Scan reports showing up as "Skipped" in the Compliance server UI #46

Closed
jeremymv2 opened this issue May 18, 2016 · 2 comments

Comments

@jeremymv2
Contributor

commented May 18, 2016

Cookbook version

0.7.1

Chef-client version

12.10.24

Platform Details

Linux node 4.2.0-34-generic #39~14.04.1-Ubuntu SMP Fri Mar 11 11:38:02 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Scenario:

Converging a node with the audit cookbook in the run_list should report the results back to the Compliance server via the Chef server chef_gate. The reports are coming into the Compliance server but show up as "Skipped".

Steps to Reproduce:

Install Compliance 1.2.3.
Install Compliance/Chef server integration (chef_gate)
Add version 0.7.1 of the audit cookbook to a node's run_list with the following attributes:

default['audit']['server'] = nil
default['audit']['token'] = nil
default['audit']['variant'] = 'chef'
default['audit']['owner'] = nil
default['audit']['profiles'] = {
  'base/linux' => true,
  'base/apache' => true,
  'base/postgres' => true,
  'base/ssh' => true,
}

# raise exception if Compliance API endpoint is unreachable
# while fetching profiles or posting report
default['audit']['raise_if_unreachable'] = false

# fail converge if downloaded profile is not present
default['audit']['fail_if_not_present'] = false

# fail converge after posting report if any audits have failed
default['audit']['fail_if_any_audits_failed'] = false

# inspec gem version to install(e.g. '0.22.0') or 'latest'
default['audit']['inspec_version'] = '0.22.0'

Verify the inspec version on the client node:

vagrant@node:~$ sudo /opt/chef/embedded/bin/gem list inspec

*** LOCAL GEMS ***

debug_inspector (0.0.2)
inspec (0.22.0)
vagrant@node:~$ /opt/chef/embedded/bin/inspec version
0.22.0
vagrant@node:~$

Expected Result:

Expect to see the results of the inspec scan on the Reports page of the Compliance UI.

Actual Result:

The scan reports show up as "Skipped"
From the Compliance server logs:

==> /var/log/chef-compliance/core/current <==
2016-05-18_13:27:43.28756 13:27:43.287 ERR => Authentication: %!(EXTRA *errors.errorString=missing Authorization header)
2016-05-18_13:27:43.29689 13:27:43.296 DEB => owner: &shared.Owner{PasswordHash:"", Login:"brewinc", Name:"brewinc", IsOrg:true, Source:sql.NullString{String:"8e842a4c-50ee-44de-7e49-c1651e754ee6", Valid:true}, UUID:uuid.UUID{ID:"718957c7-be56-47c6-42a7-8adf369266a1"}}
2016-05-18_13:27:43.29756 13:27:43.297 ERR => DB error: sql: no rows in result set
2016-05-18_13:27:43.29939 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / linux
2016-05-18_13:27:43.29945 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29949 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/linux
2016-05-18_13:27:43.29954 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / apache
2016-05-18_13:27:43.29955 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29956 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/apache
2016-05-18_13:27:43.29957 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / postgres
2016-05-18_13:27:43.29958 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29960 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/postgres
2016-05-18_13:27:43.29961 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / ssh
2016-05-18_13:27:43.29964 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29967 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/ssh
2016-05-18_13:27:43.29977 13:27:43.299 INF => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] scan result | 0 | 0 | 0 | 0 | 0 | packages | 0 | 0 | 0 | 0 | 0 |
2016-05-18_13:27:43.30847 13:27:43.308 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] db updated
2016-05-18_13:27:43.30859 [GIN] 2016/05/18 - 13:27:43 | 201 |   21.103202ms | 192.168.33.101 |   POST    /chef/organizations/brewinc/inspec

==> /var/log/chef-compliance/nginx/compliance.access.log <==
192.168.33.101 - - [18/May/2016:13:27:43 +0000] "POST /api/chef/organizations/brewinc/inspec HTTP/1.0" 201 46 "-" "Chef Client/12.10.24 (ruby-2.1.8-p440; ohai-8.15.1; x86_64-linux; +https://chef.io)"

From the chef client node running the converge and inspec scan:

...
rspec  # SSH Configuration HostbasedAuthentication should eq "no"
rspec  # SSH Configuration RhostsRSAAuthentication should eq "no"
rspec  # SSH Configuration RSAAuthentication should eq "yes"
rspec  # SSH Configuration PasswordAuthentication should eq "no"
rspec  # SSH Configuration Tunnel should eq "no"
rspec  # SSH Configuration PermitLocalCommand should eq "no"
rspec  # File /etc/ssh should not be readable by others


    - execute compliance profile
    * chef_gem[inspec] action install (up to date)
    * file[/var/chef/cache/compliance/base_ssh_report.json] action create[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] backed up to /var/chef/backup/var/chef/cache/compliance/base_ssh_report.json.chef-20160518135835.672152
[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] removed backup at /var/chef/backup/var/chef/cache/compliance/base_ssh_report.json.chef-20160518132021.138557
[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] updated file contents /var/chef/cache/compliance/base_ssh_report.json

      - update content in file /var/chef/cache/compliance/base_ssh_report.json from e8399a to 133cd2
      - suppressed sensitive resource

  * compliance_report[chef-server] action execute
    - report compliance profiles' results
[2016-05-18T13:58:35+00:00] INFO: Chef Run complete in 3.00964474 seconds

Running handlers:
[2016-05-18T13:58:35+00:00] INFO: Running report handlers
Running handlers complete
[2016-05-18T13:58:35+00:00] INFO: Report handlers complete
Chef Client finished, 13/37 resources updated in 04 seconds
root@node:~#
@alexpop

Contributor

commented May 18, 2016

Jeremy, thanks for the report.
We've fixed it in audit and inspec. Please test it with the latest publicly available versions:

  • audit cookbook 0.8.0
  • inspec 0.22.1

@alexpop alexpop added the bug label May 18, 2016

@alexpop

Contributor

commented May 18, 2016

Tested this with Joe Gardener and it looks like it works for him as well. Closing as fixed.

@alexpop alexpop closed this May 18, 2016
