From b4e76a57c52d641fc9ad297879e0395f7588bb0f Mon Sep 17 00:00:00 2001
From: Rob Sewell
Date: Tue, 9 May 2023 11:58:26 +0000
Subject: [PATCH] so that we c nca check login check policy #882
---
 source/checks/Instancev5.Tests.ps1 | 9 +++++++++
 source/internal/functions/NewGet-AllInstanceInfo.ps1 | 6 ++++++
 2 files changed, 15 insertions(+)
diff --git a/source/checks/Instancev5.Tests.ps1 b/source/checks/Instancev5.Tests.ps1
index 27968c34..749f4fbf 100644
--- a/source/checks/Instancev5.Tests.ps1
+++ b/source/checks/Instancev5.Tests.ps1
@@ -218,6 +218,15 @@ Describe "Successful Login Auditing" -Tag LoginAuditSuccessful, Security, CIS, M
 }
 }
+Describe "Login Check Policy" -Tag LoginCheckPolicy, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+ $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.LoginCheckPolicy' }).Value
+ Context "Testing if the CHECK_POLICY is enabled on all logins on $psitem" {
+ It "All logins should have the CHECK_POLICY option set to ON on $psitem" -Skip:$skip {
+ ($psitem.logins | Where-Object { $_.LoginType -eq 'SqlLogin' -and $_.PasswordPolicyEnforced -eq $false -and $_.IsDisabled -eq $false }).Count | Should -Be 0 -Because "We expected the CHECK_POLICY for the all logins to be enabled"
+ }
+ }
+}
+
 Describe "Instance MaxDop" -Tag MaxDopInstance, MaxDop, Medium, Instance -ForEach ($InstancesToTest | Where-Object { $psitem.Name -notin $psitem.ConfigValues.ExcludeInstanceMaxDop }) {
 $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.MaxDopInstance' }).Value
 Context "Testing Instance MaxDop Value on <_.Name>" {
diff --git a/source/internal/functions/NewGet-AllInstanceInfo.ps1 b/source/internal/functions/NewGet-AllInstanceInfo.ps1
index 271bc055..f525ef8b 100644
--- a/source/internal/functions/NewGet-AllInstanceInfo.ps1
+++ b/source/internal/functions/NewGet-AllInstanceInfo.ps1
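Review bot: The filter in the added `It` block of Instancev5.Tests.ps1 drops every login where `IsDisabled` is true, so a disabled SQL login with CHECK_POLICY off passes the check and keeps its unenforced password if it is later re-enabled. The test is tagged CIS, so confirm whether the benchmark audit is meant to cover all SQL-authenticated logins. If the exclusion is deliberate, record it in a comment such as `# disabled logins are deliberately excluded from the CHECK_POLICY check`. The assertion also reports only a number; wrapping the pipeline in `@(...)` and asserting on the offending login names rather than `.Count` would tell the operator which logins to fix.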
@@ -410,6 +410,12 @@ function NewGet-AllInstanceInfo {
 $Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $SettingsInitFields)
 }
+ 'LoginCheckPolicy' {
+ $LoginInitFields.Add("IsDisabled") | Out-Null # so we can check login check policy
+ $LoginInitFields.Add("PasswordPolicyEnforced") | Out-Null # so we can check login check policy
+ $Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Settings], $LoginInitFields)
+ }
+
 Default { }
 }
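Review bot: The last added line of the `'LoginCheckPolicy'` case registers `$LoginInitFields` against `[Microsoft.SqlServer.Management.Smo.Settings]`, which looks copied from the Settings case just above it. `IsDisabled` and `PasswordPolicyEnforced` are login properties, so the call should be `$Instance.SetDefaultInitFields([Microsoft.SqlServer.Management.Smo.Login], $LoginInitFields)`. As written, the login fields are presumably not pre-fetched for the new check, and the init-field list for Settings may be replaced with login field names. `$LoginInitFields` and the enclosing `switch` are defined outside this hunk, so confirm the collection is initialised before this case runs.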