securityftw / cs-suite Goto Github PK

Please do not run sudo commands in setup.py.

When I run the cs-suite for Azure I get this following error:

File "/home/ubuntu/cs-suite/modules/azureaudit.py", line 1181, in vm_agent
    log_data["data"] = log_data.pop("value")
KeyError: 'value'

I checked the code, and I found this:

azure_audit.py:1170
        if check == '':
            j_res['type'] = 'WARNING'
            j_res['value'] = 'The VM %s does not have virtual agent enabled' %(name)
        else:
            list = check.split()
            if list[1] == "Succeeded" and list[0] != "":
                j_res['type'] = 'PASS'
                j_res['value'] = 'The VM %s does have virtual agent enabled' % (name)
        data.append(j_res)
        log_data = dict()
        log_data = j_res
        log_data["data"] = log_data.pop("value")

This is problematic because if condition inside else has no else condition to default to.

I had to add the following else block to bypass this problem.

azure_audit.py:1170
        if check == '':
            j_res['type'] = 'WARNING'
            j_res['value'] = 'The VM %s does not have virtual agent enabled' %(name)
        else:
            list = check.split()
            if list[1] == "Succeeded" and list[0] != "":
                j_res['type'] = 'PASS'
                j_res['value'] = 'The VM %s does have virtual agent enabled' % (name)
            # change made starts here:
            else:
                j_res['type'] = 'WARNING'
                j_res['value'] = 'The VM %s does not have virtual agent enabled' %(name)
            # change made ends here
        data.append(j_res)
        log_data = dict()
        log_data = j_res
        log_data["data"] = log_data.pop("value")

The Readme states you need Python 2.7. The countdown clock shows that it will be EOL a little over 2 months from now.

Scout2 is deprecated it is now https://github.com/nccgroup/ScoutSuite

Can this be updated?

Please see the screenshot and let me know , if we have issue in the command.

When running a audit for Azure I get the following error:

8.2: Checking if expiry is enabled for vault secret

Traceback (most recent call last):
  File "cs.py", line 55, in <module>
    main()
  File "cs.py", line 51, in main
    azureaudit.azure_audit()
  File "/Users/xxx/workspace/cs-suite/modules/azureaudit.py", line 1580, in azure_audit
    vault_secret()
  File "/Users/xxxx/workspace/cs-suite/modules/azureaudit.py", line 1126, in vault_secret
    if key_name == 'Access':
UnboundLocalError: local variable 'key_name' referenced before assignment

Looking through the code it seems like https://github.com/SecurityFTW/cs-suite/blob/master/modules/azureaudit.py#L1126 should be checking if the key Access exists in the first hand before evaluating it eg if "Access" in key_name:

I am current running of the following commit ID from master:

Author: shivankarmadaan <[email protected]>
Date:   Thu Dec 6 16:06:28 2018 +0530

    new update```
Current on OSX running current version of master for the app 

On Fedora 29 I get:

$ ./cs.py 
./cs.py: line 2: from: command not found
./cs.py: line 3: from: command not found
^C./cs.py: line 6: syntax error near unexpected token `('
./cs.py: line 6: `def main():'

Without the space it works as expected:

$ ./cs.py 
usage: cs.py [-h] [-aip AUDIT_IP] [-u USER_NAME] [-pem PEM_FILE] [-p] -env
             {aws,gcp,azure} [-pId PROJECT_NAME]
cs.py: error: argument -env/--environment is required

Hello,

I am trying to implement this tool, and I was wondering if there was a way to get the output as XML rather than JSON or just as the .log file. Thanks!

Start testing on ubuntu:
Linux ip-10-48-0-245 4.4.0-1022-aws #31-Ubuntu SMP Tue Jun 27 11:27:55 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

Python 2.7.12

and i'm getting a lot of errors like this:

curl: option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
curl: curl: option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
curl: curl: curl: curl: option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information

any help?

I am seeing a lot of false positives for the SNS Audit along these lines:

Warning: SNS topic arn:aws:sns:eu-west-2:nnnnnnnnnnnn:MGT-NONPROD-CONFIG-ALERTS is publicly accessible

When I look at the policy though:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-2:xxxxxxxxxxxxxx:MGT-NONPROD-CONFIG-ALERTS",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "xxxxxxxxxxxxxx"
        }
      }
    }
  ]
}

I'm not an expert on AWS but this reads to me like it is granting access to AWS:"*" and then imposing a condition of restricting it to the "AWS:SourceOwner"

Am I completely misinterpreting this or is it a bug?

I'm trying to run this tool to audit my Azure cloud environment and my server is running in AWSEc2 instance. This is working satisfactorily with AWS. now, i wan to generate same kind of report for azure as well.
Did anybody worked to make this tool to generate the report for Azure cloud ?
i'm getting this error
[ec2-user@ip-172-31-27-131 cs-suite]$ python cs.py -env azure
Traceback (most recent call last):
File "cs.py", line 55, in
main()
File "cs.py", line 50, in main
from modules import azureaudit
File "/home/ec2-user/cs-suite/modules/azureaudit.py", line 8, in
subprocess.call(['az', 'login'])
File "/usr/lib64/python2.7/subprocess.py", line 168, in call
return Popen(*popenargs, **kwargs).wait()
File "/usr/lib64/python2.7/subprocess.py", line 390, in init
errread, errwrite)
File "/usr/lib64/python2.7/subprocess.py", line 1025, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
[ec2-user@ip-172-31-27-131 cs-suite]$

I just installed CS_Suite on Kali Linux AMI and am trying to get it working.

Where the instructions indicate to " Generate a set of ReadOnly AWS keys", are there specific Policies that I should select to grant this access? I noticed an error for ListAccountAliases so I found that permission in the AWSQuickSightListIAM policy and applied that. This fixed what was a fatal error but I am getting a ton of "(AccessDenied)" errors as cs.py is now running.

Also worth noting - another fatal error related to an out of range index ([0]) occurs when no aliases have been defined. That was easy enough to fix (customize the IAM URL) but not a graceful error handling.

Next err occurs, during script run because of "wildcard" in source definition:

Traceback (most recent call last):
  File "cs.py", line 89, in <module>
    main()
  File "cs.py", line 83, in main
    azureaudit.azure_audit()
  File "/Users/user/cs-suite/modules/azureaudit.py", line 1885, in azure_audit
    rdp_public()
  File "/Users/user/cs-suite/modules/azureaudit.py", line 1056, in rdp_public
    access_type, port, direction, protocol, source = line.split()
ValueError: need more than 4 values to unpack

Actual line contains next string Allow 443 Inbound Tcp which can be actually spited od ['Allow', '443', 'Inbound', 'Tcp']

rule set (lines) looks like this:

Allow	443	Inbound	Tcp
Allow	*	Inbound	Tcp
Allow	22	Inbound	Tcp
Allow	443	Inbound	Tcp
Allow		Inbound	Udp	192.168.1.5

Traceback (most recent call last):
File "gscout.py", line 63, in
list_projects(sys.argv[1],sys.argv[2])
File "gscout.py", line 35, in list_projects
for project in response['projects']:
KeyError: 'projects'

I setup this tool to run locally using docker. I setup ReadOnlyAccess Policy for AWS:

I now have the final report and I noticed the following sections don't open:

Scout2
IP Audit
AWS Trust Advisor

Any idea why?

I also noticed this during the scan might have something to do with it:

For the other reports to work I have to right click and open in new tab.

At the moment EC2 audit is raising an issue that I cannot investigate because of the lack of detail:

Warning: VPC has en exposed enpoint
Warning: VPC has en exposed enpoint
Warning: VPC has en exposed enpoint
Warning: VPC has en exposed enpoint
Warning: VPC has en exposed enpoint
Warning: VPC has an exposed enpoint
Warning: VPC has en exposed enpoint
Warning: VPC has en exposed enpoint
Warning: VPC has en exposed enpoint
Warning: VPC has en exposed enpoint

This isn't very useful without mention of the VPC or the endpoint in question, so it is difficult to get the platform engineers to take it seriously.

Would it be possible to add this information?

Thanks

I set up a new GCP Debian instance, apt installed git, python2.7, python-pip, gcc, and executed

git clone https://github.com/SecurityFTW/cs-suite.git
cd cs-suite/
sudo python setup.py

Finishing the process with blank answers to AWS credentials:

Please enter your AWS credetionals
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]:
Default output format [None]:

(by the way, credetionals != credentials)

I wanted a GCP scan, and went by the readme's "To run GCP Audit - python cs.py -env gcp -pId <project_name>"

This is my output (censored):

test@gcp-scan:~/cs-suite$ python cs.py -env gcp -pId CENSOREDPROJ
Starting GCP Audit
/usr/local/lib/python2.7/dist-packages/oauth2client/_helpers.py:255: UserWarning                                                                                                                                                             : Cannot access creds.data: No such file or directory
  warnings.warn(_MISSING_FILE_MESSAGE.format(filename))
Traceback (most recent call last):
  File "gscout.py", line 63, in <module>
    list_projects(sys.argv[1],sys.argv[2])
  File "gscout.py", line 34, in list_projects
    response = request.execute()
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/_helpers.py", line 1                                                                                                                                                             33, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/googleapiclient/http.py", line 83                                                                                                                                                             8, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://cloudre                                                                                                                                                             sourcemanager.googleapis.com/v1/projects?filter=name%3ACENSOREDPROJ&alt=json                                                                                                                                                              returned "Request had insufficient authentication scopes.">

This is basically a fresh Linux machine and the tool fails, are there missing setup steps in the guide, am I missing steps?

When I run the script about 75% of the checks are returning with:

curl: option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information

Has anyone came across this?

Could i know , how we can get the report of multiple roles with credentials using Scout2?

Hi team,

As you bundle Lynis (in tools/lynis), please do a resync on a regular basis. Lynis still receives updates and the overall audit will benefit if the tool is kept up-to-date.

What is the version for aws cli which i cannot see on requirements .txt? I am getting the following errors

pyasn1-modules 0.2.3 has requirement pyasn1<0.5.0,>=0.4.1, but you'll have pyasn1 0.3.2 which is incompatible.
awscli 1.16.94 has requirement botocore==1.12.84, but you'll have botocore 1.6.2 which is incompatible.
awscli 1.16.94 has requirement s3transfer<0.2.0,>=0.1.12, but you'll have s3transfer 0.1.10 which is incompatible.

Hi,

When I click on the trusted advisor, I get

your file was not found.

I followed the instruction as per docs, installed ok and can see reports except for the one for Trusted Advisor

What am I missing?
Thanks

I am logging into az using the tag --allow-no-subscriptions however when running using cs.py --env azure I'm getting the error below:

ValidationError: The subscription '[subscription number]' could not be found.

I'm part of a security group which has read only access. Does this tool support the group access concept, or does it go by user permissions only?

We ran CS-Suite and under Web & Network it shows the following:|

Where are these expired certificates ?

We issue TLS certificates using AWS Certificate Manager, in us-east-1 for CloudFront and all our supported regions for NLBs

I have checked

Warning: certificate ably.io.wildcard.and.ably-realtime.com.san.2015 has expired

Warning: certificate ably.io.wildcard.and.ably-realtime.com.san.2015v has expired

Warning: certificate ably.io.wildcard.and.ably-realtime.com.san.2015v2 has expired

Warning: certificate ably.io.wildcard.and.ably-realtime.com.san.2015v3 has expired

Warning: certificate ably.io.wildcard.and.ably-realtime.com.san.2015v4 has expired

Warning: certificate ably.io.wildcard.and.ably-realtime.com.san.2017v5 has expired

Warning: certificate ably.io.wildcard.and.ably-realtime.com.san.2018v6 has expired

Warning: certificate Makes agencies agile : easyBacklog has expired

Warning: certificate example1024bit has expired

Warning: certificate example2048bit has expired

Warning: certificate realtime.ably.io has expired

Warning: certificate rest.ably.io has expired

Warning: certificate wilcard.ably.io has expired

Warning: certificate wildcard.ably.io-2013 has expired

Warning: certificate wildcard.ably.io-2014 has expired

Hi Team,

I am facing the following error, pls help me..

(venv) ubuntu@ip:~/cs-suite$ python3 cs.py -env aws
Traceback (most recent call last):
File "cs.py", line 6, in
from modules import logger
File "/home/ubuntu/cs-suite/modules/logger.py", line 17, in
formatter = CustomJsonFormatter('(timestamp) (level) (name) (message)')
File "/home/ubuntu/cs-suite/venv/lib/python3.8/site-packages/pythonjsonlogger/jsonlogger.py", line 115, in init
logging.Formatter.init(self, *args, **kwargs)
File "/usr/lib/python3.8/logging/init.py", line 576, in init
self._style.validate()
File "/usr/lib/python3.8/logging/init.py", line 429, in validate
raise ValueError("Invalid format '%s' for '%s' style" % (self._fmt, self.default_format[0]))
ValueError: Invalid format '(timestamp) (level) (name) (message)' for '%' style

In the requirements.txt is necessary to add azure-cli package, in my case, the one that I have now is azure-cli-2.0.62

This is necessary for azure scans

when iam installing i am getting the following errors .I am using linux server
pyasn1-modules 0.2.2 has requirement pyasn1<0.5.0,>=0.4.1, but you'll have pyasn1 0.3.2 which is incompatible.
awscli 1.14.8 has requirement botocore==1.8.12, but you'll have botocore 1.6.2 which is incompatible.
awscli 1.14.8 has requirement s3transfer<0.2.0,>=0.1.12, but you'll have s3transfer 0.1.10 which is incompatible
Cannot uninstall 'docutils'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.

We can add a new feature to use IAM role on EC2 instead of credentials. #

Hi,

NCC has announced that upcoming release will be provided into Scoutsuite not in Scout2.
Scoutsuite has good improvements in-terms GUI and report export in 'csv' & 'json' format.

Is there any road map to be integrate with CS-Suite ?

I am trying to use it in azure . installed rhel linux server and azure cli but faciing this error while running the report how ever it was generating error for 6.1: Checking if any network group allows public access to RDP and it was getting failed from there

Traceback (most recent call last):
File "cs.py", line 55, in
main()
File "cs.py", line 51, in main
azureaudit.azure_audit()
File "/home/challs1/cs-suite/modules/azureaudit.py", line 1572, in azure_audit
rdp_public()
File "/home/challs1/cs-suite/modules/azureaudit.py", line 902, in rdp_public
j_res['value'] = "The network group %s does not allow public RDP access" % network_group
UnboundLocalError: local variable 'j_res' referenced before assignment

After the report is generated, does it automatically export it to the default browser or it has to be manually open? If so, how? Any suggestion or help is appreciated here.

I set up a new ec2 instance, apt installed git, python2.7, python-pip, gcc, and executed and performed the following commands for installation
git clone https://github.com/SecurityFTW/cs-suite.git
cd cs-suite/
sudo python setup.py

This is my output (censored):
Traceback (most recent call last):
File "cs.py", line 55, in
main()
File "cs.py", line 34, in main
from modules import localaudit
File "/home/ec2-user/saiawsazure/cs-suite/modules/localaudit.py", line 4, in
from IPy import IP
ImportError: No module named IPy
I have installed ipy 5.0 for python 2.7 still i am facing the same issue

When running an Azure Audit I receive the following error:

6.1: Checking if any network group allows public access to RDP

Traceback (most recent call last):
File "cs.py", line 89, in
main()
File "cs.py", line 83, in main
azureaudit.azure_audit()
File "/home/jbenson/cs-suite/modules/azureaudit.py", line 1885, in azure_audit
rdp_public()
File "/home/jbenson/cs-suite/modules/azureaudit.py", line 1074, in rdp_public
j_res['value'] = "The network group %s does not allow public RDP access" % network_group
UnboundLocalError: local variable 'j_res' referenced before assignment

Any specific reason why scout2 is added in a folder and not as a dependency in requirements. I would suggest moving them as a dependency reduces the overhead of maintaining that tool and your tool can immediately benifits from upgrades on the new version of scout2 when its released. also if you want a feature freeze give a specific version number.

I did run the assessment on my AWS account (non-container mode) and in results I can see check numbers as null, as given below:
{
"check_no": "null",
"level": "null",
"region": "<some_region>",
"value": "<some_value>",
"score": "Scored",
"type": ""
}

I am expecting CIS check numbers here.

I'm implement cs-suite with Jenkins and fixed some bug.

Add support to AWS profiles to simplify multiple account auditing

It was working for everything rather than For Identity Access Management in Azure

I want to upload this tool as a zip file to AWS Lambda and want to invoke this periodically using CRON expressions and store the reports in S3. How do I go about this?

Hi!

Did you think about enhancing the cs-suite and add new tools? I think it would be quite useful to add AWS MAcie-like tool the DumpsterDiver: https://github.com/securing/DumpsterDiver. I can add a feature to download the content from S3 bucket and then each file would be scanned via the DumpsterDiver in search of any hardcoded key, password or any pattern. Let me know what do you think about it.

Cheers!
Pawel.

When running CS-Suite (pulled from GIT) to do GCP audit i get this kind of python issue

a@zbox:~/src/cs-suite$ bin/python cs.py -env gcp -pId XXXXXXXX
Starting GCP Audit
Traceback (most recent call last):
  File "gscout.py", line 63, in <module>
    list_projects(sys.argv[1],sys.argv[2])
  File "gscout.py", line 25, in list_projects
    'v1',credentials=storage.get())
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 407, in get
    return self.locked_get()
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/file.py", line 54, in locked_get
    credentials = client.Credentials.new_from_json(content)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 302, in new_from_json
    module_name = data['_module']
KeyError: '_module'

I believe a quickstart or quick instruction on how to run IP audit locally (Mac, Windows, Linux) or remote server (Ec2, Google Compute Engine, Azure) would be great.

I persisted with these kind of error in AWS CLI

Hello guys,
I have this info message:
Skipping bucket ********** (region eu-west-3 outside of scope)
How can I change that ?

Hi there, I just tried to run this tool today with -env aws.

I kept getting this exception in a few different spots:

File "cs.py", line 89, in <module>
    main()
  File "cs.py", line 53, in main
    from modules import awsaudit
  File "/Users/coltonleese/cs-suite/modules/awsaudit.py", line 30, in <module>
    account_name = get_account_alias() or get_account_id()
  File "/Users/coltonleese/cs-suite/modules/awsaudit.py", line 15, in get_account_alias
    account_details = json.loads(str(account_details))
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/decoder.py", line 384, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

I fixed it by changing the command

subprocess.check_output(['aws sts get-caller-identity')], shell=True

to

 subprocess.check_output(['aws sts get-caller-identity --output json')], shell=True

I can submit a PR if you want but don't know if this is widely applicable.

thanks.

Hi Team,

I am unable to install CS-Suite, getting below error:

File "/Users/avijit.sarkar/cs-suite/cs.py", line 6, in
from modules import logger
File "/Users/avijit.sarkar/cs-suite/modules/logger.py", line 17, in
formatter = CustomJsonFormatter('(timestamp) (level) (name) (message)')
File "/opt/homebrew/lib/python3.10/site-packages/pythonjsonlogger/jsonlogger.py", line 119, in init
logging.Formatter.init(self, *args, **kwargs)
File "/opt/homebrew/Cellar/[email protected]/3.10.6_2/Frameworks/Python.framework/Versions/3.10/lib/python3.10/logging/init.py", line 589, in init
self._style.validate()
File "/opt/homebrew/Cellar/[email protected]/3.10.6_2/Frameworks/Python.framework/Versions/3.10/lib/python3.10/logging/init.py", line 429, in validate
raise ValueError("Invalid format '%s' for '%s' style" % (self._fmt, self.default_format[0]))
ValueError: Invalid format '(timestamp) (level) (name) (message)' for '%' style

Environment:
Python 3.10.6
pip 22.2.2
virtualenv 20.16.5

Are there any problem azure checking 2.x rules?

Hey @challs1 @shivankar-madaan
can you please tell what exact command do I need to run from command line as I am getting the same error on running following command:
python cs.py -env azure

File "cs.py", line 55, in
main()
File "cs.py", line 50, in main
from modules import azureaudit
File "/root/cs-suite/modules/azureaudit.py", line 9, in
subprocess.call(['az', 'login'])
File "/usr/lib/python2.7/subprocess.py", line 172, in call
return Popen(*popenargs, **kwargs).wait()
File "/usr/lib/python2.7/subprocess.py", line 394, in init
errread, errwrite)
File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
raise child_exception

"For azure, the first command az login requires a browser interaction to authenticate with Azure subscription" What exactly you are referring here.
thanks

Originally posted by @exrme18 in #21 (comment)

Running into an issue with CS-Suite on MacOS and Azure

• MacOS Version: 10.13.6 (17G65)
• I made sure to git pull before running it
• The check number I am having this issue on is: 4.2.1: Checking if SQL DB has AUDIT policy enabled
• I reran the setup tools to make sure everything was the correct version

Here is the error

Can not perform requested operation on nested resource. Parent resource 'SERVERNAME/master' not found.
Traceback (most recent call last):
  File "cs.py", line 55, in <module>
    main()
  File "cs.py", line 51, in main
    azureaudit.azure_audit()
  File "/Users/REDACTED/gitProjects/cs-suite/modules/azureaudit.py", line 1472, in azure_audit
    sql_db_audit()
  File "/Users/REDACTED/gitProjects/cs-suite/modules/azureaudit.py", line 1170, in sql_db_audit
    audit_policy = subprocess.check_output(['az sql db audit-policy show --resource-group %s --server %s --name %s --query \'state\' --output tsv' %(resource_group,name,database)], shell=True).strip()
  File "/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 219, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '["az sql db audit-policy show --resource-group REDACTED --server REDACTED --name master --query 'state' --output tsv"]' returned non-zero exit status 3