
Vault enhancements #80

Merged
merged 30 commits into from
Dec 12, 2021

Conversation

AssafMiron
Contributor

Desired Outcome

  • Fixing issues in Firewall checks
  • Fixing issues in NIC testing
  • Fixing miscellaneous issues

Connected Issue/Story

Resolves #[relevant GitHub issue(s), e.g. 76]

Changelog

  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Documentation

  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO - Windows 2019 NIC hardening is different than other OS

ediulia and others added 7 commits October 18, 2021 12:38
The function doesn't mask the passwords, presented after the space/tab characters.
Bug fix will mask the passwords provided with space/tab
I canceled the change to the password masking function as I checked it with other areas and found that it is not helping
I have a different regex in a different repo, in any way it is not relevant for this project as we are not outputting any passwords
Vault enhancement fixes
Trying to fix error 057 by using subcategory GUID
Skipping NIC hardening for 2019
Trying to fix DBParm FW issue
@AssafMiron
Contributor Author

@ediulia I have added more fixes based on your testing - would be great if you can verify them
Thanks!

@ediulia
Contributor

ediulia commented Nov 12, 2021

Hey @AssafMiron

VaultHardeningSteps.psm1
I would recommend replacing the:
ForEach ($rule in $($FWRules | Where-Object { $_.DisplayGroup -match "NON_STD" }))
with:
ForEach ($rule in $($FWRules | Where-Object { ($_.DisplayGroup -match "NON_STD") -or ($_.DisplayGroup -NotMatch "CYBERARK") }))

We need to review the call to the Compare-AmountOfUserPermissions function in line 726; it looks like it was copied from CPM hardening. And maybe add some recommendation reference for the keys' NTFS recommended permissions.

CommonUtil.psm1
Looks like you merged back the Write-LogMessage typos of "Advance Audit"; I fixed all the typos to "Advanced Audit" in previous PRs.

Workaround for Error 0x00000057 is not working. Now all the checks are failing with the error:
[2021-11-12 09:41:18] [INFO] Checking Advance Audit Policy Sub Category for '{0CCE9235-69AE-11D9-BED3-505054503030}'
[2021-11-12 09:41:18] [ERROR] There was a problem verifying Advance Audit Policy Sub Category for '{0CCE9235-69AE-11D9-BED3-505054503030}'
While the original module function is failing on a specific policy check; here is a part of the script output:
Checking Advanced Audit Policy Sub Category for 'Directory Service Access'
Checking Advanced Audit Policy Sub Category for 'Directory Service Changes'
Checking Advanced Audit Policy Sub Category for 'Directory Service Replication'
Checking Advanced Audit Policy Sub Category for 'Central Access Policy Staging'
Error 0x00000057 occurred:

Firewall check still returns wrong output
Use case:
DBParm.ini has one FW rule configured:
AllowNonStandardFWAddresses=[192.168.10.5,192.168.10.7],Yes,3389:outbound/tcp,3389:inbound/tcp

Windows Firewall has 4 manually created inbound rules for RDP TCP/UDP 3389 and WINRM TCP 5985 and 5986

Report shows the following output:
There are 4 Firewall rules that were not created by CyberArk Vault currently configured
Non-Standard Firewall rule ([Any],True,3389:Inbound/TCP) is applied but not configured in DBParm.ini
Non-Standard Firewall rule ([Any],True,3389:Inbound/UDP) is applied but not configured in DBParm.ini
Non-Standard Firewall rule ([Any],True,5985:Inbound/TCP) is applied but not configured in DBParm.ini
Non-Standard Firewall rule ([Any],True,5986:Inbound/TCP) is applied but not configured in DBParm.ini
Non-Standard Firewall rule ([192.168.10.5 192.168.10.7],True,Any:Outbound/ICMPv4) is applied but not configured in DBParm.ini
Non-Standard Firewall rule ([192.168.10.5 192.168.10.7],True,Any:Inbound/ICMPv4) is applied but not configured in DBParm.ini
Non-Standard Firewall rule ([192.168.10.5 192.168.10.7],True,3389:Outbound/TCP) is applied but not configured in DBParm.ini
Non-Standard Firewall rule ([192.168.10.5 192.168.10.7],True,3389:Inbound/TCP) is applied but not configured in DBParm.ini
Non-Standard Firewall rule ([192.168.10.5],,3389:outbound/tcp) is configured in DBParm.ini but does not exist in the Vault Firewall policy
Non-Standard Firewall rule ([192.168.10.5],,3389:inbound/tcp) is configured in DBParm.ini but does not exist in the Vault Firewall policy
Non-Standard Firewall rule ([192.168.10.5],True,Any:inbound/ICMPv4) is configured in DBParm.ini but does not exist in the Vault Firewall policy
Non-Standard Firewall rule ([192.168.10.5],True,Any:outbound/ICMPv4) is configured in DBParm.ini but does not exist in the Vault Firewall policy

Vault Keys permissions now returns
The path '"D:\SERVERAPPS\PrivateArk\Keys\PAKeys\operator"' does not exist

One more thing to check:
I have the following exceptions applied on the Vault hardening

First, in the Windows2019Security.inf file:
"WinRM",2,""
SeRemoteInteractiveLogonRight = *S-1-5-32-544

Second:
I have 2 local Users created and added to the administrators group

Looks like the script doesn't catch those exceptions on the Vault.

AssafMiron and others added 19 commits November 15, 2021 14:48
main script has time stamp
vault has master key folder check
Adding clear validations for the enc keys
Include use case examples
this commit has updated fw rules check function. Function still doesn't parse properly the dbparm.ini nonstandardfwrules addresses array like [10.0.0.1,10.1.1.1] and doesn't parse properly the ports range like 5985-5986
Report should have a timestamp #82
Recovering FW rule changes that were omitted
Fixing ICMP rules to solve open compare issues
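The firewall check discussed above (the DBParm.ini AllowNonStandardFWAddresses use case in the comment, and the address-array and port-range parsing gaps noted in the commit messages), as an added PowerShell example that is not the project's code: it expands both the DBParm.ini entry and the firewall rules to one entry per remote address before comparing, so a rule covering [a,b] matches the per-address entries instead of being reported twice. The firewall rules are a constructed sample standing in for Get-NetFirewallRule output, and the function and property names are assumptions.

```powershell
# Added example, not the project's code: parse a DBParm.ini AllowNonStandardFWAddresses line and compare
# it with firewall rules. The rules below are a constructed stand-in for Get-NetFirewallRule output.
function ConvertFrom-DBParmFWRule {
    param([string]$Line)
    # Format: AllowNonStandardFWAddresses=[addr1,addr2,...],Yes|No,port:direction/protocol[,...]
    if ($Line -notmatch '^\s*AllowNonStandardFWAddresses\s*=\s*\[([^\]]*)\]\s*,\s*([^,]*)\s*,\s*(.+)$') {
        throw "Unrecognised DBParm.ini line: $Line"
    }
    $addresses = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $specs     = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() })   # the Yes/No field is not compared
    foreach ($spec in $specs) {
        # Port may be a single port, a range such as 5985-5986, or Any
        if ($spec -notmatch '^(\d+(?:-\d+)?|Any):(inbound|outbound)/(\w+)$') { throw "Unrecognised rule spec: $spec" }
        foreach ($addr in $addresses) {   # one object per address, matching the expansion done on the firewall side
            [pscustomobject]@{ RemoteAddress = $addr; LocalPort = $Matches[1]
                               Direction = $Matches[2]; Protocol = $Matches[3] }
        }
    }
}
function Get-FWRuleKey {
    param($Rule)
    # Canonical, case-insensitive key: address, port (or range), direction and protocol
    '[{0}],{1}:{2}/{3}' -f $Rule.RemoteAddress, $Rule.LocalPort, $Rule.Direction.ToLower(), $Rule.Protocol.ToUpper()
}
function Compare-NonStandardFWRules {
    param($DBParmRules, $FirewallRules)
    # Expand each firewall rule to one object per remote address, so an [a,b] rule matches per-address entries
    $fwExpanded = foreach ($r in $FirewallRules) {
        foreach ($addr in @($r.RemoteAddress)) {
            [pscustomobject]@{ RemoteAddress = $addr; LocalPort = $r.LocalPort; Direction = $r.Direction; Protocol = $r.Protocol }
        }
    }
    $fwKeys = @($fwExpanded  | ForEach-Object { Get-FWRuleKey $_ })
    $dbKeys = @($DBParmRules | ForEach-Object { Get-FWRuleKey $_ })
    foreach ($k in ($fwKeys | Where-Object { $dbKeys -notcontains $_ })) {
        "Non-Standard Firewall rule ($k) is applied but not configured in DBParm.ini"
    }
    foreach ($k in ($dbKeys | Where-Object { $fwKeys -notcontains $_ })) {
        "Non-Standard Firewall rule ($k) is configured in DBParm.ini but does not exist in the Vault Firewall policy"
    }
}
# Constructed sample: RDP in/out for two hosts plus a WinRM port-range rule from anywhere
$fwRules = @(
    [pscustomobject]@{ RemoteAddress = @('192.168.10.5','192.168.10.7'); LocalPort = '3389'; Direction = 'Inbound';  Protocol = 'TCP' }
    [pscustomobject]@{ RemoteAddress = @('192.168.10.5','192.168.10.7'); LocalPort = '3389'; Direction = 'Outbound'; Protocol = 'TCP' }
    [pscustomobject]@{ RemoteAddress = @('Any'); LocalPort = '5985-5986'; Direction = 'Inbound'; Protocol = 'TCP' }
)
$dbRules = ConvertFrom-DBParmFWRule 'AllowNonStandardFWAddresses=[192.168.10.5,192.168.10.7],Yes,3389:outbound/tcp,3389:inbound/tcp'
Compare-NonStandardFWRules -DBParmRules $dbRules -FirewallRules $fwRules
```

With the constructed sample, the four RDP entries match on both sides and only the WinRM rule ([Any],5985-5986:inbound/TCP) is reported as applied but not configured in DBParm.ini.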
@AssafMiron
Contributor Author

@ediulia merged back all fixes, including the one you solved about Error 57
Please take the changes from this branch and test if you can - Thanks!

@AssafMiron AssafMiron merged commit 2c2d721 into main Dec 12, 2021
Successfully merging this pull request may close these issues.

Unable to complete the 'Advanced Audit Policy Configuration' step when running the script on the Vault server
2 participants