vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: SPO formatting and output

Browse Source
This commit is contained in:
DrIOS
2024-07-02 09:47:06 -05:00
parent 5ef32eb4b8
commit 5d11b46d96
7 changed files with 106 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
source/Private/Get-CISSpoOutput.ps1
View File

@@ -101,18 +101,39 @@ function Get-CISSpoOutput {
'7.2.6' { '7.2.6' {
# Test-SharePointExternalSharingDomains.ps1 # Test-SharePointExternalSharingDomains.ps1
# 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists # 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
# Add Authorized Domains?
# $SPOTenant Mock Object
<#
$SPOTenant = [PSCustomObject]@{
SharingDomainRestrictionMode = "AllowList"
SharingAllowedDomainList = "domain1.com", "domain2.com"
}
#>
$SPOTenant = Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList $SPOTenant = Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList
return $SPOTenant return $SPOTenant
} }
'7.2.7' { '7.2.7' {
# Test-LinkSharingRestrictions.ps1 # Test-LinkSharingRestrictions.ps1
# Retrieve link sharing configuration for SharePoint and OneDrive # Retrieve link sharing configuration for SharePoint and OneDrive
# $SPOTenantLinkSharing Mock Object
<#
$$SPOTenantLinkSharing = [PSCustomObject]@{
DefaultSharingLinkType = "Direct"
}
#>
$SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType $SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType
return $SPOTenantLinkSharing return $SPOTenantLinkSharing
} }
'7.2.9' { '7.2.9' {
# Test-GuestAccessExpiration.ps1 # Test-GuestAccessExpiration.ps1
# Retrieve SharePoint tenant settings related to guest access expiration # Retrieve SharePoint tenant settings related to guest access expiration
# $SPOTenantGuestAccess Mock Object
<#
$SPOTenantGuestAccess = [PSCustomObject]@{
ExternalUserExpirationRequired = "$false"
ExternalUserExpireInDays = "60"
}
#>
$SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays $SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays
return $SPOTenantGuestAccess return $SPOTenantGuestAccess
} }
@@ -120,24 +141,53 @@ function Get-CISSpoOutput {
# Test-ReauthWithCode.ps1 # Test-ReauthWithCode.ps1
# 7.2.10 (L1) Ensure reauthentication with verification code is restricted # 7.2.10 (L1) Ensure reauthentication with verification code is restricted
# Retrieve reauthentication settings for SharePoint Online # Retrieve reauthentication settings for SharePoint Online
# $SPOTenantReauthentication Mock Object
<#
$SPOTenantReauthentication = [PSCustomObject]@{
EmailAttestationRequired = "$false"
EmailAttestationReAuthDays = "30"
}
#>
$SPOTenantReauthentication = Get-SPOTenant | Select-Object EmailAttestationRequired, EmailAttestationReAuthDays $SPOTenantReauthentication = Get-SPOTenant | Select-Object EmailAttestationRequired, EmailAttestationReAuthDays
return $SPOTenantReauthentication return $SPOTenantReauthentication
} }
'7.3.1' { '7.3.1' {
# Test-DisallowInfectedFilesDownload.ps1 # Test-DisallowInfectedFilesDownload.ps1
# Retrieve the SharePoint tenant configuration # Retrieve the SharePoint tenant configuration
# $SPOTenantDisallowInfectedFileDownload Mock Object
<#
$SPOTenantDisallowInfectedFileDownload = [PSCustomObject]@{
DisallowInfectedFileDownload = $false
}
#>
$SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload $SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload
return $SPOTenantDisallowInfectedFileDownload return $SPOTenantDisallowInfectedFileDownload
} }
'7.3.2' { '7.3.2' {
# Test-OneDriveSyncRestrictions.ps1 # Test-OneDriveSyncRestrictions.ps1
# Retrieve OneDrive sync client restriction settings # Retrieve OneDrive sync client restriction settings
# Add isHybrid paramter?
# $SPOTenantSyncClientRestriction Mock Object
<#
$SPOTenantSyncClientRestriction = [PSCustomObject]@{
TenantRestrictionEnabled = $true
AllowedDomainList = "786548DD-877B-4760-A749-6B1EFBC1190A", "877564FF-877B-4760-A749-6B1EFBC1190A"
}
#>
$SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList $SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList
return $SPOTenantSyncClientRestriction return $SPOTenantSyncClientRestriction
} }
'7.3.4' { '7.3.4' {
# Test-RestrictCustomScripts.ps1 # Test-RestrictCustomScripts.ps1
# Retrieve all site collections and select necessary properties # Retrieve all site collections and select necessary properties
# $SPOSitesCustomScript Mock Object
<#
$SPOSitesCustomScript = [PSCustomObject]@{
Title = "Site Collection 1"
Url = "https://contoso.sharepoint.com/sites/site1"
DenyAddAndCustomizePages = "Enabled"
}
#>
$SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages $SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages
return $SPOSitesCustomScript return $SPOSitesCustomScript
} }

22
source/tests/Test-DisallowInfectedFilesDownload.ps1
View File

@@ -5,17 +5,14 @@ function Test-DisallowInfectedFilesDownload {
# Aligned # Aligned
# Define your parameters here if needed # Define your parameters here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.3.1" $recnum = "7.3.1"
Write-Verbose "Running Test-DisallowInfectedFilesDownload for $recnum..."
} }
process { process {
try { try {
# 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download # 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download
# #
@@ -32,28 +29,30 @@ function Test-DisallowInfectedFilesDownload {
# - Condition A: The `DisallowInfectedFileDownload` setting is not set to `True`. # - Condition A: The `DisallowInfectedFileDownload` setting is not set to `True`.
# - Condition B: The setting does not prevent users from downloading infected files. # - Condition B: The setting does not prevent users from downloading infected files.
# - Condition C: Verification using the PowerShell command indicates that the setting is incorrectly configured. # - Condition C: Verification using the PowerShell command indicates that the setting is incorrectly configured.
# Retrieve the SharePoint tenant configuration # Retrieve the SharePoint tenant configuration
# $SPOTenantDisallowInfectedFileDownload Mock Object
<#
$SPOTenantDisallowInfectedFileDownload = [PSCustomObject]@{
DisallowInfectedFileDownload = $false
}
#>
$SPOTenantDisallowInfectedFileDownload = Get-CISSpoOutput -Rec $recnum $SPOTenantDisallowInfectedFileDownload = Get-CISSpoOutput -Rec $recnum
# Condition A: The `DisallowInfectedFileDownload` setting is set to `True` # Condition A: The `DisallowInfectedFileDownload` setting is set to `True`
$isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload $isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isDisallowInfectedFileDownloadEnabled) { $failureReasons = if (-not $isDisallowInfectedFileDownloadEnabled) {
"Downloading infected files is not disallowed." # Condition B: The setting does not prevent users from downloading infected files "Downloading infected files is not disallowed. To ensure infected files cannot be downloaded, use the following command:`n" + ` # Condition B: The setting does not prevent users from downloading infected files
"Set-SPOTenant -DisallowInfectedFileDownload `$true"
} }
else { else {
"N/A" "N/A"
} }
$details = if ($isDisallowInfectedFileDownloadEnabled) { $details = if ($isDisallowInfectedFileDownloadEnabled) {
"DisallowInfectedFileDownload: True" # Condition C: Verification confirms the setting is correctly configured "DisallowInfectedFileDownload: True" # Condition C: Verification confirms the setting is correctly configured
} }
else { else {
"DisallowInfectedFileDownload: False" # Condition C: Verification indicates the setting is incorrectly configured "DisallowInfectedFileDownload: False" # Condition C: Verification indicates the setting is incorrectly configured
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -69,9 +68,8 @@ function Test-DisallowInfectedFilesDownload {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult
} }
} }

20
source/tests/Test-GuestAccessExpiration.ps1
View File

@@ -5,17 +5,14 @@ function Test-GuestAccessExpiration {
# Aligned # Aligned
# Define your parameters here if needed # Define your parameters here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.2.9" $recnum = "7.2.9"
Write-Verbose "Running Test-GuestAccessExpiration for $recnum..."
} }
process { process {
try { try {
# 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically # 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
# #
@@ -32,21 +29,25 @@ function Test-GuestAccessExpiration {
# - Condition A: The ExternalUserExpirationRequired setting in SharePoint is not set to True. # - Condition A: The ExternalUserExpirationRequired setting in SharePoint is not set to True.
# - Condition B: The ExternalUserExpireInDays setting in SharePoint is configured to more than 30 days. # - Condition B: The ExternalUserExpireInDays setting in SharePoint is configured to more than 30 days.
# - Condition C: Verification using the SharePoint Admin Center indicates that guest access is not set to expire automatically after the specified number of days. # - Condition C: Verification using the SharePoint Admin Center indicates that guest access is not set to expire automatically after the specified number of days.
# Retrieve SharePoint tenant settings related to guest access expiration # Retrieve SharePoint tenant settings related to guest access expiration
# $SPOTenantGuestAccess Mock Object
<#
$SPOTenantGuestAccess = [PSCustomObject]@{
ExternalUserExpirationRequired = "$false"
ExternalUserExpireInDays = "60"
}
#>
$SPOTenantGuestAccess = Get-CISSpoOutput -Rec $recnum $SPOTenantGuestAccess = Get-CISSpoOutput -Rec $recnum
$isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30 $isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isGuestAccessExpirationConfiguredCorrectly) { $failureReasons = if (-not $isGuestAccessExpirationConfiguredCorrectly) {
"Guest access expiration is not configured to automatically expire within 30 days or less." "Guest access expiration is not configured to automatically expire within 30 days or less. To remediate this setting, use the Set-SPOTenant command:`n`n" + `
"Set-SPOTenant -ExternalUserExpirationRequired `$true -ExternalUserExpireInDays 30"
} }
else { else {
"N/A" "N/A"
} }
$details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)" $details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -62,7 +63,6 @@ function Test-GuestAccessExpiration {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

18
source/tests/Test-LinkSharingRestrictions.ps1
View File

@@ -6,14 +6,13 @@ function Test-LinkSharingRestrictions {
# Define your parameters here # Define your parameters here
# Test behavior in prod # Test behavior in prod
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.2.7" $recnum = "7.2.7"
Write-Verbose "Running Test-LinkSharingRestrictions for $recnum..."
} }
process { process {
try { try {
# 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive # 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
@@ -31,21 +30,24 @@ function Test-LinkSharingRestrictions {
# - Condition A: The `DefaultSharingLinkType` setting in SharePoint and OneDrive is not set to `Direct`. # - Condition A: The `DefaultSharingLinkType` setting in SharePoint and OneDrive is not set to `Direct`.
# - Condition B: The setting `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` is not set to `Specific people (only the people the user specifies)`. # - Condition B: The setting `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` is not set to `Specific people (only the people the user specifies)`.
# - Condition C: Verification using the UI indicates that the link sharing settings are not configured as recommended. # - Condition C: Verification using the UI indicates that the link sharing settings are not configured as recommended.
# Retrieve link sharing configuration for SharePoint and OneDrive # Retrieve link sharing configuration for SharePoint and OneDrive
# $SPOTenantLinkSharing Mock Object
<#
$$SPOTenantLinkSharing = [PSCustomObject]@{
DefaultSharingLinkType = "Direct"
}
#>
$SPOTenantLinkSharing = Get-CISSpoOutput -Rec $recnum $SPOTenantLinkSharing = Get-CISSpoOutput -Rec $recnum
$isLinkSharingRestricted = $SPOTenantLinkSharing.DefaultSharingLinkType -eq 'Direct' # Or 'SpecificPeople' as per the recommendation $isLinkSharingRestricted = $SPOTenantLinkSharing.DefaultSharingLinkType -eq 'Direct' # Or 'SpecificPeople' as per the recommendation
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isLinkSharingRestricted) { $failureReasons = if (-not $isLinkSharingRestricted) {
"Link sharing is not restricted to 'Specific people'. Current setting: $($SPOTenantLinkSharing.DefaultSharingLinkType)" "Link sharing is not restricted to 'Specific people'. Current setting: $($SPOTenantLinkSharing.DefaultSharingLinkType). To remediate this setting, use the Set-SPOTenant command:`n`n" + `
"Set-SPOTenant -DefaultSharingLinkType Direct"
} }
else { else {
"N/A" "N/A"
} }
$details = "DefaultSharingLinkType: $($SPOTenantLinkSharing.DefaultSharingLinkType)" $details = "DefaultSharingLinkType: $($SPOTenantLinkSharing.DefaultSharingLinkType)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -55,14 +57,12 @@ function Test-LinkSharingRestrictions {
FailureReason = $failureReasons FailureReason = $failureReasons
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
} }
catch { catch {
$LastError = $_ $LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

13
source/tests/Test-OneDriveSyncRestrictions.ps1
View File

@@ -5,14 +5,13 @@ function Test-OneDriveSyncRestrictions {
# Aligned # Aligned
# Define your parameters here # Define your parameters here
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.3.2" $recnum = "7.3.2"
Write-Verbose "Running Test-OneDriveSyncRestrictions for $recnum..."
} }
process { process {
try { try {
# 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices # 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices
@@ -30,20 +29,20 @@ function Test-OneDriveSyncRestrictions {
# - Condition A: "Allow syncing only on computers joined to specific domains" is not enabled. # - Condition A: "Allow syncing only on computers joined to specific domains" is not enabled.
# - Condition B: "TenantRestrictionEnabled" is set to False. # - Condition B: "TenantRestrictionEnabled" is set to False.
# - Condition C: "AllowedDomainList" does not contain the trusted domain GUIDs from the on-premises environment. # - Condition C: "AllowedDomainList" does not contain the trusted domain GUIDs from the on-premises environment.
# Retrieve OneDrive sync client restriction settings # Retrieve OneDrive sync client restriction settings
$SPOTenantSyncClientRestriction = Get-CISSpoOutput -Rec $recnum $SPOTenantSyncClientRestriction = Get-CISSpoOutput -Rec $recnum
$isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList $isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList
# Condition A: Check if TenantRestrictionEnabled is True # Condition A: Check if TenantRestrictionEnabled is True
# Condition B: Ensure AllowedDomainList contains trusted domains GUIDs # Condition B: Ensure AllowedDomainList contains trusted domains GUIDs
$failureReasons = if (-not $isSyncRestricted) { $failureReasons = if (-not $isSyncRestricted) {
"OneDrive sync is not restricted to managed devices. TenantRestrictionEnabled should be True and AllowedDomainList should contain trusted domains GUIDs." "OneDrive sync is not restricted to managed devices. For hybrid devices, TenantRestrictionEnabled should be True and AllowedDomainList should contain trusted domains GUIDs.`n" + `
"To remediate this setting, edit and use the Set-SPOTenantSyncClientRestriction command below:`n" + `
"Set-SPOTenantSyncClientRestriction -TenantRestrictionEnabled `$true -AllowedDomainList `"<GUID1>`",`"<GUID2>`"`n`n" + `
"Note: Utilize the -BlockMacSync:`$true parameter if you are not using conditional access to ensure Macs cannot sync."
} }
else { else {
"N/A" "N/A"
} }
# Condition C: Prepare details based on whether sync is restricted # Condition C: Prepare details based on whether sync is restricted
$details = if ($isSyncRestricted) { $details = if ($isSyncRestricted) {
"OneDrive sync is restricted for unmanaged devices." "OneDrive sync is restricted for unmanaged devices."
@@ -51,7 +50,6 @@ function Test-OneDriveSyncRestrictions {
else { else {
"TenantRestrictionEnabled: $($SPOTenantSyncClientRestriction.TenantRestrictionEnabled); AllowedDomainList: $($SPOTenantSyncClientRestriction.AllowedDomainList -join ', ')" "TenantRestrictionEnabled: $($SPOTenantSyncClientRestriction.TenantRestrictionEnabled); AllowedDomainList: $($SPOTenantSyncClientRestriction.AllowedDomainList -join ', ')"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -67,7 +65,6 @@ function Test-OneDriveSyncRestrictions {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return auditResult # Return auditResult
return $auditResult return $auditResult

19
source/tests/Test-ReauthWithCode.ps1
View File

@@ -5,7 +5,6 @@ function Test-ReauthWithCode {
# Aligned # Aligned
# Define your parameters here # Define your parameters here
) )
begin { begin {
<# <#
Conditions for 7.2.10 (L1) Ensure reauthentication with verification code is restricted Conditions for 7.2.10 (L1) Ensure reauthentication with verification code is restricted
@@ -22,31 +21,34 @@ function Test-ReauthWithCode {
# - Condition A: The `EmailAttestationRequired` property is set to `False`. # - Condition A: The `EmailAttestationRequired` property is set to `False`.
# - Condition B: The `EmailAttestationReAuthDays` property is set to more than `15`. # - Condition B: The `EmailAttestationReAuthDays` property is set to more than `15`.
#> #>
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.2.10" $recnum = "7.2.10"
Write-Verbose "Running Test-ReauthWithCode for $recnum..."
} }
process { process {
try { try {
# 7.2.10 (L1) Ensure reauthentication with verification code is restricted # 7.2.10 (L1) Ensure reauthentication with verification code is restricted
# Retrieve reauthentication settings for SharePoint Online # Retrieve reauthentication settings for SharePoint Online
# $SPOTenantReauthentication Mock Object
<#
$SPOTenantReauthentication = [PSCustomObject]@{
EmailAttestationRequired = "$false"
EmailAttestationReAuthDays = "30"
}
#>
$SPOTenantReauthentication = Get-CISSpoOutput -Rec $recnum $SPOTenantReauthentication = Get-CISSpoOutput -Rec $recnum
$isReauthenticationRestricted = $SPOTenantReauthentication.EmailAttestationRequired -and $SPOTenantReauthentication.EmailAttestationReAuthDays -le 15 $isReauthenticationRestricted = $SPOTenantReauthentication.EmailAttestationRequired -and $SPOTenantReauthentication.EmailAttestationReAuthDays -le 15
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isReauthenticationRestricted) { $failureReasons = if (-not $isReauthenticationRestricted) {
"Reauthentication with verification code does not require reauthentication within 15 days or less." "Reauthentication with verification code does not require reauthentication within 15 days or less. To remediate this setting, use the Set-SPOTenant command:`n" + `
"Set-SPOTenant -EmailAttestationRequired `$true -EmailAttestationReAuthDays 15"
} }
else { else {
"N/A" "N/A"
} }
$details = "EmailAttestationRequired: $($SPOTenantReauthentication.EmailAttestationRequired); EmailAttestationReAuthDays: $($SPOTenantReauthentication.EmailAttestationReAuthDays)" $details = "EmailAttestationRequired: $($SPOTenantReauthentication.EmailAttestationRequired); EmailAttestationReAuthDays: $($SPOTenantReauthentication.EmailAttestationReAuthDays)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -62,7 +64,6 @@ function Test-ReauthWithCode {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return auditResult # Return auditResult
return $auditResult return $auditResult

27
source/tests/Test-RestrictCustomScripts.ps1
View File

@@ -4,15 +4,13 @@ function Test-RestrictCustomScripts {
param ( param (
# Define your parameters here if needed # Define your parameters here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1 # . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "7.3.4" $recnum = "7.3.4"
Write-Verbose "Running Test-RestrictCustomScripts for $recnum..."
} }
process { process {
try { try {
# 7.3.4 (L1) Ensure custom script execution is restricted on site collections # 7.3.4 (L1) Ensure custom script execution is restricted on site collections
@@ -30,23 +28,27 @@ function Test-RestrictCustomScripts {
# - Condition A: The `DenyAddAndCustomizePages` setting is not set to `Enabled` for any site collection. # - Condition A: The `DenyAddAndCustomizePages` setting is not set to `Enabled` for any site collection.
# - Condition B: The setting is not validated through PowerShell commands, indicating misconfiguration. # - Condition B: The setting is not validated through PowerShell commands, indicating misconfiguration.
# - Condition C: Verification using the SharePoint Admin Center indicates that the `DenyAddAndCustomizePages` setting is not enforced. # - Condition C: Verification using the SharePoint Admin Center indicates that the `DenyAddAndCustomizePages` setting is not enforced.
# Retrieve all site collections and select necessary properties # Retrieve all site collections and select necessary properties
# $SPOSitesCustomScript Mock Object
<#
$SPOSitesCustomScript = [PSCustomObject]@{
Title = "Site Collection 1"
Url = "https://contoso.sharepoint.com/sites/site1"
DenyAddAndCustomizePages = "Enabled"
}
#>
$SPOSitesCustomScript = Get-CISSpoOutput -Rec $recnum $SPOSitesCustomScript = Get-CISSpoOutput -Rec $recnum
# Process URLs to replace 'sharepoint.com' with '<SPUrl>' # Process URLs to replace 'sharepoint.com' with '<SPUrl>'
$processedUrls = $SPOSitesCustomScript | ForEach-Object { $processedUrls = $SPOSitesCustomScript | ForEach-Object {
$_.Url = $_.Url -replace 'sharepoint\.com', '<SPUrl>' $_.Url = $_.Url -replace 'sharepoint\.com', '<SPUrl>'
$_ $_
} }
# Find sites where custom scripts are allowed # Find sites where custom scripts are allowed
$customScriptAllowedSites = $processedUrls | Where-Object { $_.DenyAddAndCustomizePages -ne 'Enabled' } $customScriptAllowedSites = $processedUrls | Where-Object { $_.DenyAddAndCustomizePages -ne 'Enabled' }
#$verbosePreference = 'Continue' #$verbosePreference = 'Continue'
# Check the total length of URLs # Check the total length of URLs
$totalUrlLength = ($customScriptAllowedSites.Url -join '').Length $totalUrlLength = ($customScriptAllowedSites.Url -join '').Length
Write-Verbose "Total length of URLs: $totalUrlLength" Write-Verbose "Total length of URLs: $totalUrlLength"
# Extract hostnames from allowed sites if the total length exceeds the limit # Extract hostnames from allowed sites if the total length exceeds the limit
$mostUsedHostname = $null $mostUsedHostname = $null
if ($totalUrlLength -gt 20000) { if ($totalUrlLength -gt 20000) {
@@ -57,7 +59,6 @@ function Test-RestrictCustomScripts {
} }
} }
Write-Verbose "Extracted hostnames: $($hostnames -join ', ')" Write-Verbose "Extracted hostnames: $($hostnames -join ', ')"
# Find the most used hostname using the Get-MostCommonWord function # Find the most used hostname using the Get-MostCommonWord function
$mostUsedHostname = Get-MostCommonWord -InputStrings $hostnames $mostUsedHostname = Get-MostCommonWord -InputStrings $hostnames
Write-Verbose "Most used hostname: $mostUsedHostname" Write-Verbose "Most used hostname: $mostUsedHostname"
@@ -65,7 +66,6 @@ function Test-RestrictCustomScripts {
#$verbosePreference = 'SilentlyContinue' #$verbosePreference = 'SilentlyContinue'
# Compliance is true if no sites allow custom scripts # Compliance is true if no sites allow custom scripts
$complianceResult = $customScriptAllowedSites.Count -eq 0 $complianceResult = $customScriptAllowedSites.Count -eq 0
# Gather details for non-compliant sites (where custom scripts are allowed) # Gather details for non-compliant sites (where custom scripts are allowed)
$nonCompliantSiteDetails = $customScriptAllowedSites | ForEach-Object { $nonCompliantSiteDetails = $customScriptAllowedSites | ForEach-Object {
$url = $_.Url $url = $_.Url
@@ -74,32 +74,29 @@ function Test-RestrictCustomScripts {
} }
"$(if ($_.Title) {$_.Title} else {"NoTitle"})|$url" "$(if ($_.Title) {$_.Title} else {"NoTitle"})|$url"
} }
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $complianceResult) { $failureReasons = if (-not $complianceResult) {
"Some site collections are not restricting custom script execution. Review Details property for sites that are not aligned with the benchmark." "Some site collections are not restricting custom script execution. Review Details property for sites that are not aligned with the benchmark.`n" + `
"To remediate this setting, use the following command:`n" + `
"Set-SPOSite -Identity <SiteUrl> -DenyAddAndCustomizePages `$true"
} }
else { else {
"N/A" "N/A"
} }
$details = if ($complianceResult) { $details = if ($complianceResult) {
"All site collections have custom script execution restricted" "All site collections have custom script execution restricted"
} }
else { else {
"Title|Url`n" + ($nonCompliantSiteDetails -join "`n") "Title|Url`n" + ($nonCompliantSiteDetails -join "`n")
} }
# Convert details to PSObject and check length # Convert details to PSObject and check length
$detailsPSObject = $details | ConvertFrom-Csv -Delimiter '|' $detailsPSObject = $details | ConvertFrom-Csv -Delimiter '|'
$detailsLength = ($detailsPSObject | ForEach-Object { $_.Url }).Length $detailsLength = ($detailsPSObject | ForEach-Object { $_.Url }).Length
if ($detailsLength -gt 32767) { if ($detailsLength -gt 32767) {
# Create a preview of the first 10 results # Create a preview of the first 10 results
$preview = $detailsPSObject | Select-Object -First 10 | ForEach-Object { "$($_.Title)|$($_.Url)" } $preview = $detailsPSObject | Select-Object -First 10 | ForEach-Object { "$($_.Title)|$($_.Url)" }
$details = "The output is too large. Here is a preview of the first 10 results:`n`n" + ($preview -join "`n") + "`n`nPlease run the test with the following commands to get the full details:`n`nGet-SPOSite -Limit All | Where-Object { `$.DenyAddAndCustomizePages -ne 'Enabled' } | Select-Object Title, Url" $details = "The output is too large. Here is a preview of the first 10 results:`n`n" + ($preview -join "`n") + "`n`nPlease run the test with the following commands to get the full details:`n`nGet-SPOSite -Limit All | Where-Object { `$.DenyAddAndCustomizePages -ne 'Enabled' } | Select-Object Title, Url"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum