diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 0000000000..6dee872861
Binary files /dev/null and b/.DS_Store differ
diff --git a/plugins/azure/eventhub/eventHubMinimumTLSversion.js b/plugins/azure/eventhub/eventHubMinimumTLSversion.js
index dbba63485e..375abdbf19 100644
--- a/plugins/azure/eventhub/eventHubMinimumTLSversion.js
+++ b/plugins/azure/eventhub/eventHubMinimumTLSversion.js
@@ -11,14 +11,6 @@ module.exports = {
 recommended_action: 'Modify Event Hubs namespaces to set the desired minimum TLS version.',
 link: 'https://learn.microsoft.com/en-us/azure/event-hubs/transport-layer-security-enforce-minimum-version',
 apis: ['eventHub:listEventHub'],
- settings: {
- event_hub_min_tls_version: {
- name: 'Event Hub Minimum TLS Version',
- description: 'Minimum desired TLS version for Microsoft Azure Event Hubs',
- regex: '^(1.0|1.1|1.2)$',
- default: '1.2'
- }
- },
 realtime_triggers: ['microsofteventhub:namespaces:write', 'microsofteventhub:namespaces:delete'],
 run: function(cache, settings, callback) {
@@ -26,11 +18,11 @@ module.exports = {
 var source = {};
 var locations = helpers.locations(settings.govcloud);
- var config = {
- event_hub_min_tls_version: settings.event_hub_min_tls_version || this.settings.event_hub_min_tls_version.default
- };
- var desiredVersion = parseFloat(config.event_hub_min_tls_version);
+ var event_hub_min_tls_version = '1.2';
+
+
+ var desiredVersion = parseFloat(event_hub_min_tls_version);
 async.each(locations.eventHub, function(location, rcb) {
 var eventHubs = helpers.addSource(cache, source,
@@ -58,7 +50,7 @@ module.exports = {
 location, eventHub.id);
 } else {
 helpers.addResult(results, 2,
- `Event Hubs namespace is using TLS version ${eventHub.minimumTlsVersion} instead of version ${config.event_hub_min_tls_version}`,
+ `Event Hubs namespace is using TLS version ${eventHub.minimumTlsVersion} instead of version ${event_hub_min_tls_version}`,
 location, eventHub.id);
 }
 }
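Review bot: The hard-coded `var event_hub_min_tls_version = '1.2';` in the second hunk replaces a value callers could previously supply, but nothing in the hunk says the threshold is now fixed, and a `settings.event_hub_min_tls_version` still passed by a caller is silently ignored rather than rejected. The same applies to `sql_server_min_tls_version: '1.2'` in sqlServerTlsVersion.js and `var sa_min_tls_version = '1.2';` in storageAccountsTlsVersion.js. A one-line comment on each constant would make the intent clear, e.g. `// Fixed threshold: TLS 1.0/1.1 are deprecated (see the plugin's link field), so the minimum is no longer configurable`; the two empty added lines between the constant and `desiredVersion` should also be dropped. Separately, the binary `.DS_Store` at the top of this diff is a macOS Finder artifact and does not belong in the commit. The run function continues outside the hunk.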
diff --git a/plugins/azure/redisCache/minimumTlsVersion.js b/plugins/azure/redisCache/minimumTlsVersion.js
index d02f37f187..936fe12948 100644
--- a/plugins/azure/redisCache/minimumTlsVersion.js
+++ b/plugins/azure/redisCache/minimumTlsVersion.js
@@ -7,8 +7,8 @@ module.exports = {
 domain: 'Databases',
 severity: 'Medium',
 description: 'Ensures that Azure Cache for Redis is using the latest TLS version.',
- more_info: 'TLS versions 1.0 and 1.1 are known to be susceptible to attacks, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses.So there\'s an industry- wide push toward the exclusive use of Transport Layer Security(TLS) version 1.2 or later.',
- recommended_action: 'Ensure that Azure cache for Redis is using the latest TLS version',
+ more_info: 'TLS versions 1.2 is known to be susceptible to attacks, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses.So there\'s an industry- wide push toward the exclusive use of Transport Layer Security(TLS) version 1.2 or later.',
+ recommended_action: 'Ensure that Azure cache for Redis is using the latest TLS version.',
 link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-remove-tls-10-11',
 apis: ['redisCaches:listBySubscription'],
 realtime_triggers: ['microsoftcache:redis:write','microsoftcache:redis:delete'],
@@ -37,7 +37,7 @@ module.exports = {
 for (let cache of caches.data) {
 if (!cache.minimumTlsVersion) {
 helpers.addResult(results, 2, 'Redis Cache is using the default TLS Version', location, cache.id);
- } else if (cache.minimumTlsVersion && (cache.minimumTlsVersion === '1.0' || cache.minimumTlsVersion === '1.1')) {
+ } else if (cache.minimumTlsVersion && (cache.minimumTlsVersion === '1.1' || cache.minimumTlsVersion === '1.0')) {
 helpers.addResult(results, 2, 'Redis Cache is not using the latest TLS Version', location, cache.id);
 } else {
 helpers.addResult(results, 0, 'Redis Cache is using the latest TLS Version', location, cache.id);
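Review bot: The rewritten `more_info` string now reads `TLS versions 1.2 is known to be susceptible to attacks`, which is ungrammatical and states the opposite of what the plugin checks: the second hunk of this file fails `1.0` and `1.1` and passes everything else, and the `link` field points at removing TLS 1.0/1.1. The previous wording was correct apart from spacing; suggest `more_info: 'TLS versions 1.0 and 1.1 are known to be susceptible to attacks, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. So there\'s an industry-wide push toward the exclusive use of Transport Layer Security (TLS) version 1.2 or later.',`. The operand swap in the `else if` of the second hunk changes nothing and could be dropped to keep the diff focused.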
diff --git a/plugins/azure/sqlserver/sqlServerTlsVersion.js b/plugins/azure/sqlserver/sqlServerTlsVersion.js
index 1b51bd8220..d40df27faa 100644
--- a/plugins/azure/sqlserver/sqlServerTlsVersion.js
+++ b/plugins/azure/sqlserver/sqlServerTlsVersion.js
@@ -11,14 +11,6 @@ module.exports = {
 recommended_action: 'Modify SQL server firewall and virtual network settings to set desired minimum TLS version.',
 link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings#minimal-tls-version',
 apis: ['servers:listSql'],
- settings: {
- sql_server_min_tls_version: {
- name: 'SQL Server Minimum TLS Version',
- description: 'Minimum desired TLS version for Microsoft Azure SQL servers',
- regex: '^(1.0|1.1|1.2)$',
- default: '1.2'
- }
- },
 remediation_min_version: '202104012200',
 remediation_description: 'TLS version 1.2 will be set for the affected SQL server',
 apis_remediate: ['servers:listSql'],
@@ -32,7 +24,7 @@ module.exports = {
 var locations = helpers.locations(settings.govcloud);
 var config = {
- sql_server_min_tls_version: settings.sql_server_min_tls_version || this.settings.sql_server_min_tls_version.default
+ sql_server_min_tls_version: '1.2'
 };
 var desiredVersion = parseFloat(config.sql_server_min_tls_version);
diff --git a/plugins/azure/sqlserver/sqlServerTlsVersion.spec.js b/plugins/azure/sqlserver/sqlServerTlsVersion.spec.js
index 75f76df122..59a5f5e940 100644
--- a/plugins/azure/sqlserver/sqlServerTlsVersion.spec.js
+++ b/plugins/azure/sqlserver/sqlServerTlsVersion.spec.js
@@ -30,6 +30,21 @@ const servers = [
 "fullyQualifiedDomainName": "test-server.database.windows.net",
 "privateEndpointConnections": [],
 "publicNetworkAccess": "Enabled"
+ },
+ {
+ "kind": "v12.0",
+ "location": "eastus",
+ "tags": {},
+ "id": "/subscriptions/123/resourceGroups/akhtar-rg/providers/Microsoft.Sql/servers/test-server",
+ "name": "test-server",
+ "type": "Microsoft.Sql/servers",
+ "administratorLogin": "aqua",
+ "version": "12.0",
+ "state": "Ready",
+ "fullyQualifiedDomainName": "test-server.database.windows.net",
+ "privateEndpointConnections": [],
+ "minimalTlsVersion": "1.2",
+ "publicNetworkAccess": "Enabled"
 }
 ];
@@ -77,7 +92,7 @@ describe('sqlServerTlsVersion', function() {
 [servers[0]],
 );
- sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.2' }, callback);
+ sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.1' }, callback);
 });
 it('should give failing result if SQL server allows all TLS versions', function(done) {
@@ -106,10 +121,10 @@ describe('sqlServerTlsVersion', function() {
 };
 const cache = createCache(
- [servers[0]]
+ [servers[2]]
 );
- sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.0' }, callback);
+ sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.2' }, callback);
 });
 it('should give unknown result if unable to query for SQL servers', function(done) {
diff --git a/plugins/azure/storageaccounts/storageAccountsTlsVersion.js b/plugins/azure/storageaccounts/storageAccountsTlsVersion.js
index a0fac3088c..540cc2499f 100644
--- a/plugins/azure/storageaccounts/storageAccountsTlsVersion.js
+++ b/plugins/azure/storageaccounts/storageAccountsTlsVersion.js
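Review bot: The settings objects passed to `run` in the second and third hunks (`{ sql_server_min_tls_version: '1.1' }` and `{ sql_server_min_tls_version: '1.2' }`) no longer influence the plugin, because the companion change to sqlServerTlsVersion.js hard-codes the threshold to 1.2 and removes the `settings` entry, so the tests read as if the threshold were still configurable and the `'1.1'` value in particular suggests a mode that does not exist. Suggest passing `{}` for settings, or keeping one test that passes `'1.0'` and asserts the result is still judged against 1.2, so the fixed threshold is pinned by the spec. The new `servers[2]` fixture with `"minimalTlsVersion": "1.2"` is a natural input for that assertion. The `it` blocks these calls belong to begin outside the hunks.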
@@ -12,14 +12,6 @@ module.exports = {
 recommended_action: 'Modify Storage Account configuration and set desired minimum TLS version',
 link: 'https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version',
 apis: ['storageAccounts:list'],
- settings: {
- sa_min_tls_version: {
- name: 'Storage Account Minimum TLS Version',
- description: 'Minimum desired TLS version for Microsoft Azure Storage Accounts',
- regex: '^(1.0|1.1|1.2)$',
- default: '1.2'
- }
- },
 remediation_min_version: '202112312200',
 remediation_description: 'TLS version 1.2 will be set for the affected Storage Accounts',
 apis_remediate: ['storageAccounts:list'],
@@ -32,11 +24,10 @@ module.exports = {
 var source = {};
 var locations = helpers.locations(settings.govcloud);
- var config = {
- sa_min_tls_version: settings.sa_min_tls_version || this.settings.sa_min_tls_version.default
- };
+
+ var sa_min_tls_version = '1.2';
- var desiredVersion = parseFloat(config.sa_min_tls_version);
+ var desiredVersion = parseFloat(sa_min_tls_version);
 async.each(locations.storageAccounts, function(location, rcb) {
 var storageAccounts = helpers.addSource(cache, source,
@@ -58,17 +49,17 @@ module.exports = {
 storageAccounts.data.forEach(function(storageAccount) {
 if (!storageAccount.id) return;
- let tlsVersion = storageAccount.minimumTlsVersion ? storageAccount.minimumTlsVersion : 'TLS1.0'; //Default is TLS 1.0
+ let tlsVersion = storageAccount.minimumTlsVersion ? storageAccount.minimumTlsVersion : 'TLS1.2'; //Default is TLS 1.2
 tlsVersion = tlsVersion.replace('TLS', '');
 tlsVersion = tlsVersion.replace('_', '.');
 if (parseFloat(tlsVersion) >= desiredVersion) {
 helpers.addResult(results, 0,
- `Storage Account is using TLS version ${tlsVersion} which is equal to or higher than desired TLS version ${config.sa_min_tls_version}`,
+ `Storage Account is using TLS version ${tlsVersion} which is equal to or higher than desired TLS version ${sa_min_tls_version}`,
 location, storageAccount.id);
 } else {
 helpers.addResult(results, 2,
- `Storage Account is using TLS version ${tlsVersion} which is less than desired TLS version ${config.sa_min_tls_version}`,
+ `Storage Account is using TLS version ${tlsVersion} which is less than desired TLS version ${sa_min_tls_version}`,
 location, storageAccount.id);
 }
 });
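Review bot: Changing the fallback on the `let tlsVersion = ...` line from `'TLS1.0'` to `'TLS1.2'` makes a storage account whose `minimumTlsVersion` property is absent pass the check with a message claiming it uses TLS 1.2, even though the plugin has observed no such value; if the property is missing because the account predates the setting or the API response omitted it, the check now fails open. The Redis plugin in this same commit treats a missing `minimumTlsVersion` as a failure (`'Redis Cache is using the default TLS Version'`), so the two plugins now disagree on the same situation. Suggest handling the missing case explicitly before the parsing, e.g. `if (!storageAccount.minimumTlsVersion) { helpers.addResult(results, 2, 'Storage Account does not have a minimum TLS version set', location, storageAccount.id); return; }`, and wording the trailing comment so it does not assert a service default that the code cannot confirm (the linked documentation is the place to check what the service applies). The enclosing run function starts and ends outside the hunk.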