Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-07 12:11:53 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/Modules/Privacy/Test-PrivacyCompliance.ps1

177 lines
7.6 KiB
PowerShell
Raw Normal View History

v2.2.0 - Complete Security Hardening Framework (632 Settings)
2025-12-08 10:32:49 +01:00
function Test-PrivacyCompliance {
<#
.SYNOPSIS
Verify privacy settings compliance
.DESCRIPTION
Checks if all privacy settings were applied correctly according to the selected mode
.PARAMETER Config
Configuration object to verify against
.EXAMPLE
Test-PrivacyCompliance -Config $config
#>
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[PSCustomObject]$Config
)
try {
Write-Log -Level INFO -Message "Verifying privacy settings compliance..." -Module "Privacy"
$compliant = $true
$totalChecks = 0
$passed = 0
$failed = @()
# Verify registry settings from Privacy config
$categories = @("DataCollection", "Personalization", "SearchAndCloud", "InputAndSync", "LocationAndAppPrivacy")
foreach ($category in $categories) {
if ($Config.PSObject.Properties.Name -contains $category) {
foreach ($keyPath in $Config.$category.PSObject.Properties.Name) {
foreach ($valueName in $Config.$category.$keyPath.PSObject.Properties.Name) {
$totalChecks++
$expected = $Config.$category.$keyPath.$valueName.Value
try {
$actual = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop).$valueName
if ($actual -eq $expected) {
$passed++
} else {
$failMsg = "MISMATCH: $keyPath\$valueName = $actual (expected: $expected)"
Write-Log -Level WARNING -Message $failMsg -Module "Privacy"
$failed += $failMsg
$compliant = $false
}
} catch {
$failMsg = "NOT FOUND: $keyPath\$valueName (expected: $expected)"
Write-Log -Level WARNING -Message $failMsg -Module "Privacy"
$failed += $failMsg
$compliant = $false
}
}
}
}
}
# Also verify OneDrive.json settings (6 additional settings)
$oneDriveConfigPath = Join-Path $PSScriptRoot "Config\OneDrive.json"
if (Test-Path $oneDriveConfigPath) {
$oneDriveConfig = Get-Content $oneDriveConfigPath -Raw | ConvertFrom-Json
$oneDriveCategories = @("OneDrivePolicies", "StorePolicies")
foreach ($category in $oneDriveCategories) {
if ($oneDriveConfig.PSObject.Properties.Name -contains $category) {
foreach ($keyPath in $oneDriveConfig.$category.PSObject.Properties.Name) {
foreach ($valueName in $oneDriveConfig.$category.$keyPath.PSObject.Properties.Name) {
$totalChecks++
$expected = $oneDriveConfig.$category.$keyPath.$valueName.Value
try {
$actual = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop).$valueName
if ($actual -eq $expected) {
$passed++
} else {
$failMsg = "MISMATCH: $keyPath\$valueName = $actual (expected: $expected)"
Write-Log -Level WARNING -Message $failMsg -Module "Privacy"
$failed += $failMsg
$compliant = $false
}
} catch {
$failMsg = "NOT FOUND: $keyPath\$valueName (expected: $expected)"
Write-Log -Level WARNING -Message $failMsg -Module "Privacy"
$failed += $failMsg
$compliant = $false
}
}
}
}
}
}
# Verify services
if ($Config.Services.Count -gt 0) {
foreach ($svc in $Config.Services) {
$totalChecks++
$service = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
if ($service -and $service.StartType -eq "Disabled") {
$passed++
} else {
$failMsg = "SERVICE: $($svc.Name) not disabled (current: $($service.StartType))"
Write-Log -Level WARNING -Message $failMsg -Module "Privacy"
$failed += $failMsg
$compliant = $false
}
}
}
# Verify scheduled tasks
if ($Config.ScheduledTasks.Count -gt 0) {
foreach ($taskPath in $Config.ScheduledTasks) {
$totalChecks++
$taskName = Split-Path $taskPath -Leaf
$taskFolder = Split-Path $taskPath -Parent
$task = Get-ScheduledTask -TaskName $taskName -TaskPath $taskFolder -ErrorAction SilentlyContinue
if ($task) {
if ($task.State -eq "Disabled") {
$passed++
} else {
$failMsg = "TASK: $taskPath not disabled (current: $($task.State))"
Write-Log -Level WARNING -Message $failMsg -Module "Privacy"
$failed += $failMsg
$compliant = $false
}
} else {
# Task not found - effectively disabled/removed
$passed++
}
}
}
# Avoid division by zero if no checks were performed
if ($totalChecks -eq 0) {
Write-Log -Level WARNING -Message "No compliance checks could be performed (config may be empty or incompatible)" -Module "Privacy"
return [PSCustomObject]@{
Compliant = $true
TotalChecks = 0
Passed = 0
Failed = 0
Percentage = 100
FailedChecks = @()
}
}
$percentage = [math]::Round(($passed / $totalChecks) * 100, 1)
Write-Log -Level INFO -Message "Compliance check: $passed/$totalChecks checks passed ($percentage%)" -Module "Privacy"
if ($compliant) {
Write-Log -Level SUCCESS -Message "Privacy settings are fully compliant" -Module "Privacy"
} else {
Write-Log -Level WARNING -Message "Some privacy settings are not compliant - $($failed.Count) issue(s) found" -Module "Privacy"
# Log each failed check individually
foreach ($fail in $failed) {
Write-Log -Level WARNING -Message " - $fail" -Module "Privacy"
}
}
# Return detailed result object instead of just boolean
return [PSCustomObject]@{
Compliant = $compliant
TotalChecks = $totalChecks
Passed = $passed
Failed = ($totalChecks - $passed)
Percentage = $percentage
FailedChecks = $failed
}
} catch {
Write-Log -Level ERROR -Message "Compliance verification failed: $_" -Module "Privacy"
return $false
}
}
Reference in a new issue Copy permalink