ($compliantPolicies.Count -gt 0) -and ($failureReasons.Count -eq 0)
# Step 6: Prepare result details
$resultDetails = if ($isOverallCompliant) {
# Prepare details for compliant policies
"Compliant Policies: $($compliantPolicies -join ', ')"
}
else {
# Prepare details for non-compliant policies and reasons
"Non-Compliant Policies: $($nonCompliantPolicies -join ', ')`nFailure Reasons:`n" + ($failureReasons -join "`n")
}
# Step 7: Prepare the audit result object
$params = @{
Rec = $RecNum
Result = $isOverallCompliant
Status = if ($isOverallCompliant) { 'Pass' } else { 'Fail' }
Details = $resultDetails
FailureReason = if (-not $isOverallCompliant) { $failureReasons -join "`n" } else { 'None' }
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
# Handle errors and return the error result
Write-Error "An error occurred during the test $RecNum`: $_"
$auditResult = Get-TestError -LastError $_ -RecNum $RecNum
}
}
end {
# Return the audit result object
return $auditResult
}
}