docs: Comment conditions on each test

This commit is contained in:
DrIOS
2024-06-11 18:41:19 -05:00
parent e6b6e064bf
commit cf7fbadbe7
14 changed files with 307 additions and 45 deletions


@@ -12,15 +12,31 @@ function Test-AntiPhishingPolicy {
# Initialization code, if needed # Initialization code, if needed
#$auditResults = @() #$auditResults = @()
$recnum = "2.1.7" $recnum = "2.1.7"
<#
Conditions for 2.1.7 (L1) Ensure that an anti-phishing policy has been created
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: Verify that an anti-phishing policy exists in the Microsoft 365 Security Center.
- Condition B: Using PowerShell, ensure the anti-phishing policy is configured with appropriate settings such as enabling impersonation protection and spoof intelligence.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
- Condition A: No anti-phishing policy exists in the Microsoft 365 Security Center.
- Condition B: Using PowerShell, the anti-phishing policy is not configured with the required settings.
#>
} }
process { process {
try { try {
# 2.1.7 Ensure that an anti-phishing policy has been created # Condition A: Ensure that an anti-phishing policy has been created
# Retrieve and validate the anti-phishing policies
$antiPhishPolicies = Get-AntiPhishPolicy $antiPhishPolicies = Get-AntiPhishPolicy
# Condition B: Verify the anti-phishing policy settings using PowerShell
$validatedPolicies = $antiPhishPolicies | Where-Object { $validatedPolicies = $antiPhishPolicies | Where-Object {
$_.Enabled -eq $true -and $_.Enabled -eq $true -and
$_.PhishThresholdLevel -ge 2 -and $_.PhishThresholdLevel -ge 2 -and
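Review bot: The new condition block describes Condition B as "impersonation protection and spoof intelligence", but the filter it is attached to at `$validatedPolicies = $antiPhishPolicies | Where-Object {` visibly tests `Enabled -eq $true` and `PhishThresholdLevel -ge 2`; the rest of the filter runs past the hunk, so I cannot tell whether those named settings are checked at all. A reader validating the automated result against the benchmark needs the comment to name the properties the code actually evaluates, e.g. `# Condition B: keep only policies with Enabled=$true, PhishThresholdLevel>=2 and the remaining CIS-required settings tested below`. The `# Condition A` label on the `Get-AntiPhishPolicy` retrieval is also slightly misleading, since retrieval alone does not establish that a policy exists; whatever handles an empty result is outside this hunk and should carry that label instead.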


@@ -9,32 +9,48 @@ function Test-AuditDisabledFalse {
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Conditions for 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AuditDisabled` organizational setting is set to `False` in the Microsoft 365 admin center.
# - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `False`.
# - Condition C: Ensure mailbox auditing is enabled by default at the organizational level.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AuditDisabled` organizational setting is set to `True` in the Microsoft 365 admin center.
# - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `True`.
# - Condition C: Mailbox auditing is not enabled by default at the organizational level.
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.1.1" $recnum = "6.1.1"
} }
process { process {
try { try {
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False' # 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
# Retrieve the AuditDisabled configuration # Retrieve the AuditDisabled configuration (Condition B)
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled $auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled $auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditNotDisabled) { $failureReasons = if (-not $auditNotDisabled) {
"AuditDisabled is set to True" "AuditDisabled is set to True" # Condition A Fail
} }
else { else {
"N/A" "N/A"
} }
$details = if ($auditNotDisabled) { $details = if ($auditNotDisabled) {
"Audit is not disabled organizationally" "Audit is not disabled organizationally" # Condition C Pass
} }
else { else {
"Audit is disabled organizationally" "Audit is disabled organizationally" # Condition C Fail
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
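Review bot: The compliance decision at `$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled` fails open: if `Get-OrganizationConfig` returns nothing or the property is missing, `-not $null` evaluates to `$true` and the control is reported as passing. An audit check should pass only on an affirmative reading, e.g. `$auditNotDisabled = ($null -ne $auditDisabledConfig) -and ($auditDisabledConfig.AuditDisabled -eq $false)`. The new labels also disagree with the condition block above: the value is read via PowerShell, which the block defines as Condition B (and the retrieval line correctly says so), yet the failure reason is tagged `# Condition A Fail` and the details `# Condition C Pass`/`# Condition C Fail`, although neither the admin-center view (A) nor a separate default-mailbox-auditing check (C) is performed. I would tag all three as Condition B and add `# Conditions A and C are manual checks and are not evaluated here` to the block.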


@@ -11,6 +11,24 @@ function Test-AuditLogSearch {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "3.1.1" $recnum = "3.1.1"
<#
Conditions for 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: Audit log search is enabled in the Microsoft Purview compliance portal.
- Condition B: The audit log retains user and admin activity for 90 days.
- Condition C: Audit log search capabilities are functional (search results are displayed for activities within the past 30 days).
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
- Condition A: Audit log search is not enabled in the Microsoft Purview compliance portal.
- Condition B: The audit log does not retain user and admin activity for 90 days.
- Condition C: Audit log search capabilities are non-functional (no search results are displayed for activities within the past 30 days).
#>
} }
process { process {
@@ -24,6 +42,7 @@ function Test-AuditLogSearch {
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditLogResult) { $failureReasons = if (-not $auditLogResult) {
# Condition A (Fail): Audit log search is not enabled in the Microsoft Purview compliance portal
"Audit log search is not enabled" "Audit log search is not enabled"
} }
else { else {
@@ -31,6 +50,7 @@ function Test-AuditLogSearch {
} }
$details = if ($auditLogResult) { $details = if ($auditLogResult) {
# Condition A (Pass): Audit log search is enabled in the Microsoft Purview compliance portal
"UnifiedAuditLogIngestionEnabled: True" "UnifiedAuditLogIngestionEnabled: True"
} }
else { else {
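Review bot: The condition block lists a 90-day retention requirement (Condition B) and a functional search test (Condition C), but the only value the function evaluates is `$auditLogResult`, whose details line reports `UnifiedAuditLogIngestionEnabled: True`; the computation of `$auditLogResult` sits outside this hunk, so I am inferring it reads that one property. Someone reading a Pass from this test could reasonably assume retention and search were verified when they were not. I would add to the block `# Conditions B and C (retention period, search results) are manual checks and are not evaluated by this function` so the automated result is not over-read.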


@@ -10,6 +10,24 @@ function Test-BlockMailForwarding {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.2.1" $recnum = "6.2.1"
<#
Conditions for 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: Transport rules do not forward email to external domains.
- Condition B: Anti-spam outbound policy is configured to disable automatic email forwarding to external domains.
- Condition C: No exceptions to the forwarding rules unless explicitly defined by organizational policy.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
- Condition A: One or more transport rules forward email to external domains.
- Condition B: Anti-spam outbound policy does not disable automatic email forwarding to external domains.
- Condition C: Unapproved exceptions to the forwarding rules are present.
#>
} }
process { process {
@@ -34,6 +52,7 @@ function Test-BlockMailForwarding {
$details = @() $details = @()
if ($transportRules.Count -gt 0) { if ($transportRules.Count -gt 0) {
# Fail Condition A
$failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')" $failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')"
$details += "Transport Rules Details:`nRule Name|Redirects To" $details += "Transport Rules Details:`nRule Name|Redirects To"
$details += $transportRules | ForEach-Object { $details += $transportRules | ForEach-Object {
@@ -43,6 +62,7 @@ function Test-BlockMailForwarding {
} }
if ($nonCompliantSpamPoliciesArray.Count -gt 0) { if ($nonCompliantSpamPoliciesArray.Count -gt 0) {
# Fail Condition B
$failureReasons += "Outbound spam policies allowing automatic forwarding found." $failureReasons += "Outbound spam policies allowing automatic forwarding found."
$details += "Outbound Spam Policies Details:`nPolicy|AutoForwardingMode" $details += "Outbound Spam Policies Details:`nPolicy|AutoForwardingMode"
$details += $nonCompliantSpamPoliciesArray | ForEach-Object { $details += $nonCompliantSpamPoliciesArray | ForEach-Object {
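Review bot: Condition C in the new block ("no exceptions to the forwarding rules unless explicitly defined by organizational policy") has no corresponding check; only the `# Fail Condition A` branch on `$transportRules` and the `# Fail Condition B` branch on `$nonCompliantSpamPoliciesArray` exist, and how those two collections are built is outside this hunk. A forwarding rule scoped to an exception group would be reported under A as a plain failure, and an approved exception cannot be recognised at all. I would state that in the block, e.g. `# Condition C (policy-approved exceptions) requires manual review and is not evaluated; any matching rule is reported under Condition A`.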


@@ -9,8 +9,25 @@ function Test-EnableDKIM {
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "2.1.9" $recnum = "2.1.9"
<#
Conditions for 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains (Automated)
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: DKIM is enabled for all Exchange Online domains in the Microsoft 365 security center.
- Condition B: Using the Exchange Online PowerShell Module, the `CnameConfiguration.Enabled` property for each domain is set to `True`.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
- Condition A: DKIM is not enabled for one or more Exchange Online domains in the Microsoft 365 security center.
- Condition B: Using the Exchange Online PowerShell Module, the `CnameConfiguration.Enabled` property for one or more domains is set to `False`.
#>
} }
process { process {
@@ -25,17 +42,17 @@ function Test-EnableDKIM {
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $dkimResult) { $failureReasons = if (-not $dkimResult) {
"DKIM is not enabled for some domains" "DKIM is not enabled for some domains" # Condition A fail
} }
else { else {
"N/A" "N/A"
} }
$details = if ($dkimResult) { $details = if ($dkimResult) {
"All domains have DKIM enabled" "All domains have DKIM enabled" # Condition A pass
} }
else { else {
"DKIM not enabled for: $($dkimFailedDomains -join ', ')" "DKIM not enabled for: $($dkimFailedDomains -join ', ')" # Condition B fail
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
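Review bot: The two failure strings are tagged differently although they come from the same outcome: `"DKIM is not enabled for some domains" # Condition A fail` and `"DKIM not enabled for: ..." # Condition B fail` are both driven by `$dkimResult`, which (per the block) is the PowerShell check, i.e. Condition B; the security-center view (A) is not performed. I would tag both as Condition B and add `# Condition A (security center) is the manual equivalent and is not evaluated`. The block also cites a `CnameConfiguration.Enabled` property; `Get-DkimSigningConfig` exposes `Enabled` directly as far as I know, so please confirm the property name against what the process block (outside this hunk) actually reads before documenting it.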


@@ -12,6 +12,22 @@ function Test-IdentifyExternalEmail {
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.2.3" $recnum = "6.2.3"
# Conditions for 6.2.3 (L1) Ensure email from external senders is identified
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: External tagging is enabled using PowerShell for all identities.
# - Condition B: The BypassAllowList only contains email addresses the organization has permitted to bypass external tagging.
# - Condition C: External sender tag appears in email messages received from external sources.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: External tagging is not enabled using PowerShell for all identities.
# - Condition B: The BypassAllowList contains unauthorized email addresses.
# - Condition C: External sender tag does not appear in email messages received from external sources.
} }
process { process {
@@ -25,12 +41,14 @@ function Test-IdentifyExternalEmail {
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $externalTaggingEnabled) { $failureReasons = if (-not $externalTaggingEnabled) {
# Condition A: External tagging is not enabled using PowerShell for all identities.
"External sender tagging is disabled" "External sender tagging is disabled"
} }
else { else {
"N/A" "N/A"
} }
# Details for external tagging configuration
$details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)" $details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
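Review bot: Condition B (the allow list contains only approved addresses) is documented as a pass condition but is never evaluated: `$failureReasons` depends solely on `$externalTaggingEnabled`, and `$details` only prints `$externalInOutlook.AllowList`. That matters here because an allow-list entry exempts a sender from external tagging, so a broad or stale list silently defeats the control while the test reports Pass. The block also calls the property `BypassAllowList` while the code reads `AllowList`; use the name the code reads. I would replace the B wording with `# Condition B (AllowList contents) is surfaced in details only and is not evaluated for pass/fail; review manually`. Where `$externalTaggingEnabled` is computed is outside this hunk.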


@@ -13,6 +13,24 @@ function Test-MailTipsEnabled {
$auditResult = [CISAuditResult]::new() $auditResult = [CISAuditResult]::new()
$recnum = "6.5.2" $recnum = "6.5.2"
# Conditions for 6.5.2 (L2) Ensure MailTips are enabled for end users
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: MailTipsAllTipsEnabled is set to True.
# - Condition B: MailTipsExternalRecipientsTipsEnabled is set to True.
# - Condition C: MailTipsGroupMetricsEnabled is set to True.
# - Condition D: MailTipsLargeAudienceThreshold is set to an acceptable value (default is 25).
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: MailTipsAllTipsEnabled is not set to True.
# - Condition B: MailTipsExternalRecipientsTipsEnabled is not set to True.
# - Condition C: MailTipsGroupMetricsEnabled is not set to True.
# - Condition D: MailTipsLargeAudienceThreshold is not set to an acceptable value (default is 25).
} }
process { process {
@@ -21,6 +39,8 @@ function Test-MailTipsEnabled {
# Retrieve organization configuration for MailTips settings # Retrieve organization configuration for MailTips settings
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold $orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
# Check the MailTips settings (Conditions A, B, C, D)
$allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25 $allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25
$externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled $externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled
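Review bot: The block describes Condition D as "an acceptable value (default is 25)", but the code requires `MailTipsLargeAudienceThreshold -eq 25` exactly, so a tenant that tightened the threshold below 25 is reported as failing. Decide which is intended: if the benchmark demands exactly 25, say `# Condition D: MailTipsLargeAudienceThreshold is exactly 25` in the block; if any threshold up to 25 is acceptable, change the test to `$orgConfig.MailTipsLargeAudienceThreshold -le 25`. The new `# Check the MailTips settings (Conditions A, B, C, D)` comment also sits over a line that evaluates only A, C and D; B is the following assignment.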


@@ -6,6 +6,26 @@ function Test-MailboxAuditingE3 {
) )
begin { begin {
<#
Conditions for 6.1.2 (L1) Ensure mailbox auditing for E3 users is Enabled
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: Mailbox audit logging is enabled for all user mailboxes.
- Condition B: The `AuditAdmin` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
- Condition C: The `AuditDelegate` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
- Condition D: The `AuditOwner` actions include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
- Condition A: Mailbox audit logging is not enabled for all user mailboxes.
- Condition B: The `AuditAdmin` actions do not include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
- Condition C: The `AuditDelegate` actions do not include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
- Condition D: The `AuditOwner` actions do not include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
#>
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
@@ -39,12 +59,15 @@ function Test-MailboxAuditingE3 {
$missingActions = @() $missingActions = @()
if ($mailbox.AuditEnabled) { if ($mailbox.AuditEnabled) {
foreach ($action in $AdminActions) { foreach ($action in $AdminActions) {
# Condition B: Checking if the `AuditAdmin` actions include required actions
if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" } if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" }
} }
foreach ($action in $DelegateActions) { foreach ($action in $DelegateActions) {
# Condition C: Checking if the `AuditDelegate` actions include required actions
if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" } if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" }
} }
foreach ($action in $OwnerActions) { foreach ($action in $OwnerActions) {
# Condition D: Checking if the `AuditOwner` actions include required actions
if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" } if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" }
} }
@@ -54,6 +77,7 @@ function Test-MailboxAuditingE3 {
} }
} }
else { else {
# Condition A: Checking if mailbox audit logging is enabled
$allFailures += "$userUPN|False|||" $allFailures += "$userUPN|False|||"
} }
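Review bot: The condition block reproduces the required `AuditAdmin`/`AuditDelegate`/`AuditOwner` action lists verbatim, but the code enforces `$AdminActions`, `$DelegateActions` and `$OwnerActions`, which are defined outside this hunk; two copies of the same list will drift, and the E5 counterpart in this same commit already shows that happening. I would replace the enumerations with a reference, e.g. `# Conditions B-D: required actions are the $AdminActions/$DelegateActions/$OwnerActions arrays below; keep them aligned with the benchmark`. Tagging `$allFailures += "$userUPN|False|||"` as Condition A is correct, since that branch is the `AuditEnabled` false case.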


@@ -9,6 +9,24 @@ function Test-MailboxAuditingE5 {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Conditions for 6.1.3 (L1) Ensure mailbox auditing for E5 users is Enabled
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: Mailbox auditing is enabled for E5 users.
# - Condition B: AuditAdmin actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
# - Condition C: AuditDelegate actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
# - Condition D: AuditOwner actions include ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: Mailbox auditing is not enabled for E5 users.
# - Condition B: AuditAdmin actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
# - Condition C: AuditDelegate actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
# - Condition D: AuditOwner actions do not include all of the following: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
$e5SkuPartNumbers = @("SPE_E5", "ENTERPRISEPREMIUM", "OFFICEE5") $e5SkuPartNumbers = @("SPE_E5", "ENTERPRISEPREMIUM", "OFFICEE5")
$AdminActions = @("ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules") $AdminActions = @("ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
$DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules") $DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules")
@@ -38,14 +56,17 @@ function Test-MailboxAuditingE5 {
$missingActions = @() $missingActions = @()
if ($mailbox.AuditEnabled) { if ($mailbox.AuditEnabled) {
# Validate Admin actions
foreach ($action in $AdminActions) { foreach ($action in $AdminActions) {
if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" } if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" } # Condition B
} }
# Validate Delegate actions
foreach ($action in $DelegateActions) { foreach ($action in $DelegateActions) {
if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" } if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" } # Condition C
} }
# Validate Owner actions
foreach ($action in $OwnerActions) { foreach ($action in $OwnerActions) {
if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" } if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" } # Condition D
} }
if ($missingActions.Count -gt 0) { if ($missingActions.Count -gt 0) {
@@ -65,10 +86,10 @@ function Test-MailboxAuditingE5 {
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." } $failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." }
$details = if ($allFailures.Count -eq 0) { $details = if ($allFailures.Count -eq 0) {
"All Office E5 users have correct mailbox audit settings." "All Office E5 users have correct mailbox audit settings." # Condition A for pass
} }
else { else {
"UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n") "UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n") # Condition A for fail
} }
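Review bot: The documented action sets are narrower than what the code enforces: Condition B in the block omits `Copy`, `FolderBind` and `Move`, which `$AdminActions` requires, and Condition C omits `FolderBind` and `Move`, which `$DelegateActions` requires, so a mailbox configured exactly as the comment describes would still be reported as failing. Either the arrays or the comment is wrong relative to the benchmark; whichever is kept, the block should point at the arrays rather than restate them, e.g. `# Conditions B-D: required actions are the $AdminActions/$DelegateActions/$OwnerActions arrays below`. The `# Condition A for pass`/`# Condition A for fail` tags on the aggregate `$details` are also misleading, since `$allFailures` includes B-D failures as well as the `AuditEnabled` case.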
# Populate the audit result # Populate the audit result


@@ -9,7 +9,23 @@ function Test-ModernAuthExchangeOnline {
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
# Conditions for 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: Modern authentication for Exchange Online is enabled.
# - Condition B: Exchange Online clients use modern authentication to log in to Microsoft 365 mailboxes.
# - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are no longer able to authenticate to Exchange using Basic Authentication.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: Modern authentication for Exchange Online is not enabled.
# - Condition B: Exchange Online clients do not use modern authentication to log in to Microsoft 365 mailboxes.
# - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are still able to authenticate to Exchange using Basic Authentication.
$recnum = "6.5.1" $recnum = "6.5.1"
} }
@@ -18,6 +34,8 @@ function Test-ModernAuthExchangeOnline {
# Ensuring the ExchangeOnlineManagement module is available # Ensuring the ExchangeOnlineManagement module is available
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled # 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
$orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled $orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
@@ -28,6 +46,7 @@ function Test-ModernAuthExchangeOnline {
"N/A" "N/A"
} }
# Details include the current setting (Condition A and B)
$details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)" $details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)"
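Review bot: The new `(Condition A and B)` tags overclaim: `OAuth2ClientProfileEnabled` only shows that modern authentication is enabled for the organization (A); it does not show that clients are actually using it (B), and nothing here checks that Basic Authentication is blocked (C), which as far as I know is governed separately by authentication policies and the tenant-level basic-auth settings. A Pass from this function should therefore not be read as "legacy auth is off". I would change both comments to `# Condition A: OAuth2ClientProfileEnabled reflects whether modern auth is enabled` and add to the block `# Conditions B and C (client behaviour, Basic Auth blocked) are not evaluated here`.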
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object


@@ -9,8 +9,27 @@ function Test-NoWhitelistDomains {
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "6.2.2" $recnum = "6.2.2"
<#
Conditions for 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains (Automated)
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: No mail transport rules whitelist any specific domains.
- Condition B: Verification of mail transport rules using PowerShell shows no domains are whitelisted.
- Condition C: Manual review in Exchange Online admin center confirms no whitelisted domains in transport rules.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
- Condition A: One or more mail transport rules whitelist specific domains.
- Condition B: Verification of mail transport rules using PowerShell shows one or more domains are whitelisted.
- Condition C: Manual review in Exchange Online admin center shows whitelisted domains in transport rules.
#>
} }
process { process {
@@ -18,9 +37,11 @@ function Test-NoWhitelistDomains {
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains # 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
# Retrieve transport rules that whitelist specific domains # Retrieve transport rules that whitelist specific domains
# Condition A: Checking for transport rules that whitelist specific domains
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs } $whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
# Condition B: Prepare failure reasons based on the presence of whitelisted rules
$failureReasons = if ($whitelistedRules) { $failureReasons = if ($whitelistedRules) {
"There are transport rules whitelisting specific domains." "There are transport rules whitelisting specific domains."
} }
@@ -28,6 +49,7 @@ function Test-NoWhitelistDomains {
"N/A" "N/A"
} }
# Condition C: Prepare details about the whitelisted rules if found
$details = if ($whitelistedRules) { $details = if ($whitelistedRules) {
$ruleDetails = $whitelistedRules | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.SenderDomainIs -join ', ') } $ruleDetails = $whitelistedRules | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.SenderDomainIs -join ', ') }
"Whitelisted Rules: $($ruleDetails -join '; ')" "Whitelisted Rules: $($ruleDetails -join '; ')"
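Review bot: The `# Condition B` and `# Condition C` tags on the failure-reason and details assignments do not match the block: B is the PowerShell verification, which is the `Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }` line already tagged A, and C is a manual admin-center review that this script cannot perform. Building a message string is not a condition. I would tag the filter `# Conditions A/B: transport rules that set SCL -1 for specific sender domains`, replace the B tag with `# Build failure reason from the whitelisted rules`, and replace the C tag with `# Build rule details; Condition C (admin-center review) is manual and not evaluated`.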


@@ -7,6 +7,22 @@ function Test-PasswordHashSync {
) )
begin { begin {
# Conditions for 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: Password hash sync is enabled in the Azure AD Connect tool on the on-premises server.
# - Condition B: Password hash sync is verified as enabled in the Azure AD Connect Sync section in the Microsoft Entra admin center.
# - Condition C: Using Microsoft Graph PowerShell, the verification command returns the expected result indicating that password sync is enabled for the on-premises AD.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: Password hash sync is not enabled in the Azure AD Connect tool on the on-premises server.
# - Condition B: Password hash sync is not verified as enabled in the Azure AD Connect Sync section in the Microsoft Entra admin center.
# - Condition C: Using Microsoft Graph PowerShell, the verification command returns no result indicating that password sync is not enabled for the on-premises AD.
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
@@ -16,9 +32,8 @@ function Test-PasswordHashSync {
process { process {
try { try {
# 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments # 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
# Pass if OnPremisesSyncEnabled is True. Fail otherwise.
# Retrieve password hash sync status # Retrieve password hash sync status (Condition A and C)
$passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled $passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled
$hashSyncResult = $passwordHashSync $hashSyncResult = $passwordHashSync
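Review bot: The new `(Condition A and C)` tag and the variable name `$passwordHashSync` overstate what `Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled` tells you: that property reports whether directory synchronization is configured at all, not whether password hash sync is the enabled feature, so a tenant using pass-through authentication or federation with directory sync and no PHS would pass this control. The removed line `# Pass if OnPremisesSyncEnabled is True. Fail otherwise.` was the accurate description and should not have been dropped. If I recall the Graph resource correctly, the PHS flag is `PasswordSyncEnabled` under the `Features` of `Get-MgDirectoryOnPremiseSynchronization`; at minimum the comment should read `# Reads OnPremisesSyncEnabled only (directory sync configured); does not verify password hash sync itself - TODO confirm against the benchmark audit command`.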


@@ -9,11 +9,26 @@ function Test-RestrictOutlookAddins {
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code # Initialization code
$customPolicyFailures = @() $customPolicyFailures = @()
$defaultPolicyFailureDetails = @() $defaultPolicyFailureDetails = @()
$relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps') $relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
$recnum = "6.3.1" $recnum = "6.3.1"
# Conditions for 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
# - Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: One or more of the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are checked under Other roles.
# - Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are assigned to users.
} }
process { process {
@@ -28,6 +43,8 @@ function Test-RestrictOutlookAddins {
if ($policy.RoleAssignmentPolicy) { if ($policy.RoleAssignmentPolicy) {
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy $rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles } $foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
if ($foundRoles) { if ($foundRoles) {
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')" $customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
} }
@@ -38,6 +55,8 @@ function Test-RestrictOutlookAddins {
# Check Default Role Assignment Policy # Check Default Role Assignment Policy
$defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy" $defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
$defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles } $defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
if ($defaultPolicyRoles) { if ($defaultPolicyRoles) {
$defaultPolicyFailureDetails = $defaultPolicyRoles $defaultPolicyFailureDetails = $defaultPolicyRoles
} }
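Review bot: The role names in the new Conditions comment in the begin block (`MyCustomApps`, `MyMarketplaceApps`, `MyReadWriteMailboxApps`) and in the two inline comments do not match the literal strings the test actually filters on in `$relevantRoles` ('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps'), so a reader checking the comment against the code cannot tell which spelling AssignedRoles is expected to contain. Suggest quoting the spaced names from `$relevantRoles`, e.g. `# - Condition B: Using PowerShell, verify that none of $relevantRoles ('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps') appear in the AssignedRoles of any role assignment policy.` The inline label on the default-policy check reads "Condition A", but Condition A as written describes the portal step, which this script cannot observe; both branches appear to implement the PowerShell check, so labelling them Condition B (custom policies / Default Role Assignment Policy) would be more accurate. The enclosing process/try block starts and ends outside these hunks.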


@@ -9,8 +9,25 @@ function Test-RestrictTenantCreation {
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "5.1.2.3" $recnum = "5.1.2.3"
<#
Conditions for 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
Validate test for a pass:
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
- Specific conditions to check:
- Condition A: Restrict non-admin users from creating tenants is set to 'Yes' in the Azure AD and Entra administration portal.
- Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is set to 'Yes'.
Validate test for a fail:
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
- Specific conditions to check:
- Condition A: Restrict non-admin users from creating tenants is not set to 'Yes' in the Azure AD and Entra administration portal.
- Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is not set to 'Yes'.
#>
} }
process { process {
@@ -60,5 +77,3 @@ function Test-RestrictTenantCreation {
return $auditResult return $auditResult
} }
} }
# Additional helper functions (if any)
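Review bot: The new Conditions comment in the begin block is a `<# … #>` block, while the same kind of comment added to Test-RestrictOutlookAddins and Test-PasswordHashSync in this commit uses `#` line comments; one form across the test files would make these blocks easier to grep and diff. The block also lacks the blank separator between the pass and fail sections that the line-comment variants have, so `Validate test for a fail:` runs straight on from Condition B. Consider inserting a blank line before `Validate test for a fail:`. The process block that implements the check lies outside the hunk, so whether the comment's Condition B matches what the code retrieves cannot be confirmed from here.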