Skip to content

v0.2.0

Compare
Choose a tag to compare
@ethanb-cisa ethanb-cisa released this 16 Dec 17:48
· 398 commits to main since this release
8a1bf47

Major Changes

  • Use cmdlet Invoke-SCuBA to start an assessment. Removed RunSCuBA.ps1. See README for more.
  • Added GCC-H/DOD endpoints. Use the -M365Environment parameter.
  • Exchange, Defender for Office 365, and Teams can now be run with the Global Reader role instead of administrator permissions.
  • Removed Graph API Scope Policy.ReadWRITE.AuthenticationMethod.
  • Added Disconnect-SCuBATenant cmdlet and Invoke-SCuBA -DisconnectOnExit option to help manage connections to multiple tenants. Using either method will make your next run connect to a new tenant.

Documentation

  • Significant changes to the README for clarity and new usage examples and a cool diagram.
  • Updated links in the HTML report to reference CISA's SCuBA website and the baseline documents.
  • Added the tenant name and tenantId to the HTML report to help determine which tenant was assessed.
  • AAD report now includes a warning that exclusions to Conditional Access Policies are not evaluated and that may impact your compliance with certain controls.
  • Added a sample-report folder to the repository that will be updated with the latest report template each release. Thanks to public suggestion. #2

Code

  • Refactored the Power Platform exclusive -Endpoint parameter to the -M365Environment parameter to support connecting to different endpoints for any product.
  • Required dependencies are now checked on module import.
  • Added * parameter to the ProductNames parameter in Invoke-SCuBA to run all products
  • Setup.ps1 now only installs modules if they are not already installed based on a minimum version.
  • Improved error handling in some providers. Others will be updated in the next release.
  • Improved code documentation to enable Get-Help functionality.
  • Tool now increases PowerShell's $MaximumFunctionCount to support all the cmdlets exported by MS Graph.
  • Fixed bug with Teams provider and JSON parsing. See: #12

Rego/Policies

  • Fixed Rego check for OneDrive policy 2.4, which resulted in incorrect results.
  • Fixed Rego check for Defender 2.7 and 2.8, which resulted in incorrect results.
  • Added support for Exchange policy 2.6 bullet 8, which was not previously implemented.
  • Removed automation support for part of SharePoint policy 2.5 (Prevent users from running custom script on personal sites), due to a bug with comparison logic. Hope to have it added back in the next release.

Baselines

  • No changes. We do not anticipate making edits to the baseline documents until Q2 2023.