Configurare le baseline per le valutazioni delle vulnerabilità nei database SQL di Azure
Questo script di PowerShell configura le baseline in base ai risultati più recenti dell'analisi della valutazione della vulnerabilità per tutti i database in un'istanza di Sql Server di Azure.
Questo esempio richiede Azure PowerShell Az 1.0 o versioni successive. Eseguire Get-Module -ListAvailable Az
per determinare le versioni installate.
Se è necessario installarlo, vedere Installare il modulo Azure PowerShell.
Eseguire Connect-AzAccount per accedere ad Azure.
Se non si ha una sottoscrizione di Azure, creare un account Azure gratuito prima di iniziare.
Script di esempio
Nota
È consigliabile usare il modulo Azure Az PowerShell per interagire con Azure. Per iniziare, vedere Installare Azure PowerShell. Per informazioni su come eseguire la migrazione al modulo AZ PowerShell, vedere Eseguire la migrazione di Azure PowerShell da AzureRM ad Az.
<#
.SYNOPSIS
This script sets the results of the last successful scan as baseline for each database under the selected Azure SQL Server.
.DESCRIPTION
This script check if the selected Azure SQL Server uses Vulnerability Assessment Express Configuration, iterates through all user databases under a server and sets the latest scan results as a baseline.
#>
$SubscriptionId = "<subscriptionid>" # The Subscription id that the server belongs to.
$ResourceGroupName = "<resource group>" # The Resource Group that the server belongs to.
$ServerName = "<server name>" # The SQL server name that we want to apply the new SQL Vulnerability Assessment policy to (short name, without suffix).
$APIVersion = "2022-05-01-preview"
###### New SQL Vulnerability Assessment Commands ######
#######################################################
function GetExpressConfigurationStatus($SubscriptionId, $ResourceGroupName, $ServerName){
$Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/Default?api-version=" + $APIVersion
SendRestRequest -Method "GET" -Uri $Uri
}
function SetLastScanAsBaselineOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName){
$Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?systemDatabaseName=master&api-version=" + $APIVersion
$Body = "{properties: {latestScan: true,results: {}}}"
SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}
function SetLastScanAsBaselineOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName){
$Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=" + $APIVersion
$Body = "{properties: {latestScan: true,results: {}}}"
SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}
function SendRestRequest(
[Parameter(Mandatory=$True)]
[string] $Method,
[Parameter(Mandatory=$True)]
[string] $Uri,
[parameter( Mandatory=$false )]
[string] $Body = "DEFAULT")
{
$AccessToken = Get-AzAccessToken
$Token = "Bearer $($AccessToken.Token)"
$headers = @{
'Authorization' = $Token
}
$Params = @{
Method = $Method
Uri = $Uri
Headers = $headers
ContentType = "application/json"
}
if(!($Body -eq "DEFAULT"))
{
$Params = @{
Method = $Method
Uri = $Uri
Body = $Body
Headers = $headers
ContentType = "application/json"
}
}
Invoke-RestMethod @Params
}
#######################################################
# Connect
Connect-AzAccount
Set-AzContext $SubscriptionId
# Check if Express Configuration is enabled
$ECState = (GetExpressConfigurationStatus -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName).properties.State
Write-Host "Express Configuration status: " $ECState
if ($ECState -eq "Enabled")
{
# Get list of databases
$databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | where {$_.DatabaseName -ne "master"}
# Set latest scan results as baseline on all user databases
foreach ($database in $Databases)
{
Write-Host "Set baseline on database: '$($database.DatabaseName)'"
SetLastScanAsBaselineOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName
}
Write-Host "Set baseline on 'master' database"
SetLastScanAsBaselineOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName
}
else
{
Write-Host "The specified server does not have VA Express Configuration enabled therefore bulk baseline operations were not performed."
return
}
Passaggi successivi
Per altre informazioni sul modulo Azure PowerShell, vedere la documentazione di Azure PowerShell.