Releases: cisagov/ScubaGear
v1.7.1
What's Changed
There was an issue with UNC path validation that caused a downstream impact to ScubaConnect. This change updates the configuration validation logic to correctly support UNC file paths for the OutPath property when specified in a ScubaGear configuration file.
- Fix UNC path validation for OutPath in configuration file by @DickTracyII in #1992
Full Changelog: v1.7.0...v1.7.1
v1.7.0
Major Changes
- Add a GUI to ScubaGear for creating configuration files by @DickTracyII in #1812
- Add authentication strength capability for MS.AAD.3.2v1 by @dagarwal-ecs in #1766
- Update policy migration state for MS.AAD.3.4v1 by @MichaelHicks-MSFT in #1778
- Risky delegated/application permissions update by @amart241 in #1757
- Add DNS configuration options by @adhilto in #1758
- Update MS.AAD.6.1v1 to consider non-root domains by @mitchelbaker-cisa in #1755
- Sort conditional access policies by state by @MichaelHicks-MSFT in #1787
- Modify the ScubaResults JSON schema to better define policy omission/annotation fields by @mitchelbaker-cisa in #1795
- Updated AAD provider for robust license handling by @dagarwal-ecs in #1791
- Add risky apps/service principals to the AAD HTML report by @mitchelbaker-cisa in #1780
- Update Invoke-CheckScubaGearVersion function by @MichaelHicks-MSFT in #1833
- Clean up the parameter battlefield location in Invoke-SCuBA by @skirkpatrickMSFT in #1832
- Add service principal module to ScubaGear by @MichaelHicks-MSFT in #1880
- Implement ScubaConfig validation with JSON schema and defaults by @DickTracyII in #1904
- Enhance module dependency checks and improve Initialize-SCuBA by @MichaelHicks-MSFT in #1948
- See full list of enhancements here
Bugs Fixed
- Fix bug when tenant has no conditional access policies by @adhilto in #1762
- Correct false negative for MS.TEAMS.1.7v2 by @dagarwal-ecs in #1775
- Updated manual download OPA pointer when OPA installation fails during initialization. by @ahuynhECS in #1771
- Update write permissions for the PS version bump workflow by @skirkpatrickMSFT in #1740
- Update Orchestrator.psm1 validation to terminate ScubaGear execution if config file is incorrect by @skirkpatrickMSFT in #1781
- Fix configuration documentation broken links by @DickTracyII in #1820
- Fix anchor tags issue by @dagarwal-ecs in #1806
- Fix version comparison to use System.Version rather than Strings by @buidav in #1861
- Refactor dependency status recommendations and improve version mismatch by @MichaelHicks-MSFT in #1857
- Update ResolutionDate from N/A to null by @dagarwal-ecs in #1891
- Fix policies missing from the config UI control JSON by @DickTracyII in #1872
- Fix encoding issue for Invoke-SCuBACached by @DickTracyII in #1906
- Set the default for -LogIn parameter to $false for Invoke-SCuBACached by @DickTracyII in #1905
- Detect single module versions outside min/max range by @MichaelHicks-MSFT in #1975
- See full list of bug fixes here
Baselines
BOD 25-01 required configuration policy changes
This section lists baseline policy changes that affect current BOD 25-01 Required Configurations.
Additions
No new required configuration policies added in this release.
Removals
- MS.TEAMS.3.1v1 (SHALL) - The option to restrict contact with Skype users found in policy MS.TEAMS.3.1v1 has been deprecated by Microsoft. All references, including the policy and its implementation steps, have been removed since the setting is no longer present.
Updates
- MS.TEAMS.1.2v2 (SHALL) - policy version bumped to v2 due to changes in where the configuration settings are located.
- MS.TEAMS.2.1v2 (SHALL) - policy version bumped to v2 due to changes in where the configuration settings are located.
- MS.TEAMS.2.2v2 (SHALL) - policy version bumped to v2 due to changes in where the configuration settings are located.
Other baseline changes
- Update AAD baseline to reflect new Microsoft Entra ID portal changes by @Michael-Dahlke in #1744
- Microsoft Defender baseline UI updates by @Jeremye22 in #1764
- Update Teams baseline information with UI changes by @skirkpatrickMSFT in #1777
- See full list of baseline updates here
Documentation
- Add full config file to include all possible parameters by @DickTracyII in #1779
- Update documentation to include list of required min/max powershell module versions in Dependencies.md by @skirkpatrickMSFT in #1793
- Create update Instructions by @MichaelHicks-MSFT in #1804
- Enhance ScubaGear documentation and sample configurations by @DickTracyII in #1786
- Update parameters.md -DisconnectOnExit description by @jorenminer-nexus in #1850
- Add documentation for Invoke-SCuBACached by @DickTracyII in #1881
- Update service principal module documentation by @MichaelHicks-MSFT in #1953
- See full list of documentation updates here
Dependencies
- Bump AST version from 5.0.0 to 6.0.1 by @mitchelbaker-cisa in #1843
- Bump latest supported OPA version to v1.13.1 by GitHub Actions in #1957
- Bump maximum supported version for the MicrosoftTeams module to v7.5.0 by GitHub Actions in #1897
- Pin maximum supported version for the Microsoft.Graph.Authentication module to v2.25.0 by GitHub Actions in #1844
Full Changelog: v1.6.0...v1.7.0
v1.6.0
Major Changes
- Update MS.EXO.1.1 to support automatic forwarding for domains on allow list #1615 (see baselines section for more details)
- Add support for dynamic Graph permissions generation for ScubaGear connections #1597
- Include results for omitted policies in Scuba results JSON #1604
- Add "ScubaGear may not function properly" message to ScubaGear dependency warning #1641
- Add OPA support from v1.1.0 through v1.3.0 #1550 #1659 #1669
- Decreased the total number of Microsoft Graph dependencies and improved performance of Entra ID by switching to direct Graph API calls #1660 #1713
- Added reporting for application and delegated permissions assigned to application/service principal objects #1682
- Rehaul DNS error handling and add DNS log tables to the Exchange Online HTML report #1685
- Added the capability to annotate results for individual policies. Annotated policies will be shown in the HTML report with the annotation appended to the details column #1738
- See full list of enhancements here
Bugs Fixed
- Change Teams policy group 5 report details from indicating meeting policies to app permission policies #1601
- Ignore coexistence domain for the DMARC controls #1563
- Add fix for invalid JSON primitive issues related to risky service principals #1682
- Add fix for the PowerPlatform DLP policy bug and remove Get-TenantDetailsFromGraph commandlet due to Azure AD Graph API deprecation #1723
- See full list of bug fixes here
Baselines
BOD 25-01 required configuration policy changes
This section lists baseline policy changes that affect current BOD 25-01 Required Configurations.
Additions
No new required configuration policies added in this release.
Removals
- MS.AAD.5.4v1 - Removed as Microsoft deprecated feature that allows group owners to consent to applications #1623
- MS.DEFENDER.6.2v1 / MS.EXO.17.2v1 - Removed due to Microsoft service updates for auditing that allow remaining Defender and Exchange Online auditing policy group baseline items to adequately cover the auditing requirements that previously required Purview Audit (Premium) #1625
Updates
- MS.AAD.3.3v2 - Updated version only checks for login context information if Microsoft Authenticator is enabled; phishing-resistant MFA not being enforced is no longer a condition for making the policy applicable/not applicable #1588
- MS.DEFENDER.6.1v1 / MS.EXO.17.1v1 - Updated audit logging language to better reflect ScubaGear check #1611
- MS.EXO.1.1v2 - Updated version allows automatic forwarding for specific, agency-approved domains #1615
Other baseline changes
- Add new SHOULD policy MS.AAD.3.9v1 to block device code authentication #1627
- Add note to MS.POWERPLATFORM.4.1v1 to highlight dataverse dependency #1608
- Update MS.TEAMS.1.6v1 and MS.TEAMS.1.7v2 to clarify restrictions on event and meeting recording #1626
- Update SharePoint policy notes to provide clarity on N/A cases #1616
- Remove MS.SHAREPOINT.1.4v1 from baseline due to setting deprecation #1593
- See full list of baseline updates here
Documentation
- Update ScubaGear logo URL #1576
- Update sample reports for v1.6.0 #1673
- See full list of documentation changes here
Full Changelog: v1.5.0...v1.6.0
v1.5.0
Major Changes
- Add high risk application/service principal permissions into results JSON #1462
ScubaGear now identifies Azure AD (aka Entra ID) registered applications and third-party service principals that have high-risk permissions in a tenant. With this information you can conduct a review to flag suspicious and over-privileged applications and significantly reduce your attack surface from these commonly hard-to-manage assets. In the current release this information can be found in the ScubaResults JSON file. An upcoming release will add the data to the Azure AD HTML report. For now, the risky_applications and risky_third_party_service_principals keys in the ScubaResults JSON file contain the details for review.
- Add privileged service principals table to Azure AD baseline report #1467
- Add report UUID to the ScubaResults JSON filename #1426
- Add -Scope option to Initialize-SCuBA to support module install as AllUsers #1388
- Add stacktraces to error output from ScubaGear #1468
- Remove HTML elements from ScubaResults.json #1384
- Revise Azure AD report header with new exclusion info and documentation name #1529
- Add version update notification on ScubaGear module import #1424
- Bump OPA version from v0.69.0 to v0.70.0 #1395
- Bump OPA version from v0.70.0 to v1.0.1 #1526
- Updated Microsoft.PowerApps.Administration.PowerShell min/max versions #1530
- See full list of enhancements here
Note
Microsoft has updated the permissions required to get configuration information from SharePoint Online. As a result, when running ScubaGear with interactive authentication, users only need to assign the Global Reader role. The user no longer requires the SharePoint Administrator role. This change enhances security by reducing the risk of unnecessary access and potential security vulnerabilities by limiting the permissions to only what is essential for ScubaGear to retrieve and assess SharePoint configuration details. ScubaGear never makes changes to the tenant, regardless of the permissions of the user running it.
Bugs Fixed
- Fix crash when running OPA from UNC path #1387
- Improve performance of Defender query to count users without advanced auditing #1406
- Fix consistency of Entra checks for application & role exclusions #1537
- Fix Version Update check non-existent file reference #1481
- Fix Entra checks to test MS.AAD.3.3v1 policy for authenticator disabled #1549
- Config file error message for duplicate keys fixed and improved #1547
- See full list of bug fixes here
Baselines
- Update Front Matter across SCBs and specific language in the Defender SCB #1398
- Adding Conditional Access Policy Implementation Instructions to MS.AAD.1.1 #1312
- Update incorrect hyperlinks in SCB markdown #1413
- Remove extraneous SHALL from MS.DEFENDER.4.1 #1408
- Remove MS.SHAREPOINT.4.2v1 due to Microsoft update to custom scripting settings #1447
- Update AAD.3.1v1 to include device-bound passkeys language and resource to MS.AAD.3.1 #1431
- Update MS.AAD.5.4v1 checks for teams group consent for deprecated setting #1460
- See full list of baseline updates here
Documentation
- Update HTML report template title (Security Baseline Conformation -> Secure Configuration Baseline) #1362
- Fix parameter default documentation typos #1374
- Correct omission in documentation about importing module when downloading from GitHub #1412
- Clarify License Requirements in assumptions.md #1439
- Add service principal setup to functional testing documentation #1423
- Document ability to add organizational metadata and complying with SCuBA policy checks via configuration file #1443
- Update SCB acronym to read as "Secure Configuration Baseline" #1440
- Update ScubaGear authentication documentation for additional GCC High, Defender, and SharePoint details #1557
- Update README with new ScubaGear graphic #1497
- Add Defender configuration options documentation #1515
- Remove outdated parameters from sample config files #1528
- See full list of documentation changes here
Full Changelog: v1.4.0...v1.5.0
v1.4.0
Major Changes
- Support policy check toggling via config file #1200
See configuration file documentation about omitting policies for further details.
- Make ScubaResults.json the default result output #1316
See documentation for the -KeepIndividualJSON parameter to revert to previous version behavior.
- Improve AAD assessment check performance #1196
- Modify MS.AAD.6.1v1 to account for federated domains #1185
- Remove deprecated MS.SHAREPOINT.4.1v1 policy, references, and assessment checks #1244
- Change MS.SHAREPOINT.1.4v1 check to not-implemented due to deprecated field #1270
- Add policy check for MS.SHAREPOINT.3.2v1 when using service principal and update MS.SHAREPOINT.4.2v1 check for deprecation #1309
- Add assessment check for MS.DEFENDER.6.2v1 #1241
- Add policy check for MS.AAD.3.7v1 to support exclusions #1190
- Realign MS.EXO.2.1v1 and MS.EXO.2.2v2 SPF assessment checks with updated policies #1130
- Add a backup path to look for the OPA executable in the current directory #1092
- Enhance CSV output to be consistent with data in HTML reports #1281
- Bump acceptable OPA version to v0.69.0 and set new accepted minimum to v0.69.0 #1348
- Add -OutActionPlanFileName for action plan remediation CSV output #1351
- Add report UUID to the ScubaResults.json filename #1426
- See full list of enhancements here
Bugs Fixed
- Correct bug with Connect-IPPSSession error handling #1199
- Extend Microsoft.Graph.* dependency max version from 2.19.x -> 2.x.x #1122
- Fix AAD 401 authentication errors against GCC high tenants #1266
- Fix encoding issue by removing BOM from provider output files #1302
- Fix AAD provider to handle nested PIM groups and refactor Get-PrivilegedUser #1310
- Pin PowerApps module dependency to last tested working version #1346
- Fix broken import path in Initialize-SCuBA #1363
- See full list of bug fixes here
Baselines
- Add MITRE ATT&CK Mappings to all M365 secure configuration baselines #1106
- Change Azure Active Directory namings in baselines to use Entra ID equivalent #1176
- Remove MS.SHAREPOINT.4.1v1 policy and references #1244
- Fix circular reference between MS.EXO.16.1v1 and MS.DEFENDER.5.1v1 implementation instructions #1198
- Revise MS.EXO.2.1v1 and MS.EXO.2.2v2 SPF requirements #1130
- Decouple the remaining EXO Shall/Should policies #1095
- Added notes about applicability to MS.TEAMS.2.2v1 and MS.TEAMS.3.1v1 #1219
- Updated MS.AAD.5.2v1 instructions to match updated UI buttonology #1117
- Update front matter and specific language in the Defender SCB to clarify licensing information #1398
- See full list of baseline updates here
Documentation
- Cleaning up and streamlining example config files #1137
- Minor documentation fixes and updates #1157
- Add additional shields.io badges to README #1167
- See full list of documentation changes here
Full Changelog: v1.3.0...v1.4.0
v1.3.0
Major Changes
- Add automated checks for policy MS.AAD.3.3v1 #1014
- Expand CAP exclusion note in Azure AD HTML report #1120
- Add policy group names to ScubaResults.json #1041
- Include reference URL in ScubaResults.json #1119
- Add license information table to Azure AD HTML report #1091
- Enhance Defender license warnings for impersonation protection and DLP checks #929
- Add more accessibility improvements to HTML reports #1105
- Bump latest supported OPA version from v0.63.0 to v0.64.1 #1079
- Bump ScubaGear PowerShell module dependency versions #1100
- See full list of enhancements here
Documentation
- Expand README.md into user guide and add PSGallery install instructions #1114
- See full list of documentation changes here
Bugs Fixed
- Fix SharePoint policy checks to only execute when applicable #1076
- Prevent multiple runs from duplicate product names #782
- Pin ExchangeOnlineManagement module version to <v3.5 #1116
- See full list of bug fixes here
Baselines
- Created markdown file for policies removed from M365 SCBs #1090
- Fixed erroneous criticality tags in SharePoint markdown #1083
Full Changelog: v1.2.0...v1.3.0
v1.2.0
ScubaGear is now available for installation through the PowerShell Gallery public repository here. Users can install ScubaGear via PSGallery using the Install-Module cmdlet provided by PowerShellGet. Once installed in this way, users do not need to use Import-Module to have access to ScubaGear cmdlets and functions. ScubaGear still requires running Initialize-SCuBA after installation to install its other dependencies.
Installation instructions for the ZIP release package below are included in the README.
Major Changes
- Publish ScubaGear module to PowerShell Gallery #959
- Add check for MS.AAD.7.2v1 using least privilege score #852
- Add authentication methods disabled checks for MS.AAD.3.5.v1 #902
- Update Azure AD 7.6-7.9 checks to support PIM for Groups #945
- Move and update support scripts to functions #870
- Add option to generate per product and merged JSON results #970
- Add accessibility features to HTML report #962
- Add tenant licensing details to Azure AD HTML report #1011
- Add New-Config cmdlet to generate a config file template #984
- See full list of enhancements here
Bugs Fixed
- Fix broken baseline links in HTML report #924
- Fix dark mode checkbox from being in incorrect state #991
- Fix MS.AAD.5.2v1 check response processing error #1043
- See full list of bug fixes here
Documentation
- Add RELEASES.md and CONTRIBUTING.md documentation #936
- Update sample reports to latest version output examples #1058
- Add TLP:CLEAR information note to PowerBI baseline #907
- Set consistent depth on README table of contents #933
- See full list of documentation changes here
Baselines
- Add PIM for Groups details to Azure AD 7.6-7.9 implementation instructions #926
- Revise MS.EXO.5.1 to remove incorrect note #939
- Update MS.AAD.5.3v1 and MS.AAD.5.4v1 instructions to match correct buttonology #1028
Full Changelog: v1.1.1...v1.2.0
v1.1.1
This maintenance release resolves errors that can result from issues with the latest versions of the MS Graph and SharePoint SDK PowerShell modules. This release pins the ScubaGear module dependencies to the latest working versions of those modules.
Major Changes
- No major changes
Bugs Fixed
- Add MSGraph and SPO library max versions #908
Documentation
- No changes
Baselines
- No changes.
Full Changelog: v1.1.0...v1.1.1
v1.1.0
Major Changes
- Add support for Azure AD PIM for groups #794
- Add automated check for MS.AAD.6.1v1 user password expiration #795
- Add terms of use property handling to Azure AD CAP table display #848
- Add support for command line parameter override of config file variables #761
- Adds tenant licensing info to JSON output #823
- Update reports to link to versioned baselines #866
- Refactor assessment checks and add support for latest OPA rego engine #642 #659 #660 #661 #662 #663 #664 #745
- See full list of enhancements here
Bugs Fixed
- Fix report module to handle italics and multiline processing in policy description #730
- Fix backslash escape sequence handling #822
- Remove DNS over HTTPS (DOH) NXDOMAIN retry #795
- See full list of bug fixes here
Documentation
- Add configuration file documentation to README #812
Baselines
- Move baseline documents inside ScubaGear module directory #802
- Fix MS.EXO.17 implementation instruction policy ID refs #864
- Add Azure AD PIM for Groups information to instructions #376
Full Changelog: v1.0.0...v1.1.0
v1.0.0
Major Changes
- Significant refresh of baseline assessment check updates to align with baseline changes
- Quicker install and setup process #514
- Improved error handling and user feedback #336
- Add support for non-NA regions when running Power Platform #338
- Update sample report files for v1.0 #683
- Update ExchangeOnlineManagement module minimum version to 3.2 #440
- Update MSGraph module to 2.0 #514
- See full list of 46 enhancements here
Bugs Fixed
- Teams email integration patch #333
- Fix versioned tag in URLs #651
- Fix MS.DEFENDER.4.3v1 where check would pass when action is "Block People Outside of Organization" rather than "Block Everyone" #602
- Remove deprecated Exchange alert policies from check in MS.EXO.16.1 #527
- Fix MS.DEFENDER.4.2v1 check failing despite all locations being included #574
- See full list of 43 bug fixes here
Documentation
- Significant updates to README and add a Table of Contents #639
- Add section on PowerShell Execution Policies to work with signed scripts #208
- See full list of 7 documentation updates here
Baselines
- Add unique individual policy IDs for easier reference in reporting
- Add rationale to each policy item providing indication of related risks
- Major regrouping of policy items in each baseline
- Merge SharePoint and OneDrive into single baseline
- Change Defender baseline to use preset security policies instead of specifying individual settings in custom policy
- See full list of 111 baseline changes here
Full Changelog: 0.3.0...v1.0.0