Merge pull request #153 from nccgroup/feature/#26-new-finding-azure-s…

…ql-no-tde-nor-ad-admin-configured feature/#26-new-finding-azure-sql-no-tde-nor-ad-admin-configured
nccgroup · Feb 7, 2019 · 9c6ba74 · 9c6ba74
2 parents 6a0556b + d0bdffd
commit 9c6ba74
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 0 deletions.
diff --git a/ScoutSuite/output/data/html/partials/azure/services.sqldatabase.servers.html b/ScoutSuite/output/data/html/partials/azure/services.sqldatabase.servers.html
@@ -7,6 +7,7 @@ <h4 class="list-group-item-heading">{{name}}</h4>
     <div class="list-group-item">
         <h4 class="list-group-item-heading">Information</h4>
         <div class="list-group-item-text item-margin">SQL Server Name: <span id="sqldatabase.servers.{{@key}}.name">{{name}}</span></div>
+        <div class="list-group-item-text item-margin">Azure Active Directory admin configured: <span id="sqldatabase.servers.{{@key}}.ad_admin_configured">{{ad_admin_configured}}</span></div>
     </div>
 
     <div class="list-group-item">
@@ -17,6 +18,7 @@ <h4 class="list-group-item-heading">SQL Databases</h4>
             <div class="list-group-item-text item-margin">
                 <div class="list-group-item-text item-margin">Auditing: <span id="sqldatabase.servers.{{@../key}}.databases.{{@key}}.auditing_enabled">{{ convert_bool_to_enabled auditing_enabled }}</span></div>
                 <div class="list-group-item-text item-margin">Threat detection: <span id="sqldatabase.servers.{{@../key}}.databases.{{@key}}.threat_detection_enabled">{{ convert_bool_to_enabled threat_detection_enabled }}</span></div>
+                <div class="list-group-item-text item-margin">Transparent data encryption: <span id="sqldatabase.servers.{{@../key}}.databases.{{@key}}.transparent_data_encryption_enabled">{{ convert_bool_to_enabled transparent_data_encryption_enabled }}</span></div>
             </div>
         {{/each}}
         </div>

diff --git a/.../providers/azure/rules/findings/sqldatabase-databases-no-transparent-data-encryption.json b/.../providers/azure/rules/findings/sqldatabase-databases-no-transparent-data-encryption.json
@@ -0,0 +1,11 @@
+{
+    "dashboard_name": "SQL Databases",
+    "description": "Transparent Data Encryption disabled",
+    "rationale": "You should enable transparent data encryption for all of your SQL databases. See CIS 4.2.6.",
+    "path": "sqldatabase.servers.id.databases.id",
+    "display_path": "sqldatabase.servers.id",
+    "conditions": [ "and",
+        [ "sqldatabase.servers.id.databases.id.transparent_data_encryption_enabled", "false", "" ]
+    ],
+    "id_suffix": "transparent_data_encryption_enabled"
+}
diff --git a/ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-no-ad-admin-configured.json b/ScoutSuite/providers/azure/rules/findings/sqldatabase-servers-no-ad-admin-configured.json
@@ -0,0 +1,11 @@
+{
+    "dashboard_name": "SQL Databases",
+    "description": "Azure Active Directory Admin not configured",
+    "rationale": "You should set an Azure Active Directory admin for every SQL server. See CIS 4.1.8.",
+    "path": "sqldatabase.servers.id",
+    "display_path": "sqldatabase.servers.id",
+    "conditions": [ "and",
+        [ "sqldatabase.servers.id.ad_admin_configured", "false", "" ]
+    ],
+    "id_suffix": "ad_admin_configured"
+}
diff --git a/ScoutSuite/providers/azure/rules/rulesets/default.json b/ScoutSuite/providers/azure/rules/rulesets/default.json
@@ -30,6 +30,18 @@
         "enabled": true,
         "level": "warning"
       }
+    ],
+    "sqldatabase-databases-no-transparent-data-encryption.json": [
+      {
+        "enabled": true,
+        "level": "warning"
+      }
+    ],
+    "sqldatabase-servers-no-ad-admin-configured.json": [
+      {
+        "enabled": true,
+        "level": "warning"
+      }
     ]
   }
 }
diff --git a/ScoutSuite/providers/azure/services/sqldatabase.py b/ScoutSuite/providers/azure/services/sqldatabase.py
@@ -2,6 +2,7 @@
 
 from ScoutSuite.providers.azure.configs.base import AzureBaseConfig
 from ScoutSuite.providers.azure.utils import get_resource_group_name
+from msrestazure.azure_exceptions import CloudError
 
 class SQLDatabaseConfig(AzureBaseConfig):
     targets = (
@@ -19,10 +20,14 @@ def parse_servers(self, server, params):
         server_dict = {}
         server_dict['id'] = self.get_non_provider_id(server.id)
         server_dict['name'] = server.name
+        server_dict['ad_admin_configured'] = self._is_ad_admin_configured(server)
         server_dict['databases'] = self._parse_databases(server)
 
         self.servers[server_dict['id']] = server_dict
 
+    def _is_ad_admin_configured(self, server):
+        return server.azure_ad_admin_settings is not None
+
     def _parse_databases(self, server):
         databases = {}
         for db in server.databases:
@@ -34,6 +39,7 @@ def _parse_databases(self, server):
             db_dict['id'] = db.name
             db_dict['auditing_enabled'] = self._is_auditing_enabled(db)
             db_dict['threat_detection_enabled'] = self._is_threat_detection_enabled(db)
+            db_dict['transparent_data_encryption_enabled'] = self._is_transparent_data_encryption_enabled(db)
             databases[db.name] = db_dict
 
         return databases
@@ -44,6 +50,9 @@ def _is_auditing_enabled(self, db):
     def _is_threat_detection_enabled(self, db):
         return db.threat_detection_settings.state == "Enabled"
 
+    def _is_transparent_data_encryption_enabled(self, db):
+        return db.transparent_data_encryption_settings.status == "Enabled"
+
     def _get_targets(self, response_attribute, api_client, method, list_params, ignore_list_error):
         if response_attribute == "Servers":
             return self._get_servers(api_client, method, list_params)
@@ -56,6 +65,8 @@ def _get_servers(self, api_client, method, list_params):
         servers_raw = method(**list_params)
         for server in servers_raw:
             resource_group_name = get_resource_group_name(server.id)
+            setattr(server, "azure_ad_admin_settings",
+                    self._get_azure_ad_admin_settings(api_client, resource_group_name, server.name))
             setattr(server, "databases",
                     self._get_databases(api_client, resource_group_name, server.name))
             servers.append(server)
@@ -70,6 +81,8 @@ def _get_databases(self, api_client, resource_group_name, server_name):
                     self._get_auditing_settings(api_client, resource_group_name, server_name, db.name))
             setattr(db, "threat_detection_settings",
                     self._get_threat_detection_settings(api_client, resource_group_name, server_name, db.name))
+            setattr(db, "transparent_data_encryption_settings",
+                    self._get_transparent_data_encryption_settings(api_client, resource_group_name, server_name, db.name))
             databases.append(db)
 
         return databases
@@ -79,3 +92,12 @@ def _get_auditing_settings(self, api_client, resource_group_name, server_name, d
 
     def _get_threat_detection_settings(self, api_client, resource_group_name, server_name, database_name):
         return api_client.database_threat_detection_policies.get(resource_group_name, server_name, database_name)
+
+    def _get_transparent_data_encryption_settings(self, api_client, resource_group_name, server_name, database_name):
+        return api_client.transparent_data_encryptions.get(resource_group_name, server_name, database_name)
+
+    def _get_azure_ad_admin_settings(self, api_client, resource_group_name, server_name):
+        try:
+            return api_client.server_azure_ad_administrators.get(resource_group_name, server_name)
+        except CloudError:  # no ad admin configured returns a 404 error
+            return None