cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Power Platform DLP Policy bug #1396

Open desmay opened 2 weeks ago

desmay commented 2 weeks ago

🐛 Summary

Running Scuba on Power Platform, it appears that the DLP Policy logic is not correct. I created a DLP policy that is set for all environments, and yet Scuba generates a warning that environments do not have a DLP policy set. It's also failing if I create a DLP policy for all but specific environments, again generating a warning saying environments are missing a DLP policy.

To reproduce

Steps to reproduce the behavior:

  1. Create a DLP policy in PPAC and apply it to all environments, or even just to specific environments
  2. Then run Scuba for the PowerPlatform

Expected behavior

Pass message since environment has DLP policy set in PPAC.

Any helpful log output or screenshots

Paste the results here:

Add any screenshots of the problem here. Image

buidav commented 2 weeks ago

@desmay

  1. Which kind of M365 tenant are you running ScubaGear against? Commercial, GCC, ...?

For example, run Invoke-SCuBA -M365Environment gcc if the tenant is a Government Community Cloud (GCC) tenant.

Running with the incorrect M365Environment can display false negative reports for Power Platform if the built-in environment check for ScubaGear fails. A warning message should've been displayed on the terminal; let us know if it didn't.

  2. What scope does the DLP policy that applies to all environments display? Environment, org, or something else? Image

  3. Was the DLP policy created in the GUI or via PowerShell?

desmay commented 2 weeks ago

GCC and it's a tenant level DLP policy created in GUI

desmay commented 2 weeks ago

Here is a screenshot of the DLP policy. It applies to all environments, yet Scuba generated a warning that non-default environments don't have a policy. Image

buidav commented 2 weeks ago

@desmay Thank you for the information and screenshot!

I was able to reproduce the issue. Something's changed with the underlying data structure and our Rego rules aren't evaluating the All environments option successfully anymore.

Though if you select the Add multiple environments option when defining the DLP policy scope and manually add all of your environments in a single DLP policy, ScubaGear is still able to recognize that the DLP rule applies to all environments. Not sure why this case still passes yet.

Image Image

We'll bundle a fix in a future release.

desmay commented 2 weeks ago

It also fails on "exclude specific environments". So if you create a tenant policy and exclude all except x environments, you will get a similar warning message from ScubaGear.

desmay commented 2 weeks ago

Here is the exclusion failure, just for reference. Image Image

buidav commented 2 weeks ago

Here is the exclusion failure, just for reference. Image Image

Thanks for the additional references!