
Merge branch 'development' into pr/mikedavem/742

Rob authored and Rob committed Mar 21, 2020
2 parents 304b1d7 + ae9b1eb commit fc1f132d1bba753fd2d4be8c9d21ee008eed0918
@@ -25,6 +25,7 @@
'InModuleScope' #Because Pester!
'Mock' #Because Pester!
'Assert-MockCalled' #Because Pester!
'Get-LocalGroupMember' # Because we handle it
)
}
PSUseCompatibleSyntax = @{
@@ -1,3 +1,25 @@
## Date 18th March 2020
Thank you Tracey tboggiano
New CIS user-defined CLRs to be set to SAFE_ACCESS #734
CIS tests for if service accounts are local admins #736

Thank you Rob
Getting service accounts tests to pass if no service
Made long running jobs check work as expected
Improved Database Mail check
Made sure disk allocations dont run on Core

Thank you mikedavem
Fixed bug in disk allocation check exclusions

##Latest

## Date 14th March 2020
Thank you Tracey tboggiano
New CIS Check Hide Instance #728
New CIS Check Symmetric Key #732
New CIS Check Agent Proxy not have access to public Role #732

## Date 8th January 2020
Thank you Tracey tboggiano
New CIS Check Guest Account connect permissions #725
@@ -10,8 +32,6 @@ Thank you Rob
Added Tag parameter to Get-DbcCheck
Updated tests to work with PowerShell 7

##Latest

## Date 22nd December
Thank you Tracey tboggiano
Two New CIS Checks Contained databases should be auto-closed #721
@@ -133,7 +133,7 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
Context "Testing database mail profile is set on $psitem" {
$databasemailprofile = Get-DbcConfigValue agent.databasemailprofile
It "database mail profile on $psitem is $databasemailprofile" {
(Connect-DbaInstance -SqlInstance $psitem).JobServer.DatabaseMailProfile | Should -Be $databasemailprofile -Because 'The database mail profile is required to send emails'
(Get-DbaDbMailProfile -SqlInstance $InstanceSMO).Name | Should -Be $databasemailprofile -Because 'The database mail profile is required to send emails'
}
}
}
@@ -200,6 +200,7 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
$messageid = Get-DbcConfigValue agent.alert.messageid
$AgentAlertJob = Get-DbcConfigValue agent.alert.Job
$AgentAlertNotification = Get-DbcConfigValue agent.alert.Notification
$skip = Get-DbcConfigValue skip.agent.alert
if ($NotContactable -contains $psitem) {
Context "Testing Agent Alerts Severity exists on $psitem" {
It "Can't Connect to $Psitem" {
@@ -216,39 +217,39 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
$alerts = Get-DbaAgentAlert -SqlInstance $psitem
Context "Testing Agent Alerts Severity exists on $psitem" {
ForEach ($sev in $severity) {
It "$psitem should have Severity $sev Alert" {
It "$psitem should have Severity $sev Alert" -Skip:$skip{
($alerts.Where{ $psitem.Severity -eq $sev }) | Should -be $true -Because "Recommended Agent Alerts to exists http://blog.extreme-advice.com/2013/01/29/list-of-errors-and-severity-level-in-sql-server-with-catalog-view-sysmessages/"
}
It "$psitem should have Severity $sev Alert enabled" {
It "$psitem should have Severity $sev Alert enabled" -Skip:$skip{
($alerts.Where{ $psitem.Severity -eq $sev }) | Should -be $true -Because "Configured alerts should be enabled"
}
if ($AgentAlertJob) {
It "$psitem should have Jobname for Severity $sev Alert" {
It "$psitem should have Jobname for Severity $sev Alert" -Skip:$skip{
($alerts.Where{ $psitem.Severity -eq $sev }).jobname -ne $null | Should -be $true -Because "Should notify by SQL Agent Job"
}
}
if ($AgentAlertNotification) {
It "$psitem should have notification for Severity $sev Alert" {
It "$psitem should have notification for Severity $sev Alert" -Skip:$skip{
($alerts.Where{ $psitem.Severity -eq $sev }).HasNotification -in 1, 2, 3, 4, 5, 6, 7 | Should -be $true -Because "Should notify by Agent notifications"
}
}
}
}
Context "Testing Agent Alerts MessageID exists on $psitem" {
ForEach ($mid in $messageid) {
It "$psitem should have Message_ID $mid Alert" {
It "$psitem should have Message_ID $mid Alert" -Skip:$skip{
($alerts.Where{ $psitem.messageid -eq $mid }) | Should -be $true -Because "Recommended Agent Alerts to exists http://blog.extreme-advice.com/2013/01/29/list-of-errors-and-severity-level-in-sql-server-with-catalog-view-sysmessages/"
}
It "$psitem should have Message_ID $mid Alert enabled" {
It "$psitem should have Message_ID $mid Alert enabled" -Skip:$skip{
($alerts.Where{ $psitem.messageid -eq $mid }) | Should -be $true -Because "Configured alerts should be enabled"
}
if ($AgentAlertJob) {
It "$psitem should have Job name for Message_ID $mid Alert" {
It "$psitem should have Job name for Message_ID $mid Alert" -Skip:$skip {
($alerts.Where{ $psitem.messageid -eq $mid }).jobname -ne $null | Should -be $true -Because "Should notify by SQL Agent Job"
}
}
if ($AgentAlertNotification) {
It "$psitem should have notification for Message_ID $mid Alert" {
It "$psitem should have notification for Message_ID $mid Alert" -Skip:$skip {
($alerts.Where{ $psitem.messageid -eq $mid }).HasNotification -in 1, 2, 3, 4, 5, 6, 7 | Should -be $true -Because "Should notify by Agent notifications"
}
}
@@ -328,9 +329,16 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
}
else {
Context "Testing long running jobs on $psitem" {
foreach ($runningjob in $runningjobs | Where-Object { $_.AvgSec -ne 0 }) {
It "Running job $($runningjob.JobName) duration should not be more than $runningjobpercentage % extra of the average run time on $psitem" -Skip:$skip {
Assert-LongRunningJobs -runningjob $runningjob -runningjobpercentage $runningjobpercentage
if ($runningjobs) {
foreach ($runningjob in $runningjobs | Where-Object { $_.AvgSec -ne 0 }) {
It "Running job $($runningjob.JobName) duration should not be more than $runningjobpercentage % extra of the average run time on $psitem" -Skip:$skip {
Assert-LongRunningJobs -runningjob $runningjob -runningjobpercentage $runningjobpercentage
}
}
}
else {
It "There are no running jobs currently on $psitem" -Skip:$skip {
$True | SHould -BeTrue
}
}
}
@@ -385,8 +393,6 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
DROP Table #dbachecksLastRunTime
DROP Table #dbachecksAverageRunTime"
$lastagentjobruns = Invoke-DbaQuery -SqlInstance $PSItem -Database msdb -Query $query
}
else {
Context "Testing last job run time on $psitem" {
foreach ($lastagentjobrun in $lastagentjobruns | Where-Object { $_.AvgSec -ne 0 }) {
It "Job $($lastagentjobrun.JobName) last run duration should be not be greater than $runningjobpercentage % extra of the average run time on $psitem" -Skip:$skip {
@@ -395,6 +401,13 @@ Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactab
}
}
}
else {
Context "Testing last job run time on $psitem" {
It "Job average run time on $psitem" -Skip {
Assert-LastJobRun -lastagentjobrun $lastagentjobrun -runningjobpercentage $runningjobpercentage
}
}
}
}
}
}
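Review bot: The two "Alert enabled" tests (Severity and Message_ID) still assert the same expression as the existence tests, `($alerts.Where{ $psitem.Severity -eq $sev }) | Should -be $true`, so an alert that exists but is disabled passes both. Since these `It` lines are already being edited to add `-Skip:$skip`, the enabled tests could assert the enabled state instead, for example `($alerts.Where{ $psitem.Severity -eq $sev }).IsEnabled | Should -BeTrue`, with the property name confirmed against what Get-DbaAgentAlert returns. Separately, the added `else` branch for last job run time uses an unconditional `-Skip` and a body that references `$lastagentjobrun` outside any loop; a comment such as `# placeholder: reported as skipped when there is no job history to compare` would say why it never runs. The page lost its +/- markers, so which of the doubled lines is new is inferred from the hunk headers.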
@@ -957,6 +957,27 @@ $ExcludedDatabases += $ExcludeDatabase
}
}

Describe "CLR Assemblies SAFE_ACCESS" -Tags CLRAssembliesSafe, CIS, $filename {
$skip = Get-DbcConfigValue skip.security.clrassembliessafe
if ($NotContactable -contains $psitem) {
Context "Testing that all user-defined CLR assemblies are set to SAFE_ACCESS on $psitem" {
It "Can't Connect to $Psitem" -Skip:$skip {
$true | Should -BeFalse -Because "The instance should be available to be connected to!"
}
}
}
else {
Context "Testing that all user-defined CLR assemblies are set to SAFE_ACCESS on $psitem" {
$instance = $psitem
@($InstanceSMO.Databases.Where{($(if ($Database) {$PsItem.Name -in $Database}else {$ExcludedDatabases -notcontains $PsItem.Name}))}).ForEach{
It "$($psitem.Name) on $($psitem.Parent.Name) user-defined CLR assemblies are set to SAFE_ACCESS" {
Assert-CLRAssembliesSafe -Instance $instance -Database $psitem.Name
}
}
}
}
}

Describe "Guest User" -Tags GuestUserConnect, Security, CIS, Medium, $filename {
$exclude = "master", "tempdb", "msdb"
$ExcludedDatabases += $exclude
@@ -980,6 +1001,47 @@ $ExcludedDatabases += $ExcludeDatabase
}
}
}
Describe "AsymmetricKeySize" -Tags AsymmetricKeySize, CIS, $filename {
$skip = Get-DbcConfigValue skip.security.asymmetrickeysize
$ExcludedDatabases += "master", "tempdb", "msdb"
if ($NotContactable -contains $psitem) {
Context "Testing Asymmetric Key Size is 2048 or higher on $psitem" {
It "Can't Connect to $Psitem" {
$true | Should -BeFalse -Because "The instance should be available to be connected to!"
}
}
}
else {
Context "Testing Asymmetric Key Size is 2048 or higher on $psitem" {
@($InstanceSMO.Databases.Where{($(if ($Database) {$PsItem.Name -in $Database}else {$ExcludedDatabases -notcontains $PsItem.Name}))}).ForEach{
It "$($psitem.Name) on $($psitem.Parent.Name) Asymmetric Key Size should be at least 2048" -Skip:$skip {
Assert-AsymmetricKeySize -Instance $instance -Database $psitem
}
}
}
}
}

Describe "SymmetricKeyEncryptionLevel" -Tags SymmetricKeyEncryptionLevel, CIS, $filename {
$skip = Get-DbcConfigValue skip.security.symmetrickeyencryptionlevel
$ExcludedDatabases += "master", "tempdb", "msdb"
if ($NotContactable -contains $psitem) {
Context "Testing Symmetric Key Encruption Level at least AES_128 or higher on $psitem" -Skip:$skip {
It "Can't Connect to $Psitem" -Skip:$skip {
$true | Should -BeFalse -Because "The instance should be available to be connected to!"
}
}
}
else {
Context "Testing Symmetric Key Encruption Level at least AES_128 or higher on $psitem" {
@($InstanceSMO.Databases.Where{($(if ($Database) {$PsItem.Name -in $Database}else {$ExcludedDatabases -notcontains $PsItem.Name}))}).ForEach{
It "$($psitem.Name) on $($psitem.Parent.Name) Symmetric Key Encryption Level should have AES_128 or higher" -Skip:$skip {
Assert-SymmetricKeyEncryptionLevel -Instance $instance -Database $psitem
}
}
}
}
}
}
Set-PSFConfig -Module dbachecks -Name global.notcontactable -Value $NotContactable
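Review bot: In the AsymmetricKeySize and SymmetricKeyEncryptionLevel blocks the assertions are called with `-Instance $instance`, but neither Describe assigns `$instance`; only the CLR Assemblies block does (`$instance = $psitem`). Unless it is set outside these hunks, the two key checks may run against an empty instance value, so I would add `$instance = $psitem` at the top of each Context and pass `-Database $psitem.Name` as the CLR block does. The skip handling is also uneven: the CLR `It` that calls Assert-CLRAssembliesSafe has no `-Skip:$skip`, while the "Can't Connect" tests in the CLR and symmetric-key blocks do, so the skip setting hides an unreachable instance rather than the check it is named for. The symmetric-key not-contactable `Context` is also given `-Skip:$skip`, which Pester 4's `Context` does not accept as far as I know, so that branch is worth running once against an unreachable instance. The enclosing loop and the file name are not visible on this page.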
