From a403a65fb5421ea795a608979d0052e5d197f166 Mon Sep 17 00:00:00 2001 From: AkhtarAmir Date: Fri, 8 Nov 2024 20:06:46 +0500 Subject: [PATCH 1/5] TLS Version change --- .DS_Store | Bin 0 -> 8196 bytes .../azure/eventhub/eventHubMinimumTLSversion.js | 10 +--------- plugins/azure/redisCache/minimumTlsVersion.js | 4 ++-- plugins/azure/sqlserver/sqlServerTlsVersion.js | 10 +--------- .../storageaccounts/storageAccountsTlsVersion.js | 12 ++---------- 5 files changed, 6 insertions(+), 30 deletions(-) create mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..6dee872861bd116d3a08409a45588a1811cd649f GIT binary patch literal 8196 zcmeI1&2G~`5XWcRK%9hrAc0g4NS3%(rKJ=JaY@tmPzg9R2o8WkK1>?wuA|r?MO9JG z@D98JSDu7-;ROGgbt|uv_Rs?YbyxC^W6ytg_BZQw*CirV8+O)+mWas1!FI8NYD(ez zd`y&?^vWGr1wGLL1vH=@bxBWny97{5M2AKKAL{e Date: Sat, 9 Nov 2024 01:18:52 +0500 Subject: [PATCH 2/5] TLS Fixes --- plugins/azure/eventhub/eventHubMinimumTLSversion.js | 10 +++++----- .../storageaccounts/storageAccountsTlsVersion.js | 11 +++++------ 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/plugins/azure/eventhub/eventHubMinimumTLSversion.js b/plugins/azure/eventhub/eventHubMinimumTLSversion.js index a870e802b5..0c9d70fffa 100644 --- a/plugins/azure/eventhub/eventHubMinimumTLSversion.js +++ b/plugins/azure/eventhub/eventHubMinimumTLSversion.js @@ -18,11 +18,11 @@ module.exports = { var source = {}; var locations = helpers.locations(settings.govcloud); - var config = { - event_hub_min_tls_version: '1.2' - }; - var desiredVersion = parseFloat(config.event_hub_min_tls_version); + event_hub_min_tls_version = '1.2' + + + var desiredVersion = parseFloat(event_hub_min_tls_version); async.each(locations.eventHub, function(location, rcb) { var eventHubs = helpers.addSource(cache, source, 
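Review bot: The added line `event_hub_min_tls_version = '1.2'` in `@@ -18,11 +18,11 @@` assigns to an undeclared identifier, which creates an implicit global in sloppy mode and throws a ReferenceError as soon as the file runs under `'use strict'`; the storage account hunk `@@ -24,11 +24,10 @@` in this same patch has the same defect with `sa_min_tls_version = '1.2'`. PATCH 3 of this series adds the missing `var` and semicolon, so the two commits should be squashed so that no intermediate revision of either plugin is broken. Since the value is a fixed literal, `var desiredVersion = 1.2;` would also remove the `parseFloat` round-trip on the following line. The enclosing `run` function starts and ends outside the hunk.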
@@ -50,7 +50,7 @@ module.exports = { location, eventHub.id); } else { helpers.addResult(results, 2, - `Event Hubs namespace is using TLS version ${eventHub.minimumTlsVersion} instead of version ${config.event_hub_min_tls_version}`, + `Event Hubs namespace is using TLS version ${eventHub.minimumTlsVersion} instead of version ${event_hub_min_tls_version}`, location, eventHub.id); } } diff --git a/plugins/azure/storageaccounts/storageAccountsTlsVersion.js b/plugins/azure/storageaccounts/storageAccountsTlsVersion.js index 5b4501cf01..5848fb8004 100644 --- a/plugins/azure/storageaccounts/storageAccountsTlsVersion.js +++ b/plugins/azure/storageaccounts/storageAccountsTlsVersion.js @@ -24,11 +24,10 @@ module.exports = { var source = {}; var locations = helpers.locations(settings.govcloud); - var config = { - sa_min_tls_version: 1.2 - }; + + sa_min_tls_version = '1.2' - var desiredVersion = parseFloat(config.sa_min_tls_version); + var desiredVersion = parseFloat(sa_min_tls_version); async.each(locations.storageAccounts, function(location, rcb) { var storageAccounts = helpers.addSource(cache, source, @@ -56,11 +55,11 @@ module.exports = { if (parseFloat(tlsVersion) >= desiredVersion) { helpers.addResult(results, 0, - `Storage Account is using TLS version ${tlsVersion} which is equal to or higher than desired TLS version ${config.sa_min_tls_version}`, + `Storage Account is using TLS version ${tlsVersion} which is equal to or higher than desired TLS version ${sa_min_tls_version}`, location, storageAccount.id); } else { helpers.addResult(results, 2, - `Storage Account is using TLS version ${tlsVersion} which is less than desired TLS version ${config.sa_min_tls_version}`, + `Storage Account is using TLS version ${tlsVersion} which is less than desired TLS version ${sa_min_tls_version}`, location, storageAccount.id); } }); From 269e4a209f9920b079d8c22b3875597d2a52a281 Mon Sep 17 00:00:00 2001 
From: AkhtarAmir Date: Sat, 9 Nov 2024 01:21:30 +0500 Subject: [PATCH 3/5] TLS Lint fix --- plugins/azure/eventhub/eventHubMinimumTLSversion.js | 2 +- plugins/azure/storageaccounts/storageAccountsTlsVersion.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/azure/eventhub/eventHubMinimumTLSversion.js b/plugins/azure/eventhub/eventHubMinimumTLSversion.js index 0c9d70fffa..375abdbf19 100644 --- a/plugins/azure/eventhub/eventHubMinimumTLSversion.js +++ b/plugins/azure/eventhub/eventHubMinimumTLSversion.js @@ -19,7 +19,7 @@ module.exports = { var locations = helpers.locations(settings.govcloud); - event_hub_min_tls_version = '1.2' + var event_hub_min_tls_version = '1.2'; var desiredVersion = parseFloat(event_hub_min_tls_version); diff --git a/plugins/azure/storageaccounts/storageAccountsTlsVersion.js b/plugins/azure/storageaccounts/storageAccountsTlsVersion.js index 5848fb8004..540cc2499f 100644 --- a/plugins/azure/storageaccounts/storageAccountsTlsVersion.js +++ b/plugins/azure/storageaccounts/storageAccountsTlsVersion.js @@ -25,7 +25,7 @@ module.exports = { var locations = helpers.locations(settings.govcloud); - sa_min_tls_version = '1.2' + var sa_min_tls_version = '1.2'; var desiredVersion = parseFloat(sa_min_tls_version); From c4cc71a1fae26e128883c98d3c8675e8128ec764 Mon Sep 17 00:00:00 2001 From: AkhtarAmir Date: Mon, 11 Nov 2024 02:27:22 -0800 Subject: [PATCH 4/5] minimumTlsVersion TLS version check fix for specs --- plugins/azure/redisCache/minimumTlsVersion.js | 2 +- .../sqlserver/sqlServerTlsVersion.spec.js | 21 ++++++++++++++++--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/plugins/azure/redisCache/minimumTlsVersion.js b/plugins/azure/redisCache/minimumTlsVersion.js index c214a69eec..fa34eb166a 100644 --- a/plugins/azure/redisCache/minimumTlsVersion.js +++ b/plugins/azure/redisCache/minimumTlsVersion.js 
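Review bot: The declarations restored here, `var event_hub_min_tls_version = '1.2';` and `var sa_min_tls_version = '1.2';`, use snake_case for locals in files whose other locals (`desiredVersion`, `locations`) are camelCase; the names were inherited from the former settings keys and no longer need to match them. Parsing a literal you just wrote on every `run` call is also unnecessary; in the eventhub hunk `var desiredVersion = 1.2;` with `${desiredVersion}` in the result messages (those messages are outside this hunk) reads more directly, and the same applies to the storage account hunk. Both enclosing `run` functions start and end outside their hunks.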
@@ -37,7 +37,7 @@ module.exports = { for (let cache of caches.data) { if (!cache.minimumTlsVersion) { helpers.addResult(results, 2, 'Redis Cache is using the default TLS Version', location, cache.id); - } else if (cache.minimumTlsVersion && (cache.minimumTlsVersion === '1.2')) { + } else if (cache.minimumTlsVersion && (cache.minimumTlsVersion === '1.1' || cache.minimumTlsVersion === '1.0')) { helpers.addResult(results, 2, 'Redis Cache is not using the latest TLS Version', location, cache.id); } else { helpers.addResult(results, 0, 'Redis Cache is using the latest TLS Version', location, cache.id); diff --git a/plugins/azure/sqlserver/sqlServerTlsVersion.spec.js b/plugins/azure/sqlserver/sqlServerTlsVersion.spec.js index 75f76df122..59a5f5e940 100644 --- a/plugins/azure/sqlserver/sqlServerTlsVersion.spec.js +++ b/plugins/azure/sqlserver/sqlServerTlsVersion.spec.js @@ -30,6 +30,21 @@ const servers = [ "fullyQualifiedDomainName": "test-server.database.windows.net", "privateEndpointConnections": [], "publicNetworkAccess": "Enabled" + }, + { + "kind": "v12.0", + "location": "eastus", + "tags": {}, + "id": "/subscriptions/123/resourceGroups/akhtar-rg/providers/Microsoft.Sql/servers/test-server", + "name": "test-server", + "type": "Microsoft.Sql/servers", + "administratorLogin": "aqua", + "version": "12.0", + "state": "Ready", + "fullyQualifiedDomainName": "test-server.database.windows.net", + "privateEndpointConnections": [], + "minimalTlsVersion": "1.2", + "publicNetworkAccess": "Enabled" } ]; @@ -77,7 +92,7 @@ describe('sqlServerTlsVersion', function() { [servers[0]], ); - sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.2' }, callback); + sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.1' }, callback); }); it('should give failing result if SQL server allows all TLS versions', function(done) { 
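Review bot: The new condition in `@@ -37,7 +37,7 @@` fails only `'1.1'` and `'1.0'` and lets every other non-empty value fall through to the passing branch, so an unexpected or malformed `minimumTlsVersion` is reported as compliant; a compliance check should fail closed. Comparing numerically against the required floor covers both cases: `} else if (!(parseFloat(cache.minimumTlsVersion) >= 1.2)) {` (the negated form also fails when `parseFloat` yields `NaN`). The `cache.minimumTlsVersion &&` guard is redundant because the first branch already handled the falsy case. The enclosing `for` loop continues past the hunk.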
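Review bot: The `sql_server_min_tls_version` values changed in the `sqlServerTlsVersion.run(cache, { ... }, callback)` calls of `@@ -77,7 +92,7 @@` and `@@ -106,10 +121,10 @@` (the latter on the next line) only matter if the plugin still reads that setting; PATCH 1's diffstat (`sqlServerTlsVersion.js | 10 +---------`) suggests the setting lookup was replaced by a hardcoded version, as the eventhub and storage hunks of PATCH 2 show for their plugins, but that hunk is not visible here. If so, these settings objects are inert, the tests depend only on their fixtures, and the passing case should pass `{}` with test names that say which fixture property drives the result. The added `servers[2]` appears to be the only fixture carrying `minimalTlsVersion`, so a server pinned below the floor (e.g. a constructed fixture with `"minimalTlsVersion": "1.1"`) seems uncovered.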
@@ -106,10 +121,10 @@ describe('sqlServerTlsVersion', function() { }; const cache = createCache( - [servers[0]] + [servers[2]] ); - sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.0' }, callback); + sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.2' }, callback); }); it('should give unknown result if unable to query for SQL servers', function(done) { From f1a4f1d0e1d0f18b2824ff372b0f8390c998238f Mon Sep 17 00:00:00 2001 From: AkhtarAmir Date: Mon, 11 Nov 2024 03:21:17 -0800 Subject: [PATCH 5/5] DS Store removal --- plugins/azure/redisCache/minimumTlsVersion.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/redisCache/minimumTlsVersion.js b/plugins/azure/redisCache/minimumTlsVersion.js index fa34eb166a..936fe12948 100644 --- a/plugins/azure/redisCache/minimumTlsVersion.js +++ b/plugins/azure/redisCache/minimumTlsVersion.js @@ -8,7 +8,7 @@ module.exports = { severity: 'Medium', description: 'Ensures that Azure Cache for Redis is using the latest TLS version.', more_info: 'TLS versions 1.2 is known to be susceptible to attacks, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses.So there\'s an industry- wide push toward the exclusive use of Transport Layer Security(TLS) version 1.2 or later.', - recommended_action: 'Ensure that Azure cache for Redis is using the latest TLS version', + recommended_action: 'Ensure that Azure cache for Redis is using the latest TLS version.', link: 'https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-remove-tls-10-11', apis: ['redisCaches:listBySubscription'], realtime_triggers: ['microsoftcache:redis:write','microsoftcache:redis:delete'],
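Review bot: The `more_info` string on the unchanged line directly above the edited `recommended_action` in `@@ -8,7 +8,7 @@` says TLS version 1.2 "is known to be susceptible to attacks", which contradicts the plugin's own check (1.2 is the version it requires) and the Microsoft page in `link`, which is about retiring TLS 1.0 and 1.1; while this metadata is being touched it should read `more_info: 'TLS versions 1.0 and 1.1 are known to be susceptible to attacks, ...'` with the rest of the sentence unchanged. The commit subject "DS Store removal" does not match its diffstat, which touches only this file, and as far as this series shows the `.DS_Store` binary added in PATCH 1 is never deleted; that file should be dropped from the series and the pattern added to `.gitignore`.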