ScubaGear – Secure Cloud Business Applications (SCuBA) Secure Configuration Baseline

ScubaGear was released by CISA and assesses your Microsoft Cloud against “Secure Cloud Business Applications” (SCuBA) baseline policies.

More can be found on CISA’s GitHub: https://github.com/cisagov/ScubaGear

This post will serve as a quick starting guide.

Download the ScubaGear PowerShell application

Download their latest release from GitHub: https://github.com/cisagov/ScubaGear/releases

(You can also install it directly from PowerShell, but I prefer the manual approach.)

Once downloaded, extract it to e.g. c:\Temp

Extracted

Installation

(Most of the below is directly from https://github.com/cisagov/ScubaGear/blob/main/docs/installation/github.md)

Navigate to where you extracted it (e.g. C:\temp\ScubaGear-1.4.0\ScubaGear-1.4.0) and run:

Import-Module .\PowerShell\ScubaGear 

Ensure your PowerShell execution policy is set to “RemoteSigned”:

Get-ExecutionPolicy

If it is not RemoteSigned, then change it:

# Set execution policy to Remote Signed
Set-ExecutionPolicy `
  -ExecutionPolicy RemoteSigned `
  -Scope LocalMachine

Next, initialize Scuba:

Initialize-SCuBA 

And then double-check that it is installed successfully:

Invoke-SCuBA -Version

Run ScubaGear

I had some issues when running ScubaGear with the below command, i.e. on all products:

Invoke-SCuBA -ProductNames *

I then looked at the error and found ScubaGear supports the following product list:

$ProductDetails = @{
    aad = "Azure Active Directory"
    defender = "Microsoft 365 Defender"
    exo = "Exchange Online"
    powerplatform = "Microsoft Power Platform"
    sharepoint = "SharePoint Online"
    teams = "Microsoft Teams"
}

(I found the product list in \ScubaGear-1.4.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1)

I then decided to run ScubaGear as such to only assess AAD:

Invoke-SCuBA -ProductNames aad

You will need to provide admin consent, so ensure your user is able to grant it; otherwise, approve the consent request in https://entra.microsoft.com/ under Admin Consent Requests.

After granting consent, you will notice that a new App Registration was created with a whole bunch of permissions:

New app registration
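
To review what that consent actually granted, the following added example (not from the original post or from the ScubaGear project) lists the delegated permission grants on the app using the Microsoft Graph PowerShell SDK and marks every scope that is not read-only. The $AppDisplayName parameter, the Get-ScopeReview helper and the write-scope pattern are assumptions; pass the app name shown in your own tenant.

```powershell
# Added example (not from the original post or the ScubaGear project).
# Assumes the Microsoft Graph PowerShell SDK is installed and that
# $AppDisplayName is the app name shown in your tenant (hypothetical parameter).
param(
    [Parameter(Mandatory)]
    [string]$AppDisplayName
)

function Get-ScopeReview {
    # Split a grant's space-separated scope string and mark scopes that
    # are not read-only. The pattern is a review heuristic (assumption).
    param([string]$ScopeString)
    foreach ($scope in ($ScopeString -split '\s+' | Where-Object { $_ })) {
        [pscustomobject]@{
            Scope       = $scope
            NeedsReview = $scope -match 'Write|Manage|FullControl|Send'
        }
    }
}

# Directory.Read.All is enough to read service principals and their grants.
Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

# Escape single quotes for the OData filter.
$name = $AppDisplayName.Replace("'", "''")
$apps = Get-MgServicePrincipal -Filter "displayName eq '$name'"
if (-not $apps) { throw "No service principal named '$AppDisplayName' found." }

$report = foreach ($app in $apps) {
    $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($app.Id)'" -All
    foreach ($grant in $grants) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
        foreach ($item in Get-ScopeReview $grant.Scope) {
            [pscustomobject]@{
                App         = $app.DisplayName
                Resource    = $resource.DisplayName
                # AllPrincipals = tenant-wide admin consent; Principal = one user
                ConsentType = $grant.ConsentType
                PrincipalId = $grant.PrincipalId
                Scope       = $item.Scope
                NeedsReview = $item.NeedsReview
            }
        }
    }
}

# Scopes flagged for review sort to the top.
$report | Sort-Object NeedsReview, Scope -Descending | Format-Table -AutoSize
```

Connecting with Directory.Read.All may itself prompt for consent. Grants with ConsentType AllPrincipals apply to every user in the tenant, so those rows deserve the closest look.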

Report

When ScubaGear is done running, it will open a browser with the report. The report is saved on disk here:

Report location

The report provides extremely detailed information, with links to external resources by CISA to help you remediate the findings.

Report example


necrolingus

Tech enthusiast and home labber