[New control] GR13 V3 Break Glass Account Testing Cadence (#258)

* initiate GR13V3 * new module * result update * update * update for MCUP * update * update * update permission * update modules * update
ssc-spc-ccoe-cei · Nov 5, 2024 · a722565 · a722565
1 parent 7806bdd
commit a722565
Show file tree

Hide file tree

Showing 11 changed files with 391 additions and 11 deletions.
diff --git a/psmodules/Check-RiskBasedAccess.zip b/psmodules/Check-RiskBasedAccess.zip
diff --git a/psmodules/Monitor-BreakGlassAccount.zip b/psmodules/Monitor-BreakGlassAccount.zip
diff --git a/setup/IaC/modules/automationaccount.bicep b/setup/IaC/modules/automationaccount.bicep
@@ -375,7 +375,7 @@ resource module12 'modules' = if (newDeployment || updatePSModules) {
     }
   }
 
-    resource module37 'modules' = if (newDeployment || updatePSModules) {
+  resource module37 'modules' = if (newDeployment || updatePSModules) {
     name: 'Check-RiskBasedAccess'
     properties: {
       contentLink: {
@@ -384,6 +384,16 @@ resource module12 'modules' = if (newDeployment || updatePSModules) {
       }
     }
   }
+
+  resource module38 'modules' = if (newDeployment || updatePSModules) {
+    name: 'Monitor-BreakGlassAccount'
+    properties: {
+      contentLink: {
+        uri: '${ModuleBaseURL}/Monitor-BreakGlassAccount.zip'
+        version: '1.0.0'
+      }
+    }
+  }
   resource variable1 'variables' = if (newDeployment || updateCoreResources) {
     name: 'KeyvaultName'
     properties: {

diff --git a/setup/modules.json b/setup/modules.json
@@ -1262,5 +1262,29 @@
         "Value": "AC2"
       }
     ]
+  },
+  {
+    "Control": "Guardrails13",
+    "ModuleName": "Test-BreakGlassAccounts",
+    "Status": "Enabled",
+    "Required": "True",
+    "Profiles": [2, 3, 4, 5, 6],
+    "Script": "Test-BreakGlassAccounts -ControlName $msgTable.CtrName13 -ItemName $msgTable.bgAccountTesting -FirstBreakGlassUPN $vars.FirstBreakGlassUPN -SecondBreakGlassUPN $vars.SecondBreakGlassUPN -MsgTable $msgTable -ReportTime $ReportTime -itsgcode $vars.itsgcode -CloudUsageProfiles $cloudUsageProfilesString -ModuleProfiles $ModuleProfilesString",
+    "secrets": [
+      {
+        "Name": "FirstBreakGlassUPN",
+        "Value": "BGA1"
+      },
+      {
+        "Name": "SecondBreakGlassUPN",
+        "Value": "BGA2"
+      }
+    ],
+    "localVariables": [
+      {
+        "Name": "itsgcode",
+        "Value": "AC2"
+      }
+    ]
   }
 ]
diff --git a/src/GUARDRAIL 13 PLAN FOR CONTINUITY/Audit/Monitor-BreakGlassAccount.psd1 b/src/GUARDRAIL 13 PLAN FOR CONTINUITY/Audit/Monitor-BreakGlassAccount.psd1
@@ -0,0 +1,133 @@
+#
+# Module manifest for module 'Monitor-BreakGlassAccount'
+#
+# Generated by: Cloud Security Compliance Team
+#
+# Contact Information for module : cloudsecuritycompliance-conformiteinfonuagiquesecurise@ssc-spc.gc.ca
+#
+# Generated on: 2024-10-30
+#
+
+@{
+
+# Script module or binary module file associated with this manifest.
+RootModule = 'Monitor-BreakGlassAccount'
+
+# Version number of this module.
+ModuleVersion = '1.0.0'
+
+# Supported PSEditions
+# CompatiblePSEditions = @()
+
+# ID used to uniquely identify this module
+GUID = '06f5dbae-eda6-4335-9a9d-45e9d0c225ac'
+
+# Author of this module
+Author = 'Cloud Security Compliance'
+
+# Company or vendor of this module
+CompanyName = 'Shared Services Canada'
+
+# Copyright statement for this module
+Copyright = ''
+
+# Description of the functionality provided by this module
+# Description = ''
+
+# Minimum version of the PowerShell engine required by this module
+# PowerShellVersion = ''
+
+# Name of the PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+# ClrVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = @()
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = '*'
+
+# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
+AliasesToExport = '*'
+
+# DSC resources to export from this module
+# DscResourcesToExport = @()
+
+# List of all modules packaged with this module
+# ModuleList = @()
+
+# List of all files packaged with this module
+# FileList = @()
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+PrivateData = @{
+
+    PSData = @{
+
+        # Tags applied to this module. These help with module discovery in online galleries.
+        Tags = 'GOC 30 days Guardrails'
+
+        # A URL to the license for this module.
+        # LicenseUri = ''
+
+        # A URL to the main website for this project.
+        # ProjectUri = ''
+
+        # A URL to an icon representing this module.
+        # IconUri = ''
+
+        # ReleaseNotes of this module
+        # ReleaseNotes = ''
+
+        # Prerelease string of this module
+        # Prerelease = ''
+
+        # Flag to indicate whether the module requires explicit user acceptance for install/update/save
+        # RequireLicenseAcceptance = $false
+
+        # External dependent modules of this module
+        # ExternalModuleDependencies = @()
+
+    } # End of PSData hashtable
+
+} # End of PrivateData hashtable
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
diff --git a/src/GUARDRAIL 13 PLAN FOR CONTINUITY/Audit/Monitor-BreakGlassAccount.psm1 b/src/GUARDRAIL 13 PLAN FOR CONTINUITY/Audit/Monitor-BreakGlassAccount.psm1
@@ -0,0 +1,204 @@
+<#
+.SYNOPSIS
+   
+The solution will ensures that Break Glass accounts remain active and secure by monitoring the last login date.
+.DESCRIPTION
+The solution will ensures that Break Glass accounts remain active and secure by monitoring the last login date.
+.PARAMETER Name
+        token : auth token 
+        ControlName :-  GUARDRAIL 13 PLAN FOR CONTINUITY
+        FirstBreakGlassUPN: UPN for the first Break Glass account 
+        SecondBreakGlassUPN: UPN for the second Break Glass account
+        ItemName, 
+        WorkSpaceID : Workspace ID to ingest the logs 
+        WorkSpaceKey: Workspace Key for the Workdspace 
+        LogType: GuardrailsCompliance, it will show in log Analytics search as GuardrailsCompliance_CL
+#>
+function Test-BreakGlassAccounts {
+
+  param (
+    [string] $FirstBreakGlassUPN, 
+    [string] $SecondBreakGlassUPN,
+    [hashtable] $msgTable,
+    [string] $itsgcode,
+    [string] $ControlName, 
+    [string] $ItemName,
+    [Parameter(Mandatory=$true)]
+    [string]
+    $ReportTime,
+    [string] 
+    $CloudUsageProfiles = "3",  # Passed as a string
+    [string] $ModuleProfiles,  # Passed as a string
+    [switch] $EnableMultiCloudProfiles # New feature flag, default to false    
+  )
+
+  [bool] $IsCompliant = $false
+  [PSCustomObject] $ErrorList = New-Object System.Collections.ArrayList
+
+  [String] $FirstBreakGlassUPNUrl = $("/users/" + $FirstBreakGlassUPN + "?$" + "select=userPrincipalName,id,userType")
+  [String] $SecondBreakGlassUPNUrl = $("/users/" + $SecondBreakGlassUPN + "?$" + "select=userPrincipalName,id,userType")
+
+  # Validate two BG accounts exist
+  if($FirstBreakGlassUPN -eq "" -or $SecondBreakGlassUPN -eq ""){
+    $IsCompliant = $false
+    $PsObject = [PSCustomObject]@{
+      ComplianceStatus = $IsCompliant
+      ControlName      = $ControlName
+      ItemName         = $ItemName
+      Comments         = $msgTable.isNotCompliant + " " + $msgTable.bgAccountNotExist
+      ReportTime       = $ReportTime
+      itsgcode = $itsgcode
+    }
+  }
+  elseif(($FirstBreakGlassUPN -ne "" -or $SecondBreakGlassUPN -ne "") -and $FirstBreakGlassUPN -eq $SecondBreakGlassUPN){
+    $IsCompliant = $false
+    $PsObject = [PSCustomObject]@{
+      ComplianceStatus = $IsCompliant
+      ControlName      = $ControlName
+      ItemName         = $ItemName
+      Comments         = $msgTable.isNotCompliant + " " + $msgTable.bgAccountNotExist
+      ReportTime       = $ReportTime
+      itsgcode = $itsgcode
+    }
+  }
+  else{
+    # Validate listed BG accounts as members
+    $FirstBreakGlassAcct = [PSCustomObject]@{
+      UserPrincipalName  = $FirstBreakGlassUPN
+      apiUrl             = $FirstBreakGlassUPNUrl
+      ComplianceStatus   = $false
+    }
+    $SecondBreakGlassAcct = [PSCustomObject]@{
+      UserPrincipalName   = $SecondBreakGlassUPN
+      apiUrl              = $SecondBreakGlassUPNUrl
+      ComplianceStatus    = $false
+    }
+
+    # get 1st break glass account
+    try {
+      $urlPath = $FirstBreakGlassAcct.apiUrl
+      $response = Invoke-GraphQuery -urlPath $urlPath -ErrorAction Stop
+
+      $data = $response.Content
+
+      if ($data.userType -eq "Member") {
+        $FirstBreakGlassAcct.ComplianceStatus = $true
+      } 
+    }
+    catch {
+      $ErrorList.Add("Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_")
+      Write-Warning "Error: Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_"
+    }
+
+    # get 2nd break glass account
+    try {
+      $urlPath = $SecondBreakGlassAcct.apiURL
+      $response = Invoke-GraphQuery -urlPath $urlPath -ErrorAction Stop
+
+      $data = $response.Content
+
+      if ($data.userType -eq "Member") {
+        $SecondBreakGlassAcct.ComplianceStatus = $true
+      } 
+    }
+    catch {
+      $ErrorList.Add("Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_")
+      Write-Warning "Error: Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_"
+    }
+
+    # compliance status
+    $IsCompliant = $FirstBreakGlassAcct.ComplianceStatus -and $SecondBreakGlassAcct.ComplianceStatus
+    Write-Host "step 1 validate listed BG accounts compliance status:  $IsCompliant"
+    # if not compliant
+    if(-not $IsCompliant){
+      $PsObject = [PSCustomObject]@{
+        ComplianceStatus = $IsCompliant
+        ControlName      = $ControlName
+        ItemName         = $ItemName
+        Comments         = $msgTable.isNotCompliant + " " + $msgTable.bgAccountNotExist
+        ReportTime       = $ReportTime
+        itsgcode = $itsgcode
+      }
+    }
+    else{
+      # Validate BG account Sign-in activity
+      $IsSigninCompliant = $false
+      $oneYearAgo = (Get-Date).AddYears(-1)
+
+      $urlPath = "/auditLogs/signIns"
+      try {
+        $response = Invoke-GraphQuery -urlPath $urlPath -ErrorAction Stop
+        Write-Host "step 2 validate BG account Sign-in $($response.Content.Value.Count)"
+
+        # check 1st break glass account signin
+        $firstBGdata = $response.Content.Value | Where-Object {$_.userPrincipalName -eq $FirstBreakGlassUPN}
+        $dataMostRecentSignInFirstBG = $firstBGdata | Sort-Object createdDateTime -Descending | Select-Object -First 1
+
+        $dataSignInFirstBG = $dataMostRecentSignInFirstBG | Select-Object id, userDisplayName, userPrincipalName, createdDateTime, userId
+        $firstBGisWithinLastYear =  $dataSignInFirstBG.createdDateTime -ge $oneYearAgo
+
+        Write-Host "step 2 firstBGisWithinLastYear:  $firstBGisWithinLastYear"
+
+        # check 2nd break glass account signin
+        $secondBGdata = $response.Content.Value | Where-Object {$_.userPrincipalName -eq $SecondBreakGlassUPN}
+        $dataMostRecentSignInSecondBG = $secondBGdata | Sort-Object createdDateTime -Descending | Select-Object -First 1
+
+        $dataSignInSecondBG = $dataMostRecentSignInSecondBG | Select-Object id, userDisplayName, userPrincipalName, createdDateTime, userId
+        $secondBGisWithinLastYear =  $dataSignInSecondBG.createdDateTime -ge $oneYearAgo
+        Write-Host "step 2 secondBGisWithinLastYear:  $secondBGisWithinLastYear"
+      }
+      catch {
+        $ErrorList.Add("Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_")
+        Write-Warning "Error: Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_"
+      }
+
+      $IsSigninCompliant = $firstBGisWithinLastYear -and $secondBGisWithinLastYear
+      if($IsSigninCompliant){
+        $PsObject = [PSCustomObject]@{
+          ComplianceStatus = $IsCompliant
+          ControlName      = $ControlName
+          ItemName         = $ItemName
+          Comments         = $msgTable.isCompliant
+          ReportTime       = $ReportTime
+          itsgcode = $itsgcode
+        }
+      }
+      else{
+        $PsObject = [PSCustomObject]@{
+          ComplianceStatus = $IsSigninCompliant
+          ControlName      = $ControlName
+          ItemName         = $ItemName
+          Comments         = $msgTable.isNotCompliant + " " + $msgTable.bgAccountLoginNotValid
+          ReportTime       = $ReportTime
+          itsgcode = $itsgcode
+        }
+      }
+    }
+  }
+
+  # Conditionally add the Profile field based on the feature flag
+  if ($EnableMultiCloudProfiles) {
+    $evalResult = Get-EvaluationProfile -CloudUsageProfiles $CloudUsageProfiles -ModuleProfiles $ModuleProfiles
+    if (!$evalResult.ShouldEvaluate) {
+        if ($evalResult.Profile -gt 0) {
+            $PsObject.ComplianceStatus = "Not Applicable"
+            $PsObject | Add-Member -MemberType NoteProperty -Name "Profile" -Value $evalResult.Profile
+            $PsObject.Comments = "Not evaluated - Profile $($evalResult.Profile) not present in CloudUsageProfiles"
+        } else {
+            $ErrorList.Add("Error occurred while evaluating profile configuration")
+        }
+    } else {
+
+        $PsObject | Add-Member -MemberType NoteProperty -Name "Profile" -Value $evalResult.Profile
+    }
+  }
+
+  $moduleOutput= [PSCustomObject]@{ 
+    ComplianceResults = $PsObject
+    Errors=$ErrorList
+    AdditionalResults = $AdditionalResults
+  }
+  return $moduleOutput   
+}    
+
+