Merge pull request #1 from mitre/sujay-dev

M365 Profile Control Files - at v3.1 of the CIS Benchmark

.devcontainer/devcontainer.json

@@ -0,0 +1,5 @@
+{
+  "features": {
+  },
+   "image": "ubuntu:22.04" 
+}

.github/workflows/test_profile.yml

@@ -0,0 +1,97 @@
+name: Test the CIS M365 Profile
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  validate:
+    name: Validate my profile
+    runs-on: ubuntu-latest
+    env:
+      CHEF_LICENSE: accept-silent
+      CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
+      PLATFORM: "m365"
+      LC_ALL: "en_US.UTF-8"
+    steps:
+      - name: Add needed packages
+        run: |
+          sudo apt-get update
+          sudo apt-get -y install jq
+
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+      - name: Confirm git commit SHA output
+        run: echo ${{ env.COMMIT_SHORT_SHA }}
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.1"
+
+      - name: Disable ri and rdoc
+        run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
+
+      - name: Run Bundle Install
+        run: bundle install
+
+      - name: Check Inspec version
+        run: bundle exec inspec version
+
+      - name: Vendor the Profile
+        run: bundle exec inspec vendor . --overwrite
+
+      - name: Collect certificate file
+        env:
+          AUTH: ${{ secrets.SAF_M365_CERTIFICATE }}
+        run: |
+          echo "$AUTH" | base64 --decode > cert.pfx 
+          chmod 0400 cert.pfx
+
+      - name: Run Inspec test
+        continue-on-error: true
+        run: |
+          bundle exec inspec exec . \
+          --input client_id=${{secrets.SAF_M365_CLIENT_ID}} tenant_id=${{secrets.SAF_M365_TENANT_ID}} client_secret=${{secrets.SAF_M365_CLIENT_SECRET}} certificate_path=cert.pfx certificate_password=${{secrets.SAF_M365_CERTIFICATE_PASSWORD}} organization=${{secrets.SAF_M365_ORGANIZATION}} \
+          --input-file=inputs.yml \
+          --enhanced-outcomes \
+          --reporter json:${{ env.PLATFORM }}-results.json
+
+      - name: View results summary
+        continue-on-error: true
+        uses: mitre/[email protected]
+        with:
+          command_string: "view summary -j -i ${{ env.PLATFORM }}-results.json -o ${{ env.PLATFORM }}-summary.json"
+
+      - name: Upload to Heimdall
+        continue-on-error: true
+        run: |
+          curl -# -s -F data=@${{ env.PLATFORM }}-results.json -F "filename=${{ env.PLATFORM }}_${{ env.COMMIT_SHORT_SHA }}.json" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
+
+      - name: Generate Markdown Summary
+        continue-on-error: true
+        id: generate-summary
+        run: |
+          python markdown-summary.py ${{ env.PLATFORM }}-summary.json > ${{ env.PLATFORM }}-markdown-summary.md
+          cat ${{ env.PLATFORM }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY
+
+      - name: Ensure the scan meets our results threshold
+        uses: mitre/[email protected]
+        with:
+          command_string: "validate threshold -i ${{ env.PLATFORM }}-results.json -F threshold.yml"
+
+      - name: Save Files from the Workflow
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.COMMIT_SHORT_SHA }}-artifacts
+          path: |
+              ./*.json

.gitignore

@@ -0,0 +1,76 @@
+.DS_Store
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+spec/results/**
+.kitchen
+.kitchen.local.yml
+Gemfile.lock
+inspec.lock
+.kitchen
+vendor/**
+saf-cli.log
+*results.json
+
+# Used by dotenv library to load environment variables.
+# .env
+
+# Ignore Byebug command history file.
+.byebug_history
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# Used by RuboCop. Remote config files pulled in from inherit_from directive.
+# .rubocop-https?--*
+
+# VS CODE / VSCODIUM
+.vscode
+
+# delta files
+delta.json
+report.md
+*xccdf.xml
+check-results.txt
+kitchen.local.ec2.yml

.rubocop.yml

@@ -0,0 +1,58 @@
+AllCops:
+  Exclude:
+  - "libraries/**/*"
+
+Layout/LineLength:
+  Max: 1500
+  AllowURI: true
+  IgnoreCopDirectives: true
+
+Naming/FileName:
+  Enabled: false
+
+Metrics/BlockLength:
+  Max: 1000
+
+Lint/ConstantDefinitionInBlock:
+  Enabled: false
+
+# Required for Profiles as it can introduce profile errors
+Style/NumericPredicate:
+  Enabled: false
+
+Style/WordArray:
+  Description: "Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)"
+  Enabled: false
+
+Style/RedundantPercentQ:
+  Enabled: true
+
+Style/NestedParenthesizedCalls:
+  Enabled: false
+
+Style/TrailingCommaInHashLiteral:
+  Description: "https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral"
+  Enabled: true
+  EnforcedStyleForMultiline: no_comma
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: true
+  EnforcedStyleForMultiline: no_comma
+
+Style/BlockDelimiters:
+  Enabled: false
+
+Lint/AmbiguousBlockAssociation:
+  Enabled: false
+
+Metrics/BlockNesting:
+  Enabled: false
+
+Lint/ShadowingOuterLocalVariable:
+  Enabled: false
+
+Style/FormatStringToken:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false

CODE_OF_CONDUCT.md

@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[email protected].
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

Gemfile

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gem 'cookstyle'
+gem 'highline'
+gem 'inspec', '>= 6.8.1'
+gem 'inspec-bin'
+gem 'inspec-core'
+gem 'json'
+gem 'kitchen-ansible'
+gem 'kitchen-inspec'
+gem 'kitchen-sync'
+gem 'pry-byebug'
+gem 'rake'
+gem 'rubocop'
+gem 'rubocop-rake'
+gem 'test-kitchen'