Add Check for Scripts in ACLs

README.md

@@ -306,6 +306,9 @@ In general, variables in JavaScript should be properly declared (e.g. using “v
 ### Don't show unpublished knowledge articles
 Unpublished knowledge articles may contain sensitive information that should not be visible to anyone with read access. By preventing access to unpublished articles, reviewers are given the opportunity to verify the content before it is made accessible. This ensures that only properly reviewed and approved information is available to users with read access.
 
+### Scripts in ACLs should be cleared when Advanced is not checked
+Scripts in ACLs ARE executed regardless of whether or not the Advanced checked box is checked off. As such, unnecessary scripts should be cleared from the field OR the Advanced checkbox should be checked in cases where scripts are required to provide better visibility to admins for troubleshooting purposes.
+
 ## Category: User Experience
 
 ### Added a Number Prefix which already exists

ca8467c41b9abc10ce0f62c3b24bcbaa/checksum.txt

@@ -1 +1 @@
-UyeJAZLOPzkqTZioReDZ3QqkmprUdOX4RrzwUqB3iBIUZXID2pxZdDd8-zzVgJ8zrY3LhCdiW5tdvLasslCHZd532Pq7cRCZZuHLjQ-iJ8wlTMmybRT2u-1I429W1lv-sjEOZqeo3oo_RPq12pyxgtGJLOW5I9cPTZrOnLp6VxT4LSRCeliudBQ_8CwylpHtVIGiRDXrerTEk9jAitMPfkJu6qpO-UxLWs0UGIdOZQBmqpOWMww9NtzjI3azrpbzkSBYvqyKR-SJaiDrk77xyN7jfAMg7IZcWd4umGYlrfmLjI_SNPLuLZYpPXAMpjOMd_cAjzh1_R3279D26M9aA0JdhPUNTIJYgn_qht0i8GR249Wx72B57wY8Oi7IhDJYg4guUFeAzK16zCfqGS0ATMaRXHejSgTXZUGe6hm0emFqvHRiYOsS9EmHoJSXCi59YopRy3yIbsaw3-IN2yVOKQiLr41KqxL-M_rD6oYVN3rvS1DQ9IPEzuR6ezCIhY02LP8DvqPF9I33GgUjsGyDk8HYttR-2bQaItpfJz3StKRG6r7oMpaZ_Rp-aUlD4o-TgzUlYGCvSSwqk7IqCFP44WCjVj7Z9AieehbONdFJsMxgTCuWvgmobMRHp5O98ZdyNhoYN_28qSCuRYMOzmwE1ZBVObCNKBS6VyF5P8qCxqw
+TwPIfPENOuLil6KD5FUVu54iV2MjqWceWiQUkVELNuFs3Sq_QhkNtp-PljeTyLJy38WAf4gHwyuX8uiJYn8G8wXwz5jLOC3O20gEgcg3aF16JEHjDIjicZYr4Sd2rVtQ4AVtewUl7D3NuSxRemQbxjipqE0fNarad7iNxXLgPreuxuNmvDgd53vJVB0rE4ETm1nCa2PxdC8WKiBqIcd-v_Br9ISl8F3WDEcg3kV1o60X4hSJ-rcaEQBy8A4NozrFCOr7lQ8pVOblP2ps6XV878QSYeJVok_osAhmzcg2yk1qHoLJ18PwD2H4oycqn4ll_ZxIOcODQnkgzJ45nEHoqPKxE2ByPyUe5xodU6RWfs0_oIQPA3Ji2Z2eQg9SEl5RpkAte1McYwwVD0XAjlkXIYokaPpKHP7LSt2_iqFKMu7C87TNwFFdRzdfCpimJeq2ntMIt2Cf3635rH2xdWM9RNh_Ho1Kj7rMEj8j3u6k5M0FR4LyFsSZba3INlEAdCAgZRWohDEFBJDBp406my2awZmdWKBEI1JJVh-8UKMGEl2pnBjSVk9zZQafcx5GVqwL99a2mRgN2-dU6ozwZfIj1dI4i2ijj86Wm__itnrK8aDSka_iuYMukWveyhCpy5geYSHmnB3cjhkyI4uyoUkkllCE8jPiLarGuhrKR_4fFRg

ca8467c41b9abc10ce0f62c3b24bcbaa/update/scan_table_check_9d4676f6c34d52d08dbc32f1b4013165.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?><record_update table="scan_table_check">
+    <scan_table_check action="INSERT_OR_UPDATE">
+        <active>true</active>
+        <advanced>false</advanced>
+        <category>security</category>
+        <conditions table="sys_security_acl">advanced=false^scriptISNOTEMPTY^active=true^EQ<item endquery="false" field="advanced" goto="false" newquery="false" operator="=" or="false" value="false"/>
+            <item endquery="false" field="script" goto="false" newquery="false" operator="ISNOTEMPTY" or="false" value=""/>
+            <item endquery="false" field="active" goto="false" newquery="false" operator="=" or="false" value="true"/>
+            <item endquery="true" field="" goto="false" newquery="false" operator="=" or="false" value=""/>
+        </conditions>
+        <description>Scripts in ACLs ARE executed regardless of whether or not the Advanced checked box is checked off. As such, unnecessary scripts should be cleared from the field OR the Advanced checkbox should be checked in cases where scripts are required to provide better visibility to admins for troubleshooting purposes.</description>
+        <documentation_url>https://docs.servicenow.com/csh?topicname=t_CreateAnACLRule.html&amp;version=latest</documentation_url>
+        <finding_type>scan_finding</finding_type>
+        <name>Scripts in ACLs Should be Cleared when Advanced is not checked</name>
+        <priority>3</priority>
+        <resolution_details>Clear the Script box data if the script is unnecessary and Advanced is not checked off&#13;
+OR&#13;
+Check off the Advanced check box if there is a script in the Script box that is required for the ACL.</resolution_details>
+        <run_condition/>
+        <score_max>100</score_max>
+        <score_min>0</score_min>
+        <score_scale>1</score_scale>
+        <script><![CDATA[(function (engine) {
+
+    // Add your code here
+
+})(engine);]]></script>
+        <short_description>Scripts in ACLs Should be Cleared when Advanced is not checked</short_description>
+        <sys_class_name>scan_table_check</sys_class_name>
+        <sys_created_by>nia.mccash</sys_created_by>
+        <sys_created_on>2024-10-08 20:03:00</sys_created_on>
+        <sys_id>9d4676f6c34d52d08dbc32f1b4013165</sys_id>
+        <sys_mod_count>0</sys_mod_count>
+        <sys_name>Scripts in ACLs Should be Cleared when Advanced is not checked</sys_name>
+        <sys_package display_value="Example Instance Checks" source="x_appe_exa_checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_package>
+        <sys_policy/>
+        <sys_scope display_value="Example Instance Checks">ca8467c41b9abc10ce0f62c3b24bcbaa</sys_scope>
+        <sys_update_name>scan_table_check_9d4676f6c34d52d08dbc32f1b4013165</sys_update_name>
+        <sys_updated_by>nia.mccash</sys_updated_by>
+        <sys_updated_on>2024-10-08 20:03:00</sys_updated_on>
+        <table>sys_security_acl</table>
+        <use_manifest>false</use_manifest>
+    </scan_table_check>
+    <sys_translated_text action="delete_multiple" query="documentkey=9d4676f6c34d52d08dbc32f1b4013165"/>
+</record_update>