Db tde enabled hotfix #2100

Closed
wants to merge 2 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions helpers/azure/api.js
Expand Up @@ -573,8 +573,12 @@ var calls = {
listWorkspaces: {
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Synapse/workspaces?api-version=2021-06-01'
}
}

},
managedInstances: {
list: {
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Sql/managedInstances?api-version=2022-05-01-preview'
}
},
};

var postcalls = {
Expand Down Expand Up @@ -1108,6 +1112,13 @@ var postcalls = {
url: 'https://management.azure.com/{id}/encryptionScopes?api-version=2023-01-01'
}
},
managedDatabases: {
get: {
reliesOnPath: 'managedDatabases.listByInstance',
properties: ['id'],
url: 'https://management.azure.com/{id}?api-version=2022-05-01-preview'
}
},
};

var tertiarycalls = {
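Review bot: The `managedDatabases.get` postcall added in the second hunk has no consumer in this PR — the plugin's `apis` list names `managedDatabases:listByInstance`, not `managedDatabases:get` — and the `managedDatabases.listByInstance` call it depends on through `reliesOnPath` is not defined in either visible hunk. If `listByInstance` already exists elsewhere in `calls`/`postcalls` this is only dead configuration; if it does not, the collector has nothing to expand `{id}` from and the plugin's `helpers.addSource` lookup comes back empty, which the plugin treats as "no data" and silently skips. Either drop the `get` entry or mark its purpose, e.g. `// not yet consumed: intended for per-database managed-instance state lookups`. Note also that both new `managedInstances.list` and `managedDatabases.get` URLs pin `api-version=2022-05-01-preview`; preview versions can be withdrawn, so a stable version would be preferable for a security control if one covers these resources.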
140 changes: 94 additions & 46 deletions plugins/azure/sqldatabases/dbTDEEnabled.js
Expand Up @@ -10,7 +10,7 @@ module.exports = {
more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database, Managed Instance, and Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.',
recommended_action: 'Modify SQL database and enable Transparent Data Encryption (TDE).',
link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15',
apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list'],
apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list', 'managedInstances:list', 'managedDatabases:listByInstance'],
realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:transparentdataencryption:write', 'microsoftsql:servers:databases:delete'],

run: function(cache, settings, callback) {
Expand All @@ -19,55 +19,103 @@ module.exports = {
var locations = helpers.locations(settings.govcloud);

async.each(locations.servers, function(location, rcb) {
var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);

if (!servers) return rcb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
return rcb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No SQL servers found', location);
return rcb();
}

servers.data.forEach(server => {
var databases = helpers.addSource(cache, source,
['databases', 'listByServer', location, server.id]);

if (!databases || databases.err || !databases.data) {
helpers.addResult(results, 3,
'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
} else {
if (!databases.data.length) {
helpers.addResult(results, 0,
'No databases found for SQL server', location, server.id);
} else {
databases.data.forEach(database => {

if (database.name && database.name.toLowerCase() !== 'master') {
var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]);

if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) {
helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id);
return;
}
var encryption = transparentDataEncryption.data[0];
if (encryption.state && encryption.state.toLowerCase() == 'enabled') {
helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id);
} else {
helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id);
}
async.parallel([
// Check SQL Server Databases
function(cb) {
const servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);

if (!servers) return cb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
return cb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No SQL servers found', location);
return cb();
}

servers.data.forEach(server => {
var databases = helpers.addSource(cache, source,
['databases', 'listByServer', location, server.id]);

if (!databases || databases.err || !databases.data) {
helpers.addResult(results, 3,
'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
} else {
if (!databases.data.length) {
helpers.addResult(results, 0,
'No databases found for SQL server', location, server.id);
} else {
databases.data.forEach(database => {

if (database.name && database.name.toLowerCase() !== 'master') {
var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]);

if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) {
helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id);
return;
}
var encryption = transparentDataEncryption.data[0];
if (encryption.state && encryption.state.toLowerCase() == 'enabled') {
helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id);
} else {
helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id);
}
}
});
}
});
}

});

cb();
},
// Check Managed Instances
function(cb) {
const managedInstances = helpers.addSource(cache, source,
['managedInstances', 'list', location]);

if (!managedInstances) return cb();

if (managedInstances.err || !managedInstances.data) {
helpers.addResult(results, 3,
'Unable to query for managed instances: ' + helpers.addError(managedInstances), location);
return cb();
}
}

});
if (!managedInstances.data.length) {
helpers.addResult(results, 0, 'No managed instances found', location);
return cb();
}

rcb();
managedInstances.data.forEach(instance => {
const managedDatabases = helpers.addSource(cache, source,
['managedDatabases', 'listByInstance', location, instance.id]);

if (!managedDatabases || managedDatabases.err || !managedDatabases.data) {
helpers.addResult(results, 3,
'Unable to query for managed instance databases: ' + helpers.addError(managedDatabases), location, instance.id);
} else if (!managedDatabases.data.length) {
helpers.addResult(results, 0,
'No databases found for managed instance', location, instance.id);
} else {
managedDatabases.data.forEach(database => {
if (database.name && database.name.toLowerCase() !== 'master') {
// Managed instances have TDE enabled by default and cannot be disabled
helpers.addResult(results, 0,
'Transparent data encryption is enabled for managed instance database', location, database.id);
}
});
}
});

cb();
}
], function() {
rcb();
});
}, function() {
callback(null, results, source);
});
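Review bot: The managed-instance branch (the `forEach` over `managedDatabases.data`) records a PASS for every non-master database without reading any encryption state, so the result is an assumption baked into the plugin rather than an observed control — a database whose TDE has been turned off, or a future change to the platform default, would still be reported as encrypted. The PR adds a `managedDatabases.get` postcall in api.js that this plugin never requests, which suggests the intent was to inspect the database resource; if that resource or a TDE sub-resource exposes the state, read it and branch on it the way the server-database path does with `transparentDataEncryption.data[0].state`, otherwise make the message honest about its basis: `'Transparent data encryption is enabled by default for managed instance database'`. Two smaller points: `realtime_triggers` in the `-10,7` hunk still lists only `microsoftsql:servers:*` events, so if triggers drive re-evaluation, managed-instance changes will not re-run this plugin; and both `async.parallel` branches are fully synchronous (each calls `cb()` after a plain `forEach`), so the parallel wrapper adds no concurrency and two sequential calls would read more simply. The `run` function's header is in the first hunk and its closing brace lies beyond the second, so the full callback flow is not visible here.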