Add new resource SqlServerAuditSpecification

johlju · johlju · commit 77a1fbecd9fb · 2020-04-10T10:56:56.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ For older change log history see the [historic changelog](HISTORIC_CHANGELOG.md)
 
 - SqlServerDsc
   - Add new resource SqlServerAudit.
+  - Add new resource SqlServerAuditSpecification.
 
 ### Changed
 
diff --git a/source/DSCResources/DSC_SqlServerAuditSpecification/DSC_SqlServerAuditSpecification.psm1 b/source/DSCResources/DSC_SqlServerAuditSpecification/DSC_SqlServerAuditSpecification.psm1
diff --git a/source/DSCResources/DSC_SqlServerAuditSpecification/DSC_SqlServerAuditSpecification.schema.mof b/source/DSCResources/DSC_SqlServerAuditSpecification/DSC_SqlServerAuditSpecification.schema.mof
@@ -0,0 +1,53 @@
+[ClassVersion("1.0.0.0"), FriendlyName("SqlServerAuditSpecification")]
+class DSC_SqlServerAuditSpecification : OMI_BaseResource
+{
+    [Key, Description("Specifies the host name of the SQL Server on which the instance exist.")] String ServerName;
+    [Key, Description("Specifies the SQL instance in which the Audit exist.")] String InstanceName;
+    [Key, Description("Specifies the name of the SQL audit specification to be added or removed.")] String Name;
+    [Write, Description("Specifies if the audit specification should be enabled. Defaults to $false")] Boolean Enabled;
+    [Write, Description("Specifies the audit to be used as storage.")] String AuditName;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ApplicationRoleChangePasswordGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean AuditChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean BackupRestoreGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean BrokerLoginGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseLogoutGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseMirroringLoginGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseObjectAccessGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseObjectChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseObjectOwnershipChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseObjectPermissionChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseOperationGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseOwnershipChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabasePermissionChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabasePrincipalChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabasePrincipalImpersonationGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DatabaseRoleMemberChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean DbccGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean FailedDatabaseAuthenticationGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean FailedLoginGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean FulltextGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean LoginChangePasswordGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean LogoutGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean SchemaObjectAccessGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean SchemaObjectChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean SchemaObjectOwnershipChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean SchemaObjectPermissionChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ServerObjectChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ServerObjectOwnershipChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ServerObjectPermissionChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ServerOperationGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ServerPermissionChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ServerPrincipalChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ServerPrincipalImpersonationGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ServerRoleMemberChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean ServerStateChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean SuccessfulDatabaseAuthenticationGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean SuccessfulLoginGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean TraceChangeGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean UserChangePasswordGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean UserDefinedAuditGroup;
+    [Write, Description("Specifies if this property should be audited.")] Boolean TransactionGroup;
+    [Write, Description("Specifies if the audit should be present or absent. If 'Present' then the audit will be added to the server and, if needed, the audit will be updated. If 'Absent' then the audit will be removed from the server. Defaults to 'Present'."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] String Ensure;
+    [Write, Description("Specifies if it is allowed to re-create the server audit when the DestinationType changes. Defaults to $false not allowing server audits to be re-created.")] Boolean Force;
+};
diff --git a/source/DSCResources/DSC_SqlServerAuditSpecification/en-US/DSC_SqlServerAuditSpecification.strings.psd1 b/source/DSCResources/DSC_SqlServerAuditSpecification/en-US/DSC_SqlServerAuditSpecification.strings.psd1
@@ -0,0 +1,17 @@
+ConvertFrom-StringData @'
+    RetrievingAuditSpecificationInformation = Retrieving information about Audit specification '{0}' from the server '{1}' instance '{2}'. (SSAS0001)
+    EvaluateAuditSpecification = Determining if the audit specification '{0}' on server '{1}' instance '{2}' is in the desired state. (SSAS0002)
+    AuditSpecificationExist = The audit specification '{0}' exist in on server '{1}' instance '{2}'. (SSAS0003)
+    InDesiredState = The audit specification is in desired state. (SSAS0004)
+    NotInDesiredState = The audit specification is not in desired state. (SSAS0005)
+    DisableAuditSpecification = Disabling audit audit specification '{0}' on server '{1}' instance '{2}'. (SSAS0006)
+    EnableAuditSpecification = Enabling audit audit specification '{0}' on server '{1}' instance '{2}'. (SSAS0007)
+    CreateAuditSpecification = Creating the audit specification '{0}' on server '{1}' instance '{2}'. (SSAS008)
+    FailedCreateAuditSpecification = Failed creating audit specification '{0}' on server '{1}' instance '{2}'. (SSAS0009)
+    AuditAlreadyInUse = Audit {0} for audit specification '{1}' on server '{2}' instance '{3}' is already in use for audit specification '{4}' (SSAS0010)
+    DropAuditSpecification = Removing the audit specification '{0}' from server '{1}' instance '{2}'. (SSAS0011)
+    FailedDropAuditSpecification = Failed removing the audit specification '{0}' from server '{1}' instance '{2}'. (SSAS0012)
+    SetAuditSpecification = Setting the audit specification '{0}' on server '{1}' instance '{2}' to the desired state. (SSAS0013)
+    FailedUpdateAuditSpecification = Failed updating audit specification '{0}' on server '{1}' instance '{2}'. (SSAS0014)
+    ForceNotEnabled = Unable to re-create the server audit. The server audit needs to be re-created but the configuration has not opt-in to re-create the audit. To opt-in set the parameter Force to $true. (SSAS0015)
+'@
diff --git a/source/Examples/README.md b/source/Examples/README.md
@@ -26,6 +26,8 @@ These are the links to the examples for each individual resource.
 - [SqlRSSetup](Resources/SqlRSSetup)
 - [SqlScript](Resources/SqlScript)
 - [SqlScriptQuery](Resources/SqlScriptQuery)
+- [SqlServerAudit](Resources/SqlServerAudit)
+- [SqlServerAuditSpecification](Resources/SqlServerAuditSpecification)
 - [SqlServerConfiguration](Resources/SqlServerConfiguration)
 - [SqlServerDatabaseMail](Resources/SqlServerDatabaseMail)
 - [SqlServerEndpoint](Resources/SqlServerEndpoint)
diff --git a/source/Examples/Resources/SqlServerAuditSpecification/1-AddServerAuditSpecificationAdminAudit.ps1 b/source/Examples/Resources/SqlServerAuditSpecification/1-AddServerAuditSpecificationAdminAudit.ps1
@@ -0,0 +1,65 @@
+<#
+    .EXAMPLE
+        This example shows how to ensure that an audit destination
+        is absent on the instance sqltest.company.local\DSC.
+#>
+Configuration Example
+{
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [System.Management.Automation.PSCredential]
+        $SqlAdministratorCredential
+    )
+
+    Import-DscResource -ModuleName SqlServerDsc
+
+    node localhost
+    {
+        SqlServerAudit SecurityLogAudit_Server
+        {
+            Ensure               = 'Present'
+            ServerName           = 'sqltest.company.local'
+            InstanceName         = 'DSC'
+            Name                 = 'SecLogAudit'
+            DestinationType      = 'SecurityLog'
+            Enabled              = $true
+            PsDscRunAsCredential = $SqlAdministratorCredential
+        }
+
+        SqlServerAuditSpecification 'ServerAuditSpecification_AdminAudit'
+        {
+            Ensure                              = 'Present'
+            ServerName                          = 'sqltest.company.local'
+            InstanceName                        = 'DSC'
+            Name                                = 'AdminAudit'
+            AuditName                           = 'SecLogAudit'
+            Enabled                             = $true
+            AuditChangeGroup                    = $true
+            BackupRestoreGroup                  = $true
+            DatabaseObjectChangeGroup           = $true
+            DatabaseObjectOwnershipChangeGroup  = $true
+            DatabaseObjectPermissionChangeGroup = $true
+            DatabaseOwnershipChangeGroup        = $true
+            DatabasePermissionChangeGroup       = $true
+            DatabasePrincipalChangeGroup        = $true
+            DatabasePrincipalImpersonationGroup = $true
+            DatabaseRoleMemberChangeGroup       = $true
+            SchemaObjectChangeGroup             = $true
+            SchemaObjectOwnershipChangeGroup    = $true
+            SchemaObjectPermissionChangeGroup   = $true
+            ServerObjectChangeGroup             = $true
+            ServerObjectOwnershipChangeGroup    = $true
+            ServerObjectPermissionChangeGroup   = $true
+            ServerOperationGroup                = $true
+            ServerPermissionChangeGroup         = $true
+            ServerPrincipalChangeGroup          = $true
+            ServerPrincipalImpersonationGroup   = $true
+            ServerRoleMemberChangeGroup         = $true
+            ServerStateChangeGroup              = $true
+            TraceChangeGroup                    = $true
+            DependsOn                           = '[SqlServerAudit]SecurityLogAudit_Server'
+            PsDscRunAsCredential                = $SqlAdministratorCredential
+        }
+    }
+}
diff --git a/source/Examples/Resources/SqlServerAuditSpecification/2-AddServerAuditSpecificationLoginAudit.ps1 b/source/Examples/Resources/SqlServerAuditSpecification/2-AddServerAuditSpecificationLoginAudit.ps1
@@ -0,0 +1,49 @@
+<#
+    .EXAMPLE
+        This example shows how to ensure that an audit destination
+        is absent on the instance sqltest.company.local\DSC.
+#>
+Configuration Example
+{
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [System.Management.Automation.PSCredential]
+        $SqlAdministratorCredential
+    )
+
+    Import-DscResource -ModuleName SqlServerDsc
+
+    node localhost
+    {
+        SqlServerAudit SecurityLogAudit_Server
+        {
+            Ensure               = 'Present'
+            ServerName           = 'sqltest.company.local'
+            InstanceName         = 'DSC'
+            Name                 = 'SecLogAudit'
+            DestinationType      = 'SecurityLog'
+            Enabled              = $true
+            PsDscRunAsCredential = $SqlAdministratorCredential
+        }
+
+        SqlServerAuditSpecification 'ServerAuditSpecification_AdminAudit'
+        {
+            Ensure                                = 'Present'
+            ServerName                            = 'sqltest.company.local'
+            InstanceName                          = 'DSC'
+            Name                                  = 'AdminAudit'
+            AuditName                             = 'SecLogAudit'
+            Enabled                               = $true
+            DatabaseLogoutGroup                   = $true
+            FailedDatabaseAuthenticationGroup     = $true
+            FailedLoginGroup                      = $true
+            LoginChangePasswordGroup              = $true
+            LogoutGroup                           = $true
+            SuccessfulDatabaseAuthenticationGroup = $true
+            SuccessfulLoginGroup                  = $true
+            DependsOn                             = '[SqlServerAudit]SecurityLogAudit_Server'
+            PsDscRunAsCredential                  = $SqlAdministratorCredential
+        }
+    }
+}
diff --git a/source/Examples/Resources/SqlServerAuditSpecification/3-AddServerAuditAuditChange.ps1 b/source/Examples/Resources/SqlServerAuditSpecification/3-AddServerAuditAuditChange.ps1
@@ -0,0 +1,44 @@
+<#
+    .EXAMPLE
+        This example shows how to ensure that an audit destination
+        is absent on the instance sqltest.company.local\DSC.
+#>
+Configuration Example
+{
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [System.Management.Automation.PSCredential]
+        $SqlAdministratorCredential
+    )
+
+    Import-DscResource -ModuleName SqlServerDsc
+
+    node localhost
+    {
+        SqlServerAudit SecurityLogAudit_Server
+        {
+            Ensure                    = 'Present'
+            ServerName                = 'sqltest.company.local'
+            InstanceName              = 'DSC'
+            Name                      = 'SecLogAudit'
+            DestinationType           = 'SecurityLog'
+            Enabled                   = $true
+            PsDscRunAsCredential      = $SqlAdministratorCredential
+        }
+
+        SqlServerAuditSpecification 'ServerAuditSpecification_AuditAudit'
+        {
+            Ensure                    = 'Present'
+            ServerName                = 'sqltest.company.local'
+            InstanceName              = 'DSC'
+            Name                      = 'AuditAudit'
+            AuditName                 = 'SecLogAudit'
+            Enabled                   = $true
+            AuditChangeGroup          = $true
+            TraceChangeGroup          = $true
+            DependsOn                 = "[SqlServerAudit]SecurityLogAudit_Server"
+            PsDscRunAsCredential      = $SqlAdministratorCredential
+        }
+    }
+}
diff --git a/source/Examples/Resources/SqlServerAuditSpecification/4-AddMultipleServerAudits.ps1 b/source/Examples/Resources/SqlServerAuditSpecification/4-AddMultipleServerAudits.ps1
@@ -0,0 +1,92 @@
+<#
+    .EXAMPLE
+        This example shows how to add multiple audit specifications to the same instance.
+        Each audit can only contain one audit specification.
+#>
+Configuration Example
+{
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [System.Management.Automation.PSCredential]
+        $SqlAdministratorCredential
+    )
+
+    Import-DscResource -ModuleName SqlServerDsc
+
+    node localhost
+    {
+        SqlServerAudit SecurityLogAudit_Server01
+        {
+            Ensure                    = 'Present'
+            ServerName                = 'sqltest.company.local'
+            InstanceName              = 'DSC'
+            Name                      = 'SecLogAudit01'
+            DestinationType           = 'SecurityLog'
+            Enabled                   = $true
+            PsDscRunAsCredential      = $SqlAdministratorCredential
+        }
+
+        SqlServerAudit SecurityLogAudit_Server02
+        {
+            Ensure                    = 'Present'
+            ServerName                = 'sqltest.company.local'
+            InstanceName              = 'DSC'
+            Name                      = 'SecLogAudit02'
+            DestinationType           = 'SecurityLog'
+            Enabled                   = $true
+            PsDscRunAsCredential      = $SqlAdministratorCredential
+        }
+
+        SqlServerAuditSpecification ServerAuditSpecification_AuditAudit
+        {
+            Ensure                    = 'Present'
+            ServerName                = 'sqltest.company.local'
+            InstanceName              = 'DSC'
+            Name                      = 'AuditAudit'
+            AuditName                 = 'SecLogAudit01'
+            Enabled                   = $true
+            AuditChangeGroup          = $true
+            TraceChangeGroup          = $true
+            DependsOn                 = "[SqlServerAudit]SecurityLogAudit_Server01"
+            PsDscRunAsCredential      = $SqlAdministratorCredential
+        }
+
+
+
+        SqlServerAuditSpecification ServerAuditSpecification_AdminAudit
+        {
+            Ensure                                = 'Present'
+            ServerName                            = 'sqltest.company.local'
+            InstanceName                          = 'DSC'
+            Name                                  = 'AdminAudit'
+            AuditName                             = 'SecLogAudit02'
+            Enabled                               = $true
+            AuditChangeGroup                      = $true
+            BackupRestoreGroup                    = $true
+            DatabaseObjectChangeGroup             = $true
+            DatabaseObjectOwnershipChangeGroup    = $true
+            DatabaseObjectPermissionChangeGroup   = $true
+            DatabaseOwnershipChangeGroup          = $true
+            DatabasePermissionChangeGroup         = $true
+            DatabasePrincipalChangeGroup          = $true
+            DatabasePrincipalImpersonationGroup   = $true
+            DatabaseRoleMemberChangeGroup         = $true
+            SchemaObjectChangeGroup               = $true
+            SchemaObjectOwnershipChangeGroup      = $true
+            SchemaObjectPermissionChangeGroup     = $true
+            ServerObjectChangeGroup               = $true
+            ServerObjectOwnershipChangeGroup      = $true
+            ServerObjectPermissionChangeGroup     = $true
+            ServerOperationGroup                  = $true
+            ServerPermissionChangeGroup           = $true
+            ServerPrincipalChangeGroup            = $true
+            ServerPrincipalImpersonationGroup     = $true
+            ServerRoleMemberChangeGroup           = $true
+            ServerStateChangeGroup                = $true
+            TraceChangeGroup                      = $true
+            DependsOn                             = "[SqlServerAudit]SecurityLogAudit_Server02"
+            PsDscRunAsCredential                  = $SqlAdministratorCredential
+        }
+    }
+}
diff --git a/source/Examples/Resources/SqlServerAuditSpecification/5-RemoveAuditSpecification.ps1 b/source/Examples/Resources/SqlServerAuditSpecification/5-RemoveAuditSpecification.ps1
@@ -0,0 +1,29 @@
+<#
+    .EXAMPLE
+        This example shows how to ensure that an audit destination
+        is absent on the instance sqltest.company.local\DSC.
+#>
+Configuration Example
+{
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [System.Management.Automation.PSCredential]
+        $SqlAdministratorCredential
+    )
+
+    Import-DscResource -ModuleName SqlServerDsc
+
+    node localhost
+    {
+        SqlServerAuditSpecification 'ServerAuditSpecification_AdminAudit'
+        {
+            Ensure                    = 'Absent'
+            ServerName                = 'sqltest.company.local'
+            InstanceName              = 'DSC'
+            Name                      = 'AdminAudit'
+            AuditName                 = 'SecLogAudit'
+            PsDscRunAsCredential      = $SqlAdministratorCredential
+        }
+    }
+}
diff --git a/tests/Integration/DSC_SqlServerAuditSpecification.Integration.Tests.ps1 b/tests/Integration/DSC_SqlServerAuditSpecification.Integration.Tests.ps1
diff --git a/tests/Integration/DSC_SqlServerAuditSpecification.config.ps1 b/tests/Integration/DSC_SqlServerAuditSpecification.config.ps1
