so that we c nca check login check policy #882

Author: SQLDBAWithABeard

source/checks/Instancev5.Tests.ps1

@@ -218,6 +218,15 @@ Describe "Successful Login Auditing" -Tag LoginAuditSuccessful, Security, CIS, M
     }
 }
 
+Describe "Login Check Policy" -Tag LoginCheckPolicy, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.LoginCheckPolicy' }).Value
+    Context "Testing if the CHECK_POLICY is enabled on all logins on $psitem" {
+        It "All logins should have the CHECK_POLICY option set to ON on $psitem" -Skip:$skip {
+           ($psitem.logins | Where-Object { $_.LoginType -eq 'SqlLogin' -and $_.PasswordPolicyEnforced -eq $false -and $_.IsDisabled -eq $false }).Count | Should -Be 0 -Because "We expected the CHECK_POLICY for the all logins to be enabled"
+        }
+    }
+}
+
 Describe "Instance MaxDop" -Tag MaxDopInstance, MaxDop, Medium, Instance -ForEach ($InstancesToTest | Where-Object { $psitem.Name -notin $psitem.ConfigValues.ExcludeInstanceMaxDop }) {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.MaxDopInstance' }).Value
     Context "Testing Instance MaxDop Value on <_.Name>" {

source/internal/functions/NewGet-AllInstanceInfo.ps1

@@ -410,6 +410,12 @@ function NewGet-AllInstanceInfo {
             $Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $SettingsInitFields)
         }
 
+        'LoginCheckPolicy' {
+            $LoginInitFields.Add("IsDisabled") | Out-Null # so we can check login check policy
+            $LoginInitFields.Add("PasswordPolicyEnforced") | Out-Null # so we can check login check policy
+            $Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $LoginInitFields)
+        }
+
         Default { }
     }