fix: 2.1.7 simplified output and added object comment-rc

This commit is contained in:
DrIOS
2024-06-29 15:32:19 -05:00
parent db38fe827e
commit d660f46eeb
6 changed files with 143 additions and 37 deletions


@@ -349,7 +349,46 @@ function Get-CISExoOutput {
} }
'2.1.7' { '2.1.7' {
# Test-AntiPhishingPolicy.ps1 # Test-AntiPhishingPolicy.ps1
# Condition A: Ensure that an anti-phishing policy has been created <#
$antiPhishPolicies = @(
[PSCustomObject]@{
Identity = "Strict Preset Security Policy"
Enabled = $true
PhishThresholdLevel = 4
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = "John Doe;jdoe@contoso.net, Jane Does;janedoe@contoso.net"
},
[PSCustomObject]@{
Identity = "Office365 AntiPhish Default"
Enabled = $true
PhishThresholdLevel = 2
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = $null # Assuming it targets all users as it's the default
},
[PSCustomObject]@{
Identity = "Admin"
Enabled = $true
PhishThresholdLevel = 2
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = $null # Assuming it targets all users
},
[PSCustomObject]@{
Identity = "Standard Preset Security Policy"
Enabled = $true
PhishThresholdLevel = 3
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = $null # Assuming it targets all users
}
)
#>
$antiPhishPolicies = Get-AntiPhishPolicy $antiPhishPolicies = Get-AntiPhishPolicy
return $antiPhishPolicies return $antiPhishPolicies
} }
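Review bot: The removed `# Condition A: Ensure that an anti-phishing policy has been created` line was the only statement of what this branch collects, and the new `<# ... #>` block replaces it with sample objects without saying they are samples or why they are kept; open the block with something like `<# Condition A: Ensure that an anti-phishing policy has been created. Sample Get-AntiPhishPolicy output, kept for offline testing only (not executed):` so the intent survives. The first sample's `TargetedUsersToProtect` is one semicolon/comma-separated string, whereas Get-PhishPolicyDetail added in this commit applies `-join ', '` to that property, which suggests the live cmdlet returns an array; if so, the sample shape will mislead anyone who later uncomments it to mock the cmdlet. Get-CISExoOutput begins before this hunk.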


@@ -0,0 +1,18 @@
function Get-PhishPolicyDetail {
param (
[Parameter(Mandatory = $true)]
[pscustomobject]$policy,
[Parameter(Mandatory = $true)]
[bool]$isCompliant
)
return "Policy: $($policy.Identity)`n" +
"Enabled: $($policy.Enabled)`n" +
"PhishThresholdLevel: $($policy.PhishThresholdLevel)`n" +
"MailboxIntelligenceProtection: $($policy.EnableMailboxIntelligenceProtection)`n" +
"MailboxIntelligence: $($policy.EnableMailboxIntelligence)`n" +
"SpoofIntelligence: $($policy.EnableSpoofIntelligence)`n" +
"TargetedUsersToProtect: $($policy.TargetedUsersToProtect -join ', ')`n" +
"IsCompliant: $isCompliant"
}
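Review bot: Get-PhishPolicyDetail has no comment-based help and no output type, so neither the one-line-per-setting format nor the fact that the returned string carries the policy's protected user names and addresses into the audit details is recorded anywhere; add a `.SYNOPSIS`/`.PARAMETER policy`/`.PARAMETER isCompliant` block and `[OutputType([string])]` above `param`. `[pscustomobject]` is a type accelerator for PSObject, so the constraint on `$policy` admits any object, and a property that is absent from it renders as an empty value in the report rather than raising (unless Set-StrictMode is active); a `.NOTES` line stating that fail-quiet behaviour, or a `[ValidateNotNull()]` on the parameter, would make the failure mode explicit for the callers in Test-AntiPhishingPolicy.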


@@ -0,0 +1,8 @@
function Test-PhishPolicyCompliance {
param ($policy)
return ($policy.Enabled -eq $true -and
$policy.PhishThresholdLevel -ge 2 -and
$policy.EnableMailboxIntelligenceProtection -eq $true -and
$policy.EnableMailboxIntelligence -eq $true -and
$policy.EnableSpoofIntelligence -eq $true)
}
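Review bot: `param ($policy)` is untyped and optional, so a call with no argument or with `$null` evaluates `$null.Enabled -eq $true` and quietly returns `$false`, reporting a non-compliant policy where a usage error was the real problem; declare it `[Parameter(Mandatory = $true)] $policy` and add `[OutputType([bool])]` so the predicate's contract is visible. `PhishThresholdLevel -ge 2` is the only numeric constant in the check and deserves a why-comment, e.g. `# Compliance floor for the 2.1.7 check: enabled, PhishThresholdLevel >= 2, mailbox-intelligence protection, mailbox intelligence and spoof intelligence all on`. The same body is also still present under this name in Test-AntiPhishingPolicy.ps1 in this commit (see the note on that file).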


@@ -1,5 +1,5 @@
function Is-PolicyCompliant { function Test-PhishPolicyCompliance {
param ($policy) param ($policy)
return ($policy.Enabled -eq $true -and return ($policy.Enabled -eq $true -and
$policy.PhishThresholdLevel -ge 2 -and $policy.PhishThresholdLevel -ge 2 -and
@@ -8,24 +8,7 @@ function Is-PolicyCompliant {
$policy.EnableSpoofIntelligence -eq $true) $policy.EnableSpoofIntelligence -eq $true)
} }
function Get-PolicyDetails {
param (
[Parameter(Mandatory = $true)]
[pscustomobject]$policy,
[Parameter(Mandatory = $true)]
[bool]$isCompliant
)
return "Policy: $($policy.Identity)`n" +
"Enabled: $($policy.Enabled)`n" +
"PhishThresholdLevel: $($policy.PhishThresholdLevel)`n" +
"MailboxIntelligenceProtection: $($policy.EnableMailboxIntelligenceProtection)`n" +
"MailboxIntelligence: $($policy.EnableMailboxIntelligence)`n" +
"SpoofIntelligence: $($policy.EnableSpoofIntelligence)`n" +
"TargetedUsersToProtect: $($policy.TargetedUsersToProtect -join ', ')`n" +
"IsCompliant: $isCompliant"
}
function Test-AntiPhishingPolicy { function Test-AntiPhishingPolicy {
[CmdletBinding()] [CmdletBinding()]
@@ -81,7 +64,7 @@ function Test-AntiPhishingPolicy {
Write-Verbose "Evaluating policy: $($strictPolicy.Identity)" Write-Verbose "Evaluating policy: $($strictPolicy.Identity)"
$policiesEvaluated += $strictPolicy.Identity $policiesEvaluated += $strictPolicy.Identity
# Check if policy is compliant # Check if policy is compliant
$isCompliant = Is-PolicyCompliant -policy $strictPolicy $isCompliant = Test-PhishPolicyCompliance -policy $strictPolicy
# Log failure reasons for non-compliant policies # Log failure reasons for non-compliant policies
if (-not $isCompliant) { if (-not $isCompliant) {
$failureReasons += "Policy $($strictPolicy.Identity) does not meet compliance criteria." $failureReasons += "Policy $($strictPolicy.Identity) does not meet compliance criteria."
@@ -89,7 +72,7 @@ function Test-AntiPhishingPolicy {
$FailedTests += $strictPolicy.Identity $FailedTests += $strictPolicy.Identity
} }
# Compile details of each policy using the new function # Compile details of each policy using the new function
$details += Get-PolicyDetails -policy $strictPolicy -isCompliant $isCompliant $details += Get-PhishPolicyDetail -policy $strictPolicy -isCompliant $isCompliant
# Check if policy is Strict and covers all users # Check if policy is Strict and covers all users
if ($isCompliant) { if ($isCompliant) {
$PassedTests += $strictPolicy.Identity $PassedTests += $strictPolicy.Identity
@@ -111,7 +94,7 @@ function Test-AntiPhishingPolicy {
Write-Verbose "Evaluating policy: $($standardPolicy.Identity)" Write-Verbose "Evaluating policy: $($standardPolicy.Identity)"
$policiesEvaluated += $standardPolicy.Identity $policiesEvaluated += $standardPolicy.Identity
# Check if policy is compliant # Check if policy is compliant
$isCompliant = Is-PolicyCompliant -policy $standardPolicy $isCompliant = Test-PhishPolicyCompliance -policy $standardPolicy
# Log failure reasons for non-compliant policies # Log failure reasons for non-compliant policies
if (-not $isCompliant) { if (-not $isCompliant) {
$failureReasons += "$($standardPolicy.Identity) does not meet compliance criteria." $failureReasons += "$($standardPolicy.Identity) does not meet compliance criteria."
@@ -119,7 +102,7 @@ function Test-AntiPhishingPolicy {
$FailedTests += $standardPolicy.Identity $FailedTests += $standardPolicy.Identity
} }
# Compile details of each policy using the new function # Compile details of each policy using the new function
$details += Get-PolicyDetails -policy $standardPolicy -isCompliant $isCompliant $details += Get-PhishPolicyDetail -policy $standardPolicy -isCompliant $isCompliant
# Check if policy is Strict and covers all users # Check if policy is Strict and covers all users
if ($isCompliant) { if ($isCompliant) {
Write-Verbose "$($standardPolicy.Identity) is compliant." Write-Verbose "$($standardPolicy.Identity) is compliant."
@@ -138,8 +121,8 @@ function Test-AntiPhishingPolicy {
} }
elseif ($null -ne $standardPolicy) { elseif ($null -ne $standardPolicy) {
Write-Verbose "$($standardPolicy.Identity) was not evaluated." Write-Verbose "$($standardPolicy.Identity) was not evaluated."
$isCompliant = Is-PolicyCompliant -policy $standardPolicy $isCompliant = Test-PhishPolicyCompliance -policy $standardPolicy
$details += Get-PolicyDetails -policy $standardPolicy -isCompliant $isCompliant $details += Get-PhishPolicyDetail -policy $standardPolicy -isCompliant $isCompliant
$details += "Is Full Coverage Policy: $($false)`n`n" $details += "Is Full Coverage Policy: $($false)`n`n"
} }
# Step 5: Check Custom Policies if no full coverage from Strict or Standard # Step 5: Check Custom Policies if no full coverage from Strict or Standard
@@ -149,7 +132,7 @@ function Test-AntiPhishingPolicy {
Write-Verbose "Evaluating policy: $($policy.Identity)" Write-Verbose "Evaluating policy: $($policy.Identity)"
$policiesEvaluated += $policy.Identity $policiesEvaluated += $policy.Identity
# Check if policy is compliant # Check if policy is compliant
$isCompliant = Is-PolicyCompliant -policy $policy $isCompliant = Test-PhishPolicyCompliance -policy $policy
# Log failure reasons for non-compliant policies # Log failure reasons for non-compliant policies
if (-not $isCompliant) { if (-not $isCompliant) {
$failureReasons += "$($policy.Identity) Policy does not meet compliance criteria." $failureReasons += "$($policy.Identity) Policy does not meet compliance criteria."
@@ -157,7 +140,7 @@ function Test-AntiPhishingPolicy {
$FailedTests += $policy.Identity $FailedTests += $policy.Identity
} }
# Compile details of each policy using the new function # Compile details of each policy using the new function
$details += Get-PolicyDetails -policy $policy -isCompliant $isCompliant $details += Get-PhishPolicyDetail -policy $policy -isCompliant $isCompliant
# Check if policy is Custom and covers all users # Check if policy is Custom and covers all users
if ($isCompliant) { if ($isCompliant) {
Write-Verbose "$($policy.Identity) is compliant." Write-Verbose "$($policy.Identity) is compliant."
@@ -176,8 +159,8 @@ function Test-AntiPhishingPolicy {
} }
elseif ($compliantPolicy) { elseif ($compliantPolicy) {
Write-Verbose "$($policy.Identity) was not evaluated." Write-Verbose "$($policy.Identity) was not evaluated."
$isCompliant = Is-PolicyCompliant -policy $policy $isCompliant = Test-PhishPolicyCompliance -policy $policy
$details += Get-PolicyDetails -policy $policy -isCompliant $isCompliant $details += Get-PhishPolicyDetail -policy $policy -isCompliant $isCompliant
$details += "Is Full Coverage Policy: $($false)`n`n" $details += "Is Full Coverage Policy: $($false)`n`n"
} }
} }
@@ -185,8 +168,8 @@ function Test-AntiPhishingPolicy {
elseif ($null -ne $customPolicies ) { elseif ($null -ne $customPolicies ) {
foreach ($policy in $customPolicies) { foreach ($policy in $customPolicies) {
Write-Verbose "$($policy.Identity) was not evaluated." Write-Verbose "$($policy.Identity) was not evaluated."
$isCompliant = Is-PolicyCompliant -policy $policy $isCompliant = Test-PhishPolicyCompliance -policy $policy
$details += Get-PolicyDetails -policy $policy -isCompliant $isCompliant $details += Get-PhishPolicyDetail -policy $policy -isCompliant $isCompliant
$details += "Is Full Coverage Policy: $($false)`n`n" $details += "Is Full Coverage Policy: $($false)`n`n"
} }
} }
@@ -195,7 +178,7 @@ function Test-AntiPhishingPolicy {
Write-Verbose "Evaluating policy: $($defaultPolicy.Identity)" Write-Verbose "Evaluating policy: $($defaultPolicy.Identity)"
$policiesEvaluated += $defaultPolicy.Identity $policiesEvaluated += $defaultPolicy.Identity
# Check if policy is compliant # Check if policy is compliant
$isCompliant = Is-PolicyCompliant -policy $defaultPolicy $isCompliant = Test-PhishPolicyCompliance -policy $defaultPolicy
# Log failure reasons for non-compliant policies # Log failure reasons for non-compliant policies
if (-not $isCompliant) { if (-not $isCompliant) {
$failureReasons += "$($defaultPolicy.Identity) Policy does not meet compliance criteria." $failureReasons += "$($defaultPolicy.Identity) Policy does not meet compliance criteria."
@@ -203,7 +186,7 @@ function Test-AntiPhishingPolicy {
$FailedTests += $defaultPolicy.Identity $FailedTests += $defaultPolicy.Identity
} }
# Compile details of each policy using the new function # Compile details of each policy using the new function
$details += Get-PolicyDetails -policy $defaultPolicy -isCompliant $isCompliant $details += Get-PhishPolicyDetail -policy $defaultPolicy -isCompliant $isCompliant
# Check if policy is Default and covers all users # Check if policy is Default and covers all users
if ($isCompliant) { if ($isCompliant) {
Write-Verbose "$($defaultPolicy.Identity) is compliant." Write-Verbose "$($defaultPolicy.Identity) is compliant."
@@ -222,20 +205,23 @@ function Test-AntiPhishingPolicy {
} }
elseif ($null -ne $defaultPolicy) { elseif ($null -ne $defaultPolicy) {
Write-Verbose "$($defaultPolicy.Identity) was not evaluated." Write-Verbose "$($defaultPolicy.Identity) was not evaluated."
$isCompliant = Is-PolicyCompliant -policy $defaultPolicy $isCompliant = Test-PhishPolicyCompliance -policy $defaultPolicy
$details += Get-PolicyDetails -policy $defaultPolicy -isCompliant $isCompliant $details += Get-PhishPolicyDetail -policy $defaultPolicy -isCompliant $isCompliant
$details += "Is Full Coverage Policy: $($false)`n`n" $details += "Is Full Coverage Policy: $($false)`n`n"
} }
# Need new steps for below: # Determine overall compliance based on the evaluations
$isOverallCompliant = $hasFullCoveragePolicy -and $null -ne $compliantPolicy $isOverallCompliant = $hasFullCoveragePolicy -and $null -ne $compliantPolicy
# Prepare result details
$resultDetails = if ($isOverallCompliant) { $resultDetails = if ($isOverallCompliant) {
"Compliant Policy: $($compliantPolicy.Identity)`nDetails:`n" + ($details -join "`n") "Compliant Policy: $($compliantPolicy.Identity)`nDetails:`n" + ($details -join "`n")
} }
else { else {
"Non-Compliant or No Policy Fully Covers All Users.`nDetails:`n" + ($details -join "`n") "Non-Compliant or No Policy Fully Covers All Users.`nDetails:`n" + ($details -join "`n")
} }
# Verbose output for the overall compliance
Write-Verbose "Overall Compliance: $isOverallCompliant"
$VerbosePreference = "SilentlyContinue" $VerbosePreference = "SilentlyContinue"
# Prepare the parameters for the audit result
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
Result = $isOverallCompliant Result = $isOverallCompliant
@@ -243,6 +229,7 @@ function Test-AntiPhishingPolicy {
Details = $resultDetails Details = $resultDetails
FailureReason = if (-not $isOverallCompliant) { $failureReasons -join "`n" } else { "All settings are correct based on the highest precedence policy that applies to all users." } FailureReason = if (-not $isOverallCompliant) { $failureReasons -join "`n" } else { "All settings are correct based on the highest precedence policy that applies to all users." }
} }
# Initialize the audit result
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
} }
catch { catch {
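Review bot: The `@@ -1,5 +1,5 @@` and `@@ -8,24 +8,7 @@` hunks rename `Is-PolicyCompliant` to `Test-PhishPolicyCompliance` and drop Get-PolicyDetails, but the renamed function stays defined in this file while this same commit also adds it as a file of its own, so the module now carries two definitions of Test-PhishPolicyCompliance and whichever is loaded last wins; delete the copy kept here so the helper has a single source of truth, as was done for Get-PhishPolicyDetail. The new `Write-Verbose "Overall Compliance: $isOverallCompliant"` sits directly before `$VerbosePreference = "SilentlyContinue"`, which mutes verbose output for the remainder of the function; a comment such as `# All evaluation messages have been emitted; mute verbose output for the result assembly below` would record that the ordering is deliberate. Test-AntiPhishingPolicy continues outside these hunks.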


@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}
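Review bot: Both new test files (this one and the identical one that follows it) exercise `Get-PrivateFunction -PrivateData 'string'`, which is the project-template placeholder rather than either helper this commit introduces; nothing on this page shows a `Get-PrivateFunction` in the module, so `InModuleScope` will presumably fail in `BeforeEach` with a command-not-found, and even if the placeholder does exist, Get-PhishPolicyDetail and Test-PhishPolicyCompliance remain untested. Replace the `Describe` block in each file with cases for the function that file is meant to cover: for Test-PhishPolicyCompliance, a constructed policy meeting every criterion should yield `$true` and one with `PhishThresholdLevel = 1` or `Enabled = $false` should yield `$false`; for Get-PhishPolicyDetail, assert the `IsCompliant:` line and the `-join ', '` rendering of a two-element `TargetedUsersToProtect`. A sketch for the first file follows.
```powershell
# … unchanged: $ProjectPath / $ProjectName discovery and Import-Module …
InModuleScope $ProjectName {
    Describe Test-PhishPolicyCompliance {
        # constructed sample policies; property names mirror the fields the predicate reads
        It 'Returns $true when every criterion is met' {
            $policy = [PSCustomObject]@{
                Enabled = $true; PhishThresholdLevel = 2
                EnableMailboxIntelligenceProtection = $true
                EnableMailboxIntelligence = $true; EnableSpoofIntelligence = $true
            }
            Test-PhishPolicyCompliance -policy $policy | Should -Be $true
        }
        It 'Returns $false when PhishThresholdLevel is below 2' {
            $policy = [PSCustomObject]@{
                Enabled = $true; PhishThresholdLevel = 1
                EnableMailboxIntelligenceProtection = $true
                EnableMailboxIntelligence = $true; EnableSpoofIntelligence = $true
            }
            Test-PhishPolicyCompliance -policy $policy | Should -Be $false
        }
    }
}
```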


@@ -0,0 +1,27 @@
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
}).BaseName
Import-Module $ProjectName
InModuleScope $ProjectName {
Describe Get-PrivateFunction {
Context 'Default' {
BeforeEach {
$return = Get-PrivateFunction -PrivateData 'string'
}
It 'Returns a single object' {
($return | Measure-Object).Count | Should -Be 1
}
It 'Returns a string based on the parameter PrivateData' {
$return | Should -Be 'string'
}
}
}
}