AzSK Subscription Security Status Report fails to generate on Mac with Word installed #732

Open
akamalov opened this issue Aug 22, 2019 · 1 comment

Comments

@akamalov

Title

AzSK Subscription Security Status Report fails to generate on Mac with Word installed

Description

AzSK Subscription Security Status Report fails to generate on Mac with Word installed

Steps to reproduce

OS: Mac OSX - Mojave
Powershell: 6.2.0
AzSK: 4.0.0

On Mac with Word installed, run the following command:

Get-AzSKsubscriptionSecuritystatus -subscriptionid $subId -GeneratePDF Portrait

Output:

================================================================================
AzSK Version: 4.0.0
================================================================================
Method Name: get-azsksubscriptionsecuritystatus (GSS)
Input Parameters:
Name           Alias Value
----           ----- -----
SubscriptionId       XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
GeneratePDF          Portrait

You can also use: gss -SubscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -GeneratePDF Portrait
================================================================================
Running AzSK cmdlet using a generic (org-neutral) policy...
Scan events will be sent to the following Log Analytics workspace(s):
WSId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXb

================================================================================
Starting analysis: [FeatureName: SubscriptionCore] [SubscriptionName: Managed-External] [SubscriptionId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
--------------------------------------------------------------------------------
Checking: [SubscriptionCore]-[Minimize the number of admins/owners]
Checking: [SubscriptionCore]-[Justify all identities that are granted with admin/owner access on your subscription.]
Checking: [SubscriptionCore]-[Mandatory central accounts must be present on the subscription]
Checking: [SubscriptionCore]-[Deprecated/stale accounts must not be present on the subscription]
Checking: [SubscriptionCore]-[Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription)]
Checking: [SubscriptionCore]-[There should not be more than 2 classic administrators]
Checking: [SubscriptionCore]-[Use of management certificates is not permitted.]
Checking: [SubscriptionCore]-[Azure Security Center (ASC) must be correctly configured on the subscription]
Checking: [SubscriptionCore]-[Pending Azure Security Center (ASC) alerts must be resolved]
Checking: [SubscriptionCore]-[Service Principal Names (SPNs) should not be Owners or Contributors on the subscription]
Checking: [SubscriptionCore]-[Critical application resources should be protected using a resource lock]
Checking: [SubscriptionCore]-[ARM policies should be used to audit or deny certain activities in the subscription that can impact security]
Checking: [SubscriptionCore]-[Alerts must be configured for critical actions on subscription and resources]
Checking: [SubscriptionCore]-[Do not use custom-defined RBAC roles]
Checking: [SubscriptionCore]-[Do not use any classic resources on a subscription]
Checking: [SubscriptionCore]-[Do not use any classic virtual machines on your subscription.]
Checking: [SubscriptionCore]-[Verify the list of public IP addresses on your subscription]
Checking: [SubscriptionCore]-[Permanent access should not be granted for privileged subscription level roles]
Checking: [SubscriptionCore]-[Mandatory tags must be set per your organization policy]
Checking: [SubscriptionCore]-[Standard tier must be enabled for Azure Security Center]
Checking: [SubscriptionCore]-[Ensure any credentials approaching expiry are rotated soon.]
--------------------------------------------------------------------------------
Completed analysis: [FeatureName: SubscriptionCore] [SubscriptionName: Managed-External] [SubscriptionId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]

================================================================================
Summary   Total Passed Failed Verify Manual
-------   ----- ------ ------ ------ ------
Medium        6      3      0      3      0
High         15      9      3      0      3
Critical      1      1      0      0      0
------   ------ ------ ------ ------ ------
Total        22     13      3      3      3
------   ------ ------ ------ ------ ------
================================================================================
** Next steps **
Look at the individual control evaluation status in the CSV file.
        a) If the control has passed, no action is necessary.
        b) If the control has failed, look at the control evaluation detail in the LOG file to understand why.
        c) If the control status says 'Verify', it means that human judgement is required to determine the final control status. Look at the control evaluation output in the LOG file to make a determination.
        d) If the control status says 'Manual', it means that AzSK (currently) does not cover the control via automation OR AzSK is not able to fetch the data. You need to manually implement/verify it.

Note: The 'Recommendation' column in the CSV file provides basic (generic) guidance that can help you fix a failed control. You can also use standard Azure product documentation. You should carefully consider the implications of making the required change in the context of your application.
Control results may not reflect attestation if you do not have permissions to read attestation data from AzSKRG
--------------------------------------------------------------------------------
Status and detailed logs have been exported to path - /Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Managed-External/20190822_081425_GSS
================================================================================
You must have Microsoft Word application installed on machine to generate PDF report.
/Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Managed-External/20190822_081425_GSS
PS /Users/user1>

Powershell Version

PS /Users/user1/.azsk/policies/Config> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.2.0
PSEdition                      Core
GitCommitId                    6.2.0
OS                             Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PS /Users/user1/.azsk/policies/Config>

Expected behavior

I'd expect the report to be generated.

Actual behavior

Report fails to generate even if Word is installed on Mac.

@EvgeniaMartynova

They say in the docs - support for Windows OS only - prerequisites section.
https://github.com/azsk/DevOpsKit-docs/tree/master/00a-Setup
