Merge branch 'containers' of github.com:dataplat/dbachecks into containers

Author: SQLDBAWithABeard

.devcontainer/devcontainer.json

@@ -16,7 +16,6 @@
             "extensions": [
                 "ms-vscode.powershell",
                 "github.vscode-pull-request-github",
-                "2gua.rainbow-brackets",
                 "oderwat.indent-rainbow",
                 "mhutchie.git-graph",
                 "usernamehw.errorlens",
@@ -25,7 +24,8 @@
                 "TylerLeonhardt.vscode-inline-values-powershell",
                 "cschleiden.vscode-github-actions",
                 "ms-mssql.mssql",
-                "Gruntfuggly.todo-tree"
+                "Gruntfuggly.todo-tree",
+                "streetsidesoftware.code-spell-checker"
             ],
             "settings": {
                 "editor.renderWhitespace": "all",

.devcontainer/docker-compose.yml

@@ -1,7 +1,7 @@
 version: "3"
 services:
     dbachecks1:
-      image: dbachecks/sqlinstance1:v2.36.0
+      image: dbachecks/sqlinstance1:v2.37.0
       volumes:
         - mydata:/var/opt/backups
         - shared:/shared
@@ -13,7 +13,7 @@ services:
       hostname: dbachecks1
 
     dbachecks2:
-      image: dbachecks/sqlinstance2:v2.36.0
+      image: dbachecks/sqlinstance2:v2.37.0
       volumes:
         - mydata:/var/opt/backups
         - shared:/shared
@@ -27,7 +27,7 @@ services:
 
       # This is our SQL2022 container
     dbachecks3:
-      image: dbachecks/sqlinstance3:v2.36.0
+      image: dbachecks/sqlinstance3:v2.37.0
       volumes:
         - mydata:/var/opt/backups
         - shared:/shared

RequiredModules.psd1

@@ -7,6 +7,7 @@
         }
     }
 
+    'dbatools.library'    = 'latest'
     InvokeBuild           = 'latest'
     PSScriptAnalyzer      = 'latest'
     Pester                = 'latest'

containers/JessAndBeard.psm1

@@ -2343,13 +2343,27 @@ The Tags are the same"
           PassedChange  = 0 # + or - the number of tests passed for v5
           FailedChange  = -12 # + or - the number of tests failed for v5
           SkippedChange = 0 # + or - the number of tests skipped for v5
-      }
+      },
       @{
           Name          = 'LinkedServerConnection'
           RunChange     = -3 # + or - the number of tests for v5
           PassedChange  = -3 # + or - the number of tests passed for v5
           FailedChange  = 0 # + or - the number of tests failed for v5
           SkippedChange = 0 # + or - the number of tests skipped for v5
+      },
+      @{
+          Name          = 'SupportedBuild'
+          RunChange     = -3 # + or - the number of tests run for v5
+          PassedChange  = -3 # + or - the number of tests passed for v5
+          FailedChange  = 0 # + or - the number of tests failed for v5
+          SkippedChange = 0 # + or - the number of tests skipped for v5
+      },
+      @{
+          Name          = 'GuestUserConnect'
+          RunChange     = 0 # + or - the number of tests run for v5
+          PassedChange  = +2 # + or - the number of tests passed for v5
+          FailedChange  = -2 # + or - the number of tests failed for v5
+          SkippedChange = 0 # + or - the number of tests skipped for v5
       }
   )
   $runchange = 0

developing/Robs-Instance.ps1

@@ -9,6 +9,15 @@ $Checks = 'NetworkLatency'
 $Checks = 'LinkedServerConnection'
 $Checks = 'MaxMemory'
 $Checks = 'OrphanedFile'
+$Checks = 'MemoryDump'
+$Checks = 'HideInstance'
+$Checks = 'LoginAuditFailed'
+$Checks = 'LoginAuditSuccessful'
+$Checks = 'LoginCheckPolicy'
+$Checks = 'SuspectPageLimit'
+$Checks = 'SupportedBuild'
+$Checks = 'LoginMustChange'
+$Checks = 'LoginAuditSuccessful', 'LoginAuditFailed'
 
 Invoke-PerfAndValidateCheck -Checks $Checks
 Invoke-PerfAndValidateCheck -Checks $Checks -PerfDetail
@@ -17,7 +26,7 @@ $password = ConvertTo-SecureString "dbatools.IO" -AsPlainText -Force
 $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "sqladmin", $password
 $show = 'All'
 
-$v4code = Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check $Checks -legacy $true -Show $show -PassThru
+$v4code = Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check $Checks -legacy $true -Show $show -PassThru -verbose
 # Run v5 checks
 $v5code = Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check $Checks -legacy $false -Show $show -PassThru -Verbose
 
@@ -44,4 +53,4 @@ $traci = Trace-Script -ScriptBlock {
     $v4code = Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check $Checks -legacy $true -Show $show -PassThru
 }
 
- Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check failsafeoperator -legacy $false -Show $show -verbose
+Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check failsafeoperator -legacy $false -Show $show -verbose

source/checks/Databasev5.Tests.ps1

@@ -222,3 +222,13 @@ Describe "Compatibility Level" -Tag CompatibilityLevel, High, Database -ForEach
         }
     }
 }
+
+Describe "Guest User" -Tag GuestUserConnect, Security, CIS, Medium, Database -ForEach $InstancesToTest {
+    $Skip = ($__dbcconfig | Where-Object Name -EQ 'skip.security.guestuserconnect').Value
+
+    Context "Testing Guest user has CONNECT permission" {
+        It "Database Guest user should return no CONNECT permissions in <_.Name> on <_.SqlInstance>" -Skip:$skip -ForEach $psitem.Databases.Where{ if ($Database) { $_.Name -in $Database } else { $psitem.ConfigValues.guestuserexclude -notcontains $psitem.Name } } {
+            $psitem.GuestUserConnect | Should -BeFalse -Because "we don't want the guest user to have connect access to our database."
+        }
+    }
+}

source/checks/Instancev5.Tests.ps1

@@ -140,6 +140,16 @@ Describe "Error Log Count" -Tag ErrorLogCount, CIS, Low, Instance -ForEach $Inst
     }
 }
 
+Describe "Hide Instance" -Tag HideInstance, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.hideinstance' }).Value
+    Context "Checking the Hide an Instance of SQL Server Database Engine property on <_.Name>" {
+        It "The Hide an Instance of SQL Server Database Engine property on SQL Server instance <_.Name>" -Skip:$skip {
+            # We don't make this -BeTrue because the possible results  are $true/$false/'Could not connect'
+            $psitem.HideInstance.Result | Should -Be $true -Because "We expected the hide instance property to be set to $true"
+        }
+    }
+}
+
 Describe "Instance Connection" -Tag InstanceConnection, Connectivity, High, Instance -ForEach $InstancesToTest {
     BeforeAll {
         $skipall = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.connection' }).Value
@@ -190,6 +200,51 @@ Describe "Linked Servers" -Tag LinkedServerConnection, Connectivity, Medium, Ins
     }
 }
 
+Describe "Failed Login Auditing" -Tag LoginAuditFailed, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.loginauditlevelfailed' }).Value
+    Context "Testing if failed login auditing is in place on <_.Name>" {
+        It "The failed login auditing should be set on  <_.Name>" -Skip:$skip {
+            $psitem.Settings.AuditLevel | Should -BeIn @("Failure", "All") -Because "We expected the audit level to be set to capture failed logins"
+        }
+    }
+}
+
+Describe "Successful Login Auditing" -Tag LoginAuditSuccessful, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.loginauditlevelsuccessful' }).Value
+    Context "Testing if successful and failed login auditing is in place on  <_.Name>" {
+        It "The successful and failed auditing should be set on  <_.Name>" -Skip:$skip {
+            $psitem.Settings.AuditLevel | Should -Be "All" -Because "We expected the audit level to be set to capture all logins (successful and failed)"
+        }
+    }
+}
+
+Describe "Login Check Policy" -Tag LoginCheckPolicy, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.LoginCheckPolicy' }).Value
+    Context "Testing if the CHECK_POLICY is enabled on all logins on <_.Name>" {
+        It "All logins should have the CHECK_POLICY option set to ON on <_.Name>" -Skip:$skip {
+           ($psitem.logins | Where-Object { $_.LoginType -eq 'SqlLogin' -and $_.PasswordPolicyEnforced -eq $false -and $_.IsDisabled -eq $false }).Count | Should -Be 0 -Because "We expected the CHECK_POLICY for the all logins to be enabled"
+        }
+    }
+}
+
+Describe "Login Must Change" -Tag LoginMustChange, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.LoginMustChange' }).Value
+    Context "Testing if the new SQL logins that have not logged have to change their password when they log in on <_.Name>" {
+        It "All new sql logins should have the have to change their password when they log in for the first time on <_.Name>" -Skip:$skip {
+            $PsItem.LoginMustChangeCount | Should -Be 0 -Because "We expected the all the new sql logins to have to change the password on first login"
+        }
+    }
+}
+
+Describe "Login Password Expiration" -Tag LoginPasswordExpiration, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.LoginPasswordExpiration' }).Value
+    Context "Testing if the login password expiration is enabled for sql logins in the sysadmin role on <_.Name>" {
+        It "All sql logins should have the password expiration option set to ON in the sysadmin role on <_.Name>" -Skip:$skip {
+            $PsItem.LoginPasswordExpirationCount | Should -Be 0 -Because "We expected the password expiration policy to set on all sql logins in the sysadmin role"
+        }
+    }
+}
+
 Describe "Instance MaxDop" -Tag MaxDopInstance, MaxDop, Medium, Instance -ForEach ($InstancesToTest | Where-Object { $psitem.Name -notin $psitem.ConfigValues.ExcludeInstanceMaxDop }) {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.MaxDopInstance' }).Value
     Context "Testing Instance MaxDop Value on <_.Name>" {
@@ -213,11 +268,11 @@ Describe "Max Memory" -Tag MaxMemory, High, Instance -ForEach $InstancesToTest {
     }
 }
 
-Describe "SQL Memory Dumps" -Tags MemoryDump, Medium, Instance -ForEach $InstancesToTest {
+Describe "SQL Memory Dumps" -Tag MemoryDump, Medium, Instance -ForEach $InstancesToTest {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.memorydump' }).Value
     Context "Testing SQL Memory Dumps on <_.Name>" {
         It "There should be less than <_.MemoryDump.MaxDumps> since <_.MemoryDump.DumpDateCheckFrom> on <_.Name>" -Skip:$skip {
-            $Psitem.MemoryDump.Result | Should -BeTrue -Because "We expected less than $($Psitem.MemoryDump.MaxDumps) dumps since $(PsItem.MemoryDump.DumpDateCheckFrom)but found $($Psitem.MemoryDump.DumpCount) . Memory dumps often suggest issues with the SQL Server instance"
+            $Psitem.MemoryDump.Result | Should -BeTrue -Because "We expected less than $($Psitem.MemoryDump.MaxDumps) dumps since $($PsItem.MemoryDump.DumpDateCheckFrom)but found $($Psitem.MemoryDump.DumpCount) . Memory dumps often suggest issues with the SQL Server instance"
         }
     }
 }
@@ -338,6 +393,29 @@ Describe "SQL Mail XPs Disabled" -Tag SQLMailXPsDisabled, Security, CIS, Low, In
     }
 }
 
+Describe "Supported Build" -Tag SupportedBuild, DISA, High, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.SupportedBuild' }).Value
+    Context "Checking that build is still supported by Microsoft for <_.Name>" -Skip:$skip {
+        It "The build is not behind the latest build by more than <_.SupportedBuild.BuildBehind> for <_.Name>" {
+            $psItem.SupportedBuild.Compliant | Should -BeTrue -Because "this build $($psItem.SupportedBuild.Build) should not be behind the required build"
+        }
+        It "The build is supported by Microsoft for <_.Name>" {
+            $psItem.SupportedBuild.InsideMicrosoftSupport | Should -BeTrue -Because "this build $($psItem.SupportedBuild.Build) is now unsupported by Microsoft"
+        }
+        It "The build is supported by Microsoft within the warning window of <_.SupportedBuild.BuildWarning> months for <_.Name>" {
+            $psItem.SupportedBuild.InsideBuildWarning | Should -BeTrue -Because "this build $($psItem.SupportedBuild.Build)  will be unsupported by Microsoft on $($psItem.SupportedBuild.SupportedUntil) which is less than $($psItem.SupportedBuild.BuildWarning) months away"
+        }
+    }
+}
+
+Describe "Suspect Page Limit Nearing" -Tag SuspectPageLimit, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.suspectpagelimit' }).Value
+    Context "Testing if the suspect_pages table is nearing the limit of 1000 rows on on <_.Name>" {
+        It "The suspect_pages table in msdb shouldn't be nearing the limit of 1000 rows on on <_.Name>" -Skip:$skip {
+            $PSItem.SuspectPageCountResult | Should -BeTrue -Because "The suspect_pages table in msdb shouldn't be nearing the limit of 1000 rows"
+        }
+    }
+}
 Describe "Trace Flags Expected" -Tag TraceFlagsExpected, TraceFlag, High, Instance -ForEach $InstancesToTest {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.TraceFlagsExpected' }).Value
     Context "Testing Expected Trace Flags on <_.Name>" {

source/dbachecks.psd1

@@ -288,11 +288,13 @@ function Invoke-DbcCheck {
     process {
         if ($legacy) {
             try {
+                Write-PSFMessage 'Running in legacy mode, we need Version 4'
                 if (Get-Module Pester | Where-Object { $_.Version -gt '5.0.0' }) {
+                    Write-PSFMessage 'Remove Version 5' -Level Verbose
                     Remove-Module Pester -ErrorAction SilentlyContinue
-                    Write-PSFMessage 'Running in legacy mode, we need to import Version 4' -Level Verbose
-                    Import-Module Pester -RequiredVersion 4.10.1 -Global
                 }
+                Write-PSFMessage 'import Version 4' -Level Verbose
+                Import-Module Pester -RequiredVersion 4.10.1 -Global
             } catch {
                 Write-PSFMessage -Message 'Something Went wrong' -Level Warning -ErrorRecord $_
                 Return