
databases

Sample rules

A few rules that use objects from this package:

non_car_azure_database_public_access
from typing import Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class PublicAccessSqlDatabaseRule(AzureBaseRule):
    """Flag Azure SQL servers that allow public network access.

    A server whose ``public_network_access_enable`` flag is set accepts
    connections from the public internet, so every database it hosts is
    reachable by anyone who obtains a credential; the finding asks for the
    flag to be turned off (private endpoints / VNet rules instead).
    """

    def get_id(self) -> str:
        """Return the unique identifier of this rule."""
        return 'non_car_azure_database_public_access'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Build one Issue per SQL server with public network access enabled.

        Args:
            env_context: Environment context whose ``sql_servers`` are inspected.
            parameters: Rule parameters; this rule does not read any.

        Returns:
            A list of Issues, empty when no server is exposed. Each Issue
            names the server as both the violating and the exposed resource.
        """
        return [
            Issue(
                f'~{server.get_type()}~. '
                f'{server.get_type()} with database name `{server.get_friendly_name()}` is exposed to the internet',
                server,
                server)
            for server in env_context.sql_servers
            if server.public_network_access_enable
        ]

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment contains at least one SQL server."""
        return bool(environment_context.sql_servers)
non_car_sql_servers_auditing_enabled
from typing import Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class EnsureSqlServerAuditEnabledRule(AzureBaseRule):
    """Flag SQL servers without auditing, or with short audit-log retention.

    At most one finding is raised per server:

    * no ``extended_auditing_policy``, or one whose ``log_monitoring_enabled``
      is falsy -- auditing is effectively off;
    * auditing on, but ``retention_in_days`` in the range 1..90 inclusive.

    A ``retention_in_days`` of 0 is deliberately not flagged (presumably it
    denotes unlimited retention -- confirm against the context builder).
    NOTE(review): the second message says "less than 90 days" while the
    check is inclusive of 90; the condition is what is enforced.
    """

    def get_id(self) -> str:
        """Return the unique identifier of this rule."""
        return 'non_car_sql_servers_auditing_enabled'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Build one Issue per SQL server whose auditing is off or short-lived.

        Args:
            env_context: Environment context whose ``sql_servers`` are inspected.
            parameters: Rule parameters; this rule does not read any.

        Returns:
            A list of Issues, empty when every server audits with more than
            90 days (or unlimited) retention.
        """
        issues: List[Issue] = []
        for server in env_context.sql_servers:
            policy = server.extended_auditing_policy
            # Short-circuit keeps us from touching attributes of a missing policy.
            if not (policy and policy.log_monitoring_enabled):
                message = f'The {server.get_type()} `{server.get_friendly_name()}` does not have auditing enabled'
            elif 0 < policy.retention_in_days <= 90:
                message = f'The {server.get_type()} `{server.get_friendly_name()}` has auditing enabled, but for less than 90 days of retention'
            else:
                continue
            issues.append(Issue(message, server, server))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment contains at least one SQL server."""
        return bool(environment_context.sql_servers)
non_car_mysql_server_enforcing_ssl
from typing import List, Dict
from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class MySqlServerEnforcingSslRule(AzureBaseRule):
    """Flag Azure MySQL servers that do not enforce SSL on client connections.

    With ``ssl_enforcement_enabled`` off a client may connect in plaintext,
    exposing credentials and query data in transit; the finding asks for
    enforcement to be switched on.
    """

    def get_id(self) -> str:
        """Return the unique identifier of this rule."""
        return 'non_car_mysql_server_enforcing_ssl'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Build one Issue per MySQL server whose ``ssl_enforcement_enabled`` is falsy.

        Args:
            env_context: Environment context whose ``my_sql_servers`` are inspected.
            parameters: Rule parameters; this rule does not read any.

        Returns:
            A list of Issues, empty when every server enforces SSL.
        """
        return [
            Issue(f'The {server.get_type()} `{server.get_friendly_name()}` is not enforcing SSL connections.', server, server)
            for server in env_context.my_sql_servers
            if not server.ssl_enforcement_enabled
        ]

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment contains at least one MySQL server."""
        return bool(environment_context.my_sql_servers)
non_car_postgresql_server_enforcing_ssl
from typing import List, Dict

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class PostgreSqlServerEnforceSslRule(AzureBaseRule):
    """Flag Azure PostgreSQL servers that do not enforce SSL on client connections.

    With ``ssl_enforcement_enabled`` off a client may connect in plaintext,
    exposing credentials and query data in transit; the finding asks for
    enforcement to be switched on.
    """

    def get_id(self) -> str:
        """Return the unique identifier of this rule."""
        return 'non_car_postgresql_server_enforcing_ssl'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Build one Issue per PostgreSQL server whose ``ssl_enforcement_enabled`` is falsy.

        Args:
            env_context: Environment context whose ``postgresql_servers`` are inspected.
            parameters: Rule parameters; this rule does not read any.

        Returns:
            A list of Issues, empty when every server enforces SSL.
        """
        return [
            Issue(f'The {server.get_type()} `{server.get_friendly_name()}` is not enforcing SSL connections.', server, server)
            for server in env_context.postgresql_servers
            if not server.ssl_enforcement_enabled
        ]

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment contains at least one PostgreSQL server."""
        return bool(environment_context.postgresql_servers)

AzureSqlServer (AzureResource)

Attributes:

Name Type Description
server_name str

The name of the SQL server

public_network_access_enable bool

An indication of whether public network access is enabled.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

AzureMySqlServer (AzureResource)

Attributes:

Name Type Description
server_name str

The name of the MySQL server

ssl_enforcement_enabled bool

An indication of whether SSL enforcement is enabled.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

AzureSqlServerExtendedAuditingPolicy (AzureResource)

Attributes:

Name Type Description
retention_in_days int

The number of days to retain logs for in the storage account.

log_monitoring_enabled bool

An indication of whether auditing of events is enabled.

server_id str

The ID of the SQL server with which the audit policy is associated.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

AzurePostgreSqlServer (AzureResource)

Attributes:

Name Type Description
server_name str

The name of the PostgreSQL server

ssl_enforcement_enabled bool

An indication of whether SSL enforcement is enabled.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process