SHELL/6.1.2.ps1
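<#
.SYNOPSIS
    Check 6.1.2 - Ensure mailbox audit actions are configured.

.DESCRIPTION
    For every UserMailbox returned by Get-EXOMailbox this check verifies that
      * AuditEnabled is $true,
      * AuditAdmin / AuditDelegate / AuditOwner each contain every action in
        the required lists defined below, and
      * AuditLogAgeLimit is at least $RequiredAuditLogAgeDays (180) days.

    Output is a single [pscustomobject] with Status PASS / FAIL / ERROR plus
    per-mailbox evidence (which required actions are missing, the parsed
    retention in days). The check never throws: any exception - including a
    missing Exchange Online connection - is returned as Status "ERROR" with
    the exception message in Error, so callers can tell "could not evaluate"
    apart from a genuine FAIL.

.NOTES
    NOTE(review): this is a per-mailbox view only. It does not read the
    organization-level auditing switch (Get-OrganizationConfig AuditDisabled);
    if auditing is turned off at the organization level the per-mailbox
    values are not authoritative - confirm that separately.

    If Get-EXOMailbox returns no UserMailbox objects the check passes
    vacuously; Evidence.MailboxCount = 0 makes that visible to the consumer.
#>

$CheckId = "6.1.2"
$Title   = "Ensure mailbox audit actions are configured"

# Minimum AuditLogAgeLimit (in days) a mailbox must retain audit records for.
$RequiredAuditLogAgeDays = 180

try {
    # Required audit actions per logon type (admin / delegate / owner).
    $AdminActions = @(
        "ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "MailItemsAccessed",
        "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "Send", "SoftDelete",
        "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules"
    )
    $DelegateActions = @(
        "ApplyRecord", "Create", "FolderBind", "HardDelete", "Move", "MailItemsAccessed",
        "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update",
        "UpdateFolderPermissions", "UpdateInboxRules"
    )
    $OwnerActions = @(
        "ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move", "MailItemsAccessed",
        "MoveToDeletedItems", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation",
        "UpdateFolderPermissions", "UpdateInboxRules"
    )

    function Get-MissingActions {
        <#
        .SYNOPSIS
            Returns the expected audit actions that are absent from the actual list.
        .PARAMETER ExpectedActions
            Actions the benchmark requires for this logon type.
        .PARAMETER ActualActions
            Actions currently configured on the mailbox (may be empty or $null).
        .OUTPUTS
            [object[]] - always an array, empty when nothing is missing.
        #>
        param(
            [string[]]$ExpectedActions,
            [string[]]$ActualActions
        )
        # -notin is case-insensitive by default, so casing differences in the
        # action names reported by Exchange do not produce false "missing" hits.
        return @($ExpectedActions | Where-Object { $_ -notin $ActualActions })
    }

    function ConvertTo-AuditLogAgeDays {
        <#
        .SYNOPSIS
            Converts a mailbox AuditLogAgeLimit value to whole/fractional days.
        .PARAMETER AuditLogAgeLimit
            The raw AuditLogAgeLimit property value.
        .OUTPUTS
            [double] rounded to 2 decimals, or $null when the value is missing
            or cannot be interpreted as a time span (the caller treats $null as
            non-compliant).
        #>
        param($AuditLogAgeLimit)

        if ($null -eq $AuditLogAgeLimit) { return $null }

        if ($AuditLogAgeLimit -is [TimeSpan]) {
            return [math]::Round($AuditLogAgeLimit.TotalDays, 2)
        }

        # The value is not guaranteed to arrive as a System.TimeSpan: through
        # the REST-backed Get-EXOMailbox it can be a deserialized string such as
        # "90.00:00:00", or an Exchange-specific span type whose string form has
        # that shape. Testing only `-is [TimeSpan]` would then report every
        # mailbox as retention-non-compliant regardless of its real setting,
        # so fall back to parsing the string form. Unparseable values stay
        # $null and are therefore still reported as non-compliant.
        $parsed = [TimeSpan]::Zero
        if ([TimeSpan]::TryParse([string]$AuditLogAgeLimit, [ref]$parsed)) {
            return [math]::Round($parsed.TotalDays, 2)
        }
        return $null
    }

    # Audit + Minimum property sets carry AuditEnabled/AuditLogAgeLimit/Audit*
    # and RecipientTypeDetails/UserPrincipalName respectively.
    $Mailboxes = @(
        Get-EXOMailbox -PropertySets Audit, Minimum -ResultSize Unlimited |
            Where-Object { $_.RecipientTypeDetails -eq "UserMailbox" }
    )

    # Collect results through the pipeline rather than `+=` so the loop stays
    # linear on large tenants (array `+=` copies the whole array every time).
    $MailboxResults = @(foreach ($Mailbox in $Mailboxes) {
        $AdminMissing    = Get-MissingActions -ExpectedActions $AdminActions    -ActualActions @($Mailbox.AuditAdmin)
        $DelegateMissing = Get-MissingActions -ExpectedActions $DelegateActions -ActualActions @($Mailbox.AuditDelegate)
        $OwnerMissing    = Get-MissingActions -ExpectedActions $OwnerActions    -ActualActions @($Mailbox.AuditOwner)

        $AuditLogAgeDays   = ConvertTo-AuditLogAgeDays -AuditLogAgeLimit $Mailbox.AuditLogAgeLimit
        # -and short-circuits, so the -ge comparison never sees $null.
        $AuditAgeCompliant = ($null -ne $AuditLogAgeDays) -and ($AuditLogAgeDays -ge $RequiredAuditLogAgeDays)

        # Compare against $true explicitly rather than casting: in PowerShell
        # [bool]"False" is $true, so a string-typed AuditEnabled would
        # otherwise be misreported. The same expression is used for the
        # evidence field below so the two can never disagree.
        $AuditEnabled = ($Mailbox.AuditEnabled -eq $true)

        $IsCompliant = $AuditEnabled -and
                       ($AdminMissing.Count -eq 0) -and
                       ($DelegateMissing.Count -eq 0) -and
                       ($OwnerMissing.Count -eq 0) -and
                       $AuditAgeCompliant

        [pscustomobject]@{
            Mailbox         = $Mailbox.UserPrincipalName
            AuditEnabled    = $AuditEnabled
            AuditLogAgeDays = $AuditLogAgeDays
            AdminMissing    = @($AdminMissing)
            DelegateMissing = @($DelegateMissing)
            OwnerMissing    = @($OwnerMissing)
            Compliant       = $IsCompliant
        }
    })

    $NonCompliant = @($MailboxResults | Where-Object { -not $_.Compliant })
    $Pass = ($NonCompliant.Count -eq 0)

    [pscustomobject]@{
        CheckId   = $CheckId
        Title     = $Title
        Status    = if ($Pass) { "PASS" } else { "FAIL" }
        Pass      = $Pass
        Evidence  = [pscustomobject]@{
            MailboxCount            = $Mailboxes.Count
            NonCompliantCount       = $NonCompliant.Count
            RequiredAuditLogAgeDays = $RequiredAuditLogAgeDays
            RequiredAdminActions    = $AdminActions
            RequiredDelegateActions = $DelegateActions
            RequiredOwnerActions    = $OwnerActions
            NonCompliantMailboxes   = $NonCompliant
        }
        Error     = $null
        Timestamp = Get-Date
    }
}
catch {
    # Never let the check itself throw: report the failure as an ERROR result
    # so a missing connection or cmdlet is not mistaken for a FAIL (or a PASS).
    [pscustomobject]@{
        CheckId   = $CheckId
        Title     = $Title
        Status    = "ERROR"
        Pass      = $null
        Evidence  = $null
        Error     = $_.Exception.Message
        Timestamp = Get-Date
    }
}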