From 69e81c47ffa0c95404dac15caa9ffc891300cedd Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Sun, 14 Jul 2024 21:34:44 +0500
Subject: [PATCH 1/4] FS-Azure/mysqlCmk
---
exports.js | 1 +
.../mysqlFlexibleServerCMKEncrypted.js | 53 +++++++++
.../mysqlFlexibleServerCMKEncrypted.spec.js | 103 ++++++++++++++++++
3 files changed, 157 insertions(+)
create mode 100644 plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
create mode 100644 plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js
diff --git a/exports.js b/exports.js
index dcbf2a3dbb..f8783d3fdf 100644
--- a/exports.js
+++ b/exports.js
@@ -867,6 +867,7 @@ module.exports = {
 'mysqlFlexibleServersMinTls' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js'),
 'mysqlFlexibleServerVersion' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerVersion.js'),
 'mysqlServerHasTags' : require(__dirname + '/plugins/azure/mysqlserver/mysqlServerHasTags.js'),
+ 'mysqlFlexibleServerCMKEncrypted': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js'),
 'mysqlFlexibleServerPublicAccess': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js'),
 'mysqlFlexibleServerDignosticLogs': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerDignosticLogs.js'),
 'mysqlFlexibleServerIdentity' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerIdentity.js'),
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
new file mode 100644
index 0000000000..d164e6674d
--- /dev/null
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
@@ -0,0 +1,53 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'MySQL Flexible Server CMK Encrypted',
+ category: 'MySQL Server',
+ domain: 'Databases',
+ severity: 'High',
+ description: 'Ensures that MySQL flexible servers are encrypted using CMK.',
+ more_info: 'MySQL flexible server allows you to encrypt data using customer-managed keys (CMK) instead of using platform-managed keys, which are enabled by default. Using CMK encryption offers enhanced security and compliance, allowing centralized management and control of encryption keys through Azure Key Vault.',
+ recommended_action: 'Modify MySQL flexible server and disable public network access.',
+ link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-customer-managed-key',
+ apis: ['servers:listMysqlFlexibleServer'],
+ realtime_triggers: ['microsoftdbformysql:flexibleservers:write','microsoftdbformysql:flexibleservers:delete'],
+
+ run: function(cache, settings, callback) {
+ const results = [];
+ const source = {};
+ const locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.servers, (location, rcb) => {
+ const servers = helpers.addSource(cache, source,
+ ['servers', 'listMysqlFlexibleServer', location]);
+
+ if (!servers) return rcb();
+
+ if (servers.err || !servers.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for MySQL flexible servers: ' + helpers.addError(servers), location);
+ return rcb();
+ }
+
+ if (!servers.data.length) {
+ helpers.addResult(results, 0, 'No existing MySQL flexible servers found', location);
+ return rcb();
+ }
+
+ for (var flexibleServer of servers.data) {
+ if (!flexibleServer.id) continue;
+
+ if (flexibleServer.dataEncryption && flexibleServer.dataEncryption.primaryKeyURI ) {
+ helpers.addResult(results, 0, 'MySQL flexible server is encrypted using CMK', location, flexibleServer.id);
+ } else {
+ helpers.addResult(results, 2, 'MySQL flexible server is not encrypted using CMK', location, flexibleServer.id);
+ }
+ }
+ rcb();
+ }, function() {
+ // Global checking goes here
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js
new file mode 100644
index 0000000000..418c8a2f7a
--- /dev/null
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js
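Review bot: The pass condition in `run` keys only on `flexibleServer.dataEncryption.primaryKeyURI`, while the flexible-server API also reports `dataEncryption.type` (`AzureKeyVault` for customer-managed keys, `SystemManaged` for platform keys), which is the explicit statement of which key class is in use; a check that ignores it passes any object that happens to carry a key URI and, should the listing ever omit the URI, fails a server that does report `AzureKeyVault`. I would make the condition `if (flexibleServer.dataEncryption && flexibleServer.dataEncryption.type === 'AzureKeyVault' && flexibleServer.dataEncryption.primaryKeyURI) {`, or drop the URI test if the listing is confirmed to always populate it for that type. The same line is touched again by the message change in PATCH 3/4 and the whitespace fix in PATCH 4/4, so whichever commit lands should carry the corrected condition. Separately, `for (var flexibleServer of servers.data)` would read better as `const`, matching the other declarations in `run`.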
@@ -0,0 +1,103 @@
+var assert = require('assert');
+var expect = require('chai').expect;
+var auth = require('./mysqlFlexibleServerCMKEncrypted');
+
+const createCache = (err, list) => {
+ return {
+ servers: {
+ listMysqlFlexibleServer: {
+ 'eastus': {
+ err: err,
+ data: list
+ }
+ }
+ }
+ }
+};
+
+describe('mysqlFlexibleServerManagedIdentity', function() {
+ describe('run', function() {
+ it('should PASS if no existing servers found', function(done) {
+ const callback = (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('No existing MySQL flexible servers found');
+ expect(results[0].region).to.equal('eastus');
+ done()
+ };
+
+ const cache = createCache(
+ null,
+ [],
+ {}
+ );
+
+ auth.run(cache, {}, callback);
+ });
+
+ it('should FAIL if MySQL server is not CMK encrypted', function(done) {
+ const callback = (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(2);
+ expect(results[0].message).to.include('MySQL flexible server is not encrypted using CMK');
+ expect(results[0].region).to.equal('eastus');
+ done()
+ };
+
+ const cache = createCache(
+ null,
+ [
+ {
+ "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+ "type": "Microsoft.DBforMySQL/flexibleServers",
+ "version": '5.8'
+ }
+ ],
+ );
+
+ auth.run(cache, {}, callback);
+ });
+
+ it('should PASS if MySQL server is CMK encrypted', function(done) {
+ const callback = (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('MySQL flexible server is encrypted using CMK');
+ expect(results[0].region).to.equal('eastus');
+ done()
+ };
+
+ const cache = createCache(
+ null,
+ [
+ {
+ "id": "/subscriptions/12345/resourceGroups/Default/providers/Microsoft.DBforMySQL/flexibleServers/test-server",
+ "type": "Microsoft.DBforMySQL/flexibleServers",
+ "version": "8.0",
+ "dataEncryption": {
+ "primaryKeyURI" : "https://test.vault.azure.net/keys/test2/9e0e3453676456e"
+ }
+ }
+ ]
+ );
+
+ auth.run(cache, {}, callback);
+ });
+
+ it('should UNKNOWN if unable to query for server', function(done) {
+ const callback = (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(3);
+ expect(results[0].message).to.include('Unable to query for MySQL flexible servers: ');
+ expect(results[0].region).to.equal('eastus');
+ done()
+ };
+
+ const cache = createCache(
+ null, null
+ );
+
+ auth.run(cache, {}, callback);
+ });
+ })
+})
\ No newline at end of file
From 3c41a68f84bfafe5209a039a495245e2783db340 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 16 Sep 2024 13:46:21 +0500
Subject: [PATCH 2/4] Update plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
---
plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
index d164e6674d..dbc0ee75ca 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
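Review bot: The top-level `describe` in the new spec is named `'mysqlFlexibleServerManagedIdentity'`, a leftover from the plugin this file was copied from; it should read `describe('mysqlFlexibleServerCMKEncrypted', function() {` so failures are attributed to the right plugin in the test output (PATCH 3/4 edits this file but keeps the name). The fixtures also cover only the absent-`dataEncryption` and present-`primaryKeyURI` shapes; a server whose `dataEncryption` object is present but carries no `primaryKeyURI` (the platform-managed shape) is the case most likely to regress and deserves its own FAIL test. Minor: `createCache(null, [], {})` passes a third argument the helper does not declare, and `var assert = require('assert')` is unused.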
@@ -7,7 +7,7 @@ module.exports = {
 domain: 'Databases',
 severity: 'High',
 description: 'Ensures that MySQL flexible servers are encrypted using CMK.',
- more_info: 'MySQL flexible server allows you to encrypt data using customer-managed keys (CMK) instead of using platform-managed keys, which are enabled by default. Using CMK encryption offers enhanced security and compliance, allowing centralized management and control of encryption keys through Azure Key Vault.',
+ more_info: 'MySQL flexible server allows you to encrypt data using customer-managed keys (CMK) instead of using platform-managed keys, which are enabled by default. Using CMK encryption offers enhanced security and compliance, allowing centralized management and control of encryption keys through Azure Key Vault. It adds an extra layer of protection against unauthorized access to sensitive data stored in the database.',
 recommended_action: 'Modify MySQL flexible server and disable public network access.',
 link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-customer-managed-key',
 apis: ['servers:listMysqlFlexibleServer'],
From 69438e1dc1582cd73cba46364d6e92914dc2ac24 Mon Sep 17 00:00:00 2001
From: AkhtarAmir
Date: Mon, 16 Sep 2024 13:58:19 +0500
Subject: [PATCH 3/4] fixed
---
plugins/aws/eks/eksKubernetesVersion.spec.js | 2 +-
.../mysqlserver/mysqlFlexibleServerCMKEncrypted.js | 10 +++++-----
.../mysqlFlexibleServerCMKEncrypted.spec.js | 4 ++--
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/plugins/aws/eks/eksKubernetesVersion.spec.js b/plugins/aws/eks/eksKubernetesVersion.spec.js
index b53206f8d2..0997f85358 100644
--- a/plugins/aws/eks/eksKubernetesVersion.spec.js
+++ b/plugins/aws/eks/eksKubernetesVersion.spec.js
@@ -82,7 +82,7 @@ describe('eksKubernetesVersion', function () {
 "cluster": {
 "name": "mycluster",
 "arn": "arn:aws:eks:us-east-1:012345678911:cluster/mycluster",
- "version": "1.27",
+ "version": "1.29",
 }
 }
 );
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
index dbc0ee75ca..29b0b57100 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
@@ -2,13 +2,13 @@ const async = require('async');
 const helpers = require('../../../helpers/azure');
 module.exports = {
- title: 'MySQL Flexible Server CMK Encrypted',
+ title: 'MySQL Flexible Server Data CMK Encrypted',
 category: 'MySQL Server',
 domain: 'Databases',
 severity: 'High',
- description: 'Ensures that MySQL flexible servers are encrypted using CMK.',
+ description: 'Ensures that MySQL flexible servers data is encrypted using CMK.',
 more_info: 'MySQL flexible server allows you to encrypt data using customer-managed keys (CMK) instead of using platform-managed keys, which are enabled by default. Using CMK encryption offers enhanced security and compliance, allowing centralized management and control of encryption keys through Azure Key Vault. It adds an extra layer of protection against unauthorized access to sensitive data stored in the database.',
- recommended_action: 'Modify MySQL flexible server and disable public network access.',
+ recommended_action: 'Ensure that MySQL flexible server have CMK encryption enabled.',
 link: 'https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-customer-managed-key',
 apis: ['servers:listMysqlFlexibleServer'],
 realtime_triggers: ['microsoftdbformysql:flexibleservers:write','microsoftdbformysql:flexibleservers:delete'],
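Review bot: The new `recommended_action` string has a subject/verb mismatch (`'Ensure that MySQL flexible server have CMK encryption enabled.'`) and the new `description` uses the same awkward construction; both are user-facing in the generated report. I would write them as `recommended_action: 'Ensure that MySQL flexible servers have CMK encryption enabled.'` and `description: 'Ensures that MySQL flexible server data is encrypted using CMK.'`.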
@@ -39,9 +39,9 @@ module.exports = {
 if (!flexibleServer.id) continue;
 if (flexibleServer.dataEncryption && flexibleServer.dataEncryption.primaryKeyURI ) {
- helpers.addResult(results, 0, 'MySQL flexible server is encrypted using CMK', location, flexibleServer.id);
+ helpers.addResult(results, 0, 'MySQL flexible server data is encrypted using CMK', location, flexibleServer.id);
 } else {
- helpers.addResult(results, 2, 'MySQL flexible server is not encrypted using CMK', location, flexibleServer.id);
+ helpers.addResult(results, 2, 'MySQL flexible server data is not encrypted using CMK', location, flexibleServer.id);
 }
 }
 rcb();
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js
index 418c8a2f7a..17341ed4e1 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.spec.js
@@ -39,7 +39,7 @@ describe('mysqlFlexibleServerManagedIdentity', function() {
 const callback = (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
- expect(results[0].message).to.include('MySQL flexible server is not encrypted using CMK');
+ expect(results[0].message).to.include('MySQL flexible server data is not encrypted using CMK');
 expect(results[0].region).to.equal('eastus');
 done()
 };
@@ -62,7 +62,7 @@ describe('mysqlFlexibleServerManagedIdentity', function() {
 const callback = (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
- expect(results[0].message).to.include('MySQL flexible server is encrypted using CMK');
+ expect(results[0].message).to.include('MySQL flexible server data is encrypted using CMK');
 expect(results[0].region).to.equal('eastus');
 done()
 };
From fc4bb924299a2edb60329e176ef590ce8d33b4cc Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Mon, 16 Sep 2024 13:59:29 +0500
Subject: [PATCH 4/4] Update plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
---
plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
index 29b0b57100..d188ae81d3 100644
--- a/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
+++ b/plugins/azure/mysqlserver/mysqlFlexibleServerCMKEncrypted.js
@@ -38,7 +38,7 @@ module.exports = {
 for (var flexibleServer of servers.data) {
 if (!flexibleServer.id) continue;
- if (flexibleServer.dataEncryption && flexibleServer.dataEncryption.primaryKeyURI ) {
+ if (flexibleServer.dataEncryption && flexibleServer.dataEncryption.primaryKeyURI) {
 helpers.addResult(results, 0, 'MySQL flexible server data is encrypted using CMK', location, flexibleServer.id);
 } else {
 helpers.addResult(results, 2, 'MySQL flexible server data is not encrypted using CMK', location, flexibleServer.id);