fix: Add parameter for approved storage providers for 8.1.1
This commit is contained in:
DrIOS
@@ -49,6 +49,7 @@ function Get-CISMSTeamsOutput {
|
|||||||
|
|
||||||
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
|
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
|
||||||
# This list must be defined according to your organization's approved cloud storage services
|
# This list must be defined according to your organization's approved cloud storage services
|
||||||
|
# Add option for approved providers.
|
||||||
$clientConfig = Get-CsTeamsClientConfiguration
|
$clientConfig = Get-CsTeamsClientConfiguration
|
||||||
return $clientConfig
|
return $clientConfig
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3,9 +3,10 @@ function Invoke-TestFunction {
|
|||||||
param (
|
param (
|
||||||
[Parameter(Mandatory = $true)]
|
[Parameter(Mandatory = $true)]
|
||||||
[PSObject]$FunctionFile,
|
[PSObject]$FunctionFile,
|
||||||
|
|
||||||
[Parameter(Mandatory = $false)]
|
[Parameter(Mandatory = $false)]
|
||||||
[string]$DomainName
|
[string]$DomainName,
|
||||||
|
[Parameter(Mandatory = $false)]
|
||||||
|
[string[]]$ApprovedCloudStorageProvider
|
||||||
)
|
)
|
||||||
|
|
||||||
$functionName = $FunctionFile.BaseName
|
$functionName = $FunctionFile.BaseName
|
||||||
@@ -16,7 +17,9 @@ function Invoke-TestFunction {
|
|||||||
if ('DomainName' -in $functionCmd.Parameters.Keys) {
|
if ('DomainName' -in $functionCmd.Parameters.Keys) {
|
||||||
$paramList.DomainName = $DomainName
|
$paramList.DomainName = $DomainName
|
||||||
}
|
}
|
||||||
|
if ('ApprovedCloudStorageProvider' -in $functionCmd.Parameters.Keys) {
|
||||||
|
$paramList.ApprovedCloudStorageProvider = $ApprovedCloudStorageProvider
|
||||||
|
}
|
||||||
# Use splatting to pass parameters
|
# Use splatting to pass parameters
|
||||||
Write-Verbose "Running $functionName..."
|
Write-Verbose "Running $functionName..."
|
||||||
try {
|
try {
|
||||||
|
|||||||
@@ -21,6 +21,8 @@
|
|||||||
Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers.
|
Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers.
|
||||||
.PARAMETER SkipRecommendation
|
.PARAMETER SkipRecommendation
|
||||||
Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers.
|
Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers.
|
||||||
|
.PARAMETER ApprovedCloudStorageProvider
|
||||||
|
Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.
|
||||||
.PARAMETER DoNotConnect
|
.PARAMETER DoNotConnect
|
||||||
If specified, the cmdlet will not establish a connection to Microsoft 365 services.
|
If specified, the cmdlet will not establish a connection to Microsoft 365 services.
|
||||||
.PARAMETER DoNotDisconnect
|
.PARAMETER DoNotDisconnect
|
||||||
@@ -134,26 +136,26 @@ function Invoke-M365SecurityAudit {
|
|||||||
[string]$DomainName,
|
[string]$DomainName,
|
||||||
|
|
||||||
# E-Level with optional ProfileLevel selection
|
# E-Level with optional ProfileLevel selection
|
||||||
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter')]
|
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = "Specifies the E-Level (E3 or E5) for the audit.")]
|
||||||
[ValidateSet('E3', 'E5')]
|
[ValidateSet('E3', 'E5')]
|
||||||
[string]$ELevel,
|
[string]$ELevel,
|
||||||
|
|
||||||
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter')]
|
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = "Specifies the profile level (L1 or L2) for the audit.")]
|
||||||
[ValidateSet('L1', 'L2')]
|
[ValidateSet('L1', 'L2')]
|
||||||
[string]$ProfileLevel,
|
[string]$ProfileLevel,
|
||||||
|
|
||||||
# IG Filters, one at a time
|
# IG Filters, one at a time
|
||||||
[Parameter(Mandatory = $true, ParameterSetName = 'IG1Filter')]
|
[Parameter(Mandatory = $true, ParameterSetName = 'IG1Filter', HelpMessage = "Includes tests where IG1 is true.")]
|
||||||
[switch]$IncludeIG1,
|
[switch]$IncludeIG1,
|
||||||
|
|
||||||
[Parameter(Mandatory = $true, ParameterSetName = 'IG2Filter')]
|
[Parameter(Mandatory = $true, ParameterSetName = 'IG2Filter', HelpMessage = "Includes tests where IG2 is true.")]
|
||||||
[switch]$IncludeIG2,
|
[switch]$IncludeIG2,
|
||||||
|
|
||||||
[Parameter(Mandatory = $true, ParameterSetName = 'IG3Filter')]
|
[Parameter(Mandatory = $true, ParameterSetName = 'IG3Filter', HelpMessage = "Includes tests where IG3 is true.")]
|
||||||
[switch]$IncludeIG3,
|
[switch]$IncludeIG3,
|
||||||
|
|
||||||
# Inclusion of specific recommendation numbers
|
# Inclusion of specific recommendation numbers
|
||||||
[Parameter(Mandatory = $true, ParameterSetName = 'RecFilter')]
|
[Parameter(Mandatory = $true, ParameterSetName = 'RecFilter', HelpMessage = "Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers.")]
|
||||||
[ValidateSet(
|
[ValidateSet(
|
||||||
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
|
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
|
||||||
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
|
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
|
||||||
@@ -166,7 +168,7 @@ function Invoke-M365SecurityAudit {
|
|||||||
[string[]]$IncludeRecommendation,
|
[string[]]$IncludeRecommendation,
|
||||||
|
|
||||||
# Exclusion of specific recommendation numbers
|
# Exclusion of specific recommendation numbers
|
||||||
[Parameter(Mandatory = $true, ParameterSetName = 'SkipRecFilter')]
|
[Parameter(Mandatory = $true, ParameterSetName = 'SkipRecFilter', HelpMessage = "Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers.")]
|
||||||
[ValidateSet(
|
[ValidateSet(
|
||||||
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
|
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
|
||||||
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
|
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
|
||||||
@@ -179,12 +181,24 @@ function Invoke-M365SecurityAudit {
|
|||||||
[string[]]$SkipRecommendation,
|
[string[]]$SkipRecommendation,
|
||||||
|
|
||||||
# Common parameters for all parameter sets
|
# Common parameters for all parameter sets
|
||||||
|
[Parameter(Mandatory = $false, HelpMessage = "Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.")]
|
||||||
|
[ValidateSet(
|
||||||
|
'GoogleDrive', 'ShareFile', 'Box', 'DropBox', 'Egnyte'
|
||||||
|
)]
|
||||||
|
[string[]]$ApprovedCloudStorageProvider = @(),
|
||||||
|
|
||||||
|
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not establish a connection to Microsoft 365 services.")]
|
||||||
[switch]$DoNotConnect,
|
[switch]$DoNotConnect,
|
||||||
|
|
||||||
|
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not disconnect from Microsoft 365 services after execution.")]
|
||||||
[switch]$DoNotDisconnect,
|
[switch]$DoNotDisconnect,
|
||||||
|
|
||||||
|
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not check for the presence of required modules.")]
|
||||||
[switch]$NoModuleCheck,
|
[switch]$NoModuleCheck,
|
||||||
|
|
||||||
|
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them.")]
|
||||||
[switch]$DoNotConfirmConnections
|
[switch]$DoNotConfirmConnections
|
||||||
)
|
)
|
||||||
|
|
||||||
Begin {
|
Begin {
|
||||||
if ($script:MaximumFunctionCount -lt 8192) {
|
if ($script:MaximumFunctionCount -lt 8192) {
|
||||||
$script:MaximumFunctionCount = 8192
|
$script:MaximumFunctionCount = 8192
|
||||||
@@ -286,7 +300,7 @@ function Invoke-M365SecurityAudit {
|
|||||||
Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
|
Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
|
||||||
$functionName = $testFunction.BaseName
|
$functionName = $testFunction.BaseName
|
||||||
if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) {
|
if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) {
|
||||||
$auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $DomainName
|
$auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $DomainName -ApprovedCloudStorageProvider $ApprovedCloudStorageProvider
|
||||||
# Add the result to the collection
|
# Add the result to the collection
|
||||||
[void]$allAuditResults.Add($auditResult)
|
[void]$allAuditResults.Add($auditResult)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,17 +2,15 @@ function Test-TeamsExternalFileSharing {
|
|||||||
[CmdletBinding()]
|
[CmdletBinding()]
|
||||||
[OutputType([CISAuditResult])]
|
[OutputType([CISAuditResult])]
|
||||||
param (
|
param (
|
||||||
# Aligned
|
[Parameter(Mandatory = $false)]
|
||||||
# Parameters can be added here if needed
|
[string[]]$ApprovedCloudStorageProvider
|
||||||
)
|
)
|
||||||
|
|
||||||
begin {
|
begin {
|
||||||
# Dot source the class script if necessary
|
# Dot source the class script if necessary
|
||||||
# . .\source\Classes\CISAuditResult.ps1
|
# . .\source\Classes\CISAuditResult.ps1
|
||||||
# Initialization code, if needed
|
# Initialization code, if needed
|
||||||
$recnum = "8.1.1"
|
$recnum = "8.1.1"
|
||||||
}
|
}
|
||||||
|
|
||||||
process {
|
process {
|
||||||
try {
|
try {
|
||||||
# 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
|
# 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
|
||||||
@@ -26,25 +24,44 @@ function Test-TeamsExternalFileSharing {
|
|||||||
|
|
||||||
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
|
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
|
||||||
# This list must be defined according to your organization's approved cloud storage services
|
# This list must be defined according to your organization's approved cloud storage services
|
||||||
|
# Retrieve the current Teams client configuration
|
||||||
$clientConfig = Get-CISMSTeamsOutput -Rec $recnum
|
$clientConfig = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
$unapprovedProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")
|
# Testing
|
||||||
|
#$clientconfig.AllowGoogleDrive = $false
|
||||||
|
#$clientconfig.AllowBox = $false
|
||||||
|
#$clientconfig.AllowShareFile = $false
|
||||||
|
#$clientconfig.AllowEgnyte = $false
|
||||||
|
#$clientconfig.AllowDropBox = $false
|
||||||
|
# Define all possible cloud storage providers
|
||||||
|
$allProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")
|
||||||
|
# If ApprovedCloudStorageProvider is provided, map it to the corresponding settings
|
||||||
|
if ($PSBoundParameters.ContainsKey('ApprovedCloudStorageProvider')) {
|
||||||
|
$approvedProviders = @()
|
||||||
|
foreach ($provider in $ApprovedCloudStorageProvider) {
|
||||||
|
$approvedProviders += "Allow$provider"
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
# Default approved providers
|
||||||
|
$approvedProviders = @()
|
||||||
|
}
|
||||||
$isCompliant = $true
|
$isCompliant = $true
|
||||||
$nonCompliantProviders = @()
|
$nonCompliantProviders = @()
|
||||||
|
foreach ($provider in $allProviders) {
|
||||||
foreach ($provider in $unapprovedProviders) {
|
if ($clientConfig.$provider -and -not $approvedProviders.Contains($provider)) {
|
||||||
if ($clientConfig.$provider) {
|
|
||||||
$isCompliant = $false
|
$isCompliant = $false
|
||||||
$nonCompliantProviders += $provider
|
$nonCompliantProviders += $provider
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
$basePassDetails = "All cloud storage services are approved providers"
|
||||||
# Create an instance of CISAuditResult and populate it
|
if ($ApprovedCloudStorageProvider) {
|
||||||
|
$basePassDetails = "Approved cloud storage services: $($ApprovedCloudStorageProvider -join ', ')"
|
||||||
|
}
|
||||||
# Create an instance of CISAuditResult and populate it
|
# Create an instance of CISAuditResult and populate it
|
||||||
$params = @{
|
$params = @{
|
||||||
Rec = $recnum
|
Rec = $recnum
|
||||||
Result = $isCompliant
|
Result = $isCompliant
|
||||||
Status = if ($isCompliant) { "Pass" } else { "Fail" }
|
Status = if ($isCompliant) { "Pass" } else { "Fail" }
|
||||||
Details = if (-not $isCompliant) { "Non-approved providers enabled: $($nonCompliantProviders -join ', ')" } else { "All cloud storage services are approved providers" }
|
Details = if (-not $isCompliant) { "Non-approved providers enabled: $($nonCompliantProviders -join ', ')" } else { $basePassDetails }
|
||||||
FailureReason = if (-not $isCompliant) { "The following non-approved providers are enabled: $($nonCompliantProviders -join ', ')" } else { "N/A" }
|
FailureReason = if (-not $isCompliant) { "The following non-approved providers are enabled: $($nonCompliantProviders -join ', ')" } else { "N/A" }
|
||||||
}
|
}
|
||||||
$auditResult = Initialize-CISAuditResult @params
|
$auditResult = Initialize-CISAuditResult @params
|
||||||
@@ -54,7 +71,6 @@ function Test-TeamsExternalFileSharing {
|
|||||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
end {
|
end {
|
||||||
# Return auditResult
|
# Return auditResult
|
||||||
return $auditResult
|
return $auditResult
|
||||||
|
|||||||
Reference in New Issue
Block a user