Merge pull request #970 from dataplat/instancecheckscontinued

Instancecheckscontinued

Author: SQLDBAWithABeard

.devcontainer/devcontainer.json

@@ -16,7 +16,6 @@
             "extensions": [
                 "ms-vscode.powershell",
                 "github.vscode-pull-request-github",
-                "2gua.rainbow-brackets",
                 "oderwat.indent-rainbow",
                 "mhutchie.git-graph",
                 "usernamehw.errorlens",

developing/Robs-Instance.ps1

@@ -9,6 +9,11 @@ $Checks = 'NetworkLatency'
 $Checks = 'LinkedServerConnection'
 $Checks = 'MaxMemory'
 $Checks = 'OrphanedFile'
+$Checks = 'MemoryDump'
+$Checks = 'HideInstance'
+$Checks = 'LoginAuditFailed'
+$Checks = 'LoginAuditSuccessful'
+$Checks = 'LoginAuditSuccessful', 'LoginAuditFailed'
 
 Invoke-PerfAndValidateCheck -Checks $Checks
 Invoke-PerfAndValidateCheck -Checks $Checks -PerfDetail
@@ -17,7 +22,7 @@ $password = ConvertTo-SecureString "dbatools.IO" -AsPlainText -Force
 $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "sqladmin", $password
 $show = 'All'
 
-$v4code = Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check $Checks -legacy $true -Show $show -PassThru
+$v4code = Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check $Checks -legacy $true -Show $show -PassThru -verbose
 # Run v5 checks
 $v5code = Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check $Checks -legacy $false -Show $show -PassThru -Verbose
 
@@ -44,4 +49,4 @@ $traci = Trace-Script -ScriptBlock {
     $v4code = Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check $Checks -legacy $true -Show $show -PassThru
 }
 
- Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check failsafeoperator -legacy $false -Show $show -verbose
+Invoke-DbcCheck -SqlInstance $Sqlinstances -SqlCredential $cred -Check failsafeoperator -legacy $false -Show $show -verbose

source/checks/Instancev5.Tests.ps1

@@ -140,6 +140,16 @@ Describe "Error Log Count" -Tag ErrorLogCount, CIS, Low, Instance -ForEach $Inst
     }
 }
 
+Describe "Hide Instance" -Tag HideInstance, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.hideinstance' }).Value
+    Context "Checking the Hide an Instance of SQL Server Database Engine property on <_.Name>" {
+        It "The Hide an Instance of SQL Server Database Engine property on SQL Server instance <_.Name>" -Skip:$skip {
+            # We don't make this -BeTrue because the possible results  are $true/$false/'Could not connect'
+            $psitem.HideInstance.Result | Should -Be $true -Because "We expected the hide instance property to be set to $true"
+        }
+    }
+}
+
 Describe "Instance Connection" -Tag InstanceConnection, Connectivity, High, Instance -ForEach $InstancesToTest {
     BeforeAll {
         $skipall = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.connection' }).Value
@@ -190,6 +200,33 @@ Describe "Linked Servers" -Tag LinkedServerConnection, Connectivity, Medium, Ins
     }
 }
 
+Describe "Failed Login Auditing" -Tag LoginAuditFailed, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.loginauditlevelfailed' }).Value
+    Context "Testing if failed login auditing is in place on <_.Name>" {
+        It "The failed login auditing should be set on  <_.Name>" -Skip:$skip {
+            $psitem.Settings.AuditLevel | Should -BeIn @("Failure", "All") -Because "We expected the audit level to be set to capture failed logins"
+        }
+    }
+}
+
+Describe "Successful Login Auditing" -Tag LoginAuditSuccessful, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.loginauditlevelsuccessful' }).Value
+    Context "Testing if successful and failed login auditing is in place on  <_.Name>" {
+        It "The successful and failed auditing should be set on  <_.Name>" -Skip:$skip {
+            $psitem.Settings.AuditLevel | Should -Be "All" -Because "We expected the audit level to be set to capture all logins (successful and failed)"
+        }
+    }
+}
+
+Describe "Login Check Policy" -Tag LoginCheckPolicy, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.LoginCheckPolicy' }).Value
+    Context "Testing if the CHECK_POLICY is enabled on all logins on $psitem" {
+        It "All logins should have the CHECK_POLICY option set to ON on $psitem" -Skip:$skip {
+           ($psitem.logins | Where-Object { $_.LoginType -eq 'SqlLogin' -and $_.PasswordPolicyEnforced -eq $false -and $_.IsDisabled -eq $false }).Count | Should -Be 0 -Because "We expected the CHECK_POLICY for the all logins to be enabled"
+        }
+    }
+}
+
 Describe "Instance MaxDop" -Tag MaxDopInstance, MaxDop, Medium, Instance -ForEach ($InstancesToTest | Where-Object { $psitem.Name -notin $psitem.ConfigValues.ExcludeInstanceMaxDop }) {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.MaxDopInstance' }).Value
     Context "Testing Instance MaxDop Value on <_.Name>" {
@@ -213,11 +250,11 @@ Describe "Max Memory" -Tag MaxMemory, High, Instance -ForEach $InstancesToTest {
     }
 }
 
-Describe "SQL Memory Dumps" -Tags MemoryDump, Medium, Instance -ForEach $InstancesToTest {
+Describe "SQL Memory Dumps" -Tag MemoryDump, Medium, Instance -ForEach $InstancesToTest {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.memorydump' }).Value
     Context "Testing SQL Memory Dumps on <_.Name>" {
         It "There should be less than <_.MemoryDump.MaxDumps> since <_.MemoryDump.DumpDateCheckFrom> on <_.Name>" -Skip:$skip {
-            $Psitem.MemoryDump.Result | Should -BeTrue -Because "We expected less than $($Psitem.MemoryDump.MaxDumps) dumps since $(PsItem.MemoryDump.DumpDateCheckFrom)but found $($Psitem.MemoryDump.DumpCount) . Memory dumps often suggest issues with the SQL Server instance"
+            $Psitem.MemoryDump.Result | Should -BeTrue -Because "We expected less than $($Psitem.MemoryDump.MaxDumps) dumps since $($PsItem.MemoryDump.DumpDateCheckFrom)but found $($Psitem.MemoryDump.DumpCount) . Memory dumps often suggest issues with the SQL Server instance"
         }
     }
 }

source/functions/Invoke-DbcCheck.ps1

@@ -288,11 +288,13 @@ function Invoke-DbcCheck {
     process {
         if ($legacy) {
             try {
+                Write-PSFMessage 'Running in legacy mode, we need Version 4'
                 if (Get-Module Pester | Where-Object { $_.Version -gt '5.0.0' }) {
+                    Write-PSFMessage 'Remove Version 5' -Level Verbose
                     Remove-Module Pester -ErrorAction SilentlyContinue
-                    Write-PSFMessage 'Running in legacy mode, we need to import Version 4' -Level Verbose
-                    Import-Module Pester -RequiredVersion 4.10.1 -Global
                 }
+                Write-PSFMessage 'import Version 4' -Level Verbose
+                Import-Module Pester -RequiredVersion 4.10.1 -Global
             } catch {
                 Write-PSFMessage -Message 'Something Went wrong' -Level Warning -ErrorRecord $_
                 Return

source/internal/functions/NewGet-AllInstanceInfo.ps1

@@ -388,6 +388,34 @@ function NewGet-AllInstanceInfo {
             }
         }
 
+        'HideInstance' {
+            try {
+                $HideInstance = [pscustomobject] @{
+                    Result = (Get-DbaHideInstance -SqlInstance $InstanceSMO).HideInstance
+                }
+            } catch {
+                $HideInstance = [pscustomobject] @{
+                    Result = 'We Could not Connect to $Instance'
+                }
+            }
+        }
+
+        'LoginAuditFailed' {
+            $SettingsInitFields.Add("AuditLevel") | Out-Null # so we can check auditlevel
+            $Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $SettingsInitFields)
+        }
+
+        'LoginAuditSuccessful' {
+            $SettingsInitFields.Add("AuditLevel") | Out-Null # so we can check auditlevel
+            $Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $SettingsInitFields)
+        }
+
+        'LoginCheckPolicy' {
+            $LoginInitFields.Add("IsDisabled") | Out-Null # so we can check login check policy
+            $LoginInitFields.Add("PasswordPolicyEnforced") | Out-Null # so we can check login check policy
+            $Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $LoginInitFields)
+        }
+
         Default { }
     }
 
@@ -487,6 +515,7 @@ function NewGet-AllInstanceInfo {
             renamerequired       = $ServerNameMatchrenamerequired
         }
         MemoryDump            = $Dump
+        HideInstance          = $HideInstance
         # TempDbConfig          = [PSCustomObject]@{
         #     TF118EnabledCurrent     = $tempDBTest[0].CurrentSetting
         #     TF118EnabledRecommended = $tempDBTest[0].Recommended