Revised dbTDEEnabled (#2110)
* Revised dbTDEEnabled

* Revised dbTDEEnabled

* Apply suggestions from code review

suggested fix

Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com>

* lint resolve

* lint resolve

---------

Co-authored-by: AkhtarAmir <AkhtarAmir>
Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com>
Co-authored-by: hamza <hamza.aziz.ext@aquasec.com>
3 people authored Nov 11, 2024
1 parent cb73ff7 commit eaad9c4
Showing 2 changed files with 236 additions and 89 deletions.
146 changes: 99 additions & 47 deletions plugins/azure/sqldatabases/dbTDEEnabled.js
Expand Up @@ -7,10 +7,10 @@ module.exports = {
domain: 'Databases',
severity: 'Medium',
description: 'Ensure that Transparent Data Encryption (TDE) is enabled for SQL databases.',
more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database, Managed Instance, and Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.',
more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Databases, Managed Instances, and Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.',
recommended_action: 'Modify SQL database and enable Transparent Data Encryption (TDE).',
link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15',
apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list'],
apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list', 'managedInstances:list', 'managedDatabases:listByInstance'],
realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:transparentdataencryption:write', 'microsoftsql:servers:databases:delete'],

run: function(cache, settings, callback) {
Expand All @@ -19,55 +19,107 @@ module.exports = {
var locations = helpers.locations(settings.govcloud);

async.each(locations.servers, function(location, rcb) {
var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);

if (!servers) return rcb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
return rcb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No SQL servers found', location);
return rcb();
}

servers.data.forEach(server => {
var databases = helpers.addSource(cache, source,
['databases', 'listByServer', location, server.id]);

if (!databases || databases.err || !databases.data) {
helpers.addResult(results, 3,
'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
} else {
if (!databases.data.length) {
helpers.addResult(results, 0,
'No databases found for SQL server', location, server.id);
} else {
databases.data.forEach(database => {

if (database.name && database.name.toLowerCase() !== 'master') {
var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]);

if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) {
helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id);
return;
}
var encryption = transparentDataEncryption.data[0];
if (encryption.state && encryption.state.toLowerCase() == 'enabled') {
helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id);
} else {
helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id);
}
async.parallel([
// Check SQL Server Databases
function(cb) {
const servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);

if (!servers) return cb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
return cb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No SQL servers found', location);
return cb();
}

servers.data.forEach(server => {
var databases = helpers.addSource(cache, source,
['databases', 'listByServer', location, server.id]);

if (!databases || databases.err || !databases.data) {
helpers.addResult(results, 3,
'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
} else {
if (!databases.data.length) {
helpers.addResult(results, 0,
'No databases found for SQL server', location, server.id);
} else {
databases.data.forEach(database => {

if (database.name && database.name.toLowerCase() !== 'master') {
var transparentDataEncryption = helpers.addSource(cache, source,
['transparentDataEncryption', 'list', location, database.id]);

if (!transparentDataEncryption || transparentDataEncryption.err ||
!transparentDataEncryption.data || !transparentDataEncryption.data.length) {
helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id);
return;
}
var encryption = transparentDataEncryption.data[0];
if (encryption.state && encryption.state.toLowerCase() == 'enabled') {
helpers.addResult(results, 0,
'SQL Database: Transparent data encryption is enabled', location, database.id);
} else {
helpers.addResult(results, 2,
'SQL Database: Transparent data encryption is not enabled', location, database.id);
}
}
});
}
});
}

});

cb();
},
// Check Managed Instances
function(cb) {
const managedInstances = helpers.addSource(cache, source,
['managedInstances', 'list', location]);

if (!managedInstances) return cb();

if (managedInstances.err || !managedInstances.data) {
helpers.addResult(results, 3,
'Unable to query for managed instances: ' + helpers.addError(managedInstances), location);
return cb();
}
}

});
if (!managedInstances.data.length) {
helpers.addResult(results, 0, 'No managed instances found', location);
return cb();
}

rcb();
managedInstances.data.forEach(instance => {
const managedDatabases = helpers.addSource(cache, source,
['managedDatabases', 'listByInstance', location, instance.id]);

if (!managedDatabases || managedDatabases.err || !managedDatabases.data) {
helpers.addResult(results, 3,
'Unable to query for managed instance databases: ' + helpers.addError(managedDatabases), location, instance.id);
} else if (!managedDatabases.data.length) {
helpers.addResult(results, 0,
'No databases found for managed instance', location, instance.id);
} else {
managedDatabases.data.forEach(database => {
if (database.name && database.name.toLowerCase() !== 'master') {
// Managed instances have TDE enabled by default and cannot be disabled
helpers.addResult(results, 0,
'Managed Instance Database: Transparent data encryption is enabled', location, database.id);
}
});
}
});

cb();
}
], function() {
rcb();
});
}, function() {
callback(null, results, source);
});
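Review bot: The managed-instance branch at `managedDatabases.data.forEach(...)` records a PASS (`helpers.addResult(results, 0, 'Managed Instance Database: Transparent data encryption is enabled', ...)`) for every database without reading any encryption state from the cache, so the result is a stated assumption rather than a verified finding; if, as the Azure documentation indicates, per-database TDE on a managed instance can be switched off with T-SQL, this yields a false pass for exactly the databases the check exists to catch. At minimum the comment and message should say what is actually established, e.g. replace the `// Managed instances have TDE enabled by default and cannot be disabled` comment with `// TDE is on by default for managed instance databases; the per-database state is not queried here` and use the message `'Managed Instance Database: Transparent data encryption is enabled by default (state not verified)'`, or better, add the managed-database TDE listing to `apis` and branch on its state the way the SQL-server path does. Separately, `apis` gained `managedInstances:list` and `managedDatabases:listByInstance` but `realtime_triggers` (unchanged context above) still lists only `microsoftsql:servers:*` events, so managed-instance changes presumably will not re-trigger this plugin; the corresponding managed-instance write/delete trigger names should be added if the framework defines them. The closing of `run` and `module.exports` lies outside the shown section.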
0 comments on commit eaad9c4
