From c7cdaa4bf6f17401dbfd38f0181ab3e9f3e7c552 Mon Sep 17 00:00:00 2001 From: DrIOS <58635327+DrIOSX@users.noreply.github.com> Date: Tue, 28 May 2024 13:24:10 -0500 Subject: [PATCH] fix: 7.3.4 aligned with test-template --- source/tests/Test-RestrictCustomScripts.ps1 | 66 ++++++++++----------- 1 file changed, 32 insertions(+), 34 deletions(-) diff --git a/source/tests/Test-RestrictCustomScripts.ps1 b/source/tests/Test-RestrictCustomScripts.ps1 index 3702ebd..454be84 100644 --- a/source/tests/Test-RestrictCustomScripts.ps1 +++ b/source/tests/Test-RestrictCustomScripts.ps1 @@ -1,21 +1,20 @@ function Test-RestrictCustomScripts { [CmdletBinding()] param ( + # Aligned # Define your parameters here if needed ) -#Limit All - begin { - # .TODO Test behavior in Prod - # Dot source the class script - $auditResults = @() + begin { + # Dot source the class script if necessary + #. .\source\Classes\CISAuditResult.ps1 + # Initialization code, if needed } process { - # CIS 2.7 Ensure custom script execution is restricted on site collections - # Pass if DenyAddAndCustomizePages is set to true (Enabled). Fail otherwise. + # 7.3.4 (L1) Ensure custom script execution is restricted on site collections - # Get all site collections and select necessary properties + # Retrieve all site collections and select necessary properties $SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages # Find sites where custom scripts are allowed (DenyAddAndCustomizePages is not 'Enabled') @@ -29,42 +28,41 @@ function Test-RestrictCustomScripts { "$($_.Title) ($($_.Url)): Custom Script Allowed" } - # Create an instance of CISAuditResult and populate it + # Prepare failure reasons and details based on compliance + $failureReasons = if (-not $complianceResult) { + "The following site collections allow custom script execution: " + ($nonCompliantSiteDetails -join "; ") + } + else { + "N/A" + } + + $details = if ($complianceResult) { + "All site collections have custom script execution restricted" + } + else { + $nonCompliantSiteDetails -join "; " + } + + # Create and populate the CISAuditResult object $auditResult = [CISAuditResult]::new() + $auditResult.Status = if ($complianceResult) { "Pass" } else { "Fail" } + $auditResult.ELevel = "E3" + $auditResult.ProfileLevel = "L1" + $auditResult.Rec = "7.3.4" + $auditResult.RecDescription = "Ensure custom script execution is restricted on site collections" $auditResult.CISControlVer = "v8" $auditResult.CISControl = "2.7" $auditResult.CISDescription = "Allowlist Authorized Scripts" - $auditResult.Rec = "7.3.4" - $auditResult.ELevel = "E3" - $auditResult.ProfileLevel = "L1" $auditResult.IG1 = $false $auditResult.IG2 = $false $auditResult.IG3 = $true - $auditResult.RecDescription = "Ensure custom script execution is restricted on site collections" $auditResult.Result = $complianceResult - $auditResult.Details = if (-not $complianceResult) { - $nonCompliantSiteDetails -join "; " - } else { - "All site collections have custom script execution restricted" - } - $auditResult.FailureReason = if (-not $complianceResult) { - "The following site collections allow custom script execution: " + ($nonCompliantSiteDetails -join "; ") - } else { - "N/A" - } - $auditResult.Status = if ($complianceResult) { - "Pass" - } else { - "Fail" - } - - $auditResults += $auditResult + $auditResult.Details = $details + $auditResult.FailureReason = $failureReasons } - - end { - # Return auditResults - return $auditResults + # Return auditResult + return $auditResult } }