Configure baselines for vulnerability assessments on Azure SQL databases
This PowerShell script sets baselines based on the latest vulnerability assessment scan results for all databases on an Azure SQL server.
This sample requires Azure PowerShell Az 1.0 or later. Run Get-Module -ListAvailable Az to see which versions are installed.
If you need to install it, see Install the Azure PowerShell module.
Run Connect-AzAccount to sign in to Azure.
If you don't have an Azure subscription, create a free Azure account before you begin.
Sample script
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
```powershell
<#
.SYNOPSIS
This script sets the results of the last successful scan as baseline for each database under the selected Azure SQL Server.
.DESCRIPTION
This script checks whether the selected Azure SQL Server uses Vulnerability Assessment Express Configuration, iterates through all user databases under the server and sets the latest scan results as a baseline.
#>
$SubscriptionId    = "<subscriptionid>"   # The subscription id that the server belongs to.
$ResourceGroupName = "<resource group>"   # The resource group that the server belongs to.
$ServerName        = "<server name>"      # The SQL server name that we want to apply the new SQL Vulnerability Assessment policy to (short name, without suffix).
$APIVersion        = "2022-05-01-preview"

###### New SQL Vulnerability Assessment Commands ######
#######################################################
function GetExpressConfigurationStatus($SubscriptionId, $ResourceGroupName, $ServerName) {
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/Default?api-version=" + $APIVersion
    SendRestRequest -Method "GET" -Uri $Uri
}

function SetLastScanAsBaselineOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName) {
    # Server-level baselines endpoint, scoped to the 'master' system database via systemDatabaseName.
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?systemDatabaseName=master&api-version=" + $APIVersion
    # latestScan = true asks the service to take the most recent scan results as the baseline.
    $Body = '{"properties": {"latestScan": true, "results": {}}}'
    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}

function SetLastScanAsBaselineOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName) {
    # Database-level baselines endpoint for a single user database.
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=" + $APIVersion
    $Body = '{"properties": {"latestScan": true, "results": {}}}'
    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}

function SendRestRequest(
    [Parameter(Mandatory=$True)]
    [string] $Method,
    [Parameter(Mandatory=$True)]
    [string] $Uri,
    [Parameter(Mandatory=$False)]
    [string] $Body = "DEFAULT")
{
    # Use the signed-in account's Azure Resource Manager token as a bearer token.
    $AccessToken = Get-AzAccessToken
    $Token = "Bearer $($AccessToken.Token)"
    $headers = @{
        'Authorization' = $Token
    }
    $Params = @{
        Method      = $Method
        Uri         = $Uri
        Headers     = $headers
        ContentType = "application/json"
    }
    # Only attach a body when the caller supplied one (GET requests send none).
    if ($Body -ne "DEFAULT")
    {
        $Params.Body = $Body
    }
    Invoke-RestMethod @Params
}
#######################################################

# Connect
Connect-AzAccount
Set-AzContext -Subscription $SubscriptionId

# Check if Express Configuration is enabled
$ECState = (GetExpressConfigurationStatus -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName).properties.State
Write-Host "Express Configuration status: " $ECState

if ($ECState -eq "Enabled")
{
    # Get the list of user databases ('master' is handled through the server-level endpoint below)
    $Databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | Where-Object { $_.DatabaseName -ne "master" }

    # Set latest scan results as baseline on all user databases
    foreach ($database in $Databases)
    {
        Write-Host "Set baseline on database: '$($database.DatabaseName)'"
        SetLastScanAsBaselineOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName
    }

    Write-Host "Set baseline on 'master' database"
    SetLastScanAsBaselineOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName
}
else
{
    Write-Host "The specified server does not have VA Express Configuration enabled, therefore bulk baseline operations were not performed."
    return
}
```
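After the script has run, an operator usually wants to confirm that a baseline was actually recorded and to see which rules it now covers, since every finding accepted into the baseline stops appearing in later scan reports until the baseline is changed. The PowerShell below is an added example, not part of the original script or of Microsoft's published sample: it reads a user database's baseline back with a GET on the same `.../baselines/default` endpoint the script PUTs to, and summarizes the result. The function names `GetBaselineOnUserDatabase` and `Get-BaselineSummary` are this example's own, and the response shape it parses (baselined findings under `properties.results`, keyed by rule id) is an assumption about the API, so it is illustrated with a constructed sample response rather than one captured from a real server.

```powershell
# Added example: read a vulnerability assessment baseline back and summarize it.
# Assumptions (not confirmed by the page): the baselines endpoint supports GET,
# and its response lists the baselined findings under properties.results,
# keyed by rule id.

function GetBaselineOnUserDatabase {
    param(
        [Parameter(Mandatory=$true)] [string] $SubscriptionId,
        [Parameter(Mandatory=$true)] [string] $ResourceGroupName,
        [Parameter(Mandatory=$true)] [string] $ServerName,
        [Parameter(Mandatory=$true)] [string] $DatabaseName,
        [string] $APIVersion = "2022-05-01-preview"
    )
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=$APIVersion"
    # Bearer token for Azure Resource Manager from the signed-in Az session.
    $Token = (Get-AzAccessToken).Token
    Invoke-RestMethod -Method GET -Uri $Uri -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json"
}

function Get-BaselineSummary {
    # Turns a baseline response into a small report object: how many rules are
    # baselined and which ones, so the operator can review what is now suppressed.
    param([Parameter(Mandatory=$true)] $BaselineResponse)
    $results = $BaselineResponse.properties.results
    $ruleIds = @()
    if ($null -ne $results) {
        # Each property of the results object is one baselined rule id (assumed shape).
        $ruleIds = @($results.PSObject.Properties | ForEach-Object { $_.Name } | Sort-Object)
    }
    [pscustomobject]@{
        BaselinedRuleCount = $ruleIds.Count
        BaselinedRuleIds   = $ruleIds
    }
}

# Constructed sample response (assumed shape; not captured from a real server).
$sampleResponse = @'
{
  "properties": {
    "results": {
      "VA2108": [["dbo", "db_owner"]],
      "VA1143": [["Yes"]]
    }
  }
}
'@ | ConvertFrom-Json

# Summarize the constructed sample: two baselined rules, VA1143 and VA2108.
Get-BaselineSummary -BaselineResponse $sampleResponse

# Against a real server, after the script above has set the baselines:
# $resp = GetBaselineOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName "<database name>"
# Get-BaselineSummary -BaselineResponse $resp
```

Running the summary before and after the bulk operation shows exactly which rules the new baseline covers. Because `latestScan: true` accepts every finding of the most recent scan as expected, reviewing that list per database is the practical check that a real misconfiguration was not silently baselined along with the intended ones.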
Next steps
For more information about the Azure PowerShell module, see Azure PowerShell documentation.