diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py index f65e3292c48..d37a659ff07 100644 --- a/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py +++ b/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.py @@ -12,6 +12,8 @@ def execute(self) -> Check_Report_Azure: ) if len(databases) > 0: for database in databases: + if database.name.lower() == "master": + continue report = Check_Report_Azure(self.metadata()) report.subscription = subscription report.resource_name = database.name diff --git a/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py b/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py index 05308a8fc5a..e79f3fe6a8c 100644 --- a/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py +++ b/tests/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled_test.py @@ -157,3 +157,63 @@ def test_sql_servers_database_encryption_enabled(self): assert result[0].subscription == AZURE_SUBSCRIPTION assert result[0].resource_name == database_name assert result[0].resource_id == database_id + + def test_sql_servers_database_encryption_disabled_on_master_db(self): + sqlserver_client = mock.MagicMock + sql_server_name = "SQL Server Name" + sql_server_id = str(uuid4()) + database_master_name = "MASTER" + database_master_id = str(uuid4()) + database_master = Database( + id=database_master_id, + name=database_master_name, + type="type", + location="location", + managed_by="managed_by", + tde_encryption=TransparentDataEncryption(status="Disabled"), + ) + database_name = "Database Name" + database_id = str(uuid4()) + database = Database( + id=database_id, + name=database_name, + type="type", + location="location", + managed_by="managed_by", + tde_encryption=TransparentDataEncryption(status="Enabled"), + ) + sqlserver_client.sql_servers = { + AZURE_SUBSCRIPTION: [ + Server( + id=sql_server_id, + name=sql_server_name, + public_network_access="", + minimal_tls_version="", + administrators=None, + auditing_policies=None, + firewall_rules=None, + databases=[database_master, database], + encryption_protector=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled.sqlserver_client", + new=sqlserver_client, + ): + from prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled import ( + sqlserver_tde_encryption_enabled, + ) + + check = sqlserver_tde_encryption_enabled() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"Database {database_name} from SQL Server {sql_server_name} from subscription {AZURE_SUBSCRIPTION} has TDE enabled" + ) + assert result[0].subscription == AZURE_SUBSCRIPTION + assert result[0].resource_name == database_name + assert result[0].resource_id == database_id