
Audit doesn't run when CCR fails #289

Closed
drrk opened this Issue Oct 16, 2017 · 5 comments

drrk (Contributor) commented Oct 16, 2017

Cookbook version

5.0.3

Chef-client version

13.5.3

Platform Details

ubuntu-16.04 (as test system)

Scenario:

Run audits when CCR fails

Steps to Reproduce:

Have a failing CCR with audit cookbook default recipe included

Expected Result:

Audit still runs

Actual Result:

Audit doesn't run

I have created a PR to resolve this, but I guess a discussion is needed to decide if it is actually wanted. The workaround is to manually add the exception handler in your wrapper cookbook after the include of the audit cookbook default recipe like so:

include_recipe 'audit'
Chef::Config.send('exception_handlers') << Chef::Handler::AuditReport.new

trickyearlobe commented Oct 16, 2017

Running audit on success or failure of a CCR feels like the right thing to do so long as we've managed to populate the list of profiles to run. After all, we want to know the security posture of ALL the nodes, not just the ones that have successfully converged. It could be made optional by addition of an attribute to turn if on/off (with default being on)

chris-rock (Collaborator) commented Dec 1, 2017

@drrk @trickyearlobe @thommay As far as I can see, this is a feature we need to introduce in chef-client to support running the auditreporter in any case. Not sure if we can tackle this from cookbook perspective.

trickyearlobe commented Dec 1, 2017

Not sure what you mean... maybe the description's not that clear.
Chef client has the necessary bits already... (exception_handlers, report_handlers)

All we're proposing is that the audit cookbook should add a handler for both of them (the same handler in fact)

@drrk already submitted a PR #290 for it. We just need to decide if that's the behaviour we want, or if we want to make it optional or something.
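The behaviour being discussed above (the default recipe registering only a report handler, the wrapper-cookbook workaround in the issue description, and the optional on/off attribute suggested earlier) can be seen in a small simulation. The following is an added example, not code from the audit cookbook or from PR #290: it models Chef's report-handler/exception-handler dispatch with stand-in classes (`FakeHandler`, `RunStatus`, `run_chef_client` and the `audit_on_failure` flag are assumptions made for the example, not the chef gem's API) so it runs offline. The point it shows is that a handler sitting only in `report_handlers` never fires on a failed converge, and that putting the same handler object in both lists runs it exactly once in either case.

```ruby
# Added example: a minimal stand-in for Chef's handler dispatch. Names below
# are assumptions modelled on Chef::Handler / Chef::Config, not the real gem.

# Stand-in for Chef::Handler: subclasses implement #report and read run_status.
class FakeHandler
  attr_reader :run_status

  # Chef calls this for each registered handler and never lets a handler
  # exception abort the client; we mirror that here.
  def run_report_safely(run_status)
    @run_status = run_status
    report
  rescue => e
    warn "handler #{self.class} raised: #{e.message}"
  end
end

# Stand-in for Chef::RunStatus: success flag plus the converge exception, if any.
RunStatus = Struct.new(:success, :exception) do
  def success?
    success
  end
end

# The audit handler: records which kind of run it was invoked for. In the real
# cookbook this is where profiles would be executed and results reported.
class AuditReport < FakeHandler
  attr_reader :invocations

  def initialize
    @invocations = []
  end

  def report
    @invocations << (run_status.success? ? :success : :failure)
  end
end

# Mimics Chef::Client: report_handlers run after a successful converge,
# exception_handlers run only when the converge raised.
def run_chef_client(config, converge)
  status = RunStatus.new(true, nil)
  begin
    converge.call
  rescue => e
    status = RunStatus.new(false, e)
    config[:exception_handlers].each { |h| h.run_report_safely(status) }
    return status
  end
  config[:report_handlers].each { |h| h.run_report_safely(status) }
  status
end

# Builds a fresh handler configuration, runs one CCR and returns the list of
# audit invocations. audit_on_failure: false models today's default recipe
# (report handler only); true models the wrapper workaround / #290, where the
# same handler object is also appended to exception_handlers.
def run_with_audit(ccr_fails:, audit_on_failure:)
  config = { report_handlers: [], exception_handlers: [] }
  handler = AuditReport.new
  config[:report_handlers] << handler
  config[:exception_handlers] << handler if audit_on_failure

  # Constructed converge stand-ins: one succeeds, one raises like a failed resource.
  converge = ccr_fails ? -> { raise 'resource failed' } : -> {}
  run_chef_client(config, converge)
  handler.invocations
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |on_failure|
    [false, true].each do |fails|
      puts "audit_on_failure=#{on_failure} ccr_fails=#{fails} -> " \
           "#{run_with_audit(ccr_fails: fails, audit_on_failure: on_failure).inspect}"
    end
  end
end
```

Registering the same object in both lists does not cause a double run on success, because Chef only walks one of the two lists per run; that is why the "same handler in fact" approach needs no extra de-duplication logic.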

chris-rock (Collaborator) commented Dec 1, 2017

Oh, thank you @trickyearlobe I missed that :-)

chris-rock (Collaborator) commented Dec 1, 2017

@trickyearlobe I think the proposed solution in #290 is okay for now. The real solution would be that we have a real audit handler, that works in both cases. This would also allow us to ensure the audit run is always executed at the end. @thommay is there something planned for the next major release of Chef?
