From 5ef32eb4b8249027f9048fd79cc3934de74cab49 Mon Sep 17 00:00:00 2001 From: DrIOS <58635327+DrIOSX@users.noreply.github.com> Date: Tue, 2 Jul 2024 09:00:54 -0500 Subject: [PATCH] fix: up to 7.2.6 SPO formatting and output --- source/Private/Get-CISSpoOutput.ps1 | 31 +++++++++++++++++++ source/tests/Test-ModernAuthSharePoint.ps1 | 17 +++++----- .../Test-OneDriveContentRestrictions.ps1 | 18 +++++------ source/tests/Test-RestrictExternalSharing.ps1 | 21 ++++++------- source/tests/Test-SharePointAADB2B.ps1 | 15 ++++----- .../Test-SharePointExternalSharingDomains.ps1 | 14 +++++---- .../Test-SharePointGuestsItemSharing.ps1 | 15 ++++----- 7 files changed, 82 insertions(+), 49 deletions(-) diff --git a/source/Private/Get-CISSpoOutput.ps1 b/source/Private/Get-CISSpoOutput.ps1 index 06c56a4..cd94403 100644 --- a/source/Private/Get-CISSpoOutput.ps1 +++ b/source/Private/Get-CISSpoOutput.ps1 @@ -40,12 +40,24 @@ function Get-CISSpoOutput { switch ($Rec) { '7.2.1' { # Test-ModernAuthSharePoint.ps1 + # $SPOTenant Mock Object + <# + $SPOTenant = [PSCustomObject]@{ + LegacyAuthProtocolsEnabled = $true + } + #> $SPOTenant = Get-SPOTenant | Select-Object -Property LegacyAuthProtocolsEnabled return $SPOTenant } '7.2.2' { # Test-SharePointAADB2B.ps1 # 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled + # $SPOTenantAzureADB2B Mock Object + <# + $SPOTenantAzureADB2B = [PSCustomObject]@{ + EnableAzureADB2BIntegration = $false + } + #> $SPOTenantAzureADB2B = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration return $SPOTenantAzureADB2B } 
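Review bot: The commented-out `$SPOTenant = [PSCustomObject]@{ … }` mock blocks added in front of the live `Get-SPOTenant | Select-Object` calls in the '7.2.1' and '7.2.2' arms are executable fixture code parked in the production path, and the same pattern is repeated in the next hunk of this file and in the process blocks of every Test-*.ps1 touched by this patch. Un-commenting one of them during a debugging session silently replaces real tenant data with a constant, and nothing in the audit result would show that the value came from a fixture rather than the tenant. If the project's tests use Pester, I'd move the fixtures there (`Mock Get-SPOTenant { [PSCustomObject]@{ LegacyAuthProtocolsEnabled = $true } }`) and leave only a pointer here, e.g. `# Fixture shapes for these records live with the tests for Get-CISSpoOutput`. Get-CISSpoOutput's switch continues outside this hunk.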
@@ -53,17 +65,36 @@ function Get-CISSpoOutput { # Test-RestrictExternalSharing.ps1 # 7.2.3 (L1) Ensure external content sharing is restricted # Retrieve the SharingCapability setting for the SharePoint tenant + # $SPOTenantSharingCapability Mock Object + <# + $SPOTenantSharingCapability = [PSCustomObject]@{ + SharingCapability = "ExternalUserAndGuestSharing" + } + #> $SPOTenantSharingCapability = Get-SPOTenant | Select-Object SharingCapability return $SPOTenantSharingCapability } '7.2.4' { # Test-OneDriveContentRestrictions.ps1 + # 7.2.4 (L2) Ensure OneDrive content sharing is restricted + # $SPOTenant Mock Object + <# + $SPOTenant = [PSCustomObject]@{ + OneDriveSharingCapability = "ExternalUserAndGuestSharing" + } + #> $SPOTenant = Get-SPOTenant | Select-Object OneDriveSharingCapability return $SPOTenant } '7.2.5' { # Test-SharePointGuestsItemSharing.ps1 # 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own + # $SPOTenant Mock Object + <# + $SPOTenant = [PSCustomObject]@{ + PreventExternalUsersFromResharing = $false + } + #> $SPOTenant = Get-SPOTenant | Select-Object PreventExternalUsersFromResharing return $SPOTenant } diff --git a/source/tests/Test-ModernAuthSharePoint.ps1 b/source/tests/Test-ModernAuthSharePoint.ps1 index 64e2598..15fbb81 100644 --- a/source/tests/Test-ModernAuthSharePoint.ps1 +++ b/source/tests/Test-ModernAuthSharePoint.ps1 
@@ -12,16 +12,14 @@ function Test-ModernAuthSharePoint { # Initialization code, if needed $recnum = "7.2.1" - + Write-Verbose "Running Test-ModernAuthSharePoint for $recnum..." <# # Conditions for 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required - ## Validate test for a pass: # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. # - Specific conditions to check: # - Condition A: The setting "Apps that don't use modern authentication" is set to "Block access" in the SharePoint admin center. # - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `False`. - ## Validate test for a fail: # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. # - Specific conditions to check: @@ -29,23 +27,25 @@ function Test-ModernAuthSharePoint { # - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `True`. #> } - process { try { # 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required + # $SPOTenant Mock Object + <# + $SPOTenant = [PSCustomObject]@{ + LegacyAuthProtocolsEnabled = $true + } + #> $SPOTenant = Get-CISSpoOutput -Rec $recnum $modernAuthForSPRequired = -not $SPOTenant.LegacyAuthProtocolsEnabled - # Prepare failure reasons and details based on compliance $failureReasons = if (-not $modernAuthForSPRequired) { - "Legacy authentication protocols are enabled" # Fail Condition B + "Legacy authentication protocols are enabled. The following command can be used to disable:`nSet-SPOTenant -LegacyAuthProtocolsEnabled `$false" # Fail Condition B } else { "N/A" } - $details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" # Details for Condition B - # Create and populate the CISAuditResult object $params = @{ Rec = $recnum 
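Review bot: The new FailureReason for 7.2.1 only surfaces when `$modernAuthForSPRequired` is false, and that flag comes from the context line `$modernAuthForSPRequired = -not $SPOTenant.LegacyAuthProtocolsEnabled`, which evaluates to `$true` (Pass) when the property is `$null`, for example if `Get-CISSpoOutput` returns an object without that member; the commit leaves this fail-open path in place. An audit control should not report compliance on missing data, so I'd compare explicitly: `$modernAuthForSPRequired = $SPOTenant.LegacyAuthProtocolsEnabled -eq $false`, which is false for `$null` and routes the null case to the new failure message. Whether `Get-CISSpoOutput` can actually return such an object depends on code outside this hunk, so confirm before changing. The process block continues past the end of the hunk.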
@@ -61,7 +61,6 @@ function Test-ModernAuthSharePoint { $auditResult = Get-TestError -LastError $LastError -recnum $recnum } } - end { # Return the audit result return $auditResult diff --git a/source/tests/Test-OneDriveContentRestrictions.ps1 b/source/tests/Test-OneDriveContentRestrictions.ps1 index 44b9d7f..d97da01 100644 --- a/source/tests/Test-OneDriveContentRestrictions.ps1 +++ b/source/tests/Test-OneDriveContentRestrictions.ps1 @@ -5,7 +5,6 @@ function Test-OneDriveContentRestrictions { # Aligned # Define your parameters here ) - begin { # 7.2.4 (L2) Ensure OneDrive content sharing is restricted # 
@@ -22,36 +21,38 @@ function Test-OneDriveContentRestrictions { # - Condition A: The OneDriveSharingCapability setting is not configured to "Disabled" using the PowerShell cmdlet `Get-SPOTenant | fl OneDriveSharingCapability`. # - Condition B: The OneDriveSharingCapability is not set to "Only people in your organization" in the SharePoint admin center under Policies > Sharing > OneDrive. # - Condition C: OneDrive content sharing is more permissive than SharePoint content sharing. - # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed $recnum = "7.2.4" + Write-Verbose "Running Test-OneDriveContentRestrictions for $recnum..." } - process { try { # 7.2.4 (L2) Ensure OneDrive content sharing is restricted - # Retrieve OneDrive sharing capability settings + # $SPOTenant Mock Object + <# + $SPOTenant = [PSCustomObject]@{ + OneDriveSharingCapability = "ExternalUserAndGuestSharing" + } + #> $SPOTenant = Get-CISSpoOutput -Rec $recnum $isOneDriveSharingRestricted = $SPOTenant.OneDriveSharingCapability -eq 'Disabled' - # Prepare failure reasons and details based on compliance $failureReasons = if (-not $isOneDriveSharingRestricted) { - "OneDrive content sharing is not restricted to 'Disabled'. Current setting: $($SPOTenant.OneDriveSharingCapability)" + "OneDrive content sharing is not restricted to 'Disabled'. To remediate this setting, use the Set-SPOTenant command.`n`n" + ` + "Set-SPOTenant -OneDriveSharingCapability Disabled" } else { "N/A" } - $details = if ($isOneDriveSharingRestricted) { "OneDrive content sharing is restricted." } else { "OneDriveSharingCapability: $($SPOTenant.OneDriveSharingCapability)" } - # Create and populate the CISAuditResult object $params = @{ Rec = $recnum @@ -67,7 +68,6 @@ function Test-OneDriveContentRestrictions { $auditResult = Get-TestError -LastError $LastError -recnum $recnum } } - end { # Return auditResult return $auditResult 
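Review bot: The rewritten FailureReason for 7.2.4 drops the `Current setting: $($SPOTenant.OneDriveSharingCapability)` text that the removed line carried, so the failure reason alone no longer tells the reader which value caused the fail, only the remediation command; Details still holds it, but the two fields may be read separately in reports. I'd keep the value, e.g. `"OneDrive content sharing is not restricted to 'Disabled'. Current setting: $($SPOTenant.OneDriveSharingCapability).`n`nTo remediate this setting, run: Set-SPOTenant -OneDriveSharingCapability Disabled"`. As a style point, assembling the string with `+ `` ` line continuations breaks on any trailing whitespace after the backtick; a single literal or a here-string avoids that. The try block continues outside the hunk.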
diff --git a/source/tests/Test-RestrictExternalSharing.ps1 b/source/tests/Test-RestrictExternalSharing.ps1 index d508445..a84a53e 100644 --- a/source/tests/Test-RestrictExternalSharing.ps1 +++ b/source/tests/Test-RestrictExternalSharing.ps1 @@ -5,18 +5,15 @@ function Test-RestrictExternalSharing { # Aligned # Define your parameters here ) - begin { <# Conditions for 7.2.3 (L1) Ensure external content sharing is restricted - Validate test for a pass: - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. - Specific conditions to check: - Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center. - Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled". - Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings. - Validate test for a fail: - Confirm that the failure conditions in the automated test are consistent with the manual audit results. - Specific conditions to check: 
@@ -24,34 +21,37 @@ function Test-RestrictExternalSharing { - Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "Anyone" or "ExternalUserAndGuestSharing". - Condition C: The external sharing settings in SharePoint Online and OneDrive are set to a more permissive level than the organization’s sharing settings. #> - # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed $recnum = "7.2.3" + Write-Verbose "Running Test-RestrictExternalSharing for $recnum..." } - process { try { # 7.2.3 (L1) Ensure external content sharing is restricted - # Retrieve the SharingCapability setting for the SharePoint tenant + <# + $SPOTenantSharingCapability = [PSCustomObject]@{ + SharingCapability = "ExternalUserAndGuestSharing" + } + #> $SPOTenantSharingCapability = Get-CISSpoOutput -Rec $recnum $isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled') - # Prepare failure reasons and details based on compliance # Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled". $failureReasons = if (-not $isRestricted) { - "External content sharing is not adequately restricted. Current setting: $($SPOTenantSharingCapability.SharingCapability)" + "External content sharing is not adequately restricted. 
Current setting: $($SPOTenantSharingCapability.SharingCapability)`n" + ` + "The acceptable values for SharingCapability are: 'ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', or 'Disabled'.`n" + ` + "To remediate this setting, use the Set-SPOTenant cmdlet to set the SharingCapability property to an acceptable value:`n`n" + ` + "Set-SPOTenant -SharingCapability " } else { "N/A" } - # Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center. # Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings. $details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)" - # Create and populate the CISAuditResult object $params = @{ Rec = $recnum @@ -67,7 +67,6 @@ function Test-RestrictExternalSharing { $auditResult = Get-TestError -LastError $LastError -recnum $recnum } } - end { # Return auditResult return $auditResult diff --git a/source/tests/Test-SharePointAADB2B.ps1 b/source/tests/Test-SharePointAADB2B.ps1 index afbc0d9..f39e445 100644 --- a/source/tests/Test-SharePointAADB2B.ps1 +++ b/source/tests/Test-SharePointAADB2B.ps1 @@ -5,7 +5,6 @@ function Test-SharePointAADB2B { # Aligned # Define your parameters here ) - begin { # Conditions for 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled # 
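Review bot: The remediation line added for 7.2.3 ends with `"Set-SPOTenant -SharingCapability "` — the command is left without a value, so the text an operator is told to run is incomplete. Since the message already lists the acceptable values, I'd complete it with one of them, e.g. `"Set-SPOTenant -SharingCapability ExternalUserSharingOnly"`, or state that one of the listed values must be supplied. The first line of the new string also appears to break between `restricted. ` and `Current setting:`; if that is a real line break inside the literal rather than an artifact of how the patch was rendered, it embeds a raw newline where the rest of the message uses `n. Unlike the other tests in this patch, this hunk removes the `# Retrieve the SharingCapability setting …` comment without adding the `# … Mock Object` heading above the fixture. The process block continues outside the hunk.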
@@ -22,26 +21,29 @@ function Test-SharePointAADB2B { # - Condition A: The `EnableAzureADB2BIntegration` property is set to `False` for the SharePoint tenant. # - Condition B: The integration between SharePoint, OneDrive, and Azure AD B2B is not active. # - Condition C: Guest accounts are not managed in Azure AD and are not subject to access policies. - # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed - $recnum = "7.2.2" + Write-Verbose "Running Test-SharePointAADB2B for $recnum..." } - process { try { # 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled + # $SPOTenantAzureADB2B Mock Object + <# + $SPOTenantAzureADB2B = [PSCustomObject]@{ + EnableAzureADB2BIntegration = $false + } + #> $SPOTenantAzureADB2B = Get-CISSpoOutput -Rec $recnum - # Populate the auditResult object with the required properties $params = @{ Rec = $recnum Result = $SPOTenantAzureADB2B.EnableAzureADB2BIntegration Status = if ($SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Pass" } else { "Fail" } Details = "EnableAzureADB2BIntegration: $($SPOTenantAzureADB2B.EnableAzureADB2BIntegration)" - FailureReason = if (-not $SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Azure AD B2B integration is not enabled" } else { "N/A" } + FailureReason = if (-not $SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Azure AD B2B integration is not enabled. The following command can be used to enable:`nSet-SPOTenant -EnableAzureADB2BIntegration `$true" } else { "N/A" } } $auditResult = Initialize-CISAuditResult @params } @@ -50,7 +52,6 @@ function Test-SharePointAADB2B { $auditResult = Get-TestError -LastError $LastError -recnum $recnum } } - end { # Return auditResult return $auditResult diff --git a/source/tests/Test-SharePointExternalSharingDomains.ps1 b/source/tests/Test-SharePointExternalSharingDomains.ps1 index 246c41c..1d26a5b 100644 --- a/source/tests/Test-SharePointExternalSharingDomains.ps1 
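Review bot: The remediation text for 7.2.2 is placed inline in the `FailureReason = if (…) { … }` hashtable entry, whereas 7.2.1, 7.2.3 and 7.2.4 in this patch compute a `$failureReasons` variable first, and the wording differs per file ("The following command can be used to enable:" here, "To remediate this setting, use the Set-SPOTenant command." in 7.2.4). A small shared helper taking the record, the observed value and the Set-SPOTenant parameter would keep these messages uniform and easier to test. Not a blocker: the pass/fail logic is unchanged, and the context lines already resolve a `$null` property to "Fail" here.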
+++ b/source/tests/Test-SharePointExternalSharingDomains.ps1 @@ -5,14 +5,12 @@ function Test-SharePointExternalSharingDomains { # Aligned # Define your parameters here ) - begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 - # Initialization code, if needed $recnum = "7.2.6" - + Write-Verbose "Running Test-SharePointExternalSharingDomains for $recnum..." # Conditions for 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists # # Validate test for a pass: @@ -29,13 +27,18 @@ function Test-SharePointExternalSharingDomains { # - Condition B: The "SharingDomainRestrictionMode" is not set to "AllowList" using PowerShell. # - Condition C: The "SharingAllowedDomainList" does not contain the domains trusted by the organization for external sharing. } - process { try { # 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists $SPOTenant = Get-CISSpoOutput -Rec $recnum + # $SPOTenant Mock Object + <# + $SPOTenant = [PSCustomObject]@{ + SharingDomainRestrictionMode = "AllowList" + SharingAllowedDomainList = "domain1.com", "domain2.com" + } + #> $isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList' - # Populate the auditResult object with the required properties $params = @{ Rec = $recnum @@ -51,7 +54,6 @@ function Test-SharePointExternalSharingDomains { $auditResult = Get-TestError -LastError $LastError -recnum $recnum } } - end { # Return auditResult return $auditResult diff --git a/source/tests/Test-SharePointGuestsItemSharing.ps1 b/source/tests/Test-SharePointGuestsItemSharing.ps1 index 58c834f..f11fc4a 100644 --- a/source/tests/Test-SharePointGuestsItemSharing.ps1 +++ b/source/tests/Test-SharePointGuestsItemSharing.ps1 
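Review bot: In 7.2.6 the mock comment block is inserted after `$SPOTenant = Get-CISSpoOutput -Rec $recnum`, while every other test in this patch places it before the call it stands in for; moving it above the call keeps the pattern consistent and makes it clear what the fixture replaces. The fixture also carries `SharingAllowedDomainList`, and the begin-block comments describe Condition C on that list, but the only evaluation visible on the new side is the context line `$isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList'`; if Condition C is meant to be automated, the list contents are not checked anywhere in this hunk. The process block continues outside the hunk.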
@@ -5,14 +5,12 @@ function Test-SharePointGuestsItemSharing { # Aligned # Define your parameters here ) - begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed - $recnum = "7.2.5" - + Write-Verbose "Running Test-SharePointGuestsItemSharing for $recnum..." # Conditions for 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own # # Validate test for a pass: @@ -29,20 +27,24 @@ function Test-SharePointGuestsItemSharing { # - Condition B: The SharePoint admin center setting "Allow guests to share items they don't own" is checked. # - Condition C: Ensure that external users can re-share items they don't own. } - process { try { # 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own + # $SPOTenant Mock Object + <# + $SPOTenant = [PSCustomObject]@{ + PreventExternalUsersFromResharing = $false + } + #> $SPOTenant = Get-CISSpoOutput -Rec $recnum $isGuestResharingPrevented = $SPOTenant.PreventExternalUsersFromResharing - # Populate the auditResult object with the required properties $params = @{ Rec = $recnum Result = $isGuestResharingPrevented Status = if ($isGuestResharingPrevented) { "Pass" } else { "Fail" } Details = "PreventExternalUsersFromResharing: $isGuestResharingPrevented" - FailureReason = if (-not $isGuestResharingPrevented) { "Guest users can reshare items they don't own." } else { "N/A" } + FailureReason = if (-not $isGuestResharingPrevented) { "Guest users can reshare items they don't own. To prevent external users from resharing content they don't own,`nuse the following command:`nSet-SPOTenant -PreventExternalUsersFromResharing `$True" } else { "N/A" } } $auditResult = Initialize-CISAuditResult @params } @@ -51,7 +53,6 @@ function Test-SharePointGuestsItemSharing { $auditResult = Get-TestError -LastError $LastError -recnum $recnum } } - end { # Return auditResult return $auditResult