From 702659959c5ba9704abac4d65f5c84caa4466e9e Mon Sep 17 00:00:00 2001 From: Prowler Bot Date: Tue, 14 Jan 2025 21:25:27 +0100 Subject: [PATCH] fix(Azure TDE): add filter for master DB (#6514) Co-authored-by: johannes-engler-mw <132657752+johannes-engler-mw@users.noreply.github.com> --- .../sqlserver_tde_encryption_enabled.py | 2 + .../sqlserver_tde_encryption_enabled_test.py | 65 +++++++++++++++++++ 2 files changed, 67 insertions(+) diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py index 728ddc986f..9750b2843d 100644 --- a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py +++ b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py @@ -12,6 +12,8 @@ class sqlserver_tde_encryption_enabled(Check): ) if len(databases) > 0: for database in databases: + if database.name.lower() == "master": + continue report = Check_Report_Azure(self.metadata()) report.subscription = subscription report.resource_name = database.name diff --git a/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py b/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py index 667c0333c6..9ea404f8ec 100644 --- a/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py +++ b/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py @@ -177,3 +177,68 @@ class Test_sqlserver_tde_encryption_enabled: assert result[0].resource_name == database_name assert result[0].resource_id == database_id assert result[0].location == "location" + + def test_sql_servers_database_encryption_disabled_on_master_db(self): + sqlserver_client = mock.MagicMock + sql_server_name = "SQL Server Name" + sql_server_id = str(uuid4()) + database_master_name = "MASTER" + database_master_id = str(uuid4()) + database_master = Database( + id=database_master_id, + name=database_master_name, + type="type", + location="location", + managed_by="managed_by", + tde_encryption=TransparentDataEncryption(status="Disabled"), + ) + database_name = "Database Name" + database_id = str(uuid4()) + database = Database( + id=database_id, + name=database_name, + type="type", + location="location", + managed_by="managed_by", + tde_encryption=TransparentDataEncryption(status="Enabled"), + ) + sqlserver_client.sql_servers = { + AZURE_SUBSCRIPTION_ID: [ + Server( + id=sql_server_id, + name=sql_server_name, + public_network_access="", + minimal_tls_version="", + administrators=None, + auditing_policies=None, + firewall_rules=None, + databases=[database_master, database], + encryption_protector=None, + location="location", + ) + ] + } + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_azure_provider(), + ), mock.patch( + "prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled.sqlserver_client", + new=sqlserver_client, + ): + from prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled import ( + sqlserver_tde_encryption_enabled, + ) + + check = sqlserver_tde_encryption_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"Database {database_name} from SQL Server {sql_server_name} from subscription {AZURE_SUBSCRIPTION_ID} has TDE enabled" + ) + assert result[0].subscription == AZURE_SUBSCRIPTION_ID + assert result[0].resource_name == database_name + assert result[0].resource_id == database_id + assert result[0].location == "location"