cis_report does not have code to check for 1.11 (Ensure user IAM Database Passwords rotate within 90 days) #155

Open
hslange opened this issue Dec 20, 2024 · 1 comment

hslange commented Dec 20, 2024

There is no code to check for this control.
I added the following check to support this function.
The code for this check is based on the same check for 1.10 (auth tokens).
I implemented this check to look at the last_modified date and not on the 'created' date.
The spelling of "database_passowrds" is correct, this is how the field is named :)
I hope this can be included in the base code:

Included an additional time format, since the last update date for DB password is in a different date format: '2024-11-08T10:01:57.982Z':

    __iso_time_format1 = "%Y-%m-%dT%H:%M:%S.%fZ"

    # CIS 1.11 Check - Old DB Password
    for user in self.__users:
        if user['database_passowrds']:
            for key in user['database_passowrds']:
                # Flag passwords whose last_modified date is at or before the maximum-age cutoff
                if self.api_key_time_max_datetime >= datetime.datetime.strptime(key['meta']['last_modified'], self.__iso_time_format1):
                    self.cis_foundations_benchmark_2_0['1.11']['Status'] = False

                    finding = {
                        "user_name": user['name'],
                        "user_id": user['id'],
                        "id": key['ocid'],
                        "description": key['description'],
                        # "expires-on": key['expires_on']
                    }

                    self.cis_foundations_benchmark_2_0['1.11']['Findings'].append(finding)

                # CIS Total 1.11 Adding - Keys to CIS Total
                self.cis_foundations_benchmark_2_0['1.11']['Total'].append(key)

As a result, the total number of DB passwords is included as well as the ones that have expired based on the "last_modified" date.
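
An added example, not part of the issue or the project's own code: a stand-alone version of the 1.11 rotation check that can be run against constructed user records. It reuses the field names from the comment above (including `database_passowrds`); the function names, the second timestamp format, the sample records and the choice to report a missing or unparseable `last_modified` as a finding are assumptions.

```python
import datetime

# Formats tried in order. The first is the one quoted in the issue; the second
# (no fractional seconds) is an assumption added for robustness.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")
UTC = datetime.timezone.utc


def parse_utc(stamp):
    """Return a timezone-aware UTC datetime, or None if the stamp is unparseable."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.datetime.strptime(stamp, fmt).replace(tzinfo=UTC)
        except (ValueError, TypeError):
            continue
    return None


def check_db_password_rotation(users, now, max_age_days=90):
    """Evaluate CIS 1.11 over a list of user dicts shaped like the issue's data."""
    cutoff = now - datetime.timedelta(days=max_age_days)
    result = {"Status": True, "Findings": [], "Total": []}
    for user in users:
        for pw in user.get("database_passowrds") or []:  # field name as spelled in the issue
            result["Total"].append(pw)
            modified = parse_utc(pw.get("meta", {}).get("last_modified"))
            # Fail closed: a missing or unparseable date counts as a finding.
            if modified is None or modified <= cutoff:
                result["Status"] = False
                result["Findings"].append({
                    "user_name": user["name"],
                    "user_id": user["id"],
                    "id": pw["ocid"],
                    "description": pw.get("description"),
                })
    return result


# Constructed sample data (not real OCIDs).
SAMPLE_USERS = [
    {"name": "alice", "id": "ocid1.user.example.alice", "database_passowrds": [
        {"ocid": "ocid1.dbpw.example.old", "description": "legacy",
         "meta": {"last_modified": "2024-08-01T10:01:57.982Z"}},
        {"ocid": "ocid1.dbpw.example.new", "description": "rotated",
         "meta": {"last_modified": "2024-12-01T09:00:00Z"}}]},
    {"name": "carol", "id": "ocid1.user.example.carol", "database_passowrds": [
        {"ocid": "ocid1.dbpw.example.bad", "description": "no date", "meta": {}}]},
]
NOW = datetime.datetime(2024, 12, 20, tzinfo=UTC)
```

Calling `check_db_password_rotation(SAMPLE_USERS, NOW)` counts all three passwords in `Total` and reports the stale one and the undated one in `Findings`.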

Collaborator

Halimer commented Dec 21, 2024

Thanks. We will make this update in our next release.
