From 22acd9d3e018260df26df6a06cac892a813310b0 Mon Sep 17 00:00:00 2001 From: Lucifer <108731648+shivamvish160@users.noreply.github.com> Date: Sat, 18 Oct 2025 19:30:22 +0530 Subject: [PATCH 1/2] Create README.md --- .../ACL Audit Utility/README.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 Server-Side Components/Script Includes/ACL Audit Utility/README.md diff --git a/Server-Side Components/Script Includes/ACL Audit Utility/README.md b/Server-Side Components/Script Includes/ACL Audit Utility/README.md new file mode 100644 index 0000000000..9c7d1ae67a --- /dev/null +++ b/Server-Side Components/Script Includes/ACL Audit Utility/README.md @@ -0,0 +1,25 @@ +# ACL Audit Utility for ServiceNow + +## Overview + +This script audits Access Control Lists (ACLs) in your ServiceNow instance to identify potential security misconfigurations. It helps ensure that ACLs are properly configured and do not unintentionally expose sensitive data. + +## Features + +- Detects **inactive ACLs** +- Flags ACLs with **no condition or script** +- Warns about **public read access** (ACLs with no roles assigned) +- Logs findings using `gs.info()` and `gs.warning()` for visibility + +## Usage + +1. Navigate to **System Definition > Script Includes** in your ServiceNow instance. +2. Create a new Script Include named `ACL_Audit_Utility`. +3. Paste the contents of `ACL_Audit_Utility.js` into the script field. +4. Ensure the script is set to **Active** and **Accessible from all application scopes**. +5. Run the script manually or schedule it using a **Scheduled Job**. + +## Notes + +- This script does not make any changes to ACLs; it only audits and logs findings. +- You can extend the script to send email notifications or create audit records in a custom table. From af23b22195ccabedddf1e6f86f38c21448d4953f Mon Sep 17 00:00:00 2001 From: Lucifer <108731648+shivamvish160@users.noreply.github.com> Date: Sat, 18 Oct 2025 19:31:08 +0530 Subject: [PATCH 2/2] Create code.js --- .../Script Includes/ACL Audit Utility/code.js | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 Server-Side Components/Script Includes/ACL Audit Utility/code.js diff --git a/Server-Side Components/Script Includes/ACL Audit Utility/code.js b/Server-Side Components/Script Includes/ACL Audit Utility/code.js new file mode 100644 index 0000000000..02e60b78e1 --- /dev/null +++ b/Server-Side Components/Script Includes/ACL Audit Utility/code.js @@ -0,0 +1,31 @@ + + // Description: Audits ACLs for potential misconfigurations and logs findings. + + var grACL = new GlideRecord('sys_security_acl'); + grACL.query(); + + while (grACL.next()) { + var aclName = grACL.name.toString(); + var type = grACL.type.toString(); + var operation = grACL.operation.toString(); + var active = grACL.active; + + // Check for ACLs that are inactive + if (!active) { + gs.info('[ACL Audit] Inactive ACL found: ' + aclName + ' | Operation: ' + operation); + continue; + } + + // Check for ACLs with no condition or script + var hasCondition = grACL.condition && grACL.condition.toString().trim() !== ''; + var hasScript = grACL.script && grACL.script.toString().trim() !== ''; + + if (!hasCondition && !hasScript) { + gs.warning('[ACL Audit] ACL with no condition or script: ' + aclName + ' | Operation: ' + operation); + } + + // Check for ACLs granting 'read' access to 'public' + if (operation === 'read' && grACL.roles.toString() === '') { + gs.warning('[ACL Audit] Public read access detected: ' + aclName); + } + }