
feat(rds_instance_transport_encrypted): add new check #1963

Merged
merged 6 commits into from
Mar 6, 2023

Conversation

MrCloudSec
Member

Description

Add new check called rds_instance_transport_encrypted

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@MrCloudSec MrCloudSec requested review from a team, drewkerrigan, jfagoagas and n4ch04 February 23, 2023 15:35
@MrCloudSec MrCloudSec linked an issue Feb 23, 2023 that may be closed by this pull request
@jfagoagas jfagoagas added the no-merge Please, DO NOT MERGE this PR. label Feb 24, 2023
Member Author

@MrCloudSec MrCloudSec left a comment


Thanks to @Fennerr for the idea!

@MrCloudSec MrCloudSec requested a review from a team February 28, 2023 13:58
@Fennerr
Contributor

Fennerr commented Mar 2, 2023

Just moving across the info from the slack chat I had with Sergio to here:

For Oracle databases the rds client also needs to retrieve the option groups, and then check the SQLNET.SSL_VERSION option of that group. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.html#Appendix.Oracle.Options.SSL.OptionGroup
The following values are allowed for this option setting:

"1.0" - Clients can connect to the DB instance using TLS 1.0 only.
"1.2" - Clients can connect to the DB instance using TLS 1.2 only.
"1.2 or 1.0" - Clients can connect to the DB instance using either TLS 1.2 or 1.0.

The check can also check if it is set to use TLS 1.0.

For existing Oracle SSL options, SQLNET.SSL_VERSION is set to "1.0" automatically. You can change the setting, if necessary.

I can add this to the current check, or it can be a separate check.
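An added example (not code from this PR or from Prowler) of the option-group logic described above: it reads the SQLNET.SSL_VERSION setting from an RDS Oracle option group and flags groups that still accept TLS 1.0 or have no SSL option at all. The dict shape mirroring a describe_option_groups response is an assumption, the function names are hypothetical, and the sample groups are constructed.

```python
from typing import Optional, Tuple

# Values AWS documents for SQLNET.SSL_VERSION in the Oracle SSL option.
TLS12_ONLY = "1.2"
TLS10_ALLOWED = {"1.0", "1.2 or 1.0"}


def ssl_version_of(option_group: dict) -> Optional[str]:
    """Return SQLNET.SSL_VERSION of the group's SSL option, or None when the
    group has no SSL option at all (no TLS listener is configured)."""
    for option in option_group.get("Options", []):
        if option.get("OptionName") != "SSL":
            continue
        for setting in option.get("OptionSettings", []):
            if setting.get("Name") == "SQLNET.SSL_VERSION":
                return setting.get("Value")
        # Assumption: an SSL option without an explicit value behaves like the
        # documented default for existing SSL options, i.e. "1.0".
        return "1.0"
    return None


def evaluate_oracle_ssl(option_group: dict) -> Tuple[str, str]:
    """Return a (status, reason) pair in the style of a Prowler check result.
    FAIL whenever TLS 1.0 is accepted or no SSL option is attached."""
    name = option_group.get("OptionGroupName", "<unknown>")
    version = ssl_version_of(option_group)
    if version is None:
        return "FAIL", f"{name}: no SSL option, encrypted connections unavailable."
    if version in TLS10_ALLOWED:
        return "FAIL", f"{name}: TLS 1.0 accepted (SQLNET.SSL_VERSION={version})."
    if version == TLS12_ONLY:
        return "PASS", f"{name}: TLS 1.2 only."
    return "FAIL", f"{name}: unrecognised SQLNET.SSL_VERSION {version!r}."


# Constructed sample groups in the describe_option_groups response shape.
SAMPLE_OPTION_GROUPS = [
    {"OptionGroupName": "ora-tls12", "EngineName": "oracle-ee",
     "Options": [{"OptionName": "SSL", "Port": 2484,
                  "OptionSettings": [{"Name": "SQLNET.SSL_VERSION", "Value": "1.2"}]}]},
    {"OptionGroupName": "ora-legacy", "EngineName": "oracle-ee",
     "Options": [{"OptionName": "SSL", "Port": 2484,
                  "OptionSettings": [{"Name": "SQLNET.SSL_VERSION", "Value": "1.2 or 1.0"}]}]},
    {"OptionGroupName": "ora-nossl", "EngineName": "oracle-ee", "Options": []},
]

if __name__ == "__main__":
    for group in SAMPLE_OPTION_GROUPS:
        print(*evaluate_oracle_ssl(group))
```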

…ypted/rds_instance_transport_encrypted.metadata.json

Co-authored-by: Toni de la Fuente <[email protected]>
@MrCloudSec
Member Author

MrCloudSec commented Mar 6, 2023

@Fennerr, this is a great idea, it would be awesome if you can do it; we have included it in our roadmap anyway.
If you finally do it, please create a new PR, as we want to include this check in the next release that we are going to do tomorrow. Thanks!

@MrCloudSec MrCloudSec requested a review from toniblyx March 6, 2023 11:10
@MrCloudSec MrCloudSec removed the no-merge Please, DO NOT MERGE this PR. label Mar 6, 2023
@MrCloudSec MrCloudSec merged commit c5a42cf into master Mar 6, 2023
@MrCloudSec MrCloudSec deleted the rds_instance_transport_encrypted branch March 6, 2023 12:18
Successfully merging this pull request may close these issues.

Implement a new check for RDS to require encrypted connections