Releases: cisagov/ScubaGear
v1.4.0
Major Changes
- Support policy check toggling via config file #1200. See configuration file documentation about omitting policies for further details.
- Make ScubaResults.json the default result output #1316. See documentation for the `-KeepIndividualJSON` parameter to revert to previous version behavior.
- Improve AAD assessment check performance #1196
- Modify MS.AAD.6.1v1 to account for federated domains #1185
- Remove deprecated MS.SHAREPOINT.4.1v1 policy, references, and assessment checks #1244
- Change MS.SHAREPOINT.1.4v1 check to `not-implemented` due to deprecated field #1270
- Add policy check for MS.SHAREPOINT.3.2v1 when using service principal and update MS.SHAREPOINT.4.2v1 check for deprecation #1309
- Add assessment check for MS.DEFENDER.6.2v1 #1241
- Add policy check for MS.AAD.3.7v1 to support exclusions #1190
- Realign MS.EXO.2.1v1 and MS.EXO.2.2v2 SPF assessment checks with updated policies #1130
- Add a backup path to look for the OPA executable in the current directory #1092
- Enhance CSV output to be consistent with data in HTML reports #1281
- Bump acceptable OPA version to v0.69.0 and set new accepted minimum to v0.69.0 #1348
- Add `-OutActionPlanFileName` for action plan remediation CSV output #1351
- Add report UUID to the ScubaResults.json filename #1426
- See full list of enhancements here
Bugs Fixed
- Correct bug with Connect-IPPSSession error handling #1199
- Extend Microsoft.Graph.* dependency max version from 2.19.x -> 2.x.x #1122
- Fix AAD 401 authentication errors against GCC high tenants #1266
- Fix encoding issue by removing BOM from provider output files #1302
- Fix AAD provider to handle nested PIM groups and refactor Get-PrivilegedUser #1310
- Pin PowerApps module dependency to last tested working version #1346
- Fix broken import path in `Initialize-SCuBA` #1363
- See full list of bug fixes here
Baselines
- Add MITRE ATT&CK Mappings to all M365 secure configuration baselines #1106
- Change Azure Active Directory namings in baselines to use Entra ID equivalent #1176
- Remove MS.SHAREPOINT.4.1v1 policy and references #1244
- Fix circular reference between MS.EXO.16.1v1 and MS.DEFENDER.5.1v1 implementation instructions #1198
- Revise MS.EXO.2.1v1 and MS.EXO.2.2v2 SPF requirements #1130
- Decouple the remaining EXO Shall/Should policies #1095
- Added notes about applicability to MS.TEAMS.2.2v1 and MS.TEAMS.3.1v1 #1219
- Updated MS.AAD.5.2v1 instructions to match updated UI buttonology #1117
- Update front matter and specific language in the Defender SCB to clarify licensing information #1398
- See full list of baseline updates here
Documentation
- Cleaning up and streamlining example config files #1137
- Minor documentation fixes and updates #1157
- Add additional shields.io badges to README #1167
- See full list of documentation changes here
Full Changelog: v1.3.0...v1.4.0
v1.3.0
Major Changes
- Add automated checks for policy MS.AAD.3.3v1 #1014
- Expand CAP exclusion note in Azure AD HTML report #1120
- Add policy group names to ScubaResults.json #1041
- Include reference URL in ScubaResults.json #1119
- Add license information table to Azure AD HTML report #1091
- Enhance Defender license warnings for impersonation protection and DLP checks #929
- Add more accessibility improvements to HTML reports #1105
- Bump latest supported OPA version from v0.63.0 to v0.64.1 #1079
- Bump ScubaGear PowerShell module dependency versions #1100
- See full list of enhancements here
Documentation
- Expand README.md into user guide and add PSGallery install instructions #1114
- See full list of documentation changes here
Bugs Fixed
- Fix SharePoint policy checks to only execute when applicable #1076
- Prevent multiple runs from duplicate product names #782
- Pin ExchangeOnlineManagement module version to <v3.5 #1116
- See full list of bug fixes here
Baselines
- Created markdown file for policies removed from M365 SCBs #1090
- Fixed erroneous criticality tags in SharePoint markdown #1083
Full Changelog: v1.2.0...v1.3.0
v1.2.0
ScubaGear is now available for installation through the PowerShell Gallery public repository here. Users can install ScubaGear via PSGallery using the `Install-Module` cmdlet provided by PowerShellGet. Once installed in this way, users do not need to use `Import-Module` to have access to ScubaGear cmdlets and functions. ScubaGear still requires running `Initialize-SCuBA` after installation to install its other dependencies.
Installation instructions for the ZIP release package below are included in the README.
Major Changes
- Publish ScubaGear module to PowerShell Gallery #959
- Add check for MS.AAD.7.2v1 using least privilege score #852
- Add authentication methods disabled checks for MS.AAD.3.5.v1 #902
- Update Azure AD 7.6-7.9 checks to support PIM for Groups #945
- Move and update support scripts to functions #870
- Add option to generate per product and merged JSON results #970
- Add accessibility features to HTML report #962
- Add tenant licensing details to Azure AD HTML report #1011
- Add `New-Config` cmdlet to generate a config file template #984
- See full list of enhancements here
Bugs Fixed
- Fix broken baseline links in HTML report #924
- Fix dark mode checkbox from being in incorrect state #991
- Fix MS.AAD.5.2v1 check response processing error #1043
- See full list of bug fixes here
Documentation
- Add RELEASES.md and CONTRIBUTING.md documentation #936
- Update sample reports to latest version output examples #1058
- Add TLP:CLEAR information note to PowerBI baseline #907
- Set consistent depth on README table of contents #933
- See full list of documentation changes here
Baselines
- Add PIM for Groups details to Azure AD 7.6-7.9 implementation instructions #926
- Revise MS.EXO.5.1 to remove incorrect note #939
- Update MS.AAD.5.3v1 and MS.AAD.5.4v1 instructions to match correct buttonology #1028
Full Changelog: v1.1.1...v1.2.0
v1.1.1
This maintenance release resolves errors that can result from issues with the latest versions of the MS Graph and SharePoint SDK PowerShell modules. This release pins the ScubaGear module dependencies to the latest working versions of those modules.
Major Changes
- No major changes
Bugs Fixed
- Add MSGraph and SPO library max versions #908
Documentation
- No changes
Baselines
- No changes.
Full Changelog: v1.1.0...v1.1.1
v1.1.0
Major Changes
- Add support for Azure AD PIM for groups #794
- Add automated check for MS.AAD.6.1v1 user password expiration #795
- Add terms of use property handling to Azure AD CAP table display #848
- Add support for command line parameter override of config file variables #761
- Adds tenant licensing info to JSON output #823
- Update reports to link to versioned baselines #866
- Refactor assessment checks and add support for latest OPA rego engine #642 #659 #660 #661 #662 #663 #664 #745
- See full list of enhancements here
Bugs Fixed
- Fix report module to handle italics and multiline processing in policy description #730
- Fix backslash escape sequence handling #822
- Remove DNS over HTTPS (DOH) NXDOMAIN retry #795
- See full list of bug fixes here
Documentation
- Add configuration file documentation to README #812
Baselines
- Move baseline documents inside ScubaGear module directory #802
- Fix MS.EXO.17 implementation instruction policy ID refs #864
- Add Azure AD PIM for Groups information to instructions #376
Full Changelog: v1.0.0...v1.1.0
v1.0.0
Major Changes
- Significant refresh of baseline assessment check updates to align with baseline changes
- Quicker install and setup process #514
- Improved error handling and user feedback #336
- Add support for non-NA regions when running Power Platform #338
- Update sample report files for v1.0 #683
- Update `ExchangeOnlineManagement` module minimum version to 3.2 #440
- Update `MSGraph` module to 2.0 #514
- See full list of 46 enhancements here
Bugs Fixed
- Teams email integration patch #333
- Fix versioned tag in URLs #651
- Fix MS.DEFENDER.4.3v1 where check would pass when action is `Block People Outside of Organization` rather than `Block Everyone` #602
- Remove deprecated Exchange alert policies from check in MS.EXO.16.1 #527
- Fix MS.DEFENDER.4.2v1 check failing despite all locations being included #574
- See full list of 43 bug fixes here
Documentation
- Significant updates to README and add a Table of Contents #639
- Add section on PowerShell Execution Policies to work with signed scripts #208
- See full list of 7 documentation updates here
Baselines
- Add unique individual policy IDs for easier reference in reporting
- Add rationale to each policy item providing indication of related risks
- Major regrouping of policy items in each baseline
- Merge SharePoint and OneDrive into single baseline
- Change Defender baseline to use preset security policies instead of specifying individual settings in custom policy
- See full list of 111 baseline changes here
Full Changelog: 0.3.0...v1.0.0
v0.3.0
Major Changes
- Added non-interactive authentication mode using an Azure AD application service principal. This is to support running the tool in a pipeline or scheduled job. See the README sections that reference service principals, including the new -CertificateThumbprint parameter for `Invoke-SCuBA`.
- Added Azure AD conditional access policies in the HTML report, which makes it easier to view all of your policies in a single interface. See the example file `/sample-report/IndividualReports/AADReport.html` to see what it looks like.
- The Azure AD configuration export provider was updated to improve its execution speed.
- The report now contains a button to enable Dark Mode - enjoy 😃.
- Improved overall error handling to provide a more stable tool with predictable results during error conditions.
- The Open Policy Agent (OPA) executable was decoupled from the repository. Users can reference their own version or simply run Setup.ps1 to have it automatically download the required version from the OPA website.
- New -ConfigFilePath parameter for `Invoke-SCuBA` allows the user to specify a custom configuration file in YAML or JSON format. Currently the config file supports user-defined values for the standard `Invoke-SCuBA` parameters defined in the README file (e.g. ProductNames). See `/sample-config-files/sample-config.yaml` for an example.
- Added the ability to configure a set of Users and Groups that are excluded from the Azure AD conditional access policy checks. This is so that known organizational exception cases are not flagged as Fail in the report. See the CapExclusions section in `/sample-config-files/aad-config.yaml` for an example.
- ScubaGear code files are now signed, which makes it easier to run on more Windows environments without warnings or execution prevention errors. See the PowerShell Execution Policies section in the README for details.
- For Exchange Online, added retry logic to DNS that attempts to retry against a public resolver. This is to address problems seen with certain split DNS configurations.
- See full list of 17 enhancements here.
Bugs Fixed
- Corrected erroneous Defender GCCHigh and DOD endpoints (#144)
- Added filter to only check EXO transport rules that are enabled and enforced (#130)
- Explicitly set file encoding to UTF-8 (#20)
- Prevented empty cmdlet responses from producing invalid JSON results (#19)
- 21 additional bugs fixed. See full list here.
Documentation
- Added examples to the README which show how to run ScubaGear non-interactively.
- Added a `sample-config-files` folder to the repository that contains sample user-defined configuration files.
- Updated `sample-report` folder based on new version results
Baselines
- No changes. A new version of the security baseline documents is being prepared and will be published in a future release.
v0.2.1
This maintenance release resolves an error in the Exchange Online provider that caused ScubaGear to fail with a duplicate keys exception.
Major Changes
- No major changes
Documentation
- No changes
Code
- Omit unused fields from Get-OrganizationConfig response in EXO provider (#138)
Rego/Policies
- No changes
Baselines
- No changes. We do not anticipate making edits to the baseline documents until Q2 2023.
v0.2.0
Major Changes
- Use cmdlet `Invoke-SCuBA` to start an assessment. Removed `RunSCuBA.ps1`. See README for more.
- Added GCC-H/DOD endpoints. Use the `-M365Environment` parameter.
- Exchange, Defender for Office 365, and Teams can now be run with the `Global Reader` role instead of administrator permissions.
- Removed Graph API Scope `Policy.ReadWRITE.AuthenticationMethod`.
- Added `Disconnect-SCuBATenant` cmdlet and `Invoke-SCuBA -DisconnectOnExit` option to help manage connections to multiple tenants. Using either method will make your next run connect to a new tenant.
Documentation
- Significant changes to the README for clarity and new usage examples and a cool diagram.
- Updated links in the HTML report to reference CISA's SCuBA website and the baseline documents.
- Added the tenant name and tenantId to the HTML report to help determine which tenant was assessed.
- AAD report now includes a warning that exclusions to Conditional Access Policies are not evaluated and that may impact your compliance with certain controls.
- Added a `sample-report` folder to the repository that will be updated with the latest report template each release. Thanks to public suggestion. #2
Code
- Refactored the Power Platform exclusive `-Endpoint` parameter to the `-M365Environment` parameter to support connecting to different endpoints for any product.
- Required dependencies are now checked on module import.
- Added `*` parameter to the `ProductNames` parameter in `Invoke-SCuBA` to run all products.
- `Setup.ps1` now only installs modules if they are not already installed based on a minimum version.
- Improved error handling in some providers. Others will be updated in the next release.
- Improved code documentation to enable `Get-Help` functionality.
- Tool now increases PowerShell's `$MaximumFunctionCount` to support all the cmdlets exported by MS Graph.
- Fixed bug with Teams provider and JSON parsing. See: #12
Rego/Policies
- Fixed Rego check for OneDrive policy 2.4, which resulted in incorrect results.
- Fixed Rego check for Defender 2.7 and 2.8, which resulted in incorrect results.
- Added support for Exchange policy 2.6 bullet 8, which was not previously implemented.
- Removed automation support for part of SharePoint policy 2.5 (Prevent users from running custom script on personal sites), due to a bug with comparison logic. Hope to have it added back in the next release.
Baselines
- No changes. We do not anticipate making edits to the baseline documents until Q2 2023.
v0.1.0
Version 0.1.0
This is an initial alpha release. Reports could be incorrect and should be reviewed carefully.
See README for full instructions.
The following products are supported:
- Azure AD
- Defender for Office 365
- Exchange Online
- SharePoint Online
- Teams
- PowerBI (edit for clarity: Power BI is not supported in the tool. However, there is a baseline for Power BI.)
- Power Platform