Modules/Support/Support.psm1
using module '..\ScubaConfig\ScubaConfig.psm1' function Copy-SCuBABaselineDocument { <# .SYNOPSIS Copy security baselines documents to a user specified location. .Description This function makes copies of the security baseline documents included with the installed ScubaGear module. .Parameter Destination Where to copy the baselines. Defaults to <user home>\ScubaGear\baselines .Example Copy-SCuBABaselineDocument .Functionality Public .NOTES SuppressMessage for PSReviewUnusedParameter due to linter bug. Open issue to remove if/when fixed. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '')] param ( [Parameter(Mandatory = $false)] [ValidateScript({Test-Path -Path $_ -IsValid})] [string] $Destination = (Join-Path -Path $env:USERPROFILE -ChildPath "ScubaGear"), [Parameter(Mandatory = $false)] [switch] $Force ) if (-not (Test-Path -Path $Destination -PathType Container)){ New-Item -ItemType Directory -Path $Destination | Out-Null } @("teams", "exo", "defender", "aad", "powerbi", "powerplatform", "sharepoint") | ForEach-Object { $SourceFileName = Join-Path -Path $PSScriptRoot -ChildPath "..\..\baselines\$_.md" $TargetFileName = Join-Path -Path $Destination -ChildPath "$_.md" Copy-Item -Path $SourceFileName -Destination $Destination -Force:$Force -ErrorAction Stop 2> $null Set-ItemProperty -Path $TargetFileName -Name IsReadOnly -Value $true } } function Initialize-SCuBA { <# .SYNOPSIS This script installs the required Powershell modules used by the assessment tool .DESCRIPTION Installs the modules required to support SCuBAGear. If the Force switch is set then any existing module will be re-installed even if already at latest version. If the SkipUpdate switch is set then any existing module will not be updated to th latest version. .EXAMPLE Initialize-SCuBA .NOTES Executing the script with no switches set will install the latest version of a module if not already installed. #> [CmdletBinding()] param( [Parameter(Mandatory = $false, HelpMessage = 'Installs a given module and overrides warning messages about module installation conflicts. If a module with the same name already exists on the computer, Force allows for multiple versions to be installed. If there is an existing module with the same name and version, Force overwrites that version')] [switch] $Force, [Parameter(HelpMessage = 'If specified then modules will not be updated to latest version')] [switch] $SkipUpdate, [Parameter(HelpMessage = 'Do not automatically trust the PSGallery repository for module installation')] [switch] $DoNotAutoTrustRepository, [Parameter(HelpMessage = 'Do not download OPA')] [switch] $NoOPA, [Parameter(Mandatory = $false, HelpMessage = 'The version of OPA Rego to be downloaded, must be in "x.x.x" format')] [Alias('version')] [string] $ExpectedVersion = [ScubaConfig]::ScubaDefault('DefaultOPAVersion'), [Parameter(Mandatory = $false, HelpMessage = 'The operating system the program is running on')] [ValidateSet('Windows','MacOS','Linux')] [Alias('os')] [string] $OperatingSystem = "Windows", [Parameter(Mandatory = $false, HelpMessage = 'The file name that the opa executable is to be saved as')] [Alias('name')] [string] $OPAExe = "", [Parameter(Mandatory=$false, HelpMessage = 'Directory to contain ScubaGear artifacts. Defaults to <home>.')] [ValidateScript({Test-Path -Path $_ -PathType Container})] [string] $ScubaParentDirectory = $env:USERPROFILE ) Write-Output 'Initializing ScubaGear...' # Set preferences for writing messages $PreferenceStack = New-Object -TypeName System.Collections.Stack $PreferenceStack.Push($DebugPreference) $PreferenceStack.Push($InformationPreference) $DebugPreference = "Continue" $InformationPreference = "Continue" if (-not $DoNotAutoTrustRepository) { $Policy = Get-PSRepository -Name "PSGallery" | Select-Object -Property -InstallationPolicy if ($($Policy.InstallationPolicy) -ne "Trusted") { Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted Write-Information -MessageData "Setting PSGallery repository to trusted." } } # Start a stopwatch to time module installation elapsed time $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew() # Need to determine where module is so we can get required versions info $ParentPath = Split-Path -parent $PSScriptRoot $ModulePath = Split-Path -parent $ParentPath # Removing the import below causes issues with testing, let it be. # Import module magic may be helping by: # * restricting the import so only that only function is exported # * imported function takes precedence over imported modules w/ function Import-Module $ModulePath -Function Initialize-Scuba $ModuleParentDir = Split-Path -Path (Get-Module ScubaGear).Path -Parent try { ($RequiredModulesPath = Join-Path -Path $ModuleParentDir -ChildPath 'RequiredVersions.ps1') *> $null . $RequiredModulesPath } catch { throw "Unable to find RequiredVersions.ps1 in expected directory:`n`t$ModuleParentDir" } if ($ModuleList) { # Add PowerShellGet to beginning of ModuleList for installing required modules. $ModuleList = ,@{ ModuleName = 'PowerShellGet' ModuleVersion = [version] '2.1.0' MaximumVersion = [version] '2.99.99999' } + $ModuleList } else { throw "Required modules list is required." } foreach ($Module in $ModuleList) { $ModuleName = $Module.ModuleName if (Get-Module -ListAvailable -Name $ModuleName) { $HighestInstalledVersion = (Get-Module -ListAvailable -Name $ModuleName | Sort-Object Version -Descending | Select-Object Version -First 1).Version $LatestVersion = [Version](Find-Module -Name $ModuleName -MinimumVersion $Module.ModuleVersion -MaximumVersion $Module.MaximumVersion).Version if ($HighestInstalledVersion -ge $LatestVersion) { Write-Debug "${ModuleName}: ${HighestInstalledVersion} already has latest installed." if ($Force -eq $true) { Install-Module -Name $ModuleName ` -Force ` -AllowClobber ` -Scope CurrentUser ` -MaximumVersion $Module.MaximumVersion Write-Information -MessageData "Re-installing module to latest acceptable version: ${ModuleName}." } } else { if ($SkipUpdate -eq $true) { Write-Debug "Skipping update for ${ModuleName}: ${HighestInstalledVersion} to newer version ${LatestVersion}." } else { Install-Module -Name $ModuleName ` -Force ` -AllowClobber ` -Scope CurrentUser ` -MaximumVersion $Module.MaximumVersion $MaxInstalledVersion = (Get-Module -ListAvailable -Name $ModuleName | Sort-Object Version -Descending | Select-Object Version -First 1).Version Write-Information -MessageData "${ModuleName}: ${HighestInstalledVersion} updated to version ${MaxInstalledVersion}." } } } else { Install-Module -Name $ModuleName ` -AllowClobber ` -Scope CurrentUser ` -MaximumVersion $Module.MaximumVersion $MaxInstalledVersion = (Get-Module -ListAvailable -Name $ModuleName | Sort-Object Version -Descending | Select-Object Version -First 1).Version Write-Information -MessageData "Installed the latest acceptable version of ${ModuleName}: ${MaxInstalledVersion}." } } if ($NoOPA -eq $true) { Write-Debug "Skipping Download for OPA.`n" } else { try { Install-OPAforSCuBA -OPAExe $OPAExe -ExpectedVersion $ExpectedVersion -OperatingSystem $OperatingSystem -ScubaParentDirectory $ScubaParentDirectory } catch { $Error[0] | Format-List -Property * -Force | Out-Host } } # Stop the clock and report total elapsed time $Stopwatch.stop() Write-Debug "ScubaGear setup time elapsed: $([math]::Round($stopwatch.Elapsed.TotalSeconds,0)) seconds." $InformationPreference = $PreferenceStack.Pop() $DebugPreference = $PreferenceStack.Pop() } function Install-OPAforSCuBA { <# .SYNOPSIS This script installs the required OPA executable used by the assessment tool .DESCRIPTION Installs the OPA executable required to support SCuBAGear. .EXAMPLE Install-OPAforSCuBA #> [CmdletBinding()] param( [Parameter(Mandatory = $false, HelpMessage = 'The version of OPA Rego to be downloaded, must be in "x.x.x" format')] [Alias('version')] [string] $ExpectedVersion = [ScubaConfig]::ScubaDefault('DefaultOPAVersion'), [Parameter(Mandatory = $false, HelpMessage = 'The file name that the opa executable is to be saved as')] [Alias('name')] [string] $OPAExe = "", [Parameter(Mandatory = $false, HelpMessage = 'The operating system the program is running on')] [ValidateSet('Windows','MacOS','Linux')] [Alias('os')] [string] $OperatingSystem = "Windows", [Parameter(Mandatory=$false, HelpMessage = 'Directory to contain ScubaGear artifacts. Defaults to <home>.')] [ValidateScript({Test-Path -Path $_ -PathType Container})] [string] $ScubaParentDirectory = $env:USERPROFILE ) # Constants $ACCEPTABLEVERSIONS = '0.59.0', '0.60.0', '0.61.0', '0.62.1', '0.63.0', '0.64.1', '0.65.0', [ScubaConfig]::ScubaDefault('DefaultOPAVersion') # End Versions $FILENAME = @{ Windows = "opa_windows_amd64.exe"; MacOS = "opa_darwin_amd64"; Linux = "opa_linux_amd64_static"} # Set prefernces for writing messages $PreferenceStack = New-Object -TypeName System.Collections.Stack $PreferenceStack.Push($DebugPreference) $PreferenceStack.Push($InformationPreference) $PreferenceStack.Push($ErrorActionPreference) $DebugPreference = "Continue" $InformationPreference = "Continue" $ErrorActionPreference = "Stop" $ScubaHiddenHome = Join-Path -Path $ScubaParentDirectory -ChildPath '.scubagear' $ScubaTools = Join-Path -Path $ScubaHiddenHome -ChildPath 'Tools' if((Test-Path -Path $ScubaTools) -eq $false) { New-Item -ItemType Directory -Force -Path $ScubaTools Write-Output "" | Out-Host } if(-not $ACCEPTABLEVERSIONS.Contains($ExpectedVersion)) { $AcceptableVersionsString = $ACCETABLEVERSIONS -join "`r`n" | Out-String throw "Version parameter entered, ${ExpectedVersion}, is not in the list of acceptable versions. Acceptable versions are:`r`n${AcceptableVersionsString}" } $Filename = $FILENAME.$OperatingSystem if($OPAExe -eq "") { $OPAExe = $Filename } if(Test-Path -Path ( Join-Path $ScubaTools $OPAExe) -PathType Leaf) { $Result = Confirm-OPAHash -out $OPAExe -version $ExpectedVersion -name $Filename if($Result[0]) { Write-Debug "${OPAExe}: ${ExpectedVersion} already has latest installed." } else { if($OPAExe -eq $Filename) { Write-Information "SHA256 verification failed, downloading new executable" | Out-Host InstallOPA -out $OPAExe -version $ExpectedVersion -name $Filename } else { Write-Warning "SHA256 verification failed, please confirm file name is correct & remove old file before running script" | Out-Host } } } else { InstallOPA -out $OPAExe -version $ExpectedVersion -name $Filename } $ErrorActionPreference = $PreferenceStack.Pop() $InformationPreference = $PreferenceStack.Pop() $DebugPreference = $PreferenceStack.Pop() } function Get-OPAFile { param ( [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('out')] [string]$OPAExe, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('version')] [string]$ExpectedVersion, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('name')] [string]$Filename ) <# .FUNCTIONALITY Internal #> $InstallUrl = "https://openpolicyagent.org/downloads/v$($ExpectedVersion)/$($Filename)" $OutFile = ( Join-Path $ScubaTools $OPAExe ) #(Join-Path (Get-Location).Path $OPAExe) try { $Display = "Downloading OPA executable" Start-BitsTransfer -Source $InstallUrl -Destination $OutFile -DisplayName $Display -MaxDownloadTime 300 Write-Information -MessageData "Installed the specified OPA version (${ExpectedVersion}) to ${OutFile}" | Out-Host } catch { $Error[0] | Format-List -Property * -Force | Out-Host throw "Unable to download OPA executable. To try manually downloading, see details in README under 'Download the required OPA executable'" | Out-Host } } function Get-ExeHash { param ( [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('name')] [string]$Filename, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('version')] [string]$ExpectedVersion ) <# .FUNCTIONALITY Internal #> $InstallUrl = "https://openpolicyagent.org/downloads/v$($ExpectedVersion)/$($Filename).sha256" $OutFile = (Join-Path (Get-Location).Path $InstallUrl.SubString($InstallUrl.LastIndexOf('/'))) try { $WebClient = New-Object System.Net.WebClient $WebClient.DownloadFile($InstallUrl, $OutFile) } catch { $Error[0] | Format-List -Property * -Force | Out-Host Write-Error "Unable to download OPA SHA256 hash for verification" | Out-Host } finally { $WebClient.Dispose() } $Hash = ($(Get-Content $OutFile -raw) -split " ")[0] Remove-Item $OutFile return $Hash } function Confirm-OPAHash { <# .FUNCTIONALITY Internal #> param ( [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('out')] [string]$OPAExe, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('version')] [string]$ExpectedVersion, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('name')] [string] $Filename ) if ((Get-FileHash ( Join-Path $ScubaTools $OPAExe ) -Algorithm SHA256 ).Hash -ne $(Get-ExeHash -name $Filename -version $ExpectedVersion)) { return $false, "SHA256 verification failed, retry download or install manually. See README under 'Download the required OPA executable' for instructions." } return $true, "Downloaded OPA version ($ExpectedVersion) SHA256 verified successfully`n" } function InstallOPA { param ( [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('out')] [string]$OPAExe, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('version')] [string]$ExpectedVersion, [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [Alias('name')] [string] $Filename ) <# .FUNCTIONALITY Internal #> Get-OPAFile -out $OPAExe -version $ExpectedVersion -name $Filename $Result = Confirm-OPAHash -out $OPAExe -version $ExpectedVersion -name $Filename $Result[1] | Out-Host } function Debug-SCuBA { <# .SYNOPSIS Gather diagnostic information from previous run(s) into a single archive bundle for error reporting and troubleshooting. .DESCRIPTION Assists development teams in diagnosing issues with the ScubaGear assessment tool by generating and bundling up information related to one or more previous assessment runs. .EXAMPLE Debug-SCuBA .NOTES Executing the script with no switches will cause it to create an archive of the latest SCuBAGear run report and result files in the current working directory. #> [CmdletBinding()] param ( [Parameter(Mandatory=$false, HelpMessage = 'Directory to contain debug report')] [string] $ReportPath = "$($($(Get-Item $PSScriptRoot).Parent).FullName)\Reports", [Parameter(Mandatory=$false, HelpMessage = 'Include ScubaGear report on tenant configuration?')] [switch] $IncludeReports = $false, [Parameter(Mandatory=$false, HelpMessage = 'Include all available ScubaGear report on tenant configuration?')] [switch] $AllReports = $false ) $PreferenceStack = New-Object -TypeName System.Collections.Stack $PreferenceStack.Push($DebugPreference) $DebugPreference = 'Continue' # Set registry key to inspect $regPath = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' $regKey = 'AllowBasic' $Timestamp = Get-Date -Format yyyyMMdd_HHmmss Write-Debug "Script started from $PSScriptRoot" Write-Debug "Report Path is $ReportPath" Write-Debug "Timestamp set as $Timestamp" ## Create bundle directory timestamped inside current directory try { $DiagnosticPath = New-Item -ItemType Directory "ScubaGear_diag_$Timestamp" Write-Debug "Created new directory $($DiagnosticPath.FullName)" $EnvFile= New-Item -Path $(Join-Path -Path $DiagnosticPath -ChildPath EnvInfo_$Timestamp) -ItemType File Write-Debug "Created new environment info file at $($EnvFile.FullName)" } catch { Write-Error "ERRROR: Could not create diagnostics directory and/or files." } ## Get environment information "System Environment information from $Timestamp`n" >> $EnvFile "PowerShell Information" >> $EnvFile "----------------------" >> $EnvFile $PSVersionTable >> $EnvFile "`n" >> $EnvFile "WinRM Client Setting" >> $EnvFile "--------------------" >> $EnvFile if (Test-Path -LiteralPath $regPath){ try { $allowBasic = Get-ItemPropertyValue -Path $regPath -Name $regKey } catch [System.Management.Automation.PSArgumentException]{ "Key, $regKey, was not found`n" >> $EnvFile } catch{ "Unexpected error occured attempting to get registry key, $regKey.`n" >> $EnvFile } "AllowBasic = $allowBasic`n" >> $EnvFile } else { "Registry path not found: $regPath" >> $EnvFile } "Installed PowerShell Modules Available" >> $EnvFile "--------------------------------------" >> $EnvFile Get-Module -ListAvailable >> $EnvFile "Imported PowerShell Modules" >> $EnvFile "---------------------------" >> $EnvFile Get-Module >> $EnvFile if($IncludeReports) { # Generate list of ScubaGear Report folder(s) to include in diagnostics $ReportList = @() if($AllReports) { $ReportList = Get-ChildItem -Directory -Path $ReportPath -Filter "M365BaselineConformance*" } else { $ReportList = Get-ChildItem -Directory -Path $ReportPath -Filter "M365BaselineConformance*" | Sort-Object LastWriteTime -Descending | Select-Object -First 1 } Write-Debug "Reports to Include: $ReportList" if($ReportList.Count -eq 0) { Write-Warning "No ScubaGear report folders found at $ReportPath." } # Copy each report folder to diagnostics folder foreach ($ReportFolder in $ReportList) { Write-Debug "Copying $($ReportFolder.FullName) to diagnostic bundle" Copy-Item -Path $ReportFolder.FullName -Destination $DiagnosticPath -Recurse } } # Create archive bundle of report and results directory $ZipFile = "$($DiagnosticPath.FullName).zip" if(Test-Path -Path $ZipFile) { Write-Error "ERROR: Diagnostic archive bundle $ZipFile already exists" } else { Compress-Archive -Path $DiagnosticPath.FullName -DestinationPath $ZipFile } $DebugPreference = $PreferenceStack.Pop() } function Copy-SCuBASampleReport { <# .SYNOPSIS Copy sample reports to user defined location. .Description This function makes copies of the sample reports included with the installed ScubaGear module. .Parameter Destination Where to copy the samples. Defaults to <user home>\ScubaGear\samples\reports .Example Copy-SCuBASampleReport .Functionality Public .NOTES SuppressMessage for PSReviewUnusedParameter due to linter bug. Open issue to remove if/when fixed. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '')] param ( [Parameter(Mandatory = $false)] [ValidateScript({Test-Path -Path $_ -IsValid})] [string] $DestinationDirectory = (Join-Path -Path $env:USERPROFILE -ChildPath "ScubaGear/samples/reports"), [Parameter(Mandatory = $false)] [switch] $Force ) $SourceDirectory = Join-Path -Path $PSScriptRoot -ChildPath "..\..\Sample-Reports\" Copy-ScubaModuleFile -SourceDirectory $SourceDirectory -DestinationDirectory $DestinationDirectory -Force:$Force } function Copy-SCuBASampleConfigFile { <# .SYNOPSIS Copy sample configuration files to user defined location. .Description This function makes copies of the sample configuration files included with the installed ScubaGear module. .Parameter Destination Where to copy the samples. Defaults to <user home>\ScubaGear\samples\config-files .Example Copy-SCuBASampleConfigFile .Functionality Public .NOTES SuppressMessage for PSReviewUnusedParameter due to linter bug. Open issue to remove if/when fixed. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '')] param ( [Parameter(Mandatory = $false)] [ValidateScript({Test-Path -Path $_ -IsValid})] [string] $DestinationDirectory = (Join-Path -Path $env:USERPROFILE -ChildPath "ScubaGear/samples/config-files"), [Parameter(Mandatory = $false)] [switch] $Force ) $SourceDirectory = Join-Path -Path $PSScriptRoot -ChildPath "..\..\Sample-Config-Files\" Copy-ScubaModuleFile -SourceDirectory $SourceDirectory -DestinationDirectory $DestinationDirectory -Force:$Force } function Copy-ScubaModuleFile { <# .SYNOPSIS Copy Scuba module files (read-only) to user defined location. .Description This function makes copies of files included with the installed ScubaGear module. .Parameter Destination Where to copy the files. .Example Copy-ScubaModuleFile =Destination SomeWhere .Functionality Private .NOTES SuppressMessage for PSReviewUnusedParameter due to linter bug. Open issue to remove if/when fixed. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '')] param ( [Parameter(Mandatory=$true)] [ValidateScript({Test-Path -Path $_ -PathType Container})] [string] $SourceDirectory, [Parameter(Mandatory = $true)] [ValidateScript({Test-Path -Path $_ -IsValid})] [string] $DestinationDirectory, [Parameter(Mandatory = $false)] [switch] $Force ) if (-not (Test-Path -Path $DestinationDirectory -PathType Container)){ New-Item -ItemType Directory -Path $DestinationDirectory | Out-Null } try { Get-ChildItem -Path $SourceDirectory | Copy-Item -Destination $DestinationDirectory -Recurse -Container -Force:$Force -ErrorAction Stop 2> $null Get-ChildItem -Path $DestinationDirectory -File -Recurse | ForEach-Object {$_.IsReadOnly = $true} } catch { throw "Scuba copy module files failed." } } function New-SCuBAConfig { <# .SYNOPSIS Generate a config file for the ScubaGear tool .Description Using provided user input generate a config file to run ScubaGear tailored to the end user .Parameter ProductNames A list of one or more M365 shortened product names that the tool will assess when it is executed. Acceptable product name values are listed below. To assess Azure Active Directory you would enter the value aad. To assess Exchange Online you would enter exo and so forth. - Azure Active Directory: aad - Defender for Office 365: defender - Exchange Online: exo - MS Power Platform: powerplatform - SharePoint Online: sharepoint - MS Teams: teams. Use '*' to run all baselines. .Parameter M365Environment This parameter is used to authenticate to the different commercial/government environments. Valid values include "commercial", "gcc", "gcchigh", or "dod". - For M365 tenants with E3/E5 licenses enter the value **"commercial"**. - For M365 Government Commercial Cloud tenants with G3/G5 licenses enter the value **"gcc"**. - For M365 Government Commercial Cloud High tenants enter the value **"gcchigh"**. - For M365 Department of Defense tenants enter the value **"dod"**. Default value is 'commercial'. .Parameter OPAPath The folder location of the OPA Rego executable file. The OPA Rego executable embedded with this project is located in the project's root folder. If you want to execute the tool using a version of OPA Rego located in another folder, then customize the variable value with the full path to the alternative OPA Rego exe file. .Parameter LogIn A `$true` or `$false` variable that if set to `$true` will prompt you to provide credentials if you want to establish a connection to the specified M365 products in the **$ProductNames** variable. For most use cases, leave this variable to be `$true`. A connection is established in the current PowerShell terminal session with the first authentication. If you want to run another verification in the same PowerShell session simply set this variable to be `$false` to bypass the reauthenticating in the same session. Default is $true. Note: defender will ask for authentication even if this variable is set to `$false` ;;;.Parameter Version ;;;Will output the current ScubaGear version to the terminal without running this cmdlet. .Parameter AppID The application ID of the service principal that's used during certificate based authentication. A valid value is the GUID of the application ID (service principal). .Parameter CertificateThumbprint The thumbprint value specifies the certificate that's used for certificate base authentication. The underlying PowerShell modules retrieve the certificate from the user's certificate store. As such, a copy of the certificate must be located there. .Parameter Organization Specify the organization that's used in certificate based authentication. Use the tenant's tenantname.onmicrosoft.com domain for the parameter value. .Parameter OutPath The folder path where both the output JSON and the HTML report will be created. The folder will be created if it does not exist. Defaults to current directory. .Parameter OutFolderName The name of the folder in OutPath where both the output JSON and the HTML report will be created. Defaults to "M365BaselineConformance". The client's local timestamp will be appended. .Parameter OutProviderFileName The name of the Provider output JSON created in the folder created in OutPath. Defaults to "ProviderSettingsExport". .Parameter OutRegoFileName The name of the Rego output JSON and CSV created in the folder created in OutPath. Defaults to "TestResults". .Parameter OutReportName The name of the main html file page created in the folder created in OutPath. Defaults to "BaselineReports". .Parameter DisconnectOnExit Set switch to disconnect all active connections on exit from ScubaGear (default: $false) .Parameter ConfigFilePath Local file path to a JSON or YAML formatted configuration file. Configuration file parameters can be used in place of command-line parameters. Additional parameters and variables not available on the command line can also be included in the file that will be provided to the tool for use in specific tests. .Parameter OmitPolicy A comma-separated list of policies to exclude from the ScubaGear report, e.g., MS.DEFENDER.1.1v1. Note that the rationales will need to be manually added to the resulting config file. .Functionality Public #> [CmdletBinding(DefaultParameterSetName='Report')] [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '')] param ( [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $Description = "YAML configuration file with default description", #(Join-Path -Path $env:USERPROFILE -ChildPath ".scubagear\Tools"), [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [ValidateSet("teams", "exo", "defender", "aad", "powerplatform", "sharepoint", '*', IgnoreCase = $false)] [string[]] $ProductNames = @("aad", "defender", "exo", "sharepoint", "teams"), [Parameter(Mandatory = $false)] [ValidateSet("commercial", "gcc", "gcchigh", "dod", IgnoreCase = $false)] [ValidateNotNullOrEmpty()] [string] $M365Environment = "commercial", [Parameter(Mandatory = $false)] [ValidateScript({Test-Path -PathType Container $_})] [string] $OPAPath = ".", #(Join-Path -Path $env:USERPROFILE -ChildPath ".scubagear\Tools"), [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [ValidateSet($true, $false)] [boolean] $LogIn = $true, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [ValidateSet($true, $false)] [boolean] $DisconnectOnExit = $false, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $OutPath = '.', [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $AppID, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $CertificateThumbprint, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $Organization, [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $OutFolderName = "M365BaselineConformance", [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $OutProviderFileName = "ProviderSettingsExport", [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $OutRegoFileName = "TestResults", [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $OutReportName = "BaselineReports", [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string] $ConfigLocation = "./", [Parameter(Mandatory = $false)] [ValidateNotNullOrEmpty()] [string[]] $OmitPolicy = @() ) $Config = New-Object ([System.Collections.specialized.OrderedDictionary]) ($MyInvocation.MyCommand.Parameters ).Keys | ForEach-Object{ $Val = (Get-Variable -Name $_ -EA SilentlyContinue).Value if( $Val.length -gt 0 ) { #$config[$_] = $val $Config.add($_, $Val) } } if ($config.Contains("OmitPolicy")) { # We don't want to immediately save this parameter to the config, as it's not in the right # format yet. $config.Remove("OmitPolicy") } $CapExclusionNamespace = @( "MS.AAD.1.1v1", "MS.AAD.2.1v1", "MS.AAD.2.3v1", "MS.AAD.3.1v1", "MS.AAD.3.2v1", "MS.AAD.3.3v1", "MS.AAD.3.6v1", "MS.AAD.3.7v1", "MS.AAD.3.8v1" ) $RoleExclusionNamespace = "MS.AAD.7.4v1" $CommonSensitiveAccountFilterNamespace = @( "MS.DEFENDER.1.4v1", "MS.DEFENDER.1.5v1" ) $UserImpersonationProtectionNamespace = "MS.DEFENDER.2.1v1" $AgencyDomainImpersonationProtectionNamespace = "MS.DEFENDER.2.2v1" $PartnerDomainImpersonationProtectionNamespace = "MS.DEFENDER.2.3v1" $OmissionNamespace = "OmitPolicy" # List to track which policies the user specified in $OmitPolicies are properly formatted $OmitPolicyValidated = @() # Hashmap to structure the ignored policies template $config[$OmissionNamespace] = @{} foreach ($Policy in $OmitPolicy) { if (-not ($Policy -match "^ms\.[a-z]+\.[0-9]+\.[0-9]+v[0-9]+$")) { # Note that -match is a case insensitive match # Note that the regex does not validate the product name, this will be done # later $Warning = "The policy, $Policy, in the OmitPolicy parameter, is not a valid " $Warning += "policy ID. Expected format 'MS.[PRODUCT].[GROUP].[NUMBER]v[VERSION]', " $Warning += "e.g., 'MS.DEFENDER.1.1v1'. Skipping." Write-Warning $Warning Continue } $Product = ($Policy -Split "\.")[1] # Here's where the product name is validated if (-not ($ProductNames -Contains $Product)) { $Warning = "The policy, $Policy, in the OmitPolicy parameter, is not encompassed by " $Warning += "the products specified in the ProductName parameter. Skipping." Write-Warning $Warning Continue } # Ensure the policy ID is properly capitalized (i.e., all caps except for the "v1" portion) $PolicyCapitalized = $Policy.Substring(0, $Policy.Length-2).ToUpper() + $Policy.SubString($Policy.Length-2) $OmitPolicyValidated += $PolicyCapitalized $config[$OmissionNamespace][$PolicyCapitalized] = @{ "Rationale" = ""; "Expiration" = ""; } } $Warning = "The following policies have been configured for omission: $($OmitPolicyValidated -Join ', '). " $Warning += "Note that as the New-Config function does not support providing the rationale for omission via " $Warning += "the commandline, you will need to open the resulting config file and manually enter the rationales." Write-Warning $Warning $AadTemplate = New-Object ([System.Collections.specialized.OrderedDictionary]) $AadCapExclusions = New-Object ([System.Collections.specialized.OrderedDictionary]) $AadRoleExclusions = New-Object ([System.Collections.specialized.OrderedDictionary]) $DefenderTemplate = New-Object ([System.Collections.specialized.OrderedDictionary]) $DefenderCommonSensitiveAccountFilter = New-Object ([System.Collections.specialized.OrderedDictionary]) #$defenderUserImpersonationProtection = New-Object ([System.Collections.specialized.OrderedDictionary]) #$defenderAgencyDomainImpersonationProtection = New-Object ([System.Collections.specialized.OrderedDictionary]) #$defenderPartnerDomainImpersonationProtection = New-Object ([System.Collections.specialized.OrderedDictionary]) $AadCapExclusions = @{ CapExclusions = @{} } $AadCapExclusions["CapExclusions"].add("Users", @("")) $AadCapExclusions["CapExclusions"].add("Groups", @("")) $AadRoleExclusions = @{ RoleExclusions = @{} } $AadRoleExclusions["RoleExclusions"].add("Users", @("")) $AadRoleExclusions["RoleExclusions"].add("Groups", @("")) foreach ($Cap in $CapExclusionNamespace){ $AadTemplate.add($Cap, $AadCapExclusions) } $AadTemplate.add($RoleExclusionNamespace, $AadRoleExclusions) $DefenderCommonSensitiveAccountFilter = @{ SensitiveAccounts = @{} } $DefenderCommonSensitiveAccountFilter['SensitiveAccounts'].add("IncludedUsers", @("")) $DefenderCommonSensitiveAccountFilter['SensitiveAccounts'].add("IncludedGroups", @("")) $DefenderCommonSensitiveAccountFilter['SensitiveAccounts'].add("IncludedDomains", @("")) $DefenderCommonSensitiveAccountFilter['SensitiveAccounts'].add("ExcludedUsers", @("")) $DefenderCommonSensitiveAccountFilter['SensitiveAccounts'].add("ExcludedGroups", @("")) $DefenderCommonSensitiveAccountFilter['SensitiveAccounts'].add("ExcludedDomains", @("")) foreach ($Filter in $CommonSensitiveAccountFilterNamespace){ $DefenderTemplate.add($Filter, $DefenderCommonSensitiveAccountFilter) } $DefenderTemplate.add($UserImpersonationProtectionNamespace, @{ SensitiveUsers = @("") }) $DefenderTemplate.add($AgencyDomainImpersonationProtectionNamespace, @{ AgencyDomains = @("") }) $DefenderTemplate.add($PartnerDomainImpersonationProtectionNamespace, @{ PartnerDomains = @("") }) $Products = (Get-Variable -Name ProductNames -EA SilentlyContinue).Value foreach ($Product in $Products){ switch ($Product){ "aad" { $config.add("Aad", $AadTemplate) } "defender" { $config.add("Defender", $DefenderTemplate) } } } convertto-yaml $Config | set-content "$($ConfigLocation)/SampleConfig.yaml" } Export-ModuleMember -Function @( 'Copy-SCuBABaselineDocument', 'Install-OPAforSCuBA', 'Initialize-SCuBA', 'Debug-SCuBA', 'Copy-SCuBASampleReport', 'Copy-SCuBASampleConfigFile', 'New-SCuBAConfig' ) # SIG # Begin signature block # MIIuwAYJKoZIhvcNAQcCoIIusTCCLq0CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBOfyN7mZDBYimU # briYqSTmRVYUcftWHDIbwIcRgBWrnqCCE6MwggWQMIIDeKADAgECAhAFmxtXno4h # MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV # BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z # ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB # AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z # G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ # anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s # Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL # 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb # BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3 # JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c # AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx # YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0 # viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL # T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud # EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf # Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk # aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS # PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK # 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB # cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp # 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg # dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri # RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7 # 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5 # nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3 # i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H # EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G # CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C # 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce # 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da # E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T # SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA # FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh # D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM # 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z # 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05 # huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY # mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP # /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T # AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD # VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY # aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj # ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV # HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU # cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN # BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry # sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL # IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf # Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh # OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh # dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV # 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j # wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH # Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC # XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l # /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW # eE4wggdXMIIFP6ADAgECAhANkQ8dPvvR0q3Ytt4H0T3aMA0GCSqGSIb3DQEBCwUA # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwHhcNMjQwMTMwMDAwMDAwWhcNMjUwMTI5MjM1OTU5WjBfMQsw # CQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNV # BAcTCldhc2hpbmd0b24xDTALBgNVBAoTBENJU0ExDTALBgNVBAMTBENJU0EwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCT1y7uJCQax8JfiDEYgpiU9URj # EXCTRqtZbDALM9rPUudiuM3mj6A1SUSAAWYv6DTsvGPvxyMI2Idg0mQunl4Ms9DJ # yVwe5k4+Anj/73Nx1AbOPYP8xRZcD10FkctKGhV0PzvrDcwU15hsQWtiepFgg+bX # fHkGMeu426oc69f43vKE43DiqKTf0/UBX/qgpj3JZvJ3zc1kilBOv4sBCksfCjbW # tLZD0tqAgBsNPo3Oy5mQG31E1eZdTNvrdTnEXacSwb3k615z7mHy7nqBUkOruZ9E # tnvC2qla+uL3ks91O/e/LnKzH9Lj1JmEBf6jwPN/MYR9Dymni4Mi3AQ8mpQMyFmi # XcSHymibSNbtTMavpdBWjFfrcvPETX7krROUOoLzMQmNgHArceSh55tgvDRdSU5c # WK3BTvK3l3mgCdgjre7XGYxV3W8apyxk5+RKfHdbv9cpRwpSuDnI8sHeqmB3fnfo # Cr1PPu4WhKegt20CobhDVybiBdhDVqUdR53ful4N/coQOEHDrIExB5nJf9Pvdrza # DyIGKAMIXD79ba5/rQEo+2cA66oJkPlvB5hEGI/jtDcYwDBgalbwB7Kc8zAAhl6+ # JvHfYpXOkppSfEQbaRXZI+LGXWQAFa5pJDfDEAyZSXprStgw594sWUOysp+UOxFe # kSA4mBr0o1jVpdaulwIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8R # hvv+YXsIiGX0TkIwHQYDVR0OBBYEFAmyTB5bcWyA+8+rq540jPRLJ1nYMD4GA1Ud # IAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNl # cnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMw # gbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp # Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5j # cmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0 # ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEF # BQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t # MFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl # cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJ # BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQAh2Jnt9IPoBvOQlYQUlCP9iJ5y # XAvEWe1camOwedqMZsHEPpT2yd6+fMzPZmV3/bYJgaN2OrDS1snf62S7yc+AulVw # PAXSp1lSAiFEbZ6PFEdEBIag9B65Mp/cvRtJsIWQIc//jWqFMHpkU6r3MW9YARRu # vaIf5/0qlM4VEwn3lTf+jJdxhhyoOFTWWd3BrlMPcT06z6F6hFfyycQkZ3Y9wEJ3 # uOU9bCNLZL1HCjlKT+oI0WsgeRdbe2sYrnvv9NmDY9oEi8PEq+DGjiTgLbY5OcAX # uUogPPw6gbcuNn8Hq6FFKPIQxaksB8dF8Gw4m2lQoUWESPRF8Zaq9lmZN3+QzA79 # yskfJtAFqz3gUP5wJBdNfi/u1sGbLI0QnJQkIKfFuz7DfDPldw0gIl05BIYwZBmj # TpFRu1/+gIlP1Ul4L/wt9Lxk6pglObLsdxHP2UQrG30JaUN0gv3xZMBBByHGVVTe # cyU4qwJ0ulMdv/kjHwh+m58uOF8gHXLfyBmOjYpohN3+l0rS0qdArZMNSmLTA7N8 # n3V3AZLKB//1yhPt++gR4pCFdXmgwYDDLRxjlV0cMsG1UeSQUdI0aieh/grg5TQO # CergVXS5h3sz5U0ZQPWND41LJhA0gF2OGZNHdUc9+0dwTsfxAERrjaTdeZp0/rdZ # 9iGBoiRsS4U86S8xkDGCGnMwghpvAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0 # IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQDZEPHT770dKt # 2LbeB9E92jANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKACgACh # AoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAM # BgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCDJ/TaRHe3CGbvUbVUxz/AJI8SH # 24C4Mv9k4mBIYu57IjANBgkqhkiG9w0BAQEFAASCAgBVZXIWu6zj6Ucl/NW67CHV # z7i/GYrhJjbUcHuI57rmSMvtOvhqB7VJPr9mPcJrL2S8gW2Od1/B4XQZKes8tva/ # m3mOD/e7p7Twv5BkDMKQ2ReYQSiw8n8bX70+sXq9hH/GiEyf3LQJzzdY62Eak8Vn # bLZPbw4F5ME/p72I5vVA9ZuvkGeVW5B90BHAyl7bdKONjxSu1N49hNniSdkvcEpn # Z2D8YQKp7x2CVD9xCExHfJlhIR1FJWTZ0j+yQsLJk70T5ExY4br0Vd+7uvyJH9Lr # chWRliEW5q3OxlCw12wlJZbgmuCXyAZB+EEII/VIQIsr9A+CnCFYDu9Sfywk6onO # jvMpaSeVlBGzNymHKtsR/iYQtbmrDlqU4zJkUDpB7tBSZXaCgVZsiz9gH7VD9h0n # lRkof3e65BvevoAiBfUfnlOPDZi92BGqbPyKspqxj8WcqDBr2oVSloLLBsnWqums # o23eS/SW2o9djx5ZCN2tAamJ3BPn+zKdb2lmeJ5rfJ0moE/lPdQdJwMIjUr9XKES # H1UGHSaUA58fzZH3qiF0pXD7zOtD6sjUm9BLihkY9M8dD3UpoyG6HmtMu/oXxOTV # AIeoXK+1mx5aguRNGBr/14RBl1PDhfkqkEUWBzzn33kgBip/9DdPR8IHwNaeLyIK # MoHOx9HKA4gKFNtYiAHmVaGCF0Awghc8BgorBgEEAYI3AwMBMYIXLDCCFygGCSqG # SIb3DQEHAqCCFxkwghcVAgEDMQ8wDQYJYIZIAWUDBAIBBQAweAYLKoZIhvcNAQkQ # AQSgaQRnMGUCAQEGCWCGSAGG/WwHATAxMA0GCWCGSAFlAwQCAQUABCAnIwhb+V2V # rjdvebkWxNEkEIr8xIBEDbNDaEZaEo1bPAIRAL5WqpXagShrxa/Mg6k9GMgYDzIw # MjQwOTA0MTM0NDIxWqCCEwkwggbCMIIEqqADAgECAhAFRK/zlJ0IOaa/2z9f5WEW # MA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2Vy # dCwgSW5jLjE7MDkGA1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNI # QTI1NiBUaW1lU3RhbXBpbmcgQ0EwHhcNMjMwNzE0MDAwMDAwWhcNMzQxMDEzMjM1 # OTU5WjBIMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xIDAe # BgNVBAMTF0RpZ2lDZXJ0IFRpbWVzdGFtcCAyMDIzMIICIjANBgkqhkiG9w0BAQEF # AAOCAg8AMIICCgKCAgEAo1NFhx2DjlusPlSzI+DPn9fl0uddoQ4J3C9Io5d6Oyqc # Z9xiFVjBqZMRp82qsmrdECmKHmJjadNYnDVxvzqX65RQjxwg6seaOy+WZuNp52n+ # W8PWKyAcwZeUtKVQgfLPywemMGjKg0La/H8JJJSkghraarrYO8pd3hkYhftF6g1h # bJ3+cV7EBpo88MUueQ8bZlLjyNY+X9pD04T10Mf2SC1eRXWWdf7dEKEbg8G45lKV # tUfXeCk5a+B4WZfjRCtK1ZXO7wgX6oJkTf8j48qG7rSkIWRw69XloNpjsy7pBe6q # 9iT1HbybHLK3X9/w7nZ9MZllR1WdSiQvrCuXvp/k/XtzPjLuUjT71Lvr1KAsNJvj # 3m5kGQc3AZEPHLVRzapMZoOIaGK7vEEbeBlt5NkP4FhB+9ixLOFRr7StFQYU6mII # E9NpHnxkTZ0P387RXoyqq1AVybPKvNfEO2hEo6U7Qv1zfe7dCv95NBB+plwKWEwA # PoVpdceDZNZ1zY8SdlalJPrXxGshuugfNJgvOuprAbD3+yqG7HtSOKmYCaFxsmxx # rz64b5bV4RAT/mFHCoz+8LbH1cfebCTwv0KCyqBxPZySkwS0aXAnDU+3tTbRyV8I # pHCj7ArxES5k4MsiK8rxKBMhSVF+BmbTO77665E42FEHypS34lCh8zrTioPLQHsC # AwEAAaOCAYswggGHMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMBYGA1Ud # JQEB/wQMMAoGCCsGAQUFBwMIMCAGA1UdIAQZMBcwCAYGZ4EMAQQCMAsGCWCGSAGG # /WwHATAfBgNVHSMEGDAWgBS6FtltTYUvcyl2mi91jGogj57IbzAdBgNVHQ4EFgQU # pbbvE+fvzdBkodVWqWUxo97V40kwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2Ny # bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0UlNBNDA5NlNIQTI1NlRp # bWVTdGFtcGluZ0NBLmNybDCBkAYIKwYBBQUHAQEEgYMwgYAwJAYIKwYBBQUHMAGG # GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBYBggrBgEFBQcwAoZMaHR0cDovL2Nh # Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0UlNBNDA5NlNIQTI1 # NlRpbWVTdGFtcGluZ0NBLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAgRrW3qCptZgX # vHCNT4o8aJzYJf/LLOTN6l0ikuyMIgKpuM+AqNnn48XtJoKKcS8Y3U623mzX4WCc # K+3tPUiOuGu6fF29wmE3aEl3o+uQqhLXJ4Xzjh6S2sJAOJ9dyKAuJXglnSoFeoQp # mLZXeY/bJlYrsPOnvTcM2Jh2T1a5UsK2nTipgedtQVyMadG5K8TGe8+c+njikxp2 # oml101DkRBK+IA2eqUTQ+OVJdwhaIcW0z5iVGlS6ubzBaRm6zxbygzc0brBBJt3e # WpdPM43UjXd9dUWhpVgmagNF3tlQtVCMr1a9TMXhRsUo063nQwBw3syYnhmJA+rU # kTfvTVLzyWAhxFZH7doRS4wyw4jmWOK22z75X7BC1o/jF5HRqsBV44a/rCcsQdCa # M0qoNtS5cpZ+l3k4SF/Kwtw9Mt911jZnWon49qfH5U81PAC9vpwqbHkB3NpE5jre # ODsHXjlY9HxzMVWggBHLFAx+rrz+pOt5Zapo1iLKO+uagjVXKBbLafIymrLS2Dq4 # sUaGa7oX/cR3bBVsrquvczroSUa31X/MtjjA2Owc9bahuEMs305MfR5ocMB3CtQC # 4Fxguyj/OOVSWtasFyIjTvTs0xf7UGv/B3cfcZdEQcm4RtNsMnxYL2dHZeUbc7aZ # +WssBkbvQR7w8F/g29mtkIBEr4AQQYowggauMIIElqADAgECAhAHNje3JFR82Ees # /ShmKl5bMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxE # aWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMT # GERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yMjAzMjMwMDAwMDBaFw0zNzAz # MjIyMzU5NTlaMGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5j # LjE7MDkGA1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNIQTI1NiBU # aW1lU3RhbXBpbmcgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDG # hjUGSbPBPXJJUVXHJQPE8pE3qZdRodbSg9GeTKJtoLDMg/la9hGhRBVCX6SI82j6 # ffOciQt/nR+eDzMfUBMLJnOWbfhXqAJ9/UO0hNoR8XOxs+4rgISKIhjf69o9xBd/ # qxkrPkLcZ47qUT3w1lbU5ygt69OxtXXnHwZljZQp09nsad/ZkIdGAHvbREGJ3Hxq # V3rwN3mfXazL6IRktFLydkf3YYMZ3V+0VAshaG43IbtArF+y3kp9zvU5EmfvDqVj # bOSmxR3NNg1c1eYbqMFkdECnwHLFuk4fsbVYTXn+149zk6wsOeKlSNbwsDETqVcp # licu9Yemj052FVUmcJgmf6AaRyBD40NjgHt1biclkJg6OBGz9vae5jtb7IHeIhTZ # girHkr+g3uM+onP65x9abJTyUpURK1h0QCirc0PO30qhHGs4xSnzyqqWc0Jon7ZG # s506o9UD4L/wojzKQtwYSH8UNM/STKvvmz3+DrhkKvp1KCRB7UK/BZxmSVJQ9FHz # NklNiyDSLFc1eSuo80VgvCONWPfcYd6T/jnA+bIwpUzX6ZhKWD7TA4j+s4/TXkt2 # ElGTyYwMO1uKIqjBJgj5FBASA31fI7tk42PgpuE+9sJ0sj8eCXbsq11GdeJgo1gJ # ASgADoRU7s7pXcheMBK9Rp6103a50g5rmQzSM7TNsQIDAQABo4IBXTCCAVkwEgYD # VR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUuhbZbU2FL3MpdpovdYxqII+eyG8w # HwYDVR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGG # MBMGA1UdJQQMMAoGCCsGAQUFBwMIMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcw # AYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8v # Y2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBD # BgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNl # cnRUcnVzdGVkUm9vdEc0LmNybDAgBgNVHSAEGTAXMAgGBmeBDAEEAjALBglghkgB # hv1sBwEwDQYJKoZIhvcNAQELBQADggIBAH1ZjsCTtm+YqUQiAX5m1tghQuGwGC4Q # TRPPMFPOvxj7x1Bd4ksp+3CKDaopafxpwc8dB+k+YMjYC+VcW9dth/qEICU0MWfN # thKWb8RQTGIdDAiCqBa9qVbPFXONASIlzpVpP0d3+3J0FNf/q0+KLHqrhc1DX+1g # tqpPkWaeLJ7giqzl/Yy8ZCaHbJK9nXzQcAp876i8dU+6WvepELJd6f8oVInw1Ypx # dmXazPByoyP6wCeCRK6ZJxurJB4mwbfeKuv2nrF5mYGjVoarCkXJ38SNoOeY+/um # nXKvxMfBwWpx2cYTgAnEtp/Nh4cku0+jSbl3ZpHxcpzpSwJSpzd+k1OsOx0ISQ+U # zTl63f8lY5knLD0/a6fxZsNBzU+2QJshIUDQtxMkzdwdeDrknq3lNHGS1yZr5Dhz # q6YBT70/O3itTK37xJV77QpfMzmHQXh6OOmc4d0j/R0o08f56PGYX/sr2H7yRp11 # LB4nLCbbbxV7HhmLNriT1ObyF5lZynDwN7+YAN8gFk8n+2BnFqFmut1VwDophrCY # oCvtlUG3OtUVmDG0YgkPCr2B2RP+v6TR81fZvAT6gt4y3wSJ8ADNXcL50CN/AAvk # dgIm2fBldkKmKYcJRyvmfxqkhQ/8mJb2VVQrH4D6wPIOK+XW+6kvRBVK5xMOHds3 # OBqhK/bt1nz8MIIFjTCCBHWgAwIBAgIQDpsYjvnQLefv21DiCEAYWjANBgkqhkiG # 9w0BAQwFADBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkw # FwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1 # cmVkIElEIFJvb3QgQ0EwHhcNMjIwODAxMDAwMDAwWhcNMzExMTA5MjM1OTU5WjBi # MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 # d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg # RzQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAi # MGkz7MKnJS7JIT3yithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnny # yhHS5F/WBTxSD1Ifxp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE # 5nQ7bXHiLQwb7iDVySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm # 7nfISKhmV1efVFiODCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5 # w3jHtrHEtWoYOAMQjdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsD # dV14Ztk6MUSaM0C/CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1Z # XUJ2h4mXaXpI8OCiEhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS0 # 0mFt6zPZxd9LBADMfRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hk # pjPRiQfhvbfmQ6QYuKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m8 # 00ERElvlEFDrMcXKchYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+i # sX4KJpn15GkvmB0t9dmpsh3lGwIDAQABo4IBOjCCATYwDwYDVR0TAQH/BAUwAwEB # /zAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wHwYDVR0jBBgwFoAUReui # r/SSy4IxLVGLp6chnfNtyA8wDgYDVR0PAQH/BAQDAgGGMHkGCCsGAQUFBwEBBG0w # azAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEMGCCsGAQUF # BzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk # SURSb290Q0EuY3J0MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwzLmRpZ2lj # ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwEQYDVR0gBAowCDAG # BgRVHSAAMA0GCSqGSIb3DQEBDAUAA4IBAQBwoL9DXFXnOF+go3QbPbYW1/e/Vwe9 # mqyhhyzshV6pGrsi+IcaaVQi7aSId229GhT0E0p6Ly23OO/0/4C5+KH38nLeJLxS # A8hO0Cre+i1Wz/n096wwepqLsl7Uz9FDRJtDIeuWcqFItJnLnU+nBgMTdydE1Od/ # 6Fmo8L8vC6bp8jQ87PcDx4eo0kxAGTVGamlUsLihVo7spNU96LHc/RzY9HdaXFSM # b++hUD38dglohJ9vytsgjTVgHAIDyyCwrFigDkBjxZgiwbJZ9VVrzyerbHbObyMt # 9H5xaiNrIv8SuFQtJ37YOtnwtoeW/VvRXKwYw02fc7cBqZ9Xql4o4rmUMYIDdjCC # A3ICAQEwdzBjMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4x # OzA5BgNVBAMTMkRpZ2lDZXJ0IFRydXN0ZWQgRzQgUlNBNDA5NiBTSEEyNTYgVGlt # ZVN0YW1waW5nIENBAhAFRK/zlJ0IOaa/2z9f5WEWMA0GCWCGSAFlAwQCAQUAoIHR # MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjQw # OTA0MTM0NDIxWjArBgsqhkiG9w0BCRACDDEcMBowGDAWBBRm8CsywsLJD4JdzqqK # ycZPGZzPQDAvBgkqhkiG9w0BCQQxIgQg97Tvm4LtFlfmChRss9sXWqagm+KL0tYK # R3zHOG+PfzgwNwYLKoZIhvcNAQkQAi8xKDAmMCQwIgQg0vbkbe10IszR1EBXaEE2 # b4KK2lWarjMWr00amtQMeCgwDQYJKoZIhvcNAQEBBQAEggIARtYMsMtE0hOuy+3b # zrP6VkDNDgdfqyWDXYPnhtdVJ/oghMyT8PmDS/ejkk55iriQ6UHFIGCzq04dhL4U # x0lxLZ53uK9gDB4AAbLgf8sOxt1kseVkd5xyvq5XWuLPf+Eze/I1kfUxD4LyGTXP # 1aPpb/4ixv9+Ycevj+ehDnjYtxW4cKUIqDi+arGGCpiuOhLcH+gQzNOry3meeYJm # KlgbUBFpWre+KL/ED3IxnIjd6cdDwu9PbZAVpcjSdd6xHLBFOApeLOBTWWp9LNcl # lqKP9gCnJsaFiOObPWQ1egc8PRqsdOUoWvoKaIX6kV27JKWhJO3a3UDbeg2JmqAv # VoxLQKedDUOllukKagUaUxm38KysCZFUgHhYAHnnkitaWGsneLmX+gDziim4Iepa # fJ5JAYwRzqLeeKGuaoDVY8MCd/X9OShMMn7EaVlMH9caHh4QxiMfu0KXS9CtVO3J # +zIqHmkk40gOXBmNHBZn7RI2m66V4Zpy/yfgg+qkwOsf983pIUPoCbcK1w+droK9 # 3zwLBaS9rsi/kxFdl9ubBikjQCGnYQy6VTy360KCssubXgVyrVAFkWqZqmkitBF1 # L9aDRtgfYEukFV06LzUwEUl5jJ1i55FxBQuIvrEQyumX8CCGz8Xal2A0AhMwO+41 # mC3ryIPGVvR2m+Lhza7KCdkHycc= # SIG # End signature block |