vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add: Get-CISSpoOutput function and updated respective tests

Browse Source
This commit is contained in:
DrIOS
2024-06-23 16:06:31 -05:00
parent 4dd65a0140
commit bad103f0cf
16 changed files with 218 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
source/Private/Get-CISSpoOutput.ps1 Normal file
View File

@@ -0,0 +1,120 @@
<#
.SYNOPSIS
This is a sample Private function only visible within the module.
.DESCRIPTION
This sample function is not exported to the module and only return the data passed as parameter.
.EXAMPLE
$null = Get-CISSpoOutput -PrivateData 'NOTHING TO SEE HERE'
.PARAMETER PrivateData
The PrivateData parameter is what will be returned without transformation.
#>
function Get-CISSpoOutput {
[cmdletBinding()]
[OutputType([string])]
param(
[Parameter(Mandatory = $true)]
[String]
$Rec
)
begin {
# Begin Block #
<#
# Tests
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.2.7
7.2.9
7.2.10
7.3.1
7.3.2
7.3.4
# Test number array
$testNumbers = @('7.2.1', '7.2.2', '7.2.3', '7.2.4', '7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.2.10', '7.3.1', '7.3.2', '7.3.4')
#>
}
process {
switch ($Rec) {
'7.2.1' {
# Test-ModernAuthSharePoint.ps1
$SPOTenant = Get-SPOTenant | Select-Object -Property LegacyAuthProtocolsEnabled
return $SPOTenant
}
'7.2.2' {
# Test-SharePointAADB2B.ps1
# 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
$SPOTenantAzureADB2B = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration
return $SPOTenantAzureADB2B
}
'7.2.3' {
# Test-RestrictExternalSharing.ps1
# 7.2.3 (L1) Ensure external content sharing is restricted
# Retrieve the SharingCapability setting for the SharePoint tenant
$SPOTenantSharingCapability = Get-SPOTenant | Select-Object SharingCapability
return $SPOTenantSharingCapability
}
'7.2.4' {
# Test-OneDriveContentRestrictions.ps1
$SPOTenant = Get-SPOTenant | Select-Object OneDriveSharingCapability
return $SPOTenant
}
'7.2.5' {
# Test-SharePointGuestsItemSharing.ps1
# 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
$SPOTenant = Get-SPOTenant | Select-Object PreventExternalUsersFromResharing
return $SPOTenant
}
'7.2.6' {
# Test-SharePointExternalSharingDomains.ps1
# 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
$SPOTenant = Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList
return $SPOTenant
}
'7.2.7' {
# Test-LinkSharingRestrictions.ps1
# Retrieve link sharing configuration for SharePoint and OneDrive
$SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType
return $SPOTenantLinkSharing
}
'7.2.9' {
# Test-GuestAccessExpiration.ps1
# Retrieve SharePoint tenant settings related to guest access expiration
$SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays
return $SPOTenantGuestAccess
}
'7.2.10' {
# Test-ReauthWithCode.ps1
# 7.2.10 (L1) Ensure reauthentication with verification code is restricted
# Retrieve reauthentication settings for SharePoint Online
$SPOTenantReauthentication = Get-SPOTenant | Select-Object EmailAttestationRequired, EmailAttestationReAuthDays
return $SPOTenantReauthentication
}
'7.3.1' {
# Test-DisallowInfectedFilesDownload.ps1
# Retrieve the SharePoint tenant configuration
$SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload
return $SPOTenantDisallowInfectedFileDownload
}
'7.3.2' {
# Test-OneDriveSyncRestrictions.ps1
# Retrieve OneDrive sync client restriction settings
$SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList
return $SPOTenantSyncClientRestriction
}
'7.3.4' {
# Test-RestrictCustomScripts.ps1
# Retrieve all site collections and select necessary properties
$SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages
return $SPOSitesCustomScript
}
default { throw "No match found for test: $Rec" }
}
}
end {
Write-Verbose "Retuning data for Rec: $Rec"
}
} # end function Get-CISMSTeamsOutput

32
source/Private/Get-UrlLine.ps1 Normal file
View File

@@ -0,0 +1,32 @@
<#
.SYNOPSIS
This is a sample Private function only visible within the module.
.DESCRIPTION
This sample function is not exported to the module and only return the data passed as parameter.
.EXAMPLE
$null = Get-UrlLine -PrivateData 'NOTHING TO SEE HERE'
.PARAMETER PrivateData
The PrivateData parameter is what will be returned without transformation.
#>
function Get-UrlLine {
[cmdletBinding()]
[OutputType([string])]
param (
[Parameter(Mandatory=$true)]
[string]$Output
)
# Split the output into lines
$Lines = $Output -split "`n"
# Iterate over each line
foreach ($Line in $Lines) {
# If the line starts with 'https', return it
if ($Line.StartsWith('https')) {
return $Line.Trim()
}
}
# If no line starts with 'https', return an empty string
return $null
}

2
source/tests/Test-DisallowInfectedFilesDownload.ps1
View File

@@ -34,7 +34,7 @@ function Test-DisallowInfectedFilesDownload {
# - Condition C: Verification using the PowerShell command indicates that the setting is incorrectly configured. # - Condition C: Verification using the PowerShell command indicates that the setting is incorrectly configured.
# Retrieve the SharePoint tenant configuration # Retrieve the SharePoint tenant configuration
$SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload $SPOTenantDisallowInfectedFileDownload = Get-CISSpoOutput -Rec $recnum
# Condition A: The `DisallowInfectedFileDownload` setting is set to `True` # Condition A: The `DisallowInfectedFileDownload` setting is set to `True`
$isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload $isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload

2
source/tests/Test-GuestAccessExpiration.ps1
View File

@@ -34,7 +34,7 @@ function Test-GuestAccessExpiration {
# - Condition C: Verification using the SharePoint Admin Center indicates that guest access is not set to expire automatically after the specified number of days. # - Condition C: Verification using the SharePoint Admin Center indicates that guest access is not set to expire automatically after the specified number of days.
# Retrieve SharePoint tenant settings related to guest access expiration # Retrieve SharePoint tenant settings related to guest access expiration
$SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays $SPOTenantGuestAccess = Get-CISSpoOutput -Rec $recnum
$isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30 $isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance

2
source/tests/Test-LinkSharingRestrictions.ps1
View File

@@ -33,7 +33,7 @@ function Test-LinkSharingRestrictions {
# - Condition C: Verification using the UI indicates that the link sharing settings are not configured as recommended. # - Condition C: Verification using the UI indicates that the link sharing settings are not configured as recommended.
# Retrieve link sharing configuration for SharePoint and OneDrive # Retrieve link sharing configuration for SharePoint and OneDrive
$SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType $SPOTenantLinkSharing = Get-CISSpoOutput -Rec $recnum
$isLinkSharingRestricted = $SPOTenantLinkSharing.DefaultSharingLinkType -eq 'Direct' # Or 'SpecificPeople' as per the recommendation $isLinkSharingRestricted = $SPOTenantLinkSharing.DefaultSharingLinkType -eq 'Direct' # Or 'SpecificPeople' as per the recommendation
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance

2
source/tests/Test-ModernAuthSharePoint.ps1
View File

@@ -33,7 +33,7 @@ function Test-ModernAuthSharePoint {
process { process {
try { try {
# 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required # 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required
$SPOTenant = Get-SPOTenant | Select-Object -Property LegacyAuthProtocolsEnabled $SPOTenant = Get-CISSpoOutput -Rec $recnum
$modernAuthForSPRequired = -not $SPOTenant.LegacyAuthProtocolsEnabled $modernAuthForSPRequired = -not $SPOTenant.LegacyAuthProtocolsEnabled
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance

2
source/tests/Test-OneDriveContentRestrictions.ps1
View File

@@ -34,7 +34,7 @@ function Test-OneDriveContentRestrictions {
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted # 7.2.4 (L2) Ensure OneDrive content sharing is restricted
# Retrieve OneDrive sharing capability settings # Retrieve OneDrive sharing capability settings
$SPOTenant = Get-SPOTenant | Select-Object OneDriveSharingCapability $SPOTenant = Get-CISSpoOutput -Rec $recnum
$isOneDriveSharingRestricted = $SPOTenant.OneDriveSharingCapability -eq 'Disabled' $isOneDriveSharingRestricted = $SPOTenant.OneDriveSharingCapability -eq 'Disabled'
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance

2
source/tests/Test-OneDriveSyncRestrictions.ps1
View File

@@ -32,7 +32,7 @@ function Test-OneDriveSyncRestrictions {
# - Condition C: "AllowedDomainList" does not contain the trusted domain GUIDs from the on-premises environment. # - Condition C: "AllowedDomainList" does not contain the trusted domain GUIDs from the on-premises environment.
# Retrieve OneDrive sync client restriction settings # Retrieve OneDrive sync client restriction settings
$SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList $SPOTenantSyncClientRestriction = Get-CISSpoOutput -Rec $recnum
$isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList $isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList
# Condition A: Check if TenantRestrictionEnabled is True # Condition A: Check if TenantRestrictionEnabled is True

2
source/tests/Test-ReauthWithCode.ps1
View File

@@ -34,7 +34,7 @@ function Test-ReauthWithCode {
# 7.2.10 (L1) Ensure reauthentication with verification code is restricted # 7.2.10 (L1) Ensure reauthentication with verification code is restricted
# Retrieve reauthentication settings for SharePoint Online # Retrieve reauthentication settings for SharePoint Online
$SPOTenantReauthentication = Get-SPOTenant | Select-Object EmailAttestationRequired, EmailAttestationReAuthDays $SPOTenantReauthentication = Get-CISSpoOutput -Rec $recnum
$isReauthenticationRestricted = $SPOTenantReauthentication.EmailAttestationRequired -and $SPOTenantReauthentication.EmailAttestationReAuthDays -le 15 $isReauthenticationRestricted = $SPOTenantReauthentication.EmailAttestationRequired -and $SPOTenantReauthentication.EmailAttestationReAuthDays -le 15
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance

2
source/tests/Test-RestrictCustomScripts.ps1
View File

@@ -32,7 +32,7 @@ function Test-RestrictCustomScripts {
# - Condition C: Verification using the SharePoint Admin Center indicates that the `DenyAddAndCustomizePages` setting is not enforced. # - Condition C: Verification using the SharePoint Admin Center indicates that the `DenyAddAndCustomizePages` setting is not enforced.
# Retrieve all site collections and select necessary properties # Retrieve all site collections and select necessary properties
$SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages $SPOSitesCustomScript = Get-CISSpoOutput -Rec $recnum
# Process URLs to replace 'sharepoint.com' with '<SPUrl>' # Process URLs to replace 'sharepoint.com' with '<SPUrl>'
$processedUrls = $SPOSitesCustomScript | ForEach-Object { $processedUrls = $SPOSitesCustomScript | ForEach-Object {

2
source/tests/Test-RestrictExternalSharing.ps1
View File

@@ -36,7 +36,7 @@ function Test-RestrictExternalSharing {
# 7.2.3 (L1) Ensure external content sharing is restricted # 7.2.3 (L1) Ensure external content sharing is restricted
# Retrieve the SharingCapability setting for the SharePoint tenant # Retrieve the SharingCapability setting for the SharePoint tenant
$SPOTenantSharingCapability = Get-SPOTenant | Select-Object SharingCapability $SPOTenantSharingCapability = Get-CISSpoOutput -Rec $recnum
$isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled') $isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance

2
source/tests/Test-SharePointAADB2B.ps1
View File

@@ -33,7 +33,7 @@ function Test-SharePointAADB2B {
process { process {
try { try {
# 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled # 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
$SPOTenantAzureADB2B = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration $SPOTenantAzureADB2B = Get-CISSpoOutput -Rec $recnum
# Populate the auditResult object with the required properties # Populate the auditResult object with the required properties
$params = @{ $params = @{

2
source/tests/Test-SharePointExternalSharingDomains.ps1
View File

@@ -33,7 +33,7 @@ function Test-SharePointExternalSharingDomains {
process { process {
try { try {
# 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists # 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
$SPOTenant = Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList $SPOTenant = Get-CISSpoOutput -Rec $recnum
$isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList' $isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList'
# Populate the auditResult object with the required properties # Populate the auditResult object with the required properties

2
source/tests/Test-SharePointGuestsItemSharing.ps1
View File

@@ -33,7 +33,7 @@ function Test-SharePointGuestsItemSharing {
process { process {
try { try {
# 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own # 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
$SPOTenant = Get-SPOTenant | Select-Object PreventExternalUsersFromResharing $SPOTenant = Get-CISSpoOutput -Rec $recnum
$isGuestResharingPrevented = $SPOTenant.PreventExternalUsersFromResharing $isGuestResharingPrevented = $SPOTenant.PreventExternalUsersFromResharing
# Populate the auditResult object with the required properties # Populate the auditResult object with the required properties

27
tests/Unit/Private/Get-CISSpoOutput.tests.ps1 Normal file
View File

@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}

27
tests/Unit/Private/Get-UrlLine.tests.ps1 Normal file
View File

@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}