cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Sharepoint incorrectly produces N/A for policy 3.2 when using service principal but it should perform the policy check because the needed fields exist #1221

Open tkol2022 opened 1 month ago

tkol2022 commented 1 month ago

💡 Summary

The Rego code for Sharepoint policy 3.2 incorrectly produces an N/A when you run with a service principal. I guess the coder thought that the Get-PnPTenant cmdlet does not contain the necessary fields, but based on my testing, it does contain them. I temporarily changed the Rego code and it worked when running with a service principal. The fix to correct this is easy and I provide a code snippet below that I tested with. The fields needed are FileAnonymousLinkType and FolderAnonymousLinkType.

Screenshots of the problem

Run the Sharepoint provider with a service principal and you will get the following:

[screenshot]

After I fixed the code, this is what the report looks like. It matches the output when running with interactive authentication.

[screenshot]

Code Fix

I commented out the lines that should be removed.

```rego
tests contains {
    "PolicyId": "MS.SHAREPOINT.3.2v1",
    "Criticality": "Shall",
    "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"],
    "ActualValue": [FileLinkType, FolderLinkType],
    "ReportDetails": FileAndFolderLinkPermission(FileLinkType, FolderLinkType),
    "RequirementMet": Status
} if {
    # input.OneDrive_PnP_Flag == false
    SharingCapability == ANYONE

    FileLinkType := Tenant.FileAnonymousLinkType
    FolderLinkType := Tenant.FolderAnonymousLinkType
    Conditions := [
        FileLinkType == 1,
        FolderLinkType == 1
    ]
    Status := count(FilterArray(Conditions, true)) == 2
}

# Test for N/A case
tests contains {
    "PolicyId": PolicyId,
    "Criticality": "Shall/Not-Implemented",
    "Commandlet": ["Get-SPOTenant", "Get-PnPTenant"],
    "ActualValue": [],
    "ReportDetails": CheckedSkippedDetails(PolicyId, Reason),
    "RequirementMet": false
} if {
    PolicyId := "MS.SHAREPOINT.3.2v1"
    # input.OneDrive_PnP_Flag == false
    SharingCapability != ANYONE
    Reason := NAString(SliderSettings(2))
}

# tests contains {
#     "PolicyId": PolicyId,
#     "Criticality": "Shall/Not-Implemented",
#     "Commandlet": [],
#     "ActualValue": [],
#     "ReportDetails": NotCheckedDetails(PolicyId),
#     "RequirementMet": false
# } if {
#     PolicyId := "MS.SHAREPOINT.3.2v1"
#     input.OneDrive_PnP_Flag == true
# }
#--
```

Implementation notes
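The following is an added, standalone Rego module with unit tests, not code from the issue or from ScubaGear itself. It reduces the MS.SHAREPOINT.3.2v1 check to the parts that matter for this report, drops the `OneDrive_PnP_Flag` gate as the fix above does, and then asserts with `opa test` that a service-principal run (flag true, the two `*AnonymousLinkType` fields present) is evaluated instead of being skipped. The package name, the `SPO_tenant` input shape, the `NotApplicable` key, the `FilterArray` helper and the numeric values (SharingCapability 2 for "Anyone", link type 1 for view-only) are assumptions made for the example; ScubaGear's real module has more helpers and report fields.

```rego
# Added example, not ScubaGear's own code: a trimmed version of the
# MS.SHAREPOINT.3.2v1 check with the OneDrive_PnP_Flag gate removed,
# plus unit tests for the service-principal path. Input shape, helper
# names and constants below are assumptions for this example.
package sharepoint_3_2_example

import rego.v1

# Assumed constant: SharingCapability value 2 means "Anyone" links are allowed.
ANYONE := 2

Tenant := input.SPO_tenant[0]

# Keep only the array items equal to Cond (simplified stand-in for ScubaGear's helper).
FilterArray(Array, Cond) := [Item | some Item in Array; Item == Cond]

# Policy check: runs whenever sharing is set to Anyone, whether the tenant
# data came from Get-SPOTenant (interactive) or Get-PnPTenant (service
# principal). Both cmdlets expose FileAnonymousLinkType/FolderAnonymousLinkType.
tests contains {
    "PolicyId": "MS.SHAREPOINT.3.2v1",
    "ActualValue": [FileLinkType, FolderLinkType],
    "RequirementMet": Status,
} if {
    Tenant.SharingCapability == ANYONE
    FileLinkType := Tenant.FileAnonymousLinkType
    FolderLinkType := Tenant.FolderAnonymousLinkType
    # Assumed: link type 1 = view-only, which is what the baseline requires.
    Conditions := [FileLinkType == 1, FolderLinkType == 1]
    Status := count(FilterArray(Conditions, true)) == 2
}

# N/A case: the policy does not apply when Anyone links are not allowed at all.
tests contains {
    "PolicyId": "MS.SHAREPOINT.3.2v1",
    "ActualValue": [],
    "RequirementMet": false,
    "NotApplicable": true,
} if {
    Tenant.SharingCapability != ANYONE
}

# ---- unit tests (run with: opa test <this file>) ----

# Service-principal run: flag is true and the two fields are present, so the
# check must be evaluated and pass, not reported as N/A.
test_service_principal_fields_present_pass if {
    Output := tests with input as {
        "OneDrive_PnP_Flag": true,
        "SPO_tenant": [{
            "SharingCapability": 2,
            "FileAnonymousLinkType": 1,
            "FolderAnonymousLinkType": 1,
        }],
    }
    some Result in Output
    Result.PolicyId == "MS.SHAREPOINT.3.2v1"
    Result.RequirementMet == true
    not Result.NotApplicable
}

# Service-principal run with an edit-capable file link: evaluated and failed.
test_service_principal_edit_link_fails if {
    Output := tests with input as {
        "OneDrive_PnP_Flag": true,
        "SPO_tenant": [{
            "SharingCapability": 2,
            "FileAnonymousLinkType": 2,
            "FolderAnonymousLinkType": 1,
        }],
    }
    some Result in Output
    Result.RequirementMet == false
    not Result.NotApplicable
}

# Sharing not set to Anyone: the only legitimate N/A path.
test_sharing_not_anyone_is_na if {
    Output := tests with input as {
        "OneDrive_PnP_Flag": true,
        "SPO_tenant": [{"SharingCapability": 1}],
    }
    some Result in Output
    Result.NotApplicable == true
}
```

The first test is the regression guard for this issue: before the fix, a true `OneDrive_PnP_Flag` short-circuited both rules into the "not checked" result regardless of what `Get-PnPTenant` returned, so a test like this would have found no result with `RequirementMet == true`.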

tkol2022 commented 1 month ago

@mitchelbaker-cisa You can lump this with the quick fix in #1220.

tkol2022 commented 1 month ago

You can probably take care of this one at the same time as well to maximize pull request resources: #1268 If you agree, you can self-assign.