Implement MS.AAD.7.2v1 Policy to check Secure Score (#453)
* Initial drop of secure baseline automation (#336)

* initial teams drop

* Add markdown check

* Fix spelling

* Check action

* Test Action

* Check version

* Fix Markdown test

* Add path *.md

* Update anchor func

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* initial teams drop

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* initial teams drop

* Update AAD

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>

* Fix UT errors

* Default baseline for testing

* Updates based on review comments

* Call Import-SecureBaseline once

* Update for review comments

* Review updates

* Add help comment

* remove unused import

* Fix OPA check issues

* fix opa tests action

* Update action to test

* Action update

* Sum PS/Bug as Errors

* Update darkmode colors

* Fix UT after Rebase

* Fix UT

* Fix error log

* Update UT for NewReport

* Update link color

---------

Co-authored-by: Andrew Huynh <113476170+ahuynhMITRE@users.noreply.github.com>
Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>
Co-authored-by: Sloane4 <cdiaz@mitre.org>

* Updates to ExportAADProvider

* Updates to ExportAADProvider

* Revert changes to AADConfig.reg

* Updates to aad 7.2v1

* Updates to ExportAADProvider

* Updates to ExportAADProvider

* Update to AAD 7.2 Rego Unit Test

* Fixes to aad 7.2 rego unit tests

* Updates to AADConfig_07_test.rego

* Removed TODO comment in RequiredVersions.ps1

* Minor updates to AAD Rego

---------

Co-authored-by: Richard Crutchfield <crutchfield@users.noreply.github.com>
Co-authored-by: Andrew Huynh <113476170+ahuynhMITRE@users.noreply.github.com>
Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com>
Co-authored-by: Sloane4 <cdiaz@mitre.org>
5 people committed Sep 1, 2023
1 parent 9da44c1 commit dd43453
Showing 10 changed files with 904 additions and 1,243 deletions.
10 changes: 5 additions & 5 deletions .github/workflows/run_markdown_check.yaml
@@ -1,11 +1,11 @@
on:
on:
workflow_dispatch:
pull_request:
types: [opened, reopened]
branches:
- "main"
- "main"
pull_request_review:
types: [submitted]
types: [submitted]
push:
branches:
- "main"
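Review bot: the paired identical lines in this hunk (`on:` twice, `- "main"` twice, `types: [submitted]` twice) show that the change is indentation-only, which is worth saying in the commit message because the "5 additions & 5 deletions" summary otherwise reads as a trigger change. One functional point on the visible trigger block: `pull_request:` with `types: [opened, reopened]` means the markdown check does not re-run when further commits are pushed to an already-open PR; adding `synchronize` to that list keeps the check result current with the branch being reviewed.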
@@ -14,13 +14,13 @@ on:
- "baselines/*.md"

name: Markdown Check

jobs:
Run-Markdown-Check:
runs-on: windows-latest
defaults:
run:
shell: powershell
shell: powershell
permissions:
contents: read
steps:
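Review bot: keep the `permissions:` block with `contents: read`; that is the right minimal scope for a job that only lints markdown, and it prevents the workflow token from being usable for writes if a step is ever compromised. The repeated `shell: powershell` line again indicates an indentation-only change here, so nothing in the job definition itself changed.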
18 changes: 9 additions & 9 deletions PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
@@ -12,13 +12,11 @@ function Export-AADProvider {
$Tracker = Get-CommandTracker

# The below cmdlet covers the following baselines
# - 1.1
# - 2.1
# - 2.2
# - 2.3 First Policy bullet
# - 2.4 First Policy bullet
# - 2.9
# - 2.10
# - 2.17 first part
# - 3.1
# - 4.2
# - 3.7
$AllPolicies = $Tracker.TryCommand("Get-MgIdentityConditionalAccessPolicy")

Import-Module $PSScriptRoot/ProviderHelpers/AADConditionalAccessHelper.psm1
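Review bot: the baseline list in the comment above `Get-MgIdentityConditionalAccessPolicy` still uses the old numbering (`2.1`, `2.3 First Policy bullet`, `2.17 first part`, `3.7`) while the next hunk in this same file already switches its comments to the newer `5.1, 5.2, 8.1 & 8.3` style; since this hunk is already trimming that list (13 lines become 11), this is the moment to rewrite it with the `MS.AAD.x.yv1` policy identifiers so the comment matches the Rego policy ids it is meant to document.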
@@ -91,13 +89,14 @@ function Export-AADProvider {
}
$ServicePlans = ConvertTo-Json -Depth 3 @($ServicePlans)

# 2.6, 2.7, & 2.18 1st/3rd Policy Bullets
# 5.1, 5.2, 8.1 & 8.3
$AuthZPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAuthorizationPolicy"))
$SecureScore = ConvertTo-Json -Depth 2 @($Tracker.TryCommand("Get-MgSecuritySecureScore", @{"Top"=1}).ControlScores | Where-Object {$_.ControlName -eq 'RoleOverlap'})

# 2.7 third bullet
# 5.4
$DirectorySettings = ConvertTo-Json -Depth 10 @($Tracker.TryCommand("Get-MgDirectorySetting"))

# 2.7 Policy Bullet 2]
# 5.3
$AdminConsentReqPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAdminConsentRequestPolicy"))

# Read the properties and relationships of an authentication method policy
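Review bot: the comment above the new `$SecureScore` line still reads `# 5.1, 5.2, 8.1 & 8.3` and does not mention MS.AAD.7.2v1, the policy this data is collected for; add it so the comment stays a reliable index. On the line itself, `@{"Top"=1}` fetches a single secure score record and `Where-Object {$_.ControlName -eq 'RoleOverlap'}` filters its `ControlScores`; if `TryCommand` fails or that control is not present in the record, the result is an empty array and `$SecureScore` serializes to `[]`, so the consuming Rego needs an explicit branch for that case rather than relying on iteration over a non-empty list. Also note that `-Depth 2` is shallower than the `-Depth 3` and `-Depth 10` used for the neighbouring exports; if any nested property of the control score is needed later it will be flattened to a string at that depth.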
@@ -111,6 +110,7 @@ function Export-AADProvider {
"conditional_access_policies": $AllPolicies,
"cap_table_data": $CapTableData,
"authorization_policies": $AuthZPolicies,
"secure_score": $SecureScore,
"admin_consent_policies": $AdminConsentReqPolicies,
"privileged_users": $PrivilegedUsers,
"privileged_roles": $PrivilegedRoles,
5 changes: 5 additions & 0 deletions PowerShell/ScubaGear/RequiredVersions.ps1
@@ -85,6 +85,11 @@ $ModuleList = @(
ModuleVersion = [version] '1.14.0'
MaximumVersion = [version] '1.99.99999'
},
@{
ModuleName = 'Microsoft.Graph.Security'
ModuleVersion = [version] '1.14.0'
MaximumVersion = [version] '1.99.99999'
},
@{
ModuleName = 'Microsoft.Graph.Teams' #TODO: Verify is needed
ModuleVersion = [version] '1.14.0'
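Review bot: the `#TODO: Verify is needed` comment on `Microsoft.Graph.Teams` is still present in the context lines even though the commit message says a TODO comment was removed from RequiredVersions.ps1; either that removal lives in a hunk not shown here or it was missed, and it should be confirmed. The new `Microsoft.Graph.Security` entry follows the neighbouring pin pattern (`1.14.0` minimum, `1.99.99999` maximum), which keeps the dependency on the 1.x SDK line alongside the other Graph modules; `Get-MgSecuritySecureScore`, used in ExportAADProvider.psm1 in this commit, ships in that module, so the added requirement is justified.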
24 changes: 13 additions & 11 deletions Rego/AADConfig.rego
@@ -705,22 +705,24 @@ tests[{
}
#--

#
# MS.AAD.7.2v1
#--
# At this time we are unable to test for user association to fine-grained privileged roles
# rather than Global Administrator due to runtime and data response size constraints
# Check for secure score value for RoleOverlap Control Category
# Requirements is met if score is equal to 1 (100%) and fails if it is less than 1
#--

tests[{
"PolicyId" : PolicyId,
"Criticality" : "Shall/Not-Implemented",
"Commandlet" : [],
"ActualValue" : [],
"ReportDetails" : NotCheckedDetails(PolicyId),
"RequirementMet" : false
"PolicyId" : "MS.AAD.7.2v1",
"Criticality" : "Shall",
"Commandlet" : ["Get-MgSecuritySecureScore"],
"ActualValue" : SecureScorePolicy,
"ReportDetails" : ReportDetailsBoolean(Status),
"RequirementMet" : Status
}] {
PolicyId := "MS.AAD.7.2v1"
true
SecureScorePolicy := input.secure_score[_]
Status := SecureScorePolicy.Score == 1.0
}

#--

#
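Review bot: `SecureScorePolicy := input.secure_score[_]` produces one test result per array element and none at all when the array is empty, so a tenant where the provider's `RoleOverlap` filter matched nothing (or where `Get-MgSecuritySecureScore` failed and `TryCommand` returned an empty list) silently drops MS.AAD.7.2v1 from the report instead of showing it as failed or not checked; add a second rule guarded by `count(input.secure_score) == 0` that emits a result with `"RequirementMet" : false` and a report detail explaining that the score was unavailable. Second, `Status := SecureScorePolicy.Score == 1.0` hard-codes the pass threshold: the comment asserts that a score of 1 means 100%, but the hunk does not show the control's maximum score being read, so if the API reports points rather than a fraction this comparison will never pass; comparing `Score` against the control's maximum, or documenting in the comment why 1.0 is the ceiling for this control, would make the intent verifiable. Minor: `Requirements is met` in the comment should read `Requirement is met`.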

0 comments on commit dd43453
