fix: 2.1.7 simplified output and added object comment-rc
This commit is contained in:
DrIOS
@@ -349,7 +349,46 @@ function Get-CISExoOutput {
|
||||
}
|
||||
'2.1.7' {
|
||||
# Test-AntiPhishingPolicy.ps1
|
||||
# Condition A: Ensure that an anti-phishing policy has been created
|
||||
<#
|
||||
$antiPhishPolicies = @(
|
||||
[PSCustomObject]@{
|
||||
Identity = "Strict Preset Security Policy"
|
||||
Enabled = $true
|
||||
PhishThresholdLevel = 4
|
||||
EnableMailboxIntelligenceProtection = $true
|
||||
EnableMailboxIntelligence = $true
|
||||
EnableSpoofIntelligence = $true
|
||||
TargetedUsersToProtect = "John Doe;jdoe@contoso.net, Jane Does;janedoe@contoso.net"
|
||||
},
|
||||
[PSCustomObject]@{
|
||||
Identity = "Office365 AntiPhish Default"
|
||||
Enabled = $true
|
||||
PhishThresholdLevel = 2
|
||||
EnableMailboxIntelligenceProtection = $true
|
||||
EnableMailboxIntelligence = $true
|
||||
EnableSpoofIntelligence = $true
|
||||
TargetedUsersToProtect = $null # Assuming it targets all users as it's the default
|
||||
},
|
||||
[PSCustomObject]@{
|
||||
Identity = "Admin"
|
||||
Enabled = $true
|
||||
PhishThresholdLevel = 2
|
||||
EnableMailboxIntelligenceProtection = $true
|
||||
EnableMailboxIntelligence = $true
|
||||
EnableSpoofIntelligence = $true
|
||||
TargetedUsersToProtect = $null # Assuming it targets all users
|
||||
},
|
||||
[PSCustomObject]@{
|
||||
Identity = "Standard Preset Security Policy"
|
||||
Enabled = $true
|
||||
PhishThresholdLevel = 3
|
||||
EnableMailboxIntelligenceProtection = $true
|
||||
EnableMailboxIntelligence = $true
|
||||
EnableSpoofIntelligence = $true
|
||||
TargetedUsersToProtect = $null # Assuming it targets all users
|
||||
}
|
||||
)
|
||||
#>
|
||||
$antiPhishPolicies = Get-AntiPhishPolicy
|
||||
return $antiPhishPolicies
|
||||
}
|
||||
|
||||
18
source/Private/Get-PhishPolicyDetail.ps1
Normal file
18
source/Private/Get-PhishPolicyDetail.ps1
Normal file
@@ -0,0 +1,18 @@
|
||||
function Get-PhishPolicyDetail {
|
||||
param (
|
||||
[Parameter(Mandatory = $true)]
|
||||
[pscustomobject]$policy,
|
||||
|
||||
[Parameter(Mandatory = $true)]
|
||||
[bool]$isCompliant
|
||||
)
|
||||
|
||||
return "Policy: $($policy.Identity)`n" +
|
||||
"Enabled: $($policy.Enabled)`n" +
|
||||
"PhishThresholdLevel: $($policy.PhishThresholdLevel)`n" +
|
||||
"MailboxIntelligenceProtection: $($policy.EnableMailboxIntelligenceProtection)`n" +
|
||||
"MailboxIntelligence: $($policy.EnableMailboxIntelligence)`n" +
|
||||
"SpoofIntelligence: $($policy.EnableSpoofIntelligence)`n" +
|
||||
"TargetedUsersToProtect: $($policy.TargetedUsersToProtect -join ', ')`n" +
|
||||
"IsCompliant: $isCompliant"
|
||||
}
|
||||
8
source/Private/Test-PhishPolicyCompliance.ps1
Normal file
8
source/Private/Test-PhishPolicyCompliance.ps1
Normal file
@@ -0,0 +1,8 @@
|
||||
function Test-PhishPolicyCompliance {
|
||||
param ($policy)
|
||||
return ($policy.Enabled -eq $true -and
|
||||
$policy.PhishThresholdLevel -ge 2 -and
|
||||
$policy.EnableMailboxIntelligenceProtection -eq $true -and
|
||||
$policy.EnableMailboxIntelligence -eq $true -and
|
||||
$policy.EnableSpoofIntelligence -eq $true)
|
||||
}
|
||||
@@ -1,5 +1,5 @@
|
||||
|
||||
function Is-PolicyCompliant {
|
||||
function Test-PhishPolicyCompliance {
|
||||
param ($policy)
|
||||
return ($policy.Enabled -eq $true -and
|
||||
$policy.PhishThresholdLevel -ge 2 -and
|
||||
@@ -8,24 +8,7 @@ function Is-PolicyCompliant {
|
||||
$policy.EnableSpoofIntelligence -eq $true)
|
||||
}
|
||||
|
||||
function Get-PolicyDetails {
|
||||
param (
|
||||
[Parameter(Mandatory = $true)]
|
||||
[pscustomobject]$policy,
|
||||
|
||||
[Parameter(Mandatory = $true)]
|
||||
[bool]$isCompliant
|
||||
)
|
||||
|
||||
return "Policy: $($policy.Identity)`n" +
|
||||
"Enabled: $($policy.Enabled)`n" +
|
||||
"PhishThresholdLevel: $($policy.PhishThresholdLevel)`n" +
|
||||
"MailboxIntelligenceProtection: $($policy.EnableMailboxIntelligenceProtection)`n" +
|
||||
"MailboxIntelligence: $($policy.EnableMailboxIntelligence)`n" +
|
||||
"SpoofIntelligence: $($policy.EnableSpoofIntelligence)`n" +
|
||||
"TargetedUsersToProtect: $($policy.TargetedUsersToProtect -join ', ')`n" +
|
||||
"IsCompliant: $isCompliant"
|
||||
}
|
||||
|
||||
function Test-AntiPhishingPolicy {
|
||||
[CmdletBinding()]
|
||||
@@ -81,7 +64,7 @@ function Test-AntiPhishingPolicy {
|
||||
Write-Verbose "Evaluating policy: $($strictPolicy.Identity)"
|
||||
$policiesEvaluated += $strictPolicy.Identity
|
||||
# Check if policy is compliant
|
||||
$isCompliant = Is-PolicyCompliant -policy $strictPolicy
|
||||
$isCompliant = Test-PhishPolicyCompliance -policy $strictPolicy
|
||||
# Log failure reasons for non-compliant policies
|
||||
if (-not $isCompliant) {
|
||||
$failureReasons += "Policy $($strictPolicy.Identity) does not meet compliance criteria."
|
||||
@@ -89,7 +72,7 @@ function Test-AntiPhishingPolicy {
|
||||
$FailedTests += $strictPolicy.Identity
|
||||
}
|
||||
# Compile details of each policy using the new function
|
||||
$details += Get-PolicyDetails -policy $strictPolicy -isCompliant $isCompliant
|
||||
$details += Get-PhishPolicyDetail -policy $strictPolicy -isCompliant $isCompliant
|
||||
# Check if policy is Strict and covers all users
|
||||
if ($isCompliant) {
|
||||
$PassedTests += $strictPolicy.Identity
|
||||
@@ -111,7 +94,7 @@ function Test-AntiPhishingPolicy {
|
||||
Write-Verbose "Evaluating policy: $($standardPolicy.Identity)"
|
||||
$policiesEvaluated += $standardPolicy.Identity
|
||||
# Check if policy is compliant
|
||||
$isCompliant = Is-PolicyCompliant -policy $standardPolicy
|
||||
$isCompliant = Test-PhishPolicyCompliance -policy $standardPolicy
|
||||
# Log failure reasons for non-compliant policies
|
||||
if (-not $isCompliant) {
|
||||
$failureReasons += "$($standardPolicy.Identity) does not meet compliance criteria."
|
||||
@@ -119,7 +102,7 @@ function Test-AntiPhishingPolicy {
|
||||
$FailedTests += $standardPolicy.Identity
|
||||
}
|
||||
# Compile details of each policy using the new function
|
||||
$details += Get-PolicyDetails -policy $standardPolicy -isCompliant $isCompliant
|
||||
$details += Get-PhishPolicyDetail -policy $standardPolicy -isCompliant $isCompliant
|
||||
# Check if policy is Strict and covers all users
|
||||
if ($isCompliant) {
|
||||
Write-Verbose "$($standardPolicy.Identity) is compliant."
|
||||
@@ -138,8 +121,8 @@ function Test-AntiPhishingPolicy {
|
||||
}
|
||||
elseif ($null -ne $standardPolicy) {
|
||||
Write-Verbose "$($standardPolicy.Identity) was not evaluated."
|
||||
$isCompliant = Is-PolicyCompliant -policy $standardPolicy
|
||||
$details += Get-PolicyDetails -policy $standardPolicy -isCompliant $isCompliant
|
||||
$isCompliant = Test-PhishPolicyCompliance -policy $standardPolicy
|
||||
$details += Get-PhishPolicyDetail -policy $standardPolicy -isCompliant $isCompliant
|
||||
$details += "Is Full Coverage Policy: $($false)`n`n"
|
||||
}
|
||||
# Step 5: Check Custom Policies if no full coverage from Strict or Standard
|
||||
@@ -149,7 +132,7 @@ function Test-AntiPhishingPolicy {
|
||||
Write-Verbose "Evaluating policy: $($policy.Identity)"
|
||||
$policiesEvaluated += $policy.Identity
|
||||
# Check if policy is compliant
|
||||
$isCompliant = Is-PolicyCompliant -policy $policy
|
||||
$isCompliant = Test-PhishPolicyCompliance -policy $policy
|
||||
# Log failure reasons for non-compliant policies
|
||||
if (-not $isCompliant) {
|
||||
$failureReasons += "$($policy.Identity) Policy does not meet compliance criteria."
|
||||
@@ -157,7 +140,7 @@ function Test-AntiPhishingPolicy {
|
||||
$FailedTests += $policy.Identity
|
||||
}
|
||||
# Compile details of each policy using the new function
|
||||
$details += Get-PolicyDetails -policy $policy -isCompliant $isCompliant
|
||||
$details += Get-PhishPolicyDetail -policy $policy -isCompliant $isCompliant
|
||||
# Check if policy is Custom and covers all users
|
||||
if ($isCompliant) {
|
||||
Write-Verbose "$($policy.Identity) is compliant."
|
||||
@@ -176,8 +159,8 @@ function Test-AntiPhishingPolicy {
|
||||
}
|
||||
elseif ($compliantPolicy) {
|
||||
Write-Verbose "$($policy.Identity) was not evaluated."
|
||||
$isCompliant = Is-PolicyCompliant -policy $policy
|
||||
$details += Get-PolicyDetails -policy $policy -isCompliant $isCompliant
|
||||
$isCompliant = Test-PhishPolicyCompliance -policy $policy
|
||||
$details += Get-PhishPolicyDetail -policy $policy -isCompliant $isCompliant
|
||||
$details += "Is Full Coverage Policy: $($false)`n`n"
|
||||
}
|
||||
}
|
||||
@@ -185,8 +168,8 @@ function Test-AntiPhishingPolicy {
|
||||
elseif ($null -ne $customPolicies ) {
|
||||
foreach ($policy in $customPolicies) {
|
||||
Write-Verbose "$($policy.Identity) was not evaluated."
|
||||
$isCompliant = Is-PolicyCompliant -policy $policy
|
||||
$details += Get-PolicyDetails -policy $policy -isCompliant $isCompliant
|
||||
$isCompliant = Test-PhishPolicyCompliance -policy $policy
|
||||
$details += Get-PhishPolicyDetail -policy $policy -isCompliant $isCompliant
|
||||
$details += "Is Full Coverage Policy: $($false)`n`n"
|
||||
}
|
||||
}
|
||||
@@ -195,7 +178,7 @@ function Test-AntiPhishingPolicy {
|
||||
Write-Verbose "Evaluating policy: $($defaultPolicy.Identity)"
|
||||
$policiesEvaluated += $defaultPolicy.Identity
|
||||
# Check if policy is compliant
|
||||
$isCompliant = Is-PolicyCompliant -policy $defaultPolicy
|
||||
$isCompliant = Test-PhishPolicyCompliance -policy $defaultPolicy
|
||||
# Log failure reasons for non-compliant policies
|
||||
if (-not $isCompliant) {
|
||||
$failureReasons += "$($defaultPolicy.Identity) Policy does not meet compliance criteria."
|
||||
@@ -203,7 +186,7 @@ function Test-AntiPhishingPolicy {
|
||||
$FailedTests += $defaultPolicy.Identity
|
||||
}
|
||||
# Compile details of each policy using the new function
|
||||
$details += Get-PolicyDetails -policy $defaultPolicy -isCompliant $isCompliant
|
||||
$details += Get-PhishPolicyDetail -policy $defaultPolicy -isCompliant $isCompliant
|
||||
# Check if policy is Default and covers all users
|
||||
if ($isCompliant) {
|
||||
Write-Verbose "$($defaultPolicy.Identity) is compliant."
|
||||
@@ -222,20 +205,23 @@ function Test-AntiPhishingPolicy {
|
||||
}
|
||||
elseif ($null -ne $defaultPolicy) {
|
||||
Write-Verbose "$($defaultPolicy.Identity) was not evaluated."
|
||||
$isCompliant = Is-PolicyCompliant -policy $defaultPolicy
|
||||
$details += Get-PolicyDetails -policy $defaultPolicy -isCompliant $isCompliant
|
||||
$isCompliant = Test-PhishPolicyCompliance -policy $defaultPolicy
|
||||
$details += Get-PhishPolicyDetail -policy $defaultPolicy -isCompliant $isCompliant
|
||||
$details += "Is Full Coverage Policy: $($false)`n`n"
|
||||
}
|
||||
# Need new steps for below:
|
||||
# Determine overall compliance based on the evaluations
|
||||
$isOverallCompliant = $hasFullCoveragePolicy -and $null -ne $compliantPolicy
|
||||
# Prepare result details
|
||||
$resultDetails = if ($isOverallCompliant) {
|
||||
"Compliant Policy: $($compliantPolicy.Identity)`nDetails:`n" + ($details -join "`n")
|
||||
}
|
||||
else {
|
||||
"Non-Compliant or No Policy Fully Covers All Users.`nDetails:`n" + ($details -join "`n")
|
||||
}
|
||||
|
||||
# Verbose output for the overall compliance
|
||||
Write-Verbose "Overall Compliance: $isOverallCompliant"
|
||||
$VerbosePreference = "SilentlyContinue"
|
||||
# Prepare the parameters for the audit result
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $isOverallCompliant
|
||||
@@ -243,6 +229,7 @@ function Test-AntiPhishingPolicy {
|
||||
Details = $resultDetails
|
||||
FailureReason = if (-not $isOverallCompliant) { $failureReasons -join "`n" } else { "All settings are correct based on the highest precedence policy that applies to all users." }
|
||||
}
|
||||
# Initialize the audit result
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
catch {
|
||||
|
||||
27
tests/Unit/Private/Get-PhishPolicyDetail.tests.ps1
Normal file
27
tests/Unit/Private/Get-PhishPolicyDetail.tests.ps1
Normal file
@@ -0,0 +1,27 @@
|
||||
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
|
||||
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
|
||||
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
|
||||
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
|
||||
}).BaseName
|
||||
|
||||
|
||||
Import-Module $ProjectName
|
||||
|
||||
InModuleScope $ProjectName {
|
||||
Describe Get-PrivateFunction {
|
||||
Context 'Default' {
|
||||
BeforeEach {
|
||||
$return = Get-PrivateFunction -PrivateData 'string'
|
||||
}
|
||||
|
||||
It 'Returns a single object' {
|
||||
($return | Measure-Object).Count | Should -Be 1
|
||||
}
|
||||
|
||||
It 'Returns a string based on the parameter PrivateData' {
|
||||
$return | Should -Be 'string'
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
27
tests/Unit/Private/Test-PhishPolicyCompliance.tests.ps1
Normal file
27
tests/Unit/Private/Test-PhishPolicyCompliance.tests.ps1
Normal file
@@ -0,0 +1,27 @@
|
||||
$ProjectPath = "$PSScriptRoot\..\..\.." | Convert-Path
|
||||
$ProjectName = ((Get-ChildItem -Path $ProjectPath\*\*.psd1).Where{
|
||||
($_.Directory.Name -match 'source|src' -or $_.Directory.Name -eq $_.BaseName) -and
|
||||
$(try { Test-ModuleManifest $_.FullName -ErrorAction Stop } catch { $false } )
|
||||
}).BaseName
|
||||
|
||||
|
||||
Import-Module $ProjectName
|
||||
|
||||
InModuleScope $ProjectName {
|
||||
Describe Get-PrivateFunction {
|
||||
Context 'Default' {
|
||||
BeforeEach {
|
||||
$return = Get-PrivateFunction -PrivateData 'string'
|
||||
}
|
||||
|
||||
It 'Returns a single object' {
|
||||
($return | Measure-Object).Count | Should -Be 1
|
||||
}
|
||||
|
||||
It 'Returns a string based on the parameter PrivateData' {
|
||||
$return | Should -Be 'string'
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user