cs-suite icon indicating copy to clipboard operation
cs-suite copied to clipboard
verified publisher icon SecurityFTW

Error working with Azure on MacOS

Open Electronickss opened this issue 7 years ago • 7 comments

Running into an issue with CS-Suite on MacOS and Azure

  • MacOS Version: 10.13.6 (17G65)
  • I made sure to git pull before running it
  • The check number I am having this issue on is: 4.2.1: Checking if SQL DB has AUDIT policy enabled
  • I reran the setup tools to make sure everything was the correct version

Here is the error

Can not perform requested operation on nested resource. Parent resource 'SERVERNAME/master' not found.
Traceback (most recent call last):
  File "cs.py", line 55, in <module>
    main()
  File "cs.py", line 51, in main
    azureaudit.azure_audit()
  File "/Users/REDACTED/gitProjects/cs-suite/modules/azureaudit.py", line 1472, in azure_audit
    sql_db_audit()
  File "/Users/REDACTED/gitProjects/cs-suite/modules/azureaudit.py", line 1170, in sql_db_audit
    audit_policy = subprocess.check_output(['az sql db audit-policy show --resource-group %s --server %s --name %s --query \'state\' --output tsv' %(resource_group,name,database)], shell=True).strip()
  File "/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 219, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '["az sql db audit-policy show --resource-group REDACTED --server REDACTED --name master --query 'state' --output tsv"]' returned non-zero exit status 3

Electronickss avatar Sep 24 '18 18:09 Electronickss

Looks to me like this could potentially be an issue with azure-cli or how cs-suite interfaces with azure-cli?

https://stackoverflow.com/questions/45624411/azure-cloud-shell-fails-to-identify-server-throws-error-can-not-perform-reque Error:

Azure Cloud shell fails to identify server. Throws error : Can not perform requested operation on nested resource. Parent resource not found

Fix:

The failure was because I have multiple subscriptions on Azure and my default subscription did not have the sql-server. I changed the subscription by using az account set --subscription and now the command to get firewall works

Electronickss avatar Sep 24 '18 19:09 Electronickss

I discovered it was an issue with one of the DBs in my setup. I can run:

az sql db audit-policy show --resource-group REDACTED_RG --server REDACTED_SERVER_NAME --name REDACTED_DB_2 --query 'state' --output tsv

And it works. However when I run:

az sql db audit-policy show --resource-group REDACTED_RG --server REDACTED_SERVER_NAME --name REDACTED_DB_1 --query 'state' --output tsv

I get the error: Can not perform requested operation on nested resource. Parent resource 'REDACTED_SERVER_NAME/REQUESTED_DB_1' not found.

I have tested that I can see the DB with the command:

az sql db list --server REDACTED_SERVER_NAME --resource-group REDACTED_RG --query "[*].name" --output tsv

and I see the DB that is giving me trouble.

Does your team have a recommendation for working through this? I am assuming this issue is being caused because something from a different resource or subscription created the DB I am having issues with. I will attempt to confirm this theory

Electronickss avatar Sep 24 '18 19:09 Electronickss

When looking at this server through the webui, the DB I am having issues with does not show up on the SQL server. Is it possible to just add some error handling and skip over this? The api and the webui are showing a different number of DBs

Electronickss avatar Sep 24 '18 19:09 Electronickss

https://i.imgur.com/WdmEwo9.png https://i.imgur.com/tPsK8Pf.png

Electronickss avatar Sep 24 '18 20:09 Electronickss

yes @Electronickss I think you're right, the azure-cli sometimes does not show the right output and that's possibly the case, due to which it fails I had commented on a issue on azure-cli on a different case, regarding the output it throws https://github.com/Azure/azure-cli/issues/5243 We will add error handling into this, but it might take us some time thanks for raising this issue and if you have further suggestions regarding the Azure checks, if we have missed any, please let us know, it'll be really helpful.

shivankar-madaan avatar Sep 24 '18 20:09 shivankar-madaan

So I need this to work as soon as possible so I am looking at implementing error handling myself. As an example:

try:
    email_policy = subprocess.check_output(['az sql db threat-policy show --resource-group %s --server %s --name %s --query \'emailAccountAdmins\' --output tsv' %(resource_group, name, database)], shell=True).strip()
except subprocess.CalledProcessError as e:
    continue

I can fork/pr this if you like the solution

Electronickss avatar Sep 25 '18 17:09 Electronickss

sure can you just submit a PR, that will be great, I will verify once as well, it shouldn't break anything though.

shivankar-madaan avatar Sep 25 '18 21:09 shivankar-madaan