Heroku Final #49

Merged
merged 1 commit into from
Jan 26, 2024
183 changes: 183 additions & 0 deletions Scripts/SecretServer/Heroku/Discovery/Heroku Discovery.ps1
@@ -0,0 +1,183 @@
#Args used for development (Remove before pushing to production):



Import-Module -Name "$env:ProgramFiles\Thycotic Software Ltd\Distributed Engine\Delinea.PoSH.Helpers\Utils.psm1"

#region define variables
#Define Argument Variables

[string]$DiscoveryMode = $args[0]
[string]$apiKey = $args[1]
[string]$teamName = $args[2]
[string]$adminRoles = $args[3]
[string]$svcacctNamePrefixes = $args[4]


#Script Constants
[string]$baseURL = "https://api.heroku.com"
[string]$LogFile = "$env:ProgramFiles\Thycotic Software Ltd\Distributed Engine\log\Heroku-Discovery.log"

[int32]$LogLevel = 3
[string]$logApplicationHeader = "Heroku Discovery"

#create Arrays
$adminRolesArray = $adminRoles.split(",")
$svcacctNamePrefixeArray = $svcacctNamePrefixes.Split(",")
#endregion



#region Discovery Filtering Functions

function isSvcAcct{
param(
[string]$userName
)
try
{

foreach ($svcAcctPrefix in $svcacctNamePrefixeArray)
{
$svcAcctPrefix =$svcAcctPrefix.Trim()
if($userName.IndexOf($svcAcctPrefix) -eq 0)
{
$isSvcAcct = $true

break
}
else{$isSvcAcct = $false}
}
}
catch
{
$Err = $_
Write-Log -ErrorLevel 0 -Message "Check if Service Acct Failed" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile
Write-Log -ErrorLevel 2 -Message $Err.Exception -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile
throw $Err.Exception
}

return $isSvcAcct
}

function isAdminAcct{
param(
$userRole
)
try
{

foreach ($role in $adminRolesArray)
{
$role = $role.Trim()
if($role-like $userRole)
{
$isAdminAcct = $true

break
}
else{$isAdminAcct = $false}
}
}
catch
{
$Err = $_
Write-Log -ErrorLevel 0 -Message "Check if Service Acct Failed" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile
Write-Log -ErrorLevel 2 -Message $Err.Exception -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile
throw $Err.Exception
}

return $isAdminAcct
}

#endregion




#region get admin users
# Fetching users associated with this role(s)

#endregion Get Admin Users

#region Main Process

#creatte Headers
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", 'application/json')
$headers.Add("Authorization", "Bearer $apikey")
$headers.Add("Accept", "application/vnd.heroku+json; version=3")

# Get all users
$url = "$baseURL/teams/$TeamNAme/members"
$userlist = Invoke-RestMethod -uri $url -Headers $headers




#endregion

#define Output Array
$foundAccounts = @()

Try {
#Process Users
Write-Log -Errorlevel 0 -Message "Discovering Users" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile
if($DiscoveryMode -eq "Default")
{
foreach ($user in $userlist)
{
$username = $allusers | Where-Object gid -eq $user.user.gid
$object = New-Object -TypeName PSObject
$object | Add-Member -MemberType NoteProperty -Name tenanturl -Value $user.team.name
$object | Add-Member -MemberType NoteProperty -Name username -Value $username.email

$foundAccounts += $object

}
}
else{
foreach ($user in $userlist)
{
$userName = $user.email
### check if is admin and svc account
$isAdmin = isAdminAcct -userRole $user.role

$isServiceAccount = isSvcAcct -userName $userName

if ($user.federated)
{
$isLocal = $false
}
else
{
$isLocal = $true
}



$object = New-Object -TypeName PSObject
$object | Add-Member -MemberType NoteProperty -Name tenant-url -Value $teamName
$object | Add-Member -MemberType NoteProperty -Name username -Value $username
$object | Add-Member -MemberType NoteProperty -Name Admin-Account -Value $isadmin
$object | Add-Member -MemberType NoteProperty -Name Service-Account -Value $isServiceAccount
$object | Add-Member -MemberType NoteProperty -Name Local-Account -Value $isLocal

$foundAccounts += $object


}

if($svcAcctNames){Write-Log -Errorlevel 0 -Message "List of Service Accounts defined by Service Account Naming Convention pattern(s) parameter: $($svcAcctNames)" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile}
}

}
catch {
$Err = $_
Write-Log -ErrorLevel 0 -Message "Account Discovery-Filtering failed" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile
Write-Log -ErrorLevel 2 -Message $Err.Exception -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile
throw $Err.Exception
}
#endregion Main Process
Write-Log -ErrorLevel 0 -Message "Successfully Found $($foundAccounts.Count) Matching Accounts" -logApplicationHeader $logApplicationHeader -LogLevel $LogLevel -LogFile $LogFile
return $foundAccounts
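Review bot: In the `Default` branch, `$username = $allusers | Where-Object gid -eq $user.user.gid` reads `$allusers`, which is never assigned anywhere in the script, so `$username.email` is always `$null` and every account discovered in Default mode is emitted without a username; the other branch takes the address straight from `$user.email`, so this branch should do the same (`$username = $user.email`) and the `$user.user.gid` lookup can go. The two branches also disagree on the property name (`tenanturl` here, `tenant-url` in the other branch); the readme's account scan template is built around `tenant-url`, so Default-mode output will not map onto it. The positional contract (`$args[0]` DiscoveryMode, `$args[1]` apiKey, `$args[2]` teamName, `$args[3]` adminRoles, `$args[4]` svcacctNamePrefixes) deserves a comment block at the top, because the readme's Script Arguments string passes four tokens in a different order. In `isSvcAcct`, an empty or trailing-comma `svcacctNamePrefixes` value produces an empty prefix, and `$userName.IndexOf("") -eq 0` is true for every name, so every account gets flagged as a service account; skip blank prefixes (`if ([string]::IsNullOrWhiteSpace($svcAcctPrefix)) { continue }`) and `StartsWith` reads more clearly than the `IndexOf` test. `isAdminAcct` logs "Check if Service Acct Failed" on error, a copy-paste from `isSvcAcct`. `Invoke-RestMethod -uri $url` returns only the first page of team members; the Heroku Platform API paginates list responses through the `Range`/`Next-Range` headers, so a team larger than one page would be only partially discovered without a follow-up loop. `$svcAcctNames` in the final log line is never set, so that message can never fire. The "#Args used for development (Remove before pushing to production)" header and the blank lines under it should be dropped now that the development arguments are gone.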
190 changes: 190 additions & 0 deletions Scripts/SecretServer/Heroku/Discovery/readme.md
@@ -0,0 +1,190 @@
# Heroku Local Account Discovery

## Create Discovery Source

This scanner can help perform a Scan for user accounts within Heroku. Account types will be distinguished by roles, and/or Username prefixes sites designated by Heroku.

### Create SaaS Scan Template
If this Script has already been created in another Delinea Integration package please skip
to the [Create Account Scan Template](#create-account-scan-template )

- Log in to Secret Server Tenant
- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates**
- Click **Create Scan Template**
- Fill out the required fields with the information
- **Nmae:** (Example: SaaS Tenant)
- **Active:** (Checked)
- **Scan Type:** Host
- **Parent Scan Template:** Host Range
- **Fields**
- Change HostRange to **tenant-url**
- Click Save
- This completes the creation of the Saas Scan Template Creation


### Create Account Scan Template

- Log in to Secret Server Tenant
- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates**
- Click **Create Scan Template**
- Fill out the required fields with the information
- **Nmae:** (Example: Heroku Account)
- **Active:** (Checked)
- **Scan Type:** Account
- **Parent Scan Template:** Account(Basic)
- **Fields**
- Change Resource to **tenant-url**
- Add field: Admin-Account (Leave Parent and Include in Match Blank)
- Add field: Service-Account (Leave Parent and Include in Match Blank)
- Add field: Local-Account (Leave Parent and Include in Match Blank)
- Click Save
- This completes the creation of the Account Scan Template Creation

### Create Discovery Script

- Log in to Secret Server Tenant
- Navigate to **ADMIN** > **Scripts**
- Click on **Create Script**
- Fill out the required fields with the information from the application registration
- Name: (example Heroku Local Account Scanner)
- Description: (Enter something meaningful to your Organization)
- Active: (Checked)
- Script Type: Powershell
- Category: Discovery Scanner
- Merge Fields: Leave Blank
- Script: Copy and paste the Script included in the file [Heroku Discovery.ps1](./Heroku%20Discovery.ps1)
- Click Save
- This completes the creation of the Local Account Discovery Script

### Create Saas Tenant Scanner

If this Script has already been created in another Delinea Integration package please skip
to the [Create Account Scanner Section](#create-Heroku-account-scanner)

- Log in to Secret Server Tenant
- Navigate to **ADMIN** > **Discovery** > **Configuration** >
- Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners**
- Click **Create Scanner**
- Fill out the required fields with the information
- **Name:** > SaaS Tenant Scanner
- **Description:** (Example - Base scanner used to discover SaaS applications)
- **Discovery Type:** Host
- **Base Scanner:** Host
- **Input Template**: Manual Input Discovery
- **Output Template:**: Saas Tenant (Use Template that Was Created in the [SaaS Scan Template Section](#create-saas-scan-template))
- Click Save
- This completes the creation of the Saas Tenant Scanner

### Create Heroku Account Scanner

- Log in to Secret Server Tenant
- Navigate to **ADMIN** > **Discovery** > **Configuration** >
- Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners**
- Click **Create Scanner**
- Fill out the required fields with the information
- **Name:** (Example - Heroku Local Account Scanner)
- **Description:** (Example - Discovers Heroku local accounts according to configured Discovery Account template )
- **Discovery Type:** Account
- **Base Scanner:** PowerShell Discovery Create Discovery Script
- **Input Template**: SaaS Tenant (Use Template that Was Created in the [SaaS Scan Template Section](#create-saas-scan-template))
- **Output Template:**: Heroku Account (Use Template that Was Created in the [Create Account Scan Template Section](#create-account-scan-template))
- **Script:** Heroku Local Account Scanner (Use Script Created in the [Create Discovery Script Section](#create-discovery-script))
- **Script Arguments:**
```Advanced $[1]$PAToken $[1]$service-account-name $[1]$DomainName```
- Click Save
- This completes the creation of the Heroku Account Scanner

### Create Discovery Source

- Navigate to **Admin | Discovery**
- Click **Create** drop-down
- Click **Empty Discovery Source**
-Enter the Values below
- **Name:** (example: Heroku Tenant)
- **Site** (Select Site Where Discovery will run)
- **Source Type** Empty
- Click Save
- Click Cancel on the Add Flow Screen
- Click **Add Scanner**
- Find the Saas Tenant Scanner or the Scanner Created in the [Create Saas Tenant Scanner Section](#create-saas-tenant-scanner) and Click **Add Scanner**
- Select the Scanner just Ceated and Click **Edit Scanner**
- In the **lines Parse Format** Section Enter the Source Name (example: Heroku Tenant)
- Click **Save**

- Click **Add Scanner**
- Find the Heroku Local Account Scanner or the Scanner Creatted in the [Create Heroku Account Scanner Section](#create-Heroku-account-scanner) and Click **Add Scanner**
- Select the Scanner just Created and Click **Edit Scanner**
- Click **Edit Scanner**
- Click the **Add Secret** Link
- Search for the Discovery Account Secret created in the [Instructions.md file](../Instructions.md)
- Check the Use Site Run As Secret Check box to enable it
**Note Default Site run as Secret had to be setup in the Site configuration.
See the [Setting the Default PowerShell Credential for a Site](https://docs.delinea.com/online-help/secret-server/authentication/secret-based-credentials-for-scripts/index.htm?Highlight=site) Section in the Delinea Documentation
- Click Save
- Click on the Discovery Source tab and Click the Active check box
- This completes the creation of the Discovery Source


### Next Steps

The Heroku configuration is now complete. The next step is to run a manual discovery scan.
- Navigate to **Admin | Discovery**
- Click the **Run Discovery Now** (Dropdown) and select **Run Discovery Scan**
- Click on the **Network view** Button in the upper right corner
- Click on the newly created discocvery source
- Click the **Domain \ Cloud Accounts** tab to view the discovered accounts

## Optional Report



In this section, There are instructions on creating an optional report to display user information found in the discovery.



- Login to Secret Server Tenant (If you have not already done so)

- Navigate to the Reports module
- click on the New Report Button
- Fill in the following values:
- Name: The name of the Discovery Source you just Created in the [Create Discovery Source ](#create-discovery-source) Section
- Description: (Enter something meaningful to your organization)
- Category: Select the Section where you would like the report to appear (ex. Discovery Scan)
- Report SQL: Copy and Paste the SQL Query below
***Note** " You must replace the WHERE d.DiscoverySourceId = 32 value with the Discovery Source ID of the Discovery source you are reporting on. You can find this by opening up the Discovery source and finding the ID in the URL


``` SQL

SELECT

d.[ComputerAccountId]

,d.[CreatedDate]

,d.[AccountName] AS [Username]

,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Tenant-url' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Domain]

,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Admin-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Admin]

,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Service-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Service Acount]

,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Local-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Service Acount]

FROM tbComputerAccount AS d

CROSS APPLY OPENJSON (d.AdditionalData) AS adata

INNER JOIN tbScanItemTemplate AS s ON s.ScanItemTemplateId = d.ScanItemTemplateId

WHERE d.DiscoverySourceId = 32

GROUP BY d.ComputerAccountId, d.AccountName, d.CreatedDate



```
- Click Save

You will now find this report under the section you chose in the Category field.
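Review bot: The Script Arguments value under Create Heroku Account Scanner, `Advanced $[1]$PAToken $[1]$service-account-name $[1]$DomainName`, does not line up with the positional arguments the script reads (`$args[0]` DiscoveryMode, `$args[1]` apiKey, `$args[2]` teamName, `$args[3]` adminRoles, `$args[4]` svcacctNamePrefixes): as written, the team name would receive the service-account-name field, the admin-role list would receive the domain, and the service-account prefix list would be empty. List each argument with the secret field it comes from, in the order the script expects. In the report SQL, the last two columns both carry the alias `[Is Service Acount]`; the `Local-Account` column should be `[Is Local Account]`, and `Acount` is misspelled in both. The `CASE` on `'Tenant-url'` compares against a property the script writes as `tenant-url`; that works only under a case-insensitive database collation, so match the script's spelling. The `INNER JOIN tbScanItemTemplate AS s` contributes no selected columns and no filter, so either drop it or use it to restrict the rows to the Heroku account template. Minor: "Nmae" appears in both scan-template steps, the intro sentence "Username prefixes sites designated by Heroku" reads garbled, "Ceated", "Creatted" and "discocvery" are typos, and the note on the Site Run As Secret should read "has to be set up".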