Merge branch 'development' into pr/mikedavem/742

PSScriptAnalyzerSettings.psd1

@@ -25,6 +25,7 @@
                 'InModuleScope' #Because Pester!
                 'Mock' #Because Pester!
                 'Assert-MockCalled' #Because Pester!
+                'Get-LocalGroupMember' # Because we handle it
             )
         }
         PSUseCompatibleSyntax = @{

RELEASE.md

@@ -1,3 +1,25 @@
+## Date 18th March 2020
+Thank you Tracey tboggiano
+    New CIS user-defined CLRs to be set to SAFE_ACCESS #734
+    CIS tests for if service accounts are local admins #736
+
+Thank you Rob
+    Getting service accounts tests to pass if no service
+    Made long running jobs check work as expected
+    Improved Database Mail check
+    Made sure disk allocations dont run on Core
+
+Thank you mikedavem
+    Fixed bug in disk allocation check exclusions
+
+##Latest
+
+## Date 14th March 2020
+Thank you Tracey tboggiano
+    New CIS Check Hide Instance #728
+    New CIS Check Symmetric Key #732
+    New CIS Check Agent Proxy not have access to public Role #732
+
 ## Date 8th January 2020
 Thank you Tracey tboggiano
     New CIS Check Guest Account connect permissions #725
@@ -10,8 +32,6 @@ Thank you Rob
     Added Tag parameter to Get-DbcCheck
     Updated tests to work with PowerShell 7
 
-##Latest
-
 ## Date 22nd December
 Thank you Tracey tboggiano
     Two New CIS Checks Contained databases should be auto-closed #721

checks/Agent.Tests.ps1

@@ -133,7 +133,7 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
                         Context "Testing database mail profile is set on $psitem" {
                             $databasemailprofile = Get-DbcConfigValue  agent.databasemailprofile
                             It "database mail profile on $psitem is $databasemailprofile" {
-                                (Connect-DbaInstance -SqlInstance $psitem).JobServer.DatabaseMailProfile | Should -Be $databasemailprofile -Because 'The database mail profile is required to send emails'
+                                (Get-DbaDbMailProfile -SqlInstance $InstanceSMO).Name | Should -Be $databasemailprofile -Because 'The database mail profile is required to send emails'
                             }
                         }
                     }
@@ -200,6 +200,7 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
                     $messageid = Get-DbcConfigValue agent.alert.messageid
                     $AgentAlertJob = Get-DbcConfigValue agent.alert.Job
                     $AgentAlertNotification = Get-DbcConfigValue agent.alert.Notification
+                    $skip = Get-DbcConfigValue skip.agent.alert
                     if ($NotContactable -contains $psitem) {
                         Context "Testing Agent Alerts Severity exists on $psitem" {
                             It "Can't Connect to $Psitem" {
@@ -216,39 +217,39 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
                         $alerts = Get-DbaAgentAlert -SqlInstance $psitem
                         Context "Testing Agent Alerts Severity exists on $psitem" {
                             ForEach ($sev in $severity) {
-                                It "$psitem should have Severity $sev Alert" {
+                                It "$psitem should have Severity $sev Alert" -Skip:$skip{
                                     ($alerts.Where{ $psitem.Severity -eq $sev }) | Should -be $true -Because "Recommended Agent Alerts to exists http://blog.extreme-advice.com/2013/01/29/list-of-errors-and-severity-level-in-sql-server-with-catalog-view-sysmessages/"
                                 }
-                                It "$psitem should have Severity $sev Alert enabled" {
+                                It "$psitem should have Severity $sev Alert enabled" -Skip:$skip{
                                     ($alerts.Where{ $psitem.Severity -eq $sev }) | Should -be $true -Because "Configured alerts should be enabled"
                                 }
                                 if ($AgentAlertJob) {
-                                    It "$psitem should have Jobname for Severity $sev Alert" {
+                                    It "$psitem should have Jobname for Severity $sev Alert" -Skip:$skip{
                                         ($alerts.Where{ $psitem.Severity -eq $sev }).jobname -ne $null | Should -be $true -Because "Should notify by SQL Agent Job"
                                     }
                                 }
                                 if ($AgentAlertNotification) {
-                                    It "$psitem should have notification for Severity $sev Alert" {
+                                    It "$psitem should have notification for Severity $sev Alert" -Skip:$skip{
                                         ($alerts.Where{ $psitem.Severity -eq $sev }).HasNotification -in 1, 2, 3, 4, 5, 6, 7 | Should -be $true -Because "Should notify by Agent notifications"
                                     }
                                 }
                             }
                         }
                         Context "Testing Agent Alerts MessageID exists on $psitem" {
                             ForEach ($mid in $messageid) {
-                                It "$psitem should have Message_ID $mid Alert" {
+                                It "$psitem should have Message_ID $mid Alert" -Skip:$skip{
                                     ($alerts.Where{ $psitem.messageid -eq $mid }) | Should -be $true -Because "Recommended Agent Alerts to exists http://blog.extreme-advice.com/2013/01/29/list-of-errors-and-severity-level-in-sql-server-with-catalog-view-sysmessages/"
                                 }
-                                It "$psitem should have Message_ID $mid Alert enabled" {
+                                It "$psitem should have Message_ID $mid Alert enabled" -Skip:$skip{
                                     ($alerts.Where{ $psitem.messageid -eq $mid }) | Should -be $true -Because "Configured alerts should be enabled"
                                 }
                                 if ($AgentAlertJob) {
-                                    It "$psitem should have Job name for Message_ID $mid Alert" {
+                                    It "$psitem should have Job name for Message_ID $mid Alert" -Skip:$skip {
                                         ($alerts.Where{ $psitem.messageid -eq $mid }).jobname -ne $null | Should -be $true -Because "Should notify by SQL Agent Job"
                                     }
                                 }
                                 if ($AgentAlertNotification) {
-                                    It "$psitem should have notification for Message_ID $mid Alert" {
+                                    It "$psitem should have notification for Message_ID $mid Alert" -Skip:$skip {
                                         ($alerts.Where{ $psitem.messageid -eq $mid }).HasNotification -in 1, 2, 3, 4, 5, 6, 7 | Should -be $true -Because "Should notify by Agent notifications"
                                     }
                                 }
@@ -328,9 +329,16 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
                     }
                     else {
                         Context "Testing long running jobs on $psitem" {
-                            foreach ($runningjob in $runningjobs | Where-Object { $_.AvgSec -ne 0 }) {
-                                It "Running job $($runningjob.JobName) duration should not be more than $runningjobpercentage % extra of the average run time on $psitem" -Skip:$skip {
-                                    Assert-LongRunningJobs -runningjob $runningjob -runningjobpercentage $runningjobpercentage
+                            if ($runningjobs) {
+                                foreach ($runningjob in $runningjobs | Where-Object { $_.AvgSec -ne 0 }) {
+                                    It "Running job $($runningjob.JobName) duration should not be more than $runningjobpercentage % extra of the average run time on $psitem" -Skip:$skip {
+                                        Assert-LongRunningJobs -runningjob $runningjob -runningjobpercentage $runningjobpercentage
+                                    }
+                                }
+                            }
+                            else {
+                                It "There are no running jobs currently on $psitem" -Skip:$skip {
+                                    $True | SHould -BeTrue
                                 }
                             }
                         }
@@ -385,8 +393,6 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
                         DROP Table #dbachecksLastRunTime
                         DROP Table #dbachecksAverageRunTime"
                         $lastagentjobruns = Invoke-DbaQuery -SqlInstance $PSItem -Database msdb -Query $query
-                    }
-                    else {
                         Context "Testing last job run time on $psitem" {
                             foreach ($lastagentjobrun in $lastagentjobruns | Where-Object { $_.AvgSec -ne 0 }) {
                                 It "Job $($lastagentjobrun.JobName) last run duration should be not be greater than $runningjobpercentage % extra of the average run time on $psitem" -Skip:$skip {
@@ -395,6 +401,13 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
                             }
                         }
                     }
+                    else {
+                        Context "Testing last job run time on $psitem" {
+                            It "Job average run time on $psitem" -Skip {
+                                Assert-LastJobRun -lastagentjobrun $lastagentjobrun -runningjobpercentage $runningjobpercentage
+                            }
+                        }
+                    }
                 }
             }
         }

checks/Database.Tests.ps1

@@ -957,6 +957,27 @@ $ExcludedDatabases += $ExcludeDatabase
         }
      }
 
+     Describe "CLR Assemblies SAFE_ACCESS" -Tags CLRAssembliesSafe, CIS, $filename {
+        $skip = Get-DbcConfigValue skip.security.clrassembliessafe
+        if ($NotContactable -contains $psitem) {
+            Context "Testing that all user-defined CLR assemblies are set to SAFE_ACCESS on $psitem" {
+                It "Can't Connect to $Psitem" -Skip:$skip {
+                    $true | Should -BeFalse -Because "The instance should be available to be connected to!"
+                }
+            }
+        }
+        else {
+            Context "Testing that all user-defined CLR assemblies are set to SAFE_ACCESS on $psitem" {
+                $instance = $psitem
+                @($InstanceSMO.Databases.Where{($(if ($Database) {$PsItem.Name -in $Database}else {$ExcludedDatabases -notcontains $PsItem.Name}))}).ForEach{
+                    It "$($psitem.Name) on $($psitem.Parent.Name) user-defined CLR assemblies are set to SAFE_ACCESS" {
+                        Assert-CLRAssembliesSafe -Instance $instance -Database $psitem.Name
+                    }
+                }
+            }
+        }
+     }
+
     Describe "Guest User" -Tags GuestUserConnect, Security, CIS, Medium, $filename {
         $exclude = "master", "tempdb", "msdb"
         $ExcludedDatabases += $exclude
@@ -980,6 +1001,47 @@ $ExcludedDatabases += $ExcludeDatabase
             }
         }
     }
+    Describe "AsymmetricKeySize" -Tags AsymmetricKeySize, CIS, $filename {
+        $skip = Get-DbcConfigValue skip.security.asymmetrickeysize
+        $ExcludedDatabases += "master", "tempdb", "msdb"
+        if ($NotContactable -contains $psitem) {
+            Context "Testing Asymmetric Key Size is 2048 or higher on $psitem" {
+                It "Can't Connect to $Psitem" {
+                    $true | Should -BeFalse -Because "The instance should be available to be connected to!"
+                }
+            }
+        }
+        else {
+            Context "Testing Asymmetric Key Size is 2048 or higher on $psitem" {
+                @($InstanceSMO.Databases.Where{($(if ($Database) {$PsItem.Name -in $Database}else {$ExcludedDatabases -notcontains $PsItem.Name}))}).ForEach{
+                    It "$($psitem.Name) on $($psitem.Parent.Name) Asymmetric Key Size should be at least 2048" -Skip:$skip {
+                        Assert-AsymmetricKeySize -Instance $instance -Database $psitem
+                    }
+                }
+            }
+        }
+     }
+
+     Describe "SymmetricKeyEncryptionLevel" -Tags SymmetricKeyEncryptionLevel, CIS, $filename {
+        $skip = Get-DbcConfigValue skip.security.symmetrickeyencryptionlevel
+        $ExcludedDatabases += "master", "tempdb", "msdb"
+        if ($NotContactable -contains $psitem) {
+            Context "Testing Symmetric Key Encruption Level at least AES_128 or higher on $psitem" -Skip:$skip {
+                It "Can't Connect to $Psitem" -Skip:$skip  {
+                    $true | Should -BeFalse -Because "The instance should be available to be connected to!"
+                }
+            }
+        }
+        else {
+            Context "Testing Symmetric Key Encruption Level at least AES_128 or higher on $psitem" {
+                @($InstanceSMO.Databases.Where{($(if ($Database) {$PsItem.Name -in $Database}else {$ExcludedDatabases -notcontains $PsItem.Name}))}).ForEach{
+                    It "$($psitem.Name) on $($psitem.Parent.Name) Symmetric Key Encryption Level should have AES_128 or higher" -Skip:$skip  {
+                        Assert-SymmetricKeyEncryptionLevel -Instance $instance -Database $psitem
+                    }
+                }
+            }
+        }
+     }
 }
 Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactable