Substantiative changes to Sharepoint Baseline minus Rationale (#360)

* Structural baseline updates (cleaned up) (#334) --------- * Split policies for testing purposes * Addition for github issue: Add a new SharePoint Guest sign in Policy #307 * Updated for github issue: Direct the user to save in policy implementation SharePoint #301 * Initial drop of secure baseline automation (#336) * initial teams drop * Add markdown check * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * initial teams drop * Update AAD * WIP * WIP * WIP * WIP * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * initial teams drop * Update AAD * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Fix UT errors * Default baseline for testing * Updates based on review comments * Call Import-SecureBaseline once * Update for review comments * Review updates * Add help comment * remove unused import * Fix OPA check issues * fix opa tests action * Update action to test * Action update * Sum PS/Bug as Errors * Update darkmode colors * Fix UT after Rebase * Fix UT * Fix error log * Update UT for NewReport * Update link color --------- Co-authored-by: Andrew Huynh <113476170+ahuynhMITRE@users.noreply.github.com> Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> Co-authored-by: Sloane4 <cdiaz@mitre.org> * Update for github issue Sharepoint 2.3 Sharing settings cannot be more restrictive than the tenant level #288 * Updat for github issue Update SharePoint Policy 2.4 Code #300 * Additional changes for #288 * Update with correct implementations * Update for github issue #303 * Added some rational & fixed policy numbers * Split policy 5 to improve setting check & report. * Updated for duplicates with onedrive * Add resource for details about reauthentication github issue #299 * Removed Should & Shall from intro paragraphs. * Split implementation for each policy item * Updated code to match baseline TODO Unit tests * Updated unit tests * Fixed policy 4 * Update commandlet for MS.SHAREPOINT.5.2v1 * Updated content style guide for new rego structure * Readded comments to MS.SHAREPOINT.5.2v1 * Baseline updated with requested fixes (addam) * Move updates to content style guide to new branch (not part of current scope) * Update ErrMsg for MS.SHAREPOINT.4 to be more readable --------- Co-authored-by: Andrew Huynh <113476170+ahuynhMITRE@users.noreply.github.com> Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> Co-authored-by: Richard Crutchfield <crutchfield@users.noreply.github.com>
cisagov · Jul 21, 2023 · 0c18dc3 · 0c18dc3
1 parent 0ee5add
commit 0c18dc3
Show file tree

Hide file tree

Showing 10 changed files with 2,833 additions and 2,864 deletions.
diff --git a/Rego/SharepointConfig.rego b/Rego/SharepointConfig.rego
@@ -2,96 +2,123 @@ package sharepoint
 import future.keywords
 import data.report.utils.NotCheckedDetails
 import data.report.utils.ReportDetailsBoolean
+import data.report.utils.ReportDetailsString
+
+###################
+# MS.SHAREPOINT.1 #
+###################
 
 #
 # MS.SHAREPOINT.1.1v1
 #--
+
+# SharingCapability == 0 Only People In Organization
+# SharingCapability == 3 Existing Guests
+# SharingCapability == 1 New and Existing Guests
+# SharingCapability == 2 Anyone
+
 tests[{
     "PolicyId" : "MS.SHAREPOINT.1.1v1",
-    "Criticality" : "Shall",
+    "Criticality" : "Should",
     "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"],
-    "ActualValue" : Policy.DefaultSharingLinkType,
+    "ActualValue" : [Policy.SharingCapability],
     "ReportDetails" : ReportDetailsBoolean(Status),
     "RequirementMet" : Status
 }] {
     Policy := input.SPO_tenant[_]
-    Status := Policy.DefaultSharingLinkType == 1
+    Conditions := [Policy.SharingCapability == 0, Policy.SharingCapability == 3]
+    Status := count([Condition | Condition = Conditions[_]; Condition == true]) == 1
 }
 #--
+
 #
 # MS.SHAREPOINT.1.2v1
 #--
+
+# SharingDomainRestrictionMode == 0 Unchecked
+# SharingDomainRestrictionMode == 1 Checked
+# SharingAllowedDomainList == "domains" Domain list
+
+tests[{
+    "PolicyId" : "MS.SHAREPOINT.1.2v1",
+    "Criticality" : "Should",
+    "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"],
+    "ActualValue" : [Policy.SharingDomainRestrictionMode],
+    "ReportDetails" : ReportDetailsBoolean(Status),
+    "RequirementMet" : Status
+}] {
+    Policy := input.SPO_tenant[_]
+    Status := Policy.SharingDomainRestrictionMode == 1
+}
+#--
+
+#
+# MS.SHAREPOINT.1.3v1
+#--
+# At this time we are unable to test for approved security groups
+# because we have yet to find the setting to check
 tests[{
     "PolicyId" : PolicyId,
-    "Criticality" : "Shall/Not-Implemented",
+    "Criticality" : "Should/Not-Implemented",
     "Commandlet" : [],
     "ActualValue" : [],
     "ReportDetails" : NotCheckedDetails(PolicyId),
     "RequirementMet" : false
 }] {
-    PolicyId := "MS.SHAREPOINT.1.2v1"
+    PolicyId := "MS.SHAREPOINT.1.3v1"
     true
 }
 #--
 
 #
-# MS.SHAREPOINT.1.3v1
+# MS.SHAREPOINT.1.4v1
 #--
 tests[{
-    "PolicyId" : "MS.SHAREPOINT.1.3v1",
+    "PolicyId" : "MS.SHAREPOINT.1.4v1",
     "Criticality" : "Should",
     "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"],
-    "ActualValue" : Policy.SharingCapability,
+    "ActualValue" : [Policy.RequireAcceptingAccountMatchInvitedAccount],
     "ReportDetails" : ReportDetailsBoolean(Status),
     "RequirementMet" : Status
 }] {
     Policy := input.SPO_tenant[_]
-    Status := Policy.SharingCapability != 2
+    Status := Policy.RequireAcceptingAccountMatchInvitedAccount == true
 }
 #--
 
-#
-# Baseline 2.2: Policy 2
-#--
-#tests[{
-#    "Requirement" : "External sharing SHOULD be limited to approved domains and security groups per interagency collaboration needs",
-#    "Control" : "Sharepoint 2.2",
-#    "Criticality" : "Should",
-#    "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"],
-#    "ActualValue" : Policy.SharingDomainRestrictionMode,
-#    "ReportDetails" : ReportDetailsBoolean(Status),
-#    "RequirementMet" : Status
-#}] {
-#    Policy := input.SPO_tenant[_]
-#    Status := Policy.SharingDomainRestrictionMode == 1
-#}
-#--
+###################
+# MS.SHAREPOINT.2 #
+###################
 
 #
-# Baseline 2.2: Policy 3
+# MS.SHAREPOINT.2.1v1
 #--
-#tests[{
-#    "Requirement" : "External sharing SHOULD be limited to approved domains and security groups per interagency collaboration needs",
-#    "Control" : "Sharepoint 2.2",
-#    "Criticality" : "Should",
-#    "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"],
-#    "ActualValue" : [Policy.SharingCapability, Policy.SharingDomainRestrictionMode],
-#    "ReportDetails" : ReportDetails2_2(Policy),
-#    "RequirementMet" : Status
-#}] {
-#    Policy := input.SPO_tenant[_]
-    # TODO: Missing Allow only users in specific security groups to share externally
-#}
+
+# DefaultSharingLinkType == 1 for Specific People
+# DefaultSharingLinkType == 2 for Only people in your organization
+
+tests[{
+    "PolicyId" : "MS.SHAREPOINT.2.1v1",
+    "Criticality" : "Shall",
+    "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"],
+    "ActualValue" : [Policy.DefaultSharingLinkType],
+    "ReportDetails" : ReportDetailsBoolean(Status),
+    "RequirementMet" : Status
+}] {
+    Policy := input.SPO_tenant[_]
+    Status := Policy.DefaultSharingLinkType == 1
+}
 #--
 
-################
-# Baseline 2.3 #
-################
+###################
+# MS.SHAREPOINT.3 #
+###################
 
 #
-# MS.SHAREPOINT.2.1v1
+# MS.SHAREPOINT.3.1v1
 #--
-# At this time we are unable to test for X because of Y
+# At this time we are unable to test for sharing settings of specific SharePoint sites
+# because we have yet to find the setting to check
 tests[{
     "PolicyId" : PolicyId,
     "Criticality" : "Should/Not-Implemented",
@@ -100,158 +127,159 @@ tests[{
     "ReportDetails" : NotCheckedDetails(PolicyId),
     "RequirementMet" : false
 }] {
-    PolicyId := "MS.SHAREPOINT.2.1v1"
+    PolicyId := "MS.SHAREPOINT.3.1v1"
     true
 }
 #--
 
+###################
+# MS.SHAREPOINT.4 #
+###################
+
 #
-# MS.SHAREPOINT.3.1v1
+# MS.SHAREPOINT.4.1v1
 #--
-ReportDetails2_4_1(Policy) = Description if {
+ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability == 0
-	Description := "Requirement met"
+    ErrMsg := ""
+    Status := true
 }
 
-ReportDetails2_4_1(Policy) = Description if {
+ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability != 0
     Policy.ExternalUserExpirationRequired == true
-    Policy.ExternalUserExpireInDays == 30
-	Description := "Requirement met"
+    Policy.ExternalUserExpireInDays <= 30
+    ErrMsg := ""
+    Status := true
 }
 
-ReportDetails2_4_1(Policy) = Description if {
+ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability != 0
     Policy.ExternalUserExpirationRequired == false
-    Policy.ExternalUserExpireInDays == 30
-	Description := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT enabled"
+    Policy.ExternalUserExpireInDays <= 30
+    ErrMsg := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT enabled"
+    Status := false
 }
 
-ReportDetails2_4_1(Policy) = Description if {
+ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability != 0
     Policy.ExternalUserExpirationRequired == true
-    Policy.ExternalUserExpireInDays != 30
-	Description := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT set to 30 days"
+    Policy.ExternalUserExpireInDays > 30
+    ErrMsg := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT set to 30 days or less"
+    Status := false
 }
 
-ReportDetails2_4_1(Policy) = Description if {
+ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability != 0
     Policy.ExternalUserExpirationRequired == false
-    Policy.ExternalUserExpireInDays != 30
-	Description := "Requirement not met"
+    Policy.ExternalUserExpireInDays > 30
+    ErrMsg := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT enabled and set to greater 30 days"
+    Status := false
 }
-
 tests[{
-    "PolicyId" : "MS.SHAREPOINT.3.1v1",
+    "PolicyId" : "MS.SHAREPOINT.4.1v1",
     "Criticality" : "Should",
     "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"],
     "ActualValue" : [Policy.SharingCapability, Policy.ExternalUserExpirationRequired, Policy.ExternalUserExpireInDays],
-    "ReportDetails" : ReportDetails2_4_1(Policy),
+    "ReportDetails" : ReportDetailsString(Status, ErrMsg),
     "RequirementMet" : Status
 }] {
     Policy := input.SPO_tenant[_]
-
-    # Role policy requires assignment expiration, but maximum duration is 30 days
-    Conditions1 := [Policy.ExternalUserExpirationRequired == true, Policy.ExternalUserExpireInDays == 30]
-    Case := count([Condition | Condition = Conditions1[_]; Condition == false]) == 0
-
-    # Filter: only include rules that meet one of the two cases
-    Conditions2 := [Policy.SharingCapability == 0, Case]
-    Status := count([Condition | Condition = Conditions2[_]; Condition == true]) > 0
+    [ErrMsg, Status] := ExpirationTimersGuestAccess(Policy)
 }
 #--
 
-# TODO: Resolve Policy Id
-# Baseline 2.4: Policy 2
+#
+# MS.SHAREPOINT.4.2v1
 #--
-ReportDetails2_4_2(Policy) = Description if {
+ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability == 0
-	Description := "Requirement met"
+    ErrMsg := ""
+    Status := true
 }
 
-ReportDetails2_4_2(Policy) = Description if {
+ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability != 0
     Policy.EmailAttestationRequired == true
-    Policy.EmailAttestationReAuthDays == 30
-	Description := "Requirement met"
+    Policy.EmailAttestationReAuthDays <= 30
+    ErrMsg := ""
+    Status := true
 }
 
-ReportDetails2_4_2(Policy) = Description if {
+ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability != 0
     Policy.EmailAttestationRequired == false
-    Policy.EmailAttestationReAuthDays == 30
-	Description := "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled"
+    Policy.EmailAttestationReAuthDays <= 30
+    ErrMsg := "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled"
+    Status := false
 }
 
-ReportDetails2_4_2(Policy) = Description if {
+ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability != 0
     Policy.EmailAttestationRequired == true
-    Policy.EmailAttestationReAuthDays != 30
-	Description := "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days"
+    Policy.EmailAttestationReAuthDays > 30
+    ErrMsg := "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days"
+    Status := false
 }
 
-ReportDetails2_4_2(Policy) = Description if {
+ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if {
     Policy.SharingCapability != 0
     Policy.EmailAttestationRequired == false
-    Policy.EmailAttestationReAuthDays != 30
-	Description := "Requirement not met"
+    Policy.EmailAttestationReAuthDays > 30
+    ErrMsg := "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled and set to greater 30 days"
+    Status := false
 }
-
 tests[{
-    "Requirement" : "Expiration timer for 'People who use a verification code' should be set to 30 days",
-    "Control" : "Sharepoint 2.4",
+    "PolicyId" : "MS.SHAREPOINT.4.2v1",
     "Criticality" : "Should",
     "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"],
     "ActualValue" : [Policy.SharingCapability, Policy.EmailAttestationRequired, Policy.EmailAttestationReAuthDays],
-    "ReportDetails" : ReportDetails2_4_2(Policy),
+    "ReportDetails" : ReportDetailsString(Status, ErrMsg),
     "RequirementMet" : Status
 }] {
     Policy := input.SPO_tenant[_]
-
-    # Role policy requires assignment expiration, but maximum duration is 30 days
-    Conditions1 := [Policy.EmailAttestationRequired == true, Policy.EmailAttestationReAuthDays == 30]
-    Case := count([Condition | Condition = Conditions1[_]; Condition == false]) == 0
-
-    # Filter: only include rules that meet one of the two cases
-    Conditions2 := [Policy.SharingCapability == 0, Case]
-    Status := count([Condition | Condition = Conditions2[_]; Condition == true]) > 0
+    [ErrMsg, Status] := ExpirationTimersVerificationCode(Policy)
 }
 #--
 
-# TODO: Resolve Policy Id
-# Baseline 2.5: Policy 1
+###################
+# MS.SHAREPOINT.5 #
+###################
+
+#
+# MS.SHAREPOINT.5.1v1
 #--
-# At this time we are unable to test for X because of Y
+# At this time we are unable to test for running custom scripts on personal sites
+# because we have yet to find the setting to check
 tests[{
-    "Requirement" : "Users SHALL be prevented from running custom scripts on personal sites (OneDrive)",
-    "Control" : "Sharepoint 2.5",
     "PolicyId" : PolicyId,
     "Criticality" : "Shall/Not-Implemented",
     "Commandlet" : [],
     "ActualValue" : [],
     "ReportDetails" : NotCheckedDetails(PolicyId),
     "RequirementMet" : false
 }] {
-    PolicyId := "MS.SHAREPOINT.TBD"
+    PolicyId := "MS.SHAREPOINT.5.1v1"
     true
 }
 #--
 
-# TODO: Resolve Policy Id
-# Baseline 2.5: Policy 2
+#
+# MS.SHAREPOINT.5.2v1
 #--
+
+# 1 == Allow users to run custom script on self-service created sites
+# 2 == Prevent users from running custom script on self-service created sites
+
 tests[{
-    "Requirement" : "Users SHALL be prevented from running custom scripts on self-service created sites",
-    "Control" : "Sharepoint 2.5",
+    "PolicyId" : "MS.SHAREPOINT.5.2v1",
     "Criticality" : "Shall",
     "Commandlet" : ["Get-SPOSite", "Get-PnPTenantSite"],
-    "ActualValue" : Policy.DenyAddAndCustomizePages,
+    "ActualValue" : [Policy.DenyAddAndCustomizePages],
     "ReportDetails" : ReportDetailsBoolean(Status),
     "RequirementMet" : Status
 }] {
     Policy := input.SPO_site[_]
-    # 1 == Allow users to run custom script on self-service created sites
-    # 2 == Prevent users from running custom script on self-service created sites
     Status := Policy.DenyAddAndCustomizePages == 2
 }
 #--