cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Using unsupported OPA version results in warning #1161

Closed grepcatman closed 2 weeks ago

grepcatman commented 3 months ago

🐛 Summary

On my inaugural run of ScubaGear, I followed the instructions. Initialize-Scuba ran OK except for a warning: "Unable to download OPA executable. To try manually downloading, see details in README under 'Download the required OPA executable'".

I then downloaded the most recent version of the OPA executable (opa_windows_amd64.exe), which was v0.65.0 and installed it, but Invoke-SCuBA failed on all modules. It did generate a folder properly, but only dropped one file: "ProviderSettingsExport.json". I then installed the older version of the OPA executable, version 64.1, and the reports were generated properly.

To reproduce

Steps to reproduce the behavior:

  1. Install-Module -Name ScubaGear
  2. Initialize-SCuBA
  3. Install OPA v0.65.0
  4. Invoke-SCuBA -OPAPath "C:\TEMP\" -outpath "c:\temp\"

Expected behavior

I expected a folder with a report for each individual report, plus the baseline report.

Any helpful log output or screenshots

PS C:\Windows\system32> # Install-Module -Name ScubaGear
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
PS C:\Windows\system32> Initialize-SCuBA
WARNING:
    The required supporting PowerShell modules are not installed with a supported version.
    Run Initialize-SCuBA to install all required dependencies.
    See Get-Help Initialize-SCuBA for more help.
Setting PSGallery repository to trusted.
PowerShellGet: 1.0.0.1 updated to version 2.2.5.    
Installed the latest acceptable version of MicrosoftTeams: 5.9.0.                                                                                 
ExchangeOnlineManagement: 3.3.0 updated to version 3.5.0.   
Installed the latest acceptable version of Microsoft.Online.SharePoint.PowerShell: 16.0.24322.12000.                                               
Installed the latest acceptable version of PnP.PowerShell: 1.12.0.                                                                                
Installed the latest acceptable version of Microsoft.PowerApps.Administration.PowerShell: 2.0.189.                                                
Installed the latest acceptable version of Microsoft.PowerApps.PowerShell: 1.0.40.                                                                 
Installed the latest acceptable version of Microsoft.Graph.Authentication: 2.15.0.                                                                 
Installed the latest acceptable version of Microsoft.Graph.Beta.Users: 2.15.0.                                                                     
Installed the latest acceptable version of Microsoft.Graph.Beta.Groups: 2.15.0.
Installed the latest acceptable version of Microsoft.Graph.Beta.Identity.DirectoryManagement: 2.15.0.
Installed the latest acceptable version of Microsoft.Graph.Beta.Identity.Governance: 2.15.0.
Installed the latest acceptable version of Microsoft.Graph.Beta.Identity.SignIns: 2.15.0.                                                          
Installed the latest acceptable version of powershell-yaml: 0.4.7.

    Directory: C:\Users\...\.scubagear

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/11/2024   1:16 PM                Tools

Unable to download OPA executable. To try manually downloading, see details in README under 'Download the required OPA executable'
DEBUG: ScubaGear setup time elapsed: 129 seconds.
PS C:\Windows\system32> Initialize-SCuBA
Setting PSGallery repository to trusted.                                                                                                           
DEBUG: PowerShellGet: 2.2.5 already has latest installed.                                                                                          
DEBUG: MicrosoftTeams: 5.9.0 already has latest installed.                                                                                         
DEBUG: ExchangeOnlineManagement: 3.5.0 already has latest installed.                                                                               
DEBUG: Microsoft.Online.SharePoint.PowerShell: 16.0.24322.12000 already has latest installed.                                                      
DEBUG: PnP.PowerShell: 1.12.0 already has latest installed.                                                                                        
DEBUG: Microsoft.PowerApps.Administration.PowerShell: 2.0.189 already has latest installed.                                                        
DEBUG: Microsoft.PowerApps.PowerShell: 1.0.40 already has latest installed.                                                                        
DEBUG: Microsoft.Graph.Authentication: 2.15.0 already has latest installed.                                                                        
DEBUG: Microsoft.Graph.Beta.Users: 2.15.0 already has latest installed.                                                                            
DEBUG: Microsoft.Graph.Beta.Groups: 2.15.0 already has latest installed.                                                                           
DEBUG: Microsoft.Graph.Beta.Identity.DirectoryManagement: 2.15.0 already has latest installed.                                                     
DEBUG: Microsoft.Graph.Beta.Identity.Governance: 2.15.0 already has latest installed.                                                              
DEBUG: Microsoft.Graph.Beta.Identity.SignIns: 2.15.0 already has latest installed.
DEBUG: powershell-yaml: 0.4.7 already has latest installed.
Unable to download OPA executable. To try manually downloading, see details in README under 'Download the required OPA executable'
DEBUG: ScubaGear setup time elapsed: 34 seconds.                                                                                                   
PS C:\Windows\system32> e:                                                                                                                        
PS E:\> cd .\Downloads\                                                                                                                            
PS E:\Downloads> .\opa_windows_amd64.exe version                                                                                                   
Version: 0.65.0                                                                                                                                   
Build Commit: f05497530d337dfd30dbd31851209d3a25c1cf95
Build Timestamp: 2024-05-30T14:54:05Z
Build Hostname: ae9da0bc1647
Go Version: go1.22.3
Platform: windows/amd64
WebAssembly: available
PS E:\Downloads> Invoke-SCuBA -OPAPath "C:\TEMP\" -outpath "c:\temp\"
Invoke-RunRego : Error with the AAD Rego invocation. See the exception message for more details:  Error calling the OPA executable: Invalid JSON
primitive: rrors occurred:
CreateFile \Program Files\WindowsPowerShell\Modules\ScubaGear\1.2.0\Rego\AADConfig.rego: The system cannot find the path specified.
CreateFile \Program Files\WindowsPowerShell\Modules\ScubaGear\1.2.0\Rego\Utils: The system cannot find the path specified.
.
At C:\Program Files\WindowsPowerShell\Modules\ScubaGear\1.2.0\Modules\Orchestrator.psm1:378 char:31
+             $ProdRegoFailed = Invoke-RunRego @RegoParams
+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-RunRego

WARNING: aad will be omitted from the output because of the failure above
Invoke-RunRego : Error with the Defender Rego invocation. See the exception message for more details:  Error calling the OPA executable: Invalid
JSON primitive: rrors occurred:
CreateFile \Program Files\WindowsPowerShell\Modules\ScubaGear\1.2.0\Rego\DefenderConfig.rego: The system cannot find the path specified.
CreateFile \Program Files\WindowsPowerShell\Modules\ScubaGear\1.2.0\Rego\Utils: The system cannot find the path specified.
.
At C:\Program Files\WindowsPowerShell\Modules\ScubaGear\1.2.0\Modules\Orchestrator.psm1:378 char:31
+             $ProdRegoFailed = Invoke-RunRego @RegoParams
+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-RunRego

WARNING: defender will be omitted from the output because of the failure above
Invoke-RunRego : Error with the EXO Rego invocation. See the exception message for more details:  Error calling the OPA executable: Invalid JSON
primitive: rrors occurred:
CreateFile \Program Files\WindowsPowerShell\Modules\ScubaGear\1.2.0\Rego\EXOConfig.rego: The system cannot find the path specified.
CreateFile \Program Files\WindowsPowerShell\Modules\ScubaGear\1.2.0\Rego\Utils: The system cannot find the path specified.
.
At C:\Program Files\WindowsPowerShell\Modules\ScubaGear\1.2.0\Modules\Orchestrator.psm1:378 char:31
+             $ProdRegoFailed = Invoke-RunRego @RegoParams
+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-RunRego

buidav commented 3 months ago

Thanks for opening an issue on this. Our latest supported OPA version is actually v0.64.1. There's a PR on the list (~#1132~ #1186) to take a look at v0.65 to see if there are issues and correct any found.

Note for the dev team here is to implement a warning message if the user is running an unsupported OPA version.
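
One way to implement the warning proposed in the comment above, as an added example that is not part of the thread or of ScubaGear's code. `Test-OpaVersionSupported` is a hypothetical helper; the executable name and the 0.64.1 ceiling are taken from this issue, and the parsing relies on the `Version:` line that `opa version` prints in the log above.

```powershell
# Added example: hypothetical helper, not part of ScubaGear.
function Test-OpaVersionSupported {
    [CmdletBinding()]
    param(
        # Folder containing the OPA executable, as passed to Invoke-SCuBA -OPAPath.
        [Parameter(Mandatory)]
        [string]$OPAPath,

        # File name from the issue report; adjust for other platforms.
        [string]$OPAExe = 'opa_windows_amd64.exe',

        # Latest supported version per the maintainer's comment in this thread.
        [version]$MaxSupported = '0.64.1'
    )

    $exe = Join-Path -Path $OPAPath -ChildPath $OPAExe
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        Write-Warning "OPA executable not found at $exe."
        return $false
    }

    # 'opa version' prints a 'Version: x.y.z' line, as in the log in this issue.
    $output = & $exe version 2>&1 | Out-String
    if ($output -notmatch '(?m)^Version:\s*(\d+\.\d+\.\d+)') {
        Write-Warning "Could not parse a version from '$exe version' output."
        return $false
    }

    $found = [version]$Matches[1]
    if ($found -gt $MaxSupported) {
        # Warn instead of throwing so the assessment can still proceed.
        Write-Warning ("OPA $found is newer than the latest supported version " +
            "$MaxSupported; results may be unreliable.")
        return $false
    }
    return $true
}

# Path taken from the issue's reproduction steps.
Test-OpaVersionSupported -OPAPath 'C:\TEMP\'
```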

buidav commented 2 months ago

@grepcatman From our testing, OPA versions 0.65.0 and 0.66.0 had no effect on ScubaGear execution. Could you retry with those latest versions and see if the error persists?