Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revised dbTDEEnabled #2110

Merged
merged 6 commits into from
Nov 11, 2024
Merged

Revised dbTDEEnabled #2110

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
0216263
Revised dbTDEEnabled
Nov 6, 2024
7f6b3ce
Revised dbTDEEnabled
Nov 6, 2024
f4c3d30
Apply suggestions from code review
AkhtarAmir Nov 7, 2024
cbd4206
lint resolve
Nov 7, 2024
2a0ab28
Merge branch 'dbTDEEnabled' of https://github.com/AkhtarAmir/scans in…
Nov 7, 2024
49f8b66
lint resolve
Nov 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
146 changes: 99 additions & 47 deletions plugins/azure/sqldatabases/dbTDEEnabled.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,10 @@ module.exports = {
domain: 'Databases',
severity: 'Medium',
description: 'Ensure that Transparent Data Encryption (TDE) is enabled for SQL databases.',
more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Database, Managed Instance, and Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.',
more_info: 'Transparent data encryption (TDE) helps protect Azure SQL Databases, Managed Instances, and Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.',
recommended_action: 'Modify SQL database and enable Transparent Data Encryption (TDE).',
link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15',
apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list'],
apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list', 'managedInstances:list', 'managedDatabases:listByInstance'],
realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:transparentdataencryption:write', 'microsoftsql:servers:databases:delete'],

run: function(cache, settings, callback) {
Expand All @@ -19,55 +19,107 @@ module.exports = {
var locations = helpers.locations(settings.govcloud);

async.each(locations.servers, function(location, rcb) {
var servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);

if (!servers) return rcb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
return rcb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No SQL servers found', location);
return rcb();
}

servers.data.forEach(server => {
var databases = helpers.addSource(cache, source,
['databases', 'listByServer', location, server.id]);

if (!databases || databases.err || !databases.data) {
helpers.addResult(results, 3,
'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
} else {
if (!databases.data.length) {
helpers.addResult(results, 0,
'No databases found for SQL server', location, server.id);
} else {
databases.data.forEach(database => {

if (database.name && database.name.toLowerCase() !== 'master') {
var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]);

if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) {
helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id);
return;
}
var encryption = transparentDataEncryption.data[0];
if (encryption.state && encryption.state.toLowerCase() == 'enabled') {
helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id);
} else {
helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id);
}
async.parallel([
// Check SQL Server Databases
function(cb) {
const servers = helpers.addSource(cache, source, ['servers', 'listSql', location]);

if (!servers) return cb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3, 'Unable to query for SQL servers: ' + helpers.addError(servers), location);
return cb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No SQL servers found', location);
return cb();
}

servers.data.forEach(server => {
var databases = helpers.addSource(cache, source,
['databases', 'listByServer', location, server.id]);

if (!databases || databases.err || !databases.data) {
helpers.addResult(results, 3,
'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id);
} else {
if (!databases.data.length) {
helpers.addResult(results, 0,
'No databases found for SQL server', location, server.id);
} else {
databases.data.forEach(database => {

if (database.name && database.name.toLowerCase() !== 'master') {
var transparentDataEncryption = helpers.addSource(cache, source,
['transparentDataEncryption', 'list', location, database.id]);

if (!transparentDataEncryption || transparentDataEncryption.err ||
!transparentDataEncryption.data || !transparentDataEncryption.data.length) {
helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id);
return;
}
var encryption = transparentDataEncryption.data[0];
if (encryption.state && encryption.state.toLowerCase() == 'enabled') {
helpers.addResult(results, 0,
'SQL Database: Transparent data encryption is enabled', location, database.id);
} else {
helpers.addResult(results, 2,
'SQL Database: Transparent data encryption is not enabled', location, database.id);
}
}
});
}
});
}

});

cb();
},
// Check Managed Instances
function(cb) {
const managedInstances = helpers.addSource(cache, source,
['managedInstances', 'list', location]);

if (!managedInstances) return cb();

if (managedInstances.err || !managedInstances.data) {
helpers.addResult(results, 3,
'Unable to query for managed instances: ' + helpers.addError(managedInstances), location);
return cb();
}
}

});
if (!managedInstances.data.length) {
helpers.addResult(results, 0, 'No managed instances found', location);
return cb();
}

rcb();
managedInstances.data.forEach(instance => {
const managedDatabases = helpers.addSource(cache, source,
['managedDatabases', 'listByInstance', location, instance.id]);

if (!managedDatabases || managedDatabases.err || !managedDatabases.data) {
helpers.addResult(results, 3,
'Unable to query for managed instance databases: ' + helpers.addError(managedDatabases), location, instance.id);
} else if (!managedDatabases.data.length) {
helpers.addResult(results, 0,
'No databases found for managed instance', location, instance.id);
} else {
managedDatabases.data.forEach(database => {
if (database.name && database.name.toLowerCase() !== 'master') {
// Managed instances have TDE enabled by default and cannot be disabled
helpers.addResult(results, 0,
'Managed Instance Database: Transparent data encryption is enabled', location, database.id);
}
});
}
});

cb();
}
], function() {
rcb();
});
}, function() {
callback(null, results, source);
});
Expand Down
Loading
Loading