漏洞描述
Ensure that Transparent Data Encryption (also known as encryption at rest) is enabled for all SQL databases available within your Microsoft Azure cloud account for protecting your data at rest.
azure-sql-tde-not-enabled: Azure SQL Transparent Data Encryption Not Enabled
PoC代码[已公开]
id: azure-sql-tde-not-enabled
info:
name: Azure SQL Transparent Data Encryption Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that Transparent Data Encryption (also known as encryption at rest) is enabled for all SQL databases available within your Microsoft Azure cloud account for protecting your data at rest.
impact: |
Disabling TDE can expose sensitive data at rest to potential breaches, failing to comply with best security practices and regulatory requirements.
remediation: |
Enable Transparent Data Encryption on all your Azure SQL databases to protect data at rest using encryption.
reference:
- https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview
tags: cloud,devops,azure,microsoft,sql-database,azure-cloud-config
flow: |
code(1);
for (let serverId of iterate(template.serverIds)) {
set("serverId", serverId);
code(2);
for (let databaseId of iterate(template.databaseIds)) {
set("databaseId", databaseId);
code(3);
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az sql server list --query '[*].id'
extractors:
- type: json
name: serverIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az sql db list --ids "$serverId" --query '[*].id'
extractors:
- type: json
name: databaseIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az sql db tde show --ids "$databaseId" --query 'status'
matchers:
- type: word
words:
- 'Disabled'
extractors:
- type: dsl
dsl:
- 'serverId + " database " + databaseId + " has TDE disabled"'
# digest: 4a0a004730450220047db714609f1a7668e36eb833ec8f8f0877d79cc64dacc972c5dc9428615a5c022100d7898b10e00ea726228cf623eeb6779b75786c992e270c7bae793e1524aa1bb0:922c64590222798bb761d5b6d8e72950