instance-security

仓库: groeimetai/snow-flow
安装量: 51
排名: #14587

安装

npx skills add https://github.com/groeimetai/snow-flow --skill instance-security

Instance Security for ServiceNow Instance Security covers authentication, authorization, and security hardening. Security Layers Network Security ↓ Authentication (SSO, MFA) ↓ Session Management ↓ Authorization (ACLs, Roles) ↓ Data Protection ↓ Audit & Logging Key Tables Table Purpose sys_user User accounts sys_user_role Roles sys_security_acl Access controls sysevent_log Security events sys_properties Security settings Authentication Security (ES5) Password Policy Configuration // Check password strength (ES5 ONLY!) function validatePasswordStrength ( password ) { var issues = [ ] // Minimum length var minLength = parseInt ( gs . getProperty ( "glide.security.password.min_length" , "8" ) , 10 ) if ( password . length < minLength ) { issues . push ( "Password must be at least " + minLength + " characters" ) } // Complexity requirements if ( ! / [ A - Z ] / . test ( password ) ) { issues . push ( "Password must contain uppercase letter" ) } if ( ! / [ a - z ] / . test ( password ) ) { issues . push ( "Password must contain lowercase letter" ) } if ( ! / [ 0 - 9 ] / . test ( password ) ) { issues . push ( "Password must contain number" ) } if ( ! / [ !@#$%^&*(),.?":{}|<> ] / . test ( password ) ) { issues . push ( "Password must contain special character" ) } return { valid : issues . length === 0 , issues : issues , } } Session Security // Check session validity (ES5 ONLY!) function isSessionSecure ( ) { var session = gs . getSession ( ) // Check session age var maxAge = parseInt ( gs . getProperty ( "glide.security.session.timeout" , "60" ) , 10 ) var sessionAge = session . getSessionAge ( ) / 60000 // Convert to minutes if ( sessionAge

maxAge ) { return { valid : false , reason : "Session expired" } } // Check for session fixation var clientIP = gs . getSession ( ) . getClientIP ( ) var originalIP = session . getValue ( "original_ip" ) if ( originalIP && clientIP !== originalIP ) { return { valid : false , reason : "IP address changed" } } return { valid : true } } // Force re-authentication function requireReauthentication ( reason ) { gs . getSession ( ) . invalidate ( ) gs . addErrorMessage ( reason ) // Redirect to login response . sendRedirect ( "/login.do" ) } MFA Implementation (ES5) Check MFA Status // Check if user has MFA enabled (ES5 ONLY!) function hasMFAEnabled ( userSysId ) { var user = new GlideRecord ( "sys_user" ) if ( ! user . get ( userSysId ) ) { return false } // Check MFA settings var mfa = new GlideRecord ( "sys_user_mfa" ) mfa . addQuery ( "user" , userSysId ) mfa . addQuery ( "active" , true ) mfa . query ( ) return mfa . hasNext ( ) } // Enforce MFA for sensitive operations function requireMFA ( operation ) { var userId = gs . getUserID ( ) if ( ! hasMFAEnabled ( userId ) ) { gs . addErrorMessage ( "MFA required for " + operation ) return false } // Check if MFA verified this session var session = gs . getSession ( ) var mfaVerified = session . getValue ( "mfa_verified" ) if ( mfaVerified !== "true" ) { // Trigger MFA challenge gs . eventQueue ( "user.mfa.challenge" , null , userId , operation ) return false } return true } Input Validation (ES5) XSS Prevention // Sanitize user input (ES5 ONLY!) function sanitizeInput ( input ) { if ( ! input ) return "" // Encode HTML entities var sanitized = input . toString ( ) . replace ( / & / g , "&" ) . replace ( / < / g , "<" ) . replace ( /

/ g , ">" ) . replace ( / " / g , """ ) . replace ( / ' / g , "'" ) return sanitized } // Validate and sanitize before storage function validateUserInput ( tableName , fieldName , value ) { // Check field type var dict = new GlideRecord ( "sys_dictionary" ) dict . addQuery ( "name" , tableName ) dict . addQuery ( "element" , fieldName ) dict . query ( ) if ( ! dict . next ( ) ) { return { valid : false , error : "Field not found" } } var fieldType = dict . getValue ( "internal_type" ) // Validate based on type if ( fieldType === "string" || fieldType === "html" ) { // Check for script injection if ( / <script / i . test ( value ) ) { return { valid : false , error : "Script tags not allowed" } } // Check for event handlers if ( / on \w + \s * = / i . test ( value ) ) { return { valid : false , error : "Event handlers not allowed" } } } return { valid : true , sanitized : sanitizeInput ( value ) } } SQL Injection Prevention // Safe query building (ES5 ONLY!) // NEVER concatenate user input directly into queries // BAD - Vulnerable to injection // gr.addEncodedQuery('name=' + userInput); // GOOD - Use parameterized queries function safeQuery ( tableName , fieldName , value ) { var gr = new GlideRecord ( tableName ) // GlideRecord methods handle escaping gr . addQuery ( fieldName , value ) gr . query ( ) return gr } // For encoded queries, validate input function safeEncodedQuery ( tableName , userQuery ) { // Whitelist allowed fields var allowedFields = [ "number" , "short_description" , "state" , "priority" ] // Parse and validate query var parts = userQuery . split ( "^" ) var safeQuery = [ ] for ( var i = 0 ; i < parts . length ; i ++ ) { var part = parts [ i ] var match = part . match ( / ^ ( \w + ) ( = | != | LIKE | CONTAINS ) ( . + ) $ / ) if ( match ) { var field = match [ 1 ] if ( allowedFields . indexOf ( field ) !== - 1 ) { safeQuery . push ( part ) } } } var gr = new GlideRecord ( tableName ) if ( safeQuery . length

0 ) { gr . addEncodedQuery ( safeQuery . join ( "^" ) ) } gr . query ( ) return gr } Security Properties (ES5) Key Security Settings // Get security-related properties (ES5 ONLY!) function getSecuritySettings ( ) { return { // Session settings session_timeout : gs . getProperty ( "glide.security.session.timeout" ) , session_cookie_secure : gs . getProperty ( "glide.security.session.cookie.secure" ) , // Password settings password_min_length : gs . getProperty ( "glide.security.password.min_length" ) , password_history : gs . getProperty ( "glide.security.password.history" ) , password_expiry : gs . getProperty ( "glide.security.password.expiry" ) , // Login settings max_failed_logins : gs . getProperty ( "glide.security.password.max_failed_logins" ) , lockout_duration : gs . getProperty ( "glide.security.password.lockout_duration" ) , // General security csrf_protection : gs . getProperty ( "glide.security.csrf.strict_validation" ) , xss_protection : gs . getProperty ( "glide.security.xss.strict" ) , } } // Update security property function setSecurityProperty ( name , value , requireRestart ) { gs . setProperty ( name , value ) if ( requireRestart ) { gs . warn ( "Security property changed: " + name + ". Restart may be required." ) } // Log security change gs . eventQueue ( "security.property.changed" , null , name , value ) } Security Auditing (ES5) Log Security Events // Log security event (ES5 ONLY!) function logSecurityEvent ( eventType , details ) { var log = new GlideRecord ( "syslog" ) log . initialize ( ) log . setValue ( "level" , "warning" ) log . setValue ( "source" , "Security" ) log . setValue ( "message" , eventType + ": " + JSON . stringify ( details ) ) log . insert ( ) // Also queue for security monitoring gs . eventQueue ( "security.event" , null , eventType , JSON . stringify ( details ) ) } // Track failed login attempts function trackFailedLogin ( username , ipAddress ) { logSecurityEvent ( "failed_login" , { username : username , ip : ipAddress , timestamp : new GlideDateTime ( ) . getDisplayValue ( ) , } ) // Check for brute force var recentFailures = countRecentFailures ( username , 5 ) // Last 5 minutes var maxFailures = parseInt ( gs . getProperty ( "glide.security.password.max_failed_logins" , "5" ) , 10 ) if ( recentFailures = maxFailures ) { lockAccount ( username ) logSecurityEvent ( "account_locked" , { username : username , reason : "Too many failed login attempts" , failures : recentFailures , } ) } } Security Health Check // Check instance security health (ES5 ONLY!) function securityHealthCheck ( ) { var issues = [ ] // Check for default admin password var admin = new GlideRecord ( "sys_user" ) if ( admin . get ( "user_name" , "admin" ) ) { if ( admin . getValue ( "password" ) === gs . getProperty ( "glide.security.default.admin.password" ) ) { issues . push ( { severity : "critical" , issue : "Default admin password not changed" } ) } } // Check session timeout var timeout = parseInt ( gs . getProperty ( "glide.security.session.timeout" , "0" ) , 10 ) if ( timeout === 0 || timeout

60 ) { issues . push ( { severity : "high" , issue : "Session timeout too long or disabled" } ) } // Check password policy var minLength = parseInt ( gs . getProperty ( "glide.security.password.min_length" , "0" ) , 10 ) if ( minLength < 12 ) { issues . push ( { severity : "medium" , issue : "Password minimum length less than 12" } ) } // Check HTTPS enforcement if ( gs . getProperty ( "glide.security.session.cookie.secure" ) !== "true" ) { issues . push ( { severity : "high" , issue : "Secure cookies not enforced" } ) } return { healthy : issues . length === 0 , issues : issues , } } MCP Tool Integration Available Tools Tool Purpose snow_property_get Check security properties snow_execute_script_with_output Test security scripts snow_review_access_control Review ACLs Example Workflow // 1. Check security properties await snow_property_get ( { name : "glide.security.session.timeout" , } ) // 2. Run security health check await snow_execute_script_with_output ( { script : var health = securityHealthCheck(); gs.info(JSON.stringify(health)); , } ) // 3. Review access controls await snow_query_table ( { table : "sys_security_acl" , query : "active=true^admin_overrides=true" , fields : "name,operation,type,script" , } ) Best Practices Strong Passwords - Enforce complexity MFA - Enable for privileged users Session Timeout - 15-30 minutes Input Validation - Sanitize everything Least Privilege - Minimal roles Audit Logging - Log security events Regular Reviews - Security assessments ES5 Only - No modern JavaScript syntax

返回排行榜