SecurityFTW / cs-suite

Cloud Security Suite - One stop tool for auditing the security posture of AWS/GCP/Azure infrastructure.
GNU General Public License v3.0

Error working with Azure on MacOS #22

Open Electronickss opened 5 years ago

Electronickss commented 5 years ago

Running into an issue with CS-Suite on MacOS and Azure

Here is the error:

Can not perform requested operation on nested resource. Parent resource 'SERVERNAME/master' not found.
Traceback (most recent call last):
  File "cs.py", line 55, in <module>
    main()
  File "cs.py", line 51, in main
    azureaudit.azure_audit()
  File "/Users/REDACTED/gitProjects/cs-suite/modules/azureaudit.py", line 1472, in azure_audit
    sql_db_audit()
  File "/Users/REDACTED/gitProjects/cs-suite/modules/azureaudit.py", line 1170, in sql_db_audit
    audit_policy = subprocess.check_output(['az sql db audit-policy show --resource-group %s --server %s --name %s --query \'state\' --output tsv' %(resource_group,name,database)], shell=True).strip()
  File "/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 219, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '["az sql db audit-policy show --resource-group REDACTED --server REDACTED --name master --query 'state' --output tsv"]' returned non-zero exit status 3
Electronickss commented 5 years ago

Looks to me like this could potentially be an issue with azure-cli or how cs-suite interfaces with azure-cli?

https://stackoverflow.com/questions/45624411/azure-cloud-shell-fails-to-identify-server-throws-error-can-not-perform-reque

Error:

Azure Cloud shell fails to identify server. Throws error : Can not perform requested operation on nested resource. Parent resource not found

Fix:

The failure was because I have multiple subscriptions on Azure and my default subscription did not have the sql-server. I changed the subscription by using az account set --subscription and now the command to get the firewall works.

Electronickss commented 5 years ago

I discovered it was an issue with one of the DBs in my setup. I can run:

az sql db audit-policy show --resource-group REDACTED_RG --server REDACTED_SERVER_NAME --name REDACTED_DB_2 --query 'state' --output tsv

And it works. However when I run:

az sql db audit-policy show --resource-group REDACTED_RG --server REDACTED_SERVER_NAME --name REDACTED_DB_1 --query 'state' --output tsv

I get the error: Can not perform requested operation on nested resource. Parent resource 'REDACTED_SERVER_NAME/REQUESTED_DB_1' not found.

I have tested that I can see the DB with the command:

az sql db list --server REDACTED_SERVER_NAME --resource-group REDACTED_RG --query "[*].name" --output tsv

and I see the DB that is giving me trouble.

Does your team have a recommendation for working through this? I am assuming this issue is being caused because something from a different resource or subscription created the DB I am having issues with. I will attempt to confirm this theory.

Electronickss commented 5 years ago

When looking at this server through the web UI, the DB I am having issues with does not show up on the SQL server. Is it possible to just add some error handling and skip over this? The API and the web UI are showing a different number of DBs.

Electronickss commented 5 years ago

https://i.imgur.com/WdmEwo9.png https://i.imgur.com/tPsK8Pf.png

shivankar-madaan commented 5 years ago

Yes @Electronickss, I think you're right. The azure-cli sometimes does not show the right output, and that's possibly the case, due to which it fails. I had commented on an issue on azure-cli in a different case, regarding the output it throws: https://github.com/Azure/azure-cli/issues/5243. We will add error handling into this, but it might take us some time. Thanks for raising this issue, and if you have further suggestions regarding the Azure checks, if we have missed any, please let us know; it'll be really helpful.

Electronickss commented 5 years ago

So I need this to work as soon as possible, so I am looking at implementing error handling myself. As an example:

import subprocess

# Inside the per-database loop of sql_db_audit(): if the CLI cannot query this
# database, skip it and move on to the next one instead of aborting the audit.
try:
    email_policy = subprocess.check_output(['az sql db threat-policy show --resource-group %s --server %s --name %s --query \'emailAccountAdmins\' --output tsv' %(resource_group, name, database)], shell=True).strip()
except subprocess.CalledProcessError as e:
    continue

I can fork/PR this if you like the solution.
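
The skip-on-failure pattern proposed above, written out as an added example (editor's code, not part of the issue or of cs-suite). It also drops `shell=True` and passes the `az` arguments as an argv list, so resource or database names containing shell metacharacters are never interpreted by a shell, and it records which databases were skipped rather than silently dropping them from the report. The `run` parameter, the `fake_az` stand-in and the database names `DB_1`/`DB_2` are constructed for offline execution and are not from the issue.

```python
import subprocess
from typing import Callable, Dict, List, Optional, Sequence, Tuple

AZ = "az"  # assumed: the Azure CLI binary on PATH


def az_sql_db_query(resource_group: str, server: str, database: str,
                    subcommand: Sequence[str], query: str,
                    run: Callable = subprocess.run) -> Optional[str]:
    """Run `az sql db <subcommand> show ... --query <query> --output tsv` for one database.

    Returns the tsv value, or None when the CLI fails (e.g. the
    'Parent resource ... not found' case from this issue) or is missing,
    so the caller can record the skip and continue with the next database.
    Arguments go to the process as a list with no shell, so names are
    passed literally rather than re-parsed by /bin/sh.
    """
    argv = [AZ, "sql", "db", *subcommand, "show",
            "--resource-group", resource_group,
            "--server", server,
            "--name", database,
            "--query", query,
            "--output", "tsv"]
    try:
        result = run(argv, check=True, capture_output=True, text=True)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return None
    return result.stdout.strip()


def audit_databases(resource_group: str, server: str, databases: Sequence[str],
                    run: Callable = subprocess.run) -> Tuple[Dict[str, str], List[str]]:
    """Collect the audit-policy state per database; skipped databases are reported, not lost."""
    findings: Dict[str, str] = {}
    skipped: List[str] = []
    for database in databases:
        state = az_sql_db_query(resource_group, server, database,
                                ["audit-policy"], "state", run=run)
        if state is None:
            skipped.append(database)   # same effect as the `continue` in the issue
            continue
        findings[database] = state
    return findings, skipped


# Constructed stand-in for `az` so the example runs offline. It treats DB_1 as
# the phantom database the API lists but the server does not own (exit status 3,
# as in the traceback above) and answers "Enabled" for everything else.
def fake_az(argv: Sequence[str], **kwargs) -> subprocess.CompletedProcess:
    name = argv[argv.index("--name") + 1]
    if name == "DB_1":
        raise subprocess.CalledProcessError(
            3, argv, output="",
            stderr="Can not perform requested operation on nested resource.")
    return subprocess.CompletedProcess(argv, 0, stdout="Enabled\n", stderr="")


if __name__ == "__main__":
    found, missing = audit_databases("rg", "srv", ["DB_1", "DB_2"], run=fake_az)
    print("audited:", found)    # {'DB_2': 'Enabled'}
    print("skipped:", missing)  # ['DB_1']
```

With the real CLI, call `audit_databases` without the `run` argument; a database the CLI cannot query ends up in the `skipped` list, which an auditor should surface in the report so an unreadable database is not mistaken for a compliant one.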

shivankar-madaan commented 5 years ago

Sure, can you just submit a PR? That will be great. I will verify once as well; it shouldn't break anything though.