fix: 2.1.1,2.1.4,2.1.5 surpress error messages and create a standard object when no e5
This commit is contained in:
DrIOS
@@ -1,10 +1,7 @@
|
|||||||
function Test-SafeAttachmentsPolicy {
|
function Test-SafeAttachmentsPolicy {
|
||||||
[CmdletBinding()]
|
[CmdletBinding()]
|
||||||
[OutputType([CISAuditResult])]
|
[OutputType([CISAuditResult])]
|
||||||
param (
|
param ()
|
||||||
# Aligned
|
|
||||||
# Parameters can be added if needed
|
|
||||||
)
|
|
||||||
|
|
||||||
begin {
|
begin {
|
||||||
# Dot source the class script if necessary
|
# Dot source the class script if necessary
|
||||||
@@ -31,44 +28,60 @@ function Test-SafeAttachmentsPolicy {
|
|||||||
- Condition B: The policy does not cover all recipients within the organization.
|
- Condition B: The policy does not cover all recipients within the organization.
|
||||||
- Condition C: The policy action is not set to "Dynamic Delivery" or "Quarantine".
|
- Condition C: The policy action is not set to "Dynamic Delivery" or "Quarantine".
|
||||||
- Condition D: The policy is disabled.
|
- Condition D: The policy is disabled.
|
||||||
#>
|
#>
|
||||||
}
|
}
|
||||||
|
|
||||||
process {
|
process {
|
||||||
# Retrieve all Safe Attachment policies where Enable is set to True
|
if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
|
||||||
$safeAttachmentPolicies = Get-SafeAttachmentPolicy | Where-Object { $_.Enable -eq $true }
|
|
||||||
if ($null -ne $safeAttachmentPolicies) {
|
|
||||||
try {
|
try {
|
||||||
# 2.1.4 (L2) Ensure Safe Attachments policy is enabled
|
# Retrieve all Safe Attachment policies where Enable is set to True
|
||||||
|
$safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
|
||||||
|
# Check if any Safe Attachments policy is enabled (Condition A)
|
||||||
|
|
||||||
# Condition A: Check if any Safe Attachments policy is enabled
|
|
||||||
$result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
|
$result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
|
||||||
|
|
||||||
# Condition B, C, D: Additional checks can be added here if more detailed policy attributes are required
|
# Initialize details and failure reasons
|
||||||
|
$details = @()
|
||||||
|
$failureReasons = @()
|
||||||
|
|
||||||
# Determine details and failure reasons based on the presence of enabled policies
|
foreach ($policy in $safeAttachmentPolicies) {
|
||||||
$details = if ($result) {
|
# Initialize policy detail and failed status
|
||||||
"Enabled Safe Attachments Policies: $($safeAttachmentPolicies.Name -join ', ')"
|
$failed = $false
|
||||||
}
|
|
||||||
else {
|
# Check if the policy action is set to "Dynamic Delivery" or "Quarantine" (Condition C)
|
||||||
"No Safe Attachments Policies are enabled."
|
if ($policy.Action -notin @("DynamicDelivery", "Quarantine")) {
|
||||||
|
$failureReasons += "Policy '$($policy.Name)' action is not set to 'Dynamic Delivery' or 'Quarantine'."
|
||||||
|
$failed = $true
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check if the policy is not disabled (Condition D)
|
||||||
|
if (-not $policy.Enable) {
|
||||||
|
$failureReasons += "Policy '$($policy.Name)' is disabled."
|
||||||
|
$failed = $true
|
||||||
|
}
|
||||||
|
|
||||||
|
# Add policy details to the details array
|
||||||
|
$details += [PSCustomObject]@{
|
||||||
|
Policy = $policy.Name
|
||||||
|
Enabled = $policy.Enable
|
||||||
|
Action = $policy.Action
|
||||||
|
Failed = $failed
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$failureReasons = if ($result) {
|
# The result is a pass if there are no failure reasons
|
||||||
"N/A"
|
$result = $failureReasons.Count -eq 0
|
||||||
}
|
|
||||||
else {
|
# Format details for output
|
||||||
"Safe Attachments policy is not enabled."
|
$detailsString = $details | Format-Table -AutoSize | Out-String
|
||||||
}
|
$failureReasonsString = ($failureReasons | ForEach-Object { $_ }) -join ' '
|
||||||
|
|
||||||
# Create and populate the CISAuditResult object
|
# Create and populate the CISAuditResult object
|
||||||
$params = @{
|
$params = @{
|
||||||
Rec = $recnum
|
Rec = $recnum
|
||||||
Result = $result
|
Result = $result
|
||||||
Status = if ($result) { "Pass" } else { "Fail" }
|
Status = if ($result) { "Pass" } else { "Fail" }
|
||||||
Details = $details
|
Details = $detailsString
|
||||||
FailureReason = $failureReasons
|
FailureReason = if ($result) { "N/A" } else { $failureReasonsString }
|
||||||
}
|
}
|
||||||
$auditResult = Initialize-CISAuditResult @params
|
$auditResult = Initialize-CISAuditResult @params
|
||||||
}
|
}
|
||||||
@@ -102,4 +115,3 @@ function Test-SafeAttachmentsPolicy {
|
|||||||
return $auditResult
|
return $auditResult
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -31,12 +31,11 @@ function Test-SafeAttachmentsTeams {
|
|||||||
}
|
}
|
||||||
|
|
||||||
process {
|
process {
|
||||||
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
|
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
|
||||||
[void]($atpPolicies = Get-AtpPolicyForO365)
|
|
||||||
if ($null -ne $atpPolicies) {
|
|
||||||
try {
|
try {
|
||||||
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
|
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
|
||||||
|
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
|
||||||
|
$atpPolicies = Get-AtpPolicyForO365
|
||||||
# Check if the required ATP policies are enabled
|
# Check if the required ATP policies are enabled
|
||||||
$atpPolicyResult = $atpPolicies | Where-Object {
|
$atpPolicyResult = $atpPolicies | Where-Object {
|
||||||
$_.EnableATPForSPOTeamsODB -eq $true -and
|
$_.EnableATPForSPOTeamsODB -eq $true -and
|
||||||
@@ -92,8 +91,8 @@ function Test-SafeAttachmentsTeams {
|
|||||||
Rec = $recnum
|
Rec = $recnum
|
||||||
Result = $false
|
Result = $false
|
||||||
Status = "Fail"
|
Status = "Fail"
|
||||||
Details = "No M365 E3 licenses found."
|
Details = "No M365 E5 licenses found."
|
||||||
FailureReason = "The audit is for M365 E3 licenses, but no such licenses were found."
|
FailureReason = "The audit is for M365 E5 licenses and the required EXO commands will not be available otherwise."
|
||||||
}
|
}
|
||||||
$auditResult = Initialize-CISAuditResult @params
|
$auditResult = Initialize-CISAuditResult @params
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -40,12 +40,11 @@ function Test-SafeLinksOfficeApps {
|
|||||||
}
|
}
|
||||||
|
|
||||||
process {
|
process {
|
||||||
# Retrieve all Safe Links policies
|
if (Get-Command Get-SafeLinksPolicy -ErrorAction SilentlyContinue) {
|
||||||
[void]($policies = Get-SafeLinksPolicy)
|
|
||||||
if ($null -ne $policies) {
|
|
||||||
try {
|
try {
|
||||||
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
|
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
|
||||||
|
# Retrieve all Safe Links policies
|
||||||
|
$policies = Get-SafeLinksPolicy
|
||||||
# Initialize the details collection
|
# Initialize the details collection
|
||||||
$misconfiguredDetails = @()
|
$misconfiguredDetails = @()
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user