Table: duo_account_settings - Query Duo Security Account Settings using SQL
Duo Security Account Settings is a feature within Duo Security that allows administrators to manage and configure the security settings for their Duo account. It provides a centralized way to set up and manage settings for various Duo resources, including user policies, integrations, and more. Duo Security Account Settings helps you stay informed about the security and configuration status of your Duo resources and take appropriate actions when required.
Table Usage Guide
The duo_account_settings
table provides insights into Account Settings within Duo Security. As a Security Administrator, explore specific details through this table, including security restrictions, policy settings, and associated metadata. Utilize it to uncover information about settings, such as those related to user policies, integrations, and to verify the current configuration status.
Examples
Get account settings
select *from duo_account_settings;
select *from duo_account_settings;
Check password settings are secure
select name, case when password_requires_lower_alpha then '✅' else '❌' end as requires_lower_alpha, case when password_requires_upper_alpha then '✅' else '❌' end as requires_upper_alpha, case when password_requires_numeric then '✅' else '❌' end as requires_numeric, case when password_requires_special then '✅' else '❌' end as requires_special, case when minimum_password_length >= 12 then '✅' else '❌' end as min_length_gte_12from duo_account_settings;
select name, case when password_requires_lower_alpha then '✅' else '❌' end as requires_lower_alpha, case when password_requires_upper_alpha then '✅' else '❌' end as requires_upper_alpha, case when password_requires_numeric then '✅' else '❌' end as requires_numeric, case when password_requires_special then '✅' else '❌' end as requires_special, case when minimum_password_length >= 12 then '✅' else '❌' end as min_length_gte_12from duo_account_settings;
Schema for duo_account_settings
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
caller_id | text | Automated calls will appear to come from this number. This does not apply to text messages. | |
fraud_email | text | The email address to be notified when a user reports a fraudulent authentication attempt or is locked out due to failed authentication attempts. All administrators will be notified if this is not set. | |
fraud_email_enabled | boolean | If true, emailed notifications of user-reported fraudulent authentication attempts and user lockouts due to failed authentication are sent to the email address defined for fraud_email, or to all administrators if fraud_email is not defined. If set to false, no fraud alert emails are sent. | |
helpdesk_bypass | text | Grants permission for administrators with the Help Desk role to generate bypass codes for users. One of allow (default value), limit, or deny. | |
helpdesk_bypass_expiration | bigint | Integer specifying a default expiration for bypass codes generated by Help Desk admins, in minutes. If not set, Help Desk admins may change bypass code expiration from the default 60 minutes after creation if helpdesk_bypass is set to allow. | |
helpdesk_can_send_enroll_email | boolean | Permits Help Desk administrators to send or resend enrollment emails to users. One of true or false (default). | |
helpdesk_message | text | Custom help message shown to end-users in the traditional Duo Prompt and Device Health application. Up to 200 characters; HTML formatting or hyperlinks are not allowed. | |
inactive_user_expiration | bigint | Users will be automatically deleted if they are inactive (no successful logins) for a this amount of days. | |
keypress_confirm | text | The key for users to press to authenticate, or empty if any key should be pressed to authenticate. | |
keypress_fraud | text | The key for users to press to report fraud, or empty if any key should be pressed to authenticate. | |
language | text | The language used in the traditional Duo browser-based user authentication prompt. One of: EN, DE, FR. Default: EN | |
lockout_expire_duration | bigint | If non-zero, an integer indicating the time in minutes until a locked-out user's status reverts to Active. If null or 0, a user remains locked out until their status is manually changed (By an admin or API call). Minimum: 5 minutes. Maximum: 30000 minutes. | |
lockout_threshold | bigint | The number of consecutive failed authentication attempts before the user's status is set to 'Locked Out' and the user is denied access. | |
minimum_password_length | bigint | An integer indicating the minimum number of characters that an administrator's Duo Admin Panel password must contain. This is only enforced on password creation and reset; existing passwords will not be invalidated. Default: 12. | |
name | text | The customer name. | |
password_requires_lower_alpha | boolean | If true, administrator passwords will be required to contain a lower case alphabetic character. If false, administrator passwords will not be required to contain a lower case alphabetic character. This is only enforced on password creation and reset; existing passwords will not be invalidated. Default: false. | |
password_requires_numeric | boolean | If true, administrator passwords will be required to contain a numeric character. If false, administrator passwords will not be required to contain a numeric character. This is only enforced on password creation and reset; existing passwords will not be invalidated. Default: false. | |
password_requires_special | boolean | If true, administrator passwords will be required to contain a special (non-alphanumeric) character. If false, administrator passwords will not be required to contain a special (non-alphanumeric) character. This is only enforced on password creation and reset; existing passwords will not be invalidated. Default: false. | |
password_requires_upper_alpha | boolean | If true, administrator passwords will be required to contain an upper case alphabetic character. If false, administrator passwords will not be required to contain an upper case alphabetic character. This is only enforced on password creation and reset; existing passwords will not be invalidated. Default: false. | |
sms_batch | bigint | An integer that indicates how many passcodes to send at one time, up to 10. | |
sms_expiration | bigint | The time in minutes to expire and invalidate SMS passcodes. | |
sms_message | text | Description sent with every batch of SMS passcodes. | |
sms_refresh | bigint | If 1, a new set of SMS passcodes will automatically be sent after the last one is used. If 0, a new set will not be sent. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
telephony_warning_min | bigint | An integer indicating the number of telephony credits at which an alert will be sent for low credits. | |
timezone | text | This is the timezone used when displaying timestamps in the Duo Admin Panel. | |
user_telephony_cost_max | double precision | An integer indicating the maximum number of telephony credits a user may consume in a single authentication event. This excludes Duo administrators authenticating to the Duo administration panel. Default: 20. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- duo
You can pass the configuration to the command with the --config
argument:
steampipe_export_duo --config '<your_config>' duo_account_settings