format: update recnum to RecNum

DrIOS
2024-12-26 09:28:33 -06:00
parent 391be439b0
commit d9b8bf2941
54 changed files with 290 additions and 290 deletions


@@ -19,15 +19,15 @@ function Get-TestError {
[cmdletBinding()]
param (
$LastError,
$recnum
$RecNum
)
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $LastError })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $LastError })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Write-Verbose "An error occurred during the test $recnum`: `n$LastError" -Verbose
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
Write-Verbose "An error occurred during the test $RecNum`: `n$LastError" -Verbose
return $auditResult
}
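Review bot: `$RecNum` and `$LastError` in the `param` block are still untyped and optional, so a caller that omits the record number gets a failure entry with an empty `Rec` and "Description not found" rather than an error. Declaring it as `[Parameter(Mandatory)][string]$RecNum` would make that mistake visible. Existing `-recnum` call sites keep binding, because PowerShell matches parameter names case-insensitively. The function's opening line sits just above the hunk.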


@@ -33,7 +33,7 @@ function Invoke-TestFunction {
return $result
}
catch {
Write-Error "An error occurred during the test $recnum`:: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
$script:FailedTests.Add([PSCustomObject]@{ Test = $functionName; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
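Review bot: Nothing in the visible part of Invoke-TestFunction assigns `$RecNum`, so the `Write-Error` message in the `catch` block may render with an empty test number unless an enclosing scope sets it. The failure record added on the next line already identifies the test by `$functionName`; using that variable in the message would keep the two consistent. That record also carries `Test`/`Error` where Get-TestError writes `Rec`/`Description`/`Error`, so anything reading `$script:FailedTests` has to handle two shapes. The function starts and ends outside the hunk.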


@@ -7,14 +7,14 @@ function Test-AdministrativeAccountCompliance {
# Condition B: The account is assigned a valid license (e.g., Microsoft Entra ID P1 or P2).
# Condition C: The administrative account does not have any other application assignments (only valid licenses).
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
$recnum = "1.1.1"
Write-Verbose "Starting Test-AdministrativeAccountCompliance with Rec: $recnum"
$RecNum = "1.1.1"
Write-Verbose "Starting Test-AdministrativeAccountCompliance with Rec: $RecNum"
}
process {
try {
# Retrieve admin roles, assignments, and user details including licenses
Write-Verbose "Retrieving admin roles, assignments, and user details including licenses"
$adminRoleAssignments = Get-CISMgOutput -Rec $recnum
$adminRoleAssignments = Get-CISMgOutput -Rec $RecNum
$adminRoleUsers = @()
foreach ($roleName in $adminRoleAssignments.Keys) {
$assignments = $adminRoleAssignments[$roleName]
@@ -80,7 +80,7 @@ function Test-AdministrativeAccountCompliance {
Write-Verbose "Assessment completed. Result: $status"
# Create the parameter splat
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = $status
Details = $details
@@ -90,7 +90,7 @@ function Test-AdministrativeAccountCompliance {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -3,8 +3,8 @@ function Test-AntiPhishingPolicy {
[OutputType([CISAuditResult])]
param ()
begin {
$recnum = "2.1.7"
Write-Verbose "Running Test-AntiPhishingPolicy for $recnum..."
$RecNum = "2.1.7"
Write-Verbose "Running Test-AntiPhishingPolicy for $RecNum..."
#. .\source\Classes\CISAuditResult.ps1
<#
Conditions for 2.1.7 (L1) Ensure robust anti-phishing policies are enforced
@@ -26,7 +26,7 @@ function Test-AntiPhishingPolicy {
# Step 1: Retrieve all anti-phishing policies
#$VerbosePreference = "Continue"
Write-Verbose "Retrieving all anti-phishing policies..."
$antiPhishPolicies = Get-CISExoOutput -Rec $recnum
$antiPhishPolicies = Get-CISExoOutput -Rec $RecNum
# Step 2: Initialize variables to track compliance and details
$compliantPolicy = $null
$details = @()
@@ -205,7 +205,7 @@ function Test-AntiPhishingPolicy {
#$VerbosePreference = "SilentlyContinue"
# Prepare the parameters for the audit result
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isOverallCompliant
Status = if ($isOverallCompliant) { "Pass" } else { "Fail" }
Details = $resultDetails
@@ -215,8 +215,8 @@ function Test-AntiPhishingPolicy {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test $recnum`:: $_"
$auditResult = Get-TestError -LastError $_ -recnum $recnum
Write-Error "An error occurred during the test $RecNum`:: $_"
$auditResult = Get-TestError -LastError $_ -RecNum $RecNum
}
}
end {
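Review bot: The `catch` block in the last hunk calls `Write-Error` before `$auditResult = Get-TestError ...`, whereas most other tests in this commit go straight to Get-TestError. If the caller runs with `$ErrorActionPreference = 'Stop'` (not visible here), `Write-Error` becomes terminating inside the `catch` and `$auditResult` is never assigned, so this control would produce no result instead of a recorded failure. Dropping the `Write-Error` line, or moving it after the assignment, avoids that and the duplicate message Get-TestError already emits. The `catch` blocks in Test-MailboxAuditingE3 and Test-MailboxAuditingE5 open the same way. The `process` block starts outside the hunk.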


@@ -24,14 +24,14 @@ function Test-AuditDisabledFalse {
# - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `True`.
# - Condition C: Mailbox auditing is not enabled by default at the organizational level.
# Initialization code, if needed
$recnum = "6.1.1"
Write-Verbose "Running Test-AuditDisabledFalse for $recnum..."
$RecNum = "6.1.1"
Write-Verbose "Running Test-AuditDisabledFalse for $RecNum..."
}
process {
try {
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
# Retrieve the AuditDisabled configuration (Condition B)
$auditNotDisabled = Get-CISExoOutput -Rec $recnum
$auditNotDisabled = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditNotDisabled) {
"AuditDisabled is set to True" # Condition A Fail
@@ -47,7 +47,7 @@ function Test-AuditDisabledFalse {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $auditNotDisabled
Status = if ($auditNotDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -57,7 +57,7 @@ function Test-AuditDisabledFalse {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-AuditLogSearch {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "3.1.1"
Write-Verbose "Running Test-AuditLogSearch for $recnum..."
$RecNum = "3.1.1"
Write-Verbose "Running Test-AuditLogSearch for $RecNum..."
<#
Conditions for 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
Validate test for a pass:
@@ -30,7 +30,7 @@ function Test-AuditLogSearch {
process {
try {
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
$auditLogResult = Get-CISExoOutput -Rec $recnum
$auditLogResult = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditLogResult) {
# Condition A (Fail): Audit log search is not enabled in the Microsoft Purview compliance portal
@@ -48,7 +48,7 @@ function Test-AuditLogSearch {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $auditLogResult
Status = if ($auditLogResult) { "Pass" } else { "Fail" }
Details = $details
@@ -58,7 +58,7 @@ function Test-AuditLogSearch {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-BlockChannelEmails {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.1.2"
Write-Verbose "Running Test-BlockChannelEmails for $recnum..."
$RecNum = "8.1.2"
Write-Verbose "Running Test-BlockChannelEmails for $RecNum..."
}
process {
try {
@@ -30,7 +30,7 @@ function Test-BlockChannelEmails {
# - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
# - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
# Retrieve Teams client configuration
$teamsClientConfig = Get-CISMSTeamsOutput -Rec $recnum
$teamsClientConfig = Get-CISMSTeamsOutput -Rec $RecNum
$allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel
# Prepare failure reasons and details based on compliance
$failureReasons = if ($allowEmailIntoChannel) {
@@ -47,7 +47,7 @@ function Test-BlockChannelEmails {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = -not $allowEmailIntoChannel
Status = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" }
Details = $details
@@ -57,7 +57,7 @@ function Test-BlockChannelEmails {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {
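Review bot: `Result = -not $allowEmailIntoChannel` reports Pass when the value is `$null`, which is what the property read yields if `Get-CISMSTeamsOutput` returns nothing without throwing (not visible here, and strict mode would change this). For an audit check that is fail-open: missing data is indistinguishable from a compliant setting. Comparing explicitly, `$emailBlocked = $false -eq $teamsClientConfig.AllowEmailIntoChannel`, and using that for both `Result` and `Status` would make an empty response a Fail. The same `-not <property>` pattern appears in Test-DialInBypassLobby (`AllowPSTNUsersToBypassLobby`) and Test-ExternalNoControl (`AllowExternalParticipantGiveRequestControl`).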


@@ -8,8 +8,8 @@ function Test-BlockMailForwarding {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.2.1"
Write-Verbose "Running Test-BlockMailForwarding for $recnum..."
$RecNum = "6.2.1"
Write-Verbose "Running Test-BlockMailForwarding for $RecNum..."
<#
Conditions for 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
Validate test for a pass:
@@ -30,7 +30,7 @@ function Test-BlockMailForwarding {
try {
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
# Step 1: Retrieve the transport rules that redirect messages
$transportRules,$nonCompliantSpamPolicies = Get-CISExoOutput -Rec $recnum
$transportRules,$nonCompliantSpamPolicies = Get-CISExoOutput -Rec $RecNum
$transportForwardingBlocked = $transportRules.Count -eq 0
# Step 2: Check all anti-spam outbound policies
$nonCompliantSpamPoliciesArray = @($nonCompliantSpamPolicies)
@@ -67,7 +67,7 @@ function Test-BlockMailForwarding {
}
# Populate the audit result
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $forwardingBlocked
Status = if ($forwardingBlocked) { "Pass" } else { "Fail" }
Details = $details
@@ -77,7 +77,7 @@ function Test-BlockMailForwarding {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-BlockSharedMailboxSignIn {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.2.2"
Write-Verbose "Running Test-BlockSharedMailboxSignIn for $recnum..."
$RecNum = "1.2.2"
Write-Verbose "Running Test-BlockSharedMailboxSignIn for $RecNum..."
# Conditions for 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
#
# Validate test for a pass:
@@ -36,7 +36,7 @@ function Test-BlockSharedMailboxSignIn {
"abcddcba-98fe-76dc-a456-426614174000"
)
#>
$objectids = Get-CISExoOutput -Rec $recnum
$objectids = Get-CISExoOutput -Rec $RecNum
# Step: Retrieve user details from Azure AD
# $users Mock Object
<#
@@ -58,7 +58,7 @@ function Test-BlockSharedMailboxSignIn {
}
)
#>
$users = Get-CISMgOutput -Rec $recnum
$users = Get-CISMgOutput -Rec $RecNum
# Step: Retrieve details of shared mailboxes from Azure AD (Condition B: Pass/Fail)
$sharedMailboxDetails = $users | Where-Object {$_.id -in $objectids}
# Step: Identify enabled mailboxes (Condition B: Pass/Fail)
@@ -80,7 +80,7 @@ function Test-BlockSharedMailboxSignIn {
}
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allBlocked # Pass: Condition A, Condition B
Status = if ($allBlocked) { "Pass" } else { "Fail" }
Details = $details
@@ -90,7 +90,7 @@ function Test-BlockSharedMailboxSignIn {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -24,8 +24,8 @@ function Test-CommonAttachmentFilter {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "2.1.2"
Write-Verbose "Running Test-CommonAttachmentFilter for $recnum..."
$RecNum = "2.1.2"
Write-Verbose "Running Test-CommonAttachmentFilter for $RecNum..."
}
process {
try {
@@ -35,7 +35,7 @@ function Test-CommonAttachmentFilter {
# Retrieve the attachment filter policy
# $result Mock Object
# $result = $true
$result = Get-CISExoOutput -Rec $recnum
$result = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $result) {
# Condition A: The Common Attachment Types Filter is not enabled in the Microsoft 365 Security & Compliance Center.
@@ -53,7 +53,7 @@ function Test-CommonAttachmentFilter {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $details
@@ -63,7 +63,7 @@ function Test-CommonAttachmentFilter {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -11,8 +11,8 @@ function Test-CustomerLockbox {
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.3.6"
Write-Verbose "Running Test-CustomerLockbox for $recnum..."
$RecNum = "1.3.6"
Write-Verbose "Running Test-CustomerLockbox for $RecNum..."
# Conditions for 1.3.6 (L2) Ensure the customer lockbox feature is enabled (Automated)
#
# Validate test for a pass:
@@ -34,7 +34,7 @@ function Test-CustomerLockbox {
# Step: Retrieve the organization configuration (Condition C: Pass/Fail)
# $customerLockboxEnabled Mock Object
# $customerLockboxEnabled = $true
$customerLockboxEnabled = Get-CISExoOutput -Rec $recnum
$customerLockboxEnabled = Get-CISExoOutput -Rec $RecNum
# Step: Prepare failure reasons and details based on compliance (Condition A, B, & C: Fail)
$failureReasons = if (-not $customerLockboxEnabled) {
"Customer lockbox feature is not enabled."
@@ -51,7 +51,7 @@ function Test-CustomerLockbox {
}
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $customerLockboxEnabled
Status = if ($customerLockboxEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -61,7 +61,7 @@ function Test-CustomerLockbox {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-DialInBypassLobby {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.4"
Write-Verbose "Running Test-DialInBypassLobby for $recnum..."
$RecNum = "8.5.4"
Write-Verbose "Running Test-DialInBypassLobby for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-DialInBypassLobby {
AllowPSTNUsersToBypassLobby = $true
}
#>
$CsTeamsMeetingPolicyPSTN = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyPSTN = Get-CISMSTeamsOutput -Rec $RecNum
$PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $PSTNBypassDisabled) {
@@ -53,7 +53,7 @@ function Test-DialInBypassLobby {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $PSTNBypassDisabled
Status = if ($PSTNBypassDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -63,7 +63,7 @@ function Test-DialInBypassLobby {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-DisallowInfectedFilesDownload {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.3.1"
Write-Verbose "Running Test-DisallowInfectedFilesDownload for $recnum..."
$RecNum = "7.3.1"
Write-Verbose "Running Test-DisallowInfectedFilesDownload for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-DisallowInfectedFilesDownload {
DisallowInfectedFileDownload = $false
}
#>
$SPOTenantDisallowInfectedFileDownload = Get-CISSpoOutput -Rec $recnum
$SPOTenantDisallowInfectedFileDownload = Get-CISSpoOutput -Rec $RecNum
# Condition A: The `DisallowInfectedFileDownload` setting is set to `True`
$isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload
# Prepare failure reasons and details based on compliance
@@ -55,7 +55,7 @@ function Test-DisallowInfectedFilesDownload {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isDisallowInfectedFileDownloadEnabled
Status = if ($isDisallowInfectedFileDownloadEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -65,7 +65,7 @@ function Test-DisallowInfectedFilesDownload {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -10,8 +10,8 @@ function Test-EnableDKIM {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "2.1.9"
Write-Verbose "Running Test-EnableDKIM for $recnum..."
$RecNum = "2.1.9"
Write-Verbose "Running Test-EnableDKIM for $RecNum..."
<#
Conditions for 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains (Automated)
Validate test for a pass:
@@ -30,7 +30,7 @@ function Test-EnableDKIM {
try {
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
# Retrieve DKIM configuration for all domains
$dkimConfig = Get-CISExoOutput -Rec $recnum
$dkimConfig = Get-CISExoOutput -Rec $RecNum
if (-not $DomainName) {
$dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false
$dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain }
@@ -62,7 +62,7 @@ function Test-EnableDKIM {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $dkimResult
Status = if ($dkimResult) { "Pass" } else { "Fail" }
Details = $details
@@ -72,7 +72,7 @@ function Test-EnableDKIM {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {
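Review bot: In the all-domains branch, `$dkimResult` is computed with `-notcontains $false`, which evaluates to `$true` when `$dkimConfig` is empty or `$null`, so a run in which no DKIM signing configuration came back would be reported as Pass. An explicit check that at least one configuration was returned, for example `if (-not $dkimConfig) { $dkimResult = $false }` after the assignment, keeps an empty response from reading as compliant. Whether `Get-CISExoOutput` can return nothing without throwing is not visible here. The `else` side of `if (-not $DomainName)` lies outside the hunk.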


@@ -9,8 +9,8 @@ function Test-ExternalNoControl {
# Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.7"
Write-Verbose "Running Test-ExternalNoControl for $recnum..."
$RecNum = "8.5.7"
Write-Verbose "Running Test-ExternalNoControl for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-ExternalNoControl {
AllowExternalParticipantGiveRequestControl = $true
}
#>
$CsTeamsMeetingPolicyControl = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyControl = Get-CISMSTeamsOutput -Rec $RecNum
# Check if external participants can give or request control
$externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl
# Prepare failure reasons and details based on compliance
@@ -54,7 +54,7 @@ function Test-ExternalNoControl {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $externalControlRestricted
Status = if ($externalControlRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -64,7 +64,7 @@ function Test-ExternalNoControl {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -11,7 +11,7 @@ function Test-ExternalSharingCalendars {
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.3.3"
$RecNum = "1.3.3"
# Conditions for 1.3.3 (L2) Ensure 'External sharing' of calendars is not available (Automated)
#
@@ -31,7 +31,7 @@ function Test-ExternalSharingCalendars {
process {
try {
# Step: Retrieve sharing policies related to calendar sharing
$sharingPolicies = Get-CISExoOutput -Rec $recnum
$sharingPolicies = Get-CISExoOutput -Rec $RecNum
# Step (Condition A & B: Pass/Fail): Check if calendar sharing is disabled in all applicable policies
$isExternalSharingDisabled = $true
@@ -85,7 +85,7 @@ foreach ($mailbox in $mailboxes) {
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isExternalSharingDisabled
Status = if ($isExternalSharingDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -95,7 +95,7 @@ foreach ($mailbox in $mailboxes) {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}


@@ -23,12 +23,12 @@ function Test-GlobalAdminsCount {
# - Condition B: The number of global admins is more than 4.
# - Condition C: Any discrepancies or errors in retrieving the list of global admin usernames.
# Initialization code, if needed
$recnum = "1.1.3"
Write-Verbose "Starting Test-GlobalAdminsCount with Rec: $recnum"
$RecNum = "1.1.3"
Write-Verbose "Starting Test-GlobalAdminsCount with Rec: $RecNum"
}
process {
try {
$globalAdmins = Get-CISMgOutput -Rec $recnum
$globalAdmins = Get-CISMgOutput -Rec $RecNum
# Step: Count the number of global admins
$globalAdminCount = $globalAdmins.Count
# Step: Retrieve and format the usernames of global admins
@@ -49,7 +49,7 @@ function Test-GlobalAdminsCount {
$details = "Count: $globalAdminCount; Users: $globalAdminUsernames"
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $globalAdminCount -ge 2 -and $globalAdminCount -le 4
Status = if ($globalAdminCount -ge 2 -and $globalAdminCount -le 4) { "Pass" } else { "Fail" }
Details = $details
@@ -59,7 +59,7 @@ function Test-GlobalAdminsCount {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-GuestAccessExpiration {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.9"
Write-Verbose "Running Test-GuestAccessExpiration for $recnum..."
$RecNum = "7.2.9"
Write-Verbose "Running Test-GuestAccessExpiration for $RecNum..."
}
process {
try {
@@ -37,7 +37,7 @@ function Test-GuestAccessExpiration {
ExternalUserExpireInDays = "60"
}
#>
$SPOTenantGuestAccess = Get-CISSpoOutput -Rec $recnum
$SPOTenantGuestAccess = Get-CISSpoOutput -Rec $RecNum
$isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isGuestAccessExpirationConfiguredCorrectly) {
@@ -50,7 +50,7 @@ function Test-GuestAccessExpiration {
$details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isGuestAccessExpirationConfiguredCorrectly
Status = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" }
Details = $details
@@ -60,7 +60,7 @@ function Test-GuestAccessExpiration {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {
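Review bot: `$SPOTenantGuestAccess.ExternalUserExpireInDays -le 30` takes its comparison type from the left operand, and the mock object in the comment above it shows that value as the string "60". If the real output is also a string, the comparison is lexical, so a value such as "100" sorts below "30" and would pass. Casting first, `[int]$SPOTenantGuestAccess.ExternalUserExpireInDays -le 30`, removes the dependency on what `Get-CISSpoOutput` returns.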


@@ -11,7 +11,7 @@ function Test-GuestUsersBiweeklyReview {
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.1.4"
$RecNum = "1.1.4"
}
process {
@@ -41,7 +41,7 @@ function Test-GuestUsersBiweeklyReview {
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = -not $guestUsers
Status = if ($guestUsers) { "Fail" } else { "Pass" }
Details = $details
@@ -51,7 +51,7 @@ function Test-GuestUsersBiweeklyReview {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}


@@ -10,8 +10,8 @@ function Test-IdentifyExternalEmail {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.2.3"
Write-Verbose "Running Test-IdentifyExternalEmail for $recnum..."
$RecNum = "6.2.3"
Write-Verbose "Running Test-IdentifyExternalEmail for $RecNum..."
# Conditions for 6.2.3 (L1) Ensure email from external senders is identified
#
# Validate test for a pass:
@@ -32,7 +32,7 @@ function Test-IdentifyExternalEmail {
try {
# 6.2.3 (L1) Ensure email from external senders is identified
# Retrieve external sender tagging configuration
$externalInOutlook = Get-CISExoOutput -Rec $recnum
$externalInOutlook = Get-CISExoOutput -Rec $RecNum
$externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $externalTaggingEnabled) {
@@ -46,7 +46,7 @@ function Test-IdentifyExternalEmail {
$details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $externalTaggingEnabled
Status = if ($externalTaggingEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -56,7 +56,7 @@ function Test-IdentifyExternalEmail {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -10,8 +10,8 @@ function Test-LinkSharingRestrictions {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.7"
Write-Verbose "Running Test-LinkSharingRestrictions for $recnum..."
$RecNum = "7.2.7"
Write-Verbose "Running Test-LinkSharingRestrictions for $RecNum..."
}
process {
try {
@@ -37,7 +37,7 @@ function Test-LinkSharingRestrictions {
DefaultSharingLinkType = "Direct"
}
#>
$SPOTenantLinkSharing = Get-CISSpoOutput -Rec $recnum
$SPOTenantLinkSharing = Get-CISSpoOutput -Rec $RecNum
$isLinkSharingRestricted = $SPOTenantLinkSharing.DefaultSharingLinkType -eq 'Direct' # Or 'SpecificPeople' as per the recommendation
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isLinkSharingRestricted) {
@@ -50,7 +50,7 @@ function Test-LinkSharingRestrictions {
$details = "DefaultSharingLinkType: $($SPOTenantLinkSharing.DefaultSharingLinkType)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isLinkSharingRestricted
Status = if ($isLinkSharingRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -60,7 +60,7 @@ function Test-LinkSharingRestrictions {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {
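Review bot: The trailing comment on the `$isLinkSharingRestricted` line says `'SpecificPeople'` is also acceptable, but the test accepts only `'Direct'`, so a reader cannot tell whether a tenant reporting the other value is meant to fail. Either reword the comment to state that `'Direct'` is the only passing value, or, if both are valid outputs of `Get-CISSpoOutput`, compare with `-in @('Direct', 'SpecificPeople')`. Which of the two is right cannot be determined from this hunk.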


@@ -9,8 +9,8 @@ function Test-MailTipsEnabled {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.5.2"
Write-Verbose "Running Test-MailTipsEnabled for $recnum..."
$RecNum = "6.5.2"
Write-Verbose "Running Test-MailTipsEnabled for $RecNum..."
# Conditions for 6.5.2 (L2) Ensure MailTips are enabled for end users
#
# Validate test for a pass:
@@ -33,7 +33,7 @@ function Test-MailTipsEnabled {
try {
# 6.5.2 (L2) Ensure MailTips are enabled for end users
# Retrieve organization configuration for MailTips settings
$orgConfig = Get-CISExoOutput -Rec $recnum
$orgConfig = Get-CISExoOutput -Rec $RecNum
# Check the MailTips settings (Conditions A, B, C, D)
$allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25
$externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled
@@ -52,7 +52,7 @@ function Test-MailTipsEnabled {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allTipsEnabled -and $externalRecipientsTipsEnabled
Status = if ($allTipsEnabled -and $externalRecipientsTipsEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -62,7 +62,7 @@ function Test-MailTipsEnabled {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -24,8 +24,8 @@ function Test-MailboxAuditingE3 {
#>
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
$recnum = "6.1.2"
$version = $recnum
$RecNum = "6.1.2"
$version = $RecNum
$actionDictionaries = Get-Action -Dictionaries -Version $version
# E3 specific actions
$AdminActions = $actionDictionaries.AdminActions.Keys
@@ -33,13 +33,13 @@ function Test-MailboxAuditingE3 {
$OwnerActions = $actionDictionaries.OwnerActions.Keys
$allFailures = @()
Write-Verbose "Running Test-MailboxAuditingE3 for $recnum..."
$allUsers = Get-CISMgOutput -Rec $recnum
Write-Verbose "Running Test-MailboxAuditingE3 for $RecNum..."
$allUsers = Get-CISMgOutput -Rec $RecNum
$processedUsers = @{} # Dictionary to track processed users
}
process {
if ($null -ne $allUsers) {
$mailboxes = Get-CISExoOutput -Rec $recnum
$mailboxes = Get-CISExoOutput -Rec $RecNum
try {
foreach ($user in $allUsers) {
if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
@@ -92,7 +92,7 @@ function Test-MailboxAuditingE3 {
}
# Populate the audit result
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allFailures.Count -eq 0
Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
Details = $details
@@ -101,18 +101,18 @@ function Test-MailboxAuditingE3 {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test $recnum`:: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No M365 E3 licenses found."
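Review bot: The `catch` block re-implements Get-TestError line for line (definition lookup, `$script:FailedTests.Add`, `Initialize-CISAuditResult -Rec $RecNum -Failure`) instead of calling it as the other tests in this commit do, so the two copies can drift apart. Replacing those lines with `$auditResult = Get-TestError -LastError $_ -RecNum $RecNum` would leave a single implementation of the failure path. Test-MailboxAuditingE5 carries the same block. The hunk ends inside the `else` branch, so the rest of the function is not visible.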


@@ -24,20 +24,20 @@ function Test-MailboxAuditingE5 {
# - Condition B: AuditAdmin actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
# - Condition C: AuditDelegate actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
# - Condition D: AuditOwner actions do not include all of the following: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
$recnum = "6.1.3"
$version = $recnum
$RecNum = "6.1.3"
$version = $RecNum
$actionDictionaries = Get-Action -Dictionaries -Version $version
$AdminActions = $actionDictionaries.AdminActions.Keys
$DelegateActions = $actionDictionaries.DelegateActions.Keys
$OwnerActions = $actionDictionaries.OwnerActions.Keys
$allFailures = @()
$processedUsers = @{}
Write-Verbose "Running Test-MailboxAuditingE5 for $recnum..."
$allUsers = Get-CISMgOutput -Rec $recnum
Write-Verbose "Running Test-MailboxAuditingE5 for $RecNum..."
$allUsers = Get-CISMgOutput -Rec $RecNum
}
process {
if ($null -ne $allUsers) {
$mailboxes = Get-CISExoOutput -Rec $recnum
$mailboxes = Get-CISExoOutput -Rec $RecNum
try {
foreach ($user in $allUsers) {
if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
@@ -94,7 +94,7 @@ function Test-MailboxAuditingE5 {
# $details = Initialize-LargeTestTable -lineCount 3000 # Adjust the lineCount to exceed 32,000 characters
# Populate the audit result
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allFailures.Count -eq 0
Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
Details = $details
@@ -103,18 +103,18 @@ function Test-MailboxAuditingE5 {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test $recnum`:: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No M365 E5 licenses found."
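Review bot: The catch block in the last hunk of Test-MailboxAuditingE5 still writes out the failure bookkeeping by hand (description lookup, `$script:FailedTests.Add(...)`, `Initialize-CISAuditResult -Rec $RecNum -Failure`), which is exactly the body of Get-TestError; the rename had to touch four lines here that the other test functions cover with a single call. I would replace the block with `$LastError = $_` followed by `$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum`, as the sibling tests do. The helper reports through Write-Verbose rather than Write-Error, so confirm first that nothing relies on the error stream. The same hand-written catch appears in the section just before this one and in Test-SafeAttachmentsPolicy; the function body continues outside the hunk.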


@@ -8,8 +8,8 @@ function Test-ManagedApprovedPublicGroups {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.2.1"
Write-Verbose "Starting Test-ManagedApprovedPublicGroups with Rec: $recnum"
$RecNum = "1.2.1"
Write-Verbose "Starting Test-ManagedApprovedPublicGroups with Rec: $RecNum"
# Conditions for 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist (Automated)
#
# Validate test for a pass:
@@ -27,7 +27,7 @@ function Test-ManagedApprovedPublicGroups {
process {
try {
# Step: Retrieve all groups with visibility set to 'Public'
$allGroups = Get-CISMgOutput -Rec $recnum
$allGroups = Get-CISMgOutput -Rec $RecNum
# Step: Determine failure reasons based on the presence of public groups
$failureReasons = if ($null -ne $allGroups -and $allGroups.Count -gt 0) {
"There are public groups present that are not organizationally managed/approved."
@@ -45,7 +45,7 @@ function Test-ManagedApprovedPublicGroups {
}
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $null -eq $allGroups -or $allGroups.Count -eq 0
Status = if ($null -eq $allGroups -or $allGroups.Count -eq 0) { "Pass" } else { "Fail" }
Details = $details
@@ -55,7 +55,7 @@ function Test-ManagedApprovedPublicGroups {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-MeetingChatNoAnonymous {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.5"
Write-Verbose "Running Test-MeetingChatNoAnonymous for $recnum..."
$RecNum = "8.5.5"
Write-Verbose "Running Test-MeetingChatNoAnonymous for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-MeetingChatNoAnonymous {
MeetingChatEnabledType = "Enabled"
}
#>
$CsTeamsMeetingPolicyChat = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyChat = Get-CISMSTeamsOutput -Rec $RecNum
# Condition A: Check if the MeetingChatEnabledType is set to 'EnabledExceptAnonymous'
$chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous'
# Prepare failure reasons and details based on compliance
@@ -49,7 +49,7 @@ function Test-MeetingChatNoAnonymous {
$details = "MeetingChatEnabledType is set to $($CsTeamsMeetingPolicyChat.MeetingChatEnabledType)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $chatAnonDisabled
Status = if ($chatAnonDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -59,7 +59,7 @@ function Test-MeetingChatNoAnonymous {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -23,14 +23,14 @@ function Test-ModernAuthExchangeOnline {
# - Condition A: Modern authentication for Exchange Online is not enabled.
# - Condition B: Exchange Online clients do not use modern authentication to log in to Microsoft 365 mailboxes.
# - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are still able to authenticate to Exchange using Basic Authentication.
$recnum = "6.5.1"
Write-Verbose "Running Test-ModernAuthExchangeOnline for $recnum..."
$RecNum = "6.5.1"
Write-Verbose "Running Test-ModernAuthExchangeOnline for $RecNum..."
}
process {
try {
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
$orgConfig = Get-CISExoOutput -Rec $recnum
$orgConfig = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $orgConfig.OAuth2ClientProfileEnabled) {
"Modern authentication is disabled"
@@ -42,7 +42,7 @@ function Test-ModernAuthExchangeOnline {
$details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $orgConfig.OAuth2ClientProfileEnabled
Status = if ($orgConfig.OAuth2ClientProfileEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -52,7 +52,7 @@ function Test-ModernAuthExchangeOnline {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -11,8 +11,8 @@ function Test-ModernAuthSharePoint {
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.1"
Write-Verbose "Running Test-ModernAuthSharePoint for $recnum..."
$RecNum = "7.2.1"
Write-Verbose "Running Test-ModernAuthSharePoint for $RecNum..."
<#
# Conditions for 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required
## Validate test for a pass:
@@ -36,7 +36,7 @@ function Test-ModernAuthSharePoint {
LegacyAuthProtocolsEnabled = $true
}
#>
$SPOTenant = Get-CISSpoOutput -Rec $recnum
$SPOTenant = Get-CISSpoOutput -Rec $RecNum
$modernAuthForSPRequired = -not $SPOTenant.LegacyAuthProtocolsEnabled
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $modernAuthForSPRequired) {
@@ -48,7 +48,7 @@ function Test-ModernAuthSharePoint {
$details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" # Details for Condition B
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $modernAuthForSPRequired
Status = if ($modernAuthForSPRequired) { "Pass" } else { "Fail" }
Details = $details
@@ -58,7 +58,7 @@ function Test-ModernAuthSharePoint {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-NoAnonymousMeetingJoin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.1"
Write-Verbose "Running Test-NoAnonymousMeetingJoin for $recnum..."
$RecNum = "8.5.1"
Write-Verbose "Running Test-NoAnonymousMeetingJoin for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-NoAnonymousMeetingJoin {
AllowAnonymousUsersToJoinMeeting = $true
}
#>
$teamsMeetingPolicy = Get-CISMSTeamsOutput -Rec $recnum
$teamsMeetingPolicy = Get-CISMSTeamsOutput -Rec $RecNum
$allowAnonymousUsersToJoinMeeting = $teamsMeetingPolicy.AllowAnonymousUsersToJoinMeeting
# Prepare failure reasons and details based on compliance
$failureReasons = if ($allowAnonymousUsersToJoinMeeting) {
@@ -48,7 +48,7 @@ function Test-NoAnonymousMeetingJoin {
$details = "AllowAnonymousUsersToJoinMeeting is set to $allowAnonymousUsersToJoinMeeting"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = -not $allowAnonymousUsersToJoinMeeting
Status = if (-not $allowAnonymousUsersToJoinMeeting) { "Pass" } else { "Fail" }
Details = $details
@@ -58,7 +58,7 @@ function Test-NoAnonymousMeetingJoin {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-NoAnonymousMeetingStart {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.2"
Write-Verbose "Running Test-NoAnonymousMeetingStart for $recnum..."
$RecNum = "8.5.2"
Write-Verbose "Running Test-NoAnonymousMeetingStart for $RecNum..."
}
process {
try {
@@ -31,7 +31,7 @@ function Test-NoAnonymousMeetingStart {
# - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
$CsTeamsMeetingPolicyAnonymous = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyAnonymous = Get-CISMSTeamsOutput -Rec $RecNum
$anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting
# Prepare failure reasons and details based on compliance
$failureReasons = if ($anonymousStartDisabled) {
@@ -43,7 +43,7 @@ function Test-NoAnonymousMeetingStart {
$details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" # Condition C
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $anonymousStartDisabled
Status = if ($anonymousStartDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -53,7 +53,7 @@ function Test-NoAnonymousMeetingStart {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-NoWhitelistDomains {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.2.2"
Write-Verbose "Running Test-NoWhitelistDomains for $recnum..."
$RecNum = "6.2.2"
Write-Verbose "Running Test-NoWhitelistDomains for $RecNum..."
<#
Conditions for 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains (Automated)
Validate test for a pass:
@@ -32,7 +32,7 @@ function Test-NoWhitelistDomains {
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
# Retrieve transport rules that whitelist specific domains
# Condition A: Checking for transport rules that whitelist specific domains
$whitelistedRules = Get-CISExoOutput -Rec $recnum
$whitelistedRules = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
# Condition B: Prepare failure reasons based on the presence of whitelisted rules
$failureReasons = if ($whitelistedRules) {
@@ -51,7 +51,7 @@ function Test-NoWhitelistDomains {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = -not $whitelistedRules
Status = if ($whitelistedRules) { "Fail" } else { "Pass" }
Details = $details
@@ -61,7 +61,7 @@ function Test-NoWhitelistDomains {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -24,8 +24,8 @@ function Test-NotifyMalwareInternal {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "2.1.3"
Write-Verbose "Running Test-NotifyMalwareInternal for $recnum..."
$RecNum = "2.1.3"
Write-Verbose "Running Test-NotifyMalwareInternal for $RecNum..."
}
process {
try {
@@ -47,7 +47,7 @@ function Test-NotifyMalwareInternal {
}
)
#>
$malwareNotifications = Get-CISExoOutput -Rec $recnum
$malwareNotifications = Get-CISExoOutput -Rec $RecNum
# Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
$policiesToReport = @()
foreach ($policy in $malwareNotifications) {
@@ -73,7 +73,7 @@ function Test-NotifyMalwareInternal {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $details
@@ -83,7 +83,7 @@ function Test-NotifyMalwareInternal {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -24,8 +24,8 @@ function Test-OneDriveContentRestrictions {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.4"
Write-Verbose "Running Test-OneDriveContentRestrictions for $recnum..."
$RecNum = "7.2.4"
Write-Verbose "Running Test-OneDriveContentRestrictions for $RecNum..."
}
process {
try {
@@ -37,7 +37,7 @@ function Test-OneDriveContentRestrictions {
OneDriveSharingCapability = "ExternalUserAndGuestSharing"
}
#>
$SPOTenant = Get-CISSpoOutput -Rec $recnum
$SPOTenant = Get-CISSpoOutput -Rec $RecNum
$isOneDriveSharingRestricted = $SPOTenant.OneDriveSharingCapability -eq 'Disabled'
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isOneDriveSharingRestricted) {
@@ -55,7 +55,7 @@ function Test-OneDriveContentRestrictions {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isOneDriveSharingRestricted
Status = if ($isOneDriveSharingRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -65,7 +65,7 @@ function Test-OneDriveContentRestrictions {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-OneDriveSyncRestrictions {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.3.2"
Write-Verbose "Running Test-OneDriveSyncRestrictions for $recnum..."
$RecNum = "7.3.2"
Write-Verbose "Running Test-OneDriveSyncRestrictions for $RecNum..."
}
process {
try {
@@ -30,7 +30,7 @@ function Test-OneDriveSyncRestrictions {
# - Condition B: "TenantRestrictionEnabled" is set to False.
# - Condition C: "AllowedDomainList" does not contain the trusted domain GUIDs from the on-premises environment.
# Retrieve OneDrive sync client restriction settings
$SPOTenantSyncClientRestriction = Get-CISSpoOutput -Rec $recnum
$SPOTenantSyncClientRestriction = Get-CISSpoOutput -Rec $RecNum
$isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList
# Condition A: Check if TenantRestrictionEnabled is True
# Condition B: Ensure AllowedDomainList contains trusted domains GUIDs
@@ -52,7 +52,7 @@ function Test-OneDriveSyncRestrictions {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isSyncRestricted
Status = if ($isSyncRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -62,7 +62,7 @@ function Test-OneDriveSyncRestrictions {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {
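Review bot: `$isSyncRestricted` in the second hunk is true whenever `TenantRestrictionEnabled` is set and `AllowedDomainList` is non-empty, while the comments next to it say the list is checked for the trusted on-premises domain GUIDs. A tenant whose list holds an unrelated GUID would therefore be reported as Pass for 7.3.2. The visible lines give the function no reference list to compare against, so at minimum the comment should state the limit: `# Passes on any non-empty AllowedDomainList; the GUIDs must be compared with the on-premises domains by the reviewer`. The function body continues outside the hunk.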


@@ -9,8 +9,8 @@ function Test-OrgOnlyBypassLobby {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.3"
Write-Verbose "Running Test-OrgOnlyBypassLobby for $recnum..."
$RecNum = "8.5.3"
Write-Verbose "Running Test-OrgOnlyBypassLobby for $RecNum..."
}
process {
try {
@@ -31,7 +31,7 @@ function Test-OrgOnlyBypassLobby {
# - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for lobby bypass settings
$CsTeamsMeetingPolicyLobby = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyLobby = Get-CISMSTeamsOutput -Rec $RecNum
$lobbyBypassRestricted = $CsTeamsMeetingPolicyLobby.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests'
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $lobbyBypassRestricted) {
@@ -49,7 +49,7 @@ function Test-OrgOnlyBypassLobby {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $lobbyBypassRestricted
Status = if ($lobbyBypassRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -59,7 +59,7 @@ function Test-OrgOnlyBypassLobby {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-OrganizersPresent {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.6"
Write-Verbose "Running Test-OrganizersPresent for $recnum..."
$RecNum = "8.5.6"
Write-Verbose "Running Test-OrganizersPresent for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-OrganizersPresent {
DesignatedPresenterRoleMode = "Enabled"
}
#>
$CsTeamsMeetingPolicyPresenters = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyPresenters = Get-CISMSTeamsOutput -Rec $RecNum
$presenterRoleRestricted = $CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode -eq 'OrganizerOnlyUserOverride'
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $presenterRoleRestricted) {
@@ -53,7 +53,7 @@ function Test-OrganizersPresent {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $presenterRoleRestricted
Status = if ($presenterRoleRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -63,7 +63,7 @@ function Test-OrganizersPresent {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -24,14 +24,14 @@ function Test-PasswordHashSync {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "5.1.8.1"
Write-Verbose "Starting Test-PasswordHashSync with Rec: $recnum"
$RecNum = "5.1.8.1"
Write-Verbose "Starting Test-PasswordHashSync with Rec: $RecNum"
}
process {
try {
# 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
# Retrieve password hash sync status (Condition A and C)
$passwordHashSync = Get-CISMgOutput -Rec $recnum
$passwordHashSync = Get-CISMgOutput -Rec $RecNum
$hashSyncResult = $passwordHashSync
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $hashSyncResult) {
@@ -43,7 +43,7 @@ function Test-PasswordHashSync {
$details = "OnPremisesSyncEnabled: $($passwordHashSync)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $hashSyncResult
Status = if ($hashSyncResult) { "Pass" } else { "Fail" }
Details = $details
@@ -53,7 +53,7 @@ function Test-PasswordHashSync {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -11,7 +11,7 @@ function Test-PasswordNeverExpirePolicy {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.3.1"
$RecNum = "1.3.1"
$overallResult = $true
$detailsList = @()
$failureReasonsList = @()
@@ -39,7 +39,7 @@ function Test-PasswordNeverExpirePolicy {
process {
try {
# Step: Retrieve all domains or a specific domain
$domains = Get-CISMgOutput -Rec $recnum -DomainName $DomainName
$domains = Get-CISMgOutput -Rec $RecNum -DomainName $DomainName
foreach ($domain in $domains) {
$domainName = $domain.Id
$isDefault = $domain.IsDefault
@@ -68,7 +68,7 @@ function Test-PasswordNeverExpirePolicy {
$finalDetails = $detailsList -join "`n"
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $overallResult
Status = if ($overallResult) { "Pass" } else { "Fail" }
Details = $finalDetails
@@ -78,7 +78,7 @@ function Test-PasswordNeverExpirePolicy {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {
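Review bot: In the second hunk the loop assigns `$domainName = $domain.Id` directly after the call that reads `$DomainName`; PowerShell variable names are case-insensitive, so the loop overwrites the value (presumably the function parameter) that was passed to `Get-CISMgOutput -DomainName`. Since this commit is normalising identifier case, the loop local should get its own name, for example `$currentDomainName = $domain.Id`, with its later uses updated to match. Whether the overwrite changes a result depends on code outside the hunk, but after the first iteration `$DomainName` no longer holds the caller's filter.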


@@ -24,8 +24,8 @@ function Test-ReauthWithCode {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.10"
Write-Verbose "Running Test-ReauthWithCode for $recnum..."
$RecNum = "7.2.10"
Write-Verbose "Running Test-ReauthWithCode for $RecNum..."
}
process {
try {
@@ -38,7 +38,7 @@ function Test-ReauthWithCode {
EmailAttestationReAuthDays = "30"
}
#>
$SPOTenantReauthentication = Get-CISSpoOutput -Rec $recnum
$SPOTenantReauthentication = Get-CISSpoOutput -Rec $RecNum
$isReauthenticationRestricted = $SPOTenantReauthentication.EmailAttestationRequired -and $SPOTenantReauthentication.EmailAttestationReAuthDays -le 15
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isReauthenticationRestricted) {
@@ -51,7 +51,7 @@ function Test-ReauthWithCode {
$details = "EmailAttestationRequired: $($SPOTenantReauthentication.EmailAttestationRequired); EmailAttestationReAuthDays: $($SPOTenantReauthentication.EmailAttestationReAuthDays)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isReauthenticationRestricted
Status = if ($isReauthenticationRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -61,7 +61,7 @@ function Test-ReauthWithCode {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {
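Review bot: The `-le 15` comparison in the second hunk depends on the type of `EmailAttestationReAuthDays`: the mock object in the comment above it carries the value as the string "30", and with a string on the left PowerShell converts the right operand and compares text, so "9" would be reported as Fail and "100" as Pass. If Get-CISSpoOutput can return the value as a string, cast before comparing: `$SPOTenantReauthentication.EmailAttestationRequired -and [int]$SPOTenantReauthentication.EmailAttestationReAuthDays -le 15`. The surrounding function continues outside the hunk.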


@@ -9,8 +9,8 @@ function Test-ReportSecurityInTeams {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.6.1"
Write-Verbose "Running Test-ReportSecurityInTeams for $recnum..."
$RecNum = "8.6.1"
Write-Verbose "Running Test-ReportSecurityInTeams for $RecNum..."
}
process {
try {
@@ -24,7 +24,7 @@ function Test-ReportSecurityInTeams {
AllowSecurityEndUserReporting = $true
}
#>
$CsTeamsMessagingPolicy = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMessagingPolicy = Get-CISMSTeamsOutput -Rec $RecNum
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
# $ReportSubmissionPolicy Mock Object
@@ -40,7 +40,7 @@ function Test-ReportSecurityInTeams {
ReportChatMessageToCustomizedAddressEnabled = $false
}
#>
$ReportSubmissionPolicy = Get-CISExoOutput -Rec $recnum
$ReportSubmissionPolicy = Get-CISExoOutput -Rec $RecNum
# Check if all the required settings are enabled
$securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and
$ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and
@@ -92,7 +92,7 @@ ReportChatMessageToCustomizedAddressEnabled: True
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $securityReportEnabled
Status = if ($securityReportEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -102,7 +102,7 @@ ReportChatMessageToCustomizedAddressEnabled: True
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -8,8 +8,8 @@ function Test-RestrictCustomScripts {
# Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.3.4"
Write-Verbose "Running Test-RestrictCustomScripts for $recnum..."
$RecNum = "7.3.4"
Write-Verbose "Running Test-RestrictCustomScripts for $RecNum..."
}
process {
try {
@@ -37,7 +37,7 @@ function Test-RestrictCustomScripts {
DenyAddAndCustomizePages = "Enabled"
}
#>
$SPOSitesCustomScript = Get-CISSpoOutput -Rec $recnum
$SPOSitesCustomScript = Get-CISSpoOutput -Rec $RecNum
# Process URLs to replace 'sharepoint.com' with '<SPUrl>'
$processedUrls = $SPOSitesCustomScript | ForEach-Object {
$_.Url = $_.Url -replace 'sharepoint\.com', '<SPUrl>'
@@ -99,7 +99,7 @@ function Test-RestrictCustomScripts {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $complianceResult
Status = if ($complianceResult) { "Pass" } else { "Fail" }
Details = $details
@@ -109,7 +109,7 @@ function Test-RestrictCustomScripts {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}


@@ -24,8 +24,8 @@ function Test-RestrictExternalSharing {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.3"
Write-Verbose "Running Test-RestrictExternalSharing for $recnum..."
$RecNum = "7.2.3"
Write-Verbose "Running Test-RestrictExternalSharing for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-RestrictExternalSharing {
SharingCapability = "ExternalUserAndGuestSharing"
}
#>
$SPOTenantSharingCapability = Get-CISSpoOutput -Rec $recnum
$SPOTenantSharingCapability = Get-CISSpoOutput -Rec $RecNum
$isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')
# Prepare failure reasons and details based on compliance
# Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
@@ -54,7 +54,7 @@ function Test-RestrictExternalSharing {
$details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isRestricted
Status = if ($isRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -64,7 +64,7 @@ function Test-RestrictExternalSharing {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -11,8 +11,8 @@ function Test-RestrictOutlookAddins {
# Initialization code
$defaultPolicyFailureDetails = @()
$relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
$recnum = "6.3.1"
Write-Verbose "Running Test-RestrictOutlookAddins for $recnum..."
$RecNum = "6.3.1"
Write-Verbose "Running Test-RestrictOutlookAddins for $RecNum..."
# Conditions for 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
#
# Validate test for a pass:
@@ -32,7 +32,7 @@ function Test-RestrictOutlookAddins {
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
# Check all mailboxes for custom policies with unallowed add-ins
# Check Default Role Assignment Policy
$customPolicyFailures, $defaultPolicy = Get-CISExoOutput -Rec $recnum
$customPolicyFailures, $defaultPolicy = Get-CISExoOutput -Rec $RecNum
$defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
if ($defaultPolicyRoles) {
@@ -58,7 +58,7 @@ function Test-RestrictOutlookAddins {
$isCompliant = -not ($customPolicyFailures -or $defaultPolicyFailureDetails)
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isCompliant
Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = $detailsString
@@ -68,7 +68,7 @@ function Test-RestrictOutlookAddins {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -24,14 +24,14 @@ function Test-RestrictStorageProvidersOutlook {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.5.3"
Write-Verbose "Running Test-RestrictStorageProvidersOutlook for $recnum..."
$RecNum = "6.5.3"
Write-Verbose "Running Test-RestrictStorageProvidersOutlook for $RecNum..."
}
process {
try {
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
# Retrieve all OwaMailbox policies
$owaPolicies = Get-CISExoOutput -Rec $recnum
$owaPolicies = Get-CISExoOutput -Rec $RecNum
# Condition A: Check if AdditionalStorageProvidersAvailable is set to False
$nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }
# Determine compliance
@@ -51,7 +51,7 @@ function Test-RestrictStorageProvidersOutlook {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allPoliciesRestricted
Status = if ($allPoliciesRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -61,7 +61,7 @@ function Test-RestrictStorageProvidersOutlook {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-RestrictTenantCreation {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "5.1.2.3"
Write-Verbose "Starting Test-RestrictTenantCreation with Rec: $recnum"
$RecNum = "5.1.2.3"
Write-Verbose "Starting Test-RestrictTenantCreation with Rec: $RecNum"
<#
Conditions for 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
Validate test for a pass:
@@ -29,7 +29,7 @@ function Test-RestrictTenantCreation {
try {
# 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
# Retrieve the tenant creation policy
$tenantCreationPolicy = Get-CISMgOutput -Rec $recnum
$tenantCreationPolicy = Get-CISMgOutput -Rec $RecNum
$tenantCreationResult = -not $tenantCreationPolicy.AllowedToCreateTenants
# Prepare failure reasons and details based on compliance
$failureReasons = if ($tenantCreationResult) {
@@ -41,7 +41,7 @@ function Test-RestrictTenantCreation {
$details = "AllowedToCreateTenants: $($tenantCreationPolicy.AllowedToCreateTenants)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $tenantCreationResult
Status = if ($tenantCreationResult) { "Pass" } else { "Fail" }
Details = $details
@@ -51,7 +51,7 @@ function Test-RestrictTenantCreation {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -6,8 +6,8 @@ function Test-SafeAttachmentsPolicy {
[string]$DomainName
)
begin {
$recnum = "2.1.4"
Write-Verbose "Running Test-SafeAttachmentsPolicy for $recnum..."
$RecNum = "2.1.4"
Write-Verbose "Running Test-SafeAttachmentsPolicy for $RecNum..."
<#
Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled:
Validate test for a pass:
@@ -36,7 +36,7 @@ function Test-SafeAttachmentsPolicy {
}
)
#>
$safeAttachmentPolicies, $safeAttachmentRules = Get-CISExoOutput -Rec $recnum
$safeAttachmentPolicies, $safeAttachmentRules = Get-CISExoOutput -Rec $RecNum
$safeAttachmentPolicies = $safeAttachmentPolicies | Where-Object { $_.Identity -in $safeAttachmentRules.SafeAttachmentPolicy }
if ($safeAttachmentPolicies -ne 1) {
try {
@@ -81,7 +81,7 @@ function Test-SafeAttachmentsPolicy {
$failureReasonsString = ($failureReasons -join "`n")
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $detailsString
@@ -90,18 +90,18 @@ function Test-SafeAttachmentsPolicy {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test $recnum`:: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No Safe Attachments policies found."
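Review bot: The catch block in the `@@ -90,18 +90,18 @@` hunk repeats by hand the description lookup, the `$script:FailedTests.Add(...)` call and `Initialize-CISAuditResult -Rec $RecNum -Failure`, which the other tests in this commit delegate to `Get-TestError`. Since the change already touches each of those lines, the body after `Write-Error` could become `$auditResult = Get-TestError -LastError $_ -RecNum $RecNum`, as Test-SpamPolicyAdminNotify does. A single copy keeps the failure record consistent, and that record is what an auditor reads when a control could not be evaluated. The same inline copy appears in Test-SafeAttachmentsTeams and Test-SafeLinksOfficeApps. The enclosing try block starts outside the hunk.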


@@ -24,8 +24,8 @@ function Test-SafeAttachmentsTeams {
# - Condition B: Safe Attachments for OneDrive is not enabled.
# - Condition C: Safe Attachments for Microsoft Teams is not enabled.
# Initialization code, if needed
$recnum = "2.1.5"
Write-Verbose "Running Test-SafeAttachmentsTeams for $recnum..."
$RecNum = "2.1.5"
Write-Verbose "Running Test-SafeAttachmentsTeams for $RecNum..."
}
process {
# $atpPolicyResult Mock Object
@@ -39,7 +39,7 @@ function Test-SafeAttachmentsTeams {
}
)
#>
$atpPolicyResult = Get-CISExoOutput -Rec $recnum
$atpPolicyResult = Get-CISExoOutput -Rec $RecNum
if ($atpPolicyResult -ne 1) {
try {
# Condition A: Check Safe Attachments for SharePoint
@@ -79,7 +79,7 @@ AllowSafeDocsOpen: $($_.AllowSafeDocsOpen)
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $details
@@ -88,18 +88,18 @@ AllowSafeDocsOpen: $($_.AllowSafeDocsOpen)
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test $recnum`:: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No M365 E5 licenses found."


@@ -9,8 +9,8 @@ function Test-SafeLinksOfficeApps {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "2.1.1"
Write-Verbose "Running Test-SafeLinksOfficeApps for $recnum..."
$RecNum = "2.1.1"
Write-Verbose "Running Test-SafeLinksOfficeApps for $RecNum..."
<#
Conditions for 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
Validate test for a pass:
@@ -38,7 +38,7 @@ function Test-SafeLinksOfficeApps {
process {
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
# Retrieve all Safe Links policies
$misconfiguredDetails = Get-CISExoOutput -Rec $recnum
$misconfiguredDetails = Get-CISExoOutput -Rec $RecNum
# Misconfigured details returns 1 if EXO Commands needed for the test are not available
if ($misconfiguredDetails -ne 1) {
try {
@@ -49,7 +49,7 @@ function Test-SafeLinksOfficeApps {
$failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $details
@@ -58,18 +58,18 @@ function Test-SafeLinksOfficeApps {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test $recnum`:: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No M365 E5 licenses found."
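Review bot: The else branch at the end of the `@@ -58,18 +58,18 @@` hunk reports `Details = "No M365 E5 licenses found."`, while the comment above the `-ne 1` check says the helper returns 1 when the EXO commands needed for the test are not available. Those may be the same condition, but missing cmdlets can also come from a session or permission problem. If so, the audit output would attribute an unevaluated control to licensing. I would add a comment on the else branch such as `# Get-CISExoOutput returned 1: required EXO cmdlets unavailable, control not evaluated`, and consider wording Details to match. The hashtable continues outside the hunk.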


@@ -24,8 +24,8 @@ function Test-SharePointAADB2B {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.2"
Write-Verbose "Running Test-SharePointAADB2B for $recnum..."
$RecNum = "7.2.2"
Write-Verbose "Running Test-SharePointAADB2B for $RecNum..."
}
process {
try {
@@ -36,10 +36,10 @@ function Test-SharePointAADB2B {
EnableAzureADB2BIntegration = $false
}
#>
$SPOTenantAzureADB2B = Get-CISSpoOutput -Rec $recnum
$SPOTenantAzureADB2B = Get-CISSpoOutput -Rec $RecNum
# Populate the auditResult object with the required properties
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $SPOTenantAzureADB2B.EnableAzureADB2BIntegration
Status = if ($SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Pass" } else { "Fail" }
Details = "EnableAzureADB2BIntegration: $($SPOTenantAzureADB2B.EnableAzureADB2BIntegration)"
@@ -49,7 +49,7 @@ function Test-SharePointAADB2B {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-SharePointExternalSharingDomains {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.6"
Write-Verbose "Running Test-SharePointExternalSharingDomains for $recnum..."
$RecNum = "7.2.6"
Write-Verbose "Running Test-SharePointExternalSharingDomains for $RecNum..."
# Conditions for 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
#
# Validate test for a pass:
@@ -30,7 +30,7 @@ function Test-SharePointExternalSharingDomains {
process {
try {
# 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
$SPOTenant = Get-CISSpoOutput -Rec $recnum
$SPOTenant = Get-CISSpoOutput -Rec $RecNum
# $SPOTenant Mock Object
<#
$SPOTenant = [PSCustomObject]@{
@@ -41,7 +41,7 @@ function Test-SharePointExternalSharingDomains {
$isDomainRestrictionConfigured = $SPOTenant.SharingDomainRestrictionMode -eq 'AllowList'
# Populate the auditResult object with the required properties
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isDomainRestrictionConfigured
Status = if ($isDomainRestrictionConfigured) { "Pass" } else { "Fail" }
Details = "SharingDomainRestrictionMode: $($SPOTenant.SharingDomainRestrictionMode); SharingAllowedDomainList: $($SPOTenant.SharingAllowedDomainList)"
@@ -51,7 +51,7 @@ function Test-SharePointExternalSharingDomains {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-SharePointGuestsItemSharing {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.5"
Write-Verbose "Running Test-SharePointGuestsItemSharing for $recnum..."
$RecNum = "7.2.5"
Write-Verbose "Running Test-SharePointGuestsItemSharing for $RecNum..."
# Conditions for 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
#
# Validate test for a pass:
@@ -36,11 +36,11 @@ function Test-SharePointGuestsItemSharing {
PreventExternalUsersFromResharing = $false
}
#>
$SPOTenant = Get-CISSpoOutput -Rec $recnum
$SPOTenant = Get-CISSpoOutput -Rec $RecNum
$isGuestResharingPrevented = $SPOTenant.PreventExternalUsersFromResharing
# Populate the auditResult object with the required properties
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isGuestResharingPrevented
Status = if ($isGuestResharingPrevented) { "Pass" } else { "Fail" }
Details = "PreventExternalUsersFromResharing: $isGuestResharingPrevented"
@@ -50,7 +50,7 @@ function Test-SharePointGuestsItemSharing {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -23,8 +23,8 @@ function Test-SpamPolicyAdminNotify {
Note:
- While the primary focus is on the default policy, the function also retrieves and displays settings from additional policies that are not default, providing comprehensive insight into the organization's configuration. These additional policies are not used to determine the test's pass/fail status but are included in the details for informational purposes.
#>
$recnum = "2.1.6"
Write-Verbose "Running Test-SpamPolicyAdminNotify for $recnum..."
$RecNum = "2.1.6"
Write-Verbose "Running Test-SpamPolicyAdminNotify for $RecNum..."
}
process {
try {
@@ -57,7 +57,7 @@ function Test-SpamPolicyAdminNotify {
}
)
#>
$spamPolicies = Get-CISExoOutput -Rec $recnum
$spamPolicies = Get-CISExoOutput -Rec $RecNum
$defaultPolicy = $spamPolicies | Where-Object { $_.IsDefault -eq $true }
$additionalPolicies = $spamPolicies | Where-Object { $_.IsDefault -eq $false }
$details = @()
@@ -99,7 +99,7 @@ function Test-SpamPolicyAdminNotify {
$failureReasonsString = $failureReasons -join "`n"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $detailsString
@@ -108,8 +108,8 @@ function Test-SpamPolicyAdminNotify {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test $recnum`:: $_"
$auditResult = Get-TestError -LastError $_ -recnum $recnum
Write-Error "An error occurred during the test $RecNum`:: $_"
$auditResult = Get-TestError -LastError $_ -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-TeamsExternalAccess {
# Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.2.1"
Write-Verbose "Running Test-TeamsExternalAccess for $recnum..."
$RecNum = "8.2.1"
Write-Verbose "Running Test-TeamsExternalAccess for $RecNum..."
}
process {
try {
@@ -45,7 +45,7 @@ function Test-TeamsExternalAccess {
AllowTeamsConsumerInbound = $true
}
#>
$externalAccessConfig = Get-CISMSTeamsOutput -Rec $recnum
$externalAccessConfig = Get-CISMSTeamsOutput -Rec $RecNum
# Testing
#$externalAccessConfig.AllowedDomains = @("msn.com", "google.com")
#$externalAccessConfig.AllowTeamsConsumer = $false
@@ -71,7 +71,7 @@ function Test-TeamsExternalAccess {
$isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or ($allowedDomainsLimited -and $allowedDomainsMatch))
# Create an instance of CISAuditResult and populate it
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isCompliant
Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited; AllowedDomains match: $allowedDomainsMatch; Invalid Domains: $($invalidDomains -join ', ')"
@@ -81,7 +81,7 @@ function Test-TeamsExternalAccess {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {


@@ -9,8 +9,8 @@ function Test-TeamsExternalFileSharing {
# Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.1.1"
Write-Verbose "Running Test-TeamsExternalFileSharing for $recnum..."
$RecNum = "8.1.1"
Write-Verbose "Running Test-TeamsExternalFileSharing for $RecNum..."
}
process {
try {
@@ -24,7 +24,7 @@ function Test-TeamsExternalFileSharing {
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
# This list must be defined according to your organization's approved cloud storage services
# Retrieve the current Teams client configuration
$clientConfig = Get-CISMSTeamsOutput -Rec $recnum
$clientConfig = Get-CISMSTeamsOutput -Rec $RecNum
# Testing
#$clientconfig.AllowGoogleDrive = $false
#$clientconfig.AllowBox = $false
@@ -57,7 +57,7 @@ function Test-TeamsExternalFileSharing {
}
# Create an instance of CISAuditResult and populate it
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isCompliant
Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = if (-not $isCompliant) { "Non-approved providers enabled: $($nonCompliantProviders -join ', ')" } else { $basePassDetails }
@@ -67,7 +67,7 @@ function Test-TeamsExternalFileSharing {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {