Share via

Configurare le baseline per le valutazioni delle vulnerabilità nei database SQL di Azure

  • Articolo

Questo script di PowerShell configura le baseline in base ai risultati più recenti dell'analisi della valutazione della vulnerabilità per tutti i database in un'istanza di Sql Server di Azure.

Questo esempio richiede Azure PowerShell Az 1.0 o versioni successive. Eseguire Get-Module -ListAvailable Az per determinare le versioni installate. Se è necessario installarlo, vedere Installare il modulo Azure PowerShell.

Eseguire Connect-AzAccount per accedere ad Azure.

Se non si ha una sottoscrizione di Azure, creare un account Azure gratuito prima di iniziare.

Script di esempio

Nota

È consigliabile usare il modulo Azure Az PowerShell per interagire con Azure. Per iniziare, vedere Installare Azure PowerShell. Per informazioni su come eseguire la migrazione al modulo AZ PowerShell, vedere Eseguire la migrazione di Azure PowerShell da AzureRM ad Az.

<#
.SYNOPSIS
    This script sets the results of the last successful scan as baseline for each database under the selected Azure SQL Server.

.DESCRIPTION
    This script check if the selected Azure SQL Server uses Vulnerability Assessment Express Configuration, iterates through all user databases under a server and sets the latest scan results as a baseline.

#>


$SubscriptionId     = "<subscriptionid>"                         # The Subscription id that the server belongs to.
$ResourceGroupName  = "<resource group>"                         # The Resource Group that the server belongs to.
$ServerName         = "<server name>"                            # The SQL server name that we want to apply the new SQL Vulnerability Assessment policy to (short name, without suffix).
$APIVersion         = "2022-05-01-preview"




###### New SQL Vulnerability Assessment Commands ######
#######################################################


function GetExpressConfigurationStatus($SubscriptionId, $ResourceGroupName, $ServerName){
    $Uri  = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/Default?api-version=" + $APIVersion
    SendRestRequest -Method "GET" -Uri $Uri
}


function SetLastScanAsBaselineOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName){
    $Uri  = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?systemDatabaseName=master&api-version=" + $APIVersion
    $Body = "{properties: {latestScan: true,results: {}}}"
    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}

function SetLastScanAsBaselineOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName){
    $Uri  = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=" + $APIVersion
    $Body = "{properties: {latestScan: true,results: {}}}"
    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}


function SendRestRequest(
    [Parameter(Mandatory=$True)]
    [string] $Method, 
    [Parameter(Mandatory=$True)]
    [string] $Uri, 
    [parameter( Mandatory=$false )]
    [string] $Body = "DEFAULT")
{  
    $AccessToken = Get-AzAccessToken
    $Token = "Bearer $($AccessToken.Token)"

    $headers = @{
        'Authorization' = $Token
    }

    $Params = @{
         Method = $Method
         Uri = $Uri
         Headers = $headers
         ContentType = "application/json"
    }

    if(!($Body -eq "DEFAULT"))
    {
      $Params = @{
         Method = $Method
         Uri = $Uri
         Body = $Body
         Headers = $headers
         ContentType = "application/json"
         }
    }
   
    Invoke-RestMethod @Params
}

#######################################################



# Connect
Connect-AzAccount
Set-AzContext $SubscriptionId

# Check if Express Configuration is enabled
$ECState = (GetExpressConfigurationStatus -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName).properties.State

Write-Host "Express Configuration status: " $ECState

if ($ECState -eq "Enabled")
{
    # Get list of databases
    $databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | where {$_.DatabaseName -ne "master"}

    # Set latest scan results as baseline on all user databases
    foreach ($database in $Databases)
    {
        Write-Host "Set baseline on database: '$($database.DatabaseName)'"
        SetLastScanAsBaselineOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName    
    }

    Write-Host "Set baseline on 'master' database"
    SetLastScanAsBaselineOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName
}
else
{
    Write-Host "The specified server does not have VA Express Configuration enabled therefore bulk baseline operations were not performed."
    return
}

Passaggi successivi

Per altre informazioni sul modulo Azure PowerShell, vedere la documentazione di Azure PowerShell.