diff --git a/plugins/aws/lambda/lambdaOldRuntimes.spec.js b/plugins/aws/lambda/lambdaOldRuntimes.spec.js index 20b23a8178..d49bcdf987 100644 --- a/plugins/aws/lambda/lambdaOldRuntimes.spec.js +++ b/plugins/aws/lambda/lambdaOldRuntimes.spec.js @@ -5,7 +5,7 @@ const listFunctions = [ { "FunctionName": "test-lambda", "FunctionArn": "arn:aws:lambda:us-east-1:000011112222:function:test-lambda", - "Runtime": "nodejs16.x", + "Runtime": "nodejs18.x", "Role": "arn:aws:iam::000011112222:role/lambda-role", "Handler": "index.handler", "TracingConfig": { "Mode": "PassThrough" } diff --git a/plugins/azure/appConfigurations/appConfigurationCmkEncrypted.js b/plugins/azure/appConfigurations/appConfigurationCmkEncrypted.js index 6533b0f964..494ab3a932 100644 --- a/plugins/azure/appConfigurations/appConfigurationCmkEncrypted.js +++ b/plugins/azure/appConfigurations/appConfigurationCmkEncrypted.js @@ -19,7 +19,7 @@ module.exports = { var locations = helpers.locations(settings.govcloud); async.each(locations.appConfigurations, function(location, rcb){ - var appConfigurations = helpers.addSource(cache, source, + var appConfigurations = helpers.addSource(cache, source, ['appConfigurations', 'list', location]); if (!appConfigurations) return rcb(); 
@@ -37,10 +37,17 @@ module.exports = { for (let appConfiguration of appConfigurations.data) { if (!appConfiguration.id) continue; - if (appConfiguration.encryption && appConfiguration.encryption.keyVaultProperties && appConfiguration.encryption.keyVaultProperties.keyIdentifier) { - helpers.addResult(results, 0, 'App Configuration is encrypted using CMK', location, appConfiguration.id); + if (appConfiguration.sku && + appConfiguration.sku.name && + appConfiguration.sku.name.toLowerCase() === 'free') { + helpers.addResult(results, 0, 'App Configuration tier is free', location, appConfiguration.id); } else { - helpers.addResult(results, 2, 'App Configuration is not encrypted using CMK', location, appConfiguration.id); + + if (appConfiguration.encryption && appConfiguration.encryption.keyVaultProperties && appConfiguration.encryption.keyVaultProperties.keyIdentifier) { + helpers.addResult(results, 0, 'App Configuration is encrypted using CMK', location, appConfiguration.id); + } else { + helpers.addResult(results, 2, 'App Configuration is not encrypted using CMK', location, appConfiguration.id); + } } } @@ -49,4 +56,4 @@ module.exports = { callback(null, results, source); }); } -}; \ No newline at end of file +}; diff --git a/plugins/azure/appConfigurations/appConfigurationCmkEncrypted.spec.js b/plugins/azure/appConfigurations/appConfigurationCmkEncrypted.spec.js index 4375799a5c..90abfbed8d 100644 --- a/plugins/azure/appConfigurations/appConfigurationCmkEncrypted.spec.js +++ b/plugins/azure/appConfigurations/appConfigurationCmkEncrypted.spec.js 
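Review bot: The new free-tier branch in appConfigurationCmkEncrypted.js reports status 0 with the message 'App Configuration tier is free', which reads as a pass on the CMK control although the store is not CMK-encrypted. Presumably the free tier cannot use customer-managed keys, so the exemption should say so where it is made, e.g. a comment `// CMK is not offered on the free tier, so this check is not applicable` above the `sku` test. The same tier exemption is added in eventHubManagedIdentity.js and eventHubPublicAccess.js ('Event Hubs namespace tier is basic') and needs the same explanation. The nested `else { if (...) ... }` can also be flattened to `else if`. The enclosing `run` function starts outside the hunk.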
@@ -9,15 +9,15 @@ const appConfigurations = [ "creationDate": "2023-12-27T09:26:54+00:00", "endpoint": "https://dummy-test-rg.azconfig.io", "encryption": { - "keyVaultProperties": { - "keyIdentifier": "https://dummy-test-key.vault.azure.net/keys/test-key", - "identityClientId": null - }, - "privateEndpointConnections": null, - "publicNetworkAccess": "Disabled", - "disableLocalAuth": false, - "softDeleteRetentionInDays": 0, - "enablePurgeProtection": false + "keyVaultProperties": { + "keyIdentifier": "https://dummy-test-key.vault.azure.net/keys/test-key", + "identityClientId": null + }, + "privateEndpointConnections": null, + "publicNetworkAccess": "Disabled", + "disableLocalAuth": false, + "softDeleteRetentionInDays": 0, + "enablePurgeProtection": false }, "id": "/subscriptions/123/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", "name": "meerab-test-rg", @@ -30,7 +30,7 @@ const appConfigurations = [ "creationDate": "2023-12-27T09:26:54+00:00", "endpoint": "https://dummy-test-rg.azconfig.io", "encryption": { - "keyVaultProperties": null + "keyVaultProperties": null }, "privateEndpointConnections": null, "publicNetworkAccess": "Disabled", 
@@ -45,13 +45,37 @@ const appConfigurations = [ "principalId": "12345", "tenantId": "123456", "userAssignedIdentities": { - "/subscriptions/123/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { - "PrincipalId": "1234567", - "ClientId": "123456789" - } + "/subscriptions/123/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": { + "PrincipalId": "1234567", + "ClientId": "123456789" + } } } - } + }, + { + "type": "Microsoft.AppConfiguration/configurationStores", + "location": "eastus", + "provisioningState": "Succeeded", + "creationDate": "2023-12-27T09:26:54+00:00", + "endpoint": "https://dummy-test-rg.azconfig.io", + "encryption": { + "keyVaultProperties": { + "keyIdentifier": "https://dummy-test-key.vault.azure.net/keys/test-key", + "identityClientId": null + }, + "privateEndpointConnections": null, + "publicNetworkAccess": "Disabled", + "disableLocalAuth": false, + "softDeleteRetentionInDays": 0, + "enablePurgeProtection": false + }, + "id": "/subscriptions/123/resourceGroups/meerab-rg/providers/Microsoft.AppConfiguration/configurationStores/meerab-test-rg", + "name": "meerab-test-rg", + "tags": {}, + "sku": { + "name": "free" + } + }, ]; const createCache = (appConfigurations,err) => { 
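Review bot: The free-tier fixture appended to `appConfigurations` still carries `encryption.keyVaultProperties.keyIdentifier`, so the plugin would return status 0 for it even without the new `sku` branch; only the message assertion in the spec tells the two paths apart. Setting `"keyVaultProperties": null` on this entry would make the test cover the case the exemption exists for, a free-tier store with no CMK. The entry also reuses the `id` and `name` of the first fixture.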
@@ -103,6 +127,17 @@ describe('appConfigurationCmkEncrypted', function () { }); }); + it('should give passing result if App Configuration tier is free', function (done) { + const cache = createCache([appConfigurations[2]]); + appConfigurationCmkEncrypted.run(cache, {}, (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('App Configuration tier is free'); + expect(results[0].region).to.equal('eastus'); + done(); + }); + }); + it('should give failing result if App Configuration is not encrypted using CMK', function (done) { const cache = createCache([appConfigurations[1]]); appConfigurationCmkEncrypted.run(cache, {}, (err, results) => { @@ -114,4 +149,4 @@ describe('appConfigurationCmkEncrypted', function () { }); }); }); -}); \ No newline at end of file +}); diff --git a/plugins/azure/applicationGateway/agHttpsListenerOnly.js b/plugins/azure/applicationGateway/agHttpsListenerOnly.js index 94fcff84ab..87012d4eca 100644 --- a/plugins/azure/applicationGateway/agHttpsListenerOnly.js +++ b/plugins/azure/applicationGateway/agHttpsListenerOnly.js @@ -39,7 +39,7 @@ module.exports = { if (appGateway.httpListeners && appGateway.httpListeners.length) { var httpListeners = appGateway.httpListeners - .filter(listener => listener.protocol && listener.protocol.toLowerCase() !== 'https') + .filter(listener => listener.properties.protocol && listener.properties.protocol.toLowerCase() !== 'https') .map(listener => listener.name); if (httpListeners && httpListeners.length) { diff --git a/plugins/azure/applicationGateway/agHttpsListenerOnly.spec.js b/plugins/azure/applicationGateway/agHttpsListenerOnly.spec.js index 86e6b04a63..5a8bdbc54c 100644 --- a/plugins/azure/applicationGateway/agHttpsListenerOnly.spec.js +++ b/plugins/azure/applicationGateway/agHttpsListenerOnly.spec.js 
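Review bot: In agHttpsListenerOnly.js the `.filter(...)` callback now reads `listener.properties.protocol` without checking that `listener.properties` exists, so a listener object without a `properties` key throws a TypeError and aborts the check. Guard the access: `.filter(listener => listener.properties && listener.properties.protocol && listener.properties.protocol.toLowerCase() !== 'https')`. A listener with no readable protocol is then counted as compliant, which may deserve a comment, and the updated spec has no fixture without `properties`. The enclosing function starts and ends outside the hunk.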
@@ -3,60 +3,68 @@ var agHttpsListenerOnly = require('./agHttpsListenerOnly'); const appGateway = [ { "sku": { - "tier": "WAF_v2" + "tier": "WAF_v2" }, "name": 'test-gateway', "id": '/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-gateway",', "type": "Microsoft.Network/applicationGateways", "httpListeners": [ { - "name": "listenerhttp", - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp", - "etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"", - "protocol": "Http", - "hostNames": [], - "requireServerNameIndication": false, - "type": "Microsoft.Network/applicationGateways/httpListeners" + "name": "listenerhttp", + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp", + "etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"", + "properties": { + "protocol": "Http", + "hostNames": [], + "requireServerNameIndication": false, + }, + "type": "Microsoft.Network/applicationGateways/httpListeners" }, { "name": "listenerhttp2", "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp", "etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"", - "protocol": "Http", - "hostNames": [], - "requireServerNameIndication": false, + "properties": { + "protocol": "Http", + "hostNames": [], + "requireServerNameIndication": false, + }, "type": "Microsoft.Network/applicationGateways/httpListeners" - }, - { + }, + { "name": "listenerhttp3", "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp", "etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"", - "protocol": "Https", - "hostNames": [], - "requireServerNameIndication": false, + "properties": { + "protocol": "Https", + "hostNames": [], + 
"requireServerNameIndication": false, + }, "type": "Microsoft.Network/applicationGateways/httpListeners" - } - ], + } + ], }, - { + { "sku": { - "tier": "WAF_v2" + "tier": "WAF_v2" }, - "name": 'test-gateway', + "name": 'test-gateway', "id": '/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test",', "type": "Microsoft.Network/applicationGateways", "location": "eastus", "httpListeners": [ { - "name": "listenerhttp", - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp", - "etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"", - "protocol": "Https", - "hostNames": [], - "requireServerNameIndication": false, - "type": "Microsoft.Network/applicationGateways/httpListeners" + "name": "listenerhttp", + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Network/applicationGateways/test-app-gateway/httpListeners/listenerhttp", + "etag": "W/\"9a09a0a2-7baa-44a2-b37b-88308429d799\"", + "properties": { + "protocol": "Https", + "hostNames": [], + "requireServerNameIndication": false, + }, + "type": "Microsoft.Network/applicationGateways/httpListeners" } - ], + ], }, ]; @@ -127,7 +135,7 @@ describe('agHttpsListenerOnly', function() { done(); }); }); - + }); -}); +}); diff --git a/plugins/azure/eventhub/eventHubManagedIdentity.js b/plugins/azure/eventhub/eventHubManagedIdentity.js index bd60d67111..0e6fb6b420 100644 --- a/plugins/azure/eventhub/eventHubManagedIdentity.js +++ b/plugins/azure/eventhub/eventHubManagedIdentity.js 
@@ -38,10 +38,15 @@ module.exports = { for (let eventHub of eventHubs.data){ if (!eventHub.id) continue; - if (eventHub.identity) { - helpers.addResult(results, 0, 'Event Hubs namespace has managed identity enabled', location, eventHub.id); + if (eventHub.sku && eventHub.sku.tier && eventHub.sku.tier.toLowerCase() === 'basic') { + helpers.addResult(results, 0, + 'Event Hubs namespace tier is basic', location, eventHub.id); } else { - helpers.addResult(results, 2, 'Event Hubs namespace does not have managed identity enabled', location, eventHub.id); + if (eventHub.identity) { + helpers.addResult(results, 0, 'Event Hubs namespace has managed identity enabled', location, eventHub.id); + } else { + helpers.addResult(results, 2, 'Event Hubs namespace does not have managed identity enabled', location, eventHub.id); + } } } diff --git a/plugins/azure/eventhub/eventHubManagedIdentity.spec.js b/plugins/azure/eventhub/eventHubManagedIdentity.spec.js index aba6d3537a..9c1e60d886 100644 --- a/plugins/azure/eventhub/eventHubManagedIdentity.spec.js +++ b/plugins/azure/eventhub/eventHubManagedIdentity.spec.js @@ -1,5 +1,6 @@ var expect = require('chai').expect; var eventHubManagedIdentity = require('./eventHubManagedIdentity'); +const eventHubPublicAccess = require("./eventHubPublicAccess"); const eventHubs = [ { 
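Review bot: The added `const eventHubPublicAccess = require("./eventHubPublicAccess");` at the top of eventHubManagedIdentity.spec.js is not used by any test visible in this diff; they all call `eventHubManagedIdentity.run`. It looks like a leftover from copying the new test between the two specs and should be dropped. It also introduces `const` and double quotes next to a `var` / single-quote `require` two lines above.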
@@ -40,7 +41,28 @@ const eventHubs = [ "isAutoInflateEnabled": false, "maximumThroughputUnits": 0, "kafkaEnabled": false, - } + }, + { + "kind": "v12.0", + "location": "eastus", + "tags": {}, + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/testHub'", + "name": "testHub2", + "type": 'Microsoft.EventHub/Namespaces', + "location": 'East US', + "tags": {}, + "sku": { + "name": "Basic", + "tier": "Basic", + "capacity": 1 + }, + "minimumTlsVersion": '1.2', + "publicNetworkAccess": 'Enabled', + "disableLocalAuth": true, + "isAutoInflateEnabled": false, + "maximumThroughputUnits": 0, + "kafkaEnabled": false + }, ]; const createCache = (hub) => { @@ -96,6 +118,19 @@ describe('eventHubManagedIdentity', function() { eventHubManagedIdentity.run(cache, {}, callback); }); + it('should give passing result if eventHub is of basic tier', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Event Hubs namespace tier is basic'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache([eventHubs[2]]); + eventHubManagedIdentity.run(cache, {}, callback); + }); + it('should give unknown result if unable to query for event hubs', function(done) { const callback = (err, results) => { expect(results.length).to.equal(1); @@ -109,4 +144,4 @@ describe('eventHubManagedIdentity', function() { eventHubManagedIdentity.run(cache, {}, callback); }); }) -}) \ No newline at end of file +}) diff --git a/plugins/azure/eventhub/eventHubPublicAccess.js b/plugins/azure/eventhub/eventHubPublicAccess.js index 9f06429fb8..7f8f56e3eb 100644 --- a/plugins/azure/eventhub/eventHubPublicAccess.js +++ b/plugins/azure/eventhub/eventHubPublicAccess.js 
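Review bot: The fixture added to `eventHubs` declares `"location"` and `"tags"` twice; in an object literal the later value wins, so the entry ends up with `location: 'East US'` and the first `"location": "eastus"` is dead. Its `id` also ends with a stray `'` inside the string. Remove the duplicate keys and the stray quote; the same fixture is copied into eventHubPublicAccess.spec.js.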
@@ -38,12 +38,17 @@ module.exports = { for (let eventHub of eventHubs.data){ if (!eventHub.id) continue; - if (eventHub.publicNetworkAccess && eventHub.publicNetworkAccess.toLowerCase() === 'enabled') { - helpers.addResult(results, 2, - 'Event Hubs namespace is publicly accessible',location, eventHub.id); - } else { + if (eventHub.sku && eventHub.sku.tier && eventHub.sku.tier.toLowerCase() === 'basic') { helpers.addResult(results, 0, - 'Event Hubs namespace is not publicly accessible', location, eventHub.id); + 'Event Hubs namespace tier is basic', location, eventHub.id); + } else { + if (eventHub.publicNetworkAccess && eventHub.publicNetworkAccess.toLowerCase() === 'enabled') { + helpers.addResult(results, 2, + 'Event Hubs namespace is publicly accessible',location, eventHub.id); + } else { + helpers.addResult(results, 0, + 'Event Hubs namespace is not publicly accessible', location, eventHub.id); + } } } rcb(); diff --git a/plugins/azure/eventhub/eventHubPublicAccess.spec.js b/plugins/azure/eventhub/eventHubPublicAccess.spec.js index c33c3adaba..d70e8c55bc 100644 --- a/plugins/azure/eventhub/eventHubPublicAccess.spec.js +++ b/plugins/azure/eventhub/eventHubPublicAccess.spec.js @@ -35,7 +35,28 @@ const eventHubs = [ "isAutoInflateEnabled": false, "maximumThroughputUnits": 0, "kafkaEnabled": false, - } + }, + { + "kind": "v12.0", + "location": "eastus", + "tags": {}, + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.EventHub/namespaces/testHub'", + "name": "testHub2", + "type": 'Microsoft.EventHub/Namespaces', + "location": 'East US', + "tags": {}, + "sku": { + "name": "Basic", + "tier": "Basic", + "capacity": 1 + }, + "minimumTlsVersion": '1.2', + "publicNetworkAccess": 'Enabled', + "disableLocalAuth": true, + "isAutoInflateEnabled": false, + "maximumThroughputUnits": 0, + "kafkaEnabled": false + }, ]; const createCache = (hub) => { 
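Review bot: With the new `sku.tier` branch in eventHubPublicAccess.js, a Basic-tier namespace is reported as status 0 before `publicNetworkAccess` is read, and the fixture added to the spec has `"publicNetworkAccess": 'Enabled'` with an expected status of 0. A namespace with public network access enabled therefore shows up as passing, and the message 'Event Hubs namespace tier is basic' does not tell the reader why. If the intent is that the Basic tier cannot restrict network access, state that in the message or in a comment, and consider whether a pass is the right status for a resource that cannot meet the control. The enclosing `run` function starts outside the hunk.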
@@ -91,6 +112,19 @@ describe('eventHubPublicAccess', function() { eventHubPublicAccess.run(cache, {}, callback); }); + it('should give passing result if eventHub is of basic tier', function(done) { + const callback = (err, results) => { + expect(results.length).to.equal(1); + expect(results[0].status).to.equal(0); + expect(results[0].message).to.include('Event Hubs namespace tier is basic'); + expect(results[0].region).to.equal('eastus'); + done() + }; + + const cache = createCache([eventHubs[2]]); + eventHubPublicAccess.run(cache, {}, callback); + }); + it('should give unknown result if unable to query for event hubs', function(done) { const callback = (err, results) => { expect(results.length).to.equal(1); diff --git a/plugins/azure/sqldatabases/dbAuditingEnabled.js b/plugins/azure/sqldatabases/dbAuditingEnabled.js index 8ce470c023..9080abb4a5 100644 --- a/plugins/azure/sqldatabases/dbAuditingEnabled.js +++ b/plugins/azure/sqldatabases/dbAuditingEnabled.js @@ -54,7 +54,7 @@ module.exports = { } else { var databases = helpers.addSource(cache, source, ['databases', 'listByServer', location, server.id]); - + if (!databases || databases.err || !databases.data) { helpers.addResult(results, 3, 'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id); 
@@ -65,25 +65,28 @@ module.exports = { } else { // Loop through databases and add policies databases.data.forEach(function(database){ - var databaseBlobAuditingPolicies = helpers.addSource(cache, source, - ['databaseBlobAuditingPolicies', 'get', location, database.id]); - - if (!databaseBlobAuditingPolicies || databaseBlobAuditingPolicies.err || !databaseBlobAuditingPolicies.data) { - helpers.addResult(results, 3, - 'Unable to query for SQL server database auditing policies: ' + helpers.addError(databaseBlobAuditingPolicies), location, database.id); - } else { - if (!databaseBlobAuditingPolicies.data.length) { - helpers.addResult(results, 2, - 'SQL server database does not contain auditing policies', location, database.id); + + if (database.name && database.name.toLowerCase() !== 'master') { + var databaseBlobAuditingPolicies = helpers.addSource(cache, source, + ['databaseBlobAuditingPolicies', 'get', location, database.id]); + + if (!databaseBlobAuditingPolicies || databaseBlobAuditingPolicies.err || !databaseBlobAuditingPolicies.data) { + helpers.addResult(results, 3, + 'Unable to query for SQL server database auditing policies: ' + helpers.addError(databaseBlobAuditingPolicies), location, database.id); } else { - databaseBlobAuditingPolicies.data.forEach(function(policy){ - if (policy.state && - policy.state.toLowerCase() == 'enabled') { - helpers.addResult(results, 0, 'Database Auditing is enabled on the SQL database', location, policy.id); - } else { - helpers.addResult(results, 2, 'Database Auditing is not enabled on the SQL database', location, policy.id); - } - }); + if (!databaseBlobAuditingPolicies.data.length) { + helpers.addResult(results, 2, + 'SQL server database does not contain auditing policies', location, database.id); + } else { + databaseBlobAuditingPolicies.data.forEach(function(policy){ + if (policy.state && + policy.state.toLowerCase() == 'enabled') { + helpers.addResult(results, 0, 'Database Auditing is enabled on the SQL database', 
location, policy.id); + } else { + helpers.addResult(results, 2, 'Database Auditing is not enabled on the SQL database', location, policy.id); + } + }); + } } } }); diff --git a/plugins/azure/sqldatabases/dbAuditingEnabled.spec.js b/plugins/azure/sqldatabases/dbAuditingEnabled.spec.js index 3f7ebe6e4f..2ef1385518 100644 --- a/plugins/azure/sqldatabases/dbAuditingEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbAuditingEnabled.spec.js @@ -9,13 +9,14 @@ const servers = [ const databases = [ { - id: '/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/master', + id: '/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database', + "name": "test-database", } ]; const databaseBlobAuditingPolicies = [ { - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/master/auditingSettings/Default", + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/auditingSettings/Default", "name": "Default", "type": "Microsoft.Sql/servers/databases/auditingSettings", "retentionDays": 9, @@ -23,7 +24,7 @@ const databaseBlobAuditingPolicies = [ "state": "Enabled", }, { - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/master/auditingSettings/Default", + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database/auditingSettings/Default", "name": "Default", "type": "Microsoft.Sql/servers/databases/auditingSettings", "retentionDays": 9, @@ -259,4 +260,4 @@ describe('dbAuditingEnabled', function() { dbAuditingEnabled.run(cache, {}, callback); }); }) -}) \ No newline at end of file +}) diff --git a/plugins/azure/sqldatabases/dbDataDiscoveryClassification.js b/plugins/azure/sqldatabases/dbDataDiscoveryClassification.js index 45e0ddb12d..d615ee762e 100644 
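Review bot: The guard `if (database.name && database.name.toLowerCase() !== 'master')` in dbAuditingEnabled.js skips every database whose `name` is missing as well as `master`, so such a database gets no result at all rather than a pass, fail or unknown. dbDataMaskingEnabled.js in this same commit uses the opposite form, which only skips when the name is present and equals `master`. An early return keeps the two aligned and avoids re-indenting the body: `if (database.name && database.name.toLowerCase() === 'master') return;`. The same guard is added in dbDataDiscoveryClassification.js, dbDiagnosticLoggingEnabled.js, dbEnableSecureEnclaves.js and dbLedgerDigestStorageEnabled.js, and the specs rename the fixture away from `master` without adding a test that `master` is skipped.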
--- a/plugins/azure/sqldatabases/dbDataDiscoveryClassification.js +++ b/plugins/azure/sqldatabases/dbDataDiscoveryClassification.js @@ -12,7 +12,7 @@ module.exports = { link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql', apis: ['servers:listSql', 'databases:listByServer', 'currentSensitivityLabels:list'], realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:delete'], - + run: function(cache, settings, callback) { var results = []; var source = {}; 
@@ -47,19 +47,21 @@ module.exports = { } else { databases.data.forEach(function(database) { - var currentSensitivityLabels = helpers.addSource(cache, source, ['currentSensitivityLabels', 'list', location, database.id]); + if (database.name && database.name.toLowerCase() !== 'master') { + var currentSensitivityLabels = helpers.addSource(cache, source, ['currentSensitivityLabels', 'list', location, database.id]); - if (!currentSensitivityLabels || !currentSensitivityLabels.data || currentSensitivityLabels.err) { - helpers.addResult(results, 2, 'Unable to query data discovery and classification information: ' + helpers.addError(currentSensitivityLabels), location, database.id); - } else { - if (currentSensitivityLabels.data.length) { - helpers.addResult(results, 0, 'SQL Database is using data discovery and classification', location, database.id); + if (!currentSensitivityLabels || !currentSensitivityLabels.data || currentSensitivityLabels.err) { + helpers.addResult(results, 2, 'Unable to query data discovery and classification information: ' + helpers.addError(currentSensitivityLabels), location, database.id); } else { - helpers.addResult(results, 2, 'SQL Database is not using data discovery and classification', location, database.id); + if (currentSensitivityLabels.data.length) { + helpers.addResult(results, 0, 'SQL Database is using data discovery and classification', location, database.id); + } else { + helpers.addResult(results, 2, 'SQL Database is not using data discovery and classification', location, database.id); + } } } - } ); - + }); + } } }); diff --git a/plugins/azure/sqldatabases/dbDataDiscoveryClassification.spec.js b/plugins/azure/sqldatabases/dbDataDiscoveryClassification.spec.js index a7d73e210f..a104533623 100644 --- a/plugins/azure/sqldatabases/dbDataDiscoveryClassification.spec.js +++ b/plugins/azure/sqldatabases/dbDataDiscoveryClassification.spec.js 
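Review bot: The re-indented error branch in dbDataDiscoveryClassification.js still calls `helpers.addResult(results, 2, 'Unable to query data discovery and classification information: ' ...)`, so a failed API query is reported as a failing database. The equivalent 'Unable to query' branches in dbAuditingEnabled.js and dbLedgerDigestStorageEnabled.js in this commit use status 3. Since the line is being touched anyway, change the status to `3` so collection errors are not counted as findings. The enclosing `run` function starts outside the hunk.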
@@ -10,6 +10,7 @@ const servers = [ const databases = [ { "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", } ]; diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js index 2d44ead7f3..3577843f13 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.js @@ -12,7 +12,7 @@ module.exports = { link: 'https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started-portal', apis: ['servers:listSql', 'databases:listByServer', 'dataMaskingPolicies:get'], realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:delete'], - + run: function(cache, settings, callback) { var results = []; var source = {}; @@ -47,7 +47,7 @@ module.exports = { 'No databases found for SQL server', location, server.id); } else { databases.data.forEach(database => { - if (database.name === 'master' || (database.sku && database.sku.tier && database.sku.tier.toLowerCase() === 'datawarehouse')) return; + if (database.name && database.name.toLowerCase() === 'master' || (database.sku && database.sku.tier && database.sku.tier.toLowerCase() === 'datawarehouse')) return; var dataMaskingPolicies = helpers.addSource(cache, source, ['dataMaskingPolicies', 'get', location, database.id]); diff --git a/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js b/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js index d0112bee3f..dfa5867054 100644 --- a/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbDataMaskingEnabled.spec.js 
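Review bot: The new skip condition in dbDataMaskingEnabled.js mixes `&&` and `||` without grouping the left operand: `database.name && database.name.toLowerCase() === 'master' || (database.sku && ...)`. Precedence makes it evaluate as intended, but the left side should be parenthesised like the right one: `if ((database.name && database.name.toLowerCase() === 'master') || (database.sku && database.sku.tier && database.sku.tier.toLowerCase() === 'datawarehouse')) return;`. The `forEach` callback continues outside the hunk.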
@@ -10,6 +10,7 @@ const servers = [ const databases = [ { "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", } ]; diff --git a/plugins/azure/sqldatabases/dbDiagnosticLoggingEnabled.js b/plugins/azure/sqldatabases/dbDiagnosticLoggingEnabled.js index 1b63c62fad..a5f4dcfe35 100644 --- a/plugins/azure/sqldatabases/dbDiagnosticLoggingEnabled.js +++ b/plugins/azure/sqldatabases/dbDiagnosticLoggingEnabled.js @@ -28,7 +28,7 @@ module.exports = { }, }, - + run: function(cache, settings, callback) { var results = []; var source = {}; 
@@ -65,55 +65,57 @@ module.exports = { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); return; - + } else { databases.data.forEach(database=> { - - var diagnosticSettings = helpers.addSource(cache, source, ['diagnosticSettings', 'listByDatabase', location, database.id]); - - if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { - helpers.addResult(results, 3, 'Unable to query SQL database diagnostic settings: ' + helpers.addError(diagnosticSettings), location, database.id); - return; - - } - var foundLogs = true; - var foundMetrics = true; - - var missingLogs = []; - var missingMetrics = []; - var missingConfig = []; - - if (logsConfig == '*') { - foundLogs = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length && ds.logs.some(log=>log.enabled)); - } else { - logsConfig = logsConfig.replace(/\s/g, ''); - missingLogs = logsConfig.toLowerCase().split(','); - diagnosticSettings.data.forEach(settings => { - missingLogs = missingLogs.filter(requiredCategory => - !settings.logs.some(log => (log.category && log.category.toLowerCase() === requiredCategory && log.enabled) || log.categoryGroup && log.categoryGroup.toLowerCase() === 'alllogs' && log.enabled) - ); - }); - } - if (metricsConfig == '*') { - foundMetrics = diagnosticSettings.data.some(ds => ds.metrics && ds.metrics.length && ds.metrics.some(metrics=>metrics.enabled)); - } else { - metricsConfig = metricsConfig.replace(/\s/g, ''); - missingMetrics = metricsConfig.toLowerCase().split(','); - diagnosticSettings.data.forEach(settings => { - missingMetrics = missingMetrics.filter(requiredCategory => - !settings.metrics.some(metric => (metric.category && metric.category.toLowerCase() === requiredCategory && metric.enabled)) - ); - }); - } - missingConfig = [...missingLogs, ...missingMetrics]; - - if (!missingConfig.length && foundLogs && foundMetrics) { - helpers.addResult(results, 0, 'SQL database has diagnostic logs/metrics enabled', 
location, database.id); - - } else { - helpers.addResult(results, 2, `SQL database does not have diagnostic logs/metrics enabled ${missingConfig.length ? `for following: ${missingConfig.join(',')}` : ''}`, location, database.id); + + if (database.name && database.name.toLowerCase() !== 'master') { + + var diagnosticSettings = helpers.addSource(cache, source, ['diagnosticSettings', 'listByDatabase', location, database.id]); + + if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { + helpers.addResult(results, 3, 'Unable to query SQL database diagnostic settings: ' + helpers.addError(diagnosticSettings), location, database.id); + return; + + } + var foundLogs = true; + var foundMetrics = true; + + var missingLogs = []; + var missingMetrics = []; + var missingConfig = []; + + if (logsConfig == '*') { + foundLogs = diagnosticSettings.data.some(ds => ds.logs && ds.logs.length && ds.logs.some(log=>log.enabled)); + } else { + logsConfig = logsConfig.replace(/\s/g, ''); + missingLogs = logsConfig.toLowerCase().split(','); + diagnosticSettings.data.forEach(settings => { + missingLogs = missingLogs.filter(requiredCategory => + !settings.logs.some(log => (log.category && log.category.toLowerCase() === requiredCategory && log.enabled) || log.categoryGroup && log.categoryGroup.toLowerCase() === 'alllogs' && log.enabled) + ); + }); + } + if (metricsConfig == '*') { + foundMetrics = diagnosticSettings.data.some(ds => ds.metrics && ds.metrics.length && ds.metrics.some(metrics=>metrics.enabled)); + } else { + metricsConfig = metricsConfig.replace(/\s/g, ''); + missingMetrics = metricsConfig.toLowerCase().split(','); + diagnosticSettings.data.forEach(settings => { + missingMetrics = missingMetrics.filter(requiredCategory => + !settings.metrics.some(metric => (metric.category && metric.category.toLowerCase() === requiredCategory && metric.enabled)) + ); + }); + } + missingConfig = [...missingLogs, ...missingMetrics]; + + if (!missingConfig.length && 
foundLogs && foundMetrics) { + helpers.addResult(results, 0, 'SQL database has diagnostic logs/metrics enabled', location, database.id); + + } else { + helpers.addResult(results, 2, `SQL database does not have diagnostic logs/metrics enabled ${missingConfig.length ? `for following: ${missingConfig.join(',')}` : ''}`, location, database.id); + } } - }); } }); diff --git a/plugins/azure/sqldatabases/dbDiagnosticLoggingEnabled.spec.js b/plugins/azure/sqldatabases/dbDiagnosticLoggingEnabled.spec.js index 08b918b138..14401052c7 100644 --- a/plugins/azure/sqldatabases/dbDiagnosticLoggingEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbDiagnosticLoggingEnabled.spec.js @@ -9,7 +9,8 @@ const servers = [ const databases = [ { - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database" + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database" } ]; diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js index 73e2cd1c76..5d4c15329f 100644 --- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js +++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.js @@ -12,7 +12,7 @@ module.exports = { link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer'], realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:delete'], - + run: function(cache, settings, callback) { var results = []; var source = {}; 
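Review bot: In the re-indented block of dbDiagnosticLoggingEnabled.js, the non-wildcard branches call `settings.logs.some(...)` and `settings.metrics.some(...)` directly, while the `'*'` branches check `ds.logs && ds.logs.length` first. A diagnostic setting without a `logs` or `metrics` array would throw there and stop the plugin. Guard them the same way, e.g. `!(settings.logs || []).some(...)` and `!(settings.metrics || []).some(...)`. The callback parameter `settings` also shadows the `settings` argument of `run`, and `logsConfig` / `metricsConfig` are reassigned on every database iteration; both are worth cleaning up while the block is being moved.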
@@ -46,13 +46,15 @@ module.exports = { 'No databases found for SQL server', location, server.id); } else { databases.data.forEach(database => { - if (!database.preferredEnclaveType) { - helpers.addResult(results, 2, 'Secure enclaves encryption is disabled for SQL database', location, database.id); - } else { - helpers.addResult(results, 0, 'Secure enclaves encryption is enabled for SQL database', location, database.id); + + if (database.name && database.name.toLowerCase() !== 'master') { + if (!database.preferredEnclaveType) { + helpers.addResult(results, 2, 'Secure enclaves encryption is disabled for SQL database', location, database.id); + } else { + helpers.addResult(results, 0, 'Secure enclaves encryption is enabled for SQL database', location, database.id); + } } - } - ); + }); } } }); diff --git a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js index f55ebe699f..aadb492347 100644 --- a/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js +++ b/plugins/azure/sqldatabases/dbEnableSecureEnclaves.spec.js @@ -10,10 +10,12 @@ const servers = [ const databases = [ { "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", "preferredEnclaveType": "VBS", }, { "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database" }, ]; diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js index f9bc96c703..467079b564 100644 --- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.js 
@@ -12,7 +12,7 @@ module.exports = { link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-overview?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer', 'ledgerDigestUploads:list'], realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:ledgerdigestuploads:write', 'microsoftsql:servers:databases:delete'], - + run: function(cache, settings, callback) { var results = []; var source = {}; 
@@ -47,16 +47,20 @@ module.exports = { 'No databases found for SQL server', location, server.id); } else { databases.data.forEach(database => { - var ledgerDigestUploads = helpers.addSource(cache, source, ['ledgerDigestUploads', 'list', location, database.id]); - if (!ledgerDigestUploads || ledgerDigestUploads.err || !ledgerDigestUploads.data) { - helpers.addResult(results, 3, 'Unable to query for Ledger Digest Uploads for SQL database: ' + helpers.addError(ledgerDigestUploads), location, database.id); - } else { - if (ledgerDigestUploads.data.length && ledgerDigestUploads.data[0].state && ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') { - helpers.addResult(results, 0, 'Ledger automatic digest storage is enabled for SQL database', location, database.id); + + if (database.name && database.name.toLowerCase() !== 'master') { + + var ledgerDigestUploads = helpers.addSource(cache, source, ['ledgerDigestUploads', 'list', location, database.id]); + if (!ledgerDigestUploads || ledgerDigestUploads.err || !ledgerDigestUploads.data) { + helpers.addResult(results, 3, 'Unable to query for Ledger Digest Uploads for SQL database: ' + helpers.addError(ledgerDigestUploads), location, database.id); } else { - helpers.addResult(results, 2, 'Ledger automatic digest storage is not enabled for SQL database', location, database.id); + if (ledgerDigestUploads.data.length && ledgerDigestUploads.data[0].state && ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled') { + helpers.addResult(results, 0, 'Ledger automatic digest storage is enabled for SQL database', location, database.id); + } else { + helpers.addResult(results, 2, 'Ledger automatic digest storage is not enabled for SQL database', location, database.id); + } + } - } }); } diff --git a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js index 0060548a86..03f6aed903 100644 
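Review bot: The re-indented state check `ledgerDigestUploads.data[0].state.toLowerCase() == 'enabled'` still uses loose equality, while the guard added just above it uses `!==`. Both operands are strings, so `=== 'enabled'` behaves the same and matches the new code's style. The dbTDEEnabled.js hunk has the same pattern in `encryption.state.toLowerCase() == 'enabled'`. A short comment saying that only the first element of `ledgerDigestUploads.data` is inspected would also help the next reader.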
--- a/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbLedgerDigestStorageEnabled.spec.js @@ -10,6 +10,7 @@ const servers = [ const databases = [ { "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", } ]; diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.js b/plugins/azure/sqldatabases/dbLedgerEnabled.js index 970898c104..b4b93adaae 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.js @@ -12,7 +12,7 @@ module.exports = { link: 'https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-overview?view=sql-server-ver16', apis: ['servers:listSql', 'databases:listByServer'], realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:delete'], - + run: function(cache, settings, callback) { var results = []; var source = {}; @@ -48,16 +48,18 @@ module.exports = { } else { // Loop through databases databases.data.forEach(database => { - - if (database.isLedgerOn) { - helpers.addResult(results, 0, 'Ledger is enabled for SQL database', location, database.id); - } else { - helpers.addResult(results, 2, 'Ledger is not enabled for SQL database', location, database.id); + + if (database.name && database.name.toLowerCase() !== 'master') { + + if (database.isLedgerOn) { + helpers.addResult(results, 0, 'Ledger is enabled for SQL database', location, database.id); + } else { + helpers.addResult(results, 2, 'Ledger is not enabled for SQL database', location, database.id); + } } - }); } - + } }); diff --git a/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js index 7b62257fdc..7354e910df 100644 --- a/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbLedgerEnabled.spec.js 
@@ -10,10 +10,12 @@ const servers = [ const databases = [ { "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", "isLedgerOn": true, }, { "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", "isLedgerOn": false, } ]; diff --git a/plugins/azure/sqldatabases/dbRestorable.js b/plugins/azure/sqldatabases/dbRestorable.js index 3c49175f78..8513696b75 100644 --- a/plugins/azure/sqldatabases/dbRestorable.js +++ b/plugins/azure/sqldatabases/dbRestorable.js @@ -54,12 +54,15 @@ module.exports = { } else { // Loop through databases databases.data.forEach(function(database) { - if (database.earliestRestoreDate) { - helpers.addResult(results, 0, - 'SQL Database is restorable', location, database.id); - } else { - helpers.addResult(results, 2, - 'SQL Database is not restorable', location, database.id); + if (database.name && database.name.toLowerCase() !== 'master') { + + if (database.earliestRestoreDate) { + helpers.addResult(results, 0, + 'SQL Database is restorable', location, database.id); + } else { + helpers.addResult(results, 2, + 'SQL Database is not restorable', location, database.id); + } } }); } diff --git a/plugins/azure/sqldatabases/dbRestorable.spec.js b/plugins/azure/sqldatabases/dbRestorable.spec.js index b490adf620..bb81c2a415 100644 --- a/plugins/azure/sqldatabases/dbRestorable.spec.js +++ b/plugins/azure/sqldatabases/dbRestorable.spec.js 
@@ -9,11 +9,13 @@ const servers = [ const databases = [ { - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/master", - "earliestRestoreDate": "2021-03-05T16:01:34Z", + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", + "earliestRestoreDate": "2021-03-05T16:01:34Z", }, { - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/master", + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database" } ]; @@ -148,4 +150,4 @@ describe('dbRestorable', function() { dbRestorable.run(cache, {}, callback); }); }) -}) \ No newline at end of file +}) diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js index 90e88a5073..5c12348c90 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.js @@ -12,7 +12,7 @@ module.exports = { link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-data-sync-data-sql-server-sql-database?view=azuresql', apis: ['servers:listSql', 'databases:listByServer', 'syncGroups:list'], realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:syncgroups:write', 'microsoftsql:servers:databases:delete'], - + run: function(cache, settings, callback) { var results = []; var source = {}; @@ -35,7 +35,7 @@ module.exports = { // Loop through servers and check databases servers.data.forEach(function(server) { - + var databases = helpers.addSource(cache, source, ['databases', 'listByServer', location, server.id]); 
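Review bot: Both fixtures in this dbRestorable.spec.js hunk change from a `master` id to `test-database`, and no spec hunk visible in this diff adds a case for a database named `master`, so the new exclusion in dbRestorable.js appears to be untested. Add a fixture with `"name": "master"` (and a placeholder id ending in `/databases/master`) plus a test asserting that no result is recorded for it. A second fixture without `name` would pin down what the plugin should do in that case. The same gap applies to the sqlDbMultiAz.spec.js hunk, and the `describe` body lies outside this hunk.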
@@ -48,31 +48,33 @@ module.exports = { 'No databases found for SQL server', location, server.id); } else { databases.data.forEach(database => { - - var syncGroups = helpers.addSource(cache, source, ['syncGroups', 'list', location, database.id]); - if (!syncGroups || syncGroups.err || !syncGroups.data) { - helpers.addResult(results, 3, 'Unable to query for SQL Database sync groups: ' + helpers.addError(syncGroups), location, database.id); - return; - } - if (!syncGroups.data.length) { - helpers.addResult(results, 0, - 'No sync groups found for SQL database', location, database.id); - } else { - var missingPrivateConfigGrps = syncGroups.data.filter((e) => !e.usePrivateLinkConnection).map((e) => e.name); - - if (missingPrivateConfigGrps.length) { - helpers.addResult(results, 2, `Following SQL Database sync groups are not configured to use private link: ${missingPrivateConfigGrps.join(', ')} `, location, database.id); - + if (database.name && database.name.toLowerCase() !== 'master') { + + var syncGroups = helpers.addSource(cache, source, ['syncGroups', 'list', location, database.id]); + + if (!syncGroups || syncGroups.err || !syncGroups.data) { + helpers.addResult(results, 3, 'Unable to query for SQL Database sync groups: ' + helpers.addError(syncGroups), location, database.id); + return; + } + if (!syncGroups.data.length) { + helpers.addResult(results, 0, + 'No sync groups found for SQL database', location, database.id); } else { - helpers.addResult(results, 0, 'All SQL Database sync groups are configured to use private link', location, database.id); + var missingPrivateConfigGrps = syncGroups.data.filter((e) => !e.usePrivateLinkConnection).map((e) => e.name); + + if (missingPrivateConfigGrps.length) { + helpers.addResult(results, 2, `Following SQL Database sync groups are not configured to use private link: ${missingPrivateConfigGrps.join(', ')} `, location, database.id); + + } else { + helpers.addResult(results, 0, 'All SQL Database sync groups are configured to 
use private link', location, database.id); + } } } - }); } } - + }); rcb(); diff --git a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js index 6d7b15d8dc..eaeae69d80 100644 --- a/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js +++ b/plugins/azure/sqldatabases/dbSyncGroupPrivateLink.spec.js @@ -9,7 +9,8 @@ const servers = [ const databases = [ { - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database" + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database" } ]; diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.js b/plugins/azure/sqldatabases/dbTDEEnabled.js index 2480ba955e..1352a00de8 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.js @@ -12,7 +12,7 @@ module.exports = { link: 'https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15', apis: ['servers:listSql', 'databases:listByServer', 'transparentDataEncryption:list'], realtime_triggers: ['microsoftsql:servers:write', 'microsoftsql:servers:delete', 'microsoftsql:servers:databases:write', 'microsoftsql:servers:databases:transparentdataencryption:write', 'microsoftsql:servers:databases:delete'], - + run: function(cache, settings, callback) { var results = []; var source = {}; 
@@ -46,23 +46,25 @@ module.exports = { 'No databases found for SQL server', location, server.id); } else { databases.data.forEach(database => { - - var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]); - - if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) { - helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id); - return; - } - var encryption = transparentDataEncryption.data[0]; - if (encryption.state && encryption.state.toLowerCase() == 'enabled') { - helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id); - } else { - helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id); + + if (database.name && database.name.toLowerCase() !== 'master') { + var transparentDataEncryption = helpers.addSource(cache, source, ['transparentDataEncryption', 'list', location, database.id]); + + if (!transparentDataEncryption || transparentDataEncryption.err || !transparentDataEncryption.data || !transparentDataEncryption.data.length) { + helpers.addResult(results, 3, 'Unable to query transparent data encryption for SQL Database: ' + helpers.addError(transparentDataEncryption), location, database.id); + return; + } + var encryption = transparentDataEncryption.data[0]; + if (encryption.state && encryption.state.toLowerCase() == 'enabled') { + helpers.addResult(results, 0, 'Transparent data encryption is enabled for SQL Database', location, database.id); + } else { + helpers.addResult(results, 2, 'Transparent data encryption is not enabled for SQL Database', location, database.id); + } } }); } } - + }); rcb(); 
diff --git a/plugins/azure/sqldatabases/dbTDEEnabled.spec.js b/plugins/azure/sqldatabases/dbTDEEnabled.spec.js index 13a9b17c64..f85fca17ed 100644 --- a/plugins/azure/sqldatabases/dbTDEEnabled.spec.js +++ b/plugins/azure/sqldatabases/dbTDEEnabled.spec.js @@ -9,7 +9,8 @@ const servers = [ const databases = [ { - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database" + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", } ]; diff --git a/plugins/azure/sqldatabases/pitrBackupEnabled.js b/plugins/azure/sqldatabases/pitrBackupEnabled.js index 311a393f64..18215ebafa 100644 --- a/plugins/azure/sqldatabases/pitrBackupEnabled.js +++ b/plugins/azure/sqldatabases/pitrBackupEnabled.js 
@@ -55,43 +55,45 @@ module.exports = { 'Unable to query for SQL server databases: ' + helpers.addError(databases), location, server.id); return scb(); } - + if (!databases.data.length) { helpers.addResult(results, 0, 'No databases found for SQL server', location, server.id); return scb(); } - + for (const database of databases.data) { - const policies = helpers.addSource(cache, source, - ['backupShortTermRetentionPolicies', 'listByDatabase', location, database.id]); - - if (!policies || policies.err || !policies.data) { - helpers.addResult(results, 3, - 'Unable to query for SQL database retention policies: ' + helpers.addError(policies), location, database.id); - continue; - } - - if (!policies.data.length) { - helpers.addResult(results, 0, - 'No retention policies found for SQL database', location, database.id); - continue; - } - - for (const policy of policies.data) { - let retentionDays = 0; - if (policy.retentionDays){ - retentionDays = policy.retentionDays; + if (database.name && database.name.toLowerCase() !== 'master') { + const policies = helpers.addSource(cache, source, + ['backupShortTermRetentionPolicies', 'listByDatabase', location, database.id]); + + if (!policies || policies.err || !policies.data) { + helpers.addResult(results, 3, + 'Unable to query for SQL database retention policies: ' + helpers.addError(policies), location, database.id); + continue; } - if (retentionDays >= config.retentionDays) { + if (!policies.data.length) { helpers.addResult(results, 0, - `SQL Database is configured to retain backups for ${retentionDays} of ${config.retentionDays} days desired limit`, - location, database.id); - } else { - helpers.addResult(results, 2, - `SQL Database is configured to retain backups for ${retentionDays} of ${config.retentionDays} days desired limit`, - location, database.id); + 'No retention policies found for SQL database', location, database.id); + continue; + } + + for (const policy of policies.data) { + let retentionDays = 0; + if 
(policy.retentionDays){ + retentionDays = policy.retentionDays; + } + + if (retentionDays >= config.retentionDays) { + helpers.addResult(results, 0, + `SQL Database is configured to retain backups for ${retentionDays} of ${config.retentionDays} days desired limit`, + location, database.id); + } else { + helpers.addResult(results, 2, + `SQL Database is configured to retain backups for ${retentionDays} of ${config.retentionDays} days desired limit`, + location, database.id); + } } } } diff --git a/plugins/azure/sqldatabases/sqlDbMultiAz.js b/plugins/azure/sqldatabases/sqlDbMultiAz.js index 2c9c3d6e14..27dba4c76d 100644 --- a/plugins/azure/sqldatabases/sqlDbMultiAz.js +++ b/plugins/azure/sqldatabases/sqlDbMultiAz.js @@ -50,12 +50,14 @@ module.exports = { } else { // Loop through databases databases.data.forEach(function(database) { - if (database.zoneRedundant) { - helpers.addResult(results, 0, - 'SQL Database has zone redundancy enabled', location, database.id); - } else { - helpers.addResult(results, 2, - 'SQL Database does not have zone redundancy enabled', location, database.id); + if (database.name && database.name.toLowerCase() !== 'master') { + if (database.zoneRedundant) { + helpers.addResult(results, 0, + 'SQL Database has zone redundancy enabled', location, database.id); + } else { + helpers.addResult(results, 2, + 'SQL Database does not have zone redundancy enabled', location, database.id); + } } }); } @@ -67,4 +69,4 @@ module.exports = { callback(null, results, source); }); } -}; \ No newline at end of file +}; diff --git a/plugins/azure/sqldatabases/sqlDbMultiAz.spec.js b/plugins/azure/sqldatabases/sqlDbMultiAz.spec.js index 4aee455499..b2cd085c5e 100644 --- a/plugins/azure/sqldatabases/sqlDbMultiAz.spec.js +++ b/plugins/azure/sqldatabases/sqlDbMultiAz.spec.js 
@@ -9,11 +9,13 @@ const servers = [ const databases = [ { - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/master", - "zoneRedundant": true, + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", + "zoneRedundant": true, }, { - "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/master", + "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Sql/servers/test-server/databases/test-database", + "name": "test-database", "zoneRedundant": false, } ]; @@ -149,4 +151,4 @@ describe('sqlDbMultiAz', function() { sqlDbMultiAz.run(cache, {}, callback); }); }) -}) \ No newline at end of file +})