2.2.1 first EntraID control, put back input_template

mitre · Feb 20, 2025 · 52ab304 · 52ab304
1 parent ad66c55
commit 52ab304
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 6 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,7 +2,7 @@
 *.gem
 *.rbc
 *results.json
-inputs_template.yml
+inputs.yml
 
 /.config
 /coverage/

diff --git a/controls/azure-foundations-cis-2.2.1.rb b/controls/azure-foundations-cis-2.2.1.rb
@@ -87,7 +87,35 @@
     ref 'https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition'
     ref 'https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-7-restrict-resource-access-based-on--conditions'
 
-    describe 'benchmark' do
-        skip 'The check for this control needs to be done manually'
+    subscription_id = input('subscription_id')
+
+    script = <<-EOH
+        Set-AzContext -Subscription #{subscription_id} | Out-Null
+        Connect-MgGraph -NoWelcome
+        $results = Get-MgIdentityConditionalAccessNamedLocation | ForEach-Object {
+            [PSCustomObject]@{
+                DisplayName = $_.DisplayName;
+                IsTrusted   = $_.AdditionalProperties["isTrusted"]
+            }
+        }
+
+        $trusted = $results | Where-Object { $_.IsTrusted.ToString().ToLower() -eq "true" }
+
+        if ($trusted.Count -gt 0) {
+            Write-Output "At least one trusted location exists"
+        }
+        else {
+            Write-Output "No trusted locations found"
+        }
+    EOH
+
+    # pwsh_output = pwsh_graph_executor(script).run_script_in_graph
+    pwsh_output = powershell(script).stdout.strip
+
+    describe "Azure Conditional Access Named Locations" do
+        subject { pwsh_output}
+            it "should indicate that at least one trusted location exists" do
+                expect(subject).to eq("At least one trusted location exists")
+        end
     end
 end
diff --git a/controls/azure-foundations-cis-3.1.1.1.rb b/controls/azure-foundations-cis-3.1.1.1.rb
@@ -103,8 +103,8 @@
 
 	describe "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs'" do
 		subject { pwsh_output.stdout.strip }
-		it "is set to 'On'" do
-			expect(subject).to eq('On')
+               it "is set to 'On'" do
+                    expect(subject).to eq('On')
 		end
 	end
 end
diff --git a/controls/azure-foundations-cis-3.2.1.rb b/controls/azure-foundations-cis-3.2.1.rb
@@ -1,4 +1,4 @@
-control 'azure-foundations-cis-2.2.1' do
+control 'azure-foundations-cis-3.2.1' do
     title "Ensure That Microsoft Defender for IoT Hub Is Set To 'On'"
     desc "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization."
 

diff --git a/inputs_template.yml b/inputs_template.yml
@@ -0,0 +1,15 @@
+#Required Inputs
+subscription_id: "00000000-0000-0000-0000-000000000000"
+resource_groups_and_storage_accounts: 
+  - "group1.account1"
+relevant_public_ip_addresses: #control 7.7
+  - "1"
+  - "2"
+resource_group_and_disk_name:
+  - "group1.disk1"
+unauthorized_extension_names: #control 8.7
+  - "test"
+unauthorized_extension_types: #control 8.7
+  - "google"
+unauthorized_provision_states: #control 8.7
+  - "test"