Skip to content

Commit

Permalink
dbTDEEnabledHotfix Plugin Update
Browse files Browse the repository at this point in the history
  • Loading branch information
AkhtarAmir authored and AkhtarAmir committed Nov 5, 2024
1 parent 117bcd7 commit d4a0b3b
Show file tree
Hide file tree
Showing 3 changed files with 242 additions and 88 deletions.
15 changes: 13 additions & 2 deletions helpers/azure/api.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -573,8 +573,12 @@ var calls = {
listWorkspaces: {
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Synapse/workspaces?api-version=2021-06-01'
}
}

},
managedInstances: {
list: {
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Sql/managedInstances?api-version=2022-05-01-preview'
}
},
};

var postcalls = {
Expand Down Expand Up @@ -1108,6 +1112,13 @@ var postcalls = {
url: 'https://management.azure.com/{id}/encryptionScopes?api-version=2023-01-01'
}
},
managedDatabases: {
get: {
reliesOnPath: 'managedDatabases.listByInstance',
properties: ['id'],
url: 'https://management.azure.com/{id}?api-version=2022-05-01-preview'
}
},
};

var tertiarycalls = {
Expand Down
140 changes: 94 additions & 46 deletions plugins/azure/sqldatabases/dbTDEEnabled.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ module.exports = {
more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database, Managed Instance, and Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.',
recommended_action: 'Modify SQL database and enable Transparent Data Encryption (TDE).',
link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15',
apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list'],
apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list', 'managedInstances:list', 'managedDatabases:listByInstance'],
realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:transparentdataencryption:write', 'microsoftsql:servers:databases:delete'],

run: function(cache, settings, callback) {
Expand All @@ -19,55 +19,103 @@ module.exports = {
var locations = helpers.locations(settings.govcloud);

async.each(locations.servers, function(location, rcb) {
var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);

if (!servers) return rcb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
return rcb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No SQL servers found', location);
return rcb();
}

servers.data.forEach(server => {
var databases = helpers.addSource(cache, source,
['databases', 'listByServer', location, server.id]);

if (!databases || databases.err || !databases.data) {
helpers.addResult(results, 3,
'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
} else {
if (!databases.data.length) {
helpers.addResult(results, 0,
'No databases found for SQL server', location, server.id);
} else {
databases.data.forEach(database => {

if (database.name && database.name.toLowerCase() !== 'master') {
var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]);

if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) {
helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id);
return;
}
var encryption = transparentDataEncryption.data[0];
if (encryption.state && encryption.state.toLowerCase() == 'enabled') {
helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id);
} else {
helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id);
}
async.parallel([
// Check SQL Server Databases
function(cb) {
const servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);

if (!servers) return cb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
return cb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No SQL servers found', location);
return cb();
}

servers.data.forEach(server => {
var databases = helpers.addSource(cache, source,
['databases', 'listByServer', location, server.id]);

if (!databases || databases.err || !databases.data) {
helpers.addResult(results, 3,
'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
} else {
if (!databases.data.length) {
helpers.addResult(results, 0,
'No databases found for SQL server', location, server.id);
} else {
databases.data.forEach(database => {

if (database.name && database.name.toLowerCase() !== 'master') {
var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]);

if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) {
helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id);
return;
}
var encryption = transparentDataEncryption.data[0];
if (encryption.state && encryption.state.toLowerCase() == 'enabled') {
helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id);
} else {
helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id);
}
}
});
}
});
}

});

cb();
},
// Check Managed Instances
function(cb) {
const managedInstances = helpers.addSource(cache, source,
['managedInstances', 'list', location]);

if (!managedInstances) return cb();

if (managedInstances.err || !managedInstances.data) {
helpers.addResult(results, 3,
'Unable to query for managed instances: ' + helpers.addError(managedInstances), location);
return cb();
}
}

});
if (!managedInstances.data.length) {
helpers.addResult(results, 0, 'No managed instances found', location);
return cb();
}

rcb();
managedInstances.data.forEach(instance => {
const managedDatabases = helpers.addSource(cache, source,
['managedDatabases', 'listByInstance', location, instance.id]);

if (!managedDatabases || managedDatabases.err || !managedDatabases.data) {
helpers.addResult(results, 3,
'Unable to query for managed instance databases: ' + helpers.addError(managedDatabases), location, instance.id);
} else if (!managedDatabases.data.length) {
helpers.addResult(results, 0,
'No databases found for managed instance', location, instance.id);
} else {
managedDatabases.data.forEach(database => {
if (database.name && database.name.toLowerCase() !== 'master') {
// Managed instances have TDE enabled by default and cannot be disabled
helpers.addResult(results, 0,
'Transparent data encryption is enabled for managed instance database', location, database.id);
}
});
}
});

cb();
}
], function() {
rcb();
});
}, function() {
callback(null, results, source);
});
Expand Down
Loading

0 comments on commit d4a0b3b

Please sign in to comment.