Set a Vulnerability Assessment baseline in Azure SQL Database
This PowerShell script sets the Vulnerability Assessment baseline of every database on an Azure SQL server to that database's latest scan results. A baseline tells Vulnerability Assessment to treat the current state as expected, so any finding present in the latest scan stops being reported as a failure once it is baselined. Review the latest scan results before running the script; otherwise real misconfigurations are accepted silently.
This sample requires Azure PowerShell Az 1.0 or later; the Get-AzAccessToken cmdlet it uses to obtain an Azure Resource Manager bearer token is not present in the earliest Az releases (it ships with Az.Accounts 2.2.0 and later), so check the installed version with Get-Module -ListAvailable Az.
If you need to install it, see Install the Azure PowerShell module.
Run Connect-AzAccount to sign in to Azure.
If you don't have an Azure subscription, create an Azure free account before you begin.
Sample script
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
<#
.SYNOPSIS
This script sets the results of the last successful scan as the baseline for each database under the selected Azure SQL Server.
.DESCRIPTION
This script checks whether the selected Azure SQL Server uses Vulnerability Assessment Express Configuration, iterates through all user databases under the server and sets the latest scan results as the baseline on each of them, and then does the same for the master system database.
#>
$SubscriptionId = "<subscriptionid>" # The Subscription id that the server belongs to.
$ResourceGroupName = "<resource group>" # The Resource Group that the server belongs to.
$ServerName = "<server name>" # The SQL server name that we want to apply the new SQL Vulnerability Assessment policy to (short name, without suffix).
$APIVersion = "2022-05-01-preview"
###### New SQL Vulnerability Assessment Commands ######
#######################################################
function GetExpressConfigurationStatus($SubscriptionId, $ResourceGroupName, $ServerName){
    # GET the server-level VA resource; properties.state is "Enabled" when Express Configuration is on.
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=" + $APIVersion
    SendRestRequest -Method "GET" -Uri $Uri
}
function SetLastScanAsBaselineOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName){
    # master is addressed at server level through the systemDatabaseName query parameter.
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?systemDatabaseName=master&api-version=" + $APIVersion
    # latestScan = true tells the service to copy the most recent scan results into the baseline (valid JSON: keys must be quoted).
    $Body = '{"properties": {"latestScan": true, "results": {}}}'
    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}
function SetLastScanAsBaselineOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName){
    # User databases are addressed by their own resource path.
    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/default/baselines/default?api-version=" + $APIVersion
    $Body = '{"properties": {"latestScan": true, "results": {}}}'
    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
}
function SendRestRequest(
    [Parameter(Mandatory=$True)]
    [string] $Method,
    [Parameter(Mandatory=$True)]
    [string] $Uri,
    [Parameter(Mandatory=$False)]
    [string] $Body)
{
    # Acquire an Azure Resource Manager token for the signed-in account.
    # Az.Accounts 14 and later return Token as a SecureString; earlier versions return plain text. Handle both.
    $AccessToken = (Get-AzAccessToken -ResourceUrl "https://management.azure.com/").Token
    if ($AccessToken -is [System.Security.SecureString])
    {
        $AccessToken = [System.Net.NetworkCredential]::new("", $AccessToken).Password
    }
    $Params = @{
        Method      = $Method
        Uri         = $Uri
        Headers     = @{ 'Authorization' = "Bearer $AccessToken" }
        ContentType = "application/json"
        ErrorAction = "Stop"   # surface 4xx/5xx responses from ARM instead of continuing silently
    }
    if ($Body)   # only the PUT requests carry a body
    {
        $Params.Body = $Body
    }
    Invoke-RestMethod @Params
}
#######################################################
# Connect and select the subscription that owns the server
Connect-AzAccount
Set-AzContext -Subscription $SubscriptionId | Out-Null
# Check if Express Configuration is enabled; the baseline API used below requires it
$ECState = (GetExpressConfigurationStatus -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName).properties.state
Write-Host "Express Configuration status: $ECState"
if ($ECState -eq "Enabled")
{
    # Get the list of user databases (master is handled separately below)
    $Databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | Where-Object { $_.DatabaseName -ne "master" }
    # Set latest scan results as baseline on all user databases
    foreach ($Database in $Databases)
    {
        Write-Host "Set baseline on database: '$($Database.DatabaseName)'"
        SetLastScanAsBaselineOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $Database.DatabaseName
    }
    Write-Host "Set baseline on 'master' database"
    SetLastScanAsBaselineOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName
}
else
{
    Write-Host "The specified server does not have VA Express Configuration enabled, therefore bulk baseline operations were not performed."
    return
}
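The script above baselines every database unconditionally. The following added example (not from the original page or from Microsoft's sample) shows the review-then-accept flow a practitioner would want before accepting findings as expected state: it lists the open findings each baseline would absorb, requires confirmation (or previews with -WhatIf), and reads the baseline back afterwards. The baseline endpoints and body are the ones the script uses; the latest-scan-results endpoint (.../scans/latest/scanResults) and the shape of the result objects (properties.status, properties.ruleId, properties.ruleMetadata.severity) are assumptions drawn from the same API family, so verify them against the REST reference for your api-version.

```powershell
#Requires -Modules Az.Accounts, Az.Sql
<#
  Added example, not part of the original script: review open findings, baseline only
  with explicit consent, then verify. Run with -WhatIf to preview; pass -Confirm:$false
  in automation to suppress the prompt.
  ASSUMED (verify against the REST reference for your api-version):
    - scan results endpoint: .../sqlVulnerabilityAssessments/default/scans/latest/scanResults
    - result objects expose properties.status ("Finding"/"NonFinding"), properties.ruleId
      and properties.ruleMetadata.severity
    - properties.results on the baseline is a map keyed by rule ID
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $ServerName,
    [string] $ApiVersion = '2022-05-01-preview'
)

function Get-ArmAuthHeader {
    # Az.Accounts 14+ returns Token as a SecureString; older versions return plain text.
    $token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
    if ($token -is [System.Security.SecureString]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }
    @{ Authorization = "Bearer $token" }
}

function Invoke-ArmRequest {
    param([ValidateSet('GET', 'PUT')] [string] $Method, [string] $Path, [object] $Body)
    $sep = if ($Path.Contains('?')) { '&' } else { '?' }
    $params = @{
        Method      = $Method
        Uri         = "https://management.azure.com$Path${sep}api-version=$ApiVersion"
        Headers     = (Get-ArmAuthHeader)
        ContentType = 'application/json'
        ErrorAction = 'Stop'          # fail loudly on 4xx/5xx instead of continuing
    }
    if ($null -ne $Body) { $params.Body = $Body | ConvertTo-Json -Depth 5 -Compress }
    Invoke-RestMethod @params
}

Set-AzContext -Subscription $SubscriptionId | Out-Null
$serverPath = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName"

$state = (Invoke-ArmRequest GET "$serverPath/sqlVulnerabilityAssessments/default").properties.state
if ($state -ne 'Enabled') {
    throw "VA Express Configuration is '$state' on $ServerName; bulk baselining requires it to be Enabled."
}

# master is addressed at server level with ?systemDatabaseName=master; user databases by their own path.
$targets = foreach ($db in Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName) {
    if ($db.DatabaseName -eq 'master') {
        @{ Name = 'master'; VaPath = "$serverPath/sqlVulnerabilityAssessments/default"; Query = '?systemDatabaseName=master' }
    } else {
        @{ Name = $db.DatabaseName; VaPath = "$serverPath/databases/$($db.DatabaseName)/sqlVulnerabilityAssessments/default"; Query = '' }
    }
}

foreach ($t in $targets) {
    # 1. Review: these are the findings the baseline would accept as expected state.
    $results  = (Invoke-ArmRequest GET "$($t.VaPath)/scans/latest/scanResults$($t.Query)").value
    $findings = @($results | Where-Object { $_.properties.status -eq 'Finding' })
    $summary  = ($findings | Group-Object { $_.properties.ruleMetadata.severity } |
                 ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    Write-Host ("{0}: {1} open finding(s) [{2}]" -f $t.Name, $findings.Count, $summary)
    $findings | ForEach-Object { Write-Host "    $($_.properties.ruleId)" }

    # 2. Accept only with explicit consent (-WhatIf previews; ConfirmImpact High prompts by default).
    if (-not $PSCmdlet.ShouldProcess($t.Name, "Accept $($findings.Count) finding(s) into the VA baseline")) { continue }
    $body = @{ properties = @{ latestScan = $true; results = @{} } }
    Invoke-ArmRequest PUT "$($t.VaPath)/baselines/default$($t.Query)" $body | Out-Null

    # 3. Verify by reading the baseline back.
    $baseline  = Invoke-ArmRequest GET "$($t.VaPath)/baselines/default$($t.Query)"
    $rules     = $baseline.properties.results
    $ruleCount = if ($rules) { @($rules.PSObject.Properties).Count } else { 0 }
    Write-Host "    baseline written for $($t.Name); $ruleCount rule(s) recorded"
}
```

Invoke with the same three identifiers the original script takes, for example `.\Set-VaBaseline.ps1 -SubscriptionId <subscriptionid> -ResourceGroupName <resource group> -ServerName <server name> -WhatIf` to see what would be accepted without writing anything. Keeping the confirmation on by default is deliberate: the failure mode of a baseline is not an error but a finding that quietly stops appearing in reports.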
Next steps
For more information about the Azure PowerShell module, see the Azure PowerShell documentation.