View on GitHub

ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines

ScubaGear Logo

GitHub Release PSGallery Release CI Pipeline Functional Tests GitHub License GitHub Downloads PSGallery Downloads GitHub Issues

ScubaGear is an assessment tool that verifies that a Microsoft 365 (M365) tenant’s configuration conforms to the policies described in the Secure Cloud Business Applications (SCuBA) Secure Configuration Baseline documents.

[!NOTE] This documentation can be read using GitHub Pages.

Target Audience

ScubaGear is for M365 administrators who want to assess their tenant environments against CISA Secure Configuration Baselines.

Overview

ScubaGear uses a three-step process:

ScubaGear Assessment Process Diagram

Key Features

Baseline Security Coverage

SCuBA controls have been mapped to both NIST SP 800-53 and the MITRE ATT&CK framework.

ScubaGear Output

Getting Started

Before launching ScubaGear, it’s important to ensure your environment is properly configured. This includes having the necessary dependencies and permissions in place.

Please review the prerequisites section to verify that your system meets all requirements. This will help avoid errors during execution and ensure a smooth experience when using ScubaGear.

Quick Start Guide

ScubaGear can be run multiple times to properly evaluate baseline settings.

  1. First Run (No Configuration File): Start ScubaGear without a configuration file. This initial run generates a baseline template of your environment’s current settings. It does not make changes but helps you understand the default posture.

  2. Subsequent Runs (With Configuration File): After reviewing and editing the generated configuration file, run ScubaGear again with the configuration file as input. This allows ScubaGear to compare your intended settings against the actual environment and elevate discrepancies accordingly.

[!IMPORTANT] ScubaGear has specific prerequisites and relies on defined configuration values to properly evaluate your Microsoft 365 tenant. After your initial assessment run, review the results thoroughly. Address any identified gaps by updating your tenant configuration or documenting risk acceptances in a YAML configuration file using exclusions, annotations, or omissions. Refer to the sections below for detailed guidance.

This iterative approach ensures ScubaGear is aligned with your environment and that all policy evaluations are based on your customized baseline.

1. Install ScubaGear

To install ScubaGear from PSGallery, open a PowerShell 5 terminal on a Windows computer and install the module:

# Install ScubaGear
Install-Module -Name ScubaGear

2. Install Dependencies

# Install the minimum required dependencies
Initialize-SCuBA

3. Verify Installation

# Check the version
Invoke-SCuBA -Version

4. Run Your First Assessment

# Assess all products (basic command)
Invoke-SCuBA -ProductNames *

5. Build YAML configuration file

ScubaGear uses a YAML configuration file to define how your environment should be evaluated. This file serves several important purposes:

[!IMPORTANT] Without a properly defined YAML file, ScubaGear will assume a default configuration that may not reflect your organization’s actual policies or risk posture. It is required if the usage is for CISA’s Binding Operational Directive (BOD) 25-01

Reuse provided sample files

[!TIP] full_config.yaml is included to help you get started. This file should be customized to reflect your tenant’s unique configuration before using it with the ScubaGear module.

6: Run ScubaGear with a configuration File

When running Invoke-SCuBA for BOD 25-01 submissions:

# Run with a configuration file
Invoke-SCuBA -ConfigFilePath "path/to/your/config.yaml" -Organization 'example.onmicrosoft.com'

For all other instances:

# Run with a configuration file (no-BOD)
Invoke-SCuBA -ConfigFilePath "path/to/your/config.yaml" -SilenceBODWarnings

Table of Contents

Getting Started

Installation

#### Prerequisites

Configuration & Usage

Running Assessments

Troubleshooting & Support

Automation

Additional Resources

Project License

Unless otherwise noted, this project is distributed under the Creative Commons Zero license. With developer approval, contributions may be submitted with an alternate compatible license. If accepted, those contributions will be listed herein with the appropriate license.