mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-18 10:01:56 +00:00
feat(teams): add new check teams_meeting_dial_in_lobby_bypass_disabled (#7571)
Co-authored-by: Andoni A <14891798+andoniaf@users.noreply.github.com> Co-authored-by: Sergio Garcia <hello@mistercloudsec.com>
This commit is contained in:
committed by
GitHub
parent
d9782c7b8a
commit
d071dea7f7
@@ -29,6 +29,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Add new check for DKIM enabled for service Defender in M365 [(#7485)](https://github.com/prowler-cloud/prowler/pull/7485)
|
||||
- Add new check `teams_meeting_anonymous_user_start_disabled` [(#7567)](https://github.com/prowler-cloud/prowler/pull/7567)
|
||||
- Add new check `teams_meeting_external_lobby_bypass_disabled` [(#7568)](https://github.com/prowler-cloud/prowler/pull/7568)
|
||||
- Add new check `teams_meeting_dial_in_lobby_bypass_disabled` [(#7571)](https://github.com/prowler-cloud/prowler/pull/7571)
|
||||
|
||||
### Fixed
|
||||
|
||||
|
||||
+30
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"Provider": "m365",
|
||||
"CheckID": "teams_meeting_dial_in_lobby_bypass_disabled",
|
||||
"CheckTitle": "Ensure that dial-in users cannot bypass the lobby in Teams meetings",
|
||||
"CheckType": [],
|
||||
"ServiceName": "teams",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "Teams Global Meeting Policy",
|
||||
"Description": "Ensure that dial-in users cannot bypass the lobby in Teams meetings",
|
||||
"Risk": "Allowing dial-in users to bypass the lobby may result in unauthorized or unauthenticated individuals joining sensitive meetings without prior validation, increasing the risk of information leakage or meeting disruptions.",
|
||||
"RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "Set-CsTeamsMeetingPolicy -Identity Global -AllowPSTNUsersToBypassLobby $false",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting join & lobby set People dialing in can bypass the lobby to Off.",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Require all users dialing in by phone to wait in the lobby until admitted by the meeting organizer, co-organizer, or presenter. This ensures proper vetting before granting access to potentially sensitive discussions.",
|
||||
"Url": "https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsmeetingpolicy?view=teams-ps"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
}
|
||||
+40
@@ -0,0 +1,40 @@
|
||||
from typing import List
|
||||
|
||||
from prowler.lib.check.models import Check, CheckReportM365
|
||||
from prowler.providers.m365.services.teams.teams_client import teams_client
|
||||
|
||||
|
||||
class teams_meeting_dial_in_lobby_bypass_disabled(Check):
|
||||
"""Check if users dialing in can't bypass the lobby.
|
||||
|
||||
Attributes:
|
||||
metadata: Metadata associated with the check (inherited from Check).
|
||||
"""
|
||||
|
||||
def execute(self) -> List[CheckReportM365]:
|
||||
"""Execute the check for users dialing in can't bypass the lobby.
|
||||
|
||||
This method checks if users dialing in can't bypass the lobby.
|
||||
|
||||
Returns:
|
||||
List[CheckReportM365]: A list of reports containing the result of the check.
|
||||
"""
|
||||
findings = []
|
||||
global_meeting_policy = teams_client.global_meeting_policy
|
||||
if global_meeting_policy:
|
||||
report = CheckReportM365(
|
||||
metadata=self.metadata(),
|
||||
resource=global_meeting_policy if global_meeting_policy else {},
|
||||
resource_name="Teams Meetings Global (Org-wide default) Policy",
|
||||
resource_id="teamsMeetingsGlobalPolicy",
|
||||
)
|
||||
report.status = "FAIL"
|
||||
report.status_extended = "Dial-in users can bypass the lobby."
|
||||
|
||||
if not global_meeting_policy.allow_pstn_users_to_bypass_lobby:
|
||||
report.status = "PASS"
|
||||
report.status_extended = "Dial-in users cannot bypass the lobby."
|
||||
|
||||
findings.append(report)
|
||||
|
||||
return findings
|
||||
@@ -55,6 +55,9 @@ class Teams(M365Service):
|
||||
allow_external_users_to_bypass_lobby=global_meeting_policy.get(
|
||||
"AutoAdmittedUsers", "Everyone"
|
||||
),
|
||||
allow_pstn_users_to_bypass_lobby=global_meeting_policy.get(
|
||||
"AllowPSTNUsersToBypassLobby", True
|
||||
),
|
||||
)
|
||||
except Exception as error:
|
||||
logger.error(
|
||||
@@ -99,6 +102,7 @@ class GlobalMeetingPolicy(BaseModel):
|
||||
allow_anonymous_users_to_join_meeting: bool = True
|
||||
allow_anonymous_users_to_start_meeting: bool = True
|
||||
allow_external_users_to_bypass_lobby: str = "Everyone"
|
||||
allow_pstn_users_to_bypass_lobby: bool = True
|
||||
|
||||
|
||||
class UserSettings(BaseModel):
|
||||
|
||||
+112
@@ -0,0 +1,112 @@
|
||||
from unittest import mock
|
||||
|
||||
from tests.providers.m365.m365_fixtures import DOMAIN, set_mocked_m365_provider
|
||||
|
||||
|
||||
class Test_teams_meeting_dial_in_lobby_bypass_disabled:
|
||||
def test_no_global_meeting_policy(self):
|
||||
teams_client = mock.MagicMock()
|
||||
teams_client.global_meeting_policy = None
|
||||
|
||||
with (
|
||||
mock.patch(
|
||||
"prowler.providers.common.provider.Provider.get_global_provider",
|
||||
return_value=set_mocked_m365_provider(),
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_microsoft_teams"
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.m365.services.teams.teams_meeting_dial_in_lobby_bypass_disabled.teams_meeting_dial_in_lobby_bypass_disabled.teams_client",
|
||||
new=teams_client,
|
||||
),
|
||||
):
|
||||
from prowler.providers.m365.services.teams.teams_meeting_dial_in_lobby_bypass_disabled.teams_meeting_dial_in_lobby_bypass_disabled import (
|
||||
teams_meeting_dial_in_lobby_bypass_disabled,
|
||||
)
|
||||
|
||||
check = teams_meeting_dial_in_lobby_bypass_disabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
|
||||
|
||||
def test_dial_in_users_can_bypass_lobby(self):
|
||||
teams_client = mock.MagicMock()
|
||||
teams_client.audited_tenant = "audited_tenant"
|
||||
teams_client.audited_domain = DOMAIN
|
||||
|
||||
with (
|
||||
mock.patch(
|
||||
"prowler.providers.common.provider.Provider.get_global_provider",
|
||||
return_value=set_mocked_m365_provider(),
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_microsoft_teams"
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.m365.services.teams.teams_meeting_dial_in_lobby_bypass_disabled.teams_meeting_dial_in_lobby_bypass_disabled.teams_client",
|
||||
new=teams_client,
|
||||
),
|
||||
):
|
||||
from prowler.providers.m365.services.teams.teams_meeting_dial_in_lobby_bypass_disabled.teams_meeting_dial_in_lobby_bypass_disabled import (
|
||||
teams_meeting_dial_in_lobby_bypass_disabled,
|
||||
)
|
||||
from prowler.providers.m365.services.teams.teams_service import (
|
||||
GlobalMeetingPolicy,
|
||||
)
|
||||
|
||||
teams_client.global_meeting_policy = GlobalMeetingPolicy(
|
||||
allow_pstn_users_to_bypass_lobby=True
|
||||
)
|
||||
|
||||
check = teams_meeting_dial_in_lobby_bypass_disabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "FAIL"
|
||||
assert result[0].status_extended == "Dial-in users can bypass the lobby."
|
||||
assert result[0].resource == teams_client.global_meeting_policy.dict()
|
||||
assert (
|
||||
result[0].resource_name
|
||||
== "Teams Meetings Global (Org-wide default) Policy"
|
||||
)
|
||||
assert result[0].resource_id == "teamsMeetingsGlobalPolicy"
|
||||
|
||||
def test_dial_in_users_cannot_bypass_lobby(self):
|
||||
teams_client = mock.MagicMock()
|
||||
teams_client.audited_tenant = "audited_tenant"
|
||||
teams_client.audited_domain = DOMAIN
|
||||
|
||||
with (
|
||||
mock.patch(
|
||||
"prowler.providers.common.provider.Provider.get_global_provider",
|
||||
return_value=set_mocked_m365_provider(),
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.m365.lib.powershell.m365_powershell.M365PowerShell.connect_microsoft_teams"
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.m365.services.teams.teams_meeting_dial_in_lobby_bypass_disabled.teams_meeting_dial_in_lobby_bypass_disabled.teams_client",
|
||||
new=teams_client,
|
||||
),
|
||||
):
|
||||
from prowler.providers.m365.services.teams.teams_meeting_dial_in_lobby_bypass_disabled.teams_meeting_dial_in_lobby_bypass_disabled import (
|
||||
teams_meeting_dial_in_lobby_bypass_disabled,
|
||||
)
|
||||
from prowler.providers.m365.services.teams.teams_service import (
|
||||
GlobalMeetingPolicy,
|
||||
)
|
||||
|
||||
teams_client.global_meeting_policy = GlobalMeetingPolicy(
|
||||
allow_pstn_users_to_bypass_lobby=False
|
||||
)
|
||||
|
||||
check = teams_meeting_dial_in_lobby_bypass_disabled()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].status == "PASS"
|
||||
assert result[0].status_extended == "Dial-in users cannot bypass the lobby."
|
||||
assert result[0].resource == teams_client.global_meeting_policy.dict()
|
||||
assert (
|
||||
result[0].resource_name
|
||||
== "Teams Meetings Global (Org-wide default) Policy"
|
||||
)
|
||||
assert result[0].resource_id == "teamsMeetingsGlobalPolicy"
|
||||
@@ -29,6 +29,7 @@ def mock_get_global_meeting_policy(_):
|
||||
allow_anonymous_users_to_join_meeting=False,
|
||||
allow_anonymous_users_to_start_meeting=False,
|
||||
allow_external_users_to_bypass_lobby="EveryoneInCompanyExcludingGuests",
|
||||
allow_pstn_users_to_bypass_lobby=False,
|
||||
)
|
||||
|
||||
|
||||
@@ -124,5 +125,6 @@ class Test_Teams_Service:
|
||||
allow_anonymous_users_to_join_meeting=False,
|
||||
allow_anonymous_users_to_start_meeting=False,
|
||||
allow_external_users_to_bypass_lobby="EveryoneInCompanyExcludingGuests",
|
||||
allow_pstn_users_to_bypass_lobby=False,
|
||||
)
|
||||
teams_client.powershell.close()
|
||||
|
||||
Reference in New Issue
Block a user