From 4f4b3cfc8b20f49b76fc2ce32113e048c0b1ecca Mon Sep 17 00:00:00 2001 From: Jonathan Colon Date: Tue, 30 Jan 2024 14:02:16 -0400 Subject: [PATCH 1/2] v0.8.5 improvements --- CHANGELOG.md | 13 ++- Src/Private/Get-AbrVbrBackupProxy.ps1 | 4 +- Src/Private/Get-AbrVbrHistorySetting.ps1 | 57 +++++++++++++ Src/Private/Get-AbrVbrUserRoleAssignment.ps1 | 80 ++++++++++++++++++- Src/Private/SharedUtilsFunctions.ps1 | 2 +- Src/Public/Invoke-AsBuiltReport.Veeam.VBR.ps1 | 1 + 6 files changed, 151 insertions(+), 6 deletions(-) create mode 100644 Src/Private/Get-AbrVbrHistorySetting.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 93eb757..f0d0ca0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,14 +2,23 @@ ## [0.8.5] - 2024-01-25 +### Added + +- Added Option => History section +- Improved Role & Users section + - Added Global MFA settings + - Added Auto logoff on inactivity setting + - Added Four-eye Authorization setting + - Added HealthCheck conditions + ### Changed - Removed Graphviz install check code. ### Fixed -- Improved error handling on Diagram section. -- Fixed issue with Veeam.Diagrammer module. +- Improved error handling on the Diagram section. +- Fixed issue with the Veeam.Diagrammer module. ## [0.8.4] - 2024-01-16 diff --git a/Src/Private/Get-AbrVbrBackupProxy.ps1 b/Src/Private/Get-AbrVbrBackupProxy.ps1 index 220fcc6..67c601d 100644 --- a/Src/Private/Get-AbrVbrBackupProxy.ps1 +++ b/Src/Private/Get-AbrVbrBackupProxy.ps1 @@ -449,7 +449,7 @@ function Get-AbrVbrBackupProxy { } if ($Graph) { Section -Style Heading3 "VMware Backup Proxy Diagram." { - Image -Base64 $Graph -Text "VMware Backup Proxy Diagram" -Percent 20 -Align Center + Image -Base64 $Graph -Text "VMware Backup Proxy Diagram" -Percent (Get-ImagePercent -Graph $Graph) -Align Center Paragraph "Image preview: Opens the image in a new tab to view it at full resolution." -Tabs 2 } BlankLine 
@@ -891,7 +891,7 @@ function Get-AbrVbrBackupProxy {
 }
 if ($Graph) {
 Section -Style Heading3 "HyperV Backup Proxy Diagram." {
- Image -Base64 $Graph -Text "HyperV Backup Proxy Diagram" -Percent 20 -Align Center
+ Image -Base64 $Graph -Text "HyperV Backup Proxy Diagram" -Percent (Get-ImagePercent -Graph $Graph) -Align Center
 Paragraph "Image preview: Opens the image in a new tab to view it at full resolution." -Tabs 2
 }
 BlankLine
diff --git a/Src/Private/Get-AbrVbrHistorySetting.ps1 b/Src/Private/Get-AbrVbrHistorySetting.ps1
new file mode 100644
index 0000000..f484d44
--- /dev/null
+++ b/Src/Private/Get-AbrVbrHistorySetting.ps1
@@ -0,0 +1,57 @@
+
+function Get-AbrVbrHistorySetting {
+ <#
+ .SYNOPSIS
+ Used by As Built Report to returns Email Notification settings configured on Veeam Backup & Replication..
+ .DESCRIPTION
+ Documents the configuration of Veeam VBR in Word/HTML/Text formats using PScribo.
+ .NOTES
+ Version: 0.8.5
+ Author: Jonathan Colon
+ Twitter: @jcolonfzenpr
+ Github: rebelinux
+ Credits: Iain Brighton (@iainbrighton) - PScribo module
+
+ .LINK
+ https://github.com/AsBuiltReport/AsBuiltReport.Veeam.VBR
+ #>
+ [CmdletBinding()]
+ param (
+
+ )
+
+ begin {
+ Write-PscriboMessage "Discovering Veeam VBR History settings information from $System."
+ }
+
+ process {
+ try {
+ $HistorySettings = Get-VBRHistoryOptions
+ if ($HistorySettings) {
+ Section -Style Heading4 'History Retention' {
+ $OutObj = @()
+ $inObj = [ordered] @{
+ 'Keep All Sessions' = ConvertTo-TextYN $HistorySettings.KeepAllSessions
+ 'Retention Limit' = "$($HistorySettings.RetentionLimitWeeks) weeks"
+ }
+ $OutObj = [pscustomobject]$inobj
+
+ $TableParams = @{
+ Name = "History Settings - $VeeamBackupServer"
+ List = $true
+ ColumnWidths = 40, 60
+ }
+ if ($Report.ShowTableCaptions) {
+ $TableParams['Caption'] = "- $($TableParams.Name)"
+ }
+ $OutObj | Table @TableParams
+ }
+ }
+ }
+ catch {
+ Write-PscriboMessage -IsWarning "History Setting Section: $($_.Exception.Message)"
+ }
+ }
+ end {}
+
+}
\ No newline at end of file
diff --git a/Src/Private/Get-AbrVbrUserRoleAssignment.ps1 b/Src/Private/Get-AbrVbrUserRoleAssignment.ps1
index 804ef65..f0d496f 100644
--- a/Src/Private/Get-AbrVbrUserRoleAssignment.ps1
+++ b/Src/Private/Get-AbrVbrUserRoleAssignment.ps1
@@ -6,7 +6,7 @@ function Get-AbrVbrUserRoleAssignment {
 .DESCRIPTION
 Documents the configuration of Veeam VBR in Word/HTML/Text formats using PScribo.
 .NOTES
- Version: 0.7.1
+ Version: 0.8.5
 Author: Jonathan Colon
 Twitter: @jcolonfzenpr
 Github: rebelinux
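Review bot: In the new Get-AbrVbrHistorySetting.ps1, the 'Retention Limit' row is always rendered as `"$($HistorySettings.RetentionLimitWeeks) weeks"`, even when 'Keep All Sessions' is Yes, so someone auditing how long session history is kept sees a limit that presumably is not in effect. I would show the limit only when KeepAllSessions is false, e.g. `'Retention Limit' = if ($HistorySettings.KeepAllSessions) { '--' } else { "$($HistorySettings.RetentionLimitWeeks) weeks" }`. The .SYNOPSIS is also carried over from the notification function and should read `Used by As Built Report to return the History settings configured on Veeam Backup & Replication.`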
@@ -55,6 +55,84 @@ function Get-AbrVbrUserRoleAssignment { $TableParams['Caption'] = "- $($TableParams.Name)" } $OutObj | Sort-Object -Property 'Name' | Table @TableParams + try { + Section -ExcludeFromTOC -Style NOTOCHeading4 'Roles and Users Settings' { + BlankLine + $OutObj = @() + try { + try {$MFAGlobalSetting = [Veeam.Backup.Core.SBackupOptions]::get_GlobalMFA()} catch {Out-Null} + try {$AutoTerminateSession = [Veeam.Backup.Core.SBackupOptions]::get_AutomaticallyTerminateSession()} catch {Out-Null} + try {$AutoTerminateSessionMin = [Veeam.Backup.Core.SBackupOptions]::get_AutomaticallyTerminateSessionTimeoutMinutes()} catch {Out-Null} + try {$UserActionNotification = [Veeam.Backup.Core.SBackupOptions]::get_UserActionNotification()} catch {Out-Null} + try {$UserActionRetention = [Veeam.Backup.Core.SBackupOptions]::get_UserActionRetention()} catch {Out-Null} + foreach ($RoleAssignment in $RoleAssignments) { + Write-PscriboMessage "Discovered Roles and Users Settings." + $inObj = [ordered] @{ + 'Is MFA globally enabled?' = ConvertTo-TextYN $MFAGlobalSetting + 'Is auto logoff on inactivity enabled?' = ConvertTo-TextYN $AutoTerminateSession + 'Auto logoff on inactivity after' = "$($AutoTerminateSessionMin) minutes" + 'Is Four-eye Authorization enabled?' = ConvertTo-TextYN $UserActionNotification + 'Auto reject pending approvals after' = "$($UserActionRetention) days" + } + $OutObj = [pscustomobject]$inobj + } + } + catch { + Write-PscriboMessage -IsWarning "Roles and Users Settings Table: $($_.Exception.Message)" + } + + if ($HealthCheck.Infrastructure.Settings) { + $OutObj | Where-Object { $_.'Is MFA globally enabled?' -like 'No'} | Set-Style -Style Warning -Property 'Is MFA globally enabled?' + foreach ( $OBJ in ($OutObj | Where-Object { $_.'Is MFA globally enabled?' -eq 'No' })) { + $OBJ.'Is MFA globally enabled?' = "* " + $OBJ.'Is MFA globally enabled?' + } + $OutObj | Where-Object { $_.'Is auto logoff on inactivity enabled?' 
-like 'No'} | Set-Style -Style Warning -Property 'Is auto logoff on inactivity enabled?' + foreach ( $OBJ in ($OutObj | Where-Object { $_.'Is auto logoff on inactivity enabled?' -eq 'No' })) { + $OBJ.'Is auto logoff on inactivity enabled?' = "** " + $OBJ.'Is auto logoff on inactivity enabled?' + } + $OutObj | Where-Object { $_.'Is Four-eye Authorization enabled?' -like 'No'} | Set-Style -Style Warning -Property 'Is Four-eye Authorization enabled?' + foreach ( $OBJ in ($OutObj | Where-Object { $_.'Is Four-eye Authorization enabled?' -eq 'No' })) { + $OBJ.'Is Four-eye Authorization enabled?' = "*** " + $OBJ.'Is Four-eye Authorization enabled?' + } + } + + $TableParams = @{ + Name = "Roles and Users Settings - $VeeamBackupServer" + List = $True + ColumnWidths = 40, 60 + } + if ($Report.ShowTableCaptions) { + $TableParams['Caption'] = "- $($TableParams.Name)" + } + $OutObj | Table @TableParams + if ($HealthCheck.Infrastructure.BestPractice -and ($OutObj | Where-Object { $_.'Is MFA globally enabled?' -eq '* No' -or $_.'Is auto logoff on inactivity enabled?' -eq '** No' -or $_.'Is Four-eye Authorization enabled?' -eq '*** No'})) { + Paragraph "Health Check:" -Bold -Underline + BlankLine + Paragraph "Security Best Practice:" -Bold + BlankLine + if ($OutObj | Where-Object { $_.'Is MFA globally enabled?' -eq '* No' }) { + Paragraph { + Text "* To ensure comprehensive security, it's crucial to implement MFA across all user accounts. By using a combination of different authentication factors like passwords, biometrics, and one-time passcodes, you create layers of security that make it harder for attackers to gain unauthorized access." + } + BlankLine + } + if ($OutObj | Where-Object { $_.'Is auto logoff on inactivity enabled?' -eq '** No' }) { + Paragraph { + Text "** Limiting the length of inactive sessions can help protect sensitive information and prevent unauthorized account access." 
+ } + BlankLine + } + if ($OutObj | Where-Object { $_.'Is Four-eye Authorization enabled?' -eq '*** No' }) { + Paragraph { + Text "*** Veeam recommends configuring Four-eye Authorization to be able to protect against accidental deletion of backup and repositories by requiring an approval from another Backup Administrator." + } + } + } + } + } + catch { + Write-PscriboMessage -IsWarning "Roles and Users Settings Section: $($_.Exception.Message)" + } } } catch { diff --git a/Src/Private/SharedUtilsFunctions.ps1 b/Src/Private/SharedUtilsFunctions.ps1 index ba2885e..e6627e6 100644 --- a/Src/Private/SharedUtilsFunctions.ps1 +++ b/Src/Private/SharedUtilsFunctions.ps1 @@ -259,7 +259,7 @@ function Get-ImagePercent { If ($Image_FromStream.Width -gt 1500) { return 10 } else { - return 20 + return 30 } } # end diff --git a/Src/Public/Invoke-AsBuiltReport.Veeam.VBR.ps1 b/Src/Public/Invoke-AsBuiltReport.Veeam.VBR.ps1 index e35f5e8..6957fe3 100644 --- a/Src/Public/Invoke-AsBuiltReport.Veeam.VBR.ps1 +++ b/Src/Public/Invoke-AsBuiltReport.Veeam.VBR.ps1 @@ -87,6 +87,7 @@ function Invoke-AsBuiltReport.Veeam.VBR { Get-AbrVbrEventForwarding } Get-AbrVbrGlobalNotificationSetting + Get-AbrVbrHistorySetting Get-AbrVbrIOControlSetting Get-AbrVbrBackupServerCertificate Get-AbrVbrNetworkTrafficRule From d2bd6a9aa358e63bc3e17e217df178d3e57bfff2 Mon Sep 17 00:00:00 2001 From: Jonathan Colon Date: Tue, 30 Jan 2024 14:56:16 -0400 Subject: [PATCH 2/2] Improved section healthcheck --- Src/Private/Get-AbrVbrUserRoleAssignment.ps1 | 24 ++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/Src/Private/Get-AbrVbrUserRoleAssignment.ps1 b/Src/Private/Get-AbrVbrUserRoleAssignment.ps1 index f0d496f..d62de03 100644 --- a/Src/Private/Get-AbrVbrUserRoleAssignment.ps1 +++ b/Src/Private/Get-AbrVbrUserRoleAssignment.ps1 
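Review bot: In the 'Roles and Users Settings' block added to Get-AbrVbrUserRoleAssignment.ps1, every `[Veeam.Backup.Core.SBackupOptions]::get_*()` read is wrapped in `catch {Out-Null}`, so a failed read leaves the variable unset and the health check, which only flags the literal value 'No', stays silent; the report can then look clean without the MFA, auto-logoff or four-eye state ever having been read. Log the failure instead, e.g. `try { $MFAGlobalSetting = [Veeam.Backup.Core.SBackupOptions]::get_GlobalMFA() } catch { Write-PscriboMessage -IsWarning "Global MFA setting: $($_.Exception.Message)" }`, and treat an unread value as a warning rather than as compliant. The `foreach ($RoleAssignment in $RoleAssignments)` loop never uses its variable and rebuilds the same object on every pass, so the table is empty when there are no role assignments; these settings are global and can be built once outside the loop. The footnote paragraphs match on '* No', a value that only exists when `$HealthCheck.Infrastructure.Settings` is on, so enabling BestPractice alone prints no recommendation.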
@@ -46,6 +46,10 @@ function Get-AbrVbrUserRoleAssignment { Write-PscriboMessage -IsWarning "Roles and Users Table: $($_.Exception.Message)" } + if ($HealthCheck.Infrastructure.Settings) { + $OutObj | Where-Object { $_.'Name' -eq 'BUILTIN\Administrators'} | Set-Style -Style Warning -Property 'Name' + } + $TableParams = @{ Name = "Roles and Users - $VeeamBackupServer" List = $false @@ -55,6 +59,26 @@ function Get-AbrVbrUserRoleAssignment { $TableParams['Caption'] = "- $($TableParams.Name)" } $OutObj | Sort-Object -Property 'Name' | Table @TableParams + if ($HealthCheck.Infrastructure.BestPractice -and ($OutObj | Where-Object {$_.'Name' -eq 'BUILTIN\Administrators'})) { + Paragraph "Health Check:" -Bold -Underline + BlankLine + Paragraph "Security Best Practice:" -Bold + BlankLine + if ($OutObj | Where-Object { $_.'Name' -eq 'BUILTIN\Administrators' }) { + Paragraph { + Text "Veeam recommends to give every Veeam admin his own admin account or add their admin account to the appropriate security group within Veeam and to remove the default 'Veeam Backup Administrator' role from local Administrators group, for traceability and easy adding and removal" + } + BlankLine + Paragraph { + Text -Bold "Reference:" + } + BlankLine + Paragraph { + Text "https://bp.veeam.com/security/Design-and-implementation/Roles_And_Users.html#roles-and-users" + } + BlankLine + } + } try { Section -ExcludeFromTOC -Style NOTOCHeading4 'Roles and Users Settings' { BlankLine
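Review bot: Both hunks of this patch detect the local Administrators group by comparing 'Name' with the literal `'BUILTIN\Administrators'`, which only matches hosts that report the English group name; on a localized Windows install the well-known group (SID S-1-5-32-544) has a different display name and the warning would be skipped. If the role objects expose a SID, compare on that; otherwise add a comment at the check, `# Matches the English name only; localized hosts report another name for S-1-5-32-544`. The check also ignores which role the group holds, although the recommendation text is about the Backup Administrator role; presumably $OutObj carries a role column, but it is built outside the hunk. The inner `if ($OutObj | Where-Object { $_.'Name' -eq 'BUILTIN\Administrators' })` repeats the outer condition and can be dropped.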