
feat(rds): Add RDS certificate expiration check #4002

Merged
merged 5 commits into from
May 20, 2024

Conversation

madereddy
Contributor

@madereddy madereddy commented May 14, 2024

Context

Ensure that the SSL/TLS certificates configured for your Amazon RDS are not expired.

Description

Check RDS certificate validity and inform if the certificate will expire soon. Certificate rotation takes coordination between the application and RDS.

  1. For RDS certificates that expire in more than 3 months, the check will PASS, with a severity of informational if more than 6 months remain and a severity of low if between 3 and 6 months remain.
  2. For RDS certificates that expire in less than 3 months, the check will FAIL with a severity of medium.
  3. For RDS certificates that expire in less than a month, the check will FAIL with a severity of high.
  4. For RDS certificates that are already expired, the check will FAIL with a severity of critical.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
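The four severity tiers described in the PR are easy to get wrong at the boundaries (an expired certificate and one expiring in 29 days must land in different buckets), so here is an added, self-contained Python example that is not prowler's own code. It models the `CertificateDetails` block (`CAIdentifier`, `ValidTill`) that `DescribeDBInstances` returns for each instance, approximates a "month" as 30 days (the PR does not state the month length the real check uses), treats exactly 3 months as the low boundary, and runs the rules over a constructed list of instances rather than a live AWS account.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: a "month" is approximated as 30 days. The PR text gives the
# thresholds in months but does not define how long a month is.
MONTH = timedelta(days=30)


@dataclass(frozen=True)
class Finding:
    instance: str
    ca: str
    status: str     # "PASS" or "FAIL"
    severity: str   # informational, low, medium, high, critical
    days_left: int  # negative once the certificate has expired


def classify_expiration(valid_till: datetime, now: datetime) -> tuple[str, str]:
    """Map the remaining certificate lifetime to the PR's PASS/FAIL and severity rules.

    Ordered from most to least severe so each branch only has to test a lower bound.
    Exactly 3 months and exactly 6 months both fall into PASS/low (a choice made here;
    the PR text leaves the boundary open).
    """
    remaining = valid_till - now
    if remaining <= timedelta(0):
        return "FAIL", "critical"        # already expired
    if remaining < 1 * MONTH:
        return "FAIL", "high"            # less than a month left
    if remaining < 3 * MONTH:
        return "FAIL", "medium"          # less than 3 months left
    if remaining <= 6 * MONTH:
        return "PASS", "low"             # between 3 and 6 months left
    return "PASS", "informational"       # more than 6 months left


def check_rds_certificates(instances: list[dict], now: datetime) -> list[Finding]:
    """Produce one finding per instance that reports certificate metadata.

    `instances` follows the shape of the DBInstances list from DescribeDBInstances;
    only DBInstanceIdentifier and CertificateDetails are read here.
    """
    findings: list[Finding] = []
    for db in instances:
        cert = db.get("CertificateDetails") or {}
        valid_till = cert.get("ValidTill")
        if valid_till is None:
            continue  # no certificate metadata reported, nothing to assess
        status, severity = classify_expiration(valid_till, now)
        findings.append(
            Finding(
                instance=db["DBInstanceIdentifier"],
                ca=cert.get("CAIdentifier", "unknown"),
                status=status,
                severity=severity,
                days_left=(valid_till - now).days,
            )
        )
    return findings


# Constructed sample data: a fixed "now" and six instances covering every tier,
# plus one instance with no certificate block at all. The rds-ca-2019 expiry date
# is the one quoted in the PR thread; the instance names are made up.
NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "db-old-ca",
     "CertificateDetails": {"CAIdentifier": "rds-ca-2019",
                            "ValidTill": datetime(2024, 8, 22, tzinfo=timezone.utc)}},
    {"DBInstanceIdentifier": "db-expired",
     "CertificateDetails": {"CAIdentifier": "rds-ca-2019",
                            "ValidTill": datetime(2024, 1, 1, tzinfo=timezone.utc)}},
    {"DBInstanceIdentifier": "db-soon",
     "CertificateDetails": {"CAIdentifier": "rds-ca-2019",
                            "ValidTill": datetime(2024, 6, 10, tzinfo=timezone.utc)}},
    {"DBInstanceIdentifier": "db-quarter",
     "CertificateDetails": {"CAIdentifier": "rds-ca-2019",
                            "ValidTill": datetime(2024, 7, 30, tzinfo=timezone.utc)}},
    {"DBInstanceIdentifier": "db-fresh",
     "CertificateDetails": {"CAIdentifier": "rds-ca-rsa2048-g1",
                            "ValidTill": datetime(2025, 5, 20, tzinfo=timezone.utc)}},
    {"DBInstanceIdentifier": "db-no-cert"},
]


def run_example() -> dict[str, tuple[str, str]]:
    """Return {instance: (status, severity)} for the constructed sample."""
    return {f.instance: (f.status, f.severity)
            for f in check_rds_certificates(SAMPLE_INSTANCES, NOW)}


if __name__ == "__main__":
    for f in check_rds_certificates(SAMPLE_INSTANCES, NOW):
        print(f"{f.instance:<12} {f.ca:<18} {f.status:<4} {f.severity:<13} {f.days_left:>5} days")
```

Note that with a 30-day month the rds-ca-2019 instance still passes with low severity on 20 May 2024 (94 days left); it only becomes a FAIL/medium finding once fewer than 90 days remain, which is the kind of boundary a reviewer should confirm against the real check's intent.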

@madereddy madereddy requested review from a team as code owners May 14, 2024 17:44
@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label May 14, 2024
@madereddy
Contributor Author

madereddy commented May 15, 2024

Competing with #4003 and #4004

Recommended to merge this first as RDS cert rds-ca-2019 will be expiring August 22nd 2024.

Member

@sergargar sergargar left a comment


Thanks for the PR @madereddy, I like this check! Please, review my comments 😄

@sergargar sergargar self-assigned this May 15, 2024
@madereddy
Contributor Author

Not sure why pr-lint-test 3.9 failed. I ran the test several times on my machine and it was successful.

(prowler-py3.10) # pytest -n auto -vvv -s -x tests/providers/aws/services/rds/rds_instance_no_public_access
================================================================= test session starts =================================================================
platform linux -- Python 3.10.12, pytest-8.2.0, pluggy-1.5.0 -- /root/.cache/pypoetry/virtualenvs/prowler-_7q4EYpC-py3.10/bin/python
cachedir: .pytest_cache
Using --randomly-seed=2455016802
rootdir: /config/data/prowler
configfile: pyproject.toml
plugins: anyio-4.3.0, dash-2.17.0, cov-5.0.0, env-1.1.3, randomly-3.15.0, xdist-3.6.1
4 workers [5 items]     
scheduling tests via LoadScheduling

tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public_with_public_sg 
tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public_with_filtered_sg 
tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public 
tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_private 
[gw3] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public 
[gw0] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_private 
[gw2] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public_with_filtered_sg 
[gw1] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_instance_public_with_public_sg 
tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_no_instances 
[gw1] PASSED tests/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access_test.py::Test_rds_instance_no_public_access::test_rds_no_instances 

================================================================= 5 passed in 15.72s ==================================================================

@madereddy madereddy requested a review from sergargar May 15, 2024 14:21
@madereddy
Contributor Author

madereddy commented May 15, 2024

Reviewed further, synced master branch back into my fork and then rebased this commit in and the PR Lint 3.9 succeeded.
https://github.com/madereddy/prowler/actions/runs/9100128819/job/25014246558

============================= test session starts ==============================
platform linux -- Python 3.9.19, pytest-8.2.0, pluggy-1.5.0
Using --randomly-seed=4172765213
rootdir: /home/runner/work/prowler/prowler
configfile: pyproject.toml
plugins: anyio-4.3.0, randomly-3.15.0, env-1.1.3, dash-2.17.0, cov-5.0.0, xdist-3.6.1
created: 4/4 workers
4 workers [3167 items]
........................................................................ [  2%]
........................................................................ [  4%]
........................................................................ [  6%]
........................................................................ [  9%]
........................................................................ [ 11%]
........................................................................ [ 13%]
........................................................................ [ 15%]
........................................................................ [ 18%]
........................................................................ [ 20%]
........................................................................ [ 22%]
........................................................................ [ 25%]
........................................................................ [ 27%]
........................................................................ [ 29%]
........................................................................ [ 31%]
........................................................................ [ 34%]
........................................................................ [ 36%]
........................................................................ [ 38%]
........................................................................ [ 40%]
........................................................................ [ 43%]
........................................................................ [ 45%]
........................................................................ [ 47%]
........................................................................ [ 50%]
........................................................................ [ 52%]
........................................................................ [ 54%]
........................................................................ [ 56%]
........................................................................ [ 59%]
........................................................................ [ 61%]
........................................................................ [ 63%]
........................................................................ [ 65%]
........................................................................ [ 68%]
........................................................................ [ 70%]
........................................................................ [ 72%]
........................................................................ [ 75%]
........................................................................ [ 77%]
........................................................................ [ 79%]
........................................................................ [ 81%]
........................................................................ [ 84%]
........................................................................ [ 86%]
........................................................................ [ 88%]
........................................................................ [ 90%]
........................................................................ [ 93%]
........................................................................ [ 95%]
........................................................................ [ 97%]
.......................................................................  [100%]
=============================== warnings summary ===============================
tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py::Test_defender_auto_provisioning_log_analytics_agent_vms_on::test_defender_auto_provisioning_log_analytics_on
  /home/runner/.cache/pypoetry/virtualenvs/prowler-MpuilnhB-py3.9/lib/python3.9/site-packages/azure/mgmt/security/v2023_01_01/models/_models_py3.py:91: DeprecationWarning: invalid escape sequence \ 
    """A plan's extension properties.
tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py::Test_defender_auto_provisioning_log_analytics_agent_vms_on::test_defender_auto_provisioning_log_analytics_on
  /home/runner/.cache/pypoetry/virtualenvs/prowler-MpuilnhB-py3.9/lib/python3.9/site-packages/azure/mgmt/security/v2023_01_01/models/_models_py3.py:144: DeprecationWarning: invalid escape sequence \ 
    """
tests/providers/azure/services/defender/defender_auto_provisioning_log_analytics_agent_vms_on/defender_auto_provisioning_log_analytics_agent_vms_on_test.py::Test_defender_auto_provisioning_log_analytics_agent_vms_on::test_defender_auto_provisioning_log_analytics_on
  /home/runner/.cache/pypoetry/virtualenvs/prowler-MpuilnhB-py3.9/lib/python3.9/site-packages/azure/mgmt/security/v2023_01_01/models/_models_py3.py:236: DeprecationWarning: invalid escape sequence \ 
    """Microsoft Defender for Cloud is provided in two pricing tiers: free and standard. The standard
-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
---------- coverage: platform linux, python 3.9.19-final-0 -----------
Coverage XML written to file coverage.xml
================= 3167 passed, 3 warnings in 886.53s (0:14:46) =================

@madereddy
Contributor Author

@sergargar @jfagoagas Can you rerun the failed lint test?


codecov bot commented May 20, 2024

Codecov Report

Attention: Patch coverage is 93.33333%, with 5 lines in your changes missing coverage. Please review.

Project coverage is 86.64%. Comparing base (73b3484) to head (da92604).

Files Patch % Lines
..._expiration/rds_instance_certificate_expiration.py 95.08% 3 Missing ⚠️
prowler/providers/aws/services/rds/rds_service.py 85.71% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4002      +/-   ##
==========================================
+ Coverage   86.51%   86.64%   +0.12%     
==========================================
  Files         776      777       +1     
  Lines       24163    24237      +74     
==========================================
+ Hits        20904    20999      +95     
+ Misses       3259     3238      -21     


@madereddy
Contributor Author

madereddy commented May 20, 2024

Codecov Report

Attention: Patch coverage is 96.96970%, with 2 lines in your changes missing coverage. Please review.

Project coverage is 86.50%. Comparing base (45ccd7e) to head (7e391db).
Report is 17 commits behind head on master.

Files Patch % Lines
prowler/providers/aws/services/rds/rds_service.py 85.71% 2 Missing ⚠️
Additional details and impacted files


@jfagoagas @sergargar Looking at the codecov report, I see that changes I made have more coverage, but indirectly the ec2 service is going down by about 5.47%. Is there anything I need to do to fix this?

@sergargar
Member

Hi @madereddy, I have added the case of RDS certificates that expire in less than a month, where the check will FAIL with a severity of high.

sergargar
sergargar previously approved these changes May 20, 2024
@sergargar sergargar merged commit 12f9f8a into prowler-cloud:master May 20, 2024
11 checks passed