@etcsec-com/etc-collector 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.env.example +60 -0
- package/.env.test.example +33 -0
- package/.github/workflows/ci.yml +83 -0
- package/.github/workflows/release.yml +246 -0
- package/.prettierrc.json +10 -0
- package/CHANGELOG.md +15 -0
- package/Dockerfile +57 -0
- package/LICENSE +190 -0
- package/README.md +194 -0
- package/dist/api/controllers/audit.controller.d.ts +21 -0
- package/dist/api/controllers/audit.controller.d.ts.map +1 -0
- package/dist/api/controllers/audit.controller.js +179 -0
- package/dist/api/controllers/audit.controller.js.map +1 -0
- package/dist/api/controllers/auth.controller.d.ts +16 -0
- package/dist/api/controllers/auth.controller.d.ts.map +1 -0
- package/dist/api/controllers/auth.controller.js +146 -0
- package/dist/api/controllers/auth.controller.js.map +1 -0
- package/dist/api/controllers/export.controller.d.ts +27 -0
- package/dist/api/controllers/export.controller.d.ts.map +1 -0
- package/dist/api/controllers/export.controller.js +80 -0
- package/dist/api/controllers/export.controller.js.map +1 -0
- package/dist/api/controllers/health.controller.d.ts +5 -0
- package/dist/api/controllers/health.controller.d.ts.map +1 -0
- package/dist/api/controllers/health.controller.js +16 -0
- package/dist/api/controllers/health.controller.js.map +1 -0
- package/dist/api/controllers/jobs.controller.d.ts +13 -0
- package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
- package/dist/api/controllers/jobs.controller.js +125 -0
- package/dist/api/controllers/jobs.controller.js.map +1 -0
- package/dist/api/controllers/providers.controller.d.ts +15 -0
- package/dist/api/controllers/providers.controller.d.ts.map +1 -0
- package/dist/api/controllers/providers.controller.js +112 -0
- package/dist/api/controllers/providers.controller.js.map +1 -0
- package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
- package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
- package/dist/api/dto/AuditRequest.dto.js +3 -0
- package/dist/api/dto/AuditRequest.dto.js.map +1 -0
- package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
- package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
- package/dist/api/dto/AuditResponse.dto.js +3 -0
- package/dist/api/dto/AuditResponse.dto.js.map +1 -0
- package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
- package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
- package/dist/api/dto/TokenRequest.dto.js +3 -0
- package/dist/api/dto/TokenRequest.dto.js.map +1 -0
- package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
- package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
- package/dist/api/dto/TokenResponse.dto.js +3 -0
- package/dist/api/dto/TokenResponse.dto.js.map +1 -0
- package/dist/api/middlewares/authenticate.d.ts +12 -0
- package/dist/api/middlewares/authenticate.d.ts.map +1 -0
- package/dist/api/middlewares/authenticate.js +141 -0
- package/dist/api/middlewares/authenticate.js.map +1 -0
- package/dist/api/middlewares/errorHandler.d.ts +3 -0
- package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
- package/dist/api/middlewares/errorHandler.js +30 -0
- package/dist/api/middlewares/errorHandler.js.map +1 -0
- package/dist/api/middlewares/rateLimit.d.ts +3 -0
- package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
- package/dist/api/middlewares/rateLimit.js +34 -0
- package/dist/api/middlewares/rateLimit.js.map +1 -0
- package/dist/api/middlewares/validate.d.ts +4 -0
- package/dist/api/middlewares/validate.d.ts.map +1 -0
- package/dist/api/middlewares/validate.js +31 -0
- package/dist/api/middlewares/validate.js.map +1 -0
- package/dist/api/routes/audit.routes.d.ts +5 -0
- package/dist/api/routes/audit.routes.d.ts.map +1 -0
- package/dist/api/routes/audit.routes.js +24 -0
- package/dist/api/routes/audit.routes.js.map +1 -0
- package/dist/api/routes/auth.routes.d.ts +6 -0
- package/dist/api/routes/auth.routes.d.ts.map +1 -0
- package/dist/api/routes/auth.routes.js +22 -0
- package/dist/api/routes/auth.routes.js.map +1 -0
- package/dist/api/routes/export.routes.d.ts +5 -0
- package/dist/api/routes/export.routes.d.ts.map +1 -0
- package/dist/api/routes/export.routes.js +16 -0
- package/dist/api/routes/export.routes.js.map +1 -0
- package/dist/api/routes/health.routes.d.ts +4 -0
- package/dist/api/routes/health.routes.d.ts.map +1 -0
- package/dist/api/routes/health.routes.js +11 -0
- package/dist/api/routes/health.routes.js.map +1 -0
- package/dist/api/routes/index.d.ts +10 -0
- package/dist/api/routes/index.d.ts.map +1 -0
- package/dist/api/routes/index.js +20 -0
- package/dist/api/routes/index.js.map +1 -0
- package/dist/api/routes/providers.routes.d.ts +5 -0
- package/dist/api/routes/providers.routes.d.ts.map +1 -0
- package/dist/api/routes/providers.routes.js +13 -0
- package/dist/api/routes/providers.routes.js.map +1 -0
- package/dist/api/validators/audit.schemas.d.ts +60 -0
- package/dist/api/validators/audit.schemas.d.ts.map +1 -0
- package/dist/api/validators/audit.schemas.js +55 -0
- package/dist/api/validators/audit.schemas.js.map +1 -0
- package/dist/api/validators/auth.schemas.d.ts +17 -0
- package/dist/api/validators/auth.schemas.d.ts.map +1 -0
- package/dist/api/validators/auth.schemas.js +21 -0
- package/dist/api/validators/auth.schemas.js.map +1 -0
- package/dist/app.d.ts +3 -0
- package/dist/app.d.ts.map +1 -0
- package/dist/app.js +62 -0
- package/dist/app.js.map +1 -0
- package/dist/config/config.schema.d.ts +65 -0
- package/dist/config/config.schema.d.ts.map +1 -0
- package/dist/config/config.schema.js +95 -0
- package/dist/config/config.schema.js.map +1 -0
- package/dist/config/index.d.ts +4 -0
- package/dist/config/index.d.ts.map +1 -0
- package/dist/config/index.js +75 -0
- package/dist/config/index.js.map +1 -0
- package/dist/container.d.ts +47 -0
- package/dist/container.d.ts.map +1 -0
- package/dist/container.js +137 -0
- package/dist/container.js.map +1 -0
- package/dist/data/database.d.ts +13 -0
- package/dist/data/database.d.ts.map +1 -0
- package/dist/data/database.js +68 -0
- package/dist/data/database.js.map +1 -0
- package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
- package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
- package/dist/data/jobs/token-cleanup.job.js +96 -0
- package/dist/data/jobs/token-cleanup.job.js.map +1 -0
- package/dist/data/migrations/migration.runner.d.ts +13 -0
- package/dist/data/migrations/migration.runner.d.ts.map +1 -0
- package/dist/data/migrations/migration.runner.js +136 -0
- package/dist/data/migrations/migration.runner.js.map +1 -0
- package/dist/data/models/Token.model.d.ts +30 -0
- package/dist/data/models/Token.model.d.ts.map +1 -0
- package/dist/data/models/Token.model.js +3 -0
- package/dist/data/models/Token.model.js.map +1 -0
- package/dist/data/repositories/token.repository.d.ts +16 -0
- package/dist/data/repositories/token.repository.d.ts.map +1 -0
- package/dist/data/repositories/token.repository.js +97 -0
- package/dist/data/repositories/token.repository.js.map +1 -0
- package/dist/providers/azure/auth.provider.d.ts +5 -0
- package/dist/providers/azure/auth.provider.d.ts.map +1 -0
- package/dist/providers/azure/auth.provider.js +13 -0
- package/dist/providers/azure/auth.provider.js.map +1 -0
- package/dist/providers/azure/azure-errors.d.ts +40 -0
- package/dist/providers/azure/azure-errors.d.ts.map +1 -0
- package/dist/providers/azure/azure-errors.js +121 -0
- package/dist/providers/azure/azure-errors.js.map +1 -0
- package/dist/providers/azure/azure-retry.d.ts +41 -0
- package/dist/providers/azure/azure-retry.d.ts.map +1 -0
- package/dist/providers/azure/azure-retry.js +85 -0
- package/dist/providers/azure/azure-retry.js.map +1 -0
- package/dist/providers/azure/graph-client.d.ts +26 -0
- package/dist/providers/azure/graph-client.d.ts.map +1 -0
- package/dist/providers/azure/graph-client.js +146 -0
- package/dist/providers/azure/graph-client.js.map +1 -0
- package/dist/providers/azure/graph.provider.d.ts +23 -0
- package/dist/providers/azure/graph.provider.d.ts.map +1 -0
- package/dist/providers/azure/graph.provider.js +161 -0
- package/dist/providers/azure/graph.provider.js.map +1 -0
- package/dist/providers/azure/queries/app.queries.d.ts +6 -0
- package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
- package/dist/providers/azure/queries/app.queries.js +9 -0
- package/dist/providers/azure/queries/app.queries.js.map +1 -0
- package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
- package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
- package/dist/providers/azure/queries/policy.queries.js +9 -0
- package/dist/providers/azure/queries/policy.queries.js.map +1 -0
- package/dist/providers/azure/queries/user.queries.d.ts +7 -0
- package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
- package/dist/providers/azure/queries/user.queries.js +10 -0
- package/dist/providers/azure/queries/user.queries.js.map +1 -0
- package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
- package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
- package/dist/providers/interfaces/IGraphProvider.js +3 -0
- package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
- package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
- package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
- package/dist/providers/interfaces/ILDAPProvider.js +3 -0
- package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
- package/dist/providers/ldap/acl-parser.d.ts +8 -0
- package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
- package/dist/providers/ldap/acl-parser.js +157 -0
- package/dist/providers/ldap/acl-parser.js.map +1 -0
- package/dist/providers/ldap/ad-mappers.d.ts +8 -0
- package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
- package/dist/providers/ldap/ad-mappers.js +162 -0
- package/dist/providers/ldap/ad-mappers.js.map +1 -0
- package/dist/providers/ldap/ldap-client.d.ts +33 -0
- package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-client.js +195 -0
- package/dist/providers/ldap/ldap-client.js.map +1 -0
- package/dist/providers/ldap/ldap-errors.d.ts +48 -0
- package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-errors.js +120 -0
- package/dist/providers/ldap/ldap-errors.js.map +1 -0
- package/dist/providers/ldap/ldap-retry.d.ts +14 -0
- package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-retry.js +102 -0
- package/dist/providers/ldap/ldap-retry.js.map +1 -0
- package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
- package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-sanitizer.js +104 -0
- package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
- package/dist/providers/ldap/ldap.provider.d.ts +21 -0
- package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
- package/dist/providers/ldap/ldap.provider.js +165 -0
- package/dist/providers/ldap/ldap.provider.js.map +1 -0
- package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
- package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
- package/dist/providers/ldap/queries/computer.queries.js +9 -0
- package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
- package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
- package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
- package/dist/providers/ldap/queries/group.queries.js +9 -0
- package/dist/providers/ldap/queries/group.queries.js.map +1 -0
- package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
- package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
- package/dist/providers/ldap/queries/user.queries.js +10 -0
- package/dist/providers/ldap/queries/user.queries.js.map +1 -0
- package/dist/providers/smb/smb.provider.d.ts +68 -0
- package/dist/providers/smb/smb.provider.d.ts.map +1 -0
- package/dist/providers/smb/smb.provider.js +382 -0
- package/dist/providers/smb/smb.provider.js.map +1 -0
- package/dist/server.d.ts +2 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +44 -0
- package/dist/server.js.map +1 -0
- package/dist/services/audit/ad-audit.service.d.ts +70 -0
- package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
- package/dist/services/audit/ad-audit.service.js +1019 -0
- package/dist/services/audit/ad-audit.service.js.map +1 -0
- package/dist/services/audit/attack-graph.service.d.ts +62 -0
- package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
- package/dist/services/audit/attack-graph.service.js +702 -0
- package/dist/services/audit/attack-graph.service.js.map +1 -0
- package/dist/services/audit/audit.service.d.ts +4 -0
- package/dist/services/audit/audit.service.d.ts.map +1 -0
- package/dist/services/audit/audit.service.js +10 -0
- package/dist/services/audit/audit.service.js.map +1 -0
- package/dist/services/audit/azure-audit.service.d.ts +37 -0
- package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
- package/dist/services/audit/azure-audit.service.js +153 -0
- package/dist/services/audit/azure-audit.service.js.map +1 -0
- package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
- package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
- package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
- package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
- package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
- package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
- package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
- package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
- package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
- package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
- package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
- package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
- package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
- package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
- package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/index.d.ts +15 -0
- package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/index.js +51 -0
- package/dist/services/audit/detectors/ad/index.js.map +1 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
- package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/network.detector.js +257 -0
- package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
- package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/password.detector.js +235 -0
- package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
- package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
- package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
- package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
- package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
- package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
- package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
- package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
- package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
- package/dist/services/audit/detectors/index.d.ts +2 -0
- package/dist/services/audit/detectors/index.d.ts.map +1 -0
- package/dist/services/audit/detectors/index.js +38 -0
- package/dist/services/audit/detectors/index.js.map +1 -0
- package/dist/services/audit/response-formatter.d.ts +176 -0
- package/dist/services/audit/response-formatter.d.ts.map +1 -0
- package/dist/services/audit/response-formatter.js +240 -0
- package/dist/services/audit/response-formatter.js.map +1 -0
- package/dist/services/audit/scoring.service.d.ts +15 -0
- package/dist/services/audit/scoring.service.d.ts.map +1 -0
- package/dist/services/audit/scoring.service.js +139 -0
- package/dist/services/audit/scoring.service.js.map +1 -0
- package/dist/services/auth/crypto.service.d.ts +19 -0
- package/dist/services/auth/crypto.service.d.ts.map +1 -0
- package/dist/services/auth/crypto.service.js +135 -0
- package/dist/services/auth/crypto.service.js.map +1 -0
- package/dist/services/auth/errors.d.ts +19 -0
- package/dist/services/auth/errors.d.ts.map +1 -0
- package/dist/services/auth/errors.js +46 -0
- package/dist/services/auth/errors.js.map +1 -0
- package/dist/services/auth/token.service.d.ts +41 -0
- package/dist/services/auth/token.service.d.ts.map +1 -0
- package/dist/services/auth/token.service.js +208 -0
- package/dist/services/auth/token.service.js.map +1 -0
- package/dist/services/config/config.service.d.ts +6 -0
- package/dist/services/config/config.service.d.ts.map +1 -0
- package/dist/services/config/config.service.js +64 -0
- package/dist/services/config/config.service.js.map +1 -0
- package/dist/services/export/export.service.d.ts +28 -0
- package/dist/services/export/export.service.d.ts.map +1 -0
- package/dist/services/export/export.service.js +28 -0
- package/dist/services/export/export.service.js.map +1 -0
- package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
- package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
- package/dist/services/export/formatters/csv.formatter.js +46 -0
- package/dist/services/export/formatters/csv.formatter.js.map +1 -0
- package/dist/services/export/formatters/json.formatter.d.ts +40 -0
- package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
- package/dist/services/export/formatters/json.formatter.js +58 -0
- package/dist/services/export/formatters/json.formatter.js.map +1 -0
- package/dist/services/jobs/azure-job-runner.d.ts +38 -0
- package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
- package/dist/services/jobs/azure-job-runner.js +199 -0
- package/dist/services/jobs/azure-job-runner.js.map +1 -0
- package/dist/services/jobs/index.d.ts +4 -0
- package/dist/services/jobs/index.d.ts.map +1 -0
- package/dist/services/jobs/index.js +20 -0
- package/dist/services/jobs/index.js.map +1 -0
- package/dist/services/jobs/job-runner.d.ts +64 -0
- package/dist/services/jobs/job-runner.d.ts.map +1 -0
- package/dist/services/jobs/job-runner.js +952 -0
- package/dist/services/jobs/job-runner.js.map +1 -0
- package/dist/services/jobs/job-store.d.ts +27 -0
- package/dist/services/jobs/job-store.d.ts.map +1 -0
- package/dist/services/jobs/job-store.js +261 -0
- package/dist/services/jobs/job-store.js.map +1 -0
- package/dist/services/jobs/job.types.d.ts +67 -0
- package/dist/services/jobs/job.types.d.ts.map +1 -0
- package/dist/services/jobs/job.types.js +36 -0
- package/dist/services/jobs/job.types.js.map +1 -0
- package/dist/types/ad.types.d.ts +74 -0
- package/dist/types/ad.types.d.ts.map +1 -0
- package/dist/types/ad.types.js +3 -0
- package/dist/types/ad.types.js.map +1 -0
- package/dist/types/adcs.types.d.ts +58 -0
- package/dist/types/adcs.types.d.ts.map +1 -0
- package/dist/types/adcs.types.js +38 -0
- package/dist/types/adcs.types.js.map +1 -0
- package/dist/types/attack-graph.types.d.ts +135 -0
- package/dist/types/attack-graph.types.d.ts.map +1 -0
- package/dist/types/attack-graph.types.js +58 -0
- package/dist/types/attack-graph.types.js.map +1 -0
- package/dist/types/audit.types.d.ts +34 -0
- package/dist/types/audit.types.d.ts.map +1 -0
- package/dist/types/audit.types.js +3 -0
- package/dist/types/audit.types.js.map +1 -0
- package/dist/types/azure.types.d.ts +61 -0
- package/dist/types/azure.types.d.ts.map +1 -0
- package/dist/types/azure.types.js +3 -0
- package/dist/types/azure.types.js.map +1 -0
- package/dist/types/config.types.d.ts +63 -0
- package/dist/types/config.types.d.ts.map +1 -0
- package/dist/types/config.types.js +3 -0
- package/dist/types/config.types.js.map +1 -0
- package/dist/types/error.types.d.ts +33 -0
- package/dist/types/error.types.d.ts.map +1 -0
- package/dist/types/error.types.js +70 -0
- package/dist/types/error.types.js.map +1 -0
- package/dist/types/finding.types.d.ts +133 -0
- package/dist/types/finding.types.d.ts.map +1 -0
- package/dist/types/finding.types.js +3 -0
- package/dist/types/finding.types.js.map +1 -0
- package/dist/types/gpo.types.d.ts +39 -0
- package/dist/types/gpo.types.d.ts.map +1 -0
- package/dist/types/gpo.types.js +15 -0
- package/dist/types/gpo.types.js.map +1 -0
- package/dist/types/token.types.d.ts +26 -0
- package/dist/types/token.types.d.ts.map +1 -0
- package/dist/types/token.types.js +3 -0
- package/dist/types/token.types.js.map +1 -0
- package/dist/types/trust.types.d.ts +45 -0
- package/dist/types/trust.types.d.ts.map +1 -0
- package/dist/types/trust.types.js +71 -0
- package/dist/types/trust.types.js.map +1 -0
- package/dist/utils/entity-converter.d.ts +17 -0
- package/dist/utils/entity-converter.d.ts.map +1 -0
- package/dist/utils/entity-converter.js +285 -0
- package/dist/utils/entity-converter.js.map +1 -0
- package/dist/utils/graph.util.d.ts +66 -0
- package/dist/utils/graph.util.d.ts.map +1 -0
- package/dist/utils/graph.util.js +382 -0
- package/dist/utils/graph.util.js.map +1 -0
- package/dist/utils/logger.d.ts +7 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +86 -0
- package/dist/utils/logger.js.map +1 -0
- package/dist/utils/type-name-normalizer.d.ts +5 -0
- package/dist/utils/type-name-normalizer.d.ts.map +1 -0
- package/dist/utils/type-name-normalizer.js +218 -0
- package/dist/utils/type-name-normalizer.js.map +1 -0
- package/docker-compose.yml +26 -0
- package/docs/api/README.md +178 -0
- package/docs/api/openapi.yaml +1524 -0
- package/eslint.config.js +54 -0
- package/jest.config.js +38 -0
- package/package.json +97 -0
- package/scripts/fetch-ad-cert.sh +142 -0
- package/src/.gitkeep +0 -0
- package/src/api/.gitkeep +0 -0
- package/src/api/controllers/.gitkeep +0 -0
- package/src/api/controllers/audit.controller.ts +313 -0
- package/src/api/controllers/auth.controller.ts +258 -0
- package/src/api/controllers/export.controller.ts +153 -0
- package/src/api/controllers/health.controller.ts +16 -0
- package/src/api/controllers/jobs.controller.ts +187 -0
- package/src/api/controllers/providers.controller.ts +165 -0
- package/src/api/dto/.gitkeep +0 -0
- package/src/api/dto/AuditRequest.dto.ts +8 -0
- package/src/api/dto/AuditResponse.dto.ts +19 -0
- package/src/api/dto/TokenRequest.dto.ts +8 -0
- package/src/api/dto/TokenResponse.dto.ts +14 -0
- package/src/api/middlewares/.gitkeep +0 -0
- package/src/api/middlewares/authenticate.ts +203 -0
- package/src/api/middlewares/errorHandler.ts +54 -0
- package/src/api/middlewares/rateLimit.ts +35 -0
- package/src/api/middlewares/validate.ts +32 -0
- package/src/api/routes/.gitkeep +0 -0
- package/src/api/routes/audit.routes.ts +77 -0
- package/src/api/routes/auth.routes.ts +71 -0
- package/src/api/routes/export.routes.ts +34 -0
- package/src/api/routes/health.routes.ts +14 -0
- package/src/api/routes/index.ts +40 -0
- package/src/api/routes/providers.routes.ts +24 -0
- package/src/api/validators/.gitkeep +0 -0
- package/src/api/validators/audit.schemas.ts +59 -0
- package/src/api/validators/auth.schemas.ts +59 -0
- package/src/app.ts +87 -0
- package/src/config/.gitkeep +0 -0
- package/src/config/config.schema.ts +108 -0
- package/src/config/index.ts +82 -0
- package/src/container.ts +221 -0
- package/src/data/.gitkeep +0 -0
- package/src/data/database.ts +78 -0
- package/src/data/jobs/token-cleanup.job.ts +166 -0
- package/src/data/migrations/.gitkeep +0 -0
- package/src/data/migrations/001_initial_schema.sql +47 -0
- package/src/data/migrations/migration.runner.ts +125 -0
- package/src/data/models/.gitkeep +0 -0
- package/src/data/models/Token.model.ts +35 -0
- package/src/data/repositories/.gitkeep +0 -0
- package/src/data/repositories/token.repository.ts +160 -0
- package/src/providers/.gitkeep +0 -0
- package/src/providers/azure/.gitkeep +0 -0
- package/src/providers/azure/auth.provider.ts +14 -0
- package/src/providers/azure/azure-errors.ts +189 -0
- package/src/providers/azure/azure-retry.ts +168 -0
- package/src/providers/azure/graph-client.ts +315 -0
- package/src/providers/azure/graph.provider.ts +294 -0
- package/src/providers/azure/queries/app.queries.ts +9 -0
- package/src/providers/azure/queries/policy.queries.ts +9 -0
- package/src/providers/azure/queries/user.queries.ts +10 -0
- package/src/providers/interfaces/.gitkeep +0 -0
- package/src/providers/interfaces/IGraphProvider.ts +117 -0
- package/src/providers/interfaces/ILDAPProvider.ts +142 -0
- package/src/providers/ldap/.gitkeep +0 -0
- package/src/providers/ldap/acl-parser.ts +231 -0
- package/src/providers/ldap/ad-mappers.ts +280 -0
- package/src/providers/ldap/ldap-client.ts +259 -0
- package/src/providers/ldap/ldap-errors.ts +188 -0
- package/src/providers/ldap/ldap-retry.ts +267 -0
- package/src/providers/ldap/ldap-sanitizer.ts +273 -0
- package/src/providers/ldap/ldap.provider.ts +293 -0
- package/src/providers/ldap/queries/computer.queries.ts +9 -0
- package/src/providers/ldap/queries/group.queries.ts +9 -0
- package/src/providers/ldap/queries/user.queries.ts +10 -0
- package/src/providers/smb/smb.provider.ts +653 -0
- package/src/server.ts +60 -0
- package/src/services/.gitkeep +0 -0
- package/src/services/audit/.gitkeep +0 -0
- package/src/services/audit/ad-audit.service.ts +1481 -0
- package/src/services/audit/attack-graph.service.ts +1104 -0
- package/src/services/audit/audit.service.ts +12 -0
- package/src/services/audit/azure-audit.service.ts +286 -0
- package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
- package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
- package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
- package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
- package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
- package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
- package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
- package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
- package/src/services/audit/detectors/ad/index.ts +84 -0
- package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
- package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
- package/src/services/audit/detectors/ad/network.detector.ts +538 -0
- package/src/services/audit/detectors/ad/password.detector.ts +324 -0
- package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
- package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
- package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
- package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
- package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
- package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
- package/src/services/audit/detectors/index.ts +18 -0
- package/src/services/audit/response-formatter.ts +604 -0
- package/src/services/audit/scoring.service.ts +234 -0
- package/src/services/auth/.gitkeep +0 -0
- package/src/services/auth/crypto.service.ts +230 -0
- package/src/services/auth/errors.ts +47 -0
- package/src/services/auth/token.service.ts +420 -0
- package/src/services/config/.gitkeep +0 -0
- package/src/services/config/config.service.ts +75 -0
- package/src/services/export/.gitkeep +0 -0
- package/src/services/export/export.service.ts +99 -0
- package/src/services/export/formatters/csv.formatter.ts +124 -0
- package/src/services/export/formatters/json.formatter.ts +160 -0
- package/src/services/jobs/azure-job-runner.ts +312 -0
- package/src/services/jobs/index.ts +9 -0
- package/src/services/jobs/job-runner.ts +1280 -0
- package/src/services/jobs/job-store.ts +384 -0
- package/src/services/jobs/job.types.ts +182 -0
- package/src/types/.gitkeep +0 -0
- package/src/types/ad.types.ts +91 -0
- package/src/types/adcs.types.ts +107 -0
- package/src/types/attack-graph.types.ts +260 -0
- package/src/types/audit.types.ts +42 -0
- package/src/types/azure.types.ts +68 -0
- package/src/types/config.types.ts +79 -0
- package/src/types/error.types.ts +69 -0
- package/src/types/finding.types.ts +284 -0
- package/src/types/gpo.types.ts +72 -0
- package/src/types/smb2.d.ts +73 -0
- package/src/types/token.types.ts +32 -0
- package/src/types/trust.types.ts +140 -0
- package/src/utils/.gitkeep +0 -0
- package/src/utils/entity-converter.ts +453 -0
- package/src/utils/graph.util.ts +609 -0
- package/src/utils/logger.ts +111 -0
- package/src/utils/type-name-normalizer.ts +302 -0
- package/tests/.gitkeep +0 -0
- package/tests/e2e/.gitkeep +0 -0
- package/tests/fixtures/.gitkeep +0 -0
- package/tests/integration/.gitkeep +0 -0
- package/tests/integration/README.md +156 -0
- package/tests/integration/ad-audit.integration.test.ts +216 -0
- package/tests/integration/api/.gitkeep +0 -0
- package/tests/integration/api/endpoints.integration.test.ts +431 -0
- package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
- package/tests/integration/providers/.gitkeep +0 -0
- package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
- package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
- package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
- package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
- package/tests/mocks/.gitkeep +0 -0
- package/tests/setup.ts +16 -0
- package/tests/unit/.gitkeep +0 -0
- package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
- package/tests/unit/providers/.gitkeep +0 -0
- package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
- package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
- package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
- package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
- package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
- package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
- package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
- package/tests/unit/sample.test.ts +19 -0
- package/tests/unit/services/.gitkeep +0 -0
- package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
- package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
- package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
- package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
- package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
- package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
- package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
- package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
- package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
- package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
- package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
- package/tests/unit/services/auth/crypto.service.test.ts +296 -0
- package/tests/unit/services/auth/token.service.test.ts +579 -0
- package/tests/unit/services/export/export.service.test.ts +241 -0
- package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
- package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
- package/tests/unit/utils/.gitkeep +0 -0
- package/tsconfig.json +50 -0
|
@@ -0,0 +1,184 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.detectAppExcessiveGraphPerms = detectAppExcessiveGraphPerms;
|
|
4
|
+
exports.detectAppCredentialExpired = detectAppCredentialExpired;
|
|
5
|
+
exports.detectAppLongLivedCreds = detectAppLongLivedCreds;
|
|
6
|
+
exports.detectAppMultitenantUnverified = detectAppMultitenantUnverified;
|
|
7
|
+
exports.detectAppCredentialExpiring = detectAppCredentialExpiring;
|
|
8
|
+
exports.detectSpDisabledWithCreds = detectSpDisabledWithCreds;
|
|
9
|
+
exports.detectAppNoOwner = detectAppNoOwner;
|
|
10
|
+
exports.detectAppSecurityVulnerabilities = detectAppSecurityVulnerabilities;
|
|
11
|
+
const entity_converter_1 = require("../../../../utils/entity-converter");
|
|
12
|
+
function detectAppExcessiveGraphPerms(apps, includeDetails) {
|
|
13
|
+
const dangerousPermissionIds = [
|
|
14
|
+
'1bfefb4e-e0b5-418b-a88f-73c46d1986e9',
|
|
15
|
+
'19dbc75e-c2e2-444c-a770-ec69d8559fc7',
|
|
16
|
+
'9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8',
|
|
17
|
+
'741f803b-c850-494e-b5df-cde7c675a1ca',
|
|
18
|
+
'62a82d76-70ea-41e2-9197-370581804d09',
|
|
19
|
+
];
|
|
20
|
+
const dangerousPermissionNames = [
|
|
21
|
+
'Application.ReadWrite.All',
|
|
22
|
+
'Directory.ReadWrite.All',
|
|
23
|
+
'RoleManagement.ReadWrite.Directory',
|
|
24
|
+
'User.ReadWrite.All',
|
|
25
|
+
'Group.ReadWrite.All',
|
|
26
|
+
];
|
|
27
|
+
const affected = apps.filter((app) => {
|
|
28
|
+
const permissions = app.requiredResourceAccess || [];
|
|
29
|
+
return permissions.some((resource) => {
|
|
30
|
+
if (resource.resourceAppId === '00000003-0000-0000-c000-000000000000') {
|
|
31
|
+
return resource.resourceAccess?.some((access) => {
|
|
32
|
+
if (dangerousPermissionIds.includes(access.id)) {
|
|
33
|
+
return true;
|
|
34
|
+
}
|
|
35
|
+
if (access.value && dangerousPermissionNames.includes(access.value)) {
|
|
36
|
+
return true;
|
|
37
|
+
}
|
|
38
|
+
return false;
|
|
39
|
+
});
|
|
40
|
+
}
|
|
41
|
+
return false;
|
|
42
|
+
});
|
|
43
|
+
});
|
|
44
|
+
return {
|
|
45
|
+
type: 'AZURE_APP_EXCESSIVE_GRAPH_PERMS',
|
|
46
|
+
severity: 'critical',
|
|
47
|
+
category: 'applications',
|
|
48
|
+
title: 'Excessive Microsoft Graph Permissions',
|
|
49
|
+
description: 'Application with high-privilege Graph API permissions. Can access sensitive data across tenant.',
|
|
50
|
+
count: affected.length,
|
|
51
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAppEntities)(affected) : undefined,
|
|
52
|
+
};
|
|
53
|
+
}
|
|
54
|
+
function detectAppCredentialExpired(apps, includeDetails) {
|
|
55
|
+
const now = Date.now();
|
|
56
|
+
const affected = apps.filter((app) => {
|
|
57
|
+
const credentials = [
|
|
58
|
+
...(app.passwordCredentials || []),
|
|
59
|
+
...(app.keyCredentials || []),
|
|
60
|
+
];
|
|
61
|
+
return credentials.some((cred) => {
|
|
62
|
+
if (!cred.endDateTime)
|
|
63
|
+
return false;
|
|
64
|
+
return new Date(cred.endDateTime).getTime() < now;
|
|
65
|
+
});
|
|
66
|
+
});
|
|
67
|
+
return {
|
|
68
|
+
type: 'AZURE_APP_CREDENTIAL_EXPIRED',
|
|
69
|
+
severity: 'high',
|
|
70
|
+
category: 'applications',
|
|
71
|
+
title: 'Application Credential Expired',
|
|
72
|
+
description: 'Application with expired secret or certificate. May cause service disruption.',
|
|
73
|
+
count: affected.length,
|
|
74
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAppEntities)(affected) : undefined,
|
|
75
|
+
};
|
|
76
|
+
}
|
|
77
|
+
function detectAppLongLivedCreds(apps, includeDetails) {
|
|
78
|
+
const now = Date.now();
|
|
79
|
+
const oneYearFromNow = now + 365 * 24 * 60 * 60 * 1000;
|
|
80
|
+
const affected = apps.filter((app) => {
|
|
81
|
+
const credentials = [
|
|
82
|
+
...(app.passwordCredentials || []),
|
|
83
|
+
...(app.keyCredentials || []),
|
|
84
|
+
];
|
|
85
|
+
return credentials.some((cred) => {
|
|
86
|
+
if (!cred.endDateTime)
|
|
87
|
+
return false;
|
|
88
|
+
return new Date(cred.endDateTime).getTime() > oneYearFromNow;
|
|
89
|
+
});
|
|
90
|
+
});
|
|
91
|
+
return {
|
|
92
|
+
type: 'AZURE_APP_LONG_LIVED_CREDS',
|
|
93
|
+
severity: 'high',
|
|
94
|
+
category: 'applications',
|
|
95
|
+
title: 'Long-Lived Application Credentials',
|
|
96
|
+
description: 'Application credential valid for more than 1 year. Increases risk if credential is compromised.',
|
|
97
|
+
count: affected.length,
|
|
98
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAppEntities)(affected) : undefined,
|
|
99
|
+
};
|
|
100
|
+
}
|
|
101
|
+
function detectAppMultitenantUnverified(apps, includeDetails) {
|
|
102
|
+
const affected = apps.filter((app) => {
|
|
103
|
+
const isMultiTenant = app.signInAudience === 'AzureADMultipleOrgs' || app.signInAudience === 'AzureADandPersonalMicrosoftAccount';
|
|
104
|
+
const isVerified = app.publisherDomain && app.verifiedPublisher;
|
|
105
|
+
return isMultiTenant && !isVerified;
|
|
106
|
+
});
|
|
107
|
+
return {
|
|
108
|
+
type: 'AZURE_APP_MULTITENANT_UNVERIFIED',
|
|
109
|
+
severity: 'high',
|
|
110
|
+
category: 'applications',
|
|
111
|
+
title: 'Unverified Multi-Tenant Application',
|
|
112
|
+
description: 'Multi-tenant application without verified publisher. Users from other tenants may be at risk.',
|
|
113
|
+
count: affected.length,
|
|
114
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAppEntities)(affected) : undefined,
|
|
115
|
+
};
|
|
116
|
+
}
|
|
117
|
+
function detectAppCredentialExpiring(apps, includeDetails) {
|
|
118
|
+
const now = Date.now();
|
|
119
|
+
const thirtyDaysFromNow = now + 30 * 24 * 60 * 60 * 1000;
|
|
120
|
+
const affected = apps.filter((app) => {
|
|
121
|
+
const credentials = [
|
|
122
|
+
...(app.passwordCredentials || []),
|
|
123
|
+
...(app.keyCredentials || []),
|
|
124
|
+
];
|
|
125
|
+
return credentials.some((cred) => {
|
|
126
|
+
if (!cred.endDateTime)
|
|
127
|
+
return false;
|
|
128
|
+
const expiry = new Date(cred.endDateTime).getTime();
|
|
129
|
+
return expiry > now && expiry < thirtyDaysFromNow;
|
|
130
|
+
});
|
|
131
|
+
});
|
|
132
|
+
return {
|
|
133
|
+
type: 'AZURE_APP_CREDENTIAL_EXPIRING',
|
|
134
|
+
severity: 'medium',
|
|
135
|
+
category: 'applications',
|
|
136
|
+
title: 'Application Credential Expiring Soon',
|
|
137
|
+
description: 'Application credential expiring within 30 days. Action required to avoid service disruption.',
|
|
138
|
+
count: affected.length,
|
|
139
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAppEntities)(affected) : undefined,
|
|
140
|
+
};
|
|
141
|
+
}
|
|
142
|
+
function detectSpDisabledWithCreds(apps, includeDetails) {
|
|
143
|
+
const affected = apps.filter((app) => {
|
|
144
|
+
const isDisabled = app.accountEnabled === false;
|
|
145
|
+
const hasCredentials = (app.passwordCredentials?.length > 0) || (app.keyCredentials?.length > 0);
|
|
146
|
+
return isDisabled && hasCredentials;
|
|
147
|
+
});
|
|
148
|
+
return {
|
|
149
|
+
type: 'AZURE_SP_DISABLED_WITH_CREDS',
|
|
150
|
+
severity: 'medium',
|
|
151
|
+
category: 'applications',
|
|
152
|
+
title: 'Disabled Service Principal with Credentials',
|
|
153
|
+
description: 'Disabled service principal still has active credentials. Credentials should be removed.',
|
|
154
|
+
count: affected.length,
|
|
155
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAppEntities)(affected) : undefined,
|
|
156
|
+
};
|
|
157
|
+
}
|
|
158
|
+
function detectAppNoOwner(apps, includeDetails) {
|
|
159
|
+
const affected = apps.filter((app) => {
|
|
160
|
+
const owners = app.owners || [];
|
|
161
|
+
return owners.length === 0;
|
|
162
|
+
});
|
|
163
|
+
return {
|
|
164
|
+
type: 'AZURE_APP_NO_OWNER',
|
|
165
|
+
severity: 'medium',
|
|
166
|
+
category: 'applications',
|
|
167
|
+
title: 'Application without Owner',
|
|
168
|
+
description: 'Application has no assigned owners. Orphaned applications are difficult to manage.',
|
|
169
|
+
count: affected.length,
|
|
170
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAppEntities)(affected) : undefined,
|
|
171
|
+
};
|
|
172
|
+
}
|
|
173
|
+
function detectAppSecurityVulnerabilities(apps, includeDetails) {
|
|
174
|
+
return [
|
|
175
|
+
detectAppExcessiveGraphPerms(apps, includeDetails),
|
|
176
|
+
detectAppCredentialExpired(apps, includeDetails),
|
|
177
|
+
detectAppLongLivedCreds(apps, includeDetails),
|
|
178
|
+
detectAppMultitenantUnverified(apps, includeDetails),
|
|
179
|
+
detectAppCredentialExpiring(apps, includeDetails),
|
|
180
|
+
detectSpDisabledWithCreds(apps, includeDetails),
|
|
181
|
+
detectAppNoOwner(apps, includeDetails),
|
|
182
|
+
].filter((finding) => finding.count > 0);
|
|
183
|
+
}
|
|
184
|
+
//# sourceMappingURL=app-security.detector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"app-security.detector.js","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/azure/app-security.detector.ts"],"names":[],"mappings":";;AA4BA,oEAgDC;AAKD,gEAwBC;AAKD,0DAyBC;AAKD,wEAiBC;AAKD,kEA0BC;AAKD,8DAiBC;AAKD,4CAeC;AAKD,4EAUC;AA9ND,yEAA2E;AAK3E,SAAgB,4BAA4B,CAAC,IAAgB,EAAE,cAAuB;IAEpF,MAAM,sBAAsB,GAAG;QAC7B,sCAAsC;QACtC,sCAAsC;QACtC,sCAAsC;QACtC,sCAAsC;QACtC,sCAAsC;KACvC,CAAC;IAEF,MAAM,wBAAwB,GAAG;QAC/B,2BAA2B;QAC3B,yBAAyB;QACzB,oCAAoC;QACpC,oBAAoB;QACpB,qBAAqB;KACtB,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACnC,MAAM,WAAW,GAAI,GAAW,CAAC,sBAAsB,IAAI,EAAE,CAAC;QAC9D,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,QAAa,EAAE,EAAE;YACxC,IAAI,QAAQ,CAAC,aAAa,KAAK,sCAAsC,EAAE,CAAC;gBAEtE,OAAO,QAAQ,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC,MAAW,EAAE,EAAE;oBAEnD,IAAI,sBAAsB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;wBAC/C,OAAO,IAAI,CAAC;oBACd,CAAC;oBAED,IAAI,MAAM,CAAC,KAAK,IAAI,wBAAwB,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;wBACpE,OAAO,IAAI,CAAC;oBACd,CAAC;oBACD,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;YACL,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,cAAc;QACxB,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,iGAAiG;QAC9G,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,wCAAqB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAC/E,CAAC;AACJ,CAAC;AAKD,SAAgB,0BAA0B,CAAC,IAAgB,EAAE,cAAuB;IAClF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACnC,MAAM,WAAW,GAAG;YAClB,GAAG,CAAE,GAAW,CAAC,mBAAmB,IAAI,EAAE,CAAC;YAC3C,GAAG,CAAE,GAAW,CAAC,cAAc,IAAI,EAAE,CAAC;SACvC,CAAC;QAEF,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,IAAS,EAAE,EAAE;YACpC,IAAI,CAAC,IAAI,CAAC,WAAW;gBAAE,OAAO,KAAK,CAAC;YACpC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC;QACpD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,cAAc;QACxB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,+EAA+E;QAC5F,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,wCAAqB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAC/E,CAAC;AACJ,CAAC;AAKD,SAAgB,uBAAuB,CAAC,IAAgB,EAAE,cAAuB;IAC/E,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,cAAc,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEvD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACnC,MAAM,WAAW,GAAG;YAClB,GAAG,CAAE,GAAW,CAAC,mBAAmB,IAAI,EAAE,CAAC;YAC3C,GAAG,CAAE,GAAW,CAAC,cAAc,IAAI,EAAE,CAAC;SACvC,CAAC;QAEF,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,IAAS,EAAE,EAAE;YACpC,IAAI,CAAC,IAAI,CAAC,WAAW;gBAAE,OAAO,KAAK,CAAC;YACpC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,GAAG,cAAc,CAAC;QAC/D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,cAAc;QACxB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iGAAiG;QAC9G,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,wCAAqB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAC/E,CAAC;AACJ,CAAC;AAKD,SAAgB,8BAA8B,CAAC,IAAgB,EAAE,cAAuB;IACtF,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACnC,MAAM,aAAa,GAAG,GAAG,CAAC,cAAc,KAAK,qBAAqB,IAAI,GAAG,CAAC,cAAc,KAAK,oCAAoC,CAAC;QAClI,MAAM,UAAU,GAAI,GAAW,CAAC,eAAe,IAAK,GAAW,CAAC,iBAAiB,CAAC;QAElF,OAAO,aAAa,IAAI,CAAC,UAAU,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,cAAc;QACxB,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EAAE,+FAA+F;QAC5G,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,wCAAqB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAC/E,CAAC;AACJ,CAAC;AAKD,SAAgB,2BAA2B,CAAC,IAAgB,EAAE,cAAuB;IACnF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,iBAAiB,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEzD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACnC,MAAM,WAAW,GAAG;YAClB,GAAG,CAAE,GAAW,CAAC,mBAAmB,IAAI,EAAE,CAAC;YAC3C,GAAG,CAAE,GAAW,CAAC,cAAc,IAAI,EAAE,CAAC;SACvC,CAAC;QAEF,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,IAAS,EAAE,EAAE;YACpC,IAAI,CAAC,IAAI,CAAC,WAAW;gBAAE,OAAO,KAAK,CAAC;YACpC,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,CAAC;YACpD,OAAO,MAAM,GAAG,GAAG,IAAI,MAAM,GAAG,iBAAiB,CAAC;QACpD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,KAAK,EAAE,sCAAsC;QAC7C,WAAW,EAAE,8FAA8F;QAC3G,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,wCAAqB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAC/E,CAAC;AACJ,CAAC;AAKD,SAAgB,yBAAyB,CAAC,IAAgB,EAAE,cAAuB;IACjF,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACnC,MAAM,UAAU,GAAI,GAAW,CAAC,cAAc,KAAK,KAAK,CAAC;QACzD,MAAM,cAAc,GAAG,CAAE,GAAW,CAAC,mBAAmB,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,CAAE,GAAW,CAAC,cAAc,EAAE,MAAM,GAAG,CAAC,CAAC,CAAC;QAEnH,OAAO,UAAU,IAAI,cAAc,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EAAE,yFAAyF;QACtG,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,wCAAqB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAC/E,CAAC;AACJ,CAAC;AAKD,SAAgB,gBAAgB,CAAC,IAAgB,EAAE,cAAuB;IACxE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACnC,MAAM,MAAM,GAAI,GAAW,CAAC,MAAM,IAAI,EAAE,CAAC;QACzC,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,oFAAoF;QACjG,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,wCAAqB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAC/E,CAAC;AACJ,CAAC;AAKD,SAAgB,gCAAgC,CAAC,IAAgB,EAAE,cAAuB;IACxF,OAAO;QACL,4BAA4B,CAAC,IAAI,EAAE,cAAc,CAAC;QAClD,0BAA0B,CAAC,IAAI,EAAE,cAAc,CAAC;QAChD,uBAAuB,CAAC,IAAI,EAAE,cAAc,CAAC;QAC7C,8BAA8B,CAAC,IAAI,EAAE,cAAc,CAAC;QACpD,2BAA2B,CAAC,IAAI,EAAE,cAAc,CAAC;QACjD,yBAAyB,CAAC,IAAI,EAAE,cAAc,CAAC;QAC/C,gBAAgB,CAAC,IAAI,EAAE,cAAc,CAAC;KACvC,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;AAC3C,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
import { AzurePolicy } from '../../../../types/azure.types';
|
|
2
|
+
import { Finding } from '../../../../types/finding.types';
|
|
3
|
+
export declare function detectNoMfaCaPolicy(policies: AzurePolicy[], includeDetails: boolean): Finding;
|
|
4
|
+
export declare function detectNoLegacyAuthBlock(policies: AzurePolicy[], includeDetails: boolean): Finding;
|
|
5
|
+
export declare function detectCaPolicyDisabled(policies: AzurePolicy[], includeDetails: boolean): Finding;
|
|
6
|
+
export declare function detectCaPolicyHasExclusions(policies: AzurePolicy[], includeDetails: boolean): Finding;
|
|
7
|
+
export declare function detectNoDeviceComplianceCa(policies: AzurePolicy[], includeDetails: boolean): Finding;
|
|
8
|
+
export declare function detectCaPolicyReportOnly(policies: AzurePolicy[], includeDetails: boolean): Finding;
|
|
9
|
+
export declare function detectConditionalAccessVulnerabilities(policies: AzurePolicy[], includeDetails: boolean): Finding[];
|
|
10
|
+
//# sourceMappingURL=conditional-access.detector.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"conditional-access.detector.d.ts","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/azure/conditional-access.detector.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AAC5D,OAAO,EAAE,OAAO,EAAE,MAAM,iCAAiC,CAAC;AAK1D,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAoB7F;AAKD,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAyBjG;AAKD,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAchG;AAKD,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAwBrG;AAKD,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAoBpG;AAKD,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAclG;AAKD,wBAAgB,sCAAsC,CACpD,QAAQ,EAAE,WAAW,EAAE,EACvB,cAAc,EAAE,OAAO,GACtB,OAAO,EAAE,CASX"}
|
|
@@ -0,0 +1,130 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.detectNoMfaCaPolicy = detectNoMfaCaPolicy;
|
|
4
|
+
exports.detectNoLegacyAuthBlock = detectNoLegacyAuthBlock;
|
|
5
|
+
exports.detectCaPolicyDisabled = detectCaPolicyDisabled;
|
|
6
|
+
exports.detectCaPolicyHasExclusions = detectCaPolicyHasExclusions;
|
|
7
|
+
exports.detectNoDeviceComplianceCa = detectNoDeviceComplianceCa;
|
|
8
|
+
exports.detectCaPolicyReportOnly = detectCaPolicyReportOnly;
|
|
9
|
+
exports.detectConditionalAccessVulnerabilities = detectConditionalAccessVulnerabilities;
|
|
10
|
+
function detectNoMfaCaPolicy(policies, includeDetails) {
|
|
11
|
+
const hasMfaPolicy = policies.some((policy) => {
|
|
12
|
+
if (policy.state !== 'enabled')
|
|
13
|
+
return false;
|
|
14
|
+
const grantControls = policy.grantControls;
|
|
15
|
+
if (!grantControls)
|
|
16
|
+
return false;
|
|
17
|
+
const builtInControls = grantControls.builtInControls || [];
|
|
18
|
+
return builtInControls.includes('mfa');
|
|
19
|
+
});
|
|
20
|
+
return {
|
|
21
|
+
type: 'AZURE_NO_MFA_CA_POLICY',
|
|
22
|
+
severity: 'critical',
|
|
23
|
+
category: 'conditionalAccess',
|
|
24
|
+
title: 'No MFA Enforcement via Conditional Access',
|
|
25
|
+
description: 'No Conditional Access policy enforcing MFA. Users can authenticate without multi-factor authentication.',
|
|
26
|
+
count: hasMfaPolicy ? 0 : 1,
|
|
27
|
+
affectedEntities: includeDetails && !hasMfaPolicy ? ['Tenant-wide'] : undefined,
|
|
28
|
+
};
|
|
29
|
+
}
|
|
30
|
+
function detectNoLegacyAuthBlock(policies, includeDetails) {
|
|
31
|
+
const hasLegacyAuthBlock = policies.some((policy) => {
|
|
32
|
+
if (policy.state !== 'enabled')
|
|
33
|
+
return false;
|
|
34
|
+
const conditions = policy.conditions;
|
|
35
|
+
const clientAppTypes = conditions?.clientAppTypes || [];
|
|
36
|
+
const blocksLegacyAuth = clientAppTypes.includes('exchangeActiveSync') ||
|
|
37
|
+
clientAppTypes.includes('other') ||
|
|
38
|
+
(clientAppTypes.includes('all') && policy.grantControls?.builtInControls?.includes('block'));
|
|
39
|
+
return blocksLegacyAuth;
|
|
40
|
+
});
|
|
41
|
+
return {
|
|
42
|
+
type: 'AZURE_NO_LEGACY_AUTH_BLOCK',
|
|
43
|
+
severity: 'critical',
|
|
44
|
+
category: 'conditionalAccess',
|
|
45
|
+
title: 'No Policy Blocking Legacy Authentication',
|
|
46
|
+
description: 'No Conditional Access policy blocking legacy authentication protocols. Legacy auth bypasses MFA.',
|
|
47
|
+
count: hasLegacyAuthBlock ? 0 : 1,
|
|
48
|
+
affectedEntities: includeDetails && !hasLegacyAuthBlock ? ['Tenant-wide'] : undefined,
|
|
49
|
+
};
|
|
50
|
+
}
|
|
51
|
+
function detectCaPolicyDisabled(policies, includeDetails) {
|
|
52
|
+
const affected = policies.filter((policy) => {
|
|
53
|
+
return policy.state === 'disabled';
|
|
54
|
+
});
|
|
55
|
+
return {
|
|
56
|
+
type: 'AZURE_CA_POLICY_DISABLED',
|
|
57
|
+
severity: 'medium',
|
|
58
|
+
category: 'conditionalAccess',
|
|
59
|
+
title: 'Disabled Conditional Access Policy',
|
|
60
|
+
description: 'Conditional Access policy is disabled. Security controls are not being enforced.',
|
|
61
|
+
count: affected.length,
|
|
62
|
+
affectedEntities: includeDetails ? affected.map((p) => p.displayName) : undefined,
|
|
63
|
+
};
|
|
64
|
+
}
|
|
65
|
+
function detectCaPolicyHasExclusions(policies, includeDetails) {
|
|
66
|
+
const affected = policies.filter((policy) => {
|
|
67
|
+
if (policy.state !== 'enabled')
|
|
68
|
+
return false;
|
|
69
|
+
const conditions = policy.conditions;
|
|
70
|
+
const users = conditions?.users;
|
|
71
|
+
const hasExclusions = (users?.excludeUsers && users.excludeUsers.length > 0) ||
|
|
72
|
+
(users?.excludeGroups && users.excludeGroups.length > 0) ||
|
|
73
|
+
(users?.excludeRoles && users.excludeRoles.length > 0);
|
|
74
|
+
return hasExclusions;
|
|
75
|
+
});
|
|
76
|
+
return {
|
|
77
|
+
type: 'AZURE_CA_POLICY_HAS_EXCLUSIONS',
|
|
78
|
+
severity: 'medium',
|
|
79
|
+
category: 'conditionalAccess',
|
|
80
|
+
title: 'Conditional Access Policy with Exclusions',
|
|
81
|
+
description: 'CA policy has user, group, or role exclusions. Excluded identities bypass security controls.',
|
|
82
|
+
count: affected.length,
|
|
83
|
+
affectedEntities: includeDetails ? affected.map((p) => p.displayName) : undefined,
|
|
84
|
+
};
|
|
85
|
+
}
|
|
86
|
+
function detectNoDeviceComplianceCa(policies, includeDetails) {
|
|
87
|
+
const hasDeviceCompliancePolicy = policies.some((policy) => {
|
|
88
|
+
if (policy.state !== 'enabled')
|
|
89
|
+
return false;
|
|
90
|
+
const grantControls = policy.grantControls;
|
|
91
|
+
if (!grantControls)
|
|
92
|
+
return false;
|
|
93
|
+
const builtInControls = grantControls.builtInControls || [];
|
|
94
|
+
return builtInControls.includes('compliantDevice') || builtInControls.includes('domainJoinedDevice');
|
|
95
|
+
});
|
|
96
|
+
return {
|
|
97
|
+
type: 'AZURE_NO_DEVICE_COMPLIANCE_CA',
|
|
98
|
+
severity: 'medium',
|
|
99
|
+
category: 'conditionalAccess',
|
|
100
|
+
title: 'No Device Compliance Requirement',
|
|
101
|
+
description: 'No Conditional Access policy requiring compliant devices. Unmanaged devices can access resources.',
|
|
102
|
+
count: hasDeviceCompliancePolicy ? 0 : 1,
|
|
103
|
+
affectedEntities: includeDetails && !hasDeviceCompliancePolicy ? ['Tenant-wide'] : undefined,
|
|
104
|
+
};
|
|
105
|
+
}
|
|
106
|
+
function detectCaPolicyReportOnly(policies, includeDetails) {
|
|
107
|
+
const affected = policies.filter((policy) => {
|
|
108
|
+
return policy.state === 'enabledForReportingButNotEnforced';
|
|
109
|
+
});
|
|
110
|
+
return {
|
|
111
|
+
type: 'AZURE_CA_POLICY_REPORT_ONLY',
|
|
112
|
+
severity: 'low',
|
|
113
|
+
category: 'conditionalAccess',
|
|
114
|
+
title: 'Conditional Access Policy in Report-Only Mode',
|
|
115
|
+
description: 'CA policy in report-only mode. Security controls are not being enforced, only logged.',
|
|
116
|
+
count: affected.length,
|
|
117
|
+
affectedEntities: includeDetails ? affected.map((p) => p.displayName) : undefined,
|
|
118
|
+
};
|
|
119
|
+
}
|
|
120
|
+
function detectConditionalAccessVulnerabilities(policies, includeDetails) {
|
|
121
|
+
return [
|
|
122
|
+
detectNoMfaCaPolicy(policies, includeDetails),
|
|
123
|
+
detectNoLegacyAuthBlock(policies, includeDetails),
|
|
124
|
+
detectCaPolicyDisabled(policies, includeDetails),
|
|
125
|
+
detectCaPolicyHasExclusions(policies, includeDetails),
|
|
126
|
+
detectNoDeviceComplianceCa(policies, includeDetails),
|
|
127
|
+
detectCaPolicyReportOnly(policies, includeDetails),
|
|
128
|
+
].filter((finding) => finding.count > 0);
|
|
129
|
+
}
|
|
130
|
+
//# sourceMappingURL=conditional-access.detector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"conditional-access.detector.js","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/azure/conditional-access.detector.ts"],"names":[],"mappings":";;AA0BA,kDAoBC;AAKD,0DAyBC;AAKD,wDAcC;AAKD,kEAwBC;AAKD,gEAoBC;AAKD,4DAcC;AAKD,wFAYC;AA/JD,SAAgB,mBAAmB,CAAC,QAAuB,EAAE,cAAuB;IAClF,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;QAC5C,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;QAE7C,MAAM,aAAa,GAAI,MAAc,CAAC,aAAa,CAAC;QACpD,IAAI,CAAC,aAAa;YAAE,OAAO,KAAK,CAAC;QAEjC,MAAM,eAAe,GAAG,aAAa,CAAC,eAAe,IAAI,EAAE,CAAC;QAC5D,OAAO,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,2CAA2C;QAClD,WAAW,EAAE,yGAAyG;QACtH,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,gBAAgB,EAAE,cAAc,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAKD,SAAgB,uBAAuB,CAAC,QAAuB,EAAE,cAAuB;IACtF,MAAM,kBAAkB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;QAClD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;QAE7C,MAAM,UAAU,GAAI,MAAc,CAAC,UAAU,CAAC;QAC9C,MAAM,cAAc,GAAG,UAAU,EAAE,cAAc,IAAI,EAAE,CAAC;QAGxD,MAAM,gBAAgB,GACpB,cAAc,CAAC,QAAQ,CAAC,oBAAoB,CAAC;YAC7C,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC;YAChC,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAK,MAAc,CAAC,aAAa,EAAE,eAAe,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAExG,OAAO,gBAAgB,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,0CAA0C;QACjD,WAAW,EAAE,kGAAkG;QAC/G,KAAK,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjC,gBAAgB,EAAE,cAAc,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,SAAS;KACtF,CAAC;AACJ,CAAC;AAKD,SAAgB,sBAAsB,CAAC,QAAuB,EAAE,cAAuB;IACrF,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE;QAC1C,OAAO,MAAM,CAAC,KAAK,KAAK,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,kFAAkF;QAC/F,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;KAClF,CAAC;AACJ,CAAC;AAKD,SAAgB,2BAA2B,CAAC,QAAuB,EAAE,cAAuB;IAC1F,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE;QAC1C,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;QAE7C,MAAM,UAAU,GAAI,MAAc,CAAC,UAAU,CAAC;QAC9C,MAAM,KAAK,GAAG,UAAU,EAAE,KAAK,CAAC;QAEhC,MAAM,aAAa,GACjB,CAAC,KAAK,EAAE,YAAY,IAAI,KAAK,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;YACtD,CAAC,KAAK,EAAE,aAAa,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;YACxD,CAAC,KAAK,EAAE,YAAY,IAAI,KAAK,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAEzD,OAAO,aAAa,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,2CAA2C;QAClD,WAAW,EAAE,8FAA8F;QAC3G,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;KAClF,CAAC;AACJ,CAAC;AAKD,SAAgB,0BAA0B,CAAC,QAAuB,EAAE,cAAuB;IACzF,MAAM,yBAAyB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;QACzD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;QAE7C,MAAM,aAAa,GAAI,MAAc,CAAC,aAAa,CAAC;QACpD,IAAI,CAAC,aAAa;YAAE,OAAO,KAAK,CAAC;QAEjC,MAAM,eAAe,GAAG,aAAa,CAAC,eAAe,IAAI,EAAE,CAAC;QAC5D,OAAO,eAAe,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,eAAe,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC;IACvG,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mGAAmG;QAChH,KAAK,EAAE,yBAAyB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,gBAAgB,EAAE,cAAc,IAAI,CAAC,yBAAyB,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,SAAS;KAC7F,CAAC;AACJ,CAAC;AAKD,SAAgB,wBAAwB,CAAC,QAAuB,EAAE,cAAuB;IACvF,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE;QAC1C,OAAO,MAAM,CAAC,KAAK,KAAK,mCAAmC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,+CAA+C;QACtD,WAAW,EAAE,uFAAuF;QACpG,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;KAClF,CAAC;AACJ,CAAC;AAKD,SAAgB,sCAAsC,CACpD,QAAuB,EACvB,cAAuB;IAEvB,OAAO;QACL,mBAAmB,CAAC,QAAQ,EAAE,cAAc,CAAC;QAC7C,uBAAuB,CAAC,QAAQ,EAAE,cAAc,CAAC;QACjD,sBAAsB,CAAC,QAAQ,EAAE,cAAc,CAAC;QAChD,2BAA2B,CAAC,QAAQ,EAAE,cAAc,CAAC;QACrD,0BAA0B,CAAC,QAAQ,EAAE,cAAc,CAAC;QACpD,wBAAwB,CAAC,QAAQ,EAAE,cAAc,CAAC;KACnD,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;AAC3C,CAAC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
import { AzureUser, AzureGroup } from '../../../../types/azure.types';
|
|
2
|
+
import { Finding } from '../../../../types/finding.types';
|
|
3
|
+
export declare function detectGuestPrivilegedAccess(users: AzureUser[], roles: Map<string, string[]>, includeDetails: boolean): Finding;
|
|
4
|
+
export declare function detectServiceAccountPrivileged(users: AzureUser[], roles: Map<string, string[]>, includeDetails: boolean): Finding;
|
|
5
|
+
export declare function detectTooManyGlobalAdmins(users: AzureUser[], roles: Map<string, string[]>, includeDetails: boolean): Finding;
|
|
6
|
+
export declare function detectGroupDynamicRiskyRule(groups: AzureGroup[], includeDetails: boolean): Finding;
|
|
7
|
+
export declare function detectPrivilegeSecurityVulnerabilities(users: AzureUser[], groups: AzureGroup[], roles: Map<string, string[]>, includeDetails: boolean): Finding[];
|
|
8
|
+
//# sourceMappingURL=privilege-security.detector.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"privilege-security.detector.d.ts","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/azure/privilege-security.detector.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,iCAAiC,CAAC;AAM1D,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,SAAS,EAAE,EAClB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,EAC5B,cAAc,EAAE,OAAO,GACtB,OAAO,CA4BT;AAKD,wBAAgB,8BAA8B,CAC5C,KAAK,EAAE,SAAS,EAAE,EAClB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,EAC5B,cAAc,EAAE,OAAO,GACtB,OAAO,CA+BT;AAKD,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,SAAS,EAAE,EAClB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,EAC5B,cAAc,EAAE,OAAO,GACtB,OAAO,CAoBT;AAKD,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CA6BlG;AAKD,wBAAgB,sCAAsC,CACpD,KAAK,EAAE,SAAS,EAAE,EAClB,MAAM,EAAE,UAAU,EAAE,EACpB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,EAC5B,cAAc,EAAE,OAAO,GACtB,OAAO,EAAE,CAOX"}
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.detectGuestPrivilegedAccess = detectGuestPrivilegedAccess;
|
|
4
|
+
exports.detectServiceAccountPrivileged = detectServiceAccountPrivileged;
|
|
5
|
+
exports.detectTooManyGlobalAdmins = detectTooManyGlobalAdmins;
|
|
6
|
+
exports.detectGroupDynamicRiskyRule = detectGroupDynamicRiskyRule;
|
|
7
|
+
exports.detectPrivilegeSecurityVulnerabilities = detectPrivilegeSecurityVulnerabilities;
|
|
8
|
+
const entity_converter_1 = require("../../../../utils/entity-converter");
|
|
9
|
+
function detectGuestPrivilegedAccess(users, roles, includeDetails) {
|
|
10
|
+
const privilegedRoleIds = [
|
|
11
|
+
'62e90394-69f5-4237-9190-012177145e10',
|
|
12
|
+
'e8611ab8-c189-46e8-94e1-60213ab1f814',
|
|
13
|
+
'194ae4cb-b126-40b2-bd5b-6091b380977d',
|
|
14
|
+
'29232cdf-9323-42fd-ade2-1d097af3e4de',
|
|
15
|
+
'f28a1f50-f6e7-4571-818b-6a12f2af6b6c',
|
|
16
|
+
'729827e3-9c14-49f7-bb1b-9608f156bbb8',
|
|
17
|
+
'b0f54661-2d74-4c50-afa3-1ec803f12efe',
|
|
18
|
+
];
|
|
19
|
+
const affected = users.filter((u) => {
|
|
20
|
+
const isGuest = u.userType === 'Guest';
|
|
21
|
+
const userRoles = roles.get(u.id) || [];
|
|
22
|
+
const hasPrivilegedRole = userRoles.some((r) => privilegedRoleIds.includes(r));
|
|
23
|
+
return isGuest && hasPrivilegedRole;
|
|
24
|
+
});
|
|
25
|
+
return {
|
|
26
|
+
type: 'AZURE_GUEST_PRIVILEGED_ACCESS',
|
|
27
|
+
severity: 'critical',
|
|
28
|
+
category: 'privilegedAccess',
|
|
29
|
+
title: 'Guest User with Privileged Role',
|
|
30
|
+
description: 'Guest user from external domain assigned privileged role. High risk from external account compromise.',
|
|
31
|
+
count: affected.length,
|
|
32
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAzureUserEntities)(affected) : undefined,
|
|
33
|
+
};
|
|
34
|
+
}
|
|
35
|
+
function detectServiceAccountPrivileged(users, roles, includeDetails) {
|
|
36
|
+
const privilegedRoleIds = [
|
|
37
|
+
'62e90394-69f5-4237-9190-012177145e10',
|
|
38
|
+
'e8611ab8-c189-46e8-94e1-60213ab1f814',
|
|
39
|
+
'194ae4cb-b126-40b2-bd5b-6091b380977d',
|
|
40
|
+
];
|
|
41
|
+
const affected = users.filter((u) => {
|
|
42
|
+
const isServiceAccount = !u.lastSignInDateTime ||
|
|
43
|
+
u.userPrincipalName?.toLowerCase().includes('svc') ||
|
|
44
|
+
u.userPrincipalName?.toLowerCase().includes('service') ||
|
|
45
|
+
u.displayName?.toLowerCase().includes('service') ||
|
|
46
|
+
u.userType === 'Application';
|
|
47
|
+
const userRoles = roles.get(u.id) || [];
|
|
48
|
+
const hasPrivilegedRole = userRoles.some((r) => privilegedRoleIds.includes(r));
|
|
49
|
+
return isServiceAccount && hasPrivilegedRole;
|
|
50
|
+
});
|
|
51
|
+
return {
|
|
52
|
+
type: 'AZURE_SERVICE_ACCOUNT_PRIVILEGED',
|
|
53
|
+
severity: 'critical',
|
|
54
|
+
category: 'privilegedAccess',
|
|
55
|
+
title: 'Service Account with Privileged Role',
|
|
56
|
+
description: 'Service/application account with privileged role. Service accounts should use managed identities.',
|
|
57
|
+
count: affected.length,
|
|
58
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAzureUserEntities)(affected) : undefined,
|
|
59
|
+
};
|
|
60
|
+
}
|
|
61
|
+
function detectTooManyGlobalAdmins(users, roles, includeDetails) {
|
|
62
|
+
const globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10';
|
|
63
|
+
const affected = users.filter((u) => {
|
|
64
|
+
const userRoles = roles.get(u.id) || [];
|
|
65
|
+
return userRoles.includes(globalAdminRoleId);
|
|
66
|
+
});
|
|
67
|
+
const threshold = 5;
|
|
68
|
+
const count = affected.length > threshold ? 1 : 0;
|
|
69
|
+
return {
|
|
70
|
+
type: 'AZURE_TOO_MANY_GLOBAL_ADMINS',
|
|
71
|
+
severity: 'high',
|
|
72
|
+
category: 'privilegedAccess',
|
|
73
|
+
title: 'Too Many Global Administrators',
|
|
74
|
+
description: `Tenant has ${affected.length} Global Administrators (recommended: ≤${threshold}). Excessive admin accounts increase attack surface.`,
|
|
75
|
+
count,
|
|
76
|
+
affectedEntities: includeDetails && count > 0 ? [`${affected.length} Global Admins`] : undefined,
|
|
77
|
+
};
|
|
78
|
+
}
|
|
79
|
+
function detectGroupDynamicRiskyRule(groups, includeDetails) {
|
|
80
|
+
const riskyPatterns = [
|
|
81
|
+
'accountEnabled eq true',
|
|
82
|
+
'userType eq "Member"',
|
|
83
|
+
'userType eq "Guest"',
|
|
84
|
+
'objectId ne null',
|
|
85
|
+
'mail contains "@"',
|
|
86
|
+
];
|
|
87
|
+
const affected = groups.filter((g) => {
|
|
88
|
+
const membershipRule = g.membershipRule;
|
|
89
|
+
if (!membershipRule || g.groupTypes?.includes('DynamicMembership') === false) {
|
|
90
|
+
return false;
|
|
91
|
+
}
|
|
92
|
+
const lowerRule = membershipRule.toLowerCase();
|
|
93
|
+
return riskyPatterns.some((pattern) => lowerRule.includes(pattern.toLowerCase()));
|
|
94
|
+
});
|
|
95
|
+
return {
|
|
96
|
+
type: 'AZURE_GROUP_DYNAMIC_RISKY_RULE',
|
|
97
|
+
severity: 'high',
|
|
98
|
+
category: 'privilegedAccess',
|
|
99
|
+
title: 'Dynamic Group with Risky Membership Rule',
|
|
100
|
+
description: 'Dynamic group with overly permissive membership rule. May grant unintended access.',
|
|
101
|
+
count: affected.length,
|
|
102
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedAzureGroupEntities)(affected) : undefined,
|
|
103
|
+
};
|
|
104
|
+
}
|
|
105
|
+
function detectPrivilegeSecurityVulnerabilities(users, groups, roles, includeDetails) {
|
|
106
|
+
return [
|
|
107
|
+
detectGuestPrivilegedAccess(users, roles, includeDetails),
|
|
108
|
+
detectServiceAccountPrivileged(users, roles, includeDetails),
|
|
109
|
+
detectTooManyGlobalAdmins(users, roles, includeDetails),
|
|
110
|
+
detectGroupDynamicRiskyRule(groups, includeDetails),
|
|
111
|
+
].filter((finding) => finding.count > 0);
|
|
112
|
+
}
|
|
113
|
+
//# sourceMappingURL=privilege-security.detector.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"privilege-security.detector.js","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/azure/privilege-security.detector.ts"],"names":[],"mappings":";;AAuBA,kEAgCC;AAKD,wEAmCC;AAKD,8DAwBC;AAKD,kEA6BC;AAKD,wFAYC;AA7JD,yEAA+G;AAK/G,SAAgB,2BAA2B,CACzC,KAAkB,EAClB,KAA4B,EAC5B,cAAuB;IAEvB,MAAM,iBAAiB,GAAG;QACxB,sCAAsC;QACtC,sCAAsC;QACtC,sCAAsC;QACtC,sCAAsC;QACtC,sCAAsC;QACtC,sCAAsC;QACtC,sCAAsC;KACvC,CAAC;IAEF,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,MAAM,OAAO,GAAI,CAAS,CAAC,QAAQ,KAAK,OAAO,CAAC;QAChD,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QACxC,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAE/E,OAAO,OAAO,IAAI,iBAAiB,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,iCAAiC;QACxC,WAAW,EAAE,uGAAuG;QACpH,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,8CAA2B,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KACrF,CAAC;AACJ,CAAC;AAKD,SAAgB,8BAA8B,CAC5C,KAAkB,EAClB,KAA4B,EAC5B,cAAuB;IAEvB,MAAM,iBAAiB,GAAG;QACxB,sCAAsC;QACtC,sCAAsC;QACtC,sCAAsC;KACvC,CAAC;IAEF,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAElC,MAAM,gBAAgB,GACpB,CAAC,CAAC,CAAC,kBAAkB;YACrB,CAAC,CAAC,iBAAiB,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;YAClD,CAAC,CAAC,iBAAiB,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;YACtD,CAAC,CAAC,WAAW,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC/C,CAAS,CAAC,QAAQ,KAAK,aAAa,CAAC;QAExC,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QACxC,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAE/E,OAAO,gBAAgB,IAAI,iBAAiB,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,sCAAsC;QAC7C,WAAW,EAAE,mGAAmG;QAChH,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,8CAA2B,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KACrF,CAAC;AACJ,CAAC;AAKD,SAAgB,yBAAyB,CACvC,KAAkB,EAClB,KAA4B,EAC5B,cAAuB;IAEvB,MAAM,iBAAiB,GAAG,sCAAsC,CAAC;IAEjE,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QACxC,OAAO,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,CAAC,CAAC;IACpB,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAElD,OAAO;QACL,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,cAAc,QAAQ,CAAC,MAAM,yCAAyC,SAAS,sDAAsD;QAClJ,KAAK;QACL,gBAAgB,EAAE,cAAc,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,gBAAgB,CAAC,CAAC,CAAC,CAAC,SAAS;KACjG,CAAC;AACJ,CAAC;AAKD,SAAgB,2BAA2B,CAAC,MAAoB,EAAE,cAAuB;IACvF,MAAM,aAAa,GAAG;QACpB,wBAAwB;QACxB,sBAAsB;QACtB,qBAAqB;QACrB,kBAAkB;QAClB,mBAAmB;KACpB,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,MAAM,cAAc,GAAI,CAAS,CAAC,cAAc,CAAC;QACjD,IAAI,CAAC,cAAc,IAAK,CAAS,CAAC,UAAU,EAAE,QAAQ,CAAC,mBAAmB,CAAC,KAAK,KAAK,EAAE,CAAC;YACtF,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,MAAM,SAAS,GAAG,cAAc,CAAC,WAAW,EAAE,CAAC;QAC/C,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,0CAA0C;QACjD,WAAW,EAAE,oFAAoF;QACjG,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,+CAA4B,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KACtF,CAAC;AACJ,CAAC;AAKD,SAAgB,sCAAsC,CACpD,KAAkB,EAClB,MAAoB,EACpB,KAA4B,EAC5B,cAAuB;IAEvB,OAAO;QACL,2BAA2B,CAAC,KAAK,EAAE,KAAK,EAAE,cAAc,CAAC;QACzD,8BAA8B,CAAC,KAAK,EAAE,KAAK,EAAE,cAAc,CAAC;QAC5D,yBAAyB,CAAC,KAAK,EAAE,KAAK,EAAE,cAAc,CAAC;QACvD,2BAA2B,CAAC,MAAM,EAAE,cAAc,CAAC;KACpD,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;AAC3C,CAAC"}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
import { AzureUser } from '../../../../types/azure.types';
|
|
2
|
+
import { Finding } from '../../../../types/finding.types';
|
|
3
|
+
export declare function detectGlobalAdminNoMfa(users: AzureUser[], roles: Map<string, string[]>, includeDetails: boolean): Finding;
|
|
4
|
+
export declare function detectPrivilegedUserNoMfa(users: AzureUser[], roles: Map<string, string[]>, includeDetails: boolean): Finding;
|
|
5
|
+
export declare function detectRiskyUserHigh(users: AzureUser[], includeDetails: boolean): Finding;
|
|
6
|
+
export declare function detectUserInactive(users: AzureUser[], includeDetails: boolean): Finding;
|
|
7
|
+
export declare function detectPasswordNeverExpires(users: AzureUser[], includeDetails: boolean): Finding;
|
|
8
|
+
export declare function detectRiskyUserMedium(users: AzureUser[], includeDetails: boolean): Finding;
|
|
9
|
+
export declare function detectPasswordOld(users: AzureUser[], includeDetails: boolean): Finding;
|
|
10
|
+
export declare function detectUserNeverSignedIn(users: AzureUser[], includeDetails: boolean): Finding;
|
|
11
|
+
export declare function detectUserUnlicensed(users: AzureUser[], includeDetails: boolean): Finding;
|
|
12
|
+
export declare function detectUserExternalMember(users: AzureUser[], includeDetails: boolean): Finding;
|
|
13
|
+
export declare function detectUserSecurityVulnerabilities(users: AzureUser[], roles: Map<string, string[]>, includeDetails: boolean): Finding[];
|
|
14
|
+
//# sourceMappingURL=user-security.detector.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"user-security.detector.d.ts","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/azure/user-security.detector.ts"],"names":[],"mappings":"AAwBA,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAC1D,OAAO,EAAE,OAAO,EAAE,MAAM,iCAAiC,CAAC;AAM1D,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,SAAS,EAAE,EAClB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,EAC5B,cAAc,EAAE,OAAO,GACtB,OAAO,CAoBT;AAKD,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,SAAS,EAAE,EAClB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,EAC5B,cAAc,EAAE,OAAO,GACtB,OAAO,CA0BT;AAKD,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAexF;AAKD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAmBvF;AAKD,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAc/F;AAKD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAe1F;AAKD,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAmBtF;AAKD,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAc5F;AAKD,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAezF;AAKD,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAgB7F;AAKD,wBAAgB,iCAAiC,CAC/C,KAAK,EAAE,SAAS,EAAE,EAClB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,EAC5B,cAAc,EAAE,OAAO,GACtB,OAAO,EAAE,CAaX"}
|