Merge pull request #993 from dataplat/instancecheckscontinued

SQLDBAWithABeard · web-flow · commit 7111e697d36d · 2023-08-03T18:51:26.000+01:00
Instancecheckscontinued
diff --git a/developing/Robs-Instance.ps1 b/developing/Robs-Instance.ps1
@@ -1,4 +1,6 @@
-$Checks = 'ErrorLogCount', 'XESessionExists', 'XESessionStopped', 'XpCmdShellDisabled', 'WhoIsActiveInstalled', 'CLREnabled', 'TwoDigitYearCutoff', 'MaxDopInstance', 'ErrorLogCount', 'ModelDbGrowth', 'DefaultBackupCompression', 'SaExist', 'SaDisabled', 'SaRenamed', 'DefaultFilePath', 'AdHocDistributedQueriesEnabled', 'AdHocWorkload', 'DefaultTrace', 'OleAutomationProceduresDisabled', 'CrossDBOwnershipChaining', 'ScanForStartupProceduresDisabled', 'RemoteAccessDisabled', 'SQLMailXPsDisabled', 'DAC', 'OLEAutomation', 'ServerNameMatch', 'OrphanedFile', 'MaxMemory', 'NetworkLatency'
+./build.ps1 -Tasks build
+
+$Checks = 'ErrorLogCount', 'XESessionExists', 'XESessionStopped', 'XpCmdShellDisabled', 'WhoIsActiveInstalled', 'CLREnabled', 'TwoDigitYearCutoff', 'MaxDopInstance', 'ErrorLogCount', 'ModelDbGrowth', 'DefaultBackupCompression', 'SaExist', 'SaDisabled', 'SaRenamed', 'DefaultFilePath', 'AdHocDistributedQueriesEnabled', 'AdHocWorkload', 'DefaultTrace', 'OleAutomationProceduresDisabled', 'CrossDBOwnershipChaining', 'ScanForStartupProceduresDisabled', 'RemoteAccessDisabled', 'SQLMailXPsDisabled', 'DAC', 'OLEAutomation', 'ServerNameMatch', 'OrphanedFile', 'MaxMemory', 'NetworkLatency', 'PublicPermission'
 
 $Checks = 'XESessionRunningAllowed', 'XESessionRunning', 'XESessionRunningAllowed', 'XESessionExists', 'XESessionStopped', 'XpCmdShellDisabled'
 $Checks = 'TraceFlagsNotExpected', 'TraceFlagsExpected'
@@ -18,6 +20,9 @@ $Checks = 'SuspectPageLimit'
 $Checks = 'SupportedBuild'
 $Checks = 'LoginMustChange'
 $Checks = 'LoginAuditSuccessful', 'LoginAuditFailed'
+Set-DbcConfig -Name skip.security.PublicPermission -Value $false
+$Checks = 'PublicRolePermission'
+$Checks = 'PUblicPermission'
 
 Invoke-PerfAndValidateCheck -Checks $Checks
 Invoke-PerfAndValidateCheck -Checks $Checks -PerfDetail
diff --git a/source/checks/Instancev5.Tests.ps1 b/source/checks/Instancev5.Tests.ps1
@@ -55,6 +55,16 @@ Describe "Ad Hoc Workload Optimization" -Tag AdHocWorkload, Medium, Instance -Fo
     }
 }
 
+Describe "SQL Agent Service Admin" -Tags AgentServiceAdmin, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.AgentServiceAdmin' }).Value
+    Context "Testing whether SQL Agent account is a local administrator on <_.Name>" {
+        It "The SQL Agent service account should not be a local administrator on <_.Name>" -Skip:$skip {
+            # We don't make this -BeFalse because the possible results  are $true/$false/'Could not connect'
+            $psitem.AgentServiceAdminExist | Should -Be $false -Because "We expected the service account for the SQL Agent to not be a local administrator"
+        }
+    }
+}
+
 Describe "Backup Path Access" -Tag BackupPathAccess, Storage, DISA, Medium, Instance -ForEach $InstancesToTest {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.BackupPathAccess' }).Value
     Context "Testing Backup Path Access on <_.Name>" {
@@ -357,6 +367,16 @@ Describe "Login SA cannot exist" -Tag SaExist, CIS, Medium, Instance -ForEach $I
     }
 }
 
+Describe "Public Role Permissions" -Tag PublicPermission, PublicRolePermission, Security, CIS, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.PublicPermission' }).Value
+
+    Context "Testing if the public role permissions don't have permissions  on <_.Name>" {
+        It "All permissions should be set to CIS standards on the public role on <_.Name>" -Skip:$skip {
+            $PsItem.PublicRolePermissions | Should -Be 0 -Because "We expected the public role to have no permissions for CIS compliance."
+        }
+    }
+}
+
 Describe "SA Login Renamed" -Tag SaRenamed, DISA, CIS, Medium, Instance -ForEach $InstancesToTest {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.SaRenamed' }).Value
     Context "Checking that sa login has been renamed on <_.Name>" {
@@ -384,6 +404,18 @@ Describe "SQL and Windows names match" -Tag ServerNameMatch, Medium, Instance -F
     }
 }
 
+Describe "SQL Engine Service" -Tags SqlEngineServiceAccount, ServiceAccount, High, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.sqlengineserviceaccount' }).Value
+    Context "Testing SQL Engine Service on <_.Name>" -Skip:$skip {
+        It "SQL Engine service account should be <_.State> on <_.InstanceName>" -ForEach $PsItem.SqlEngineServiceAccount {
+            $PsItem.State | Should -Be $PsItem.ExpectedState -Because "We expected the SQL Engine service account to be $($PsItem.ExpectedState)"
+        }
+        It "SQL Engine service account should have a start mode of <_.ExpectedStartType> on instance <_.InstanceName>" -ForEach $PsItem.SqlEngineServiceAccount {
+            $PsItem.StartType | Should -Be $PsItem.ExpectedStartType -Because $Psitem.because
+        }
+    }
+}
+
 Describe "SQL Mail XPs Disabled" -Tag SQLMailXPsDisabled, Security, CIS, Low, Instance -ForEach $InstancesToTest {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.SQLMailXPsDisabled' }).Value
     Context "Checking SQL Mail XPs on <_.Name>" {
diff --git a/source/internal/configurations/configuration.ps1 b/source/internal/configurations/configuration.ps1
@@ -293,6 +293,13 @@ Set-PSFConfig -Module dbachecks -Name skip.instance.maxmemory -Validation bool -
 Set-PSFConfig -Module dbachecks -Name skip.instance.orphanedfile -Validation bool -Value $false -Initialize -Description "Skip the check for orphaned file"
 Set-PSFConfig -Module dbachecks -Name skip.instance.servernamematch -Validation bool -Value $false -Initialize -Description "Skip the check for server name match"
 Set-PSFConfig -Module dbachecks -Name skip.instance.supportedbuild -Validation bool -Value $false -Initialize -Description "Skip the checks for supported build"
+# becuase we can't run this on core
+if ($IsCoreCLR) {
+    $value = $true
+} {
+    $value = $false
+}
+Set-PSFConfig -Module dbachecks -Name skip.instance.sqlengineserviceaccount -Validation bool -Value $value -Initialize -Description "Skip the checks for sql engine service account"
 
 
 
diff --git a/source/internal/functions/NewGet-AllInstanceInfo.ps1 b/source/internal/functions/NewGet-AllInstanceInfo.ps1
@@ -416,6 +416,21 @@ function NewGet-AllInstanceInfo {
             $Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $LoginInitFields)
         }
 
+        { 'PublicRolePermissions' -or 'PublicPermission' } {
+            #This needs to be done in query just in case the account had already been renamed
+            $query = "
+                        SELECT Count(*) AS [RowCount]
+                        FROM master.sys.server_permissions
+                        WHERE (grantee_principal_id = SUSER_SID(N'public') and state_desc LIKE 'GRANT%')
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'VIEW ANY DATABASE' and class_desc = 'SERVER')
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 2)
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 3)
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 4)
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 5);
+                        "
+            $PublicRolePermsCount = $srv.Query($query).RowCount
+        }
+
         'SuspectPageLimit' {
             $sql = "Select
             COUNT(file_id) as 'SuspectPageCount'
@@ -474,6 +489,46 @@ function NewGet-AllInstanceInfo {
             $LoginPasswordExpirationCount = ($Instance.Logins | Where-Object { $_.Name -in $Instance.Roles['sysadmin'].EnumMemberNames() } | Where-Object { $_.LoginType -eq 'SqlLogin' -and $_.PasswordExpirationEnabled -EQ $false -and $_.IsDisabled -EQ $false }).Count
         }
 
+        'AgentServiceAdmin' {
+            try {
+                $SqlAgentService = Get-DbaService -ComputerName $Instance.ComputerName -InstanceName $Instance.DbaInstanceName -Type Agent -ErrorAction SilentlyContinue
+                $LocalAdmins = Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-LocalGroupMember -Group "Administrators" } -ErrorAction SilentlyContinue
+                $AgentServiceAdminExist = $localAdmins.Name.Contains($SqlAgentService.StartName)
+
+            } catch [System.Exception] {
+                if ($_.Exception.Message -like '*No services found in relevant namespaces*') {
+                    $AgentServiceAdminExist = $false
+                } else {
+                    $AgentServiceAdminExist = 'Some sort of failure'
+                }
+            } catch {
+                $AgentServiceAdminExist = 'We Could not Connect to $Instance $ComputerName , $InstanceName from catch'
+            }
+        }
+
+        'SqlEngineServiceAccount' {
+            $EngineAccounts = Get-DbaService -ComputerName $psitem -Type Engine -ErrorAction SilentlyContinue
+            $starttype = ($__dbcconfig | Where-Object { $_.Name -eq 'policy.instance.sqlenginestart' }).Value
+            $state = ($__dbcconfig | Where-Object { $_.Name -eq 'policy.instance.sqlenginestate' }).Value
+            if ($Instance.IsClustered) {
+                $starttype = 'Manual'
+                $because = 'This is a clustered instance and Clustered Instances required that the SQL engine service is set to manual'
+            } else {
+                $because = "The SQL Service Start Type was expected to be $starttype"
+            }
+
+            $SqlEngineServiceAccount = foreach ($EngineAccount in $EngineAccounts) {
+                [PSCustomObject]@{
+                    InstanceName      = $Instance.Name
+                    State             = $EngineAccount.State
+                    ExpectedState     = $state
+                    StartType         = $EngineAccount.StartType
+                    ExpectedStartType = $starttype
+                    because           = $because
+                }
+            }
+        }
+
         Default { }
     }
 
@@ -578,6 +633,9 @@ function NewGet-AllInstanceInfo {
         SupportedBuild               = $SupportedBuild
         LoginMustChangeCount         = $LoginMustChangeCount
         LoginPasswordExpirationCount = $LoginPasswordExpirationCount
+        AgentServiceAdminExist       = $AgentServiceAdminExist
+        SqlEngineServiceAccount      = $SqlEngineServiceAccount
+        PublicRolePermissions        = $PublicRolePermsCount
         # TempDbConfig          = [PSCustomObject]@{
         #     TF118EnabledCurrent     = $tempDBTest[0].CurrentSetting
         #     TF118EnabledRecommended = $tempDBTest[0].Recommended
