Merge pull request #110 from CriticalSolutionsNetwork/Add-condition-c…

…omments-to-tests

Add condition comments to tests

CHANGELOG.md

@@ -4,6 +4,16 @@ The format is based on and uses the types of changes according to [Keep a Change
 
 ## [Unreleased]
 
+### Added
+
+- Added condition comments to each test.
+
+### Fixed
+
+- Fixed csv CIS controls that were not matched correctly.
+
+## [0.1.9] - 2024-06-10
+
 ### Fixed
 
 - Fixed bug in 1.1.1 that caused the test to fail/pass incorrectly. Added verbose output.
@@ -12,6 +22,7 @@ The format is based on and uses the types of changes according to [Keep a Change
 
 - Updated helper csv formatting for one cis control.
 
+
 ## [0.1.8] - 2024-06-09
 
 ### Added

helpers/Build-Help.ps1

@@ -4,7 +4,7 @@ Import-Module .\output\module\M365FoundationsCISReport\*\*.psd1
 
 
 <#
-    $ver = "v0.1.8"
+    $ver = "v0.1.9"
     git checkout main
     git pull origin main
     git tag -a $ver -m "Release version $ver refactor Update"

source/helper/TestDefinitions.csv

@@ -28,14 +28,14 @@
 27,Test-MailTipsEnabled.ps1,6.5.2,Ensure MailTips are enabled for end users,E3,L2,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
 28,Test-RestrictStorageProvidersOutlook.ps1,6.5.3,Ensure additional storage providers are restricted in Outlook on the web,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,EXO
 29,Test-ModernAuthSharePoint.ps1,7.2.1,Modern Authentication for SharePoint Applications,E3,L1,3.1,Encrypt Sensitive Data in Transit,FALSE,TRUE,TRUE,TRUE,SPO
-30,Test-SharePointAADB2B.ps1,7.2.2,Ensure reauthentication with verification code is restricted,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
-31,Test-RestrictExternalSharing.ps1,7.2.3,Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled,E3,L1,0,Explicitly Not Mapped,TRUE,TRUE,TRUE,TRUE,SPO
-32,Test-OneDriveContentRestrictions.ps1,7.2.4,Ensure external content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
-33,Test-SharePointGuestsItemSharing.ps1,7.2.5,Ensure OneDrive content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
-34,Test-SharePointExternalSharingDomains.ps1,7.2.6,Ensure that SharePoint guest users cannot share items they don't own,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
-35,Test-LinkSharingRestrictions.ps1,7.2.7,Ensure SharePoint external sharing is managed through domain whitelist/blacklists,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
-36,Test-GuestAccessExpiration.ps1,7.2.9,Ensure link sharing is restricted in SharePoint and OneDrive,E3,L1,3.3,Configure Data Access Control Lists,FALSE,FALSE,FALSE,TRUE,SPO
-37,Test-ReauthWithCode.ps1,7.2.10,Ensure guest access to a site or OneDrive will expire automatically,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
+30,Test-SharePointAADB2B.ps1,7.2.2,Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
+31,Test-RestrictExternalSharing.ps1,7.2.3,Ensure external content sharing is restricted,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
+32,Test-OneDriveContentRestrictions.ps1,7.2.4,Ensure OneDrive content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
+33,Test-SharePointGuestsItemSharing.ps1,7.2.5,Ensure that SharePoint guest users cannot share items they don't own,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
+34,Test-SharePointExternalSharingDomains.ps1,7.2.6,Ensure SharePoint external sharing is managed through domain whitelist/blacklists,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
+35,Test-LinkSharingRestrictions.ps1,7.2.7,Ensure link sharing is restricted in SharePoint and OneDrive,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
+36,Test-GuestAccessExpiration.ps1,7.2.9,Ensure guest access to a site or OneDrive will expire automatically,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
+37,Test-ReauthWithCode.ps1,7.2.10,Ensure reauthentication with verification code is restricted,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
 38,Test-DisallowInfectedFilesDownload.ps1,7.3.1,Ensure Office 365 SharePoint infected files are disallowed for download,E5,L2,10.1,Deploy and Maintain Anti-Malware Software,TRUE,TRUE,TRUE,TRUE,SPO
 39,Test-OneDriveSyncRestrictions.ps1,7.3.2,Ensure OneDrive sync is restricted for unmanaged devices,E3,L2,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
 40,Test-RestrictCustomScripts.ps1,7.3.4,Ensure custom script execution is restricted on site collections,E3,L1,2.7,Allowlist Authorized Scripts,FALSE,FALSE,TRUE,TRUE,SPO

source/tests/Test-AntiPhishingPolicy.ps1

@@ -12,15 +12,31 @@ function Test-AntiPhishingPolicy {
         # Initialization code, if needed
         #$auditResults = @()
         $recnum = "2.1.7"
+
+        <#
+        Conditions for 2.1.7 (L1) Ensure that an anti-phishing policy has been created
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: Verify that an anti-phishing policy exists in the Microsoft 365 Security Center.
+          - Condition B: Using PowerShell, ensure the anti-phishing policy is configured with appropriate settings such as enabling impersonation protection and spoof intelligence.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: No anti-phishing policy exists in the Microsoft 365 Security Center.
+          - Condition B: Using PowerShell, the anti-phishing policy is not configured with the required settings.
+        #>
     }
 
     process {
 
         try {
-            # 2.1.7 Ensure that an anti-phishing policy has been created
-
-            # Retrieve and validate the anti-phishing policies
+            # Condition A: Ensure that an anti-phishing policy has been created
             $antiPhishPolicies = Get-AntiPhishPolicy
+
+            # Condition B: Verify the anti-phishing policy settings using PowerShell
             $validatedPolicies = $antiPhishPolicies | Where-Object {
                 $_.Enabled -eq $true -and
                 $_.PhishThresholdLevel -ge 2 -and

source/tests/Test-AuditDisabledFalse.ps1

@@ -9,32 +9,48 @@ function Test-AuditDisabledFalse {
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
+        # Conditions for 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: The `AuditDisabled` organizational setting is set to `False` in the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `False`.
+        #   - Condition C: Ensure mailbox auditing is enabled by default at the organizational level.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: The `AuditDisabled` organizational setting is set to `True` in the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `True`.
+        #   - Condition C: Mailbox auditing is not enabled by default at the organizational level.
+
         # Initialization code, if needed
         $recnum = "6.1.1"
     }
 
     process {
-
         try {
             # 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
 
-            # Retrieve the AuditDisabled configuration
+            # Retrieve the AuditDisabled configuration (Condition B)
             $auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
             $auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
 
             # Prepare failure reasons and details based on compliance
             $failureReasons = if (-not $auditNotDisabled) {
-                "AuditDisabled is set to True"
+                "AuditDisabled is set to True"  # Condition A Fail
             }
             else {
                 "N/A"
             }
 
             $details = if ($auditNotDisabled) {
-                "Audit is not disabled organizationally"
+                "Audit is not disabled organizationally"  # Condition C Pass
             }
             else {
-                "Audit is disabled organizationally"
+                "Audit is disabled organizationally"  # Condition C Fail
             }
 
             # Create and populate the CISAuditResult object

source/tests/Test-AuditLogSearch.ps1

@@ -11,6 +11,24 @@ function Test-AuditLogSearch {
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
         $recnum = "3.1.1"
+
+        <#
+        Conditions for 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+            - Condition A: Audit log search is enabled in the Microsoft Purview compliance portal.
+            - Condition B: The audit log retains user and admin activity for 90 days.
+            - Condition C: Audit log search capabilities are functional (search results are displayed for activities within the past 30 days).
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+            - Condition A: Audit log search is not enabled in the Microsoft Purview compliance portal.
+            - Condition B: The audit log does not retain user and admin activity for 90 days.
+            - Condition C: Audit log search capabilities are non-functional (no search results are displayed for activities within the past 30 days).
+        #>
     }
 
     process {
@@ -24,13 +42,15 @@ function Test-AuditLogSearch {
 
             # Prepare failure reasons and details based on compliance
             $failureReasons = if (-not $auditLogResult) {
+                # Condition A (Fail): Audit log search is not enabled in the Microsoft Purview compliance portal
                 "Audit log search is not enabled"
             }
             else {
                 "N/A"
             }
 
             $details = if ($auditLogResult) {
+                # Condition A (Pass): Audit log search is enabled in the Microsoft Purview compliance portal
                 "UnifiedAuditLogIngestionEnabled: True"
             }
             else {

source/tests/Test-BlockChannelEmails.ps1

@@ -16,36 +16,50 @@ function Test-BlockChannelEmails {
     process {
 
         try {
-        # 8.1.2 (L1) Ensure users can't send emails to a channel email address
+            # 8.1.2 (L1) Ensure users can't send emails to a channel email address
+            #
+            # Validate test for a pass:
+            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowEmailIntoChannel` setting in Teams is set to `False`.
+            #   - Condition B: The setting `Users can send emails to a channel email address` is set to `Off` in the Teams admin center.
+            #   - Condition C: Verification using PowerShell confirms that the `AllowEmailIntoChannel` setting is disabled.
+            #
+            # Validate test for a fail:
+            # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+            # - Specific conditions to check:
+            #   - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`.
+            #   - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
+            #   - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
 
-        # Retrieve Teams client configuration
-        $teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
-        $allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel
+            # Retrieve Teams client configuration
+            $teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
+            $allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel
 
-        # Prepare failure reasons and details based on compliance
-        $failureReasons = if ($allowEmailIntoChannel) {
-            "Emails can be sent to a channel email address"
-        }
-        else {
-            "N/A"
-        }
+            # Prepare failure reasons and details based on compliance
+            $failureReasons = if ($allowEmailIntoChannel) {
+                "Emails can be sent to a channel email address" # Condition A Fail: AllowEmailIntoChannel is True
+            }
+            else {
+                "N/A" # Condition A Pass: AllowEmailIntoChannel is False
+            }
 
-        $details = if ($allowEmailIntoChannel) {
-            "AllowEmailIntoChannel is set to True"
-        }
-        else {
-            "AllowEmailIntoChannel is set to False"
-        }
+            $details = if ($allowEmailIntoChannel) {
+                "AllowEmailIntoChannel is set to True" # Condition B Fail: Emails are allowed
+            }
+            else {
+                "AllowEmailIntoChannel is set to False" # Condition B Pass: Emails are blocked
+            }
 
-        # Create and populate the CISAuditResult object
-        $params = @{
-            Rec            = $recnum
-            Result         = -not $allowEmailIntoChannel
-            Status         = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" }
-            Details        = $details
-            FailureReason  = $failureReasons
-        }
-        $auditResult = Initialize-CISAuditResult @params
+            # Create and populate the CISAuditResult object
+            $params = @{
+                Rec            = $recnum
+                Result         = -not $allowEmailIntoChannel
+                Status         = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" }
+                Details        = $details
+                FailureReason  = $failureReasons
+            }
+            $auditResult = Initialize-CISAuditResult @params
         }
         catch {
             Write-Error "An error occurred during the test: $_"

source/tests/Test-BlockMailForwarding.ps1

@@ -10,6 +10,24 @@ function Test-BlockMailForwarding {
         #. .\source\Classes\CISAuditResult.ps1
         # Initialization code, if needed
         $recnum = "6.2.1"
+
+        <#
+        Conditions for 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
+
+        Validate test for a pass:
+        - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        - Specific conditions to check:
+          - Condition A: Transport rules do not forward email to external domains.
+          - Condition B: Anti-spam outbound policy is configured to disable automatic email forwarding to external domains.
+          - Condition C: No exceptions to the forwarding rules unless explicitly defined by organizational policy.
+
+        Validate test for a fail:
+        - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        - Specific conditions to check:
+          - Condition A: One or more transport rules forward email to external domains.
+          - Condition B: Anti-spam outbound policy does not disable automatic email forwarding to external domains.
+          - Condition C: Unapproved exceptions to the forwarding rules are present.
+        #>
     }
 
     process {
@@ -34,6 +52,7 @@ function Test-BlockMailForwarding {
             $details = @()
 
             if ($transportRules.Count -gt 0) {
+                # Fail Condition A
                 $failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')"
                 $details += "Transport Rules Details:`nRule Name|Redirects To"
                 $details += $transportRules | ForEach-Object {
@@ -43,6 +62,7 @@ function Test-BlockMailForwarding {
             }
 
             if ($nonCompliantSpamPoliciesArray.Count -gt 0) {
+                # Fail Condition B
                 $failureReasons += "Outbound spam policies allowing automatic forwarding found."
                 $details += "Outbound Spam Policies Details:`nPolicy|AutoForwardingMode"
                 $details += $nonCompliantSpamPoliciesArray | ForEach-Object {

source/tests/Test-BlockSharedMailboxSignIn.ps1

@@ -2,47 +2,63 @@ function Test-BlockSharedMailboxSignIn {
     [CmdletBinding()]
     [OutputType([CISAuditResult])]
     param (
-        # Aligned
         # Parameters can be added if needed
     )
 
     begin {
         # Dot source the class script if necessary
         #. .\source\Classes\CISAuditResult.ps1
+
         # Initialization code, if needed
         $recnum = "1.2.2"
+
+        # Conditions for 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
+        #
+        # Validate test for a pass:
+        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+        # - Specific conditions to check:
+        #   - Condition A: No shared mailboxes have the "Sign-in blocked" option disabled in the properties pane on the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AccountEnabled` property for all shared mailboxes is set to `False`.
+        #
+        # Validate test for a fail:
+        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+        # - Specific conditions to check:
+        #   - Condition A: One or more shared mailboxes have the "Sign-in blocked" option enabled in the properties pane on the Microsoft 365 admin center.
+        #   - Condition B: Using PowerShell, the `AccountEnabled` property for one or more shared mailboxes is set to `True`.
     }
 
     process {
-
         try {
-            # 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
-
-            # Retrieve shared mailbox details
+            # Step: Retrieve shared mailbox details
             $MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox
+
+            # Step: Retrieve details of shared mailboxes from Azure AD (Condition B: Pass/Fail)
             $sharedMailboxDetails = $MBX | ForEach-Object { Get-AzureADUser -ObjectId $_.ExternalDirectoryObjectId }
+
+            # Step: Identify enabled mailboxes (Condition B: Pass/Fail)
             $enabledMailboxes = $sharedMailboxDetails | Where-Object { $_.AccountEnabled } | ForEach-Object { $_.DisplayName }
             $allBlocked = $enabledMailboxes.Count -eq 0
 
-            # Prepare failure reasons and details based on compliance
+            # Step: Determine failure reasons based on enabled mailboxes (Condition A & B: Fail)
             $failureReasons = if (-not $allBlocked) {
                 "Some mailboxes have sign-in enabled: $($enabledMailboxes -join ', ')"
             }
             else {
                 "N/A"
             }
 
+            # Step: Prepare details for the audit result (Condition A & B: Pass/Fail)
             $details = if ($allBlocked) {
                 "All shared mailboxes have sign-in blocked."
             }
             else {
                 "Enabled Mailboxes: $($enabledMailboxes -join ', ')"
             }
 
-            # Create and populate the CISAuditResult object
+            # Step: Create and populate the CISAuditResult object
             $params = @{
                 Rec           = $recnum
-                Result        = $allBlocked
+                Result        = $allBlocked  # Pass: Condition A, Condition B
                 Status        = if ($allBlocked) { "Pass" } else { "Fail" }
                 Details       = $details
                 FailureReason = $failureReasons