so that we cna check for public role perms #882

dataplat · Aug 3, 2023 · 3c0ad47 · 3c0ad47
1 parent 1573d64
commit 3c0ad47
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/source/checks/Instancev5.Tests.ps1 b/source/checks/Instancev5.Tests.ps1
@@ -367,6 +367,16 @@ Describe "Login SA cannot exist" -Tag SaExist, CIS, Medium, Instance -ForEach $I
     }
 }
 
+Describe "Public Role Permissions" -Tag PublicPermission, PublicRolePermission, Security, CIS, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.PublicPermission' }).Value
+
+    Context "Testing if the public role permissions don't have permissions  on <_.Name>" {
+        It "All permissions should be set to CIS standards on the public role on <_.Name>" -Skip:$skip {
+            $PsItem.PublicRolePermissions | Should -Be 0 -Because "We expected the public role to have no permissions for CIS compliance."
+        }
+    }
+}
+
 Describe "SA Login Renamed" -Tag SaRenamed, DISA, CIS, Medium, Instance -ForEach $InstancesToTest {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.SaRenamed' }).Value
     Context "Checking that sa login has been renamed on <_.Name>" {

diff --git a/source/internal/functions/NewGet-AllInstanceInfo.ps1 b/source/internal/functions/NewGet-AllInstanceInfo.ps1
@@ -416,6 +416,21 @@ function NewGet-AllInstanceInfo {
             $Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $LoginInitFields)
         }
 
+        { 'PublicRolePermissions' -or 'PublicPermission' } {
+            #This needs to be done in query just in case the account had already been renamed
+            $query = "
+                        SELECT Count(*) AS [RowCount]
+                        FROM master.sys.server_permissions
+                        WHERE (grantee_principal_id = SUSER_SID(N'public') and state_desc LIKE 'GRANT%')
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'VIEW ANY DATABASE' and class_desc = 'SERVER')
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 2)
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 3)
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 4)
+                            AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 5);
+                        "
+            $PublicRolePermsCount = $srv.Query($query).RowCount
+        }
+
         'SuspectPageLimit' {
             $sql = "Select
             COUNT(file_id) as 'SuspectPageCount'
@@ -620,6 +635,7 @@ function NewGet-AllInstanceInfo {
         LoginPasswordExpirationCount = $LoginPasswordExpirationCount
         AgentServiceAdminExist       = $AgentServiceAdminExist
         SqlEngineServiceAccount      = $SqlEngineServiceAccount
+        PublicRolePermissions        = $PublicRolePermsCount
         # TempDbConfig          = [PSCustomObject]@{
         #     TF118EnabledCurrent     = $tempDBTest[0].CurrentSetting
         #     TF118EnabledRecommended = $tempDBTest[0].Recommended