public/Invoke-VPASAuditSafeTest.ps1
<#
.Synopsis RUN AUDIT SAFE TESTS CREATED BY: Vadim Melamed, EMAIL: vmelamed5@gmail.com .DESCRIPTION USE THIS FUNCTION TO RUN AUDIT TESTS FOR SAFES .PARAMETER NoSSL If the environment is not set up for SSL, API calls will be made via HTTP not HTTPS (Not Recommended!) .PARAMETER token HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc). If -token is not passed, function will use last known hashtable generated by New-VPASToken .EXAMPLE $RunAuditSafeTests = Invoke-VPASAuditSafeTest .OUTPUTS $true if successful $false if failed #> function Invoke-VPASAuditSafeTest{ [OutputType([bool])] [CmdletBinding()] Param( [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=0)] [hashtable]$token, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=1)] [Switch]$NoSSL ) Begin{ $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL = Get-VPASSession -token $token } Process{ $OutputResultsToFile = $true $ErrorInAudit = $false $AuditFailCount = 0 $curUser = $env:UserName $ConfigFilePath = "C:\Users\$curUser\AppData\Local\VPASModuleOutputs\Audits" $ConfigFile = "C:\Users\$curUser\AppData\Local\VPASModuleOutputs\Audits\AuditSafeTestConfigs.txt" if($OutputResultsToFile){ $OutputFile = "C:\Users\$curUser\AppData\Local\VPASModuleOutputs\Audits\AuditSafesResults.txt" $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : BEGINNING AUDIT TEST" | Set-Content $OutputFile } Write-Verbose "CONSTRUCTING FILEPATHS FOR AuditSafeTestConfigs" #FILE CREATION try{ if(Test-Path -Path $ConfigFilePath){ #DO NOTHING Write-Verbose "AuditSafeTestConfigs DIRECTORY EXISTS" if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : SAFE AUDIT PRECHECK 1 PASSED" | Add-Content $OutputFile } } else{ Write-Verbose "AuditSafeTestConfigs DIRECTORY DOES NOT EXIST...PLEASE RUN Set-VPASAuditSafeTest COMMAND TO INITIATE TEST CASES" Write-Verbose "Returning False" Write-VPASOutput -str "AuditSafeTestConfigs DIRECTORY DOES NOT EXIST...PLEASE RUN Set-VPASAuditSafeTes COMMAND TO INITIATE TEST CASES" -type E Write-VPASOutput -str "EXITING UTILITY" -type E if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : FAILED TO RUN SAFE AUDIT TEST" | Add-Content $OutputFile } return $false } if(Test-Path -Path $ConfigFile){ if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : SAFE AUDIT PRECHECK 2 PASSED" | Add-Content $OutputFile } #START PARSING FILE HERE $AllLines = Get-Content -Path $ConfigFile $AuditSafeNameConvention = "" $AuditNumberOfSafeMembers = 0 $AuditSafeMembers = @{} $AuditSafeMember = "" $AuditPermissions = @() $AuditCPMName = "" $AuditIgnoreSafes = @() foreach($line in $AllLines){ #SafeNamingConvention if($line -match "SafeNamingConvention="){ $tempVal = $line $tempValSplit = $tempVal -split "=" $AuditSafeNameConvention = $tempValSplit[1] Write-Verbose "SafeNamingConvention = $AuditSafeNameConvention" } #NumberOfSafeMembers if($line -match "NumberOfSafeMembers="){ $tempVal = $line $tempValSplit = $tempVal -split "=" $AuditNumberOfSafeMembers = [int]$tempValSplit[1] Write-Verbose "NumberOfSafeMembers = $AuditNumberOfSafeMembers" } #SafeMember if($line -match "SafeMember="){ $tempVal = $line $tempValSplit = $tempVal -split "=" $AuditSafeMember = $tempValSplit[1] Write-Verbose "SafeMember = $AuditSafeMember" } #Permissions if($line -match "Permissions="){ $tempVal = $line $tempValSplit = $tempVal -split "=" $AuditPermissionsTemp = $tempValSplit[1] Write-Verbose "Permissions = $AuditPermissionsTemp" $pUseAccounts = $false $pRetrieveAccounts = $false $pListAccounts = $false $pAddAccounts = $false $pUpdateAccountContent = $false $pUpdateAccountProperties = $false $pInitiateCPMAccountManagementOperations = $false $pSpecifyNextAccountContent = $false $pRenameAccounts = $false $pDeleteAccounts = $false $pUnlockAccounts = $false $pManageSafe = $false $pManageSafeMembers = $false $pBackupSafe = $false $pViewAuditLog = $false $pViewSafeMembers = $false $pAccessWithoutConfirmation = $false $pCreateFolders = $false $pDeleteFolders = $false $pMoveAccountsAndFolders = $false $pRequestsAuthorizationLevel1 = $false $pRequestsAuthorizationLevel2 = $false $AuditPermissions = $AuditPermissionsTemp -split ";" foreach($perm in $AuditPermissions){ if($perm -eq "UseAccounts"){ $pUseAccounts = $true } if($perm -eq "RetrieveAccounts"){ $pRetrieveAccounts = $true } if($perm -eq "ListAccounts"){ $pListAccounts = $true } if($perm -eq "AddAccounts"){ $pAddAccounts = $true } if($perm -eq "UpdateAccountContent"){ $pUpdateAccountContent = $true } if($perm -eq "UpdateAccountProperties"){ $pUpdateAccountProperties = $true } if($perm -eq "InitiateCPMAccountManagementOperations"){ $pInitiateCPMAccountManagementOperations = $true } if($perm -eq "SpecifyNextAccountContent"){ $pSpecifyNextAccountContent = $true } if($perm -eq "RenameAccounts"){ $pRenameAccounts = $true } if($perm -eq "DeleteAccounts"){ $pDeleteAccounts = $true } if($perm -eq "UnlockAccounts"){ $pUnlockAccounts = $true } if($perm -eq "ManageSafe"){ $pManageSafe = $true } if($perm -eq "ManageSafeMembers"){ $pManageSafeMembers = $true } if($perm -eq "BackupSafe"){ $pBackupSafe = $true } if($perm -eq "ViewAuditLog"){ $pViewAuditLog = $true } if($perm -eq "ViewSafeMembers"){ $pViewSafeMembers = $true } if($perm -eq "AccessWithoutConfirmation"){ $pAccessWithoutConfirmation = $true } if($perm -eq "CreateFolders"){ $pCreateFolders = $true } if($perm -eq "DeleteFolders"){ $pDeleteFolders = $true } if($perm -eq "MoveAccountsAndFolders"){ $pMoveAccountsAndFolders = $true } if($perm -eq "RequestsAuthorizationLevel1"){ $pRequestsAuthorizationLevel1 = $true } if($perm -eq "RequestsAuthorizationLevel2"){ $pRequestsAuthorizationLevel2 = $true } } $Perms = @{ UseAccounts = $pUseAccounts RetrieveAccounts = $pRetrieveAccounts ListAccounts = $pListAccounts AddAccounts = $pAddAccounts UpdateAccountContent = $pUpdateAccountContent UpdateAccountProperties = $pUpdateAccountProperties InitiateCPMAccountManagementOperations = $pInitiateCPMAccountManagementOperations SpecifyNextAccountContent = $pSpecifyNextAccountContent RenameAccounts = $pRenameAccounts DeleteAccounts = $pDeleteAccounts UnlockAccounts = $pUnlockAccounts ManageSafe = $pManageSafe ManageSafeMembers = $pManageSafeMembers BackupSafe = $pBackupSafe ViewAuditLog = $pViewAuditLog ViewSafeMembers = $pViewSafeMembers AccessWithoutConfirmation = $pAccessWithoutConfirmation CreateFolders = $pCreateFolders DeleteFolders = $pDeleteFolders MoveAccountsAndFolders = $pMoveAccountsAndFolders RequestsAuthorizationLevel1 = $pRequestsAuthorizationLevel1 RequestsAuthorizationLevel2 = $pRequestsAuthorizationLevel2 } $AuditSafeMembers += @{ $AuditSafeMember = $Perms } $AuditSafeMember = "" $AuditPermissions = @() } #CPMName if($line -match "CPMName="){ $tempVal = $line $tempValSplit = $tempVal -split "=" $AuditCPMName = $tempValSplit[1] Write-Verbose "CPMName = $AuditCPMName" } #IgnoreSafes if($line -match "IgnoreSafes="){ $tempVal = $line $tempValSplit = $tempVal -split "=" $AuditIgnoreSafesTemp = $tempValSplit[1] Write-Verbose "IgnoreSafes = $AuditIgnoreSafesTemp" $AuditIgnoreSafes = $AuditIgnoreSafesTemp -split ";" } } } else{ Write-Verbose "AuditSafeTestConfigs.txt DOES NOT EXIST...PLEASE RUN Set-VPASAuditSafeTes COMMAND TO INITIATE TEST CASES" Write-Verbose "Returning False" Write-VPASOutput -str "AuditSafeTestConfigs.txt DOES NOT EXIST...PLEASE RUN Set-VPASAuditSafeTes COMMAND TO INITIATE TEST CASES" -type E Write-VPASOutput -str "EXITING UTILITY" -type E if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : FAILED TO RUN SAFE AUDIT TEST" | Add-Content $OutputFile } return $false } }catch{ Write-VPASOutput -str "ERROR READING AuditSafeTestConfigs FILE" -type E Write-VPASOutput -str $_ -type E if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : FAILED TO RUN SAFE AUDIT TEST" | Add-Content $OutputFile write-output "$_" | Add-Content $OutputFile } return $false } if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDITING SAFES AGAINST THE FOLLOWING PARAMETERS:" | Add-Content $OutputFile write-output "$timestamp : `tSafeNameConvention = $AuditSafeNameConvention" | Add-Content $OutputFile write-output "$timestamp : `tCPMName = $AuditCPMName" | Add-Content $OutputFile write-output "$timestamp : `tIgnoreSafes = $AuditIgnoreSafes" | Add-Content $OutputFile write-output "$timestamp : `tNumberOfSafeMembers = $AuditNumberOfSafeMembers" | Add-Content $OutputFile $AllKeys = $AuditSafeMembers.Keys $targetMembers = @() $MemberCheckArr = @{} foreach($rec in $AllKeys){ $targetUser = $rec $str = "" $pUseAccounts = $AuditSafeMembers.$rec.UseAccounts $pRetrieveAccounts = $AuditSafeMembers.$rec.RetrieveAccounts $pListAccounts = $AuditSafeMembers.$rec.ListAccounts $pAddAccounts = $AuditSafeMembers.$rec.AddAccounts $pUpdateAccountContent = $AuditSafeMembers.$rec.UpdateAccountContent $pUpdateAccountProperties = $AuditSafeMembers.$rec.UpdateAccountProperties $pInitiateCPMAccountManagementOperations = $AuditSafeMembers.$rec.InitiateCPMAccountManagementOperations $pSpecifyNextAccountContent = $AuditSafeMembers.$rec.SpecifyNextAccountContent $pRenameAccounts = $AuditSafeMembers.$rec.RenameAccounts $pDeleteAccounts = $AuditSafeMembers.$rec.DeleteAccounts $pUnlockAccounts = $AuditSafeMembers.$rec.UnlockAccounts $pManageSafe = $AuditSafeMembers.$rec.ManageSafe $pManageSafeMembers = $AuditSafeMembers.$rec.ManageSafeMembers $pBackupSafe = $AuditSafeMembers.$rec.BackupSafe $pViewAuditLog = $AuditSafeMembers.$rec.ViewAuditLog $pViewSafeMembers = $AuditSafeMembers.$rec.ViewSafeMembers $pAccessWithoutConfirmation = $AuditSafeMembers.$rec.AccessWithoutConfirmation $pCreateFolders = $AuditSafeMembers.$rec.CreateFolders $pDeleteFolders = $AuditSafeMembers.$rec.DeleteFolders $pMoveAccountsAndFolders = $AuditSafeMembers.$rec.MoveAccountsAndFolders $pRequestsAuthorizationLevel1 = $AuditSafeMembers.$rec.RequestsAuthorizationLevel1 $pRequestsAuthorizationLevel2 = $AuditSafeMembers.$rec.RequestsAuthorizationLevel2 if($pUseAccounts){ $str += "UseAccounts;" } if($pRetrieveAccounts){ $str += "RetrieveAccounts;" } if($pListAccounts){ $str += "ListAccounts;" } if($pAddAccounts){ $str += "AddAccounts;" } if($pUpdateAccountContent){ $str += "UpdateAccountContent;" } if($pUpdateAccountProperties){ $str += "UpdateAccountProperties;" } if($pInitiateCPMAccountManagementOperations){ $str += "InitiateCPMAccountManagementOperations;" } if($pSpecifyNextAccountContent){ $str += "SpecifyNextAccountContent;" } if($pRenameAccounts){ $str += "RenameAccounts;" } if($pDeleteAccounts){ $str += "DeleteAccounts;" } if($pUnlockAccounts){ $str += "UnlockAccounts;" } if($pManageSafe){ $str += "ManageSafe;" } if($pManageSafeMembers){ $str += "ManageSafeMembers;" } if($pBackupSafe){ $str += "BackupSafe;" } if($pViewAuditLog){ $str += "ViewAuditLog;" } if($pViewSafeMembers){ $str += "ViewSafeMembers;" } if($pAccessWithoutConfirmation){ $str += "AccessWithoutConfirmation;" } if($pCreateFolders){ $str += "CreateFolders;" } if($pDeleteFolders){ $str += "DeleteFolders;" } if($pMoveAccountsAndFolders){ $str += "MoveAccountsAndFolders;" } if($pRequestsAuthorizationLevel1){ $str += "RequestsAuthorizationLevel1;" } if($pRequestsAuthorizationLevel2){ $str += "RequestsAuthorizationLevel2;" } $targetPermissions = $AuditSafeMembers.$rec write-output "$timestamp : `tTargetSafeMember = $targetUser" | Add-Content $OutputFile write-output "$timestamp : `tTargetPermissions = $str" | Add-Content $OutputFile $targetMembers += $targetUser.ToLower() $MemberCheckArr += @{ $targetUser = $false } } } if($NoSSL){ $AllSafes = Get-VPASSafes -token $token -searchQuery "$AuditSafeNameConvention" -limit 5000 -NoSSL } else{ $AllSafes = Get-VPASSafes -token $token -searchQuery "$AuditSafeNameConvention" -limit 5000 } if($AllSafes){ #WE HAVE A BUNCH OF SAFES NOW $counter = $AllSafes.count if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : $counter SAFES FOUND CONTAINING *$AuditSafeNameConvention* " | Add-Content $OutputFile Write-Verbose "FOUND $counter SAFES CONTAINING *$AuditSafeNameConvention* " } foreach($saferes in $AllSafes.value){ $safe = $saferes.safename $CPM = $saferes.managingCPM write-verbose "ANALYZING SAFE: $safe" if($AuditIgnoreSafes.Contains($safe)){ #DO NOTHING...SKIPPING SAFE Write-Verbose "SKIPPING $safe...PART OF IGNORE SAFE SET" } else{ #CONTINUE QUERYING CYBERARK FOR MEMBERS AND OTHER CHECKS if($AuditCPMName -eq "NULL"){ #SKIPPING CPM AUDIT } else{ if($CPM -ne $AuditCPMName){ if([String]::IsNullOrEmpty($CPM)){ $CPM = "None" } if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (CPM) - $safe - CURRENT CPM ASSIGNED $CPM...SHOULD BE $AuditCPMName" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 Write-Verbose "CPM USER IS INCORRECT ON SAFE: $safe" } } } if($AuditNumberOfSafeMembers -eq "0"){ #SKIPPING SAFE MEMBERS CHECK } else{ if($NoSSL){ $AllSafemembers = Get-VPASSafeMembers -token $token -safe $safe -IncludePredefinedMembers -NoSSL } else{ $AllSafemembers = Get-VPASSafeMembers -token $token -safe $safe -IncludePredefinedMembers } foreach($foundMember in $AllSafemembers.value){ $MemberName = $foundMember.memberName $permissions = $foundMember.permissions Write-Verbose "ANALYZING SAFE MEMBER: $MemberName ON SAFE: $safe" $MemberName = $MemberName.ToLower() if($targetMembers.Contains($MemberName)){ #FOUND TARGET MEMBER $MemberCheckArr.$MemberName = $true Write-Verbose "FOUND TARGET MEMBER: $MemberName ON SAFE: $safe" #CURRENT PERMS $pUseAccounts = $permissions.UseAccounts $pRetrieveAccounts = $permissions.RetrieveAccounts $pListAccounts = $permissions.ListAccounts $pAddAccounts = $permissions.AddAccounts $pUpdateAccountContent = $permissions.UpdateAccountContent $pUpdateAccountProperties = $permissions.UpdateAccountProperties $pInitiateCPMAccountManagementOperations = $permissions.InitiateCPMAccountManagementOperations $pSpecifyNextAccountContent = $permissions.SpecifyNextAccountContent $pRenameAccounts = $permissions.RenameAccounts $pDeleteAccounts = $permissions.DeleteAccounts $pUnlockAccounts = $permissions.UnlockAccounts $pManageSafe = $permissions.ManageSafe $pManageSafeMembers = $permissions.ManageSafeMembers $pBackupSafe = $permissions.BackupSafe $pViewAuditLog = $permissions.ViewAuditLog $pViewSafeMembers = $permissions.ViewSafeMembers $pAccessWithoutConfirmation = $permissions.AccessWithoutConfirmation $pCreateFolders = $permissions.CreateFolders $pDeleteFolders = $permissions.DeleteFolders $pMoveAccountsAndFolders = $permissions.MoveAccountsAndFolders $pRequestsAuthorizationLevel1 = $permissions.RequestsAuthorizationLevel1 $pRequestsAuthorizationLevel2 = $permissions.RequestsAuthorizationLevel2 #AUDIT PERMS $cUseAccounts = $AuditSafeMembers.$MemberName.UseAccounts $cRetrieveAccounts = $AuditSafeMembers.$MemberName.RetrieveAccounts $cListAccounts = $AuditSafeMembers.$MemberName.ListAccounts $cAddAccounts = $AuditSafeMembers.$MemberName.AddAccounts $cUpdateAccountContent = $AuditSafeMembers.$MemberName.UpdateAccountContent $cUpdateAccountProperties = $AuditSafeMembers.$MemberName.UpdateAccountProperties $cInitiateCPMAccountManagementOperations = $AuditSafeMembers.$MemberName.InitiateCPMAccountManagementOperations $cSpecifyNextAccountContent = $AuditSafeMembers.$MemberName.SpecifyNextAccountContent $cRenameAccounts = $AuditSafeMembers.$MemberName.RenameAccounts $cDeleteAccounts = $AuditSafeMembers.$MemberName.DeleteAccounts $cUnlockAccounts = $AuditSafeMembers.$MemberName.UnlockAccounts $cManageSafe = $AuditSafeMembers.$MemberName.ManageSafe $cManageSafeMembers = $AuditSafeMembers.$MemberName.ManageSafeMembers $cBackupSafe = $AuditSafeMembers.$MemberName.BackupSafe $cViewAuditLog = $AuditSafeMembers.$MemberName.ViewAuditLog $cViewSafeMembers = $AuditSafeMembers.$MemberName.ViewSafeMembers $cAccessWithoutConfirmation = $AuditSafeMembers.$MemberName.AccessWithoutConfirmation $cCreateFolders = $AuditSafeMembers.$MemberName.CreateFolders $cDeleteFolders = $AuditSafeMembers.$MemberName.DeleteFolders $cMoveAccountsAndFolders = $AuditSafeMembers.$MemberName.MoveAccountsAndFolders $cRequestsAuthorizationLevel1 = $AuditSafeMembers.$MemberName.RequestsAuthorizationLevel1 $cRequestsAuthorizationLevel2 = $AuditSafeMembers.$MemberName.RequestsAuthorizationLevel2 if($pUseAccounts -ne $cUseAccounts){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName UseAccounts IS SET TO $pUseAccounts...SHOULD BE SET TO $cUseAccounts" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "UseAccounts PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pRetrieveAccounts -ne $cRetrieveAccounts){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName RetrieveAccounts IS SET TO $pRetrieveAccounts...SHOULD BE SET TO $cRetrieveAccounts" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "RetrieveAccounts PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pListAccounts -ne $cListAccounts){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName ListAccounts IS SET TO $pListAccounts...SHOULD BE SET TO $cListAccounts" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "ListAccounts PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pAddAccounts -ne $cAddAccounts){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName AddAccounts IS SET TO $pAddAccounts...SHOULD BE SET TO $cAddAccounts" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "AddAccounts PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pUpdateAccountContent -ne $cUpdateAccountContent){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName UpdateAccountContent IS SET TO $pUpdateAccountContent...SHOULD BE SET TO $cUpdateAccountContent" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "UpdateAccountContent PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pUpdateAccountProperties -ne $cUpdateAccountProperties){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName UpdateAccountProperties IS SET TO $pUpdateAccountProperties...SHOULD BE SET TO $cUpdateAccountProperties" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "UpdateAccountProperties PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pInitiateCPMAccountManagementOperations -ne $cInitiateCPMAccountManagementOperations){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName InitiateCPMAccountManagementOperations IS SET TO $pInitiateCPMAccountManagementOperations...SHOULD BE SET TO $cInitiateCPMAccountManagementOperations" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "InitiateCPMAccountManagementOperations PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pSpecifyNextAccountContent -ne $cSpecifyNextAccountContent){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName SpecifyNextAccountContent IS SET TO $pSpecifyNextAccountContent...SHOULD BE SET TO $cSpecifyNextAccountContent" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "SpecifyNextAccountContent PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pRenameAccounts -ne $cRenameAccounts){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName RenameAccounts IS SET TO $pRenameAccounts...SHOULD BE SET TO $cRenameAccounts" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "RenameAccounts PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pDeleteAccounts -ne $cDeleteAccounts){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName DeleteAccounts IS SET TO $pDeleteAccounts...SHOULD BE SET TO $cDeleteAccounts" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "DeleteAccounts PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pUnlockAccounts -ne $cUnlockAccounts){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName UnlockAccounts IS SET TO $pUnlockAccounts...SHOULD BE SET TO $cUnlockAccounts" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "UnlockAccounts PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pManageSafe -ne $cManageSafe){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName ManageSafe IS SET TO $pManageSafe...SHOULD BE SET TO $cManageSafe" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "ManageSafe PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pManageSafeMembers -ne $cManageSafeMembers){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName ManageSafeMembers IS SET TO $pManageSafeMembers...SHOULD BE SET TO $cManageSafeMembers" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "ManageSafeMembers PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pBackupSafe -ne $cBackupSafe){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName BackupSafe IS SET TO $pBackupSafe...SHOULD BE SET TO $cBackupSafe" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "BackupSafe PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pViewAuditLog -ne $cViewAuditLog){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName ViewAuditLog IS SET TO $pViewAuditLog...SHOULD BE SET TO $cViewAuditLog" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "ViewAuditLog PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pViewSafeMembers -ne $cViewSafeMembers){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName ViewSafeMembers IS SET TO $pViewSafeMembers...SHOULD BE SET TO $cViewSafeMembers" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "ViewSafeMembers PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pAccessWithoutConfirmation -ne $cAccessWithoutConfirmation){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName AccessWithoutConfirmation IS SET TO $pAccessWithoutConfirmation...SHOULD BE SET TO $cAccessWithoutConfirmation" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "AccessWithoutConfirmation PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pCreateFolders -ne $cCreateFolders){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName CreateFolders IS SET TO $pCreateFolders...SHOULD BE SET TO $cCreateFolders" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "CreateFolders PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pDeleteFolders -ne $cDeleteFolders){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName DeleteFolders IS SET TO $pDeleteFolders...SHOULD BE SET TO $cDeleteFolders" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "DeleteFolders PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pMoveAccountsAndFolders -ne $cMoveAccountsAndFolders){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName MoveAccountsAndFolders IS SET TO $pMoveAccountsAndFolders...SHOULD BE SET TO $cMoveAccountsAndFolders" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "MoveAccountsAndFolders PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pRequestsAuthorizationLevel1 -ne $cRequestsAuthorizationLevel1){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName RequestsAuthorizationLevel1 IS SET TO $pRequestsAuthorizationLevel1...SHOULD BE SET TO $cRequestsAuthorizationLevel1" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "RequestsAuthorizationLevel1 PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } if($pRequestsAuthorizationLevel2 -ne $cRequestsAuthorizationLevel2){ $ErrorInAudit = $true if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER PERMISSION) - $safe - $MemberName RequestsAuthorizationLevel2 IS SET TO $pRequestsAuthorizationLevel2...SHOULD BE SET TO $cRequestsAuthorizationLevel2" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } Write-Verbose "RequestsAuthorizationLevel2 PERMISSION FOR $MemberName ON SAFE: $safe IS INCORRECT" } } } $AllCheckKeys = $MemberCheckArr.Keys foreach($CheckKey in $AllCheckKeys){ if($MemberCheckArr.$CheckKey -eq $false){ if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : AUDIT FAIL (SAFE MEMBER) - $safe - MISSING SAFE MEMBER: $CheckKey" | Add-Content $OutputFile $ErrorInAudit = $true $AuditFailCount += 1 } } } } } } } else{ Write-Verbose "FAILED TO QUERY CYBERARK FOR SAFES" Write-Verbose "Returning False" Write-VPASOutput -str "FAILED TO QUERY CYBERARK FOR SAFES" -type E Write-VPASOutput -str "EXITING UTILITY" -type E if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : FAILED TO RUN SAFE AUDIT TEST" | Add-Content $OutputFile } return $false } if($OutputResultsToFile){ $timestamp = Get-Date -Format "(MM-dd-yyyy HH:mm:ss)" write-output "$timestamp : $AuditFailCount FAILED AUDIT TESTS" | Add-Content $OutputFile } if($ErrorInAudit){ Write-Verbose "SOME AUDIT CHECKS FAILED...RETURNING FALSE" Write-VPASOutput -str "AuditSafeTest RAN SUCCESSFULLY, BUT SOME ERRORS WERE DISCOVERED" -type M Write-VPASOutput -str "VIEW AUDIT LOG LOCATED HERE TO VIEW MORE DETAILS: $OutputFile" -type M return $false } else{ Write-Verbose "ALL AUDIT CHECKS PASSED...RETURNING TRUE" Write-VPASOutput -str "ALL AUDIT CHECKS PASSED!!!" -type G return $true } } End{ } } |