
CIS.M365.2.1.2 Check default rule instead of rule named 'default'

Open cstaubli opened this issue 7 months ago • 2 comments

Hi @merill @NZLostboy

This is a similar bug to #859

Check CIS.M365.2.1.2 checks for a policy name 'default' instead of the active, default one (file Test-MtCisAttachmentFilter.ps1):

# We grab the default policy as that is what CIS checks
$policy = $policies | Where-Object { $_.Name -eq 'Default' }

This only checks default Microsoft policy, which at least in my tenants have 'EnableFileFilter' disabled. Wouldn't it make more sense to check the actual default policy like:

# We grab the default policy as that is what CIS checks
$policy = $policies | Where-Object { $_.IsDefault -eq $true }

Environment

Maester-Version: 1.1.2 PS-Version: 7.5.1

Kind regards Christian

cstaubli avatar May 20 '25 07:05 cstaubli

Good catch on these, and I think you are correct. I will build a PR for it shortly.

NZLostboy avatar May 20 '25 08:05 NZLostboy

Thanks Ben!

cstaubli avatar May 20 '25 09:05 cstaubli

This issue is slightly different to https://github.com/maester365/maester/issues/859

The default policy in this case can be changed. CIS focuses on the default policy but recommends that you check the higher priority policy if one exists, however Get-MalwareFilterPolicy does not provide the priority of the policies which isn't very useful.

In this case changing it from checking the name, to checking { $_.IsDefault -eq $true } doesn't actually change anything (unless I am missing something).

I will see if there is some other way we can get the policies, otherwise we will either have to check them all, or continue to just check the default one (in which I would change it to what you have above as it's cleaner).

NZLostboy avatar Jun 03 '25 08:06 NZLostboy

We could just have it check every Malware policy, that is simple enough. It looks like currently the options are to check every policy, or only the default policy as there is no priority value returned. I feel like every policy would be the best coverage, but maybe there is a situation where you wouldn't want that? Thoughts @merill @cstaubli ?

NZLostboy avatar Jun 03 '25 09:06 NZLostboy
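The three selection strategies discussed in this thread (match on the name 'Default', match on the IsDefault flag, or inspect every policy) side by side, as an added illustration that is not Maester's own code. The $policies array is constructed sample data shaped like the objects Get-MalwareFilterPolicy returns; Name, IsDefault and EnableFileFilter are real properties of that object, but the policy names and values here are made up, and the scenario where a policy other than the one named 'Default' carries the IsDefault flag is an assumption for the demo.

```powershell
# Added example, not part of Maester or the CIS.M365.2.1.2 test itself.
# Constructed sample shaped like Get-MalwareFilterPolicy output; the names and
# values are invented. In this scenario the policy named 'Default' is not the
# tenant's default policy, and only one policy has the file filter enabled.
$policies = @(
    [pscustomobject]@{ Name = 'Default';        IsDefault = $false; EnableFileFilter = $false }
    [pscustomobject]@{ Name = 'Corp-Baseline';  IsDefault = $true;  EnableFileFilter = $true  }
    [pscustomobject]@{ Name = 'Finance-Strict'; IsDefault = $false; EnableFileFilter = $false }
)

function Get-PolicyByName {
    # Original behaviour of the check: match on the literal name 'Default'.
    param([object[]]$Policies)
    $Policies | Where-Object { $_.Name -eq 'Default' }
}

function Get-DefaultPolicy {
    # Suggested behaviour: match on the IsDefault flag, so the check follows
    # whichever policy the tenant has actually marked as default.
    param([object[]]$Policies)
    $Policies | Where-Object { $_.IsDefault -eq $true }
}

function Test-FileFilterOnAllPolicies {
    # Broader variant raised later in the thread: because no priority value is
    # returned, inspect every policy and report the ones without the filter.
    param([object[]]$Policies)
    $failing = @($Policies | Where-Object { -not $_.EnableFileFilter })
    [pscustomobject]@{
        Passed  = ($failing.Count -eq 0)
        Failing = @($failing | Select-Object -ExpandProperty Name)
    }
}

# In the constructed scenario the name-based lookup lands on a policy with the
# filter disabled, while the flag-based lookup finds the real default policy.
$byName = Get-PolicyByName  -Policies $policies
$byFlag = Get-DefaultPolicy -Policies $policies
'Name-based lookup -> {0} (EnableFileFilter={1})' -f $byName.Name, $byName.EnableFileFilter
'Flag-based lookup -> {0} (EnableFileFilter={1})' -f $byFlag.Name, $byFlag.EnableFileFilter

# The all-policies variant fails and names the policies that lack the filter.
$all = Test-FileFilterOnAllPolicies -Policies $policies
'All policies -> Passed={0}; without file filter: {1}' -f $all.Passed, ($all.Failing -join ', ')
```

Against a live tenant, replace the constructed array with the output of Get-MalwareFilterPolicy from the Exchange Online module; the two Where-Object filters are identical to the ones quoted in the issue, and the all-policies function shows what the wider coverage discussed above would report.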

@soulemike thoughts?

merill avatar Jun 03 '25 12:06 merill

Since CIS calls out default specifically, I think this test is still valid. I think there is merit to actually checking which policies have a filter set though and what the real mail flow impact would be. That may be more an MT test and the MD for this test could reference that as a more comprehensive implementation of the test.

soulemike avatar Jun 03 '25 17:06 soulemike

Thanks everyone. @soulemike I think that makes sense, trying to stay true to CIS as close as possible.

I’ll update the way the check matches the default as the way suggested is clearer I think.

NZLostboy avatar Jun 03 '25 19:06 NZLostboy

Updated in PR https://github.com/maester365/maester/pull/972

NZLostboy avatar Jun 09 '25 09:06 NZLostboy