From c2d39880915c40294ffe8dac10b7edcf65fe0491 Mon Sep 17 00:00:00 2001 From: dutt0 <147828743+dutt0@users.noreply.github.com> Date: Thu, 11 Jul 2024 15:12:41 -0400 Subject: [PATCH] [Enhancement] GR2 validation 8 Guest user accounts (#156) * ItemName change, making it mandatory * rename GR name and guest account control to v2.0 * list all guest user with updated logic * Testing Gr2 V8 updates * replace the ItemName * Change the gUest account table to display unique users * put back prev. workbook * add roles to the table unique rows * Mandatory validation and unique users only in guest account table * unique guest user list * updated modules * test deployment * storage bicep testing * storage bicep testing * add Comments to the guest table * updating compliance messages * removing branch from workflow * write output to the pipeline --- psmodules/Check-ExternalAccounts.zip | Bin 24493 -> 6624 bytes psmodules/GR-ComplianceChecks.zip | Bin 12107 -> 12222 bytes setup/IaC/modules/automationaccount.bicep | 2 +- setup/IaC/modules/gr.workbook | 2 +- setup/IaC/modules/storage.bicep | 69 ++++++------ setup/modules.json | 4 +- .../Audit/Check-DeprecatedAccounts.psd1 | 0 .../Audit/Check-DeprecatedAccounts.psm1 | 0 .../Audit/Check-ExternalAccounts.psd1 | 2 +- .../Audit/Check-ExternalAccounts.psm1 | 98 ++++++++++++++---- .../Mitigation/ReadMe.MD | 0 .../GR-ComplianceChecks-Msgs.psd1 | 52 +++++----- .../fr-CA/GR-ComplianceChecks-Msgs.psd1 | 54 +++++----- tools/CentralView/setup/IaC/modules/law.bicep | 2 +- 14 files changed, 181 insertions(+), 104 deletions(-) rename src/{GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES => GUARDRAIL 2 MANAGE ACCESS}/Audit/Check-DeprecatedAccounts.psd1 (100%) rename src/{GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES => GUARDRAIL 2 MANAGE ACCESS}/Audit/Check-DeprecatedAccounts.psm1 (100%) rename src/{GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES => GUARDRAIL 2 MANAGE ACCESS}/Audit/Check-ExternalAccounts.psd1 (99%) rename src/{GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES => GUARDRAIL 2 MANAGE ACCESS}/Audit/Check-ExternalAccounts.psm1 (56%) rename src/{GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES => GUARDRAIL 2 MANAGE ACCESS}/Mitigation/ReadMe.MD (100%) diff --git a/psmodules/Check-ExternalAccounts.zip b/psmodules/Check-ExternalAccounts.zip index c8d7c2d71e114ab15d0708ba216db33afe2b9c93..fc1563161295d729541bd01105dbe5f7671ad852 100644 GIT binary patch literal 6624 zcmai(Wl$VUwm@+R4uQc5K?a9Gf+VD%YtD=!TThXVx#g#^W|d8FP__i)(+4+V9L2?a&+XII$F*wB(u#MsW> z*iav0Y$RxCX#3p;;=p9*V8k-2wq&!!h3Ub$?nM>_zsO|330^#|7w{n*%ZH9(4~jL= zH4mw7jFyPcOT!O+eagtD(P*oq1)$7e$T5tjakHfn-8H52IvU5Y#xm?_=1;jK5Ds4+ zE`(0Xg#1_yW+=s39yX%!r>%2h&XQ=_QY-MsJH4NOGdi}3-5j__qMIuS;VhnG$U8{G~%xa;y=#Fi}VjnO;%!UsQG>d9S?;gVa^}Hi+VAA zuZE|W(!S#HcjnmwtcK;M(|;r(0*}65&B8?~`N=k(CjRW;Ob}y*RtbR7R_2LjqJ-_` z#q799)SR%*z`E#4;m#3z*B(+|+$_?fsJUZ|UQs+9R>--luy`S3LJ;d(Tx+E2$r!&9 z(t=~NBhrI$F%Oqc5O-Na#xGcnepti(M*IvsVg!`ORrV#%)V$stkbJ3GzcxGWW@7Vj z6z7*W5bVfi0X=7IrNubU)5n2%FjjG7RO@^aq8J}Hmc!Z;+N$mts{O-PZZ=&tFG7m!D)=lovCCu1BJo)j?4n9`7v9m;)s`IIDw1$@Bp{VWFT8CT zYoTTJPyO{h*r(jwDtZU`?fkm!;Gvx$_Hp9N&;(C2yW>)7f4(i7U0QBBd!C{`qFqt; zIO)jm=rQ`Hy-}KDBE+&rgjwqX^IHUbSgkKXeEU)EA(XV04yr`wiz0oWe4(2P=S7f% z?Ys1LDYUwl^Qo)}oA|}Vy@E+Aqlx!2#gF%)CbhU6zmYRCs%g|+G6$nByqp-5%%G;0 z1Rm7Q)&|J#5gMJAS%{sZ*QSv_(@^Udn2}XgzJ_D9`MN0aK0yPe#5UHW_UBcJb#OTP z78Q?RVwNs!6e0_AEw_%$C!~5v3{q)0YeDeuO0N@=jsqQDw#Ti1&X0~GO=#yoReK++BrkM&(fV)yVxYr&H1~;Yb_7P z5tHJ=-zx4B!H&S4yzAtzu(H0S}dnw_zQ?Cnmzx(s~j5vmyXXUIWC++?WGFK}P2uAW}&uSnKi^n;hB@Bo2 z(lk1uy`m@FY=2a0K(rtHr9y(R^A0a(Ahewf&k~AKK%98jARDAl_+4+D4!p-S*hPn3 z9k+`IcyPtVMQ_ z^$jZKNSs&0ZdEML0;8x2jNN8Y^`Ss!Q|jg4>z&T5-$7OT!WyF?g7E8;YOB{k-E%WK z_DOt|bvV&%f(3d=zbv2iZ z{e(+5tUp`p@#3TSmE>2Q7%_yDwGq#kH4^4pD;rzNzX%;`r3RVMd^U0t+2w2{o*dIH zbK1VbCNL)6OO|At{>{5@xkhprhKGGOIN`rtBNdsNJp1dJraE6z(1m^}1N@^@D3-Qr zxRKB@Q*Ow&yf9(2W2chvRcwhuvYY`4={<)qx4>#qo;o}YIcxj7=Uyw|Tp@|tmxa=5 z%8{o)3xLlZ%`8yDJg9~ilSC|fzP&pqnz|QGcq!TWpj0u|6dA4r?cGd}2bMUlus!(>Hi+Pr;a9Y9>ou#oBURf=*d3sXr+e^lz#qXmA zjvcN-ey)qt5w`KLUD>DfR*&03ll%mRJu%rl3@ZbY;S$sFKsMUb=DkS4&)qiyNLnfD znS$Z$%=ys~h{;tKn~X#jS|(PMq6f4(p$~Q3(`FsO7W?9C01i!U$)-m9HC66hGhJ4q*9mR#~&|SrwZ+E_jGNi z$E|Na+U^!4xK#X8pnrwMZ`dgCC(*cr&&uSnjsyb;P}p`-gKj>%HOvL#^gFEu6DB{= zrBhePCP(HQI>vP5aAeUXX(F46w|bsM=JC*lc74tPvwa@N2^d$?A4P$4DBZc_hOF^> zDIDmeS4|1itE&I`HECv&FJnCz}p9oy?ji)SkA%*2h0VCRqO^wD! zWuP@~5ZF$H1Sm~w=<%)h*gF#_{oRoid1Co~!u0ZDcWfkzP1u$PJ8v8lE963SMYU#i z$UPOs{_aRJg`Bs7O_MSfqj|}66v?q(i9^<+-;f*Z$v66)t$fEAhVCV!K9Ff3-VCOB zp?k*O08ldH?B6o}4M|k4Mi9tu!cbvOLI1EkcSIGBWEF)@x zG-eS9eZO6AHZIsP3LBnD8oeV*r|oAR9mOg8Uq`yy=wHHn`*M`+_{WjbL>Zks?5O`Z zQa0p|BZc$md9`tK>-q6~ajA=4MIOispF|dqyO!TFOQyosNBwX)6Bj4w_mTSNVg$GG zoi?|n!8?Fl^bZb6dN!Q~k5sc+4$T+K_12Mo%`&aI1SMWRl4kfB->($jnyseeZUOwR z3JZd%*|`CRvqcVN`EI*jT~({tYikQQtMw<%q92zMJ~*Il)$goy%cQJiM87(2hjQt^ zp*RLqlC%!`FM?4eO+e^Anji0*)TbzK0&pyH3^FQrdfYW$%)@&60N{GcE>Vkt$#VBF zN9wU%>s`dEgudEgoT*-3*qU8$;{*aCGfab^BN@9ymp)n5_JO>FLJ5N~hwq_&G(%{y zE03!DlT>-|`GHlV{$^NR(VXmO$1bASRM&32S(m7Ro&*>@pGnTY;xtsf4W)0Y zv$yrP*Zh{S_QThEbbA@~OQpz*PrQqUUYg19EZ%SS6>-;7C0uk27QxUnzq~v=$|^C5=QZ9A zFl#vaZB{2;|g1FzX!7ioBR91fC4nHxSFWm#C2BmDfWIt}1Rw~Tw(RA%#a%G$x%K;(}2A_^NE zaKjvSjysZixPSptU`0m!A<|#Jd5}}dGMAvK7PTDV6zVEMqO&Cb)lZfD6mvk)vd{o|&k;j_8i6)b zt)~V+Liu6p>LEoKi!yypujnb_g+ow9;1}aJUEIlbWNmM=5_N)XE#9*D;>$16DF()M z9|vtILjmvdZeS>*Z;w=s%La~XFlaEFYAE>2Ik*^gr>$(O&7o}l%@&yzJz!l*w%O3Y$%e7j_J4%? zbe$vhFaU^D`5hD#fa<@5dux^xLLJ*Jj>}eoH&|vCJ))o%(GM6mbz*H%j#oZhp*#!# zTE@wGLP=#wb0w#mw-*x$DRL?)NAw@7yvhPFsVM|wcc?#r{!xbZO~xAzY1RWNDE1E< z?hgWH_?N8olpohTbA4=_J0+^};h#gP9_-#S&KVZ4I?X5tHP3OrfvP29*8PlxVkG;p z5~72sO7#?E9i%p8+JoRxP?#L4ZD*lH)>5DJefC;!ddul8;e# zqQ$BMtO+c3XQbOs?bxT|uHU{V2Z)Zal_jh{NBRbb0X1nZMPWA_#NlNJd$Lr<#Wj#7 zcBolD?`V8M^DNY6;C64lOKVoDM&F$T_ zW%aTori0^9tUv9_P_nNp#w`f$EP>H?Psq*($`)9+$s;&Aq?EBMDN|!0CuW%<5hdZL zzRcHpUJwV^NDy7@a=4uC8CV1yno~F@`>oA`i~)Y_eBXB}1X0N(68Sgf$^|;RnN0Vg zZ~D4i^P3Yx47u5SWI-oOM7hxEnH}L;j`O(GKl>#h?*Rl}clB409wo zle(Q2z(pe}S6US(2|5lxPdNpopjnBk?0j99`#uVG!nZdwlQ+!C&pOcZDpaH`{$SA=Aw}6Fd}r+t?gUVM%5|yi|10mkNM#+L)e(BC21~pb3aQSoZz(x~dpa1ZtXqsq^(aqL5ij*AWcII4aRH{O2v-S&@z{QY0 z-8CSMy<+gbU8upQypCRi06kSCnsy-wk0=V@GHo<+l{;_sz{5msa)$Mm6n#w?tM^x6 ztCd0E9>H#U(QqzDM?MSG4D-2WP?2mPQ~ptv1(cP&_3iL1?>ZwxEuG4*BTDt0Jh62S zJeoQF()q)f6SGsaTZ`!8(jUV;yV@?a5Z?M0op23qVU78*+^Eb6xZ1K2rhsUbV32E> z_7Yet66tY8MZ^~~Exj)ap|iPyd^q_DVrhM>a+n=bxBu&7g~|ms-cmi`^AMyPzDlKq zxT~PPHei% zBzgLgN{yrX_>+Fhb;1Q@ts0)N(2J~)->}M8xzHVk)!wl%xz2RJ*i989kpQ^DuC6p-chd)56&Hvm5r0(&woEd5Nkf9~yR$9RvSt`cJHeoDLbdspPv z>GAbVat+T}^=x#FE9CJ*o>h|9OM2ZGjpmT7cA#6g-K6C5;kK9j=4xUSWBEuw;k(_? zVzAYRwIeVby6j4Pkm(lZIF(!$dgO*Tt|_oDqRKXa8xyI_P+q@nkEq()Wg8t)L<9}0 zOj4wIpqNzK*fFWnoqK;~Etd*^k*4V06!>j|E+o}r2D3rgXvh7I@}%O^3Pq)DV73-@ z?lzI9T1lNDPvQ+H$Dxg(jjWJsiY6i7!+`xyz z?1j`|q27A?lsk#Af>cgrCUtKdZ%Xgw1Qh%hid!Fo>t7@d_tfk=d$}Rf-=*hCCfHpN z?>th9JWNjUPdL$gA?`wbCtC2F-tLGia~pFLZ}%$&8x-Yx>PM;1b>lSv7wtnBRcZ~C z39kg}PXd6Jo1dX3b-Vy6+uyl?GEAk_**`weJ6fBJ*yDAE7^8Tu-|q+3k4|YAAJCS%`_jmek})hfz*P*I%>Ma{o(8L}E__!m^Dg&F$yf>dpDck{R5 z`VrL^$g<1vNqK?}B`_9-Z=crvVoC@LENHEff)-5s?3ZyZ4?Y99qL8{3krD#D_f0Y^ zNqdjdi71YesEXfosMy{5kS*Oydckj>W;;#h6IGPoF7k*q;+>}Z+{O*KAhx)Zs*@IV z!FGAQ^h_&=In|2FVyIT&-VymHgjlbAjrE8m0FKJd)#WY1c&wd)^42kza8A@AL}`~@ z9XA|{yr@_{y#s9)k@T5?MT3q`jLq7stnk-L=@5;X`+D{W#mmC= znv@`xTb{-phLkKt^qWbcA_4S3Djz{Pb_& zqtdi5%usRi|2Vzwu(vr8SaSBr^0Tx8oiV=F!#b$|zUFb)=Rq5`u3h|!lYd2};EB+u z0tyb1YK`q(?4<{t-x|a&Tk?rb3RY9Y{|*+_(#Je2-7Ym-~sh;bc{yWLSvX z*3)jH*&qkAu8KrGBvFw6K}~(sR$hSxK|NG`_wS(F(vyj*sP+0NeDk0G^+pu+5WZuD%ZVUvI%8rF$0=e9HJEsMj88AEn?g)!@bH zeTZHSyXe2WF8HHsf|NgiC{y&#L|Lsi++O+9E zGyuBzY2~%gj|aCD{NZ(79i*$QG3}GLK1sVzi~afczo~WIzuWPD{u8S$!tqL{<0;S??_*uUrkR zC0-jX65B@_MBN+VRbJ?QN^72N8Ylf**Mk)+!7SG;_JhEWMnK$qM>6Wxt+3dARRAph zPzB4sy<$tkXRUuRf|v$v-PO1L?N5o)-{=iMnFH7eKA1!K9+c7w1ej$KaZ&r; zvb!H?TUV(3_oI`UK&|G7x} zHoGy2s^8CS>HllV^op?mcVxdL{95|wPWYHO0Lixsz#))YzQ22SmUkrWnkYzb>AFwe zz9A;``tdo)8rW7jzt{-$dq7^tjizWt>Mbf85dFQj^#E$FQv%y!*&0>-i4b2D z0!#j>re0GoC4me5j}L$%C=C4WPVl@6r5U^WS%rD}klG zq67PDq5PnS2RJLaNKd>j>6gv%QqBus@aBD(;H`{$Z`EVvtN^6GVIo+XcTHDOU;-

gB_z1z@ff82Sfl`sddUmscC3 zO+O*{H`2<*!eivGoZ?d?AgmdH@b6^GuV?=onZRXIuyA0b1GdsFiNa5?_N^BOTK-y| z3j7iHkyQ5|Xz*nt{-)W_Qsjj&tt|khZx>B|FX~I%p9Rr{7q5U-g=w(tb^w1%DEPX| z-^o$8xHVX#bd5HEQw2fP^lLi1m^ZCJa#0k}(148^L7n&bVM42r_w~cR_5Gi3|Hln@ zMfAO1AE_dUUkylr7FO{cg#L1-ADv$AN51zAzN0ov%m1~s1tAhh`q2TGCSPBF@vQIK z{M#D~9AwGa!T#WW(&^jlgEl_!jPg{I<0nFcr%FC-Fwgk4*6r){PXP!{H_Ig z*19U;_cDfVS$=LM9DlrL+<(aHyFb4SNxX)6z4+AVf4#FkjsbJVBanH$b!l9AE64SV zI>^@$%W*w7I=oQ3T=EDcObLh@Jflehkb8{46lx-8Ov2+LPVyLc6_LVXipEGB!Q;AJ zWZ*GHVGg$k W}Mo-7K%eybnBav_jY@{#@Qxx_*o*cTk5Y%zcOBZI5A=szcP&gdJ ze)vsdlZb5@!Xg+AqYG?QfKCR66QpVFhp_U7Dc=_NHSg!1jsU|6opX`D-B2{HVU^zP zE_!v{9SMSNxG|2E4VW{@-+|QCCC8KIE=U1Caycs*Q;Mi~X~zN5g14M%dLNapd^vDR@?tmhc_5u|t$ z+G_3Z`6epOb!|D;oLvon_~nF%I_QtBb0Dc_L4WAL(fq^TE3vXOpCMC}o+TyV=fh8N ze39`XGi3AlqT#HVVG%uU$E%L*fsT_jbFieV9(Xp3K=SLEu|8XDx6b8Xu-~t2x5)Tc z?Ds3%y=?l|?e{C&t%UGju;0(NBZ!p|YTQUFUww|kaRnpen36HzcbHNW;O{tgxl?_0 z@vC@h4^7pG7*mBq{aj=Wyoobi}$q*)@pUk1wW5ZKKd{ywII;LnSDT}ZX@Fc#e)th%TCXD z(W!3tev=i$tew~Lr!x!{%~t*X2pcDA<_5E$_t=?vv}w7Eb}^($jfbW>wT~@f$|am5 zHy2MT7%^{H>a{LQeDWj$M7WWR!G2Y@GN!N)jwws5U_>Ae?5mI(DI6LVTEs*gyPZc? zS=(OMScp3m%`{KGY87@sQDp8LBUHQ0-6&M)wQDT7r! z^vYtR8hhp7U5b(qCZ3{5J9vj#J)Pb3ASLUN1lWU%#2tOHetN1pY8yAnd^^H*;ocTk-4g?x16MTYIQXT;~sXKVFS zJEB`ouaB|&?5HgwRw*PWOh6p9uuR$c%y$=&&HOQZvI=xOJ4h?6_6WG(8AK8^cbbJ| zWuNW4D4njG!_}JO@$5OF5ggTdY-Gq#iHcDuzXd^E^xfiIuN5ozB8i0piR)+y{gE z8Jm#7wUvj@n3ZFVeaM(k-xjAO=DzUu)mJ2vOwce8b1{UYz8?#Wv&5Xz-*d5Jn_G`T zpPtVjHV7H?m0}i5WFY3pVJ+R-6^sTAs~7^7_n~)@K>sESRw3?eB0Q9)E!g^x~T@ zUB?kw-mi0c=}Y=Mwcu!}ad$}LmqBcl=wo>faAE6NZsY7|@Dm+4iiSf5MBcL4MjF8`Qg9R47X+8R*8JOg1HOY@0arL<%X=agz~3pXIWRIhsdQiR>mEDz>9Bp8kw&5F z<7}c8j0IB2TDOwA7kJSFE%GL5LKIe2ug22po|K^h8}S)Xczjs76k7CoC+vFe0>aqV zZGGiZsU8BO^-&mfZb(nbo~3yya*|u4*Ur<#y5br1546T^mIN&_PV=Qx>oD7acss&% zB2^EhL~WsFkmp67le3GAx{_G5wNdU+&kb#50}6OZEMvHxY<`h3UOA(m165J{G#!W< z9n4K%#Wa{vd@|0gq8$WkTV*-lLwkRJY%geTgmh4zblARz!6E~i2fy(!58iM2t`qjq z?hri01Vx6tg;-&xuZ3W$0##8;5vu#0@WACp!%&Z~TgMI8xK3`YoqW3vQ9jA?bhYv2?n+N#RPH48)*L3E{JRv#Q@Ei7C@eUQE zX!FPpN|v8wV$Q`J=CdoAfWP;sIzVk5ohwt`U50e$ zZ8Ue^nQ{WB^|mykCk~mw0E4AY_H`_tRd^G6gk)yBrxzJ{Llf9`LgjP&ytf$v5Obz@ zl)2p1GAR?!!;?|aV>M>*HqEbDu$!}P*X^N=7rG;(tud%SKQxIw84PLK@*&xdG~qy} zM{rT>k=xX#UdA=}tQ{X9oX1C2WytJ)(+Nh9GblKSs|XC#bb{QbAi;O$2BA3xjj4W#% zSu{L$f9dLbKk{mT5YF|&wSZa4SA=%e$@H_tPo#2dKGX3wrH_7%V*?GT=f=ZrtI&9v z;y6HZxDjeoG~A?TM)#n0a;n}rnuK5M4t9#|lPSMC@PSVH+6q^Gx_M63{Qz-fPgY@? zvRBf$VHwfx9cIJuWz_onO_x3-9q@^p0enUdYYh02!VwfJHEZ5b^oo@A`>pRC&wAQj z1nkEgKmtT;)aPGwif_38Gq3obQ;0gd{d^Dd5;O<=Lien2Mn1+#V7C5=zq z76C?cGx!Z~+t{wSohe_R%>cKbzsToEMW>Ya7(oF-#p*j`>)3n)qMN+%-E}UL$mn|& zJP(sqhWgH%6-A&XSN9nD=~_x`EO`{*8m=t@-RZ%x)Z|NB@}un{bRyihK-QP~E9I6zRUCK+( z-Q;e~_nBUNkOxmNRJf+`3O(nW4Ml}A8MW=~TPKx~wefCTvV_@gcUj{#^=sWY;e+p#wK9@AQhQwP1X#PZb~h;J#qAh(=lTXgV{)AQe7jSnt$%~C zMMjs#j8GDLPIc{Tj9kcy6)wSG-VcamRR*2WX~E3YJk*JgC66AKWCejYL1Fo!8@{*$ zml)j`&KsJ9-Sc(Z5gIb733pD*sy@ZfiB`(0D?C7+Vm69rH1=yZ%qqj^BUZqowPsMp z2UL4rO+k8&2Rj7B>`;z7Y1dQ{5=;YX9D`oJlkPQBN_{xxwKX^l(Xv-mbZ&a)u6Yy| zC0Gpb4P!EZh4r#`coHOjUvLl0Fzox-uAH6;etu@UzwR-#5n;YN%8l4UWS0c`kFi~U zRHp{%Soz7T$f3d{t-^afk&e-!Aj z@Yt-uO3(HQH!jpz(9vA46<%f=LXar9LM%V#qxq=R3oktE}iuS!4A8uow|neovYg(+_h$KzS(dH!}zX6tPYUy%kfBVD9QCAuj_|VCg6v! zVU>CFHxqv+JU*cZ=$Sg9V#fg-u6}ER0DqWI^ug_v`g+TE%znW`WacxhCm0fP$l^-nnN* zA;Q%>Bs{~#?uOlr6G51X&JLoz$ao0sP{)?Ws1!4;LrW$IOGLIMc`?wQRd$(C@^a;ZZls$La8TGU|g1AjbQ%8_`aalnhA!To&MuC)% zkbR6uoI6%_V=uO{@4Cq6eQM3KBifqBt?hZ7pv<N^(SuZSmdgZ(m0LpAV?+9V1*KOJZR|{h%qd_u!d+9YkE{YQi2*E{!0Gg} zmJvj#8473E6eVx5nzN<$MA=a0EGG%Xr_nZT;!o{n%hn=cR49kTVqD--8fzS z$F$qQ=ltk3H)V6xk?|xyQ|mlYAZEg~jKuyHv0gc0X}OMmkdm>I&Njh6FvF%vD8%%g zdfDQEa90iymTr=4J3n2R^cVU+=4U9pc2gq}D?i=xs93aEn z7Do~Vi(y+0JV`O+lJ^S@U?d#a`(QmP%Eni|PU%TT?M~D5xT6#WLd?e9(IF1g_m)uL z+vW}-S+I4|`jX9v7>;UOA$L8*%T~JhIJ#m(a2HuLv$PPWbN`VOa6o9qjj=8JAf4`9 zajs}{;0Nh(-VbfRKatmH5OYMyJodJ=uWJr81_%^}_x6DjeVk=9a>)9++#ZvJ*~2F? zxpUo#q$s;Apd7dYS1H5|-299E|!;R zb_X|G@^qZYoNrGWe2RkeCKXt?k`Wp)*L-fAX4tfo8!XqCk?x?3jZLy>#A|sf_$E{M z^BC{X1asZrCD(8_JByC)H*Ju6{oHPCc8wqHmBy+2<%tzxx9W=pB#zm$oanj46vLKY8CT>&QU`q9GPDcp2d& zMp4)o3|M*42M(+?P71RhSEkf$Jc>>uB|vtb%UTlR{((>9152wieEd}Xcm z>HD%q?$@$r5h|$|h)M=Cwl90q1HfEHx9Kh%&Q^;+GO~3$H%F=*^mk%2p2J z>SYv}8aLsV@R;1|WdlW;rFq>Az3+g9eTus2R!@u6<}QyJ4Lcme&UTdYZEm$|Je3Ty z*XJQrkS#s%`xzpY#KsgyEP{h1vO@fnn5K?1E^s$AN3>nEIT6Q^mp6!>>&(mN3YEII zCMuF+$02hqA0_9QV;p@HV|(9Xq%_>2QM9lT-nxX~74%`0Y)3~!IXP^wb$>kj>aIEo zQ_;FfT`#j37g#@p0X<(fvjDYzfW|Uw&!=LF725E7vwQ@pRO{{pHpRH+rcV!5tYaX# z@y0^jyLljpl7p7UM^ocBv{&7(wZ^~3ji1p4hPn35hYW5mX;sQj`R z+$T;dE1y9v1s0!Jg3q4mt~sGWI;Rk2cEf`@w8S(1)g6bL1Ka?Q86sWcmx9Mx0Gf$697HKu#x#L=gCP?8Gq=fj4b8|YwW-nLIO5e&tGQhDq=shRgLlT-JOt} z5;czE2&OdeH$akcLj)QAGtSEOykVoIb_tvL$=blA-VZfn2+x9MEry`z^Yt8KR(GGZD||c@m&u6e z;<0t{dS2JXHT^6!4?{{!gK){zr0HYj*?XGGLyY^H(4 z=NTkPt395N>%c_=<(>t37)9r4G=xpJR^SQlh;AMPARYNWh7X#t8##8vsicA%UZIze)mWwi%G@Pj+t|y&HffMHf=rKYlZf0>N7RMG8T=H zgum`}2#v0X21mE3aZkb#%t13`5_(n+{BAA>WY%F z#x*xJ!?-${v9K`&$#*Xu&vAlQYAu-^RNOCewE>A*ax|J!wOGi4;k;2Acdx-yquv8? zt;5ijBEe;PR3hi`tdBzociDZ=T5A|_(%afp%Ih|wGp20B&0W3IAcl#1`6N;}Pf5(` zbN91evO^0^`&PX_3M;=rIiP?yb`mN>sF6O*#5vzGvT4_K)`y7)R(pFG<3tjEx??no zxae^DH6sXWcE0W}7Q2II&j9oTnLa1~eW{Br!U!DTE zSaa+R=h#5xSa&(Y_`Jj9a})N?VMLPpl=&`ixw}De3{s!(mF!>i<)%a}1*MWzfCyX- z^M3dC)S=h;>ayBnTeb<7D52&RSSXqIoj*J_oqW$Fmwnta3r=Dg%-|`J*jCJd2%SSD zo%d?ynENDt|3wX!RWeE!aq6Q6E9e$IIJ=|>_G%Gilq2HK$9)^w*qPayi!mThJ#o>q z;3j0uT-3%|jrS{(Y9jgRGbOMlA0q^-^QXH~}%W4v^uFXx==6q#0W(HbL7ZCkz?75198DudjEaUbXQVgGEvtMZnuc5?}8{ zfpt8HB=;0&1FU1=iA?>A`H3T?eBLqQsIie8kXU#O;BjD{q6#>0{DDj8x3!_B# zKV*=Y?iwNwNjwjn&D%h}R?K#t|fm zF+qW$PAHVp@$)_t^NyR2MP9G5kb<8bbdB1hI$D>O7_Yo3%m-7s?*fwdnA7!|%l@(O z%7&_`*+N)IL=T$Ic_+p_V*9mrF>LpR>`VrRunI)%Wxy5=QJe=jN~H(p$~31Fx~-*| zN;JRBM_z5W+sBo@7;OJM(2tb|F@ATGnc9tZ$J517?vHE|XW=Q}yv&#fFAip>josUk zLHbR~-5jGTc|dFS5*nQh9y+cv2vepYKDr6z#L;zgKT1Rb00pH+LX%*pF#(4@l0D

x@~rs4cxZ{Qn4Qxx8;dXzdh@9V;bRK7xWe3bcbpv18b0<20=MY3(55sY zdDQM`z(x^zJKKh~b*I%H2z`*s%>?tqX|sha?E(w*QEDhdyQeco3dznT>#4&|M*%Jx zIBm7ya!z{T8C(q|i`JOTaax@mPvnqF&j?D46O^?4iJ(z0B$F_1ueR=6RX}V#{fGv; zKn})RTd+#Bn;ll$s*4Pzkfu<)6p~l>Msjia02;R_p#qPv#cJpHS81;V8N@zSQZNh0=e1`X8|NRvs|v-^@kN8VpIicwLtP{sl0RAb-e-0S~0#^Wk8wAD6vU ztabiZ+yEGY_Lr@s81vT}J2$E?{cbq99j`Nn)MOM(jx&FEHopToFoDb;u?pnG4`2Hh zyOx-=##8efrYPI@vvO8>VZ*1M0FRk?bTbV4GVc+qzm2(!7ydBbiVc5l%}N^es}=KE}cAMmConf@l7pR&>#GQ(~Y^~AD-k4;2lH}R^SU{9iA0^*F(-yll&SthS9X{6q z;GuRWkU>KX2hn%VO?5i9n&#T$nw#E8lVUyCVVFMMph!1i_r{mRM6Jl+a)4o-kO?Kk zk45$%HFPiKsk;q}abNRwUggM|tLyz$CO3wz!v*CUJ?V;oi!)(07&~ajcGEQ@m0E|n z)@};qI^PZ$J9f`TxOy|*$mM!Af75M6%!#;D^E*Q@&nLU31GTyEvv)u6aS-qAYT6^0 zgpwr%8kA!1+^PG7jW+I=O0%AwY-+qO7#hIR5qW~~d3sVZg^Ks_ZI6Ze;gYaY<;cZG ztP7S>P<~^LNgmumszQYoyxyhtsEyP^0hrP*zC_4OqPa3OJNLrQcBpP-kc1gXb;uFd z6jE-i;My$NTRFI_ryi+ny=(oX4dJ9!B#RynO@|qqnL{^1NjjO&ji&>aOwV?cHw1`C zBtWp>#*(gWC)ZPhM%>j|b1|I(i3ZlV=v!pc!W2tHT-NNr+;gjEu z!P}U4n}S zI7_fI5s-5)_p2v1!-5ZPN1JL5INBNujjgGfG>{J~F_5wcb5tg-M{=M*o_x7^7De2@E%?_HN~7WDX&@2$M>U*xnu^4Y(C-v9XPoc2dP zyXHWDnbQ&kmi~NCebwW2p8C409xr#*IRIO+k9iQ-t4FT1w|GgOo zU$vav@UA5!!3TYWA*`MZG>^xNvDsXrvp*7otoFM!0-2m(CFrU4#?xr+_f1%qI)_iI z-xkkl&uD{QxM@%zr#1uR(d=A`4*@@FYUbjeN&B%Q>q4rYEqly7I)6H;W(7m7cH|m^ z&UYWWnKz%R{9~F^IgCHf!QC+GUh9?VnQKmuUsZ)<)9T0^jkLYnr0!glENt2yeXQrV z429bPgikfp3pc~qjkidOA9v)bzCKOLwuXlIJzA^FW9+9v5 z`p4Z5+FR~^nAuPF^7P0@y?fdVGpu2UF!e`%|LkI^e9l<-;kO^>9n76QIBFh~X9*9t zMxFH(Y>$qH)5b5pIbfJ2=B;{s`|f}fF=yd`1g8A6dlK=QPrmL*)UUhN%e~5vvjloQ zw+-1*lMZoFg@9wb(jQCZDO8HKQFP!d29dMUXjrH7vlJI5B5OCe^xT52@ z-}6%-e~-_-C%mqL1A)^lXzz^Gw(CZmkITr`WKd|})@8&rsG_(66RO5fwb zDBPSVIwu%lLwcmQTY1B-C^jDVtM4BM)!LW|K0`Ets5lCp@GX0Q7#ph)5kB2(d@L<` zo_m~<;m{@z?QB|X3TdpLs7$!lF0vC&QrJd9|%U!rNAty$y+HvBqi|dx`Wj);pVU)Xq5R z!N~r0sfeS*O({~Jd6vE5tG~c^dNxP1E|<@Rc1HLZ?&lpPkjiKk>CxdKlt~J~z237e zk1A%@qkL}l@ty1VOLcpFKWFE2q>(#c;ysTrH&^HuO-93B2NLFA+3z4i|jE)bSLNflrUOQWF zbTVR$_&TB>JA|6rVAi=nEwdD{@6wfw?s9%cI%*uwz*C>|*~T60E|Ju2Q>&GFV5Ym< zi^Xnx#qw5DqB|6gt4((grn;Ord+63G^+9)eQt=_-%u$EOO2uKSksCx{+`eON-c}mvF!6s z2K|lKtUmXfS{BIT2#PF3KBCVxv#suoonFyA4c{Hg(nH4FkvrZVBY6d$4C(Q9F#6&+k{wFR@>F)i&S1 zQ(9||KYXk7fkQv$DZk56R=js=mz%V?n`K>iiSnwY9$ZDWX# zbo6#*m>NZgnK=~gS8PBLmuV~DT(pY#2ce4Sp1T)1Lx|@#-qEbKgDG?Zu{H7u$=Xu# zQ#Qmibb-a_cHJ`TIpH}yZmiwCp}mRV%%cxOrwMHl`z()g-R_NRh}^yIRtZ;`>bZk; z>QP%I$=&{L+ILG^b3z}{wiKt`z|KCWVOZ30bl4oZ{dLUT? zsRKEvD00}AlUHsjAmIVp3|YXy44<9}Wb75&i8ha>^7$4HkmH?yLLuCUji&FWY1?## zeb*m{pxhG0xPFtUSWez&P;0m_$J6(g((17}h;SyL`d$@F-^^|(VcvrdWE*GIHd z4#=%ij^*x%uJ}Uro_48K#@-C2cGH^@BbPv_Ymgj1s2C`@a3v4o0!|N5r# z_1^+4{}sYd|0%%#1yD-^1QY-O00;oPo0eGbf~U|9FaQ7~SO5SU0000(Xk}w-Ek$^A zWpZv|Y(ZmVZ*^{Tb1ramZ85F9d5_~rvM2ce0`nbW`W4V!(5t3M>f&H}c6lEXN%1B% z80_#8??XI9if`X{Undn284(#(T@8$Y%#0x2&E3t-e)cnSSH8Twy!_h>8HawBl+nwz zYF=1_*7O(G_p83_+LxFA@_)T7jijmzU%J@sz+XxGVyLH=s>~lRP3Q*g%eAQr@FIM{ z^ZYlX4V(7mZ)MdjkAg4{yD)f{`RhwkK3^nF=yz4~`1kiw^jY?;4;vskud1wF=JY_t`BktLslw`ukJT^Y3e4`dw0$Prdv`k6qZ5 zZvI@=%YQr@&7ZT|xW&ugUVc28KmW7s8lcSo_3{f@m0eTil3RrT{=1F%E-e1IMbfpA zUj^a6e`yfAZQQwD9)dPS8|m|pU)wBG1WRrHCc0(d&dUDBFJ04zzy7c9hx`2W7d5P_ zrqh!m{QTnAj|%&rbxZbbR~53Cf(-@JiTbeZ7KPzW<33*g@gjx8Z_n2++M@+){ySOa zdAKOL{rl4D1UBbY;92`3kZzi)nH&7eqP(igXEnEERn&Rnmfb&Ie!04N8-85EFJQFV zayvi%Jiu@IqYmfoc^isK+^DSDF7eyHYoO1t^!X|TymFiFZ$L|LCMwUq5`|BXU}yET z@7DKhlU!f^_Dc|Yee~rL~xJN#xFk0z?+TBW5-IMS}3x@m|#!0_*s=-aptHW|{jhfBT>+V2)te zUq3DJr``H6skZmpe?0d}13&srQZMlH+hX+i6N|JY2g}SKGo~bEAO3$Y*1QF8cKRQ` z{J*o!0f?UW?XPq>DX#1l(w2^&EabT`zpBH3 z`~~_X3VM$7cRu*_FQ420!3<9z6wD3)#`-Aibw>?|VqVsN{oqqSi~UJ+|H6KK5%sov z^W&F~GhYl41n-aQ{aIsAtuYA@zwGcwz=_@ayan!8W&SMTmtw}iFj#QsAD=+!C$s%# z3D0+Y@ba4vjNMJj_61lsAN=Rb%Xjnrs^1TTf2-I(tK1KAK6~_29YfN^UsdtFLg&v9 zmzjGnKJ#bh`P>g{*|@ms^WbFww5gisKbv(s2c|_}0fH>x1209NcS)UpWAXp@?@evl zv1hpLpBwg5`2BzWV0!b1O4>SiA4{AB`#p>K`-f+L-1!sc{p01`q5rs-=qCC5SOxgy zkDJe7{Jr`7*Zkm*yO3bV07s-|P<`v^|9JK@C;Iw%1>yJ3ui^gn@jn^-8P?iQac%J< z5$uc?s$o&x|Cx|CYWa^JEc4}$d;Fk#^T5AH{=RA)X;{m*y$@t)Ew9{!bMy=OFYqW1Yo zP?dk}W{?J5%EwC`Hbnv^10pWS)1Il>)B{A z5Bo8Bd=;u!zX|P}j4VQ4Y1>y#z6$w_l#BVyj1kPBuY>2$-yq4$Us)CTRAl)pK(OEi z?9SZduixcXfBoRkFF>D761IQ&p%6R>K9zgQssvo}b@N^^8|dltWc~&e^U)A!Lm)~aV2WehWGf4=@;GB%i z?)h*3<8AG~yi1z1!M^xTbmy;Kj{fBYz&{do1=ntxWrCp|S`*Ei+o>At)<$LmtS zvftf_1{U)8XE5@+bASHyf70h(o$co-{_j8Lw)5xRC4V`+{_uN__*2(cMEW1!*BX}! z;@^J#r}e+35dCIGZ(-o2amyLr|J$6bYVRWH+^yR%_`6afKeK373c{ zkK!yME{aIw5zXKfu_dCanPm_WP2&!ag6DL_wu7tV>-pV>=b=bCBtFnMjw=dx81@d6 zpGbO#3et(4WgPAOWGFm=<6r(z_$cCQmb6G#!bqSm0-W-*c(YQH9tg=vI1+Sgd30?(Ig(JM`JTo^BA)XQoFGl z@1c}J6XamvBG0Zwr5#Acp-e?#=|M1!iMB*SVR6`?$yk(BYrFPKa|*~IT2yXr(^E=U zV9n1qqj)tCGv~Pg4IbOvE7eC}OY2jy%>xo^FIEtHB)q=ZLg!EPcG(xof9pFOS+V9R zeh{fF`Z(4yPJ(wld%61w5eK$fd8kl_g}Ll4&zaLjBko=?ZbcpR$Couw^do29=D;(; z-9wc~LCi8cB!O(Kx| zd}b`qX5B4o`4{x}o$h8C|BC*;)7?|2e_nsz>28+sujub*-I3%h1K0S0Qa<_|O%MuB zMG<|*f#2auMS`CR{B)zc^5m7#*lg;u7IC%=`f9QDUN8x^EnUahI(`eSuu9n8Q7I;( zTP|S9WMdMe$KwOeHjhJjJW^0du>o<5cpO*N-J*|i6}tCPu!ZrFy5!*)@8O#}Y{Sb{ z^aIQ`Vh0|0Pn*O(JXM{=%F1!LPzu6% z(C}~%8IKrhZ93#lCTwq4LAtVgiSz{LluqJ_o@J=MCFW?wx{pdNciGX)qP>UR4O-1f zY;)l5kg40-VTBQXyDf@VPX*B_ueWZM=KZ7{W*My0_a(!X9lC>!Jw5Tg*-a>ZVDC** zAR!V#npC@3qSI((9mh-}cxrWWrJNPBnxmilGUJmgkpSTaDgySZuFtr_K?JVMSiy=w z9I&f^9%up@6h_2F0>2&xPFdQ@3lw?AF>E_^wGpUodRZxS;Wi7FeZd%f z18`0uw&jRe%f2+1?fG$(Voc`nL5E6(!;&{+tmh;FsXI1FjV8|Jmo{87N5yeiH zD>bV+;aq-M3uDm7?Ss3H6?*12U9C0_%;({wLE5u5Ii3rd2h=%Fde6(`G4KT09VrBg z;x0e$obxQhcALZ2#bNO&^cy(a;F7F!c7OEJ&9cE4Z(v` zpxwdQHpfLDKJP#LP=cmbv+%U&QnU?|QC@9iYl?=0>jZ|sQ>URmLxxJWjHwXFd0<+n zh_9%&_-&DuHcD^zNfzIewT*xnz@QUJ5@HzP1JHlOD|$v{60CRIYQX1@5y-}MiGA5^ zmJw$Oiw$eAS1pKtBymsalZa;v))28snx;51DQ*yvWD^m$f|SOL>Tz^NdtqkZtW1eqBK zqC+0KM89w;Ebp@Rh;;l3z}WiIc*?0%-7Sn&yJN5OeX@^HjuE8LiLbR@IS&(W^M~Kv zu?oLh5;V)$Pp4L`f)oLGJHS;emG^Cd*~g0AK2GN;K3ukguEZ8&t&|(o@qp*sfC6q} z%jmCrTbN}GGH-N~uPTa{Bt2PSy}9bjhyg2#_Qruzw9S!TmuV(+5bB}3=7eQN!1%>p zhiy6VXBp7cd$o(ZFuE4n_J~5r#=na(w(YY9;*Jv|=SNdL(j~3rfr=u>J8`Zx9CJy# zaW27v>(t6Z&R4k~4zzkFdU=vT9A&m7&R@n2oU}w+=N#G_b=KLJVO-facyoa}a|7?2 z5lh=yhR*KT2XyvV!iu|FzsS$OQ7u5YFfv& zAhld<9k}(R_E1xWhtfPFr#?a4m3Bc}^BluTwJwbCK|m%@KyRs|Ef4vl46es+ORLhzSr;xu9 z7a1fk9d^M6sm~J_;@oS8X}lk}GqYQ%f%xRz9JkUoSFGbRd_#Ga{F}C!ZWz2mY6a=v19fy0b zFxMxe!;&+p!JLPd&25FqdG94tTVt`o{ti+!Zw9r9$@)lGYv@at12BF$2`6%p#q zPcFMPvA!Cvh_}@p!F})~bSm)m&45b50J%)j0&p zbje!8(d|)RY^=69)Os+du?||&Lt#XnWqXC}DTFF3B<<>s755vvQ!}k7tm8q!e zQluodDIl-2j2oeDPlFj7Y1%kv(QrBR)K<4{5LAClI`WBqoK;X9Oth^DlHd&P5}aVc zb%x*&V36Q2xVyW%y9Enw!C`U#U!#u?=bc1K>BCV;HR}B!RNs!lSNz2T z4yW&;SX@9$7&K)RIgg0$7)2)vX!nWRwMV*8mrWN>apE@DzeuxFiG(yr;PO+o+oX1s zAc36uf+llA(ccA>oYPOp|4k9t$)hc$Y`7U=zr(!^+#~!Z z6kg$abbCv~*~|Td(`_D|=w(xP8Lwa1Bw zw&+f~IhFk^`zmT%*Jx?qMq18mF>gy>(-qkTs%M=HL&2|MF&}9{8N8&9cVPAsfs!za zf^9xQe>+`?AewMMWS}J#XW}NqGXccPVN_PTY*bTEMPX>Vs;~3wetiUPeQt*>r+RAom37 z2Z|0{OfJ+OQ*$|cm9)1mkZ8u%Po2V{3!l`r=FfJ!*IHKY-&ZUvMJwpayZNx4 zlyrg9l-C0jgMVabD4R6~{{yT`<(iYy8@!|F76E<)#FlKDvSpi(U&xi*C0-=PrH=U? zyH<<72n85Ng~lYNGO%-@Hyl{|aj^%h0klg?FW0LVmr7I%9pZftYB(DC=yt6woUZHSDND^~$E3x)V{`SeD43M9UWYOn%Jb?Sl=t3=a zyprK>>lyZ^VhP-vPbcuQLZqV>xC)X7#m+`-|q+{62>G8TWC<&HxCgTX$4{dx8+)DIKAI3Zzpfvnhk+N32VP14iJw? z<#;$Ubih#w;XKEB(vG7>ZDbzPxGo2gnl+I4ppZbF&^l}%$y;XA>IZZ!D0(Pin(ql@ zL%~Fy2`y0jkbmIXP{zqLxxNn0IT*J64J*nTjC{)bzIG=o@0i#Ki$=*vejoxu0<5=@Mnnf$(`zBh41P8Xoph=Ojhci*slLt9~ zt07sVZG&X&rWpubdgBUZ3A@u6n-WR#xv+*G)1W{<(!Da}K^-{D%&yhfqj`2H_RCZF zqCO){l7rb1(3AEj)vtE)^7Wc55F%nf4bVw-ciXl}&N0?Vi8|2gVj`Rxq6ET>4?Qz? z`8w3*?9&d`4F9N+gkJovFZK9p?UhvvP;cL3ycQDu!n+9I8?4pCH2R=rL|(a3gK^|Y zgf=DzfJK#TIzqr`hL-_uSMYGKyU%gXA&U@MEg}VgKBK;tTtRbmil=qRXtU@on*Nb5ruK)bJ`A|BH|(kgWWDf zWRjU|G2Ig|m@7_o<*YLXt2=y%p-`ePPS{<_YT@UOYxJbXMFyFPw03`B)mg`WyrOHs zro;M(UkhIz)^n_}1Z!&(%dX2^sC<5xLvY$=%tJu1AzYL{7Z%vbk^@lIbZ*b5BF?(B zcn~vt$DFj>kTD$otu}m%2EB8m#hxF=#5AlNW1x$jv{`#a86G@QUqeP!irTKyijVYD zZpyWFtv$0@iOnx>ZaYopX4|XBm=}x2!d*NoDCn!6m6G_W2Q$!x{S z+I0{!*})F(0v`EO&aiQ1DGG9`_ibF5zuH(`wf!Qwb>Q}uw* zVt(s~+Aw@JOTkXpmSMswu$RkfuF#$_qX<$&oY!PNo51g5qT2b{00FhHQ^$N>)DMvw zE;}2So#rijDU(>+$T=Q<;gi3ujdYoJX;VjSRXJ{8D&;XwB(&F`8o7N^IR?$cwH3WO zY@T5=I1@{IL{C;`5e1Ir@ABWVFQv$qDQ@HSeit3&9AHTyjcvEbffm6!0yKm(T|=%D zy|UG>P#s$_I9F(h8~7G!e(lVJ_7vD}H~*3(@d__@LSd@HQqJ9L!eA%+V|k(_?R}E{O9vkBg@&+w|GU=K?XH0>r*sViWMi zyLapFUIxXB1j~}6eidd7o#@;A4<3kI*-O0gw|4m)@C0-S6@mY>&+vK_d6LmEfMG#N z;R+|>dA4)~p1i2kOB^fQMeHqJ`~K^5$)`6ck|1!epz9!3C%Q8rGx!!anKWf~2v5%e#Isj90yTNMuDsmxxUJ+Q z`%AD8Bk$36CbVwv8S&};>4X?ADYUTjjK`N~Pc9uv;f=6ubDhKUfu8dz5tn7ci_&TO zntkp`UJ)!S4P6HUa?Rs5O>>9e8BT`yvpE>r^T4Sna*IEWIec&<$_5j|+&dGA@0&v; zCVs8l#H<1ej1$Z1+JAG=cD3h4rUg^x?=p%ghA}o}qbM`<9bZ@Cq@83RptyxFGqgAl z;JOCVMXzxA$k{=pSV&hM2GD9em?O(@vB3`d1_*5T6*8^N?KuTpB~#FrllwsN z;oOyDjTY?6a$U(Z!ja?>oC;&LE2{&&^G{CU6WlIchO4o`>|D7w(b`rRR)}LeqjX1wyefnZ$R{A$7 z$rF@=>&MxCCsPWbQ$qieSyk`p97+}ZEQnE7`WVhfi!`E8H~csjT96h#X_SE&izCX& zIN!fE~#$as54q3b)<}(9mWmT0E&mG5_s#{gffz-L!*shdY!Ql)riR zBVg2<`?Gok=W|+cU*2{IrJ%y+Pw&R=$E3z+UrK9iFw2!aCAf8Gy|Ob;`|jkA(*&pu>=kdP zSK3WAf2qkdYvN8UnhpfsJU@`wcjR$;!S?P{+O5rf)kc*Fazo0`wAO^>=NXu+B7Z4q ziXNs1_om<^V;@wxl9qJWmg^UFoC;HXf_qWJub(wnaWbD7!AIeBBK-{t=MDvgYufh1 zgyt6_BVatuJ*!0F$Mg^3gQSd=U&5^`yJz$>O6GIk$CPd>d&a#@22dJgen}}|+AsEZ zzQYpry(^#|CZHv|`(a#(BKTx}LA=7vjJQ7ngOi27tB<+uM#S1O8F1AK+4oD{=eQyr ze57Pdq`uI?rc=A_7}xT?TE)uVPl#|l%k5(ToqBq#i4)1X&J#Lguy%JcwGS>J7RWTk z)#96rYEGngt?k~`>KrX#nL*}%jvJL^w4RgX^`cYZh1U(FQHv)urMu14EI{^D`%iMn z*vdTi!pM+mRHWt{*LJ9BZ(lABJH_qS?cIQo@?XjHl^>CW65k=^ma5+VP0)yQ zbjM3tpqobP5L_?0#VF5+Fq|6>ZMl7A2wdK2^se9}!}nq*VJ+E)%s!iOb^Dty z)!(&%)`Qszic=nNG^C6JzZ=5szq{bsCVtRnyk7O~Z7OG2int}A!^GU|mPbx8IeYv`LfJXV zl+4!M2GRg|+NHIX{So(ey>Yk$filIvXOi>4Kt*SeO4G< zB<`FuEq|+(7jMd9j2Jh4d3Q9M6v~!0WNrFEpuZeBb9KzchIFg*BXxZjmzIKcRiG4orOUOVNMnk@#OcZGg6sH39BC8!+L~ebWnrl z3h;Z{0TS~u z{ME69QVso|8MkP08Ie4fJP|;HMoP@bSTJ1mM2+*>WrxkTsjl{lCZB&CXS}g<8>?no zo|?;ao*v3rlpC-K3lHegmCW!6NgM}PSxa^>;DaemcO*1SW6wNg1?x6Trk`fspC;fK z@~83YfBd=+{jhdY2}-7VPeAU=><|VVF>?4cAU-?Xa;j6RTnq7!ypIaJiL_01{T!u; zU0(BBCn80`lqTP0q(+zy1VN@InLh3yw75(5dxX?bKg5$#FUC7AXKkmXVLX&eRHowQV7*Q z8Ph?KR-*W3E%5A+R}Mu};496YhlDn6!ASU$M%Ck9but$-c1QCzk<%AbGKlBN=g@&)!2m_Pey z!dWI4&Oyq6#6_#N62WWZRV0IF5?3nDJMJ|+@|TsYqdI6vt8lMg_di|MyUzS?hn0Q4 zR5ch7hrAr->q2v?I8IQf5s$fXr0!)U>~R%$$6ynx*|F)oh1%O~P%T;(iB=c}%(apd z6x6~F{4?Zi$$143wrVQM%0;gnJ>lA5%#6qUy4sw6saz8gCfm z;zJuDr))n^D;DdJ%q=2da9ZSuw5nW^&ktt63aHBaZMG@wSK(*dws4YsY1_CSmG4?H z_FOyN91DDPMCsht@NmkEla$vnm+X_KZwkqGhTU)cAFER>)zG3K`D-j#lBI00>QKK= ztc9bab{#v1K1|;#(+iKBz=m-N?NKB>CZUZ20IQ$Ls$iDVU&h@HM}Dlz^H^}KlVZ^5 zsnqPg$>x#Ps%C#&oGxES1O20ylkK3^QR+unYdqi{*Cvy$9XN2UqgG%rqPj1$F5_2^ zR;O~fdu*nG3xRXfu${EveC+-a_ql2cmkgpRIweq^mHK%W`nMrrdv7i5=Su#*-Hd>}9vi!=JE0-B%sK5}NEbFz^o`QC?N0 zUIcyPb2bvkQ-bBaBb*#`F>mgOfxmkoe5=5MaZNp!U-8mn;aG6OXp$qJp1iG%?^2DHE^oW#u zxpd!y88>{Nn7Uuv8#+_Pp53kIKLe9z0(P7J?LNN@ecNv~ygyDsdbS2Dq=4&Us;idr55IAKWp?EC3{tqDZKQ^p@|x-eEQ_*vpO#dnp?H(4Nu8H#k6N2_0D zZY>9Uuz)%SIIm7v*s5)>B`c4xy?y(g{Q4Npj{Tz=h7nJJy|>zy(-G&xa3Tpobkb*5 zC}pgW*$sW!9L}YIZLfcw6uUyT4_P=1<>lOEy!`#rB~ts?L9}wEyy2d+=!54(=v+NX zJgO?OlN;|OdQ+FwXfo0EOTnV+Wl@Vs(wF%`@=EnpT4UY80h~-j_RA8=D(^I#ao=tB--$ZEb-tS@s$4oP~ zxA?cAfjn_lGs5P6X4x~ija4f8YNrc%$-DwNzw%O3-n!2i--&`uO|n=ggY-7Msp%e^tELv-%(=)k}$hRTPvCi%?Gub&2dJoUTnQw(g+ zERUqxTT3|=>?P|)!*c{o$&$+tnEnhE=U3$wF`K&?n&osL87(R}{?0;ZY(foQTXh+tV zX7hbw^Tlg+ZaQ&Y_z4NAtqF|n- zjZ}@oo0+CDp~eQ|-!y_M#-rcB+0rv>&Y!6GJmT!`z)*(4m7=v_PSUTf3G00kZpyXu zTQOrKpyR25TY)Z{n(?eGnuwJu{hhfv+dOm~x|DaAW|1lo z(&I*=3S$96+ZFn+=#Klx_4WsaVhGCqitloq&U2)u=QT<*4kIWXGr{A@&^XKZvM>Q= z3Zgt(&lXWiO=dUyG@D|>u#q5oO7mjeXRqaW*2z^MGY>#j3$!39mCU!qs~Mto zs>UN2(E%k)HudQ&XD!85e9Pza-5?WdW6+&fCb`k6efud-A&;Ir?+3`GxisRkn#YGW zx$A;gNjiMxjcA{86zAWn`LkD!Ko%$XRC^oGP*i>RMUh=$>f-tt{Prqzo(*&>0%c1Y zO6E|8xZVm;U-pQ)D%HJ#?o+Y$+v%JBG#?w0qjJTl8~LC)2D+?{tRr83||| z@J{^VeVQ?WvRUMA`cth-MElV$K%~g_Ph(Mb)dCj%23-Hv*vk-fJk@b_F6KBwUbVHnpU$Vl#zu zn2vnbGsqmz)l50Ot_=5kK_^h)cE2BgnRn>Y67Bk0$qdZ#!PoGCPl-CO6gCZG?V|BZJ-y&+UHJ zouAspyerDu=@s>~Wi71yLau5OK2*Mf;o*fg03t&#bW71%eKm0nurVZh)-9d_)t_PX zpq3q~3FbOnj+otx1*p9tq&}fIYzWBoxg7+<#e%mADmD_}SNrZ+J44)%y}>Ol8*P)Lt=QhlgsXWX zc(|o9qPHIcEb|8-r^dl)#*GNRzLP`z=|@F`E)U}bP30TX_b57pFtkq6T9lwz(JV5Bt`=u4Zjr8g18{*SH z6@@p51PK3o4E}2p{{LA2pHTe&DfIs$68^7B_iM`j|0-n9rJ{iH_P@u7uRG=SL^1sD G_J06Y*sc`- diff --git a/psmodules/GR-ComplianceChecks.zip b/psmodules/GR-ComplianceChecks.zip index 40e79c7b96cae869a50e95757a9f42408bbd628f..3d765b02f291f9f071d34a95d465b9d3ab828e8f 100644 GIT binary patch delta 10141 zcmZwNb8p}e)TiOvwrz82+s2er+nVy*PVIK8scqY~ZQHi@_iQ%VY_jLSJ2|i5%4gi5 z%MeFd4jcjl1Ox;I#7*a1n{`WZCFj4q7l_B92jpDVhmyC-WxsRFul^|NM>bsy#3VUu z(EL@^CRb(nt7@K%GLz?sm}kXrIbNzh>HNWLjyvh~1^T_>bNm2~_@}^hI&+Z$EmAmJ zDqHYc@TAO@vVM<2Ei&IKe(FlD(otkvD>3b{c>eb(C$&#tSTmQ9aN;k#K zq{OH7eOA+1X5{TgHnnU>9aOe>>c0HV>IQGPjMXKG`qrua-QIHIe_`n*bHL10?S*tS zj5iTW9nxNU@;LZl?Yv2>r{^lU*>%$R2IQ|62xTD@`9goHA-)x(&l1Nl^KO2j*aU!T zGfCw?F8dAcr{fLaGp6}@{AeLq1Q9=$^}h#C`iUMjGn~dcz@>o#6!#9)#_f0;K-Ezp z=Kg(&alE1n2%N|Aml8RgAY+sWr9Di`NHti7n_N56jkHw}i2ZcDun4@TZ|6cGa;N&9 z%f98&m=ma?pJr`3cwcP3>g(UyXnFJ3=?3i{%}n8fqr-!6l}a|xW95{MSgCKHiY%(glW)) zSP;geWnt1_8si=qe;P_qNuXfeT7QxZswSmM7r-nU|CDx07;NQFqZXl28X#u=#*i<> zK8{VW8r4%P*HnaV;9N$G3@)`_hG!V zNh2fwVS)Gq7UsnkA55XH?}4FG&aemZ_gDbR_*2=@F-~Q)|I&GZpX&QQK5JEcj|4-#Aw{TC^;Q&qXe$^IF>wY z3AuF^d&C6yxjxDb;Tuidg1>|ad7muHX3=qtygRIbQb-J2`v!HPKS75{9rkc)P}Mw= zdm1$Do~QB8AzJ9*$XX~g#VrNWTwXaA{0Yg8$5@TLubz+Vs{oiLP?Y11!tUsOp*75l zJS>t0sQz>{7*YZ0@}h%~{pdEmP?0lZ{hIL}T?KKeRfc2_-4B8elXcn(zHJpiw-LcR zZ0tN{4P0uneHoFc5|-OMp!@j^*={8kSsTjeO;|dp(3I<_%$P(JOxLNg3P$m3C>`bk z)zH>CF69>P8WB1Rh{`F3d?oi&v_2n4k1?U_XOwj&ixI~4YKlPTNl}qXpJb5^Y%O4n zO7K_z^Bn+k>?nSr+LQ8#i|6&p5*t3VD?){BO&MK!_%uR?%ECtRA@FC5aNSV$VaW1OKZY6FK zvSQ;FugGLAwL1@TeAFd=31-4m^PNOC9aTyv>WN_j zqg$l~9=Ht7I6=B}{`1Ayt}Bf`39_(7$tGTQN=)hyU^Dikojo>Ex)(AIuUb7rq%jBr zwLpqtfUQtsz&q^wgA0USzG^TeLnW*Ss_jNc#UBwu#(4F@bguTxuSgbcD}-Uigx3M# zMqNLyPFcMCm)p!=t3*_{H9e;B0bUj{{Oe!_A(s`o-6#qUv7?^9k~u|l!uM`UOciLj z9J~n205E%+=2j{%|72-c`JM1E{Hu_WEMKhPoh+Xf36I0n)oVM`K=t<`N@iUT7&oBE zPM!F}EW_OW??6b()K-Ubu@2QTgL)~YmRg6I|3m30|0v37$<_tcs6zB=m#=ANL*>7V z=!6{sJz=4a0`l!LFRcUW%iQZ6SUa6PE)|3^VA}M`Mb=kuVUfD+NSU5ZD+> z?m;@dx!KGpZuCQ~UaOg8q0OhWu@S-fec$Faf9vT1?`Iq7In)Ya+$ekZq<~93NYdCH zE=YhUtix>x^09zrB-)C6qq1~S?Jx0bFujSUcaUOANN*$wBIbE-*+S@pZ0nEr%dW^8 z;PdFB+j9rUhUAr;EOQt6dwJ<=!LfpvsM}VJGl+lF+x>#|(BZEE7yo3evIYgijIPjv z1wC%RjF~M+TobLeZHs@U%A(lbWrEt2T~?&3b?ZPW*{sCQ7=X~+9F9Pi0WY8K&QGM# zI~B}jx}=(3sA!!_P_|GQuP{cHl2X5^j>mx#^X0iBWsPG>OmP^Qd!dZj>cN$6Mzv-6 z`{}NI^nx@`hC+#&RTaXVXCYLan+AKho~eWKb%?}C1w;dd=PHK=HAt^y9+xZ?!2i3G zF~jnoTi%+t3`hU!0Q#r zyKi1wGFo>oJkzrsQ{X=} zcLJY+S5;ZVjV$KqxY(t8?&Hda*){9^K zKf-e2iPRlx5!111Gs&6Cl(169Cxt6Qp>#gC<8?`8mXpuZ z6&(h;hQ!4bm?Mh=t_L~;0KTNDyydp%>Oir(P8L|8K0%Cw&)RuTrdfn@lIo`TBpNj& zT!S*%D+8n74!eX(?(B?eI`6(i5oGk5q&>uKuoBfPf~m4hgph%qa=xZYAlct=I|_v= z+{Js}TCD=`iUBh=JE?^Fpdp!#VBK8`2Y1%Pp&wroNH1sCK!snEU7^jKa83n_ z#))dL28et*%mWQWDSbt|I_d-{f$}h_X1~`Q$p<@bucep$8S00b!omZ`nyp1?#gzZL zbcyrWN7!-?Gnzji{I7}Qi=|_M)UE!WlLr44DI49qCHx%9h^na59QD+i-ysC#(aV67 z-4iw#3AC?gWCI};@KsyD@CGebHv!-HPZ{CEaAsb;1uDGAr${hJ$J;&=tak$TenP7rn7SZ@dQ8 zwgunxT3L(2qP$xwAF|RiJ2eAo)!dBFi!X9;E zl@V8+>jWjQ0d<*NPpEN+PiGHFM-4;{o~eLRaBz@t1J;=^Vx&1w!?e(r^R&;Kv#t?|G7q zC1N`g93un%tmwQOD?`F!S6{E^VI=V9w@6x^rz@rJW-o`&TnN5*F&~badu?ECOb1mX zMHJ-4(mz@W@F`AiHN$&R+Y zq@_!+(X3V`|MudP@MCV16ux9|h}9Ol;0uBfBD_nW zg|nE)o>`~CM6$%3sh=f{NMAStxJ2Xu)l>D5&Yi4km(|kLVFUMbG>)^b_`k|uDK;GB zi=^Gs>&h;ocYKtk9iT!2?zpTj2&KZq^7ZvP6k_-S0g;An z=U~XFTLo~8fy%?Y-uJ`pGgb|&u+)X?E6`E{{D|-`V6IEhf+4Q^X;ZZ-o3`6k+OEP! zuKGMJyPF;DqsMJ=j`j_|CWMcMnkb>%@$N5GB~9oGH~1r1dKDlx0 zUK!zJd&-;Xg@l<24j9qb%$R9&I-RrwrJ7UPZNwwQ+`6kDCQ*-~cu~0CJ`v^S-l4_EYea5pGMm8pG^=OB(%hM29FpVTni>3xyEL z-{1n3uU+?el^-4-Fm83v1MQK0@9>l;+H{sJ4us=U?ihfoEc7J{`um_Q7^ zUcs;UCR(VSv4<;w(#zeqFzw6e^NAepan@nsy=UwRb+^J+!T>?Ys+kjDAQB ziUay84EG7x%w)mZH8uBTb`%24re5kt%vg(rU+|YVF%O%&sI}rk;CW65m3*>?#Ydr_ zI5zF6>7&;A5be2rY8#_7KlSHxMw({NSYzJJrxLU{jEdWX%r~miLdzLoOe_)7i4+(7};u+;2Var-d zIzS74x$yB-%L`M!Sa4RF(6yWP62c?oyq0@=H!1O_@*v;e25~VP+512F1hD#1 zf*CjzQNnB@nVK7$39$)C?`1+EU&Ps+9Sm8`@j$DHjuKjE9t=PiSdqamLp)GvPnZgi zr81EM+!}+M4kzl1J6wr9S|oGOHM{$)RmRTZ`yKpLMwcH9iW}HW7LpQSr0=wmqs}~e z;~1CyPf#^l0kIQQ1Pl|4egnUbsrer{U5h4kIZEglh`GTj5IrgP&*|Dp`m(-&$w&wa0ac#*4sY+{%H11E}=^Psi3<8Z}l8#q?eOd@^}38YX>TZ+SmJ7Tdz$9 zFBEh*kwX_3_-oZ7xqxM+Be5v=FoX7Ls-fxiqOPrej5vT7) z`TZ9v2uRWo5D>!u;4?vli4fS-{pqqUiRP!3^wqC^8F-=dpLJ3wCaV5#>qLzuqb#>yW7V5FLrz&p&Bn;*>qtuU@l5Rz; zw~x9#E4set@BU_L>)bl<>$q9D#$UN+9xUOz+CqY{XUX=iK}M`WPRaA&YQ2u!GUdiX>gA4k5v zDs7fo!slC~wM@>#kJ5k-wXlu$Y(#8eCuOymR9y@IUVlFAI_FfV3YvYEcmrWbd7DXc z{L9h5ee{y?9NT#Dtco@5N4Nj1(Qx|iWoLZ$gV6-v*_0oE&rsyC3DsZ3tk;7J!ivR} zfIIsWVfc9^?RIUQj_xm+Ecmp4YvVS*|>BH-f z$ObGGf^s^5nR(Fgx(lXgUFlH^rZ_D;1S7!Lt1hC=DI*1src(+RpmH;{#x=`JubAhT z2$L+NYdFCxN(&!`kkz^MO06~6YJL>u>jpIdYdf;2h!7nr9I3FEU7BQC(oRBhqWab^ zge=&~--|=Iz6pp^RH}#(E@Wo^3HB<>K$IISJKhIaDf3I>c_p_>GtAVn5r@xdCY#p^ zwcs;A`LYsD#3`fDcmQG01x*5XFPYj^&jZm6b@Z(Xk;2v-Hqvh;&wNSXM&bukmI+7^ ze-O7bks!Yf0K!7EHZ~?l%A(Y$9QuNz2P67}>>B&TVbv07Pz%;F&qmGQARVD`+jkv* z+Xi4&cr;`{66;*u=A(?Sn7UTSgm!E^OQ(9*W@knT{liDvsF`Lvf^J!tMLK62v4UvU zkDmOAE~_skTO)o$(@NC%K|_9P8Qor_1v7y1rF9$bHu5eA<6-myGQ^E zuark@Pw&t>$e;x6OR#E5?t-`tWT6$ho&!K-Ae^Pxv26g^hfXp(!wpTXjo7_FfK*w{ zmBx+@9-IH(*>}+qykfmBh8U5L)(*O5W8Yz^A=!Gj(>}plKCP0>=D~27!Haxw(UsAEGwodqV3H z<_yE|k#{40bcFkbh`(gRMY%REIK|tK5E`B?8witB-tn$qjP;*Vq6LrjMCATVtah1= zfp%Wws*y=tm{jP@C|t!khHY_QuLHo}^>0MgPN8eg{-uu=s|(gcX5}Fm8OSD^tCbXU z^iC<0Bx6K*Gpso&woI=bL`#SoCylkB>v7V_?nTl-`yPB%}? zU1V4j(<~n1oq=PQ)<*J+FsXVbD!>AfpAg$Y0ch^gF>3}zWkJ8f!t{?_7XX)0Q)|fG z{d4OI@l5}Ws3XgBoVEw9QMq;wEG)cqs7Lu#Q@aj6x^w1pSr`3Tu`+2g*3o*#g0Q-Y z_zSE#IoHL>9H!w&@D;||6OZJwDpr!F{laK>=#J%#AiwNG)2%aRpgqG*+4RPj(QQ_INju! z(bX5#lUX9zA%Z(t-!mbq1uX@HK-s=1%n2llkgGONy*kj9poGRzHNaeL@Xa77>P1m( z)YblA5{lG_Hl{z{+%Z;{J*bq~v$-)G=|L#|fj-u^vo1lR-Xf#31^axxvlfe24qd-aYKZe{Ai~h4L(CYAvrQh{hi2 zg64o9@C6=m1RQ#8&YV1Wanzl1s27c{U6RSRO+>;Fk}au~U}c%Do2zlA&L<;GiH-;< z>=n>1^J|_6Rkx5s$LO-zkr`P+)kJIR2W4gzJid;a1$`1W8jyY`+En%Hk@Gte>wPnQ zwY?a}CJ5lC(`v-n8`cS67YlEMtDV99+v%~pim;jf1bUbkz;I(JiXY??N8R5cIL}vX zwTp~HceACp4e+o+?w+sAg^{H)ypqGqO-~jcx&!meWTSN!#%*%W*+cO}-)D1Qy=o-Z zG;m5>^6h!@y)~$1I-*_?Q zH96v~9E&l_OXYVikLYn^L}wN4U^yyhAB`YvI=$`$i5zP=+v^&d6lvMg!>)ts4~Tyh z_^94JFUR+KRV`Naxwv1rJvq(gq#MMEWo4={LT;st1%@6JvO6HGnaMSh6oQ2kKUFZh zfZAj6Vyao3+)W3c^0D)vE)`lB_DpKI(9e+!uGY5eX?f({Ol#39#4gDS9b!WGHV0#= zgB+hIWo@-A7a7=xWSv&hNJhu* z-!15P%Xrq|wwX=HRe^9-r`>f+sKBjvEmB4Q(>%=QLfS{KkFW)yP!Xk1Jo+DfDnpjL z)u;K3-lrJ*`Q6gy^ejKN=%)$<-azDddfDz*|IPTJeml77iqK9;3#~h5K9wTAPsu7}pSACiKOwbco z(-sHE_)N@M=h86YDbHBFT8LtpZ_RGaO(8ABnTVRet2r-sorjNr5CQ1%=se3 z?m^hX4(@V20}J=j>cThFPvDFjP>R0!M;2biid;mMtYV1vPej_wk_rv#U_OiC!CBF5 zL!Tg=Z%^XOJVtmpOkn14>nPqBb0f&X<{MwR^qeZ;rUau;MiT(w4AkEeH=z$?>SrQV{mQhK~!U&zOy{u=IFy_`HkfCa%uMjFg zpF7~PQL_ujqQZ&hhH*C?%_HKyEMUz9JESltP`4C)KY_rEH`t#3l6EdX)`HNFF*E;` z7kx1B(!jRpxs`#{Opx{x5*%-pqsMv7uigxGkusv5KPup@qK%& zCqRzkL|C65!tD5S;?O_`u)o9!NATs`es%Y{qsg!ELC77bu2hmPx)V9VsSNt{nd!he z-+p!7Yex4|vET6&e6iKTnz9W?$UgqA@r7`!fQw_FNXA5BSFoYrFW=`eqZR^D=XL3G8A1%=g5(As~3DO4(SWD#m5olD1A0(M& zOl^IP@YNccGKpHLf@!#N`SonjQWoUjQhvmcR>-pm!A+W!+J3P`1`UT>4!K=E zm7?^ZRmD*sC|RPzp6`amRI;6>MT)|HXDrAy*dW2tWL#9K6@V#o+Mv@y7u?0+{Z)5#xd6Akj%H6eY37who(Uy*Y?%fbw|?wxX9(K~ zzIJ=|_OhF~xI@58-+^W4TuBKb(o=`E`pYl4&LokdGRzGTknQ6t{TB;8`?J`F-Yh-Y zs>qc~sV&YN!)*G%mrpze&OOJFfuE1UD1$FCKPqaQtFKnGQidhU)Pw`pn8Wt!seIKc z7!30L-~DH>J>76n0!#0JTmvZh7@!kdo*>RA6(1dbQNo zA7a!o@72cMFuG>qG2+}+2FgoU!@mD8xXi(p;BBL?@#JO)ic8JLniJQiIc)&F{n5fj z<&X&=_3XN=u0AUtg(6^zxhS>22EX|emPgUCdKVlOPIB*DYCoa-aCY=SNumE*E0-KH zfOWzxV92PQCMYbGjOM2IsfI13KpU)LQ588Ogxb*hj~l z!!qY{bI5LMt08x>h0cS8xcn4&%e|i9br&u$$o}_mtm{57=p#q%A9kj9)~kZi$)WXG zR(S);hCqWM^-d45sJ0f}LQJjRPalN6AC4WaspeGUhT9QK&G>%4IjF){mcK&*LY-_9+%h?R4 z?EiLGbXXqI_=K;+Us>t48@gujC$6te&-clZEet?wP!RZDNjIDzgVZ4S_2l0C#Hu?3 zQnY4DCu(et%x(fhq&~;7fzT(q)uf}_4VctiATK}z>+nV>g(bJ^iGR} z-_#`9cw`M9O)7bdJya9+Z>(%mTqSvm5Ct=j{QT86Q9m7Uvba#F+@82IfiI$=at5D>-ib{i=Q2i2}ziOUGcj#|?2@N*eihY*SbwrCi z8F6E+Hv{>FqI+DQT5|Xq5G>z-K}UxVX7{WVuCM3(*P-Wg?|OW`sRU-Ky64*gp9Pjr ze1`ad*xQ2dK3L|H?%ob&BVRA)r}5KK0Q7$lDWRGPFF}$4tA3qI5E|+K-OD9VGl`M? w|9t5`V){R~``@tcKW(B-Xk;RSz@z@(fu3;2#0-(n@PC4Z857E%>3{zJ7X$XIM*si- delta 10009 zcmY+KQ*@pU*KXsav2B};&BnIv#%_{3wx8Ix?Z&okTTL1@``t(1_}AGQV;x+l*IcvL zXwnc@Sq>5k6ATOt4y=H8OZ#S8H{0aDwM!romjRe`*p%+vA-LnmWJRD#Z$+osmKlu& zW0Gss!g{@?;0AvDnWu{{&{_)%A?KyGqveXJVf z&+ld{$bA*7x3quRf7E4O+8qQ&>xsMBh_jK#QrCS>g72wvRNsfZ@yu1Qha!1|1aPO{ zY}n3_4wXwgph{o2Wuv5{LVCZI-~z)Yr7rGjaNX(9reFyAJ5ZnB+ZD~-O4<7&Oc-dR z^)j%XaWNZYhtH}hR0o=13dE{|^zHwtn5#mWpw)4|s8*|IL`p;{GiilluIgk@7D=Lq zJV<<8zmf!1JRN*EvomGb!MktakMH-BpM{v{9(lF>Vi@!kack+AJs^mtbOE%twI%PEq2B-lB)3z9?WUlL9(3mVS6KbgrN5WX}bn+R)9&Og(W? z7ELs#PxzKB2=vB*+S?(^Ujgzx7Ot0rC)p#ar*tUOV`o)(rkLrpsUM#AWGOmYCD2gP zzO*Tl^r6|(L4UP|Br~9#M@UFc7;g`3&|%FZ9fzyoq8jH!&SNK1rwG@yEnM&>?Zer? z;lu6*{pX}pNe-veO12<QXd3ShU5k5k0APYlsE2^of#$vNv`oWL zr=%!0oG7G?ItgaTAurNA#RyF^$QaF@t9Qw0f@c=Q_8_#f?5OBd&?Wo(;S4o@BE;PR z{h&Sk$$01+^7XBd15e#3{(#(Y4bJ`naZA`{JRUBY(aXg`$+kn8DoBi36J6z-5cn?( z!ImH_(^!wEXJB8{T1+Vrw^;(UUg+%5botnm)|(@=50MSBZPdSHMUp4b)nCM1h~+Q> zLRTpi6GdH{{kgoP5f?aXI?AqgZBU2ifORL=rSQ%53`8iXtw(dIroJKU61Z2Cc`F_+my{t=t;)lY_7vL{M( zSDBU*YbMb7sM3(^uv}ATxxOfm-YfE{oiC`Eplp&?m$F9@wHIsAI%JS9__W4P5O8e= zP1M|PCKV?cekKkiMYL>R0R!}zh`{@mIt*-+$=yYG_XPUugfmyqRKYtrHBW)wUQQ248539*z2B|PU z5=_uID!iSFrMvB2(2wsMj(VBBHBQ5{KtLGaL`sW(FD>3CX6nL*{wyk?mr3?`r!(I?l8F<{Lfe8NFVankip8?SrhbRuOo7Q{sjRU|8B?AM-9JH~TkcMq z7;=+(o<9L9F1WPMBWS_VGK9w?-XTNw&z@@eyYk)g$&{rIpxa5>l+|P(@!FJgC>xM> zyz39=O9Ib};5BT=mmvn|MLHeXmDnYUfD)801(!`z4-%4Nav}z1S{mix7ciW96c(8i zeuZ0fiJXO(xe(3*c?maYA$6CrWdzw}<{KMOOKaKWGrGu`M*JoZ`dWc%eQ3J8yW}O# zeIe2pGKjshG6p*&kcOp-hA7YTWgz}%!x&HIV2VakTiv`kX7G|f^_wIrWHIz70I^rr z3Wp(U)%Qaq_X|b$i~iTeKI_jYaR_4KU7mwG_5kwBcq&Se}>)f&#yzX!RG%WlO*5z(pW=y(6ui2#B)k2%fA^ z9X|Vb_xiNfpCRFiKr~epr867y^Fv*n`!1;d`x6P4!VmQwGqWWI@Dq|D6KZ-|c~45B z>#UadmynUNzA^@zISMauSfy($maO-#N=67gql{;I z*U(<2XkIFqJSx(FQlSQK`O+^HRPnPylM-6i;SS zH~Pq!o{iIaf+ItZ=fz)by4y_A!Y6*uUM@RJ5gP z*?}b+&GoKB&p>omL8}NNx#y3FhT3xjk9iFmd@H0`wJ3P)+y2jFOLMx^F%KHbccVtkgSa zXd^LZSH^{Ebrnp1axvkW(Ny{N*hfyn`X!Wr5w@UtGM`bYn6br`AFEnpy@?akjk>og z=h9E6b!C+)Y$;Gr)T(R$(#EHW`u0W9i~MtvS9!p2T{(w>Y4$!5`s^999y2sULe$iA z-s$~wRBN!zJ+b7B6dW~jg3j2yCwNQLE`$ny!$Maxb3l0Wuk6A@MmX&%Ry>>^j{0p#d&V;wW9!+jAxT5Rt3pNgD)~vp)Xy50EzjjW zKEt1F`6>dDy2+-(BnWnQ?XAlRiodG?M@PhCIn{n2m}hL>abX?zy{(-sim~CH zAonYQPSU+yhr38mJ$ok`s;MQ-O5ezAHaaA8J$E|uQ1FPvS}FUWX(sP&r<^0P{{2TA$VMPzK&W3ER>eFwope>!t7912Y6FVnKzAy+XNLuC&J z@0urIw!M>C^3e3)j1$m`TmH*x!TEI(8Wn4D>gfm_=g(#|ubYd=g|IU8N0~_iHf4(F z#=v-|3&Kb_0Vnz)Jl!fVe~zpJQ1dEkM)gf6&m^U(aHAeHbQ&e#M7BM#tLt{h!jIh@ zlP(9F;>>KgP}VOtD~Bd~&8buu3NRw+N=oMqQ#Up%Z6GzLi^a9Rnl9&h!GD>;&0--k zj6ADzty6kP{Z)I@qPH*#b%7l8j90X6Yjb^rqHLx>LA_{2L-{s>yIYt6JT8DLF$YuqOpLN$8pi@SGwW6??t4SUAMA`ocisVN$54Z1qNT( zygLk%L*rd{`a3anreK8&pD7N6&IhqU<{b8It==u~d(J2+w9Sh#d!dri8?wo5^%`Map|^g&%@_w|3& zD>;Z>PI4i6-zn4;Ck|UEE*TjGNGhz)e`Ib6w0Of4QZ%NXPxSDc&M#=<)FtZJ^h)yEs6>Te`1J$R%ynfuX@G;<|u`Q`!_sgc6|mr zajuWy5Bcpui{+4-KSUqM_7F0VK74%KiuMYH=!W3ea(-Uz=ZBn(9jq(q{)p1;evAz& zipU}E$S>=nAW&@{+DT*TR67jX-RZMpz+zH}qTzXpNelKCFSqZSCNwKbfH9->%(7%q zzbsN2weg}6h6RfNG+(zlq|n`W4)+i0QW#)&Ga$pp6Sol5G-2p0h^~PGhATnCdwOC;sV)mYn3(Db2=X zsok`)!Y>-MxbK0G0r-Qi~V|)5=FLa%oipq#X^j_&0 zc&T)I%zK_sxmS|k)&733SSU5^{G0GCe0E2=A~FaCzS8x0{wFa=yARI+0zaWctz+}c zmpxCLfFR%$00f2y2Dg+Xt`E}xizG&ZRwd{R!uxK;%gmne_Y>!&a>M3ED!-+V2)_cn zAtU=F;w77*E6#ySu)Vj-w~Tv{pJn$EL#($r5`TB%-e|OT87VvLhN^d4YLie67KEeL za;%AX4U@TXcEKiJx@G_2F(59tNf_%*Bh;nv+|UW&va<91RZV*K^ee-$`{Xo8y75q{h@6?w< zIsBOMQLoC$`=D~)5S9Oi{3_NSyxe4)itM#MRXNbZ+N3EXSw~Xs73o_MMc^CcaeR9I zrx>PkpsPG#UaqRuZfL$8T@`WtK6R4`(RvM#ew{~TtR6;a0MB@+^NcHQ{ zDMc3q7)!!;AeA!>PeJlX=YKDiEs)by%V!u)&1>C_>_kTI4R{b7X@dSoVj-kwbsLPE z;-ctbclK8gN_u}r{<<^%AK&DcOmMEYn5B$JY(bG3blGYzF;(YmguaA@es=GiFm(~2 zIr23<3Rx@~dvkTCBfu&BqFmAS*c!en^3#1>I?dsO=in$^l)sFZctJ&mnjbr4fa{PGaYa$jxv#k7MS+#SWbuC~HWl6Y!_`RhNWo*;|Z z&xXLyd)1gO(2Wx-v3#njk6FD`^l^6=;WmnhkDG8O5h84KW?vahpi)|)Cx6dn^p0C& z`VMl$uJL}sZ#xmdldjK-6?T1CB&G~B@4`o-5T+;_|KbOE`z|+s%iML~u@MaDFUlZ2 zi$h+8>*53yY@;rCdwL6zFm}TTaXSf-4B;uv6a}w3lQ03JB#-ZC>ZkFq;*Z(FB8$I`P)-Vk+wtV{d;MZk zE&9GYlns(y;+T57|B5N))b9fbo#MEQ_Hz>Ro=oCAw{pJB>a({!2oSScoxsh&h9tJ+ zPbI8)Gq+6aMsmY7)F~yCEe{T!%)4=qj?00p5%yJdi4hxp+8ScnH9s8*(J)J_DdcNB0KKkydxtK|Qs?is{XT0P9$)HA7c+@l+pMFeObzpExl^ zwAo3-23gQ?1N}UA!@lYJgxSV}g6`P^X#<#inu?B%$l=sZWN3^=t}p-0a9(%^=v2Sz zVZH*zXNayik}c~hXU&p5==DJdAsqy^8}7FKS~l`cpg3b*aS)grL4Pt1VtOo^rJt`~ zf!(-m0i94mXXje)Si|}HUQ$j-Z2!>7)NZ@9&8c<8eNRa*AAF`^zbr@$X2L?_6O$5< znoIO5T&92`DiAsRE#*UaJg8 z1xt(b6n3)??g5;A?YMJ61Yg%?{M{;GUEt(&{T~EXg$b%8u;(74obTEG8xfB5H<9ViL}?|HrVgMoBb{U zYWPzstfbr9|CouDI|&oYb|Q~`er(a!-^kq@k)y_29s+EBlsEz*R-(9QEh^0lu#)}v zUHk;!{%rz8Wfq+tiH??A=p|Zj^%xH*A=b}cfBF7#U&B1vU7*HNRuNF2|sE{^@9Ks)oi`wTZxoQB3#P3TkJC8d4C3qXTIG2+FXr9 z#H#OPY``0RDdqx(gJ?TeAeFJYY8o@H!cui=XuPJFZIqaJ(8EdQNp}nSD?-rx{lO`6 z@17vI%bOoBltGP~e(~nQO-e>QgF)?)zQYoTyL_JrzIvlDNI+kWMg0T|d6P zRxp~2i=Scf677$(F7%g^zP>3U5O(NRWzdsM7Vvx#THawww4}qmq*z>yKtzTC~GN72$`ZV%#=8hOwz z7x?5B5-N)jd4C4zW|Wj#CEr3A8&e~;*UbpQ%CP z0h-B>jDz!R(nQ4BI^Ozap79P-6wQCRG~c}#VY0N5ws_&LXOBo18tNtd?b{#_WTWR2 zk!H|>udYJ9)NRL#@u`tAio+zlA+j{QlczBupfzOsxlQsz42m8a(kkf5aLG+q*PrwQ zRoI>AIY%EDj*K1c^}5Utd`IU>b~}zJfvd)>u!=yRQu`xv3-1z^1|qeAnhpD{^V z{?Q(mu8`4{vMaQjs`J7!<5XcpFM6nOSGUqVQ9WrbE^Rs!o{^9r1Cnb94LY8F?5M+I zNtb%HYsXafzT2?T_8@b+M11Kgp>hUOL$mahyPTNLk~_M5fJ#|a*u&buqlMoeP;I75 zzC8H>!pIB%5siq?U}dF~n5WjTd-TH!)f|HzuH$Ya<#8n+B4zi2!3n4w(J(cJs-P&-rU9M7RI1WQ`C#1;fC01id#1V{ z-6O<|7wWL*7f)r^%E;Nro*VR9`XC< zD++CbW|o3@QPbu9TG*m;2DNRG9DJq*{VF4^fE$#NQh}~^DiJg^z{EnrgFyDh8VHi= zjMgr|JIsLGZ>KV{wuY%U2xo~=Qc}$m?ue-eiawZ+NL&UvBQN1$Z-TRA=DP<tCab?dp0YNR)>bjvRCPJ3LQ!_$2xds?=E$nlhAck;>SSIFONR~pvq%?FVO^Wb({ zzB3{Y-+oR95UXYbKBd<`eQVR7~cqum)2-V zN{#b038KCs*i#D80UudbRWBxbceTr+`B~EyhCp}|WpgHJ4~pUY3oXyEphFXwKe*Gw zIJ)}GUbP&Ufn?tZgAr?iO%V<`HuP)_23Er9W~GYoBMa>Y3*(52 z_;H(MK;a@fD(Cc*-8-6E6FVLv1LMs?@wX(^RJjwsN7+x|&D>a~>I6ITQI9n#6t|Vq zx!ywiM3ooNhS%9F4%2DHJ_(1!JW?32G|YZsC%|zxj-MGBLj3ARirAA2^6dVv4#fjr zi9H#FXSfZ}oqL;8bejDNe_Nk_gQsjb@S*dCfQJ;Vq0FP^%&#kdh=kf$N}hyA3OXF# zN{9M~{8YqwAEu0g1#>$xLaW3=VHPs3tY3g*@Vk-qt{0)&`4ePXz*06?nxcFFeUs%> z6-y9;AE^ufI=WIkx8ok)DHjCZ*dPytSG!XbWSmPD`Gm^}7EF!&je-|}??4>HoLgGa zAQ+E)wXv9RH8VwS`#CqnT^%D2dpyBwRnW=#)+14juXH<>WXP=lDMV0;7cndM6Cozv(mxTjXcHd7j zc02%tTI}1cHIg`wqeNo8*uVQTpHjmJ%?%Yr8t!AZ6v((yY9FTxPk9fZ z7s4h2m*PDvM;wJSqLF#fV$vKf8XW4WE2FjFB-krC_Y=SnumhZeOwr1X9bvv;f+gC_ zu~+Dk4f6S-*-X3W=Q3v#w^xAy4JxQ39K`P%imvqV31lgF-B-I6Fz^}WRJ*Jy12i>R zn>=qR4AWQnX!NU7_Bo*l@ayfs3GD9{Ini)ORDK*mt2Z$7_L+6Oy~rD^It#p zzSTf(R4o5_U4*Ubhj!Ck(rxZvmV*lluwZ%!TxP%|Dx$RUuD(=8@3b%Ms_EnRYj0I; zwaIXh^?WQwuo+Q#mR|wdez-}paGaqa%)-dvo+2MhN{!qQ+?;9HK_F7-kSIWqAa!*O z+Ir}c{pc6M_6;n^nqa%3jN!OP|JfJtpk(JPB;9NVwax+7-v|4b@ArP~#9HP3V5VpS z3I3{QAc=phLk@(Y_y(C@Z2P269r;ay?H30D?^Wn*xR{c((32Fv7x?Cv>%dpW+kbnQj}7Kgg4~_}bx~Tiqz33UTB9P=BB^iV#o*ALa#+g9A;P3o_a-==xJ2^!!XK~L zgKF=Dut{V^%P(8*oCECdSgYqrh))aUTcMM3$949EZvz7@XLm<1T51HgoOpJ>Glznk zrg2==u)6OMZ|Xj_%^{Jwe{fZ8B7h6vkgZRxXSFJ=+G;h}*Z!EOZ7W}lBvPM-oo70oVp#&`Bo6hFmKfhNzDYu+y6 z0c6Q`7+Gb&;m-w**2fKEp%x+jRZ9X8YYRzcT=}zL+Z3io?y{sld8v zvkO{Z`DutnrU1VmB0wp2G;HM`joN(gLTtwyON=QX(FAtF36aL5u6qj%fbMI#QgtH{vS=>H821G diff --git a/setup/IaC/modules/automationaccount.bicep b/setup/IaC/modules/automationaccount.bicep index 871df8ec..b8ad529a 100644 --- a/setup/IaC/modules/automationaccount.bicep +++ b/setup/IaC/modules/automationaccount.bicep @@ -86,7 +86,7 @@ resource module5 'modules' = if (newDeployment || updatePSModules) { properties: { contentLink: { uri: '${ModuleBaseURL}/Check-ExternalAccounts.zip' - version: '1.2.4' + version: '1.2.5' } } } diff --git a/setup/IaC/modules/gr.workbook b/setup/IaC/modules/gr.workbook index 434c9fda..8b8e58de 100644 --- a/setup/IaC/modules/gr.workbook +++ b/setup/IaC/modules/gr.workbook @@ -314,7 +314,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "GR2ExternalUsers_CL \n| where ReportTime_s == \"{RunTime}\"\n| project DisplayName_s, Mail_s, Subscription_s", + "query": "GR2ExternalUsers_CL \n| where ReportTime_s == \"{RunTime}\"\n| project DisplayName_s, Mail_s, Subscription_s, Role_s, Comments_s", "size": 0, "timeContext": { "durationMs": 86400000 diff --git a/setup/IaC/modules/storage.bicep b/setup/IaC/modules/storage.bicep index 1f36dca4..0c788765 100644 --- a/setup/IaC/modules/storage.bicep +++ b/setup/IaC/modules/storage.bicep @@ -1,6 +1,7 @@ param storageAccountName string param location string param containername string + resource guardrailsStorage 'Microsoft.Storage/storageAccounts@2021-06-01' = { name: storageAccountName location: location @@ -15,37 +16,47 @@ resource guardrailsStorage 'Microsoft.Storage/storageAccounts@2021-06-01' = { supportsHttpsTrafficOnly: true minimumTlsVersion: 'TLS1_2' } - resource blobServices 'blobServices'={ - name: 'default' - properties: { - cors: { - corsRules: [] - } - deleteRetentionPolicy: { - enabled: false - } +} + +resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2021-06-01' = { + name: 'default' + parent: guardrailsStorage + properties: { + cors: { + corsRules: [] } - resource container1 'containers'={ - name: containername - properties: { - immutableStorageWithVersioning: { - enabled: false - } - denyEncryptionScopeOverride: false - defaultEncryptionScope: '$account-encryption-key' - publicAccess: 'None' - } + deleteRetentionPolicy: { + enabled: false } - resource container2 'containers'={ - name: 'configuration' - properties: { - immutableStorageWithVersioning: { - enabled: false - } - denyEncryptionScopeOverride: false - defaultEncryptionScope: '$account-encryption-key' - publicAccess: 'None' - } + } +} + +resource container1 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = { + name: '${guardrailsStorage.name}/default/${containername}' + properties: { + immutableStorageWithVersioning: { + enabled: false + } + denyEncryptionScopeOverride: false + defaultEncryptionScope: '$account-encryption-key' + publicAccess: 'None' + } + dependsOn: [ + blobServices + ] +} + +resource container2 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = { + name: '${guardrailsStorage.name}/default/configuration' + properties: { + immutableStorageWithVersioning: { + enabled: false } + denyEncryptionScopeOverride: false + defaultEncryptionScope: '$account-encryption-key' + publicAccess: 'None' } + dependsOn: [ + blobServices + ] } diff --git a/setup/modules.json b/setup/modules.json index f8ec3a1c..569f3cef 100644 --- a/setup/modules.json +++ b/setup/modules.json @@ -60,8 +60,8 @@ "Control": "Guardrails2", "ModuleType": "Builtin", "Status": "Enabled", - "Required": "False", - "Script": "Check-ExternalUsers -ControlName $msgTable.CtrName2 -ItemName $msgTable.removeGuestAccounts -MsgTable $msgTable -ReportTime $ReportTime -itsgcode $vars.itsgcode", + "Required": "True", + "Script": "Check-ExternalUsers -ControlName $msgTable.CtrName2 -ItemName $msgTable.existingGuestAccounts -MsgTable $msgTable -ReportTime $ReportTime -itsgcode $vars.itsgcode", "localVariables": [ { "Name": "itsgcode", diff --git a/src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-DeprecatedAccounts.psd1 b/src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-DeprecatedAccounts.psd1 similarity index 100% rename from src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-DeprecatedAccounts.psd1 rename to src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-DeprecatedAccounts.psd1 diff --git a/src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-DeprecatedAccounts.psm1 b/src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-DeprecatedAccounts.psm1 similarity index 100% rename from src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-DeprecatedAccounts.psm1 rename to src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-DeprecatedAccounts.psm1 diff --git a/src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-ExternalAccounts.psd1 b/src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-ExternalAccounts.psd1 similarity index 99% rename from src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-ExternalAccounts.psd1 rename to src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-ExternalAccounts.psd1 index 14d0e491..983a7aef 100644 --- a/src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-ExternalAccounts.psd1 +++ b/src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-ExternalAccounts.psd1 @@ -14,7 +14,7 @@ RootModule = 'Check-ExternalAccounts' # Version number of this module. -ModuleVersion = '1.2.4' +ModuleVersion = '1.2.5' # Supported PSEditions # CompatiblePSEditions = @() diff --git a/src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-ExternalAccounts.psm1 b/src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-ExternalAccounts.psm1 similarity index 56% rename from src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-ExternalAccounts.psm1 rename to src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-ExternalAccounts.psm1 index bc0540ad..3588cd22 100644 --- a/src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Audit/Check-ExternalAccounts.psm1 +++ b/src/GUARDRAIL 2 MANAGE ACCESS/Audit/Check-ExternalAccounts.psm1 @@ -1,6 +1,6 @@ # Checking for GUEST accounts # Note that this URL only reads from the All-Users (not the deleted accounts) in the directory, - # This querly looks for accounts marked as GUEST + # This query looks for accounts marked as GUEST # It does not list GUEST accounts from the list of deleted accounts. function Check-ExternalUsers { @@ -10,31 +10,37 @@ [string] $itsgcode, [hashtable] $msgTable, [Parameter(Mandatory=$true)] - [string] - $ReportTime + [string] $ReportTime ) [psCustomObject] $guestUsersArray = New-Object System.Collections.ArrayList [PSCustomObject] $ErrorList = New-Object System.Collections.ArrayList [bool] $IsCompliant= $false + + $guestUsers_wo_matchedUsers = @() + $guestUsersArray_grouped = @() + $unique_guestUsersArray = @() $stopWatch = New-Object -TypeName System.Diagnostics.Stopwatch $stopWatch.Start() # Only get the Guests accounts if ($debug) {Write-Output "Getting guest users in the tenant"} - $guestUsers = Get-AzADUser -Filter "usertype eq 'guest'" - + $guestUsers = Get-AzADUser -Filter "usertype eq 'guest'" + + # Default pass (v2.0) for no guest account OR if Guest accounts whether or not have any permissions on the Azure subscriptions + $IsCompliant= $true + + # Find the number of guest accounts if ($null -eq $guestUsers) { # There are no Guest users in the tenant Write-Output "No Guest Users found in the tenant" - $IsCompliant= $true $comment = $msgTable.noGuestAccounts $MitigationCommands = "N/A" } else { if ($debug) {Write-Output "Found $($guestUsers.Count) Guest Users in the tenant"} - + # get the Azure subscriptions $subs=Get-AzSubscription -ErrorAction SilentlyContinue| Where-Object {$_.State -eq 'Enabled'} if ($debug) {Write-Output "Found $($subs.Count) subscriptions"} @@ -49,8 +55,7 @@ if ($debug) {Write-Output "Found $($subRoleAssignments.Count) Role Assignments in that subscription"} # Find each guest users having a role assignment - $matchedUser = $guestUsers | Where-Object {$subRoleAssignments.ObjectId -contains $_.Id} - + $matchedUser = $guestUsers | Where-Object {$subRoleAssignments.ObjectId -contains $_.Id} if (!$null -eq $matchedUser) { if ($debug) {Write-Output "Found $($matchedUser.Count) Guest users with role assignment"} @@ -64,7 +69,8 @@ Type = $user.userType CreatedDate = $user.createdDateTime Enabled = $user.accountEnabled - Comments = $msgTable.guestMustbeRemoved + Roles = "True" # At least one role assigned to the user in this scope(i.e. subscription) + Comments = $msgTable.guestAssigned ItemName= $ItemName ReportTime = $ReportTime itsgcode = $itsgcode @@ -72,9 +78,37 @@ $guestUsersArray.add($Customuser) } } - else { + else{ Write-Output "Found no Guest users with role assignment" } + + # Find any guest users without having a role assignment + $guestUsers_wo_matchedUsers = $guestUsers | Where-Object { $_ -notin $matchedUser } + if (!$null -eq $guestUsers_wo_matchedUsers) { + + # Add the guest users without role assignment to the list + foreach ($user in $guestUsers_wo_matchedUsers) { + $Customuser_noMatch = [PSCustomObject] @{ + DisplayName = $user.DisplayName + Subscription = $sub.Name + Mail = $user.mail + Type = $user.userType + CreatedDate = $user.createdDateTime + Enabled = $user.accountEnabled + Roles = "False" # No role assigned to the user in this scope(i.e. subscription) + Comments = $msgTable.guestNotAssigned + ItemName= $ItemName + ReportTime = $ReportTime + itsgcode = $itsgcode + } + $guestUsersArray.add($Customuser_noMatch) + } + } + else{ + Write-Output "All Guest users have role assignment" + } + + } } } @@ -82,7 +116,6 @@ # If there are no Guest accounts or Guest accounts don't have any permissions on the Azure subscriptions, it's fine # we still create the Log Analytics table if ($guestUsersArray.Count -eq 0) { - $IsCompliant= $true $MitigationCommands = "N/A" # Don't overwrite the comment if there are no guest users if (!$null -eq $guestUsers) { @@ -96,6 +129,7 @@ Type = "N/A" CreatedDate = "N/A" Enabled = "N/A" + Roles = "N/A" Comments = $comment ItemName= $ItemName ReportTime = $ReportTime @@ -104,14 +138,42 @@ $guestUsersArray.add($Customuser) } else { - $IsCompliant= $false - $comment = $msgTable.removeGuestAccountsComment - $MitigationCommands = $msgTable.removeGuestAccounts + $comment = $msgTable.existingGuestAccountsComment + $MitigationCommands = $msgTable.existingGuestAccounts + + # Group by DisplayName and others, aggregate Subscription + $guestUsersArray_grouped = $guestUsersArray | Group-Object -Property DisplayName, Roles, Comments | ForEach-Object { + $subscriptions = $_.Group.Subscription -join ', ' + [PSCustomObject]@{ + DisplayName = $_.Group[0].DisplayName + Subscription = $subscriptions + Mail = $_.Group[0].Mail + Type = $_.Group[0].Type + CreatedDate = $_.Group[0].CreatedDate + Enabled = $_.Group[0].Enabled + Role = $_.Group[0].Roles + Comments = $_.Group[0].Comments + ItemName= $_.Group[0].ItemName + ReportTime = $_.Group[0].ReportTime + itsgcode = $_.Group[0].itsgcode + } + } + $filtered_unique_guestUsersArray_grouped = $guestUsersArray_grouped | + Sort-Object -Property Role -Descending | # Sort by Role descending so True comes before False + Sort-Object -Property DisplayName -Unique # Get unique DisplayNames, keeping the first occurrence + + # Modify Subscription field to blank if Role = False + $unique_guestUsersArray = $filtered_unique_guestUsersArray_grouped | ForEach-Object { + if ($_.Role -eq "False") { + $_.Subscription = "" + } + $_ # Output the modified object + } } # Convert data to JSON format for input in Azure Log Analytics - #$JSONGuestUsers = ConvertTo-Json -inputObject $guestUsersArray - #Write-Output "Creating or updating Log Analytics table 'GR2ExternalUsers' and adding '$($guestUsers.Count)' guest user entries" + # $JSONGuestUsers = ConvertTo-Json -inputObject $guestUsersArray + # Write-Output "Creating or updating Log Analytics table 'GR2ExternalUsers' and adding '$($guestUsers.Count)' guest user entries" # Add the list of non-compliant users to Log Analytics (in a different table) <#Send-OMSAPIIngestionFile -customerId $WorkSpaceID -sharedkey $workspaceKey ` @@ -127,7 +189,7 @@ MitigationCommands = $MitigationCommands } $AdditionalResults = [PSCustomObject]@{ - records = $guestUsersArray + records = $unique_guestUsersArray logType = "GR2ExternalUsers" } diff --git a/src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Mitigation/ReadMe.MD b/src/GUARDRAIL 2 MANAGE ACCESS/Mitigation/ReadMe.MD similarity index 100% rename from src/GUARDRAIL 2 MANAGEMENT OF ADMINISTRATIVE PRIVILEGES/Mitigation/ReadMe.MD rename to src/GUARDRAIL 2 MANAGE ACCESS/Mitigation/ReadMe.MD diff --git a/src/GuardRails-Localization/GR-ComplianceChecks-Msgs.psd1 b/src/GuardRails-Localization/GR-ComplianceChecks-Msgs.psd1 index dae5f8a3..fc8dcf9f 100644 --- a/src/GuardRails-Localization/GR-ComplianceChecks-Msgs.psd1 +++ b/src/GuardRails-Localization/GR-ComplianceChecks-Msgs.psd1 @@ -3,7 +3,7 @@ ConvertFrom-StringData @' # English strings CtrName1 = GUARDRAIL 1: PROTECT ROOT / GLOBAL ADMINS ACCOUNT -CtrName2 = GUARDRAIL 2: MANAGEMENT OF ADMINISTRATIVE PRIVILEGES +CtrName2 = GUARDRAIL 2: MANAGE ACCESS CtrName3 = GUARDRAIL 3: CLOUD CONSOLE ACCESS CtrName4 = GUARDRAIL 4: ENTERPRISE MONITORING ACCOUNTS CtrName5 = GUARDRAIL 5: DATA LOCATION @@ -16,29 +16,12 @@ CtrName11 = GUARDRAIL 11: LOGGING AND MONITORING CtrName12 = GUARDRAIL 12: CONFIGURATION OF CLOUD MARKETPLACES CtrName13 = GUARDRAIL 13: PLAN FOR CONTINUITY -# Guardrail 1 +# Guardrail #1 MSEntIDLicense = Microsoft Entra ID License Type mfaEnabledFor = MFA Authentication should not be enabled for BreakGlass account: {0} mfaDisabledFor = MFA Authentication is not enabled for {0} - gaAccntsMFACheck = Global Administrators Accounts MFA check -# Guardrail 13 -bgMSEntID = Break Glass Microsoft Entra ID P2 -bgProcedure = Break Glass Account Procedure -bgCreation = Break Glass account Creation -bgAccountResponsibility = BG Responsibility Follows Department Procedure -bgAccountOwnerContact = Break Glass Account Owners Contact information -bgAccountsCompliance = First Break Glass Account Compliance status = {0}, Second Break Glass Account Compliance status = {1} -bgAccountsCompliance2 = Both accounts are identical, please check the config.json file -bgAuthenticationMeth = Authentication Methods -firstBgAccount = First Break Glass Account -secondBgAccount = Second Break Glass Account -bgNoValidLicenseAssigned = No Microsoft Entra ID P2 license assigned to -bgValidLicenseAssigned = has a valid Microsoft Entra ID P2 assigned -bgAccountHasManager = BG Account {0} has a Manager -bgAccountNoManager = BG Account {0} doesn't have a Manager -bgBothHaveManager = Both BreakGlass accounts have manager # GuardRail #2 MSEntIDLicenseTypeFound = Found correct license type @@ -50,17 +33,19 @@ apiError = API Error apiErrorMitigation = Please verify existance of the user (more likely) or application permissions. compliantComment = Didnt find any unsynced deprecated users gcPasswordGuidanceDoc = GC Password Guidance Doc -guestAccountsNoPermission = There are Guest accounts in the tenant but they don't have any permission in the subscriptions. -guestMustbeRemoved = This GUEST account should not have any role assignment in the Azure subscriptions mitigationCommands = Verify is the users reported are deprecated. -noGuestAccounts = There are no GUEST users in your tenant. noncompliantComment = Total Number of non-compliant users {0}. noncompliantUsers = The following Users are disabled and not synchronized with Microsoft Entra ID: - privilegedAccountManagementPlan = Privileged Account Management plan removeDeletedAccount = Permanently remove deleted accounts removeDeprecatedAccount = Remove deprecated accounts -removeGuestAccounts = Remove guest accounts. -removeGuestAccountsComment = Remove guest accounts from Microsoft Entra ID or remove their permissions from the Azure subscriptions. + +noGuestAccounts = There are currently no GUEST User Accounts in your tenant environment. +guestAccountsNoPermission = There are GUEST User Accounts in the tenant environment and they do not have any permissions in the tenant's Azure subscription(s). +guestAssigned = This GUEST User Account has a role assignment in the tenant's Azure subscriptions. +guestNotAssigned = This GUEST User Account does not have any role assignment in the tenant's Azure subscription(s). +existingGuestAccounts = Existing Guest User Accounts +existingGuestAccountsComment = Review and validate the provided list of GUEST User Accounts. Remove GUEST User Accounts according to your departmental procedures and policies, as needed. # GuardRail #3 consoleAccessConditionalPolicy = Conditional Access Policy for Cloud Console Access. @@ -129,7 +114,7 @@ subnetExcludedByVNET = Subnet '{0}' is not being checked for compliance because networkDiagram = Network architecture diagram noSubnets = No subnets found in the subscription. -# GuardRail # 9 +# GuardRail #9 authSourceIPPolicyConfirm = Attestation that the authentication source IP policy is adhered to. ddosEnabled=DDos Protection Enabled. ddosNotEnabled=DDos Protection not enabled. @@ -192,6 +177,23 @@ mktPlaceCreatedNotEnabled = The Private Marketplace has been created but not ena mktPlaceNotCreated = The Private Marketplace has not been created. enableMktPlace = Enable Azure Private MarketPlace as per: https://docs.microsoft.com/en-us/marketplace/create-manage-private-azure-marketplace-new +# Guardrail #13 +bgMSEntID = Break Glass Microsoft Entra ID P2 +bgProcedure = Break Glass Account Procedure +bgCreation = Break Glass account Creation +bgAccountResponsibility = BG Responsibility Follows Department Procedure +bgAccountOwnerContact = Break Glass Account Owners Contact information +bgAccountsCompliance = First Break Glass Account Compliance status = {0}, Second Break Glass Account Compliance status = {1} +bgAccountsCompliance2 = Both accounts are identical, please check the config.json file +bgAuthenticationMeth = Authentication Methods +firstBgAccount = First Break Glass Account +secondBgAccount = Second Break Glass Account +bgNoValidLicenseAssigned = No Microsoft Entra ID P2 license assigned to +bgValidLicenseAssigned = has a valid Microsoft Entra ID P2 assigned +bgAccountHasManager = BG Account {0} has a Manager +bgAccountNoManager = BG Account {0} doesn't have a Manager +bgBothHaveManager = Both BreakGlass accounts have manager + # GR-Common procedureFileFound = File {0} found in Container. procedureFileNotFound = Could not find document for {0}, please create and upload a file with the name '{1}' in Container '{2}' on Storage Account '{3}' to confirm you have completed the Item in the control. diff --git a/src/GuardRails-Localization/fr-CA/GR-ComplianceChecks-Msgs.psd1 b/src/GuardRails-Localization/fr-CA/GR-ComplianceChecks-Msgs.psd1 index 300d6c05..7e5aede8 100644 --- a/src/GuardRails-Localization/fr-CA/GR-ComplianceChecks-Msgs.psd1 +++ b/src/GuardRails-Localization/fr-CA/GR-ComplianceChecks-Msgs.psd1 @@ -3,7 +3,7 @@ ConvertFrom-StringData @' # French strings CtrName1 = GUARDRAIL 1: PROTÉGER LE COMPTE RACINE / ADMINISTRATEURS GLOBAUX -CtrName2 = GUARDRAIL 2: GESTION DES PRIVILÈGES ADMINISTRATIFS +CtrName2 = GUARDRAIL 2: GÉRER L'ACCÈS CtrName3 = GUARDRAIL 3: ACCÈS À LA CONSOLE CLOUD CtrName4 = GUARDRAIL 4: COMPTES DE SURVEILLANCE D'ENTREPRISE CtrName5 = GUARDRAIL 5: EMPLACEMENT DES DONNÉES @@ -16,30 +16,12 @@ CtrName11 = GUARDRAIL 11: ENREGISTREMENT ET SURVEILLANCE CtrName12 = GUARDRAIL 12: CONFIGURATION DES MARKETPLACES CtrName13 = GUARDRAIL 13: PLANIFIER LA CONTINUITÉ -# Guardrail 1 +# Guardrail #1 MSEntIDLicense = Type de licence Microsoft Entra ID mfaEnabledFor = L'authentication MFA ne devrait pas être activée pour le compte brise-glace: {0} mfaDisabledFor = L'authentication MFA n'est pas activée pour {0} - gaAccntsMFACheck = Vérification d'authentification multifacteur de comptes d'administrateur général -# Guardrail 13 -bgMSEntID = Attribution Bris de Verre Microsoft Entra ID P2 -bgProcedure = Procédure de compte de bris de verre -bgCreation = Création de compte Brise Glace -bgAccountResponsibility = Responsabilité BV suit la procédure du ministère -bgAccountOwnerContact = Coordonnées des titulaires de compte Brise Glace -bgAccountsCompliance = Statut de conformité du premier compte brise-glace = {0}, Statut de conformité du deuxième compte brise-glace = {1} -bgAccountsCompliance2 = Les deux comptes sont identiques, veuillez vérifier le fichier config.json -bgAuthenticationMeth = Méthodes d'authentification -firstBgAccount = Premier compte brise-glace -secondBgAccount = Deuxième compte brise-glace -bgNoValidLicenseAssigned = Aucune licence Microsoft Entra ID P2 assignée au -bgValidLicenseAssigned = a une licence Microsoft Entra ID P2 valide -bgAccountHasManager = Le compte BG {0} a un responsable -bgAccountNoManager = Le compte BG {0} n'a pas de gestionnaire -bgBothHaveManager = Les deux comptes brise-glace ont un gestionnaire - # GuardRail #2 MSEntIDLicenseTypeFound = Type de licence Microsoft Entra ID trouvé MSEntIDLicenseTypeNotFound = Type de licence requis Microsoft Entra ID non trouvé @@ -50,17 +32,20 @@ apiError = Erreur API apiErrorMitigation = Vérifiez l'existence des utilisateurs ou les permissions de l'application. compliantComment = Aucun utilisateur non synchronisé ou désactivé trouvé gcPasswordGuidanceDoc = Document d'orientation sur les mots de passe du GC -guestAccountsNoPermission = Il y a des comptes invités dans le tenant mais ils n'ont pas de permissions dans les abonnements Azure. -guestMustbeRemoved = Ce comptes invité ne devraient pas avoir de rôles dans les abonnements Azure mitigationCommands = Vérifiez si les utilisateurs trouvés sont obsolètes. -noGuestAccounts = Il n'y a aucun compte invité dans votre tenant noncompliantComment = Nombre d'utilisateurs non-conformes {0}. noncompliantUsers = Les utilisateurs suivants sont désactivés et ne sont pas synchronisés avec Microsoft Entra ID: - privilegedAccountManagementPlan = Plan de gestion des comptes privilégiés removeDeletedAccount = Supprimez définitivement les comptes supprimés removeDeprecatedAccount = Supprimez les comptes obsolètes -removeGuestAccounts = Supprimez les comptes invités. -removeGuestAccountsComment = Supprimer les comptes d'invités de Microsoft Entra ID ou supprimer les permissions des abonnements Azure. + +noGuestAccounts = Il n'y a présentement aucun compte d'utilisateur invité dans votre environnement locataire. +guestAccountsNoPermission = Il y a des comptes d'utilisateurs invités dans l'environnement locataire et ils n'ont aucune permission dans le(s) abonnement(s) Azure du locataire. +guestAssigned = Ce compte d'utilisateur invité a une attribution de rôle dans le(s) abonnement(s) Azure du locataire. +guestNotAssigned = Ce compte d'utilisateur invité n'a pas d'attribution de rôle dans les abonnement(s) Azure du locataire. +existingGuestAccounts = Comptes d'utilisateurs invités existants +existingGuestAccountsComment = Examinez et validez la liste fournie des comptes d'utilisateurs invités. Supprimez les comptes d'utilisateurs invités selon les procédures et les politiques ministérielles, au besoin. + # GuardRail #3 noCompliantPoliciesfound=Aucune stratégie conforme n'a été trouvée. Les politiques doivent avoir un emplacement unique et cet emplacement doit être réservé au Canada. allPoliciesAreCompliant=Toutes les politiques sont conformes. @@ -127,7 +112,7 @@ subnetExcludedByVNET = Subnet '{0}' is not being checked for compliance because networkDiagram = Diagramme d'architecture réseau noSubnets = Aucun sous-réseau n'est présent. -# GuardRail # 9 +# GuardRail #9 authSourceIPPolicyConfirm = Attestation que la politique IPs de la source d'authentification est respectée ddosEnabled = Protection DDos activée. ddosNotEnabled = Protection DDos non activée. @@ -191,6 +176,23 @@ mktPlaceCreatedNotEnabled = Le marché privé a été créé, mais n'est pas act mktPlaceNotCreated = Le marché privé n'a pas été créé. enableMktPlace = Activer Azure Private MarketPlace selon: https://docs.microsoft.com/en-us/marketplace/create-manage-private-azure-marketplace-new +# Guardrail #13 +bgMSEntID = Attribution Bris de Verre Microsoft Entra ID P2 +bgProcedure = Procédure de compte de bris de verre +bgCreation = Création de compte Brise Glace +bgAccountResponsibility = Responsabilité BV suit la procédure du ministère +bgAccountOwnerContact = Coordonnées des titulaires de compte Brise Glace +bgAccountsCompliance = Statut de conformité du premier compte brise-glace = {0}, Statut de conformité du deuxième compte brise-glace = {1} +bgAccountsCompliance2 = Les deux comptes sont identiques, veuillez vérifier le fichier config.json +bgAuthenticationMeth = Méthodes d'authentification +firstBgAccount = Premier compte brise-glace +secondBgAccount = Deuxième compte brise-glace +bgNoValidLicenseAssigned = Aucune licence Microsoft Entra ID P2 assignée au +bgValidLicenseAssigned = a une licence Microsoft Entra ID P2 valide +bgAccountHasManager = Le compte BG {0} a un responsable +bgAccountNoManager = Le compte BG {0} n'a pas de gestionnaire +bgBothHaveManager = Les deux comptes brise-glace ont un gestionnaire + # GR-Common procedureFileFound = Fichier {0} trouvé dans le conteneur. procedureFileNotFound = N'a pas trouvé de document pour {0}, veuillez créer et télécharger un fichier avec le nom '{1}' dans le conteneur '{2}' sur le compte de stockage '{3}' pour confirmer que vous avez terminé l'élément dans le contrôle. diff --git a/tools/CentralView/setup/IaC/modules/law.bicep b/tools/CentralView/setup/IaC/modules/law.bicep index e1b01c4a..ecac58c7 100644 --- a/tools/CentralView/setup/IaC/modules/law.bicep +++ b/tools/CentralView/setup/IaC/modules/law.bicep @@ -144,7 +144,7 @@ resource f1 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' category: 'grcentral_functions' displayName: 'controlconfig' //query: 'let baseurl="${GRDocsBaseUrl}";\nlet Link=strcat(baseurl,control,"-", replace_string(replace_string(itsgcode,"(","-"),")",""),".md");\nLink\n' - query: 'let controlconfig = datatable(Control:string, mandatory:bool)\n[\n"GUARDRAIL 1: PROTECT ROOT / GLOBAL ADMINS ACCOUNT", false,\n"GUARDRAIL 8: NETWORK SEGMENTATION AND SEPARATION", true,\n"GUARDRAIL 11: LOGGING AND MONITORING", true,\n"GUARDRAIL 5: DATA LOCATION", true,\n"GUARDRAIL 2: MANAGEMENT OF ADMINISTRATIVE PRIVILEGES", false,\n"GUARDRAIL 6: PROTECTION OF DATA-AT-REST",true,\n"GUARDRAIL 7: PROTECTION OF DATA-IN-TRANSIT", true,\n"GUARDRAIL 12: CONFIGURATION OF CLOUD MARKETPLACES",false,\n"GUARDRAIL 10: CYBER DEFENSE SERVICES",true,\n"GUARDRAIL 3: CLOUD CONSOLE ACCESS",true,\n"GUARDRAIL 4: ENTERPRISE MONITORING ACCOUNTS",true,\n"GUARDRAIL 9: NETWORK SECURITY SERVICES",true\n];\ncontrolconfig' + query: 'let controlconfig = datatable(Control:string, mandatory:bool)\n[\n"GUARDRAIL 1: PROTECT ROOT / GLOBAL ADMINS ACCOUNT", false,\n"GUARDRAIL 8: NETWORK SEGMENTATION AND SEPARATION", true,\n"GUARDRAIL 11: LOGGING AND MONITORING", true,\n"GUARDRAIL 5: DATA LOCATION", true,\n"GUARDRAIL 2: MANAGE ACCESS", false,\n"GUARDRAIL 6: PROTECTION OF DATA-AT-REST",true,\n"GUARDRAIL 7: PROTECTION OF DATA-IN-TRANSIT", true,\n"GUARDRAIL 12: CONFIGURATION OF CLOUD MARKETPLACES",false,\n"GUARDRAIL 10: CYBER DEFENSE SERVICES",true,\n"GUARDRAIL 3: CLOUD CONSOLE ACCESS",true,\n"GUARDRAIL 4: ENTERPRISE MONITORING ACCOUNTS",true,\n"GUARDRAIL 9: NETWORK SECURITY SERVICES",true\n];\ncontrolconfig' functionAlias: 'controlconfig' version: 2 }