From f22eede567e7e91289be68ee7d1dedb73335b3b9 Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Fri, 14 Jun 2024 22:54:15 +0500
Subject: [PATCH 1/7] F/Azure-mysqlFlexibleServerPublicAccess
---
 exports.js | 1 +
 .../mysqlFlexibleServerPublicAccess.js | 56 +++++++
 .../mysqlFlexibleServerPublicAccess.spec.js | 138 ++++++++++++++++++
 3 files changed, 195 insertions(+)
 create mode 100644 plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
 create mode 100644 plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.spec.js
diff --git a/exports.js b/exports.js
index 9ca097916d..5512d51df5 100644
--- a/exports.js
+++ b/exports.js
@@ -855,6 +855,7 @@ module.exports = {
 'enforceMySQLSSLConnection' : require(__dirname + '/plugins/azure/mysqlserver/enforceMySQLSSLConnection.js'),
 'mysqlFlexibleServersMinTls' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js'),
 'mysqlServerHasTags' : require(__dirname + '/plugins/azure/mysqlserver/mysqlServerHasTags.js'),
+ 'mysqlFlexibleServerPublicAccess': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js'),
 'logRetentionDays' : require(__dirname + '/plugins/azure/postgresqlserver/logRetentionDays.js'),
 'connectionThrottlingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/connectionThrottlingEnabled.js'),
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
new file mode 100644
index 0000000000..833be51e9b
--- /dev/null
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
@@ -0,0 +1,56 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'MySQL Flexible Server Public Access Disabled',
+ category: 'MySQL Server',
+ domain: 'Databases',
+ severity: 'High',
+ description: 'Ensures that MySQL Flexible servers have public access disabled.',
+ more_info: 'Configuring public access on for MySQL flexible server instance allows the server to be accessible through a public endpoint. This can expose the server to unauthorized access and various cyber threats. Disabling public access enhances security by limiting access to authorized connections only.',
+ recommended_action: 'Modify MySQL Flexible server and disble public access.',
+ link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking-public',
+ apis: ['servers:listMysqlFlexibleServer'],
+ realtime_triggers: ['microsoftdbformysql:flexibleservers:write','microsoftdbformysql:flexibleservers:delete'],
+
+ run: function(cache, settings, callback) {
+ const results = [];
+ const source = {};
+ const locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.servers, (location, rcb) => {
+ const servers = helpers.addSource(cache, source,
+ ['servers', 'listMysqlFlexibleServer', location]);
+
+ if (!servers) return rcb();
+
+ if (servers.err || !servers.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for MySQL flexible servers: ' + helpers.addError(servers), location);
+ return rcb();
+ }
+
+ if (!servers.data.length) {
+ helpers.addResult(results, 0, 'No existing MySQL flexible servers found', location);
+ return rcb();
+ }
+
+ for (var flexibleServer of servers.data) {
+ if(!flexibleServer.id) continue;
+
+ if (flexibleServer.properties &&
+ flexibleServer.properties.network &&
+ flexibleServer.properties.network.publicNetworkAccess &&
+ flexibleServer.properties.network.publicNetworkAccess.toLowerCase() == 'enabled') {
+ helpers.addResult(results, 2, 'MySQL flexible server is publicly accessible', location, flexibleServer.id);
+ } else {
+ helpers.addResult(results, 0, 'MySQL flexible server is not publicly accessible', location, flexibleServer.id);
+ }
+ }
+ rcb();
+ }, function() {
+ // Global checking goes here
+ callback(null, results, source);
+ });
+ }
+};
\ No newline at end of file
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.spec.js b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.spec.js
new file mode 100644
index 0000000000..4f6ab77062
--- /dev/null
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.spec.js
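Review bot: The `else` branch at the end of the server loop reports status 0 whenever `properties.network.publicNetworkAccess` is absent or falsy, so a server whose network block is missing from the API response is recorded as "not publicly accessible" rather than as a state the check could not read; a truthy non-string value would instead throw inside `.toLowerCase()`. For an exposure check that is a fail-open default, and the hunk already uses status 3 for "Unable to query", so the same code fits the per-server case. Resolving the value once and guarding on `typeof` keeps the existing PASS/FAIL messages unchanged, and while there `var flexibleServer` can become `const` and `==` can become `===`. I cannot tell from the hunk whether the Azure response ever omits `network`, so treat the UNKNOWN path as defensive rather than as a reproduced failure.
```javascript
            for (const flexibleServer of servers.data) {
                if (!flexibleServer.id) continue;

                const network = flexibleServer.properties && flexibleServer.properties.network;
                const publicAccess = network && network.publicNetworkAccess;
                if (typeof publicAccess !== 'string' || !publicAccess) {
                    helpers.addResult(results, 3, 'Unable to determine public network access for MySQL flexible server', location, flexibleServer.id);
                } else if (publicAccess.toLowerCase() === 'enabled') {
                    helpers.addResult(results, 2, 'MySQL flexible server is publicly accessible', location, flexibleServer.id);
                } else {
                    helpers.addResult(results, 0, 'MySQL flexible server is not publicly accessible', location, flexibleServer.id);
                }
            }
            // … unchanged: rcb() and the async.each completion callback …
```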
@@ -0,0 +1,138 @@
+var assert = require('assert');
+var expect = require('chai').expect;
+var auth = require('./mysqlFlexibleServerPublicAccess');
+
+const createCache = (err, list) => {
+ return {
+ servers: {
+ listMysqlFlexibleServer: {
+ 'eastus': {
+ err: err,
+ data: list
+ }
+ }
+ }
+ }
+};
+
+describe('mysqlFlexibleServerPublicAccess', function() {
+ describe('run', function() {
+ it('should PASS if no existing servers found', function(done) {
+ const callback = (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('No existing MySQL flexible servers found');
+ expect(results[0].region).to.equal('eastus');
+ done()
+ };
+
+ const cache = createCache(
+ null,
+ [],
+ {}
+ );
+
+ auth.run(cache, {}, callback);
+ });
+
+ it('should FAIL if MySQL server is not publicly accessible', function(done) {
+ const callback = (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('MySQL flexible server is not publicly accessible');
+ expect(results[0].region).to.equal('eastus');
+ done()
+ };
+
+ const cache = createCache(
+ null,
+ [
+ {
+ "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+ "type": "Microsoft.DBforMySQL/flexibleServers",
+ "properties": {
+ "administratorLogin": "test",
+ "storage": {
+ "storageSizeGB": 20,
+ "iops": 360,
+ "autoGrow": "Enabled",
+ "autoIoScaling": "Enabled",
+ "storageSku": "Premium_LRS",
+ "logOnDisk": "Disabled"
+ },
+ "version": "5.7",
+ "state": "Ready",
+ "fullyQualifiedDomainName": "test-flexibleserverr-mysql.mysql.database.azure.com",
+ "availabilityZone": "3",
+ "replicationRole": "None",
+ "replicaCapacity": 10,
+ "network": {
+ "publicNetworkAccess": "Disabled"
+ },
+ }
+ }
+ ]
+ );
+
+ auth.run(cache, {}, callback);
+ });
+
+ it('should FAIL if MySQL server is publicly accessible', function(done) {
+ const callback = (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(2);
+ expect(results[0].message).to.include('MySQL flexible server is publicly accessible');
+ expect(results[0].region).to.equal('eastus');
+ done()
+ };
+
+ const cache = createCache(
+ null,
+ [
+ {
+ "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+ "type": "Microsoft.DBforMySQL/flexibleServers",
+ "properties": {
+ "administratorLogin": "test",
+ "storage": {
+ "storageSizeGB": 20,
+ "iops": 360,
+ "autoGrow": "Enabled",
+ "autoIoScaling": "Enabled",
+ "storageSku": "Premium_LRS",
+ "logOnDisk": "Disabled"
+ },
+ "version": "5.7",
+ "state": "Ready",
+ "fullyQualifiedDomainName": "test-flexibleserverr-mysql.mysql.database.azure.com",
+ "availabilityZone": "3",
+ "replicationRole": "None",
+ "replicaCapacity": 10,
+ "network": {
+ "publicNetworkAccess": "Enabled"
+ },
+ }
+ }
+ ],
+ );
+
+ auth.run(cache, {}, callback);
+ });
+
+ it('should UNKNOWN if unable to query for server', function(done) {
+ const callback = (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(3);
+ expect(results[0].message).to.include('Unable to query for MySQL flexible servers: ');
+ expect(results[0].region).to.equal('eastus');
+ done()
+ };
+
+ const cache = createCache(
+ null, null
+ );
+
+ auth.run(cache, {}, callback);
+ })
+ })
+})
\ No newline at end of file
From 74d49ca86aafceae917488c6d94100c6438e31c4 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Sun, 16 Jun 2024 17:54:30 +0500
Subject: [PATCH 2/7] Update mysqlFlexibleServerPublicAccess.js
---
 plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
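Review bot: The second test in this hunk, `it('should FAIL if MySQL server is not publicly accessible', ...)`, asserts `status` 0 and the "not publicly accessible" message, so its title contradicts what it verifies and will mislead anyone reading a failing run; rename it to `it('should PASS if MySQL server is not publicly accessible', function(done) {`. Two smaller tidy-ups in the same hunk: `var assert = require('assert');` is never used, and the first test passes a third argument `{}` to `createCache`, which only declares `(err, list)`. There is also no case for a server whose `properties.network` block is absent, which is the path the plugin's `else` branch silently passes, so adding one would pin whatever behaviour is intended there.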
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
index 833be51e9b..2fa82c9724 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
@@ -8,7 +8,7 @@ module.exports = {
 severity: 'High',
 description: 'Ensures that MySQL Flexible servers have public access disabled.',
 more_info: 'Configuring public access on for MySQL flexible server instance allows the server to be accessible through a public endpoint. This can expose the server to unauthorized access and various cyber threats. Disabling public access enhances security by limiting access to authorized connections only.',
- recommended_action: 'Modify MySQL Flexible server and disble public access.',
+ recommended_action: 'Modify MySQL Flexible server and diasble public access.',
 link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking-public',
 apis: ['servers:listMysqlFlexibleServer'],
 realtime_triggers: ['microsoftdbformysql:flexibleservers:write','microsoftdbformysql:flexibleservers:delete'],
@@ -53,4 +53,4 @@ module.exports = {
 callback(null, results, source);
 });
 }
-};
\ No newline at end of file
+};
From 4b3c2d83d2afd44b5615650bb9d495b5cf037c5d Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Sun, 16 Jun 2024 18:02:32 +0500
Subject: [PATCH 3/7] Update plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
---
 plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
index 2fa82c9724..bb8c0fcba3 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
@@ -6,7 +6,7 @@ module.exports = {
 category: 'MySQL Server',
 domain: 'Databases',
 severity: 'High',
- description: 'Ensures that MySQL Flexible servers have public access disabled.',
+ description: 'Ensures that MySQL Flexible servers are not publicly accessible.',
 more_info: 'Configuring public access on for MySQL flexible server instance allows the server to be accessible through a public endpoint. This can expose the server to unauthorized access and various cyber threats. Disabling public access enhances security by limiting access to authorized connections only.',
 recommended_action: 'Modify MySQL Flexible server and diasble public access.',
 link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking-public',
From d706147b18e7d0ed6e211d42dbb22e113a8abc0d Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Sun, 16 Jun 2024 18:02:41 +0500
Subject: [PATCH 4/7] Update plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
---
 plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
index bb8c0fcba3..10a68338ef 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
@@ -7,7 +7,7 @@ module.exports = {
 domain: 'Databases',
 severity: 'High',
 description: 'Ensures that MySQL Flexible servers are not publicly accessible.',
- more_info: 'Configuring public access on for MySQL flexible server instance allows the server to be accessible through a public endpoint. This can expose the server to unauthorized access and various cyber threats. Disabling public access enhances security by limiting access to authorized connections only.',
+ more_info: 'Configuring public access on for MySQL flexible server instance allows the server to be accessible through a public endpoint. This can expose the server to unauthorized access and various cyber threats. Disabling public access enhances security by limiting access to authorized connections only.',
 recommended_action: 'Modify MySQL Flexible server and diasble public access.',
 link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking-public',
 apis: ['servers:listMysqlFlexibleServer'],
From 622958fe92056d2d501ac4027d9838179424cec4 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Sun, 16 Jun 2024 18:02:52 +0500
Subject: [PATCH 5/7] Update plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
---
 plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
index 10a68338ef..f915c709ee 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
@@ -8,7 +8,7 @@ module.exports = {
 severity: 'High',
 description: 'Ensures that MySQL Flexible servers are not publicly accessible.',
 more_info: 'Configuring public access on for MySQL flexible server instance allows the server to be accessible through a public endpoint. This can expose the server to unauthorized access and various cyber threats. Disabling public access enhances security by limiting access to authorized connections only.',
- recommended_action: 'Modify MySQL Flexible server and diasble public access.',
+ recommended_action: 'Modify MySQL flexible server and disable public network access.',
 link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking-public',
 apis: ['servers:listMysqlFlexibleServer'],
 realtime_triggers: ['microsoftdbformysql:flexibleservers:write','microsoftdbformysql:flexibleservers:delete'],
From 684b1db2bcfd7e62777f76c5de662b758daffa7a Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Sun, 16 Jun 2024 18:05:11 +0500
Subject: [PATCH 6/7] Update plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
---
 plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
index f915c709ee..53cdb86b20 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
@@ -36,7 +36,7 @@ module.exports = {
 }
 
 for (var flexibleServer of servers.data) {
- if(!flexibleServer.id) continue;
+ if (!flexibleServer.id) continue;
 
 if (flexibleServer.properties &&
 flexibleServer.properties.network &&
From 257779414baf62a2837437c6902a2726f3a8fd58 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Thu, 20 Jun 2024 00:07:41 +0500
Subject: [PATCH 7/7] Apply suggestions from code review
---
 .../azure/mysqlserver/mysqlFlexibleServerPublicAccess.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
index 53cdb86b20..c61bbcdb32 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js
@@ -2,12 +2,12 @@ const async = require('async');
 const helpers = require('../../../helpers/azure');
 
 module.exports = {
- title: 'MySQL Flexible Server Public Access Disabled',
+ title: 'MySQL Flexible Server Public Access',
 category: 'MySQL Server',
 domain: 'Databases',
 severity: 'High',
- description: 'Ensures that MySQL Flexible servers are not publicly accessible.',
- more_info: 'Configuring public access on for MySQL flexible server instance allows the server to be accessible through a public endpoint. This can expose the server to unauthorized access and various cyber threats. Disabling public access enhances security by limiting access to authorized connections only.',
+ description: 'Ensures that MySQL flexible servers are not publicly accessible.',
+ more_info: 'Configuring public access for MySQL flexible server instance allows the server to be accessible through public endpoint. This can expose the server to unauthorized access and various cyber threats. Disabling public access enhances security by limiting access to authorized connections only.',
 recommended_action: 'Modify MySQL flexible server and disable public network access.',
 link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking-public',
 apis: ['servers:listMysqlFlexibleServer'],