Releases: cisagov/ScubaGear

v1.4.0

26 Nov 20:49

Major Changes

  • Support policy check toggling via config file #1200
    See configuration file documentation about omitting policies for further details.
  • Make ScubaResults.json the default result output #1316
    See documentation for -KeepIndividualJSON parameter to revert to previous version behavior.
  • Improve AAD assessment check performance #1196
  • Modify MS.AAD.6.1v1 to account for federated domains #1185
  • Remove deprecated MS.SHAREPOINT.4.1v1 policy, references, and assessment checks #1244
  • Change MS.SHAREPOINT.1.4v1 check to not-implemented due to deprecated field #1270
  • Add policy check for MS.SHAREPOINT.3.2v1 when using service principal and update MS.SHAREPOINT.4.2v1 check for deprecation #1309
  • Add assessment check for MS.DEFENDER.6.2v1 #1241
  • Add policy check for MS.AAD.3.7v1 to support exclusions #1190
  • Realign MS.EXO.2.1v1 and MS.EXO.2.2v2 SPF assessment checks with updated policies #1130
  • Add a backup path to look for the OPA executable in the current directory #1092
  • Enhance CSV output to be consistent with data in HTML reports #1281
  • Bump acceptable OPA version to v0.69.0 and set new accepted minimum to v0.69.0 #1348
  • Add -OutActionPlanFileName for action plan remediation CSV output #1351
  • Add report UUID to the ScubaResults.json filename #1426
  • See full list of enhancements here

Bugs Fixed

  • Correct bug with Connect-IPPSSession error handling #1199
  • Extend Microsoft.Graph.* dependency max version from 2.19.x -> 2.x.x #1122
  • Fix AAD 401 authentication errors against GCC high tenants #1266
  • Fix encoding issue by removing BOM from provider output files #1302
  • Fix AAD provider to handle nested PIM groups and refactor Get-PrivilegedUser #1310
  • Pin PowerApps module dependency to last tested working version #1346
  • Fix broken import path in Initialize-SCuBA #1363
  • See full list of bug fixes here

Baselines

  • Add MITRE ATT&CK Mappings to all M365 secure configuration baselines #1106
  • Change Azure Active Directory namings in baselines to use Entra ID equivalent #1176
  • Remove MS.SHAREPOINT.4.1v1 policy and references #1244
  • Fix circular reference between MS.EXO.16.1v1 and MS.DEFENDER.5.1v1 implementation instructions #1198
  • Revise MS.EXO.2.1v1 and MS.EXO.2.2v2 SPF requirements #1130
  • Decouple the remaining EXO Shall/Should policies #1095
  • Added notes about applicability to MS.TEAMS.2.2v1 and MS.TEAMS.3.1v1 #1219
  • Updated MS.AAD.5.2v1 instructions to match updated UI buttonology #1117
  • Update front matter and specific language in the Defender SCB to clarify licensing information #1398
  • See full list of baseline updates here

Documentation

  • Cleaning up and streamlining example config files #1137
  • Minor documentation fixes and updates #1157
  • Add additional shields.io badges to README #1167
  • See full list of documentation changes here

Full Changelog: v1.3.0...v1.4.0

v1.3.0

07 Jun 00:53
faedc6b

Major Changes

  • Add automated checks for policy MS.AAD.3.3v1 #1014
  • Expand CAP exclusion note in Azure AD HTML report #1120
  • Add policy group names to ScubaResults.json #1041
  • Include reference URL in ScubaResults.json #1119
  • Add license information table to Azure AD HTML report #1091
  • Enhance Defender license warnings for impersonation protection and DLP checks #929
  • Add more accessibility improvements to HTML reports #1105
  • Bump latest supported OPA version from v0.63.0 to v0.64.1 #1079
  • Bump ScubaGear PowerShell module dependency versions #1100
  • See full list of enhancements here

Documentation

  • Expand README.md into user guide and add PSGallery install instructions #1114
  • See full list of documentation changes here

Bugs Fixed

  • Fix SharePoint policy checks to only execute when applicable #1076
  • Prevent multiple runs from duplicate product names #782
  • Pin ExchangeOnlineManagement module version to <v3.5 #1116
  • See full list of bug fixes here

Baselines

  • Created markdown file for policies removed from M365 SCBs #1090
  • Fixed erroneous criticality tags in SharePoint markdown #1083

Full Changelog: v1.2.0...v1.3.0

v1.2.0

03 May 14:09
8c185c8

ScubaGear is now available for installation through the PowerShell Gallery public repository here. Users can install ScubaGear via PSGallery using the Install-Module cmdlet provided by PowerShellGet. Once installed in this way, users do not need to use Import-Module to have access to ScubaGear cmdlets and functions. ScubaGear still requires running Initialize-SCuBA after installation to install its other dependencies.
Installation instructions for the ZIP release package below are included in the README.

Major Changes

  • Publish ScubaGear module to PowerShell Gallery #959
  • Add check for MS.AAD.7.2v1 using least privilege score #852
  • Add authentication methods disabled checks for MS.AAD.3.5.v1 #902
  • Update Azure AD 7.6-7.9 checks to support PIM for Groups #945
  • Move and update support scripts to functions #870
  • Add option to generate per product and merged JSON results #970
  • Add accessibility features to HTML report #962
  • Add tenant licensing details to Azure AD HTML report #1011
  • Add New-Config cmdlet to generate a config file template #984
  • See full list of enhancements here

Bugs Fixed

  • Fix broken baseline links in HTML report #924
  • Fix dark mode checkbox from being in incorrect state #991
  • Fix MS.AAD.5.2v1 check response processing error #1043
  • See full list of bug fixes here

Documentation

  • Add RELEASES.md and CONTRIBUTING.md documentation #936
  • Update sample reports to latest version output examples #1058
  • Add TLP:CLEAR information note to PowerBI baseline #907
  • Set consistent depth on README table of contents #933
  • See full list of documentation changes here

Baselines

  • Add PIM for Groups details to Azure AD 7.6-7.9 implementation instructions #926
  • Revise MS.EXO.5.1 to remove incorrect note #939
  • Update MS.AAD.5.3v1 and MS.AAD.5.4v1 instructions to match correct buttonology #1028

Full Changelog: v1.1.1...v1.2.0

v1.1.1

17 Feb 01:19
4f2d982

This maintenance release resolves errors that can result from issues with the latest versions of the MS Graph and SharePoint SDK PowerShell modules. This release pins the ScubaGear module dependencies to the latest working versions of those modules.

Major Changes

  • No major changes

Bugs Fixed

  • Add MSGraph and SPO library max versions #908

Documentation

  • No changes

Baselines

  • No changes.

Full Changelog: v1.1.0...v1.1.1

v1.1.0

01 Feb 19:17
86a1d55

Major Changes

  • Add support for Azure AD PIM for groups #794
  • Add automated check for MS.AAD.6.1v1 user password expiration #795
  • Add terms of use property handling to Azure AD CAP table display #848
  • Add support for command line parameter override of config file variables #761
  • Adds tenant licensing info to JSON output #823
  • Update reports to link to versioned baselines #866
  • Refactor assessment checks and add support for latest OPA rego engine #642 #659 #660 #661 #662 #663 #664 #745
  • See full list of enhancements here

Bugs Fixed

  • Fix report module to handle italics and multiline processing in policy description #730
  • Fix backslash escape sequence handling #822
  • Remove DNS over HTTPS (DOH) NXDOMAIN retry #795
  • See full list of bug fixes here

Documentation

  • Add configuration file documentation to README #812

Baselines

  • Move baseline documents inside ScubaGear module directory #802
  • Fix MS.EXO.17 implementation instruction policy ID refs #864
  • Add Azure AD PIM for Groups information to instructions #376

Full Changelog: v1.0.0...v1.1.0

v1.0.0

19 Dec 21:26
1c4b9dd

Major Changes

  • Significant refresh of baseline assessment check updates to align with baseline changes
  • Quicker install and setup process #514
  • Improved error handling and user feedback #336
  • Add support for non-NA regions when running Power Platform #338
  • Update sample report files for v1.0 #683
  • Update ExchangeOnlineManagement module minimum version to 3.2 #440
  • Update MSGraph module to 2.0 #514
  • See full list of 46 enhancements here

Bugs Fixed

  • Teams email integration patch #333
  • Fix versioned tag in URLs #651
  • Fix MS.DEFENDER.4.3v1 where check would pass when action is Block People Outside of Organization rather than Block Everyone #602
  • Remove deprecated Exchange alert policies from check in MS.EXO.16.1 #527
  • Fix MS.DEFENDER.4.2v1 check failing despite all locations being included #574
  • See full list of 43 bug fixes here

Documentation

  • Significant updates to README and add a Table of Contents #639
  • Add section on PowerShell Execution Policies to work with signed scripts #208
  • See full list of 7 documentation updates here

Baselines

  • Add unique individual policy IDs for easier reference in reporting
  • Add rationale to each policy item providing indication of related risks
  • Major regrouping of policy items in each baseline
  • Merge SharePoint and OneDrive into single baseline
  • Change Defender baseline to use preset security policies instead of specifying individual settings in custom policy
  • See full list of 111 baseline changes here

Full Changelog: 0.3.0...v1.0.0

v0.3.0

24 Mar 20:23
1d5201f

Major Changes

  • Added non-interactive authentication mode using an Azure AD application service principal. This is to support running the tool in a pipeline or scheduled job. See the README sections that reference service principals, including the new -CertificateThumbprint parameter for Invoke-SCuBA.
  • Added Azure AD conditional access policies in the HTML report, which makes it easier to view all of your policies in a single interface. See the example file /sample-report/IndividualReports/AADReport.html to see what it looks like.
  • The Azure AD configuration export provider was updated to improve its execution speed.
  • The report now contains a button to enable Dark Mode - enjoy 😃.
  • Improved overall error handling to provide a more stable tool with predictable results during error conditions.
  • The Open Policy Agent (OPA) executable was decoupled from the repository. Users can reference their own version or simply run Setup.ps1 to have it automatically download the required version from the OPA website.
  • New -ConfigFilePath parameter for Invoke-SCuBA allows the user to specify a custom configuration file in YAML or JSON format. Currently the config file supports user-defined values for the standard Invoke-SCuBA parameters defined in the README file (e.g., ProductNames). See /sample-config-files/sample-config.yaml for an example.
  • Added the ability to configure a set of Users and Groups that are excluded from the Azure AD conditional access policy checks. This is so that known organizational exception cases are not flagged as Fail in the report. See the CapExclusions section in /sample-config-files/aad-config.yaml for an example.
  • ScubaGear code files are now signed, which makes it easier to run on more Windows environments without warnings or execution prevention errors. See the PowerShell Execution Policies section in the README for details.
  • For Exchange Online, added retry logic to DNS that attempts to retry against a public resolver. This is to address problems seen with certain split DNS configurations.
  • See full list of 17 enhancements here.

Bugs Fixed

  • Corrected erroneous Defender GCCHigh and DOD endpoints (#144)
  • Added filter to only check EXO transport rules that are enabled and enforced (#130)
  • Explicitly set file encoding to UTF-8 (#20)
  • Prevented empty cmdlet responses from producing invalid JSON results (#19)
  • 21 additional bugs fixed. See full list here.

Documentation

  • Added examples to the README which show how to run ScubaGear non-interactively.
  • Added a sample-config-files folder to the repository that contains sample user-defined configuration files.
  • Updated sample-report folder based on new version results

Baselines

  • No changes. A new version of the security baseline documents is being updated and will be published in a future release.

v0.2.1

27 Jan 19:59

This maintenance release resolves an error in the Exchange Online provider that caused ScubaGear to fail with a duplicate keys exception.

Major Changes

  • No major changes

Documentation

  • No changes

Code

  • Omit unused fields from Get-OrganizationConfig response in EXO provider (#138)

Rego/Policies

  • No changes

Baselines

  • No changes. We do not anticipate making edits to the baseline documents until Q2 2023.

v0.2.0

16 Dec 17:48
8a1bf47

Major Changes

  • Use cmdlet Invoke-SCuBA to start an assessment. Removed RunSCuBA.ps1. See README for more.
  • Added GCC-H/DOD endpoints. Use the -M365Environment parameter.
  • Exchange, Defender for Office 365, and Teams can now be run with the Global Reader role instead of administrator permissions.
  • Removed Graph API Scope Policy.ReadWRITE.AuthenticationMethod.
  • Added Disconnect-SCuBATenant cmdlet and Invoke-SCuBA -DisconnectOnExit option to help manage connections to multiple tenants. Using either method will make your next run connect to a new tenant.

Documentation

  • Significant changes to the README for clarity and new usage examples and a cool diagram.
  • Updated links in the HTML report to reference CISA's SCuBA website and the baseline documents.
  • Added the tenant name and tenantId to the HTML report to help determine which tenant was assessed.
  • AAD report now includes a warning that exclusions to Conditional Access Policies are not evaluated and that may impact your compliance with certain controls.
  • Added a sample-report folder to the repository that will be updated with the latest report template each release. Thanks to public suggestion. #2

Code

  • Refactored the Power Platform exclusive -Endpoint parameter to the -M365Environment parameter to support connecting to different endpoints for any product.
  • Required dependencies are now checked on module import.
  • Added * parameter to the ProductNames parameter in Invoke-SCuBA to run all products
  • Setup.ps1 now only installs modules if they are not already installed based on a minimum version.
  • Improved error handling in some providers. Others will be updated in the next release.
  • Improved code documentation to enable Get-Help functionality.
  • Tool now increases PowerShell's $MaximumFunctionCount to support all the cmdlets exported by MS Graph.
  • Fixed bug with Teams provider and JSON parsing. See: #12

Rego/Policies

  • Fixed Rego check for OneDrive policy 2.4, which resulted in incorrect results.
  • Fixed Rego check for Defender 2.7 and 2.8, which resulted in incorrect results.
  • Added support for Exchange policy 2.6 bullet 8, which was not previously implemented.
  • Removed automation support for part of SharePoint policy 2.5 (Prevent users from running custom script on personal sites), due to a bug with comparison logic. Hope to have it added back in the next release.

Baselines

  • No changes. We do not anticipate making edits to the baseline documents until Q2 2023.

v0.1.0

20 Oct 12:30
bdbbe55

Version 0.1.0

This is an initial alpha release. Reports could be incorrect and should be reviewed carefully.

See README for full instructions.

The following products are supported:

  • Azure AD
  • Defender for Office 365
  • Exchange Online
  • SharePoint Online
  • Teams
  • PowerBI (edit for clarity: Power BI is not supported in the tool. However, there is a baseline for Power BI.)
  • Power Platform