Skip to content

Commit

Permalink
Merge pull request #987 from jpomfret/contained
Browse files Browse the repository at this point in the history
v5 new checks
  • Loading branch information
jpomfret authored Jul 11, 2023
2 parents 4340fe8 + 7aabd32 commit 148d7c5
Show file tree
Hide file tree
Showing 3 changed files with 40 additions and 7 deletions.
26 changes: 24 additions & 2 deletions source/checks/Databasev5.Tests.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -58,17 +58,17 @@ Describe "Suspect Page" -Tag SuspectPage, High , Database -ForEach $InstancesToT
}

Describe "Database Collation" -Tag DatabaseCollation, High, Database -ForEach $InstancesToTest {
#TODO: Should we have a skip option for each IT block?
$skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.database.databasecollation' }).Value
Context "Testing database collation on <_.Name>" {
It "Database <_.Name> collation <_.Collation> should match server collation <_.ServerCollation> on <_.SqlInstance>" -Skip:$skip -ForEach $psitem.Databases.Where{ if ($Database) { $_.Name -in $Database } else { $psitem.ConfigValues.wrongcollation -notcontains $PsItem.Name } } {
$psitem.ServerCollation | Should -Be $psitem.Collation -Because "You will get collation conflict errors in tempdb"
}

# wrong collation set
It "Database <_.Name> collation <_.Collation> should not match server collation <_.ServerCollation> on <_.SqlInstance>" -ForEach $psitem.Databases.Where{ $_.Name -in $psitem.ConfigValues.wrongcollation } {
It "Database <_.Name> collation <_.Collation> should not match server collation <_.ServerCollation> on <_.SqlInstance>" -Skip:$skip -ForEach $psitem.Databases.Where{ $_.Name -in $psitem.ConfigValues.wrongcollation } {
$psitem.ServerCollation | Should -Not -Be $psitem.Collation -Because "You have defined the database to have another collation then the server. You will get collation conflict errors in tempdb"
}

}
}

Expand Down Expand Up @@ -252,3 +252,25 @@ Describe "PseudoSimple Recovery Model" -Tag PseudoSimple, Medium, Database -ForE
}
}
}

Describe "Contained Database Auto Close" -Tag ContainedDBAutoClose, CIS, Database -ForEach $InstancesToTest {
$Skip = ($__dbcconfig | Where-Object Name -EQ 'skip.security.containedbautoclose').Value

Context "Testing contained database auto close option" {
It "Database <_.Name> should have auto close set to false on <_.SqlInstance>" -Skip:$skip -ForEach $psitem.Databases.Where{ if ($Database) { $_.Name -in $Database -and $_.ContainmentType -ne "NONE" } else { $psitem.ConfigValues.contdbautocloseexclude -notcontains $psitem.Name -and $_.ContainmentType -ne "NONE" } } {
$psitem.ContainedDbAutoClose | Should -BeFalse -Because "Contained Databases should have auto close set to false for CIS compliance."
}
}
}

Describe "Contained Database SQL Authenticated Users" -Tag ContainedDBSQLAuth, CIS, Database -ForEach $InstancesToTest {
$Skip = ($__dbcconfig | Where-Object Name -EQ 'skip.security.ContainedDBSQLAuth').Value

#if ($version -lt 13 ) { $skip = $true }

Context "Testing contained database to see if sql authenticated users exist" {
It "Database <_.Name> should have no sql authenticated users on <_.SqlInstance>" -Skip:$skip -ForEach $psitem.Databases.Where{ if ($Database) { $_.Name -in $Database -and $_.ContainmentType -ne "NONE" } else { $psitem.ConfigValues.contdbsqlauthexclude -notcontains $psitem.Name -and $_.ContainmentType -ne "NONE" } } {
$psitem.ContainedDbSqlAuthUsers | Should -Be 0 -Because "We expect there to be no sql authenticated users in contained database."
}
}
}
2 changes: 2 additions & 0 deletions source/internal/configurations/configuration.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,8 @@ Set-PSFConfig -Module dbachecks -Name policy.database.trustworthyexcludedb -Valu
Set-PSFConfig -Module dbachecks -Name policy.database.duplicateindexexcludedb -Value @('msdb', 'ReportServer', 'ReportServerTempDB') -Initialize -Description "A List of databases we do not want to check for Duplicate Indexes"
Set-PSFConfig -Module dbachecks -Name policy.database.clrassembliessafeexcludedb -Value @() -Initialize -Description " A List of database what we do not want to check for SAFE CLR Assemblies"
Set-PSFConfig -Module dbachecks -Name policy.database.pseudosimpleexcludedb -Value @('tempdb', 'model') -Initialize -Description "A List of databases that we do not want to check for pseudosimple recovery modelasd a"
Set-PSFConfig -Module dbachecks -Name policy.database.contdbautocloseexclude -Value @('msdb') -Initialize -Description "A List of contained database that we we do not want to check for autoclose"
Set-PSFConfig -Module dbachecks -Name policy.database.contdbsqlauthexclude -Value @() -Initialize -Description "A list of databases that we do not want to check for contained databases with SQL authenticated users"
Set-PSFConfig -Module dbachecks -Name policy.database.logfilepercentused -Value 75 -Initialize -Description " The % log used we should stay below"

# Policy for Ola Hallengren Maintenance Solution
Expand Down
19 changes: 14 additions & 5 deletions source/internal/functions/Get-AllDatabaseInfo.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,14 @@ function Get-AllDatabaseInfo {
$pseudoSimple = $true
$ConfigValues | Add-Member -MemberType NoteProperty -Name 'pseudosimpleexclude' -Value ($__dbcconfig | Where-Object Name -EQ 'policy.database.pseudosimpleexcludedb').Value
}
'ContainedDBAutoClose' {
$containedDbAutoClose = $true
$ConfigValues | Add-Member -MemberType NoteProperty -Name 'contdbautocloseexclude' -Value ($__dbcconfig | Where-Object Name -EQ 'policy.database.contdbautocloseexclude').Value
}
'ContainedDBSQLAuth'{
$containedDbSqlAuthUsers = $true
$ConfigValues | Add-Member -MemberType NoteProperty -Name 'contdbsqlauthexclude' -Value ($__dbcconfig | Where-Object Name -EQ 'policy.database.contdbsqlauthexclude').Value
}
Default { }
}

Expand All @@ -156,7 +164,7 @@ function Get-AllDatabaseInfo {
ComputerName = $Instance.ComputerName
InstanceName = $Instance.DbaInstanceName
Name = $Instance.Name
ConfigValues = $ConfigValues # can we move this out to here?
ConfigValues = $ConfigValues
Databases = $Instance.Databases.Foreach{
[PSCustomObject]@{
Name = $psitem.Name
Expand All @@ -165,10 +173,9 @@ function Get-AllDatabaseInfo {
ServerCollation = @(if ($collation) { $Instance.collation })
Collation = @(if ($collation) { $psitem.collation })
SuspectPage = @(if ($suspectPage) { (Get-DbaSuspectPage -SqlInstance $Instance -Database $psitem.Name | Measure-Object).Count })
ConfigValues = $ConfigValues # can we move this out?
ConfigValues = $ConfigValues
AsymmetricKeySize = @(if ($asymmetrickey) { ($psitem.AsymmetricKeys | Where-Object { $_.KeyLength -lt 2048 } | Measure-Object).Count })
#AsymmetricKeySize = if ($asymmetrickey) { $psitem.AsymmetricKeys.KeyLength } # doing this I got $null if there wasn't a key so counting ones that are too short
AutoClose = @(if ($autoclose) { $psitem.AutoClose })
AutoClose = @(if ($autoclose -or $containedDbAutoClose) { $psitem.AutoClose })
AutoCreateStatistics = @(if ($autocreatestats) { $psitem.AutoCreateStatisticsEnabled })
AutoUpdateStatistics = @(if ($autoupdatestats) { $psitem.AutoUpdateStatisticsEnabled })
AutoUpdateStatisticsAsync = @(if ($autoupdatestatsasync) { $psitem.AutoUpdateStatisticsAsync })
Expand All @@ -185,7 +192,9 @@ function Get-AllDatabaseInfo {
GuestUserConnect = @(if ($guestUserConnect) { if ($psitem.EnumDatabasePermissions('guest') | Where-Object { $_.PermissionState -eq 'Grant' -and $_.PermissionType.Connect }) { $true } } )
RecoveryModel = @(if ($pseudoSimple -or $recoverymodel) { $psitem.RecoveryModel })
PseudoSimple = @(if ($pseudoSimple) { '' -eq (($psitem.Query('Select last_log_backup_lsn from sys.database_recovery_status where database_id = DB_ID()')).last_log_backup_lsn) })
# might need to change this to look at last_log_backup_lsn column of the sys.database_recovery_status or DBCC DBINFO () WITH TABLERESULTS").Tables[0] | Where-Object {$_.Field -eq "dbi_dbbackupLSN"}
ContainmentType = @(if ($containedDbAutoClose -or $containedDbSqlAuthUsers) { $psitem.ContainmentType })
ContainedDbAutoClose = @(if ($containedDbAutoClose) { if (($psItem.ContainmentType -ne "NONE") -and ($null -ne $psItem.ContainmentType) -and $psitem.AutoClose) { $true } else { $false } } )
ContainedDbSqlAuthUsers = @(if ($containedDbSqlAuthUsers) { if ($psItem.ContainmentType -ne "NONE" -and ($null -ne $psItem.ContainmentType)) { ($psitem.Users | Where-Object {$_.LoginType -eq "SqlLogin" -and $_.HasDbAccess -eq $true } | Measure-Object ).Count}} )
}
}
}
Expand Down

0 comments on commit 148d7c5

Please sign in to comment.