so that we cna check for public role perms #882
SQLDBAWithABeard committed Aug 3, 2023
1 parent 1573d64 commit 3c0ad47
Showing 2 changed files with 26 additions and 0 deletions.
10 changes: 10 additions & 0 deletions source/checks/Instancev5.Tests.ps1
Expand Up @@ -367,6 +367,16 @@ Describe "Login SA cannot exist" -Tag SaExist, CIS, Medium, Instance -ForEach $I
}
}

Describe "Public Role Permissions" -Tag PublicPermission, PublicRolePermission, Security, CIS, Instance -ForEach $InstancesToTest {
$skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.PublicPermission' }).Value

Context "Testing if the public role permissions don't have permissions on <_.Name>" {
It "All permissions should be set to CIS standards on the public role on <_.Name>" -Skip:$skip {
$PsItem.PublicRolePermissions | Should -Be 0 -Because "We expected the public role to have no permissions for CIS compliance."
}
}
}

Describe "SA Login Renamed" -Tag SaRenamed, DISA, CIS, Medium, Instance -ForEach $InstancesToTest {
$skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.SaRenamed' }).Value
Context "Checking that sa login has been renamed on <_.Name>" {
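Review bot: The `-Because` text on the `Should -Be 0` line overstates what is asserted: the count it checks (see the server_permissions query added to NewGet-AllInstanceInfo.ps1 in this commit) excludes the CIS-permitted defaults, VIEW ANY DATABASE and CONNECT on endpoints 2-5, rather than every permission, so a failure message saying "no permissions" will send an operator looking for grants that are allowed. Suggest `-Because "We expected the public role to have no permissions beyond the CIS-allowed defaults (VIEW ANY DATABASE, CONNECT on the default endpoints)."`. The Context title also reads awkwardly ("public role permissions don't have permissions"); `Context "Testing that the public role has no extra permissions on <_.Name>"` states the same intent plainly. The Describe block is complete within the hunk.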
16 changes: 16 additions & 0 deletions source/internal/functions/NewGet-AllInstanceInfo.ps1
Expand Up @@ -416,6 +416,21 @@ function NewGet-AllInstanceInfo {
$Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $LoginInitFields)
}

{ 'PublicRolePermissions' -or 'PublicPermission' } {
#This needs to be done in query just in case the account had already been renamed
$query = "
SELECT Count(*) AS [RowCount]
FROM master.sys.server_permissions
WHERE (grantee_principal_id = SUSER_SID(N'public') and state_desc LIKE 'GRANT%')
AND NOT (state_desc = 'GRANT' and [permission_name] = 'VIEW ANY DATABASE' and class_desc = 'SERVER')
AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 2)
AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 3)
AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 4)
AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 5);
"
$PublicRolePermsCount = $srv.Query($query).RowCount
}

'SuspectPageLimit' {
$sql = "Select
COUNT(file_id) as 'SuspectPageCount'
Expand Down Expand Up @@ -620,6 +635,7 @@ function NewGet-AllInstanceInfo {
LoginPasswordExpirationCount = $LoginPasswordExpirationCount
AgentServiceAdminExist = $AgentServiceAdminExist
SqlEngineServiceAccount = $SqlEngineServiceAccount
PublicRolePermissions = $PublicRolePermsCount
# TempDbConfig = [PSCustomObject]@{
# TF118EnabledCurrent = $tempDBTest[0].CurrentSetting
# TF118EnabledRecommended = $tempDBTest[0].Recommended
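Review bot: The case condition `{ 'PublicRolePermissions' -or 'PublicPermission' }` in the first hunk never examines the value being switched on: a script-block case is evaluated for its truth value, and `-or` over two non-empty string literals is always $true, so this arm matches every item the enclosing switch iterates and re-runs the server_permissions query each time. It should test the current item, e.g. `{ $PSItem -in 'PublicRolePermissions', 'PublicPermission' }`. If the switch is driven by the check tags (inferred, the switch statement itself is outside the hunk), note that Instancev5.Tests.ps1 in this commit tags the check `PublicRolePermission` (singular), which would no longer match `'PublicRolePermissions'` once the condition is fixed, so the two names should be reconciled. The comment `#This needs to be done in query just in case the account had already been renamed` reads as copied from the sa-login check and does not describe this query; `# Count GRANT-state server permissions held by public beyond the CIS-allowed defaults (VIEW ANY DATABASE, CONNECT on endpoints 2-5)` would. NewGet-AllInstanceInfo begins and ends outside both hunks.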
