Src/Private/Get-AbrVbrSecurityCompliance.ps1


function Get-AbrVbrSecurityCompliance {
    <#
    .SYNOPSIS
    Used by As Built Report to retrieve Veeam VBR Security & Compliance Summary.
    .DESCRIPTION
        Documents the configuration of Veeam VBR in Word/HTML/Text formats using PScribo.
    .NOTES
        Version: 0.8.13
        Author: Jonathan Colon
        Twitter: @jcolonfzenpr
        Github: rebelinux
        Credits: Iain Brighton (@iainbrighton) - PScribo module
 
    .LINK
        https://github.com/AsBuiltReport/AsBuiltReport.Veeam.VBR
    #>

    [CmdletBinding()]
    param (

    )

    begin {
        Write-PScriboMessage "Discovering Veeam VBR Security & Compliance Summary from $System."
    }

    process {
        try {
            try {
                try {
                    # Force new scan
                    Start-VBRSecurityComplianceAnalyzer -ErrorAction SilentlyContinue -WarningAction SilentlyContinue -InformationAction SilentlyContinue
                    Start-Sleep -Seconds 15
                    # Capture scanner results
                    $SecurityCompliances = [Veeam.Backup.DBManager.CDBManager]::Instance.BestPractices.GetAll()
                } Catch {
                    Write-PScriboMessage -IsWarning "Security & Compliance summary command: $($_.Exception.Message)"
                }
                $RuleTypes = @{
                    'WindowsScriptHostDisabled' = 'Windows Script Host is disabled'
                    'BackupServicesUnderLocalSystem' = 'Backup services run under the LocalSystem account'
                    'OutdatedSslAndTlsDisabled' = 'Outdated SSL And TLS are Disabled'
                    'ManualLinuxHostAuthentication' = 'Unknown Linux servers are not trusted automatically'
                    'CSmbSigningAndEncryptionEnabled' = 'SMB v3 signing is enabled'
                    'ViProxyTrafficEncrypted' = 'Host to proxy traffic encryption should be enable for the Network transport mode'
                    'JobsTargetingCloudRepositoriesEncrypted' = 'Backup jobs to cloud repositories is encrypted'
                    'LLMNRDisabled' = 'Link-Local Multicast Name Resolution (LLMNR) is disabled'
                    'ImmutableOrOfflineMediaPresence' = 'Immutable or offline media is used'
                    'OsBucketsInComplianceMode' = 'Os Buckets In Compliance Mode'
                    'BackupServerUpToDate' = 'Backup Server is Up To Date'
                    'BackupServerInProductionDomain' = 'Computer is Workgroup member'
                    'ReverseIncrementalInUse' = 'Reverse incremental backup mode is not used'
                    'ConfigurationBackupEncryptionEnabled' = 'Configuration backup encryption is enabled'
                    'WDigestNotStorePasswordsInMemory' = 'WDigest credentials caching is disabled'
                    'WebProxyAutoDiscoveryDisabled' = 'Web Proxy Auto-Discovery service (WinHttpAutoProxySvc) is disabled'
                    'ContainBackupCopies' = 'All backups have at least one copy (the 3-2-1 backup rule)'
                    'SMB1ProtocolDisabled' = 'SMB 1.0 is disabled'
                    'EmailNotificationsEnabled' = 'Email notifications are enabled'
                    'RemoteRegistryDisabled' = 'Remote registry service is disabled'
                    'PasswordsRotation' = 'Credentials and encryption passwords rotates annually'
                    'WinRmServiceDisabled' = 'Remote powershell is disabled (WinRM service)'
                    'MfaEnabledInBackupConsole' = 'MFA is enabled'
                    'HardenedRepositorySshDisabled' = 'Hardened repositories have SSH disabled'
                    'LinuxServersUsingSSHKeys' = 'Linux servers have password-based authentication disabled'
                    'RemoteDesktopServiceDisabled' = 'Remote desktop protocol is disabled'
                    'ConfigurationBackupEnabled' = 'Configuration backup is enabled'
                    'WindowsFirewallEnabled' = 'Windows firewall is enabled'
                    'ConfigurationBackupEnabledAndEncrypted' = 'Configuration backup is enabled and use encryption'
                    'HardenedRepositoryNotVirtual' = 'Hardened repositories are not hosted in virtual machines'
                    'ConfigurationBackupRepositoryNotLocal' = 'The configuration backup is not stored on the backup server'
                    'LossProtectionEnabled' = 'Password loss protection is enabled'
                    'TrafficEncryptionEnabled' = 'Encryption network rules added for LAN traffic'
                    'NetBiosDisabled' = 'NetBIOS protocol should be disabled on all network interfaces'
                    'LsassProtectedProcess' = 'Local Security Authority Server Service (LSASS) should be set to run as a protected process'
                    'HardenedRepositoryNotContainsNBDProxies' = 'Hardened repositories should not be used as backup proxy servers due to expanded attack surface'
                    'PostgreSqlUseRecommendedSettings' = 'PostgreSQL server should be configured with recommended settings'
                    'PasswordsComplexityRules' = 'Backup encryption password length and complexity recommendations should be followed'
                }
                $StatusObj = @{
                    'Ok' = "Passed"
                    'Violation' = "Not Implemented"
                    'UnableToCheck' = "Unable to detect"
                    'Suppressed' = "Suppressed"
                }
                $OutObj = @()
                foreach ($SecurityCompliance in $SecurityCompliances) {
                    try {
                        # Write-PscriboMessage -IsWarning "$($SecurityCompliance.Type) = $($RuleTypes[$SecurityCompliance.Type.ToString()])"
                        $inObj = [ordered] @{
                            'Best Practices' = $RuleTypes[$SecurityCompliance.Type.ToString()]
                            'Status' = $StatusObj[$SecurityCompliance.Status.ToString()]
                        }
                        $OutObj += [pscustomobject](ConvertTo-HashToYN $inObj)
                    } catch {
                        Write-PScriboMessage -IsWarning "Security & Compliance summary table: $($_.Exception.Message)"
                    }
                }
            } catch {
                Write-PScriboMessage -IsWarning "Security & Compliance summary section: $($_.Exception.Message)"
            }

            if ($HealthCheck.Security.BestPractice) {
                $OutObj | Where-Object { $_.'Status' -eq 'Not Implemented' } | Set-Style -Style Critical -Property 'Status'
                $OutObj | Where-Object { $_.'Status' -eq 'Passed' } | Set-Style -Style Ok -Property 'Status'
                $OutObj | Where-Object { $_.'Status' -eq 'Unable to detect' } | Set-Style -Style Warning -Property 'Status'
            }

            $TableParams = @{
                Name = "Security & Compliance - $VeeamBackupServer"
                List = $false
                ColumnWidths = 70, 30
            }
            if ($Report.ShowTableCaptions) {
                $TableParams['Caption'] = "- $($TableParams.Name)"
            }

            try {

                $sampleData = [ordered]@{
                    'Passed' = ($OutObj.status | Where-Object { $_ -eq "Passed" } | Measure-Object).Count
                    'Unable to detect' = ($OutObj.status | Where-Object { $_ -eq "Unable to detect" } | Measure-Object).Count
                    'Not Implemented' = ($OutObj.status | Where-Object { $_ -eq "Not Implemented" } | Measure-Object).Count
                    'Suppressed' = ($OutObj.status | Where-Object { $_ -eq "Suppressed" } | Measure-Object).Count
                }

                $sampleDataObj = $sampleData.GetEnumerator() | Select-Object @{ Name = 'Category'; Expression = { $_.key } }, @{ Name = 'Value'; Expression = { $_.value } }

                $chartFileItem = Get-ColumnChart -Status -SampleData $sampleDataObj -ChartName 'SecurityCompliance' -XField 'Category' -YField 'Value' -ChartAreaName 'Infrastructure' -AxisXTitle 'Status' -AxisYTitle 'Count' -ChartTitleName 'SecurityCompliance' -ChartTitleText 'Best Practices'

            } catch {
                Write-PScriboMessage -IsWarning "Security & Compliance chart section: $($_.Exception.Message)"
            }

            if ($OutObj) {
                Section -Style NOTOCHeading4 -ExcludeFromTOC 'Security & Compliance' {
                    if ($chartFileItem -and ($OutObj.count | Measure-Object -Sum).Sum -ne 0) {
                        Image -Text 'Security & Compliance - Chart' -Align 'Center' -Percent 100 -Base64 $chartFileItem
                    }
                    BlankLine
                    $OutObj | Sort-Object -Property 'Best Practices' | Table @TableParams
                }
            }
        } catch {
            Write-PScriboMessage -IsWarning "Infrastructure Summary Section: $($_.Exception.Message)"
        }
    }
    end {}

}