npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/services/audit/detectors/ad/monitoring.detector.ts ADDED Viewed

@@ -0,0 +1,501 @@
+/**
+ * Monitoring and Security Supervision Detector
+ *
+ * Detects security monitoring gaps and supervision weaknesses in Active Directory.
+ * Phase 2B: Monitoring Detection
+ *
+ * Vulnerabilities detected (8):
+ * HIGH (4):
+ * - AUDIT_LOGON_EVENTS_DISABLED: Logon events not audited
+ * - AUDIT_ACCOUNT_MGMT_DISABLED: Account management not audited
+ * - AUDIT_POLICY_CHANGE_DISABLED: Policy changes not audited
+ * - ADMIN_AUDIT_BYPASS: Admins can bypass audit
+ *
+ * MEDIUM (4):
+ * - AUDIT_PRIVILEGE_USE_DISABLED: Privilege use not audited
+ * - NO_HONEYPOT_ACCOUNTS: No decoy accounts detected
+ * - SECURITY_LOG_SIZE_SMALL: Security log size insufficient
+ * - NO_PROTECTED_USERS_MONITORING: Protected Users group not used
+ */
+import { ADUser, ADGroup, ADDomain } from '../../../../types/ad.types';
+import { Finding } from '../../../../types/finding.types';
+import { toAffectedUserEntities } from '../../../../utils/entity-converter';
+import { GpoSecuritySettings } from '../../../../providers/smb/smb.provider';
+/**
+ * Extended GPO settings for monitoring analysis
+ */
+export interface MonitoringGpoSettings extends GpoSecuritySettings {
+  /** Event log maximum size settings (in KB) */
+  eventLogSettings?: {
+    securityLogMaxSize?: number;
+    systemLogMaxSize?: number;
+    applicationLogMaxSize?: number;
+  };
+}
+/**
+ * Detect if logon events are not being audited
+ * Checks for "Account Logon" and "Logon/Logoff" audit categories
+ */
+export function detectAuditLogonEventsDisabled(
+  gpoSettings: GpoSecuritySettings | null,
+  domain: ADDomain | null,
+  includeDetails: boolean
+): Finding {
+  if (gpoSettings?.auditPolicies && gpoSettings.auditPolicies.length > 0) {
+    const auditPolicies = gpoSettings.auditPolicies;
+    // Check for logon-related audit categories
+    const logonCategories = ['Account Logon', 'Logon/Logoff', 'Logon'];
+    const hasLogonAudit = auditPolicies.some(
+      (p) => logonCategories.some((cat) => p.category.includes(cat)) && (p.success || p.failure)
+    );
+    return {
+      type: 'AUDIT_LOGON_EVENTS_DISABLED',
+      severity: 'high',
+      category: 'monitoring',
+      title: 'Logon Events Not Audited',
+      description:
+        'Logon events are not being audited. Failed and successful authentication attempts will not be logged, hindering intrusion detection.',
+      count: hasLogonAudit ? 0 : 1,
+      affectedEntities: includeDetails && !hasLogonAudit && domain ? [domain.dn] : undefined,
+      details: !hasLogonAudit
+        ? {
+            recommendation:
+              'Enable "Audit Logon Events" and "Audit Account Logon Events" for both Success and Failure.',
+            missingCategories: logonCategories,
+            attacksUndetected: [
+              'Brute force attacks',
+              'Password spraying',
+              'Pass-the-hash',
+              'Kerberos ticket attacks',
+            ],
+          }
+        : undefined,
+    };
+  }
+  return {
+    type: 'AUDIT_LOGON_EVENTS_DISABLED',
+    severity: 'high',
+    category: 'monitoring',
+    title: 'Logon Audit Configuration Unknown',
+    description: 'Unable to determine logon audit configuration. Manual review recommended.',
+    count: 0,
+    details: {
+      note: 'GPO audit settings not available. Check Advanced Audit Policy Configuration manually.',
+    },
+  };
+}
+/**
+ * Detect if account management events are not being audited
+ */
+export function detectAuditAccountMgmtDisabled(
+  gpoSettings: GpoSecuritySettings | null,
+  domain: ADDomain | null,
+  includeDetails: boolean
+): Finding {
+  if (gpoSettings?.auditPolicies && gpoSettings.auditPolicies.length > 0) {
+    const auditPolicies = gpoSettings.auditPolicies;
+    const hasAccountMgmtAudit = auditPolicies.some(
+      (p) => p.category.includes('Account Management') && (p.success || p.failure)
+    );
+    return {
+      type: 'AUDIT_ACCOUNT_MGMT_DISABLED',
+      severity: 'high',
+      category: 'monitoring',
+      title: 'Account Management Not Audited',
+      description:
+        'Account management events are not being audited. User/group creation, modification, and deletion will not be logged.',
+      count: hasAccountMgmtAudit ? 0 : 1,
+      affectedEntities: includeDetails && !hasAccountMgmtAudit && domain ? [domain.dn] : undefined,
+      details: !hasAccountMgmtAudit
+        ? {
+            recommendation: 'Enable "Audit Account Management" for both Success and Failure.',
+            attacksUndetected: [
+              'Unauthorized account creation',
+              'Privilege escalation via group membership',
+              'Backdoor accounts',
+              'Account takeover',
+            ],
+          }
+        : undefined,
+    };
+  }
+  return {
+    type: 'AUDIT_ACCOUNT_MGMT_DISABLED',
+    severity: 'high',
+    category: 'monitoring',
+    title: 'Account Management Audit Configuration Unknown',
+    description: 'Unable to determine account management audit configuration.',
+    count: 0,
+  };
+}
+/**
+ * Detect if policy change events are not being audited
+ */
+export function detectAuditPolicyChangeDisabled(
+  gpoSettings: GpoSecuritySettings | null,
+  domain: ADDomain | null,
+  includeDetails: boolean
+): Finding {
+  if (gpoSettings?.auditPolicies && gpoSettings.auditPolicies.length > 0) {
+    const auditPolicies = gpoSettings.auditPolicies;
+    const hasPolicyChangeAudit = auditPolicies.some(
+      (p) => p.category.includes('Policy Change') && (p.success || p.failure)
+    );
+    return {
+      type: 'AUDIT_POLICY_CHANGE_DISABLED',
+      severity: 'high',
+      category: 'monitoring',
+      title: 'Policy Changes Not Audited',
+      description:
+        'Policy change events are not being audited. GPO modifications and security policy changes will not be logged.',
+      count: hasPolicyChangeAudit ? 0 : 1,
+      affectedEntities: includeDetails && !hasPolicyChangeAudit && domain ? [domain.dn] : undefined,
+      details: !hasPolicyChangeAudit
+        ? {
+            recommendation: 'Enable "Audit Policy Change" for both Success and Failure.',
+            attacksUndetected: [
+              'GPO poisoning',
+              'Security policy weakening',
+              'Audit policy tampering',
+              'Firewall rule modifications',
+            ],
+          }
+        : undefined,
+    };
+  }
+  return {
+    type: 'AUDIT_POLICY_CHANGE_DISABLED',
+    severity: 'high',
+    category: 'monitoring',
+    title: 'Policy Change Audit Configuration Unknown',
+    description: 'Unable to determine policy change audit configuration.',
+    count: 0,
+  };
+}
+/**
+ * Detect if privilege use is not being audited
+ */
+export function detectAuditPrivilegeUseDisabled(
+  gpoSettings: GpoSecuritySettings | null,
+  domain: ADDomain | null,
+  includeDetails: boolean
+): Finding {
+  if (gpoSettings?.auditPolicies && gpoSettings.auditPolicies.length > 0) {
+    const auditPolicies = gpoSettings.auditPolicies;
+    const hasPrivilegeUseAudit = auditPolicies.some(
+      (p) => p.category.includes('Privilege Use') && (p.success || p.failure)
+    );
+    return {
+      type: 'AUDIT_PRIVILEGE_USE_DISABLED',
+      severity: 'medium',
+      category: 'monitoring',
+      title: 'Privilege Use Not Audited',
+      description:
+        'Privilege use events are not being audited. Sensitive privilege usage will not be logged.',
+      count: hasPrivilegeUseAudit ? 0 : 1,
+      affectedEntities: includeDetails && !hasPrivilegeUseAudit && domain ? [domain.dn] : undefined,
+      details: !hasPrivilegeUseAudit
+        ? {
+            recommendation: 'Enable "Audit Privilege Use" for Failure events at minimum.',
+            attacksUndetected: [
+              'Privilege abuse',
+              'SeDebugPrivilege exploitation',
+              'Token manipulation',
+              'Impersonation attacks',
+            ],
+          }
+        : undefined,
+    };
+  }
+  return {
+    type: 'AUDIT_PRIVILEGE_USE_DISABLED',
+    severity: 'medium',
+    category: 'monitoring',
+    title: 'Privilege Use Audit Configuration Unknown',
+    description: 'Unable to determine privilege use audit configuration.',
+    count: 0,
+  };
+}
+/**
+ * Detect absence of honeypot/decoy accounts
+ * Honeypots help detect attackers early during enumeration
+ */
+export function detectNoHoneypotAccounts(users: ADUser[], _includeDetails: boolean): Finding {
+  const honeypotPatterns = ['honeypot', 'decoy', 'trap', 'canary', 'bait', 'fake'];
+  const attractivePatterns = ['svc_', 'admin_backup', 'admin_old', 'sa_', 'sqlsvc', 'backup_admin'];
+  // Find explicit honeypot accounts
+  const honeypots = users.filter((u) => {
+    const rawDesc = u.description;
+    const desc = (typeof rawDesc === 'string' ? rawDesc : '').toLowerCase();
+    const name = (u.sAMAccountName || '').toLowerCase();
+    return honeypotPatterns.some((p) => desc.includes(p) || name.includes(p));
+  });
+  // Find potential bait accounts (attractive names, never used)
+  const potentialBaits = users.filter((u) => {
+    const name = (u.sAMAccountName || '').toLowerCase();
+    const hasAttractiveNaming = attractivePatterns.some((p) => name.includes(p));
+    const neverLoggedIn = !u.lastLogon;
+    const isEnabled = u.enabled;
+    return hasAttractiveNaming && neverLoggedIn && isEnabled;
+  });
+  const hasHoneypots = honeypots.length > 0 || potentialBaits.length >= 2;
+  return {
+    type: 'NO_HONEYPOT_ACCOUNTS',
+    severity: 'medium',
+    category: 'monitoring',
+    title: 'No Honeypot/Decoy Accounts Detected',
+    description:
+      'No honeypot or decoy accounts detected in the directory. These accounts help detect attackers during enumeration phase.',
+    count: hasHoneypots ? 0 : 1,
+    affectedEntities: undefined, // No affected entities - this is a missing control
+    details: hasHoneypots
+      ? {
+          honeypotCount: honeypots.length,
+          potentialBaitCount: potentialBaits.length,
+          status: 'Honeypot accounts detected',
+        }
+      : {
+          recommendation:
+            'Create honeypot accounts with attractive names (e.g., svc_backup, admin_old) and monitor for any usage.',
+          benefits: [
+            'Early detection of attacker enumeration',
+            'Detect credential stuffing attempts',
+            'Alert on lateral movement',
+          ],
+          implementationGuide:
+            'Create accounts with attractive names but no real permissions. Alert on any authentication attempt.',
+        },
+  };
+}
+/**
+ * Detect if admins can bypass audit
+ * Checks for accounts with SeAuditPrivilege or audit bypass capabilities
+ */
+export function detectAdminAuditBypass(
+  users: ADUser[],
+  _domain: ADDomain | null,
+  includeDetails: boolean
+): Finding {
+  // Find users with adminCount=1 who are not in Protected Users
+  // These admins may have the ability to manipulate audit logs
+  const adminUsers = users.filter((u) => u.adminCount === 1 && u.enabled);
+  // Check for users not in Protected Users group
+  const protectedUsersPattern = /protected users/i;
+  const adminsNotProtected = adminUsers.filter((u) => {
+    const memberOf = u['memberOf'] as string[] | undefined;
+    if (!memberOf) return true;
+    return !memberOf.some((g) => protectedUsersPattern.test(g));
+  });
+  // Check for specific concerning patterns
+  const auditBypassRisk = adminsNotProtected.filter((u) => {
+    // Admins with old passwords are higher risk (may be compromised)
+    const pwdAge = u.pwdLastSet ? Date.now() - new Date(u.pwdLastSet).getTime() : Infinity;
+    const pwdAgeMonths = pwdAge / (1000 * 60 * 60 * 24 * 30);
+    return pwdAgeMonths > 6; // Password older than 6 months
+  });
+  const hasRisk = auditBypassRisk.length > 0;
+  return {
+    type: 'ADMIN_AUDIT_BYPASS',
+    severity: 'high',
+    category: 'monitoring',
+    title: 'Administrators Can Bypass Audit',
+    description:
+      'Privileged accounts not in Protected Users group with old passwords may bypass audit controls.',
+    count: auditBypassRisk.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(auditBypassRisk) : undefined,
+    details: hasRisk
+      ? {
+          totalAdmins: adminUsers.length,
+          adminsNotProtected: adminsNotProtected.length,
+          adminsWithOldPasswords: auditBypassRisk.length,
+          recommendation:
+            'Add admin accounts to Protected Users group and enforce regular password rotation.',
+          risks: [
+            'Admins can clear security logs',
+            'Compromised admin credentials may evade detection',
+            'Audit policies may be disabled by compromised admin',
+          ],
+        }
+      : undefined,
+  };
+}
+/**
+ * Detect if security log size is too small
+ * Small logs mean events are overwritten quickly, losing forensic data
+ */
+export function detectSecurityLogSizeSmall(
+  gpoSettings: MonitoringGpoSettings | null,
+  domain: ADDomain | null,
+  includeDetails: boolean
+): Finding {
+  const MINIMUM_LOG_SIZE_KB = 128 * 1024; // 128 MB minimum recommended
+  if (gpoSettings?.eventLogSettings?.securityLogMaxSize !== undefined) {
+    const logSize = gpoSettings.eventLogSettings.securityLogMaxSize;
+    const isTooSmall = logSize < MINIMUM_LOG_SIZE_KB;
+    return {
+      type: 'SECURITY_LOG_SIZE_SMALL',
+      severity: 'medium',
+      category: 'monitoring',
+      title: 'Security Log Size Insufficient',
+      description: `Security event log maximum size is ${Math.round(logSize / 1024)} MB. Small logs cause events to be overwritten quickly, losing forensic data.`,
+      count: isTooSmall ? 1 : 0,
+      affectedEntities: includeDetails && isTooSmall && domain ? [domain.dn] : undefined,
+      details: isTooSmall
+        ? {
+            currentSizeKB: logSize,
+            currentSizeMB: Math.round(logSize / 1024),
+            recommendedSizeKB: MINIMUM_LOG_SIZE_KB,
+            recommendedSizeMB: Math.round(MINIMUM_LOG_SIZE_KB / 1024),
+            recommendation: 'Increase Security log maximum size to at least 128 MB via GPO.',
+            risks: [
+              'Critical events may be lost due to log rotation',
+              'Incident response hampered by missing events',
+              'Compliance violations for log retention requirements',
+            ],
+          }
+        : undefined,
+    };
+  }
+  // Return informational finding if we can't determine log size
+  // Don't count as a vulnerability since we can't verify
+  return {
+    type: 'SECURITY_LOG_SIZE_SMALL',
+    severity: 'medium',
+    category: 'monitoring',
+    title: 'Security Log Size Configuration Unknown',
+    description: 'Unable to determine security event log size configuration.',
+    count: 0,
+    details: {
+      note: 'GPO event log settings not available. Verify Security log maximum size manually.',
+      recommendedSizeMB: Math.round(MINIMUM_LOG_SIZE_KB / 1024),
+    },
+  };
+}
+/**
+ * Detect if Protected Users group is not being used
+ * Protected Users provides additional protections for privileged accounts
+ */
+export function detectNoProtectedUsersMonitoring(
+  users: ADUser[],
+  groups: ADGroup[],
+  includeDetails: boolean
+): Finding {
+  // Find the Protected Users group
+  const protectedUsersGroup = groups.find((g) => {
+    const name = (g.sAMAccountName || g.displayName || '').toLowerCase();
+    return name === 'protected users' || g.dn.toLowerCase().includes('cn=protected users');
+  });
+  // Get privileged users who should be in Protected Users
+  const privilegedUsers = users.filter((u) => u.adminCount === 1 && u.enabled);
+  // Check which privileged users are NOT in Protected Users
+  const notInProtectedUsers = privilegedUsers.filter((u) => {
+    const memberOf = u['memberOf'] as string[] | undefined;
+    if (!memberOf) return true;
+    // Check if any membership is Protected Users
+    return !memberOf.some(
+      (g) =>
+        g.toLowerCase().includes('cn=protected users') ||
+        (protectedUsersGroup && g.toLowerCase() === protectedUsersGroup.dn.toLowerCase())
+    );
+  });
+  // If no Protected Users group found or it's empty
+  const groupExists = protectedUsersGroup !== undefined;
+  const groupMemberCount = protectedUsersGroup?.member?.length ?? 0;
+  return {
+    type: 'NO_PROTECTED_USERS_MONITORING',
+    severity: 'medium',
+    category: 'monitoring',
+    title: 'Protected Users Group Not Utilized',
+    description:
+      'Privileged accounts are not members of the Protected Users group. This group provides additional protections against credential theft.',
+    count: notInProtectedUsers.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(notInProtectedUsers) : undefined,
+    details: {
+      groupExists,
+      currentMembers: groupMemberCount,
+      totalPrivilegedAccounts: privilegedUsers.length,
+      notInGroup: notInProtectedUsers.length,
+      protections: [
+        'NTLM authentication disabled',
+        'Kerberos DES/RC4 encryption disabled',
+        'Kerberos TGT lifetime reduced to 4 hours',
+        'Credential delegation disabled',
+        'Cached credentials not stored',
+      ],
+      recommendation:
+        'Add all privileged/admin accounts to Protected Users group for enhanced credential protection.',
+    },
+  };
+}
+/**
+ * Monitoring detector options
+ */
+export interface MonitoringDetectorOptions {
+  /** GPO security settings including event log settings */
+  gpoSettings?: MonitoringGpoSettings | null;
+}
+/**
+ * Detect all monitoring vulnerabilities
+ */
+export function detectMonitoringVulnerabilities(
+  users: ADUser[],
+  groups: ADGroup[],
+  domain: ADDomain | null,
+  includeDetails: boolean,
+  options: MonitoringDetectorOptions = {}
+): Finding[] {
+  const { gpoSettings = null } = options;
+  return [
+    // High severity - Audit gaps
+    detectAuditLogonEventsDisabled(gpoSettings, domain, includeDetails),
+    detectAuditAccountMgmtDisabled(gpoSettings, domain, includeDetails),
+    detectAuditPolicyChangeDisabled(gpoSettings, domain, includeDetails),
+    detectAdminAuditBypass(users, domain, includeDetails),
+    // Medium severity
+    detectAuditPrivilegeUseDisabled(gpoSettings, domain, includeDetails),
+    detectNoHoneypotAccounts(users, includeDetails),
+    detectSecurityLogSizeSmall(gpoSettings, domain, includeDetails),
+    detectNoProtectedUsersMonitoring(users, groups, includeDetails),
+  ].filter((finding) => finding.count > 0);
+}