TLS Version Changes (#2115)

* TLS Version Changes New

* TLS fixes

---------

Co-authored-by: AkhtarAmir <AkhtarAmir>

Author: AkhtarAmir

plugins/azure/eventhub/eventHubMinimumTLSversion.js

@@ -11,26 +11,16 @@ module.exports = {
     recommended_action: 'Modify Event Hubs namespaces to set the desired minimum TLS version.',
     link: 'https://learn.microsoft.com/en-us/azure/event-hubs/transport-layer-security-enforce-minimum-version',
     apis: ['eventHub:listEventHub'],
-    settings: {
-        event_hub_min_tls_version: {
-            name: 'Event Hub Minimum TLS Version',
-            description: 'Minimum desired TLS version for Microsoft Azure Event Hubs',
-            regex: '^(1.0|1.1|1.2)$',
-            default: '1.2'
-        }
-    },
     realtime_triggers: ['microsofteventhub:namespaces:write', 'microsofteventhub:namespaces:delete'],
 
     run: function(cache, settings, callback) {
         var results = [];
         var source = {};
         var locations = helpers.locations(settings.govcloud);
 
-        var config = {
-            event_hub_min_tls_version: settings.event_hub_min_tls_version || this.settings.event_hub_min_tls_version.default
-        };
+        var event_hub_min_tls_version = '1.2';
 
-        var desiredVersion = parseFloat(config.event_hub_min_tls_version);
+        var desiredVersion = parseFloat(event_hub_min_tls_version);
 
         async.each(locations.eventHub, function(location, rcb) {
             var eventHubs = helpers.addSource(cache, source,
@@ -58,7 +48,7 @@ module.exports = {
                         location, eventHub.id);
                 } else {
                     helpers.addResult(results, 2,
-                        `Event Hubs namespace is using TLS version ${eventHub.minimumTlsVersion} instead of version ${config.event_hub_min_tls_version}`,
+                        `Event Hubs namespace is using TLS version ${eventHub.minimumTlsVersion} instead of version ${event_hub_min_tls_version}`,
                         location, eventHub.id);
                 }
             }

plugins/azure/sqlserver/sqlServerTlsVersion.js

@@ -11,14 +11,6 @@ module.exports = {
     recommended_action: 'Modify SQL server firewall and virtual network settings to set desired minimum TLS version.',
     link: 'https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings#minimal-tls-version',
     apis: ['servers:listSql'],
-    settings: {
-        sql_server_min_tls_version: {
-            name: 'SQL Server Minimum TLS Version',
-            description: 'Minimum desired TLS version for Microsoft Azure SQL servers',
-            regex: '^(1.0|1.1|1.2)$',
-            default: '1.2'
-        }
-    },
     remediation_min_version: '202104012200',
     remediation_description: 'TLS version 1.2 will be set for the affected SQL server',
     apis_remediate: ['servers:listSql'],
@@ -31,11 +23,9 @@ module.exports = {
         var source = {};
         var locations = helpers.locations(settings.govcloud);
 
-        var config = {
-            sql_server_min_tls_version: settings.sql_server_min_tls_version || this.settings.sql_server_min_tls_version.default
-        };
+        var sql_server_min_tls_version = '1.2';
 
-        var desiredVersion = parseFloat(config.sql_server_min_tls_version);
+        var desiredVersion = parseFloat(sql_server_min_tls_version);
 
         async.each(locations.servers, function(location, rcb) {
             var servers = helpers.addSource(cache, source,
@@ -60,11 +50,11 @@ module.exports = {
                 if (server.minimalTlsVersion) {
                     if (parseFloat(server.minimalTlsVersion) >= desiredVersion) {
                         helpers.addResult(results, 0,
-                            `SQL server is using TLS version ${server.minimalTlsVersion} which is equal to or higher than desired TLS version ${config.sql_server_min_tls_version}`,
+                            `SQL server is using TLS version ${server.minimalTlsVersion} which is equal to or higher than desired TLS version ${sql_server_min_tls_version}`,
                             location, server.id);
                     } else {
                         helpers.addResult(results, 2,
-                            `SQL server is using TLS version ${server.minimalTlsVersion} which is less than desired TLS version ${config.sql_server_min_tls_version}`,
+                            `SQL server is using TLS version ${server.minimalTlsVersion} which is less than desired TLS version ${sql_server_min_tls_version}`,
                             location, server.id);   
                     }
                 } else {

plugins/azure/sqlserver/sqlServerTlsVersion.spec.js

@@ -30,6 +30,21 @@ const servers = [
         "fullyQualifiedDomainName": "test-server.database.windows.net",
         "privateEndpointConnections": [],
         "publicNetworkAccess": "Enabled"
+    },
+    {
+        "kind": "v12.0",
+        "location": "eastus",
+        "tags": {},
+        "id": "/subscriptions/123/resourceGroups/akhtar-rg/providers/Microsoft.Sql/servers/test-server",
+        "name": "test-server",
+        "type": "Microsoft.Sql/servers",
+        "administratorLogin": "aqua",
+        "version": "12.0",
+        "state": "Ready",
+        "fullyQualifiedDomainName": "test-server.database.windows.net",
+        "privateEndpointConnections": [],
+        "minimalTlsVersion": "1.2",
+        "publicNetworkAccess": "Enabled"
     }
 ];
 
@@ -106,10 +121,10 @@ describe('sqlServerTlsVersion', function() {
             };
 
             const cache = createCache(
-                [servers[0]]
+                [servers[2]]
             );
 
-            sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.0' }, callback);
+            sqlServerTlsVersion.run(cache, { sql_server_min_tls_version: '1.2' }, callback);
         });
 
         it('should give unknown result if unable to query for SQL servers', function(done) {

plugins/azure/storageaccounts/storageAccountsTlsVersion.js

@@ -12,14 +12,6 @@ module.exports = {
     recommended_action: 'Modify Storage Account configuration and set desired minimum TLS version',
     link: 'https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version',
     apis: ['storageAccounts:list'],
-    settings: {
-        sa_min_tls_version: {
-            name: 'Storage Account Minimum TLS Version',
-            description: 'Minimum desired TLS version for Microsoft Azure Storage Accounts',
-            regex: '^(1.0|1.1|1.2)$',
-            default: '1.2'
-        }
-    },
     remediation_min_version: '202112312200',
     remediation_description: 'TLS version 1.2 will be set for the affected Storage Accounts',
     apis_remediate: ['storageAccounts:list'],
@@ -32,11 +24,9 @@ module.exports = {
         var source = {};
         var locations = helpers.locations(settings.govcloud);
 
-        var config = {
-            sa_min_tls_version: settings.sa_min_tls_version || this.settings.sa_min_tls_version.default
-        };
+        var sa_min_tls_version = '1.2';
 
-        var desiredVersion = parseFloat(config.sa_min_tls_version);
+        var desiredVersion = parseFloat(sa_min_tls_version);
 
         async.each(locations.storageAccounts, function(location, rcb) {
             var storageAccounts = helpers.addSource(cache, source,
@@ -58,17 +48,17 @@ module.exports = {
             storageAccounts.data.forEach(function(storageAccount) {
                 if (!storageAccount.id) return;
 
-                let tlsVersion = storageAccount.minimumTlsVersion ? storageAccount.minimumTlsVersion : 'TLS1.0'; //Default is TLS 1.0
+                let tlsVersion = storageAccount.minimumTlsVersion ? storageAccount.minimumTlsVersion : 'TLS1.2'; //Default is TLS 1.2
                 tlsVersion = tlsVersion.replace('TLS', '');
                 tlsVersion = tlsVersion.replace('_', '.');
 
                 if (parseFloat(tlsVersion) >= desiredVersion) {
                     helpers.addResult(results, 0,
-                        `Storage Account is using TLS version ${tlsVersion} which is equal to or higher than desired TLS version ${config.sa_min_tls_version}`,
+                        `Storage Account is using TLS version ${tlsVersion} which is equal to or higher than desired TLS version ${sa_min_tls_version}`,
                         location, storageAccount.id);
                 } else {
                     helpers.addResult(results, 2,
-                        `Storage Account is using TLS version ${tlsVersion} which is less than desired TLS version ${config.sa_min_tls_version}`,
+                        `Storage Account is using TLS version ${tlsVersion} which is less than desired TLS version ${sa_min_tls_version}`,
                         location, storageAccount.id);   
                 }
             });