fix: up to 7.2.6 SPO formatting and output
This commit is contained in:
DrIOS
@@ -40,12 +40,24 @@ function Get-CISSpoOutput {
|
||||
switch ($Rec) {
|
||||
'7.2.1' {
|
||||
# Test-ModernAuthSharePoint.ps1
|
||||
# $SPOTenant Mock Object
|
||||
<#
|
||||
$SPOTenant = [PSCustomObject]@{
|
||||
LegacyAuthProtocolsEnabled = $true
|
||||
}
|
||||
#>
|
||||
$SPOTenant = Get-SPOTenant | Select-Object -Property LegacyAuthProtocolsEnabled
|
||||
return $SPOTenant
|
||||
}
|
||||
'7.2.2' {
|
||||
# Test-SharePointAADB2B.ps1
|
||||
# 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
|
||||
# $SPOTenantAzureADB2B Mock Object
|
||||
<#
|
||||
$SPOTenantAzureADB2B = [PSCustomObject]@{
|
||||
EnableAzureADB2BIntegration = $false
|
||||
}
|
||||
#>
|
||||
$SPOTenantAzureADB2B = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration
|
||||
return $SPOTenantAzureADB2B
|
||||
}
|
||||
@@ -53,17 +65,36 @@ function Get-CISSpoOutput {
|
||||
# Test-RestrictExternalSharing.ps1
|
||||
# 7.2.3 (L1) Ensure external content sharing is restricted
|
||||
# Retrieve the SharingCapability setting for the SharePoint tenant
|
||||
# $SPOTenantSharingCapability Mock Object
|
||||
<#
|
||||
$SPOTenantSharingCapability = [PSCustomObject]@{
|
||||
SharingCapability = "ExternalUserAndGuestSharing"
|
||||
}
|
||||
#>
|
||||
$SPOTenantSharingCapability = Get-SPOTenant | Select-Object SharingCapability
|
||||
return $SPOTenantSharingCapability
|
||||
}
|
||||
'7.2.4' {
|
||||
# Test-OneDriveContentRestrictions.ps1
|
||||
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted
|
||||
# $SPOTenant Mock Object
|
||||
<#
|
||||
$SPOTenant = [PSCustomObject]@{
|
||||
OneDriveSharingCapability = "ExternalUserAndGuestSharing"
|
||||
}
|
||||
#>
|
||||
$SPOTenant = Get-SPOTenant | Select-Object OneDriveSharingCapability
|
||||
return $SPOTenant
|
||||
}
|
||||
'7.2.5' {
|
||||
# Test-SharePointGuestsItemSharing.ps1
|
||||
# 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
|
||||
# $SPOTenant Mock Object
|
||||
<#
|
||||
$SPOTenant = [PSCustomObject]@{
|
||||
PreventExternalUsersFromResharing = $false
|
||||
}
|
||||
#>
|
||||
$SPOTenant = Get-SPOTenant | Select-Object PreventExternalUsersFromResharing
|
||||
return $SPOTenant
|
||||
}
|
||||
|
||||
@@ -12,16 +12,14 @@ function Test-ModernAuthSharePoint {
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "7.2.1"
|
||||
|
||||
Write-Verbose "Running Test-ModernAuthSharePoint for $recnum..."
|
||||
<#
|
||||
# Conditions for 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required
|
||||
|
||||
## Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The setting "Apps that don't use modern authentication" is set to "Block access" in the SharePoint admin center.
|
||||
# - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `False`.
|
||||
|
||||
## Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
@@ -29,23 +27,25 @@ function Test-ModernAuthSharePoint {
|
||||
# - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `True`.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required
|
||||
# $SPOTenant Mock Object
|
||||
<#
|
||||
$SPOTenant = [PSCustomObject]@{
|
||||
LegacyAuthProtocolsEnabled = $true
|
||||
}
|
||||
#>
|
||||
$SPOTenant = Get-CISSpoOutput -Rec $recnum
|
||||
$modernAuthForSPRequired = -not $SPOTenant.LegacyAuthProtocolsEnabled
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $modernAuthForSPRequired) {
|
||||
"Legacy authentication protocols are enabled" # Fail Condition B
|
||||
"Legacy authentication protocols are enabled. The following command can be used to disable:`nSet-SPOTenant -LegacyAuthProtocolsEnabled `$false" # Fail Condition B
|
||||
}
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
$details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" # Details for Condition B
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -61,7 +61,6 @@ function Test-ModernAuthSharePoint {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return the audit result
|
||||
return $auditResult
|
||||
|
||||
@@ -5,7 +5,6 @@ function Test-OneDriveContentRestrictions {
|
||||
# Aligned
|
||||
# Define your parameters here
|
||||
)
|
||||
|
||||
begin {
|
||||
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted
|
||||
#
|
||||
@@ -22,36 +21,38 @@ function Test-OneDriveContentRestrictions {
|
||||
# - Condition A: The OneDriveSharingCapability setting is not configured to "Disabled" using the PowerShell cmdlet `Get-SPOTenant | fl OneDriveSharingCapability`.
|
||||
# - Condition B: The OneDriveSharingCapability is not set to "Only people in your organization" in the SharePoint admin center under Policies > Sharing > OneDrive.
|
||||
# - Condition C: OneDrive content sharing is more permissive than SharePoint content sharing.
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
$recnum = "7.2.4"
|
||||
Write-Verbose "Running Test-OneDriveContentRestrictions for $recnum..."
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted
|
||||
|
||||
# Retrieve OneDrive sharing capability settings
|
||||
# $SPOTenant Mock Object
|
||||
<#
|
||||
$SPOTenant = [PSCustomObject]@{
|
||||
OneDriveSharingCapability = "ExternalUserAndGuestSharing"
|
||||
}
|
||||
#>
|
||||
$SPOTenant = Get-CISSpoOutput -Rec $recnum
|
||||
$isOneDriveSharingRestricted = $SPOTenant.OneDriveSharingCapability -eq 'Disabled'
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $isOneDriveSharingRestricted) {
|
||||
"OneDrive content sharing is not restricted to 'Disabled'. Current setting: $($SPOTenant.OneDriveSharingCapability)"
|
||||
"OneDrive content sharing is not restricted to 'Disabled'. To remediate this setting, use the Set-SPOTenant command.`n`n" + `
|
||||
"Set-SPOTenant -OneDriveSharingCapability Disabled"
|
||||
}
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
$details = if ($isOneDriveSharingRestricted) {
|
||||
"OneDrive content sharing is restricted."
|
||||
}
|
||||
else {
|
||||
"OneDriveSharingCapability: $($SPOTenant.OneDriveSharingCapability)"
|
||||
}
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -67,7 +68,6 @@ function Test-OneDriveContentRestrictions {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return auditResult
|
||||
return $auditResult
|
||||
|
||||
@@ -5,18 +5,15 @@ function Test-RestrictExternalSharing {
|
||||
# Aligned
|
||||
# Define your parameters here
|
||||
)
|
||||
|
||||
begin {
|
||||
<#
|
||||
Conditions for 7.2.3 (L1) Ensure external content sharing is restricted
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
|
||||
- Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
|
||||
- Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
@@ -24,34 +21,37 @@ function Test-RestrictExternalSharing {
|
||||
- Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "Anyone" or "ExternalUserAndGuestSharing".
|
||||
- Condition C: The external sharing settings in SharePoint Online and OneDrive are set to a more permissive level than the organization’s sharing settings.
|
||||
#>
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
$recnum = "7.2.3"
|
||||
Write-Verbose "Running Test-RestrictExternalSharing for $recnum..."
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 7.2.3 (L1) Ensure external content sharing is restricted
|
||||
|
||||
# Retrieve the SharingCapability setting for the SharePoint tenant
|
||||
<#
|
||||
$SPOTenantSharingCapability = [PSCustomObject]@{
|
||||
SharingCapability = "ExternalUserAndGuestSharing"
|
||||
}
|
||||
#>
|
||||
$SPOTenantSharingCapability = Get-CISSpoOutput -Rec $recnum
|
||||
$isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
# Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
|
||||
$failureReasons = if (-not $isRestricted) {
|
||||
"External content sharing is not adequately restricted. Current setting: $($SPOTenantSharingCapability.SharingCapability)"
|
||||
"External content sharing is not adequately restricted. Current setting: $($SPOTenantSharingCapability.SharingCapability)`n" + `
|
||||
"The acceptable values for SharingCapability are: 'ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', or 'Disabled'.`n" + `
|
||||
"To remediate this setting, use the Set-SPOTenant cmdlet to set the SharingCapability property to an acceptable value:`n`n" + `
|
||||
"Set-SPOTenant -SharingCapability <acceptable value from above>"
|
||||
}
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
# Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
|
||||
# Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
|
||||
$details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)"
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -67,7 +67,6 @@ function Test-RestrictExternalSharing {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return auditResult
|
||||
return $auditResult
|
||||
|
||||
@@ -5,7 +5,6 @@ function Test-SharePointAADB2B {
|
||||
# Aligned
|
||||
# Define your parameters here
|
||||
)
|
||||
|
||||
begin {
|
||||
# Conditions for 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
|
||||
#
|
||||
@@ -22,26 +21,29 @@ function Test-SharePointAADB2B {
|
||||
# - Condition A: The `EnableAzureADB2BIntegration` property is set to `False` for the SharePoint tenant.
|
||||
# - Condition B: The integration between SharePoint, OneDrive, and Azure AD B2B is not active.
|
||||
# - Condition C: Guest accounts are not managed in Azure AD and are not subject to access policies.
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
$recnum = "7.2.2"
|
||||
Write-Verbose "Running Test-SharePointAADB2B for $recnum..."
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
|
||||
# $SPOTenantAzureADB2B Mock Object
|
||||
<#
|
||||
$SPOTenantAzureADB2B = [PSCustomObject]@{
|
||||
EnableAzureADB2BIntegration = $false
|
||||
}
|
||||
#>
|
||||
$SPOTenantAzureADB2B = Get-CISSpoOutput -Rec $recnum
|
||||
|
||||
# Populate the auditResult object with the required properties
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $SPOTenantAzureADB2B.EnableAzureADB2BIntegration
|
||||
Status = if ($SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Pass" } else { "Fail" }
|
||||
Details = "EnableAzureADB2BIntegration: $($SPOTenantAzureADB2B.EnableAzureADB2BIntegration)"
|
||||
FailureReason = if (-not $SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Azure AD B2B integration is not enabled" } else { "N/A" }
|
||||
FailureReason = if (-not $SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Azure AD B2B integration is not enabled. The following command can be used to enable:`nSet-SPOTenant -EnableAzureADB2BIntegration `$true" } else { "N/A" }
|
||||
}
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
@@ -50,7 +52,6 @@ function Test-SharePointAADB2B {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return auditResult
|
||||
return $auditResult
|
||||
|
||||
@@ -5,14 +5,12 @@ function Test-SharePointExternalSharingDomains {
|
||||
# Aligned
|
||||
# Define your parameters here
|
||||
)
|
||||
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "7.2.6"
|
||||
|
||||
Write-Verbose "Running Test-SharePointExternalSharingDomains for $recnum..."
|
||||
# Conditions for 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
|
||||
#
|
||||
# Validate test for a pass:
|
||||
@@ -29,13 +27,18 @@ function Test-SharePointExternalSharingDomains {
|
||||
# - Condition B: The "SharingDomainRestrictionMode" is not set to "AllowList" using PowerShell.
|
||||
# - Condition C: The "SharingAllowedDomainList" does not contain the domains trusted by the organization for external sharing.
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
|
||||
$SPOTenant = Get-CISSpoOutput -Rec $recnum
|
||||
# $SPOTenant Mock Object
|
||||
<#
|
||||
$SPOTenant = [PSCustomObject]@{
|
||||
SharingDomainRestrictionMode = "AllowList"
|
||||
SharingAllowedDomainList = "domain1.com", "domain2.com"
|
||||
}
|
||||
#>
|
||||
$isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList'
|
||||
|
||||
# Populate the auditResult object with the required properties
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -51,7 +54,6 @@ function Test-SharePointExternalSharingDomains {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return auditResult
|
||||
return $auditResult
|
||||
|
||||
@@ -5,14 +5,12 @@ function Test-SharePointGuestsItemSharing {
|
||||
# Aligned
|
||||
# Define your parameters here
|
||||
)
|
||||
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
$recnum = "7.2.5"
|
||||
|
||||
Write-Verbose "Running Test-SharePointGuestsItemSharing for $recnum..."
|
||||
# Conditions for 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
|
||||
#
|
||||
# Validate test for a pass:
|
||||
@@ -29,20 +27,24 @@ function Test-SharePointGuestsItemSharing {
|
||||
# - Condition B: The SharePoint admin center setting "Allow guests to share items they don't own" is checked.
|
||||
# - Condition C: Ensure that external users can re-share items they don't own.
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
|
||||
# $SPOTenant Mock Object
|
||||
<#
|
||||
$SPOTenant = [PSCustomObject]@{
|
||||
PreventExternalUsersFromResharing = $false
|
||||
}
|
||||
#>
|
||||
$SPOTenant = Get-CISSpoOutput -Rec $recnum
|
||||
$isGuestResharingPrevented = $SPOTenant.PreventExternalUsersFromResharing
|
||||
|
||||
# Populate the auditResult object with the required properties
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $isGuestResharingPrevented
|
||||
Status = if ($isGuestResharingPrevented) { "Pass" } else { "Fail" }
|
||||
Details = "PreventExternalUsersFromResharing: $isGuestResharingPrevented"
|
||||
FailureReason = if (-not $isGuestResharingPrevented) { "Guest users can reshare items they don't own." } else { "N/A" }
|
||||
FailureReason = if (-not $isGuestResharingPrevented) { "Guest users can reshare items they don't own. To prevent external users from resharing content they don't own,`nuse the following command:`nSet-SPOTenant -PreventExternalUsersFromResharing `$True" } else { "N/A" }
|
||||
}
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
@@ -51,7 +53,6 @@ function Test-SharePointGuestsItemSharing {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return auditResult
|
||||
return $auditResult
|
||||
|
||||
Reference in New Issue
Block a user