so we cna check agent service admin #882

dataplat · May 18, 2023 · 7f934ec · 7f934ec
1 parent 6d1ebe0
commit 7f934ec
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/source/checks/Instancev5.Tests.ps1 b/source/checks/Instancev5.Tests.ps1
@@ -55,6 +55,16 @@ Describe "Ad Hoc Workload Optimization" -Tag AdHocWorkload, Medium, Instance -Fo
     }
 }
 
+Describe "SQL Agent Service Admin" -Tags AgentServiceAdmin, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.AgentServiceAdmin' }).Value
+    Context "Testing whether SQL Agent account is a local administrator on <_.Name>" {
+        It "The SQL Agent service account should not be a local administrator on <_.Name>" -Skip:$skip {
+            # We don't make this -BeFalse because the possible results  are $true/$false/'Could not connect'
+            $psitem.AgentServiceAdminExist | Should -Be $false -Because "We expected the service account for the SQL Agent to not be a local administrator"
+        }
+    }
+}
+
 Describe "Backup Path Access" -Tag BackupPathAccess, Storage, DISA, Medium, Instance -ForEach $InstancesToTest {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.BackupPathAccess' }).Value
     Context "Testing Backup Path Access on <_.Name>" {

diff --git a/source/internal/functions/NewGet-AllInstanceInfo.ps1 b/source/internal/functions/NewGet-AllInstanceInfo.ps1
@@ -474,6 +474,23 @@ function NewGet-AllInstanceInfo {
             $LoginPasswordExpirationCount = ($Instance.Logins | Where-Object { $_.Name -in $Instance.Roles['sysadmin'].EnumMemberNames() } | Where-Object { $_.LoginType -eq 'SqlLogin' -and $_.PasswordExpirationEnabled -EQ $false -and $_.IsDisabled -EQ $false }).Count
         }
 
+        'AgentServiceAdmin' {
+            try {
+                $SqlAgentService = Get-DbaService -ComputerName $Instance.ComputerName -InstanceName $Instance.DbaInstanceName -Type Agent -ErrorAction SilentlyContinue
+                $LocalAdmins = Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-LocalGroupMember -Group "Administrators" } -ErrorAction SilentlyContinue
+                $AgentServiceAdminExist = $localAdmins.Name.Contains($SqlAgentService.StartName)
+
+            } catch [System.Exception] {
+                if ($_.Exception.Message -like '*No services found in relevant namespaces*') {
+                    $AgentServiceAdminExist = $false
+                } else {
+                    $AgentServiceAdminExist = 'Some sort of failure'
+                }
+            } catch {
+                $AgentServiceAdminExist = 'We Could not Connect to $Instance $ComputerName , $InstanceName from catch'
+            }
+        }
+
         Default { }
     }
 
@@ -578,6 +595,7 @@ function NewGet-AllInstanceInfo {
         SupportedBuild               = $SupportedBuild
         LoginMustChangeCount         = $LoginMustChangeCount
         LoginPasswordExpirationCount = $LoginPasswordExpirationCount
+        AgentServiceAdminExist       = $AgentServiceAdminExist
         # TempDbConfig          = [PSCustomObject]@{
         #     TF118EnabledCurrent     = $tempDBTest[0].CurrentSetting
         #     TF118EnabledRecommended = $tempDBTest[0].Recommended