Closed jtracey93 closed 1 year ago
The additional missing settings regarding storage are also a little odd given we configure these in the Deploy-Sql-VulnerabilityAssessments Policy Definition.
Given we don't have this Policy Definition linked to a Policy Assignment (either directly or via the Deploy-Sql-Security Policy Initiative referencing it), is this and its related policies still needed? What was the reason for removing them?
Any insights please @krnese and @uday31in? Were these removed as not production-ready, or just deemed no longer necessary? I see we have similar built-in policies, but these only cover the AuditIfNotExists effect.
I've also found in testing that the Deploy-Sql-Tde Policy Definition generates the following error during remediation, so this will also require modification of the policyRule to exclude these databases:
Cannot encrypt a system database. Database encryption operations cannot be performed for 'master', 'model', 'tempdb', 'msdb', or 'resource' databases.
Describe the bug
Deploy-Sql-SecurityAlertPolicies doesn't allow e-mail addresses to be provided as an input. It currently has a hard-coded value (check line 9456 in policies.json).
Screenshot
Proposed Fix: Needs to be changed to an array input parameter and also added to the initiative definition of Deploy-Sql-Security as an input parameter.
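An added example of the proposed fix, not taken from the repository's policies.json: an `Array` parameter on the policy definition that is threaded through the DeployIfNotExists deployment into `emailAddresses`, together with the matching initiative fragment that exposes the same parameter. The two documents are wrapped in one object purely so they fit in a single block. The role definition ID and policy definition ID are placeholders, and the alias `Microsoft.Sql/servers/securityAlertPolicies/state` and API version `2021-02-01-preview` are assumptions to verify.

```json
{
  "policyDefinition": {
    "properties": {
      "displayName": "Example: deploy SQL security alert policies with configurable recipients",
      "policyType": "Custom",
      "mode": "Indexed",
      "parameters": {
        "emailAddresses": {
          "type": "Array",
          "metadata": {
            "displayName": "E-mail addresses",
            "description": "Recipients for SQL security alerts (replaces the hard-coded value)."
          },
          "defaultValue": []
        }
      },
      "policyRule": {
        "if": { "field": "type", "equals": "Microsoft.Sql/servers" },
        "then": {
          "effect": "DeployIfNotExists",
          "details": {
            "type": "Microsoft.Sql/servers/securityAlertPolicies",
            "name": "Default",
            "existenceCondition": {
              "field": "Microsoft.Sql/servers/securityAlertPolicies/state",
              "equals": "Enabled"
            },
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/<role-definition-id-placeholder>"
            ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "serverName": { "type": "string" },
                    "emailAddresses": { "type": "array" }
                  },
                  "resources": [
                    {
                      "type": "Microsoft.Sql/servers/securityAlertPolicies",
                      "apiVersion": "2021-02-01-preview",
                      "name": "[concat(parameters('serverName'), '/Default')]",
                      "properties": {
                        "state": "Enabled",
                        "emailAccountAdmins": true,
                        "emailAddresses": "[parameters('emailAddresses')]"
                      }
                    }
                  ]
                },
                "parameters": {
                  "serverName": { "value": "[field('name')]" },
                  "emailAddresses": { "value": "[parameters('emailAddresses')]" }
                }
              }
            }
          }
        }
      }
    }
  },
  "policySetDefinition": {
    "properties": {
      "displayName": "Example initiative fragment exposing the same parameter",
      "parameters": {
        "emailAddresses": { "type": "Array", "defaultValue": [] }
      },
      "policyDefinitions": [
        {
          "policyDefinitionReferenceId": "DeploySqlSecurityAlertPolicies",
          "policyDefinitionId": "<policy-definition-id-placeholder>",
          "parameters": {
            "emailAddresses": { "value": "[parameters('emailAddresses')]" }
          }
        }
      ]
    }
  }
}
```

One caveat worth checking when adopting this: the existence condition only tests `state`, so a server whose alert policy is already enabled with the old hard-coded recipients will be reported compliant and never re-deployed. If the recipient list itself must be enforced, the existence condition has to compare the `emailAddresses` alias as well, and an empty `defaultValue` should be validated at assignment time so alerts do not silently go to nobody but the account admins.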