TLS Version Changes (#2115)
* TLS Version Changes New

* TLS fixes

---------

Co-authored-by: AkhtarAmir <AkhtarAmir>
AkhtarAmir authored Nov 11, 2024
1 parent 4af0f44 commit de7c35a
Showing 4 changed files with 29 additions and 44 deletions.
16 changes: 3 additions & 13 deletions plugins/azure/eventhub/eventHubMinimumTLSversion.js
Expand Up @@ -11,26 +11,16 @@ module.exports = {
recommended_action: 'Modify Event Hubs namespaces to set the desired minimum TLS version.',
link: 'https://learn.microsoft.com/en-us/azure/event-hubs/transport-layer-security-enforce-minimum-version',
apis: ['eventHub:listEventHub'],
settings: {
event_hub_min_tls_version: {
name: 'Event Hub Minimum TLS Version',
description: 'Minimum desired TLS version for Microsoft Azure Event Hubs',
regex: '^(1.0|1.1|1.2)$',
default: '1.2'
}
},
realtime_triggers: ['microsofteventhub:namespaces:write', 'microsofteventhub:namespaces:delete'],

run: function(cache, settings, callback) {
var results = [];
var source = {};
var locations = helpers.locations(settings.govcloud);

var config = {
event_hub_min_tls_version: settings.event_hub_min_tls_version || this.settings.event_hub_min_tls_version.default
};
var event_hub_min_tls_version = '1.2';

var desiredVersion = parseFloat(config.event_hub_min_tls_version);
var desiredVersion = parseFloat(event_hub_min_tls_version);

async.each(locations.eventHub, function(location, rcb) {
var eventHubs = helpers.addSource(cache, source,
Expand Down Expand Up @@ -58,7 +48,7 @@ module.exports = {
location, eventHub.id);
} else {
helpers.addResult(results, 2,
`Event Hubs namespace is using TLS version ${eventHub.minimumTlsVersion} instead of version ${config.event_hub_min_tls_version}`,
`Event Hubs namespace is using TLS version ${eventHub.minimumTlsVersion} instead of version ${event_hub_min_tls_version}`,
location, eventHub.id);
}
}
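Review bot: The minimum version is now a bare string literal assigned inside `run` (`var event_hub_min_tls_version = '1.2';`), and any `settings.event_hub_min_tls_version` a caller still passes is dropped without notice; the same pattern appears in sqlServerTlsVersion.js (`sql_server_min_tls_version`) and storageAccountsTlsVersion.js (`sa_min_tls_version`). Pinning the floor at 1.2 is the stricter choice, but the reason should be recorded in the code: hoist it to a module-level `const MIN_TLS_VERSION = '1.2';` with a comment such as `// Fixed floor: TLS 1.0/1.1 are not accepted as compliant, so this is intentionally not configurable`. The `recommended_action` text still says "desired minimum TLS version", which reads as if the threshold were configurable. `run` continues outside the visible hunks, so the passing branch and any other use of the old `config` object could not be checked here.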
18 changes: 4 additions & 14 deletions plugins/azure/sqlserver/sqlServerTlsVersion.js
Expand Up @@ -11,14 +11,6 @@ module.exports = {
recommended_action: 'Modify SQL server firewall and virtual network settings to set desired minimum TLS version.',
link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings#minimal-tls-version',
apis: ['servers:listSql'],
settings: {
sql_server_min_tls_version: {
name: 'SQL Server Minimum TLS Version',
description: 'Minimum desired TLS version for Microsoft Azure SQL servers',
regex: '^(1.0|1.1|1.2)$',
default: '1.2'
}
},
remediation_min_version: '202104012200',
remediation_description: 'TLS version 1.2 will be set for the affected SQL server',
apis_remediate: ['servers:listSql'],
Expand All @@ -31,11 +23,9 @@ module.exports = {
var source = {};
var locations = helpers.locations(settings.govcloud);

var config = {
sql_server_min_tls_version: settings.sql_server_min_tls_version || this.settings.sql_server_min_tls_version.default
};
var sql_server_min_tls_version = '1.2';

var desiredVersion = parseFloat(config.sql_server_min_tls_version);
var desiredVersion = parseFloat(sql_server_min_tls_version);

async.each(locations.servers, function(location, rcb) {
var servers = helpers.addSource(cache, source,
Expand All @@ -60,11 +50,11 @@ module.exports = {
if (server.minimalTlsVersion) {
if (parseFloat(server.minimalTlsVersion) >= desiredVersion) {
helpers.addResult(results, 0,
`SQL server is using TLS version ${server.minimalTlsVersion} which is equal to or higher than desired TLS version ${config.sql_server_min_tls_version}`,
`SQL server is using TLS version ${server.minimalTlsVersion} which is equal to or higher than desired TLS version ${sql_server_min_tls_version}`,
location, server.id);
} else {
helpers.addResult(results, 2,
`SQL server is using TLS version ${server.minimalTlsVersion} which is less than desired TLS version ${config.sql_server_min_tls_version}`,
`SQL server is using TLS version ${server.minimalTlsVersion} which is less than desired TLS version ${sql_server_min_tls_version}`,
location, server.id);
}
} else {
19 changes: 17 additions & 2 deletions plugins/azure/sqlserver/sqlServerTlsVersion.spec.js
Expand Up @@ -30,6 +30,21 @@ const servers = [
"fullyQualifiedDomainName": "test-server.database.windows.net",
"privateEndpointConnections": [],
"publicNetworkAccess": "Enabled"
},
{
"kind": "v12.0",
"location": "eastus",
"tags": {},
"id": "/subscriptions/123/resourceGroups/akhtar-rg/providers/Microsoft.Sql/servers/test-server",
"name": "test-server",
"type": "Microsoft.Sql/servers",
"administratorLogin": "aqua",
"version": "12.0",
"state": "Ready",
"fullyQualifiedDomainName": "test-server.database.windows.net",
"privateEndpointConnections": [],
"minimalTlsVersion": "1.2",
"publicNetworkAccess": "Enabled"
}
];

Expand Down Expand Up @@ -106,10 +121,10 @@ describe('sqlServerTlsVersion', function() {
};

const cache = createCache(
[servers[0]]
[servers[2]]
);

sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.0' }, callback);
sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.2' }, callback);
});

it('should give unknown result if unable to query for SQL servers', function(done) {
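Review bot: The settings object on the changed call, `{ sql_server_min_tls_version: '1.2' }`, no longer has any effect, because this commit hard-codes the floor in sqlServerTlsVersion.js; keeping it makes the test read as if the threshold were still configurable. Pass `{}` here instead. It would also help to add a case that runs a server below 1.2 with `{ sql_server_min_tls_version: '1.0' }` and expects status 2, so that a later change cannot quietly let callers lower the floor again. The test body and its callback start outside the hunk, so the asserted status is not visible here.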
20 changes: 5 additions & 15 deletions plugins/azure/storageaccounts/storageAccountsTlsVersion.js
Expand Up @@ -12,14 +12,6 @@ module.exports = {
recommended_action: 'Modify Storage Account configuration and set desired minimum TLS version',
link: 'https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version',
apis: ['storageAccounts:list'],
settings: {
sa_min_tls_version: {
name: 'Storage Account Minimum TLS Version',
description: 'Minimum desired TLS version for Microsoft Azure Storage Accounts',
regex: '^(1.0|1.1|1.2)$',
default: '1.2'
}
},
remediation_min_version: '202112312200',
remediation_description: 'TLS version 1.2 will be set for the affected Storage Accounts',
apis_remediate: ['storageAccounts:list'],
Expand All @@ -32,11 +24,9 @@ module.exports = {
var source = {};
var locations = helpers.locations(settings.govcloud);

var config = {
sa_min_tls_version: settings.sa_min_tls_version || this.settings.sa_min_tls_version.default
};
var sa_min_tls_version = '1.2';

var desiredVersion = parseFloat(config.sa_min_tls_version);
var desiredVersion = parseFloat(sa_min_tls_version);

async.each(locations.storageAccounts, function(location, rcb) {
var storageAccounts = helpers.addSource(cache, source,
Expand All @@ -58,17 +48,17 @@ module.exports = {
storageAccounts.data.forEach(function(storageAccount) {
if (!storageAccount.id) return;

let tlsVersion = storageAccount.minimumTlsVersion ? storageAccount.minimumTlsVersion : 'TLS1.0'; //Default is TLS 1.0
let tlsVersion = storageAccount.minimumTlsVersion ? storageAccount.minimumTlsVersion : 'TLS1.2'; //Default is TLS 1.2
tlsVersion = tlsVersion.replace('TLS', '');
tlsVersion = tlsVersion.replace('_', '.');

if (parseFloat(tlsVersion) >= desiredVersion) {
helpers.addResult(results, 0,
`Storage Account is using TLS version ${tlsVersion} which is equal to or higher than desired TLS version ${config.sa_min_tls_version}`,
`Storage Account is using TLS version ${tlsVersion} which is equal to or higher than desired TLS version ${sa_min_tls_version}`,
location, storageAccount.id);
} else {
helpers.addResult(results, 2,
`Storage Account is using TLS version ${tlsVersion} which is less than desired TLS version ${config.sa_min_tls_version}`,
`Storage Account is using TLS version ${tlsVersion} which is less than desired TLS version ${sa_min_tls_version}`,
location, storageAccount.id);
}
});
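Review bot: A storage account with no `minimumTlsVersion` now falls back to `'TLS1.2'` and is reported as passing, where the previous `'TLS1.0'` fallback made it fail, so the check fails open on missing data. Whether an unset property really means a 1.2 floor depends on how Azure treats that account; Azure's documentation has described an unset value as permitting TLS 1.0, so this should be confirmed before it is counted as compliant. It is safer to report the absent case on its own than to guess, e.g. `if (!storageAccount.minimumTlsVersion) { helpers.addResult(results, 2, 'Storage Account does not have a minimum TLS version configured', location, storageAccount.id); return; }`. No spec for this plugin is among the four changed files, so a test for the absent-property case would be worth adding.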
