diff --git a/source/tests/Test-SafeAttachmentsPolicy.ps1 b/source/tests/Test-SafeAttachmentsPolicy.ps1
index d9dfca4..b3cb316 100644
--- a/source/tests/Test-SafeAttachmentsPolicy.ps1
+++ b/source/tests/Test-SafeAttachmentsPolicy.ps1
@@ -1,10 +1,7 @@ function Test-SafeAttachmentsPolicy { [CmdletBinding()] [OutputType([CISAuditResult])] - param ( - # Aligned - # Parameters can be added if needed - ) + param () begin { # Dot source the class script if necessary 
@@ -31,44 +28,60 @@ function Test-SafeAttachmentsPolicy { - Condition B: The policy does not cover all recipients within the organization. - Condition C: The policy action is not set to "Dynamic Delivery" or "Quarantine". - Condition D: The policy is disabled. - #> + #> } + process { - # Retrieve all Safe Attachment policies where Enable is set to True - $safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true } - if ($null -ne $safeAttachmentPolicies) { + if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) { try { - # 2.1.4 (L2) Ensure Safe Attachments policy is enabled - - - - # Condition A: Check if any Safe Attachments policy is enabled + # Retrieve all Safe Attachment policies where Enable is set to True + $safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true } + # Check if any Safe Attachments policy is enabled (Condition A) $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0 - # Condition B, C, D: Additional checks can be added here if more detailed policy attributes are required + # Initialize details and failure reasons + $details = @() + $failureReasons = @() - # Determine details and failure reasons based on the presence of enabled policies - $details = if ($result) { - "Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')" - } - else { - "No Safe Attachments Policies are enabled." + foreach ($policy in $safeAttachmentPolicies) { + # Initialize policy detail and failed status + $failed = $false + + # Check if the policy action is set to "Dynamic Delivery" or "Quarantine" (Condition C) + if ($policy.Action -notin @("DynamicDelivery", "Quarantine")) { + $failureReasons += "Policy '$($policy.Name)' action is not set to 'Dynamic Delivery' or 'Quarantine'." 
+ $failed = $true + } + + # Check if the policy is not disabled (Condition D) + if (-not $policy.Enable) { + $failureReasons += "Policy '$($policy.Name)' is disabled." + $failed = $true + } + + # Add policy details to the details array + $details += [PSCustomObject]@{ + Policy = $policy.Name + Enabled = $policy.Enable + Action = $policy.Action + Failed = $failed + } } - $failureReasons = if ($result) { - "N/A" - } - else { - "Safe Attachments policy is not enabled." - } + # The result is a pass if there are no failure reasons + $result = $failureReasons.Count -eq 0 + + # Format details for output + $detailsString = $details | Format-Table -AutoSize | Out-String + $failureReasonsString = ($failureReasons | ForEach-Object { $_ }) -join ' ' # Create and populate the CISAuditResult object $params = @{ Rec = $recnum Result = $result Status = if ($result) { "Pass" } else { "Fail" } - Details = $details - FailureReason = $failureReasons + Details = $detailsString + FailureReason = if ($result) { "N/A" } else { $failureReasonsString } } $auditResult = Initialize-CISAuditResult @params } 
@@ -102,4 +115,3 @@ function Test-SafeAttachmentsPolicy { return $auditResult } } - 
diff --git a/source/tests/Test-SafeAttachmentsTeams.ps1 b/source/tests/Test-SafeAttachmentsTeams.ps1
index 588eb57..ceb7547 100644
--- a/source/tests/Test-SafeAttachmentsTeams.ps1
+++ b/source/tests/Test-SafeAttachmentsTeams.ps1
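Review bot: In the process block of Test-SafeAttachmentsPolicy, the Condition A value assigned to `$result` is later overwritten by `$result = $failureReasons.Count -eq 0`, so a tenant with no enabled Safe Attachments policy skips the `foreach`, collects no failure reasons and is reported as Pass, whereas the removed lines tied the result to that check. Record the failure before the loop, for example `if (-not $result) { $failureReasons += "Safe Attachments policy is not enabled." }`. The same path is taken when `Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue` errors and returns nothing, so a failed query also passes the audit; `-ErrorAction Stop` would hand that to the catch block, which presumably follows this hunk. The Condition D test `-not $policy.Enable` can never fire because the list is already filtered on `$_.Enable -eq $true`. The function starts and ends outside this hunk.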
@@ -31,12 +31,11 @@ function Test-SafeAttachmentsTeams { } process { - # Retrieve the ATP policies for Office 365 and check Safe Attachments settings - [void]($atpPolicies = Get-AtpPolicyForO365) - if ($null -ne $atpPolicies) { + if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) { try { # 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled - + # Retrieve the ATP policies for Office 365 and check Safe Attachments settings + $atpPolicies = Get-AtpPolicyForO365 # Check if the required ATP policies are enabled $atpPolicyResult = $atpPolicies | Where-Object { $_.EnableATPForSPOTeamsODB -eq $true -and 
@@ -92,8 +91,8 @@ function Test-SafeAttachmentsTeams { Rec = $recnum Result = $false Status = "Fail" - Details = "No M365 E3 licenses found." - FailureReason = "The audit is for M365 E3 licenses, but no such licenses were found." + Details = "No M365 E5 licenses found." + FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise." } $auditResult = Initialize-CISAuditResult @params } 
diff --git a/source/tests/Test-SafeLinksOfficeApps.ps1 b/source/tests/Test-SafeLinksOfficeApps.ps1
index 86cdac4..8bd329b 100644
--- a/source/tests/Test-SafeLinksOfficeApps.ps1
+++ b/source/tests/Test-SafeLinksOfficeApps.ps1
@@ -40,12 +40,11 @@ function Test-SafeLinksOfficeApps { } process { - # Retrieve all Safe Links policies - [void]($policies = Get-SafeLinksPolicy) - if ($null -ne $policies) { + if (Get-Command Get-SafeLinksPolicy -ErrorAction SilentlyContinue) { try { # 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled - + # Retrieve all Safe Links policies + $policies = Get-SafeLinksPolicy # Initialize the details collection $misconfiguredDetails = @()
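Review bot: The `Get-Command Get-AtpPolicyForO365` guard in Test-SafeAttachmentsTeams only shows that the cmdlet name resolves in the session, and the `$null -ne $atpPolicies` check it replaces is gone, so an empty or failed query now flows into the evaluation unchecked. Calling `$atpPolicies = Get-AtpPolicyForO365 -ErrorAction Stop` would route a failed call to the catch block (assumed to follow the hunk) instead of evaluating `$null`. The same change in Test-SafeLinksOfficeApps (`$policies = Get-SafeLinksPolicy`) deserves a closer look: if the code after that hunk passes when `$misconfiguredDetails` stays empty, a tenant that returns no policies would be reported as compliant. Both process blocks continue outside their hunks.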
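Review bot: The new `Details = "No M365 E5 licenses found."` text in Test-SafeAttachmentsTeams states a licensing conclusion that, as far as the visible lines show, rests only on `Get-Command` not finding the cmdlet. A missing Exchange Online session or an unloaded module would presumably produce the same result, so the audit record can point the operator at the wrong cause. Consider wording such as `Details = "Get-AtpPolicyForO365 is not available in this session."` and naming both the E5 requirement and the connection state in `FailureReason`. The branch this hashtable belongs to starts outside the hunk.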