From 0f31bb48d8c31b675d7ce759eb8e70ab7c818dfd Mon Sep 17 00:00:00 2001
From: Dmitry Gurevich <99176494+gurevichdmitry@users.noreply.github.com>
Date: Mon, 14 Oct 2024 14:58:01 +0300
Subject: [PATCH] Skip Azure PostgreSQL tests (#2600)
(cherry picked from commit 2ec360f24aa7f15a80180ed87620b0093d30edd0)
---
 security-policies/RULES.md | 12 +-
 .../azure_database_service_test_cases.py | 122 ++++++++++--------
 2 files changed, 72 insertions(+), 62 deletions(-)
diff --git a/security-policies/RULES.md b/security-policies/RULES.md
index bf2228ca3d..10f1ff33d5 100644
--- a/security-policies/RULES.md
+++ b/security-policies/RULES.md
@@ -404,7 +404,7 @@
 #### Manual rules: 0/74 (0%)
-#### Integration Tests Coverage: 100/302 (33%)
+#### Integration Tests Coverage: 94/302 (31%)

Full Table 📋

@@ -495,12 +495,12 @@
 | 4.2.5 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | :x: | Passed :x: / Failed :x: | Automated |
 | [4.3.1](bundle/compliance/cis_azure/rules/cis_4_3_1) | PostgreSQL Database Server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | :white_check_mark: | Passed :x: / Failed :x: | Automated |
 | [4.3.2](bundle/compliance/cis_azure/rules/cis_4_3_2) | PostgreSQL Database Server | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
-| [4.3.3](bundle/compliance/cis_azure/rules/cis_4_3_3) | PostgreSQL Database Server | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
-| [4.3.4](bundle/compliance/cis_azure/rules/cis_4_3_4) | PostgreSQL Database Server | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
+| [4.3.3](bundle/compliance/cis_azure/rules/cis_4_3_3) | PostgreSQL Database Server | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated |
+| [4.3.4](bundle/compliance/cis_azure/rules/cis_4_3_4) | PostgreSQL Database Server | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated |
 | [4.3.5](bundle/compliance/cis_azure/rules/cis_4_3_5) | PostgreSQL Database Server | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
-| [4.3.6](bundle/compliance/cis_azure/rules/cis_4_3_6) | PostgreSQL Database Server | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
-| [4.3.7](bundle/compliance/cis_azure/rules/cis_4_3_7) | PostgreSQL Database Server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
-| [4.3.8](bundle/compliance/cis_azure/rules/cis_4_3_8) | PostgreSQL Database Server | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Automated |
+| [4.3.6](bundle/compliance/cis_azure/rules/cis_4_3_6) | PostgreSQL Database Server | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | :white_check_mark: | Passed :x: / Failed :x: | Automated |
+| [4.3.7](bundle/compliance/cis_azure/rules/cis_4_3_7) | PostgreSQL Database Server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated |
+| [4.3.8](bundle/compliance/cis_azure/rules/cis_4_3_8) | PostgreSQL Database Server | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | :white_check_mark: | Passed :x: / Failed :x: | Automated |
 | [4.4.1](bundle/compliance/cis_azure/rules/cis_4_4_1) | MySQL Database | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | :white_check_mark: | Passed :x: / Failed :x: | Automated |
 | [4.4.2](bundle/compliance/cis_azure/rules/cis_4_4_2) | MySQL Database | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated |
 | 4.4.3 | MySQL Database | Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | :x: | Passed :x: / Failed :x: | Manual |
diff --git a/tests/product/tests/data/azure/azure_database_service_test_cases.py b/tests/product/tests/data/azure/azure_database_service_test_cases.py
index 273fbcea84..ed2051a5c9 100644
--- a/tests/product/tests/data/azure/azure_database_service_test_cases.py
+++ b/tests/product/tests/data/azure/azure_database_service_test_cases.py
@@ -210,17 +210,19 @@
 expected=RULE_PASS_STATUS,
 )
-cis_azure_4_3_3_fail = AzureServiceCase(
- rule_tag=CIS_4_3_3,
- case_identifier="test-postgresql-single-server-failpgserver",
- expected=RULE_FAIL_STATUS,
-)
+# TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+# cis_azure_4_3_3_fail = AzureServiceCase(
+# rule_tag=CIS_4_3_3,
+# case_identifier="test-postgresql-single-server-failpgserver",
+# expected=RULE_FAIL_STATUS,
+# )
 cis_azure_4_3_3 = {
 """4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server (Automated) expect: passed""": cis_azure_4_3_3_pass,
- """4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for
- PostgreSQL Database Server (Automated) expect: failed""": cis_azure_4_3_3_fail,
+ # TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+ # """4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for
+ # PostgreSQL Database Server (Automated) expect: failed""": cis_azure_4_3_3_fail,
 }
 cis_azure_4_3_4_pass = AzureServiceCase(
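Review bot: With `cis_azure_4_3_3_fail` and its dict entry commented out, rule 4.3.3 is only ever asserted as 'passed' in this file, so a regression that makes the log_connections check pass for every server would no longer be caught; the same holds for 4.3.4 in the next hunk and 4.3.7 in the `@@ -302,30 +309,33 @@` hunk. The TODO says the code "will be cleaned up" but records neither why the case is disabled nor that the failed path is now untested. I would say so in the comment, e.g. `# TODO: 'failed' case disabled, rule 4.3.3 is only checked for 'passed' until https://github.com/elastic/cloudbeat/issues/2544 is resolved`. The `cis_azure_4_3_3_pass` definition at the top of the hunk and `cis_azure_4_3_4_pass` at the bottom begin or end outside it.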
@@ -229,24 +231,27 @@
 expected=RULE_PASS_STATUS,
 )
-cis_azure_4_3_4_fail = AzureServiceCase(
- rule_tag=CIS_4_3_4,
- case_identifier="test-postgresql-single-server-failpgserver",
- expected=RULE_FAIL_STATUS,
-)
+# TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+# cis_azure_4_3_4_fail = AzureServiceCase(
+# rule_tag=CIS_4_3_4,
+# case_identifier="test-postgresql-single-server-failpgserver",
+# expected=RULE_FAIL_STATUS,
+# )
 cis_azure_4_3_4 = {
 """4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (Automated) expect: passed""": cis_azure_4_3_4_pass,
- """4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for
- PostgreSQL Database Server (Automated) expect: failed""": cis_azure_4_3_4_fail,
+ # TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+ # """4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for
+ # PostgreSQL Database Server (Automated) expect: failed""": cis_azure_4_3_4_fail,
 }
-cis_azure_4_3_5_pass_single_server = AzureServiceCase(
- rule_tag=CIS_4_3_5,
- case_identifier="test-postgresql-single-server",
- expected=RULE_PASS_STATUS,
-)
+# TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+# cis_azure_4_3_5_pass_single_server = AzureServiceCase(
+# rule_tag=CIS_4_3_5,
+# case_identifier="test-postgresql-single-server",
+# expected=RULE_PASS_STATUS,
+# )
 cis_azure_4_3_5_fail_single_server = AzureServiceCase(
 rule_tag=CIS_4_3_5,
@@ -267,8 +272,9 @@
 )
 cis_azure_4_3_5 = {
- """4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- (Automated) [SINGLE SERVER] expect: passed""": cis_azure_4_3_5_pass_single_server,
+ # TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+ # """4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
+ # (Automated) [SINGLE SERVER] expect: passed""": cis_azure_4_3_5_pass_single_server,
 """4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server (Automated) [SINGLE SERVER] expect: failed""": cis_azure_4_3_5_fail_single_server,
 """4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
@@ -277,24 +283,25 @@
 (Automated) [FLEXIBLE SERVER] expect: failed""": cis_azure_4_3_5_fail_flexible_server,
 }
-cis_azure_4_3_6_pass = AzureServiceCase(
- rule_tag=CIS_4_3_6,
- case_identifier="test-postgresql-single-server",
- expected=RULE_PASS_STATUS,
-)
+# TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+# cis_azure_4_3_6_pass = AzureServiceCase(
+# rule_tag=CIS_4_3_6,
+# case_identifier="test-postgresql-single-server",
+# expected=RULE_PASS_STATUS,
+# )
-cis_azure_4_3_6_fail = AzureServiceCase(
- rule_tag=CIS_4_3_6,
- case_identifier="test-postgresql-single-server-failpgserver",
- expected=RULE_FAIL_STATUS,
-)
+# cis_azure_4_3_6_fail = AzureServiceCase(
+# rule_tag=CIS_4_3_6,
+# case_identifier="test-postgresql-single-server-failpgserver",
+# expected=RULE_FAIL_STATUS,
+# )
-cis_azure_4_3_6 = {
- """4.3.6 Ensure Server Parameter 'log_retention_days' is greater
- than 3 days for PostgreSQL Database Server (Automated) expect: passed""": cis_azure_4_3_6_pass,
- """4.3.6 Ensure Server Parameter 'log_retention_days' is greater
- than 3 days for PostgreSQL Database Server (Automated) expect: failed""": cis_azure_4_3_6_fail,
-}
+# cis_azure_4_3_6 = {
+# """4.3.6 Ensure Server Parameter 'log_retention_days' is greater
+# than 3 days for PostgreSQL Database Server (Automated) expect: passed""": cis_azure_4_3_6_pass,
+# """4.3.6 Ensure Server Parameter 'log_retention_days' is greater
+# than 3 days for PostgreSQL Database Server (Automated) expect: failed""": cis_azure_4_3_6_fail,
+# }
 cis_azure_4_3_7_pass = AzureServiceCase(
 rule_tag=CIS_4_3_7,
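Review bot: Rule 4.3.6 loses both its 'passed' and 'failed' cases here, yet only the first commented-out block carries the TODO; the `cis_azure_4_3_6_fail` block and the `cis_azure_4_3_6` dict are commented out with no marker, as is the `cis_azure_4_3_8` dict in the following hunk. Someone searching for the issue link to restore coverage could miss those blocks. A single comment above the group would cover it, for example `# TODO: rule 4.3.6 has no integration coverage until https://github.com/elastic/cloudbeat/issues/2544 is resolved; restore all three blocks below together`. The `cis_azure_4_3_7_pass` definition at the end of the hunk continues outside it.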
@@ -302,30 +309,33 @@
 expected=RULE_PASS_STATUS,
 )
-cis_azure_4_3_7_fail = AzureServiceCase(
- rule_tag=CIS_4_3_7,
- case_identifier="test-postgresql-single-server-failpgserver",
- expected=RULE_FAIL_STATUS,
-)
+# TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+# cis_azure_4_3_7_fail = AzureServiceCase(
+# rule_tag=CIS_4_3_7,
+# case_identifier="test-postgresql-single-server-failpgserver",
+# expected=RULE_FAIL_STATUS,
+# )
 cis_azure_4_3_7 = {
 """4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled (Automated) expect: passed""": cis_azure_4_3_7_pass,
- """4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL
- Database Server is disabled (Automated) expect: failed""": cis_azure_4_3_7_fail,
+ # TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+ # """4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL
+ # Database Server is disabled (Automated) expect: failed""": cis_azure_4_3_7_fail,
 }
-cis_azure_4_3_8_fail = AzureServiceCase(
- rule_tag=CIS_4_3_8,
- case_identifier="test-postgresql-single-server-failpgserver",
- expected=RULE_FAIL_STATUS,
-)
+# TODO: This will be cleaned up in issue https://github.com/elastic/cloudbeat/issues/2544
+# cis_azure_4_3_8_fail = AzureServiceCase(
+# rule_tag=CIS_4_3_8,
+# case_identifier="test-postgresql-single-server-failpgserver",
+# expected=RULE_FAIL_STATUS,
+# )
-cis_azure_4_3_8 = {
- # Can't test this rule passing, motivation: https://github.com/elastic/cloudbeat/pull/1797
- """4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL
- Database Server is 'Enabled' (Automated) expect: failed""": cis_azure_4_3_8_fail,
-}
+# cis_azure_4_3_8 = {
+# # Can't test this rule passing, motivation: https://github.com/elastic/cloudbeat/pull/1797
+# """4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL
+# Database Server is 'Enabled' (Automated) expect: failed""": cis_azure_4_3_8_fail,
+# }
 # 4.4.* Rules ====================================
@@ -394,9 +404,9 @@
 **cis_azure_4_3_3,
 **cis_azure_4_3_4,
 **cis_azure_4_3_5,
- **cis_azure_4_3_6,
+ # **cis_azure_4_3_6,
 **cis_azure_4_3_7,
- **cis_azure_4_3_8,
+ # **cis_azure_4_3_8,
 # **cis_azure_4_4_1,
 **cis_azure_4_4_2,
 **cis_azure_4_5_1,
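Review bot: The two entries commented out in this aggregate mapping carry no reference to the tracking issue, so they read exactly like the pre-existing `# **cis_azure_4_4_1,` line and nothing tells a reader which of them are meant to come back. Tagging them inline keeps the list self-explanatory, e.g. `# **cis_azure_4_3_6,  # TODO: re-enable, see https://github.com/elastic/cloudbeat/issues/2544`, and the same for `cis_azure_4_3_8`. The enclosing literal opens and closes outside this hunk, so its name is not visible here.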