vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: formatting

Browse Source
This commit is contained in:
DrIOS
2024-06-29 19:54:32 -05:00
parent bd0ce158af
commit c7f7fe11cc
22 changed files with 19 additions and 195 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
source/tests/Test-AntiPhishingPolicy.ps1
View File

@@ -2,7 +2,6 @@ function Test-AntiPhishingPolicy {
[CmdletBinding()]
[OutputType([CISAuditResult])]
param ()
begin {
$recnum = "2.1.7"
Write-Verbose "Running Test-AntiPhishingPolicy for $recnum..."
@@ -22,14 +21,12 @@ function Test-AntiPhishingPolicy {
- Condition B: Critical security features like Spoof Intelligence or Mailbox Intelligence are disabled in the relevant policies.
#>
}
process {
try {
# Step 1: Retrieve all anti-phishing policies
#$VerbosePreference = "Continue"
Write-Verbose "Retrieving all anti-phishing policies..."
$antiPhishPolicies = Get-CISExoOutput -Rec $recnum
# Step 2: Initialize variables to track compliance and details
$compliantPolicy = $null
$details = @()
@@ -38,15 +35,12 @@ function Test-AntiPhishingPolicy {
$policiesEvaluated = @()
$PassedTests = @()
$FailedTests = @()
Write-Verbose "Evaluating each policy for compliance..."
# Separate policies based on type
$strictPolicy = $antiPhishPolicies | Where-Object { $_.Identity -match "Strict Preset Security Policy" }
$standardPolicy = $antiPhishPolicies | Where-Object { $_.Identity -match "Standard Preset Security Policy" }
$customPolicies = $antiPhishPolicies | Where-Object { -not ($_.Identity -match "Strict Preset Security Policy" -or $_.Identity -match "Standard Preset Security Policy" -or $_.IsDefault) }
$defaultPolicy = $antiPhishPolicies | Where-Object { $_.IsDefault }
# Step 3: Check for Strict Preset Security Policy
if ($null -ne $strictPolicy) {
Write-Verbose "Evaluating policy: $($strictPolicy.Identity)"
@@ -225,7 +219,6 @@ function Test-AntiPhishingPolicy {
$auditResult = Get-TestError -LastError $_ -recnum $recnum
}
}
end {
return $auditResult
}

10
source/tests/Test-AuditDisabledFalse.ps1
View File

@@ -5,11 +5,9 @@ function Test-AuditDisabledFalse {
param (
# Parameters can be added if needed
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Conditions for 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
#
# Validate test for a pass:
@@ -25,18 +23,15 @@ function Test-AuditDisabledFalse {
# - Condition A: The `AuditDisabled` organizational setting is set to `True` in the Microsoft 365 admin center.
# - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `True`.
# - Condition C: Mailbox auditing is not enabled by default at the organizational level.
# Initialization code, if needed
$recnum = "6.1.1"
Write-Verbose "Running Test-AuditDisabledFalse for $recnum..."
}
process {
try {
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
# Retrieve the AuditDisabled configuration (Condition B)
$auditNotDisabled = Get-CISExoOutput -Rec $recnum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditNotDisabled) {
"AuditDisabled is set to True" # Condition A Fail
@@ -44,14 +39,12 @@ function Test-AuditDisabledFalse {
else {
"N/A"
}
$details = if ($auditNotDisabled) {
"Audit is not disabled organizationally" # Condition C Pass
}
else {
"Audit is disabled organizationally" # Condition C Fail
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -67,7 +60,6 @@ function Test-AuditDisabledFalse {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

12
source/tests/Test-AuditLogSearch.ps1
View File

@@ -5,23 +5,20 @@ function Test-AuditLogSearch {
# Aligned
# Parameters can be added if needed
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "3.1.1"
Write-Verbose "Running Test-AuditLogSearch for $recnum..."
<#
Conditions for 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: Audit log search is enabled in the Microsoft Purview compliance portal.
- Condition B: The audit log retains user and admin activity for 90 days.
- Condition C: Audit log search capabilities are functional (search results are displayed for activities within the past 30 days).
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
@@ -30,14 +27,10 @@ function Test-AuditLogSearch {
- Condition C: Audit log search capabilities are non-functional (no search results are displayed for activities within the past 30 days).
#>
}
process {
try {
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
$auditLogResult = Get-CISExoOutput -Rec $recnum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditLogResult) {
# Condition A (Fail): Audit log search is not enabled in the Microsoft Purview compliance portal
@@ -46,7 +39,6 @@ function Test-AuditLogSearch {
else {
"N/A"
}
$details = if ($auditLogResult) {
# Condition A (Pass): Audit log search is enabled in the Microsoft Purview compliance portal
"UnifiedAuditLogIngestionEnabled: True"
@@ -54,7 +46,6 @@ function Test-AuditLogSearch {
else {
"UnifiedAuditLogIngestionEnabled: False"
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -70,7 +61,6 @@ function Test-AuditLogSearch {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

15
source/tests/Test-BlockMailForwarding.ps1
View File

@@ -4,23 +4,20 @@ function Test-BlockMailForwarding {
param (
# Parameters can be added if needed
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.2.1"
Write-Verbose "Running Test-BlockMailForwarding for $recnum..."
<#
Conditions for 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: Transport rules do not forward email to external domains.
- Condition B: Anti-spam outbound policy is configured to disable automatic email forwarding to external domains.
- Condition C: No exceptions to the forwarding rules unless explicitly defined by organizational policy.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
@@ -29,26 +26,20 @@ function Test-BlockMailForwarding {
- Condition C: Unapproved exceptions to the forwarding rules are present.
#>
}
process {
try {
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
# Step 1: Retrieve the transport rules that redirect messages
$transportRules,$nonCompliantSpamPolicies = Get-CISExoOutput -Rec $recnum
$transportForwardingBlocked = $transportRules.Count -eq 0
# Step 2: Check all anti-spam outbound policies
$nonCompliantSpamPoliciesArray = @($nonCompliantSpamPolicies)
$spamForwardingBlocked = $nonCompliantSpamPoliciesArray.Count -eq 0
# Determine overall compliance
$forwardingBlocked = $transportForwardingBlocked -and $spamForwardingBlocked
# Prepare failure reasons and details based on compliance
$failureReasons = @()
$details = @()
if ($transportRules -ne 1) {
# Fail Condition A
$failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')"
@@ -58,7 +49,6 @@ function Test-BlockMailForwarding {
}
$details += "`n"
}
if ($nonCompliantSpamPoliciesArray.Count -gt 0) {
# Fail Condition B
$failureReasons += "Outbound spam policies allowing automatic forwarding found."
@@ -67,7 +57,6 @@ function Test-BlockMailForwarding {
"$($_.Name)|$($_.AutoForwardingMode)"
}
}
if ($failureReasons.Count -eq 0) {
$failureReasons = "N/A"
$details = "Both transport rules and outbound spam policies are configured correctly to block forwarding."
@@ -76,7 +65,6 @@ function Test-BlockMailForwarding {
$failureReasons = $failureReasons -join " | "
$details = $details -join "`n"
}
# Populate the audit result
$params = @{
Rec = $recnum
@@ -92,7 +80,6 @@ function Test-BlockMailForwarding {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

7
source/tests/Test-BlockSharedMailboxSignIn.ps1
View File

@@ -8,7 +8,6 @@ function Test-BlockSharedMailboxSignIn {
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.2.2"
Write-Verbose "Running Test-BlockSharedMailboxSignIn for $recnum..."
@@ -26,7 +25,6 @@ function Test-BlockSharedMailboxSignIn {
# - Condition A: One or more shared mailboxes have the "Sign-in blocked" option enabled in the properties pane on the Microsoft 365 admin center.
# - Condition B: Using PowerShell, the `AccountEnabled` property for one or more shared mailboxes is set to `True`.
}
process {
try {
# Step: Retrieve shared mailbox details
@@ -63,11 +61,9 @@ function Test-BlockSharedMailboxSignIn {
$users = Get-CISAadOutput -Rec $recnum
# Step: Retrieve details of shared mailboxes from Azure AD (Condition B: Pass/Fail)
$sharedMailboxDetails = $users | Where-Object {$_.objectid -in $objectids}
# Step: Identify enabled mailboxes (Condition B: Pass/Fail)
$enabledMailboxes = $sharedMailboxDetails | Where-Object { $_.AccountEnabled } | ForEach-Object { $_.DisplayName }
$allBlocked = $enabledMailboxes.Count -eq 0
# Step: Determine failure reasons based on enabled mailboxes (Condition A & B: Fail)
$failureReasons = if (-not $allBlocked) {
"Some mailboxes have sign-in enabled (AccountEnabled:True):`n$($enabledMailboxes -join ', ')"
@@ -75,7 +71,6 @@ function Test-BlockSharedMailboxSignIn {
else {
"N/A"
}
# Step: Prepare details for the audit result (Condition A & B: Pass/Fail)
$details = if ($allBlocked) {
"All shared mailboxes have sign-in blocked."
@@ -83,7 +78,6 @@ function Test-BlockSharedMailboxSignIn {
else {
"AccountEnabled set to True Mailboxes: $($enabledMailboxes -join ', ')"
}
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -99,7 +93,6 @@ function Test-BlockSharedMailboxSignIn {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

1
source/tests/Test-CommonAttachmentFilter.ps1
View File

@@ -5,7 +5,6 @@ function Test-CommonAttachmentFilter {
# Aligned
# Parameters can be added if needed
)
begin {
<#
Conditions for 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled

4
source/tests/Test-CustomerLockbox.ps1
View File

@@ -29,7 +29,6 @@ function Test-CustomerLockbox {
# - Condition B: Using the SecureScore portal, the Customer Lockbox feature is not enabled.
# - Condition C: Using PowerShell, the Customer Lockbox feature is not set to `True`.
}
process {
try {
# Step: Retrieve the organization configuration (Condition C: Pass/Fail)
@@ -43,7 +42,6 @@ function Test-CustomerLockbox {
else {
"N/A"
}
# Step: Prepare details for the audit result (Condition A, B, & C: Pass/Fail)
$details = if ($customerLockboxEnabled) {
"Customer Lockbox Enabled: True"
@@ -51,7 +49,6 @@ function Test-CustomerLockbox {
else {
"Customer Lockbox Enabled: False"
}
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -67,7 +64,6 @@ function Test-CustomerLockbox {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

5
source/tests/Test-ExternalSharingCalendars.ps1
View File

@@ -5,11 +5,9 @@ function Test-ExternalSharingCalendars {
# Aligned
# Parameters can be added if needed
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.3.3"
Write-Verbose "Running Test-ExternalSharingCalendars for $recnum..."
@@ -27,7 +25,6 @@ function Test-ExternalSharingCalendars {
# - Condition A: In the Microsoft 365 admin center, external calendar sharing is enabled.
# - Condition B: Using the Exchange Online PowerShell Module, the `OrganizationConfig` property `ExternalSharingEnabled` is set to `True`.
}
process {
try {
# Step: Retrieve sharing policies related to calendar sharing
@@ -87,7 +84,6 @@ function Test-ExternalSharingCalendars {
else {
"Enabled Sharing Policies:`n$($sharingPolicyDetails -join ', ')"
}
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -103,7 +99,6 @@ function Test-ExternalSharingCalendars {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

10
source/tests/Test-IdentifyExternalEmail.ps1
View File

@@ -9,10 +9,9 @@ function Test-IdentifyExternalEmail {
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.2.3"
Write-Verbose "Running Test-IdentifyExternalEmail for $recnum..."
# Conditions for 6.2.3 (L1) Ensure email from external senders is identified
#
# Validate test for a pass:
@@ -29,16 +28,12 @@ function Test-IdentifyExternalEmail {
# - Condition B: The BypassAllowList contains unauthorized email addresses.
# - Condition C: External sender tag does not appear in email messages received from external sources.
}
process {
try {
# 6.2.3 (L1) Ensure email from external senders is identified
# Retrieve external sender tagging configuration
$externalInOutlook = Get-CISExoOutput -Rec $recnum
$externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $externalTaggingEnabled) {
# Condition A: External tagging is not enabled using PowerShell for all identities.
@@ -47,10 +42,8 @@ function Test-IdentifyExternalEmail {
else {
"N/A"
}
# Details for external tagging configuration
$details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -66,7 +59,6 @@ function Test-IdentifyExternalEmail {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

12
source/tests/Test-MailTipsEnabled.ps1
View File

@@ -5,15 +5,12 @@ function Test-MailTipsEnabled {
# Aligned
# Parameters can be added if needed
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$auditResult = [CISAuditResult]::new()
$recnum = "6.5.2"
Write-Verbose "Running Test-MailTipsEnabled for $recnum..."
# Conditions for 6.5.2 (L2) Ensure MailTips are enabled for end users
#
# Validate test for a pass:
@@ -32,18 +29,14 @@ function Test-MailTipsEnabled {
# - Condition C: MailTipsGroupMetricsEnabled is not set to True.
# - Condition D: MailTipsLargeAudienceThreshold is not set to an acceptable value (default is 25).
}
process {
try {
# 6.5.2 (L2) Ensure MailTips are enabled for end users
# Retrieve organization configuration for MailTips settings
$orgConfig = Get-CISExoOutput -Rec $recnum
# Check the MailTips settings (Conditions A, B, C, D)
$allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25
$externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not ($allTipsEnabled -and $externalRecipientsTipsEnabled)) {
"One or more MailTips settings are not configured as required."
@@ -51,14 +44,12 @@ function Test-MailTipsEnabled {
else {
"N/A"
}
$details = if ($allTipsEnabled -and $externalRecipientsTipsEnabled) {
"MailTipsAllTipsEnabled: $($orgConfig.MailTipsAllTipsEnabled); MailTipsExternalRecipientsTipsEnabled: $($orgConfig.MailTipsExternalRecipientsTipsEnabled); MailTipsGroupMetricsEnabled: $($orgConfig.MailTipsGroupMetricsEnabled); MailTipsLargeAudienceThreshold: $($orgConfig.MailTipsLargeAudienceThreshold)"
}
else {
"One or more MailTips settings are not configured as required."
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -74,7 +65,6 @@ function Test-MailTipsEnabled {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

23
source/tests/Test-MailboxAuditingE3.ps1
View File

@@ -4,11 +4,9 @@ function Test-MailboxAuditingE3 {
param (
# Parameters can be added if needed
)
begin {
<#
Conditions for 6.1.2 (L1) Ensure mailbox auditing for E3 users is Enabled
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
@@ -16,7 +14,6 @@ function Test-MailboxAuditingE3 {
- Condition B: The `AuditAdmin` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
- Condition C: The `AuditDelegate` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
- Condition D: The `AuditOwner` actions include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
@@ -25,24 +22,19 @@ function Test-MailboxAuditingE3 {
- Condition C: The `AuditDelegate` actions do not include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
- Condition D: The `AuditOwner` actions do not include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
#>
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
$actionDictionaries = Get-Action -Dictionaries
# E3 specific actions
$AdminActions = $actionDictionaries.AdminActions.Keys | Where-Object { $_ -notin @("MailItemsAccessed", "Send") }
$DelegateActions = $actionDictionaries.DelegateActions.Keys | Where-Object { $_ -notin @("MailItemsAccessed") }
$OwnerActions = $actionDictionaries.OwnerActions.Keys | Where-Object { $_ -notin @("MailItemsAccessed", "Send") }
$allFailures = @()
$recnum = "6.1.2"
Write-Verbose "Running Test-MailboxAuditingE3 for $recnum..."
$allUsers = Get-CISMgOutput -Rec $recnum
$processedUsers = @{} # Dictionary to track processed users
}
process {
if ($null -ne $allUsers) {
$mailboxes = Get-CISExoOutput -Rec $recnum
@@ -52,14 +44,11 @@ function Test-MailboxAuditingE3 {
Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
continue
}
$userUPN = $user.UserPrincipalName
$mailbox = $mailboxes | Where-Object { $_.UserPrincipalName -eq $user.UserPrincipalName }
$missingAdminActions = @()
$missingDelegateActions = @()
$missingOwnerActions = @()
if ($mailbox.AuditEnabled) {
foreach ($action in $AdminActions) {
if ($mailbox.AuditAdmin -notcontains $action) {
@@ -76,7 +65,6 @@ function Test-MailboxAuditingE3 {
$missingOwnerActions += (Get-Action -Actions $action -ActionType "Owner")
}
}
if ($missingAdminActions.Count -gt 0 -or $missingDelegateActions.Count -gt 0 -or $missingOwnerActions.Count -gt 0) {
$allFailures += "$userUPN|True|$($missingAdminActions -join ',')|$($missingDelegateActions -join ',')|$($missingOwnerActions -join ',')"
}
@@ -84,11 +72,9 @@ function Test-MailboxAuditingE3 {
else {
$allFailures += "$userUPN|False|||" # Condition A for fail
}
# Mark the user as processed
$processedUsers[$user.UserPrincipalName] = $true
}
# Prepare failure reasons and details based on compliance
if ($allFailures.Count -eq 0) {
$failureReasons = "N/A"
@@ -102,7 +88,6 @@ function Test-MailboxAuditingE3 {
else {
"UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n")
}
# Populate the audit result
$params = @{
Rec = $recnum
@@ -115,13 +100,10 @@ function Test-MailboxAuditingE3 {
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
@@ -137,15 +119,12 @@ function Test-MailboxAuditingE3 {
$auditResult = Initialize-CISAuditResult @params
}
}
end {
$detailsLength = $details.Length
Write-Verbose "Character count of the details: $detailsLength"
if ($detailsLength -gt 32767) {
Write-Verbose "Warning: The character count exceeds the limit for Excel cells."
}
return $auditResult
}
}

18
source/tests/Test-MailboxAuditingE5.ps1
View File

@@ -4,11 +4,9 @@ function Test-MailboxAuditingE5 {
param (
# Parameters can be added if needed
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Conditions for 6.1.3 (L1) Ensure mailbox auditing for E5 users is Enabled
#
# Validate test for a pass:
@@ -26,18 +24,16 @@ function Test-MailboxAuditingE5 {
# - Condition B: AuditAdmin actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
# - Condition C: AuditDelegate actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
# - Condition D: AuditOwner actions do not include all of the following: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
$actionDictionaries = Get-Action -Dictionaries
$AdminActions = $actionDictionaries.AdminActions.Keys
$DelegateActions = $actionDictionaries.DelegateActions.Keys
$OwnerActions = $actionDictionaries.OwnerActions.Keys
$allFailures = @()
$processedUsers = @{}
$recnum = "6.1.3"
Write-Verbose "Running Test-MailboxAuditingE5 for $recnum..."
$allUsers = Get-CISMgOutput -Rec $recnum
}
process {
if ($null -ne $allUsers) {
$mailboxes = Get-CISExoOutput -Rec $recnum
@@ -47,14 +43,11 @@ function Test-MailboxAuditingE5 {
Write-Verbose "Skipping already processed user: $($user.UserPrincipalName)"
continue
}
$mailbox = $mailboxes | Where-Object { $_.UserPrincipalName -eq $user.UserPrincipalName }
$userUPN = $user.UserPrincipalName
$missingAdminActions = @()
$missingDelegateActions = @()
$missingOwnerActions = @()
if ($mailbox.AuditEnabled) {
# Validate Admin actions
foreach ($action in $AdminActions) {
@@ -74,7 +67,6 @@ function Test-MailboxAuditingE5 {
$missingOwnerActions += (Get-Action -Actions $action -ActionType "Owner") # Condition D
}
}
if ($missingAdminActions.Count -gt 0 -or $missingDelegateActions.Count -gt 0 -or $missingOwnerActions.Count -gt 0) {
$allFailures += "$userUPN|True|$($missingAdminActions -join ',')|$($missingDelegateActions -join ',')|$($missingOwnerActions -join ',')"
}
@@ -82,11 +74,9 @@ function Test-MailboxAuditingE5 {
else {
$allFailures += "$userUPN|False|||" # Condition A for fail
}
# Mark the user as processed
$processedUsers[$user.UserPrincipalName] = $true
}
# Prepare failure reasons and details based on compliance
if ($allFailures.Count -eq 0) {
$failureReasons = "N/A"
@@ -113,13 +103,10 @@ function Test-MailboxAuditingE5 {
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
@@ -135,15 +122,12 @@ function Test-MailboxAuditingE5 {
$auditResult = Initialize-CISAuditResult @params
}
}
end {
$detailsLength = $details.Length
Write-Verbose "Character count of the details: $detailsLength"
if ($detailsLength -gt 32767) {
Write-Verbose "Warning: The character count exceeds the limit for Excel cells."
}
return $auditResult
}
}

12
source/tests/Test-ModernAuthExchangeOnline.ps1
View File

@@ -5,11 +5,9 @@ function Test-ModernAuthExchangeOnline {
# Aligned
# Define your parameters here
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Conditions for 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
#
# Validate test for a pass:
@@ -25,17 +23,14 @@ function Test-ModernAuthExchangeOnline {
# - Condition A: Modern authentication for Exchange Online is not enabled.
# - Condition B: Exchange Online clients do not use modern authentication to log in to Microsoft 365 mailboxes.
# - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are still able to authenticate to Exchange using Basic Authentication.
$recnum = "6.5.1"
Write-Verbose "Running Test-ModernAuthExchangeOnline for $recnum..."
}
process {
try {
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
$orgConfig = Get-CISExoOutput -Rec $recnum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $orgConfig.OAuth2ClientProfileEnabled) {
"Modern authentication is disabled"
@@ -43,10 +38,8 @@ function Test-ModernAuthExchangeOnline {
else {
"N/A"
}
# Details include the current setting (Condition A and B)
$details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -56,15 +49,12 @@ function Test-ModernAuthExchangeOnline {
FailureReason = $failureReasons
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

11
source/tests/Test-NoWhitelistDomains.ps1
View File

@@ -5,24 +5,20 @@ function Test-NoWhitelistDomains {
# Aligned
# Define your parameters here
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.2.2"
Write-Verbose "Running Test-NoWhitelistDomains for $recnum..."
<#
Conditions for 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains (Automated)
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: No mail transport rules whitelist any specific domains.
- Condition B: Verification of mail transport rules using PowerShell shows no domains are whitelisted.
- Condition C: Manual review in Exchange Online admin center confirms no whitelisted domains in transport rules.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
@@ -31,11 +27,9 @@ function Test-NoWhitelistDomains {
- Condition C: Manual review in Exchange Online admin center shows whitelisted domains in transport rules.
#>
}
process {
try {
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
# Retrieve transport rules that whitelist specific domains
# Condition A: Checking for transport rules that whitelist specific domains
$whitelistedRules = Get-CISExoOutput -Rec $recnum
@@ -47,7 +41,6 @@ function Test-NoWhitelistDomains {
else {
"N/A"
}
# Condition C: Prepare details about the whitelisted rules if found
$details = if ($whitelistedRules) {
$ruleDetails = $whitelistedRules | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.SenderDomainIs -join ', ') }
@@ -56,7 +49,6 @@ function Test-NoWhitelistDomains {
else {
"No transport rules whitelisting specific domains found."
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -72,7 +64,6 @@ function Test-NoWhitelistDomains {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return auditResult
return $auditResult

9
source/tests/Test-NotifyMalwareInternal.ps1
View File

@@ -5,7 +5,6 @@ function Test-NotifyMalwareInternal {
# Aligned
# Parameters can be added if needed
)
begin {
<#
# Conditions for 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
@@ -22,14 +21,12 @@ function Test-NotifyMalwareInternal {
# - Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center.
# - Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `False` or does not include any valid email addresses for notifications.
#>
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "2.1.3"
Write-Verbose "Running Test-NotifyMalwareInternal for $recnum..."
}
process {
try {
# 2.1.3 Ensure notifications for internal users sending malware is Enabled
@@ -51,7 +48,6 @@ function Test-NotifyMalwareInternal {
)
#>
$malwareNotifications = Get-CISExoOutput -Rec $recnum
# Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
$policiesToReport = @()
foreach ($policy in $malwareNotifications) {
@@ -59,10 +55,8 @@ function Test-NotifyMalwareInternal {
$policiesToReport += "$($policy.Identity): Notifications Disabled"
}
}
# Determine the result based on the presence of custom policies without notifications
$result = $policiesToReport.Count -eq 0
# Prepare failure reasons and details based on compliance
$failureReasons = if ($result) {
"N/A"
@@ -71,14 +65,12 @@ function Test-NotifyMalwareInternal {
# Condition A: Notifications for internal users sending malware are not enabled in the Microsoft 365 Security & Compliance Center.
"Some custom policies do not have notifications for internal users sending malware enabled."
}
$details = if ($result) {
"All custom malware policies have notifications enabled."
}
else {
"Misconfigured Policies: $($policiesToReport -join '`n')"
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -94,7 +86,6 @@ function Test-NotifyMalwareInternal {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

8
source/tests/Test-ReportSecurityInTeams.ps1
View File

@@ -5,20 +5,17 @@ function Test-ReportSecurityInTeams {
# Aligned
# Parameters can be defined here if needed
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.6.1"
Write-Verbose "Running Test-ReportSecurityInTeams for $recnum..."
}
process {
try {
# Test-ReportSecurityInTeams.ps1
# 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
$CsTeamsMessagingPolicy = Get-CISMSTeamsOutput -Rec $recnum
@@ -35,7 +32,6 @@ function Test-ReportSecurityInTeams {
$null -ne $ReportSubmissionPolicy.ReportPhishAddresses -and
$ReportSubmissionPolicy.ReportChatMessageToCustomizedAddressEnabled -and
-not $ReportSubmissionPolicy.ReportChatMessageEnabled
$detailsString = @"
The following settings are required for users to report security concerns in Teams:
@@ -75,7 +71,6 @@ ReportChatMessageToCustomizedAddressEnabled: True
else {
$faildetailstring
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -91,7 +86,6 @@ ReportChatMessageToCustomizedAddressEnabled: True
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

12
source/tests/Test-RestrictOutlookAddins.ps1
View File

@@ -5,16 +5,14 @@ function Test-RestrictOutlookAddins {
# Aligned
# Parameters could include credentials or other necessary data
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code
$defaultPolicyFailureDetails = @()
$relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
$recnum = "6.3.1"
Write-Verbose "Running Test-RestrictOutlookAddins for $recnum..."
# Conditions for 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
#
# Validate test for a pass:
@@ -29,21 +27,17 @@ function Test-RestrictOutlookAddins {
# - Condition A: One or more of the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are checked under Other roles.
# - Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are assigned to users.
}
process {
try {
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
# Check all mailboxes for custom policies with unallowed add-ins
# Check Default Role Assignment Policy
$customPolicyFailures, $defaultPolicy = Get-CISExoOutput -Rec $recnum
$defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
if ($defaultPolicyRoles) {
$defaultPolicyFailureDetails = $defaultPolicyRoles
}
# Prepare result details string
$detailsString = ""
if ($customPolicyFailures) {
@@ -53,7 +47,6 @@ function Test-RestrictOutlookAddins {
else {
$detailsString += "Custom Policy Failures: None | "
}
$detailsString += "Default Role Assignment Policy: "
if ($defaultPolicyFailureDetails) {
$detailsString += ($defaultPolicyFailureDetails -join ', ')
@@ -61,10 +54,8 @@ function Test-RestrictOutlookAddins {
else {
$detailsString += "Compliant"
}
# Determine result based on findings
$isCompliant = -not ($customPolicyFailures -or $defaultPolicyFailureDetails)
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -80,7 +71,6 @@ function Test-RestrictOutlookAddins {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

10
source/tests/Test-RestrictStorageProvidersOutlook.ps1
View File

@@ -5,7 +5,6 @@ function Test-RestrictStorageProvidersOutlook {
# Aligned
# Parameters can be added here if needed
)
begin {
<#
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
@@ -22,25 +21,21 @@ function Test-RestrictStorageProvidersOutlook {
# - Condition A: Using PowerShell, verify that `AdditionalStorageProvidersAvailable` is not set to `False` in the OwaMailboxPolicy.
# - Condition B: Ensure that the command `Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable` does not return `False`.
#>
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.5.3"
Write-Verbose "Running Test-RestrictStorageProvidersOutlook for $recnum..."
}
process {
try {
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
# Retrieve all OwaMailbox policies
$owaPolicies = Get-CISExoOutput -Rec $recnum
# Condition A: Check if AdditionalStorageProvidersAvailable is set to False
$nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }
# Determine compliance
$allPoliciesRestricted = $nonCompliantPolicies.Count -eq 0
# Prepare failure reasons and details based on compliance
$failureReasons = if ($allPoliciesRestricted) {
"N/A"
@@ -48,14 +43,12 @@ function Test-RestrictStorageProvidersOutlook {
else {
"One or more OwaMailbox policies allow AdditionalStorageProvidersAvailable."
}
$details = if ($allPoliciesRestricted) {
"All OwaMailbox policies restrict AdditionalStorageProvidersAvailable"
}
else {
"Non-compliant OwaMailbox policies: $($nonCompliantPolicies.Name -join ', ')"
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -71,7 +64,6 @@ function Test-RestrictStorageProvidersOutlook {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
}
}
end {
# Return the audit result
return $auditResult

12
source/tests/Test-SafeAttachmentsPolicy.ps1
View File

@@ -2,7 +2,6 @@ function Test-SafeAttachmentsPolicy {
[CmdletBinding()]
[OutputType([CISAuditResult])]
param ()
begin {
$recnum = "2.1.4"
Write-Verbose "Running Test-SafeAttachmentsPolicy for $recnum..."
@@ -13,7 +12,6 @@ function Test-SafeAttachmentsPolicy {
- Check if the policy's action is set to 'Block'.
- Confirm the QuarantineTag is set to 'AdminOnlyAccessPolicy'.
- Verify that the Redirect setting is disabled.
Validate test for a fail:
- If the highest priority Safe Attachments policy's action is not set to 'Block'.
- If the QuarantineTag is not set to 'AdminOnlyAccessPolicy'.
@@ -55,11 +53,11 @@ function Test-SafeAttachmentsPolicy {
# The result is a pass if there are no failure reasons
$result = $failureReasons.Count -eq 0
$details = [PSCustomObject]@{
Policy = $highestPriorityPolicy.Identity
Action = $highestPriorityPolicy.Action
QuarantineTag = $highestPriorityPolicy.QuarantineTag
Redirect = $highestPriorityPolicy.Redirect
Enabled = $highestPriorityPolicy.Enable
Policy = $highestPriorityPolicy.Identity
Action = $highestPriorityPolicy.Action
QuarantineTag = $highestPriorityPolicy.QuarantineTag
Redirect = $highestPriorityPolicy.Redirect
Enabled = $highestPriorityPolicy.Enable
}
# Format details for output manually
$detailsString = "Policy|Action|QuarantineTag|Redirect|Enabled`n" + ($details |

2
source/tests/Test-SafeAttachmentsTeams.ps1
View File

@@ -8,7 +8,6 @@ function Test-SafeAttachmentsTeams {
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Conditions for 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
#
# Validate test for a pass:
@@ -24,7 +23,6 @@ function Test-SafeAttachmentsTeams {
# - Condition A: Safe Attachments for SharePoint is not enabled.
# - Condition B: Safe Attachments for OneDrive is not enabled.
# - Condition C: Safe Attachments for Microsoft Teams is not enabled.
# Initialization code, if needed
$recnum = "2.1.5"
Write-Verbose "Running Test-SafeAttachmentsTeams for $recnum..."

9
source/tests/Test-SafeLinksOfficeApps.ps1
View File

@@ -5,7 +5,6 @@ function Test-SafeLinksOfficeApps {
# Aligned
# Define your parameters here if needed
)
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
@@ -14,7 +13,6 @@ function Test-SafeLinksOfficeApps {
Write-Verbose "Running Test-SafeLinksOfficeApps for $recnum..."
<#
Conditions for 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
@@ -25,7 +23,6 @@ function Test-SafeLinksOfficeApps {
- Click protection settings: On
- Do not track when users click safe links: Off
- Condition B: Using the Exchange Online PowerShell Module, Safe Links policies are retrieved, and the relevant policy shows Safe Links for Office applications is enabled.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
@@ -38,7 +35,6 @@ function Test-SafeLinksOfficeApps {
- Condition B: Using the Exchange Online PowerShell Module, Safe Links policies are retrieved, and the relevant policy shows Safe Links for Office applications is not enabled.
#>
}
process {
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
# Retrieve all Safe Links policies
@@ -51,7 +47,6 @@ function Test-SafeLinksOfficeApps {
$result = $misconfiguredDetails.Count -eq 0
$details = if ($result) { "All Safe Links policies are correctly configured." } else { $misconfiguredDetails -join '`n' }
$failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
@@ -64,13 +59,10 @@ function Test-SafeLinksOfficeApps {
}
catch {
Write-Error "An error occurred during the test: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
@@ -86,7 +78,6 @@ function Test-SafeLinksOfficeApps {
$auditResult = Initialize-CISAuditResult @params
}
}
end {
# Return the audit result
return $auditResult

1
source/tests/Test-SpamPolicyAdminNotify.ps1
View File

@@ -2,7 +2,6 @@ function Test-SpamPolicyAdminNotify {
[CmdletBinding()]
[OutputType([CISAuditResult])]
param ()
begin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1