diff --git a/source/Private/Get-CISExoOutput.ps1 b/source/Private/Get-CISExoOutput.ps1
index da7a5e3..615c421 100644
--- a/source/Private/Get-CISExoOutput.ps1
+++ b/source/Private/Get-CISExoOutput.ps1
@@ -349,7 +349,46 @@ function Get-CISExoOutput {
 }
 '2.1.7' {
 # Test-AntiPhishingPolicy.ps1
- # Condition A: Ensure that an anti-phishing policy has been created
+ <#
+ $antiPhishPolicies = @(
+ [PSCustomObject]@{
+ Identity = "Strict Preset Security Policy"
+ Enabled = $true
+ PhishThresholdLevel = 4
+ EnableMailboxIntelligenceProtection = $true
+ EnableMailboxIntelligence = $true
+ EnableSpoofIntelligence = $true
+ TargetedUsersToProtect = "John Doe;jdoe@contoso.net, Jane Does;janedoe@contoso.net"
+ },
+ [PSCustomObject]@{
+ Identity = "Office365 AntiPhish Default"
+ Enabled = $true
+ PhishThresholdLevel = 2
+ EnableMailboxIntelligenceProtection = $true
+ EnableMailboxIntelligence = $true
+ EnableSpoofIntelligence = $true
+ TargetedUsersToProtect = $null # Assuming it targets all users as it's the default
+ },
+ [PSCustomObject]@{
+ Identity = "Admin"
+ Enabled = $true
+ PhishThresholdLevel = 2
+ EnableMailboxIntelligenceProtection = $true
+ EnableMailboxIntelligence = $true
+ EnableSpoofIntelligence = $true
+ TargetedUsersToProtect = $null # Assuming it targets all users
+ },
+ [PSCustomObject]@{
+ Identity = "Standard Preset Security Policy"
+ Enabled = $true
+ PhishThresholdLevel = 3
+ EnableMailboxIntelligenceProtection = $true
+ EnableMailboxIntelligence = $true
+ EnableSpoofIntelligence = $true
+ TargetedUsersToProtect = $null # Assuming it targets all users
+ }
+ )
+ #>
 $antiPhishPolicies = Get-AntiPhishPolicy
 return $antiPhishPolicies
 }
diff --git a/source/Private/Get-PhishPolicyDetail.ps1 b/source/Private/Get-PhishPolicyDetail.ps1
new file mode 100644
index 0000000..c9be82c
--- /dev/null
+++ b/source/Private/Get-PhishPolicyDetail.ps1
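Review bot: The '2.1.7' branch now carries a forty-line `<# … #>` block of hand-written sample policy objects in place of the removed `# Condition A: Ensure that an anti-phishing policy has been created` comment, which leaves fixture data in production source where it is never executed and will drift from what Get-AntiPhishPolicy actually returns. Those sample objects belong in the new tests/Unit/Private files as a `Mock Get-AntiPhishPolicy { … }` that the Test-PhishPolicyCompliance cases can consume, and the one-line purpose comment should be put back so the branch still says which CIS condition it feeds. If the block is kept temporarily, at least note above it that it is sample data and why it is retained. The enclosing switch in Get-CISExoOutput starts and ends outside the hunk.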
@@ -0,0 +1,18 @@
+function Get-PhishPolicyDetail {
+ param (
+ [Parameter(Mandatory = $true)]
+ [pscustomobject]$policy,
+
+ [Parameter(Mandatory = $true)]
+ [bool]$isCompliant
+ )
+
+ return "Policy: $($policy.Identity)`n" +
+ "Enabled: $($policy.Enabled)`n" +
+ "PhishThresholdLevel: $($policy.PhishThresholdLevel)`n" +
+ "MailboxIntelligenceProtection: $($policy.EnableMailboxIntelligenceProtection)`n" +
+ "MailboxIntelligence: $($policy.EnableMailboxIntelligence)`n" +
+ "SpoofIntelligence: $($policy.EnableSpoofIntelligence)`n" +
+ "TargetedUsersToProtect: $($policy.TargetedUsersToProtect -join ', ')`n" +
+ "IsCompliant: $isCompliant"
+}
\ No newline at end of file
diff --git a/source/Private/Test-PhishPolicyCompliance.ps1 b/source/Private/Test-PhishPolicyCompliance.ps1
new file mode 100644
index 0000000..01b99aa
--- /dev/null
+++ b/source/Private/Test-PhishPolicyCompliance.ps1
@@ -0,0 +1,8 @@
+function Test-PhishPolicyCompliance {
+ param ($policy)
+ return ($policy.Enabled -eq $true -and
+ $policy.PhishThresholdLevel -ge 2 -and
+ $policy.EnableMailboxIntelligenceProtection -eq $true -and
+ $policy.EnableMailboxIntelligence -eq $true -and
+ $policy.EnableSpoofIntelligence -eq $true)
+}
\ No newline at end of file
diff --git a/source/tests/Test-AntiPhishingPolicy.ps1 b/source/tests/Test-AntiPhishingPolicy.ps1
index 522aa69..34b84a4 100644
--- a/source/tests/Test-AntiPhishingPolicy.ps1
+++ b/source/tests/Test-AntiPhishingPolicy.ps1
@@ -1,5 +1,5 @@
-function Is-PolicyCompliant {
+function Test-PhishPolicyCompliance {
 param ($policy)
 return ($policy.Enabled -eq $true -and
 $policy.PhishThresholdLevel -ge 2 -and
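Review bot: Get-PhishPolicyDetail has no comment-based help and no `[OutputType([string])]`, so neither Get-Help nor the caller in Test-AntiPhishingPolicy.ps1 can tell what the returned text is for. Add a help block above `param (` with a `.SYNOPSIS` saying it renders one anti-phish policy's evaluated settings as a newline-separated block for the audit Details field, plus `.PARAMETER policy` (the object from Get-AntiPhishPolicy) and `.PARAMETER isCompliant` (the result of Test-PhishPolicyCompliance for that object). The parameter names are lower-case, which departs from the PascalCase the rest of PowerShell uses; since binding is case-insensitive, renaming them to `$Policy` and `$IsCompliant` keeps the existing `-policy`/`-isCompliant` call sites working. The file also ends without a trailing newline.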
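Review bot: Test-PhishPolicyCompliance is now defined twice in the module: once in this new private file and once as the renamed copy at the top of source/tests/Test-AntiPhishingPolicy.ps1 (the `@@ -1,5 +1,5 @@` hunk), so whichever file is dot-sourced last silently wins and the two bodies can drift apart — the same duplication this commit just removed for Get-PolicyDetails. Delete the copy in Test-AntiPhishingPolicy.ps1 and keep only this one. `param ($policy)` also accepts `$null` and any type; under Set-StrictMode a lookup of a property that the object lacks would throw rather than evaluate to `$false`, so declare `[Parameter(Mandatory = $true)] [pscustomobject]$policy` and add `[OutputType([bool])]` so the contract matches Get-PhishPolicyDetail.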
@@ -8,24 +8,7 @@ function Is-PolicyCompliant {
 $policy.EnableSpoofIntelligence -eq $true)
 }
-function Get-PolicyDetails {
- param (
- [Parameter(Mandatory = $true)]
- [pscustomobject]$policy,
- [Parameter(Mandatory = $true)]
- [bool]$isCompliant
- )
-
- return "Policy: $($policy.Identity)`n" +
- "Enabled: $($policy.Enabled)`n" +
- "PhishThresholdLevel: $($policy.PhishThresholdLevel)`n" +
- "MailboxIntelligenceProtection: $($policy.EnableMailboxIntelligenceProtection)`n" +
- "MailboxIntelligence: $($policy.EnableMailboxIntelligence)`n" +
- "SpoofIntelligence: $($policy.EnableSpoofIntelligence)`n" +
- "TargetedUsersToProtect: $($policy.TargetedUsersToProtect -join ', ')`n" +
- "IsCompliant: $isCompliant"
-}
 function Test-AntiPhishingPolicy {
 [CmdletBinding()]
@@ -81,7 +64,7 @@ function Test-AntiPhishingPolicy {
 Write-Verbose "Evaluating policy: $($strictPolicy.Identity)"
 $policiesEvaluated += $strictPolicy.Identity
 # Check if policy is compliant
-$isCompliant = Is-PolicyCompliant -policy $strictPolicy
+$isCompliant = Test-PhishPolicyCompliance -policy $strictPolicy
 # Log failure reasons for non-compliant policies
 if (-not $isCompliant) {
 $failureReasons += "Policy $($strictPolicy.Identity) does not meet compliance criteria."
@@ -89,7 +72,7 @@ function Test-AntiPhishingPolicy {
 $FailedTests += $strictPolicy.Identity
 }
 # Compile details of each policy using the new function
-$details += Get-PolicyDetails -policy $strictPolicy -isCompliant $isCompliant
+$details += Get-PhishPolicyDetail -policy $strictPolicy -isCompliant $isCompliant
 # Check if policy is Strict and covers all users
 if ($isCompliant) {
 $PassedTests += $strictPolicy.Identity
@@ -111,7 +94,7 @@ function Test-AntiPhishingPolicy {
 Write-Verbose "Evaluating policy: $($standardPolicy.Identity)"
 $policiesEvaluated += $standardPolicy.Identity
 # Check if policy is compliant
-$isCompliant = Is-PolicyCompliant -policy $standardPolicy
+$isCompliant = Test-PhishPolicyCompliance -policy $standardPolicy
 # Log failure reasons for non-compliant policies
 if (-not $isCompliant) {
 $failureReasons += "$($standardPolicy.Identity) does not meet compliance criteria."
@@ -119,7 +102,7 @@ function Test-AntiPhishingPolicy {
 $FailedTests += $standardPolicy.Identity
 }
 # Compile details of each policy using the new function
-$details += Get-PolicyDetails -policy $standardPolicy -isCompliant $isCompliant
+$details += Get-PhishPolicyDetail -policy $standardPolicy -isCompliant $isCompliant
 # Check if policy is Strict and covers all users
 if ($isCompliant) {
 Write-Verbose "$($standardPolicy.Identity) is compliant."
@@ -138,8 +121,8 @@ function Test-AntiPhishingPolicy {
 }
 elseif ($null -ne $standardPolicy) {
 Write-Verbose "$($standardPolicy.Identity) was not evaluated."
-$isCompliant = Is-PolicyCompliant -policy $standardPolicy
-$details += Get-PolicyDetails -policy $standardPolicy -isCompliant $isCompliant
+$isCompliant = Test-PhishPolicyCompliance -policy $standardPolicy
+$details += Get-PhishPolicyDetail -policy $standardPolicy -isCompliant $isCompliant
 $details += "Is Full Coverage Policy: $($false)`n`n"
 }
 # Step 5: Check Custom Policies if no full coverage from Strict or Standard
@@ -149,7 +132,7 @@ function Test-AntiPhishingPolicy {
 Write-Verbose "Evaluating policy: $($policy.Identity)"
 $policiesEvaluated += $policy.Identity
 # Check if policy is compliant
-$isCompliant = Is-PolicyCompliant -policy $policy
+$isCompliant = Test-PhishPolicyCompliance -policy $policy
 # Log failure reasons for non-compliant policies
 if (-not $isCompliant) {
 $failureReasons += "$($policy.Identity) Policy does not meet compliance criteria."
@@ -157,7 +140,7 @@ function Test-AntiPhishingPolicy {
 $FailedTests += $policy.Identity
 }
 # Compile details of each policy using the new function
-$details += Get-PolicyDetails -policy $policy -isCompliant $isCompliant
+$details += Get-PhishPolicyDetail -policy $policy -isCompliant $isCompliant
 # Check if policy is Custom and covers all users
 if ($isCompliant) {
 Write-Verbose "$($policy.Identity) is compliant."
@@ -176,8 +159,8 @@ function Test-AntiPhishingPolicy {
 }
 elseif ($compliantPolicy) {
 Write-Verbose "$($policy.Identity) was not evaluated."
-$isCompliant = Is-PolicyCompliant -policy $policy
-$details += Get-PolicyDetails -policy $policy -isCompliant $isCompliant
+$isCompliant = Test-PhishPolicyCompliance -policy $policy
+$details += Get-PhishPolicyDetail -policy $policy -isCompliant $isCompliant
 $details += "Is Full Coverage Policy: $($false)`n`n"
 }
 }
@@ -185,8 +168,8 @@ function Test-AntiPhishingPolicy {
 elseif ($null -ne $customPolicies ) {
 foreach ($policy in $customPolicies) {
 Write-Verbose "$($policy.Identity) was not evaluated."
-$isCompliant = Is-PolicyCompliant -policy $policy
-$details += Get-PolicyDetails -policy $policy -isCompliant $isCompliant
+$isCompliant = Test-PhishPolicyCompliance -policy $policy
+$details += Get-PhishPolicyDetail -policy $policy -isCompliant $isCompliant
 $details += "Is Full Coverage Policy: $($false)`n`n"
 }
 }
@@ -195,7 +178,7 @@ function Test-AntiPhishingPolicy {
 Write-Verbose "Evaluating policy: $($defaultPolicy.Identity)"
 $policiesEvaluated += $defaultPolicy.Identity
 # Check if policy is compliant
-$isCompliant = Is-PolicyCompliant -policy $defaultPolicy
+$isCompliant = Test-PhishPolicyCompliance -policy $defaultPolicy
 # Log failure reasons for non-compliant policies
 if (-not $isCompliant) {
 $failureReasons += "$($defaultPolicy.Identity) Policy does not meet compliance criteria."
@@ -203,7 +186,7 @@ function Test-AntiPhishingPolicy {
 $FailedTests += $defaultPolicy.Identity
 }
 # Compile details of each policy using the new function
-$details += Get-PolicyDetails -policy $defaultPolicy -isCompliant $isCompliant
+$details += Get-PhishPolicyDetail -policy $defaultPolicy -isCompliant $isCompliant
 # Check if policy is Default and covers all users
 if ($isCompliant) {
 Write-Verbose "$($defaultPolicy.Identity) is compliant."
@@ -222,20 +205,23 @@ function Test-AntiPhishingPolicy {
 }
 elseif ($null -ne $defaultPolicy) {
 Write-Verbose "$($defaultPolicy.Identity) was not evaluated."
-$isCompliant = Is-PolicyCompliant -policy $defaultPolicy
-$details += Get-PolicyDetails -policy $defaultPolicy -isCompliant $isCompliant
+$isCompliant = Test-PhishPolicyCompliance -policy $defaultPolicy
+$details += Get-PhishPolicyDetail -policy $defaultPolicy -isCompliant $isCompliant
 $details += "Is Full Coverage Policy: $($false)`n`n"
 }
-# Need new steps for below:
+# Determine overall compliance based on the evaluations
 $isOverallCompliant = $hasFullCoveragePolicy -and $null -ne $compliantPolicy
+# Prepare result details
 $resultDetails = if ($isOverallCompliant) {
 "Compliant Policy: $($compliantPolicy.Identity)`nDetails:`n" + ($details -join "`n")
 } else {
 "Non-Compliant or No Policy Fully Covers All Users.`nDetails:`n" + ($details -join "`n")
 }
-
+# Verbose output for the overall compliance
+Write-Verbose "Overall Compliance: $isOverallCompliant"
 $VerbosePreference = "SilentlyContinue"
+# Prepare the parameters for the audit result
 $params = @{
 Rec = $recnum
 Result = $isOverallCompliant
@@ -243,6 +229,7 @@ function Test-AntiPhishingPolicy {
 Details = $resultDetails
 FailureReason = if (-not $isOverallCompliant) { $failureReasons -join "`n" } else { "All settings are correct based on the highest precedence policy that applies to all users." }
 }
+# Initialize the audit result
 $auditResult = Initialize-CISAuditResult @params
 }
 catch {
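Review bot: In the `@@ -222,20 +205,23 @@` hunk the new comment `# Verbose output for the overall compliance` describes the `Write-Verbose` it sits on, while the line that actually needs explaining is the unchanged `$VerbosePreference = "SilentlyContinue"` directly after it, which silences verbose output for the rest of the function for a reason the hunk does not state. Replace that comment with a why-comment on the preference line, for example `# Silence verbose output from this point (Initialize-CISAuditResult below) now that every policy has been reported`, if that is the intent — it is not visible here and should be confirmed. The other added comments (`# Prepare result details`, `# Prepare the parameters for the audit result`, `# Initialize the audit result`) restate the code that follows them and could be dropped. Test-AntiPhishingPolicy begins and ends outside the hunk.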
diff --git a/tests/Unit/Private/Get-PhishPolicyDetail.tests.ps1 b/tests/Unit/Private/Get-PhishPolicyDetail.tests.ps1
new file mode 100644
index 0000000..4a2aa69
--- /dev/null
+++ b/tests/Unit/Private/Get-PhishPolicyDetail.tests.ps1
@@ -0,0 +1,27 @@
+$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
+$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
+ ($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
+ $(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
+ }).BaseName
+
+
+Import-Module $ProjectName
+
+InModuleScope $ProjectName {
+ Describe Get-PrivateFunction {
+ Context 'Default' {
+ BeforeEach {
+ $return = Get-PrivateFunction -PrivateData 'string'
+ }
+
+ It 'Returns a single object' {
+ ($return | Measure-Object).Count | Should -Be 1
+ }
+
+ It 'Returns a string based on the parameter PrivateData' {
+ $return | Should -Be 'string'
+ }
+ }
+ }
+}
+
diff --git a/tests/Unit/Private/Test-PhishPolicyCompliance.tests.ps1 b/tests/Unit/Private/Test-PhishPolicyCompliance.tests.ps1
new file mode 100644
index 0000000..4a2aa69
--- /dev/null
+++ b/tests/Unit/Private/Test-PhishPolicyCompliance.tests.ps1
@@ -0,0 +1,27 @@
+$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
+$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
+ ($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
+ $(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
+ }).BaseName
+
+
+Import-Module $ProjectName
+
+InModuleScope $ProjectName {
+ Describe Get-PrivateFunction {
+ Context 'Default' {
+ BeforeEach {
+ $return = Get-PrivateFunction -PrivateData 'string'
+ }
+
+ It 'Returns a single object' {
+ ($return | Measure-Object).Count | Should -Be 1
+ }
+
+ It 'Returns a string based on the parameter PrivateData' {
+ $return | Should -Be 'string'
+ }
+ }
+ }
+}
+
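Review bot: Both new test files, Get-PhishPolicyDetail.tests.ps1 and Test-PhishPolicyCompliance.tests.ps1 (identical, same blob 4a2aa69), are an unedited placeholder template: they `Describe Get-PrivateFunction` and call `Get-PrivateFunction -PrivateData 'string'`, so neither new private function is exercised and the two compliance rules this commit introduces (`PhishThresholdLevel -ge 2`, the three `Enable*` flags) have no coverage. Replace the Describe block in each file with cases against the real function; a shape for the first file is below, and Test-PhishPolicyCompliance.tests.ps1 should assert `$true` for a fully enabled object and `$false` for one with `PhishThresholdLevel = 1` and for one with `Enabled = $false`. The sample objects in the `<# … #>` block added to Get-CISExoOutput.ps1 could serve as that fixture instead of living in production source.
```powershell
# … unchanged: $ProjectPath / $ProjectName discovery and Import-Module …
InModuleScope $ProjectName {
    Describe Get-PhishPolicyDetail {
        BeforeAll {
            # constructed sample object, not taken from a tenant
            $policy = [PSCustomObject]@{
                Identity                            = 'Example Policy'
                Enabled                             = $true
                PhishThresholdLevel                 = 2
                EnableMailboxIntelligenceProtection = $true
                EnableMailboxIntelligence           = $true
                EnableSpoofIntelligence             = $true
                TargetedUsersToProtect              = $null
            }
        }

        It 'Returns a single string' {
            $return = Get-PhishPolicyDetail -policy $policy -isCompliant $true
            ($return | Measure-Object).Count | Should -Be 1
            $return | Should -BeOfType [string]
        }

        It 'Reports the policy identity and the compliance flag it was given' {
            $return = Get-PhishPolicyDetail -policy $policy -isCompliant $false
            $return | Should -Match 'Policy: Example Policy'
            $return | Should -Match 'IsCompliant: False'
        }
    }
}
```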