chef-boneyard / audit
Audit Cookbook for Chef Compliance
Home Page: https://supermarket.chef.io/cookbooks/audit
License: Apache License 2.0
Since cookbooks have the test/integration directory already, it would be great if we could use an audit resource to trigger the inspec tests via a Chef run. The resource name could be
inspec do
dir 'test/integration/...'
end
node[:audit][:profiles] = [ 'base/ssh', 'base/linux', 'admin/cis-level-1' ]
This should cause the default recipe to run these profiles, and report against the chef server that it is currently using.
Later on, we may change this to compliance://base/ssh, to also support other inspec targets.
Instead of requiring Chef to install the InSpec gem, we vendor the gem into the cookbook. This allows users to update easier.
1.0.0
2.0.0
n/a
n/a
https://github.com/chef-cookbooks/audit#upload-cookbook-to-chef-server
If you want to upload the cookbook from git, use the following commands:
mkdir chef-cookbooks
cd chef-cookbooks
git clone https://github.com/chef-cookbooks/audit
cd ..
knife cookbook upload audit -o ./chef-cookbooks
Follow the exact commands above verbatim.
audit cookbook uploaded
$ knife cookbook upload audit -o ./chef-cookbooks
Uploading audit [2.0.0]
ERROR: Cookbook audit depends on cookbooks which are not currently
ERROR: being uploaded and cannot be found on the server.
ERROR: The missing cookbook(s) are: 'compat_resource' version '>= 0.0.0', 'chef_handler' version '>= 0.0.0'
$
Since there are dependency cookbooks now (compat_resource, chef_handler), we need to use berks to help.
$ berks vendor -e integration
Resolving cookbook dependencies...
Fetching 'audit' from source at .
Using audit (2.0.0) from source at .
Using compat_resource (12.16.1)
Using chef_handler (2.0.0)
Vendoring audit (2.0.0) to /Users/jmiller/Devel/ChefProject/audit/berks-cookbooks/audit
Vendoring chef_handler (2.0.0) to /Users/jmiller/Devel/ChefProject/audit/berks-cookbooks/chef_handler
Vendoring compat_resource (12.16.1) to /Users/jmiller/Devel/ChefProject/audit/berks-cookbooks/compat_resource
$ knife cookbook upload -a -o berks-cookbooks
Uploading audit [2.0.0]
Uploading chef_handler [2.0.0]
Uploading compat_resource [12.16.1]
Uploaded all cookbooks.
$
0.14.4
Windows Server 2k12 r2
This error looks to be related to winrm v1/v2 issues that were fixed in inspec 0.33.0. Bumping the inspec version in a wrapper cookbook fixes the issue. I'll make a PR to bump the version.
0.14.1
12.13.37
RHEL 7.2 on AWS
When you run the audit cookbook for a profile that does not exist, the chef_gate log will say Authentication failed. Please check your system's clock.
This is misleading because the problem is a missing profile, not any authentication or problem with the clock.
Run the audit cookbook for a profile that doesn't exist, then look at your chef_gate current log.
If an error is because of a missing profile, the error message should state that the profile is missing.
chef_gate current log will say Authentication failed. Please check your system's clock.
We still can't run the audit cookbook in production because it reports resources that are converged, which causes us to lose the ability to know when our run is entirely idempotent.
Run the audit cookbook configured to run against profiles
At the end of an audit cookbook run, 0 resources should report as failed
resources report as converged
The audit cookbook is implemented incorrectly. Resources in chef are there to configure the machine, not report on that machine. This is a fundamental misuse of the chef model.
Instead a report handler should be used to both download and report on the chef run. The recipe can ensure that inspec is properly installed and that the handler is used.
I am happy to create a PR for this if you think it's the right direction for the cookbook. It is a fundamental departure from what is there now.
Version 2.0 of the cookbook still requires .inspec/compliance/config.json. We should just keep the information in-memory and just use node attributes.
2.0.0
Previously we used the runner and generated a json file: https://github.com/chef-cookbooks/audit/blob/v1.1.0/resources/profile.rb#L121-L135
require 'inspec'

# Quiet mode sends InSpec's own console output to /dev/null; the report itself stays in memory.
output = quiet ? ::File::NULL : $stdout
runner = ::Inspec::Runner.new('report' => true, 'format' => formatter, 'output' => output)
runner.add_target(profile_path) # the fetched profile (path or URL); this step is elided in the linked excerpt
runner.run
report = runner.report.to_json
This helps us to remove https://github.com/chef-cookbooks/audit/blob/master/files/default/audit_report.rb#L86-L87 and https://github.com/chef-cookbooks/audit/blob/master/libraries/helper.rb#L74-L80. For users who require a local json report, we should implement #126
0.5.0
12.9.38-1
Windows 7 Enterprise
Trying to run audit cookbook on node.
Execute a remote chef-client call using knife windows winrm that has the audit cookbook in the node's runlist
INFO: Processing compliance_profile[windows] action fetch (audit::default line 28)
WARN: Using inspec version: (0.19.3)
INFO: Fetch compliance profile base/windows
INFO: Processing directory[c:/chef/cache/compliance] action create (c:/chef/cache/cookbooks/audit/libraries/profile.rb line 40)
INFO: Processing directory[c:/chef/cache/compliance] action create (c:/chef/cache/cookbooks/audit/libraries/profile.rb line 40)
INFO: Processing compliance_profile[windows] action execute (audit::default line 28)
WARN: Using inspec version: (0.19.3)
INFO: Execute compliance profile base/windows
https://gist.github.com/chef09210/c8b116b747e340e5ba6afbe81d4adb62
================================================================================
Error executing action `fetch` on resource 'compliance_profile[windows]'
================================================================================
NoMethodError
-------------
undefined method `path' for nil:NilClass
Cookbook Trace:
---------------
c:/chef/cache/cookbooks/audit/libraries/profile.rb:71:in `block (2 levels) in <class:ComplianceProfile>'
c:/chef/cache/cookbooks/audit/libraries/profile.rb:35:in `block in <class:ComplianceProfile>'
Resource Declaration:
---------------------
# In c:/chef/cache/cookbooks/audit/recipes/default.rb
28: compliance_profile p do
29: owner o
30: server server
31: token token
32: inspec_version node['audit']['inspec_version']
33: action [:fetch, :execute]
34: end
35: end
Compiled Resource:
------------------
# Declared in c:/chef/cache/cookbooks/audit/recipes/default.rb:28:in `block in from_file'
compliance_profile("windows") do
action [:fetch, :execute]
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :compliance_profile
cookbook_name "audit"
recipe_name "default"
owner "base"
inspec_version "latest"
profile "windows"
end
Platform:
---------
x64-mingw32
https://gist.github.com/chef09210/77b1e9d23118bf06864b3bbb8a88eb50
1.0.0
The current version of the audit cookbook is duplicating the following inspec features:
0.6.0
12.9.38-1
Windows 7 Enterprise
When a Windows node initiates a chef-client run with the audit cookbook, certain information is sent back to Chef Compliance such as hostname/IP and WinRM account. However the hostname/IP field is not filled in and WinRM account name is listed as Administrator even though node is a domain account with a domain administrative account. This prevents reconnection to the node until this information is entered in manually.
Run the audit cookbook for the first time on a Win7 client. View the node information result in Chef Compliance after the chef-client run is complete.
Hostname/IP of machine and account used to run chef-client command remotely through winrm should be sent back to Chef Compliance and listed in the node details on Chef Compliance page.
Hostname/IP field is empty and account is listed as generic Administrator
In #2 we introduced the use of node attributes: node['audit']['profiles'].each. This crashes if audit is not defined. We should fix that https://github.com/chef/audit-cookbook/pull/2/files#diff-55bf87238c9b8af164c5133a60721f12R20
0.12
12.8.1
Windows 2012 R2
When I run chef-client it always reports that a resource was converged, even when node['audit']['quiet'] = true.
Set node['audit']['interval']['enabled'] = true
Run chef-client twice
0 resources converge
1 resource converges (the compliance report)
Recipe: audit::default
* directory[D:/chef/cache/compliance] action create (up to date)
* file[D:/chef/cache/compliance/windows] action nothing (skipped due to action :nothing)
* compliance_profile[windows] action fetch (skipped due to only_if)
* compliance_profile[windows] action execute (skipped due to only_if)
* compliance_report[chef-server] action execute
- report compliance profiles' results
Running handlers:
Running handlers complete
Chef Client finished, 1/84 resources updated in 01 minutes 03 seconds
The compliance_report resource in this case is reporting a converge.
0.8.0
12.9.41
all
Execute scans and report on profiles hosted from Supermarket, Github and local filesystem paths.
This could prove beneficial where direct access to the Compliance server from all scanned nodes is not desirable. Also other sources would provide more highly available hosting options.
N/A
Given paths to Profiles hosted on Supermarket, Github and local filesystem, I expect the audit cookbook to execute scans and report on results.
Since the audit cookbook does not do any converge, it should not report to chef as a changed converge.
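Several reports on this page concern how profiles are declared: the compliance://owner/name form mentioned near the top, the node['audit']['profiles'].each crash when the attribute is never set, and the request here for Supermarket, GitHub and local-path sources. The Ruby below is an added example, not code from the audit cookbook, that normalises those declarations into InSpec targets and rejects malformed or plaintext-http ones before anything is fetched. compliance:// and supermarket:// are InSpec's own target schemes; mapping a github key to an https://github.com URL and the path and url keys are assumptions made for this example.

```ruby
require 'uri'

# Added example, not the audit cookbook's code: turn the profile declarations seen on this
# page into InSpec fetch targets and reject malformed or insecure ones before anything is
# downloaded.  compliance:// and supermarket:// are InSpec's own target schemes; mapping a
# 'github' key to an https://github.com URL and the 'path' / 'url' keys are assumptions.
module AuditProfiles
  SOURCE_KEYS = %w[compliance supermarket github path url].freeze
  OWNER_NAME  = %r{\A[\w.-]+/[\w.-]+\z}

  # Accepts every shape that appears in this tracker:
  #   nil (attribute never set)                      -> []   rather than NoMethodError on nil
  #   ['base/ssh', 'base/linux']                     -> compliance profiles (0.x array form)
  #   { 'base/ssh' => true, 'base/linux' => false }  -> the enabled ones (0.x hash form)
  #   [{ 'name' => 'ssh-hardening', 'supermarket' => 'hardening/ssh-hardening' }]  (2.0 form)
  def self.normalize(profiles)
    case profiles
    when nil   then []
    when Hash  then profiles.select { |_, enabled| enabled }.keys.map { |p| normalize_one(p) }
    when Array then profiles.map { |p| normalize_one(p) }
    else raise ArgumentError, "unsupported profiles value: #{profiles.inspect}"
    end
  end

  # One entry -> { name:, source:, target: }.  Exactly one source key is allowed so an
  # entry can never silently resolve to two different places.
  def self.normalize_one(spec)
    spec = { 'compliance' => spec } if spec.is_a?(String)
    raise ArgumentError, "profile entry must be a Hash or String: #{spec.inspect}" unless spec.is_a?(Hash)

    sources = SOURCE_KEYS & spec.keys
    raise ArgumentError, "profile #{spec.inspect} needs exactly one of #{SOURCE_KEYS.join(', ')}" unless sources.size == 1

    key = sources.first
    ref = spec[key].to_s
    raise ArgumentError, "empty #{key} reference in #{spec.inspect}" if ref.empty?

    target =
      case key
      when 'compliance', 'supermarket'
        raise ArgumentError, "#{key} reference must be owner/name: #{ref}" unless ref =~ OWNER_NAME
        "#{key}://#{ref}"
      when 'github' # assumed mapping: owner/repo -> https clone URL
        raise ArgumentError, "github reference must be owner/repo: #{ref}" unless ref =~ OWNER_NAME
        "https://github.com/#{ref}"
      when 'path'   # local profile directory or archive on the node
        raise ArgumentError, "path must be absolute: #{ref}" unless ref.start_with?('/')
        ref
      when 'url'    # remote archive; insist on TLS so the profile cannot be swapped in transit
        uri = URI.parse(ref)
        raise ArgumentError, "url must be https: #{ref}" unless uri.is_a?(URI::HTTPS) && uri.host
        ref
      end

    { name: spec['name'] || ref.split('/').last.sub(/\.(tgz|tar\.gz|zip)\z/, ''),
      source: key,
      target: target }
  end
end
```

A wrapper recipe would call AuditProfiles.normalize(node['audit']['profiles']) once at compile time and hand each :target to the fetch step. Because exactly one source key is permitted and url targets must be https, a typo in an attribute fails the run loudly instead of silently fetching from the wrong place.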
0.14.4
Chef: 12.14.89
Ubuntu 14.04
Setting the interval attributes doesn't work. The compliance profiles are never executed.
I use a wrapper cookbook to set the following attributes. I'm setting the interval to 1 minute for troubleshooting purposes.
default['audit']['profiles']['base/linux'] = true
default['audit']['profiles']['base/ssh'] = true
default['audit']['interval']['enabled'] = true
default['audit']['interval']['time'] = 1
The compliance_profile should fetch AND execute properly according to the interval.
Run chef-client -l debug and notice that the compliance profiles are fetched but they are not executed at all. (skipped due to only_if)
The file that is used to calculate if the interval has passed is being touched by the compliance_profile's notifies property.
The problem is the compliance_profile has both the :fetch AND :execute action. The :fetch action works and touches the interval file immediately so when the :execute action runs the only_if guard is rechecked and sees (incorrectly) that the interval has not passed.
I tested changing the notifies to a :delayed instead of :immediately and it fixed this for me. The compliance_profile fetched AND executed properly according to the interval.
Putting the following in my audit wrapper cookbook's default.rb recipe worked for me. It creates :delayed notifications and deletes the :immediate notifications.
include_recipe 'audit'

# Re-register each immediate :touch sent by a compliance_profile as a delayed one, then drop the
# immediate copy, so the interval marker is only touched after the :execute action has run.
profile_touch = lambda { |name, notifications| name =~ /\Acompliance_profile\[[^\]]+\]\z/ && notifications.first.action == :touch }
run_context.immediate_notification_collection.each do |name, notifications|
  next unless profile_touch.call(name, notifications)
  resources(name).notifies :touch, notifications.first.resource, :delayed
end
run_context.immediate_notification_collection.delete_if { |name, notifications| profile_touch.call(name, notifications) }
As reported by Jeff Mathe
0.14.1
A user selects multiple profiles via the audit cookbook. All profiles are downloaded and executed and reported in one report.
All executed profiles are part of the report.
I run multiple profiles via InSpec, but only one profile is reported to Chef Compliance / Chef Visibility. The current audit cookbook has a timing issue, where reports are not properly aggregated.
The basic reporting should be implemented as plain ruby InSpec plugin instead of using chef dsl. This would simplify the audit cookbook and allows us to focus the audit cookbook to be the glue between Chef + InSpec
1.0
2.0.0
12.15.19
ubuntu 14.04
version 2.0.0 uses chef-handler in an attempt to not report resources being updated, however each subsequent chef-client converge is reporting resources updated.
use wrapper cookbook with these attributes:
default['audit']['inspec_version'] = '1.2.0'
# collector possible values: chef-server, chef-compliance, chef-visibility, json-file
# chef-visibility requires inspec version 0.27.1 or above
default['audit']['collector'] = 'chef-server'
# Attributes server, insecure and token/refresh_token are only needed for the 'chef-compliance' collector
# server format example: 'https://comp-server.example.com/api'
default['audit']['server'] = nil
# choose between the permanent refresh_token or ephemeral token(access_token). Needed only for the 'chef-compliance' collector
default['audit']['refresh_token'] = nil
# the token(access_token) expires in 12h after creation
default['audit']['token'] = nil
# set this insecure attribute to true if the compliance server / chef server uses self-signed ssl certificates
default['audit']['insecure'] = nil
# Chef Compliance organization to post the report to. Defaults to Chef Server org if not defined
# needed for the 'chef-compliance' collector, optional for 'chef-server' collector
default['audit']['owner'] = nil
# raise exception if Compliance API endpoint is unreachable
# while fetching profiles or posting report
default['audit']['raise_if_unreachable'] = true
# fail converge if downloaded profile is not present
default['audit']['fail_if_not_present'] = false
# by default run audit every time
default['audit']['interval']['enabled'] = false
# by default run compliance once a day
default['audit']['interval']['time'] = 1440
# quiet mode, on by default because this is testing, resources aren't converged in the normal chef sense
default['audit']['quiet'] = true
# overwrite existing profile in upload mode
default['audit']['overwrite'] = true
# use json format since this is for reporting
default['audit']['format'] = 'json'
# profiles to run (the cookbook's own default for this attribute is an empty array)
default['audit']['profiles'] = [{
'name' => 'linux',
'compliance' => 'base/linux'
}]
Chef-client runs should report 0/x resources updated at the end of the report handlers phase.
I'm seeing 2 resources updated on each chef-client converge.
root@node:/tmp/vagrant-chef# chef-client -c client.rb
[2016-11-01T19:32:37+00:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.15.19
[2016-11-01T19:32:37+00:00] INFO: *** Chef 12.15.19 ***
[2016-11-01T19:32:37+00:00] INFO: Platform: x86_64-linux
[2016-11-01T19:32:37+00:00] INFO: Chef-client pid: 4712
[2016-11-01T19:32:39+00:00] INFO: Run List is [recipe[audit_wrapper]]
[2016-11-01T19:32:39+00:00] INFO: Run List expands to [audit_wrapper]
[2016-11-01T19:32:39+00:00] INFO: Starting Chef Run for node
[2016-11-01T19:32:39+00:00] INFO: Running start handlers
[2016-11-01T19:32:39+00:00] INFO: Start handlers complete.
[2016-11-01T19:32:39+00:00] INFO: HTTP Request Returned 404 Not Found:
resolving cookbooks for run list: ["audit_wrapper"]
[2016-11-01T19:32:39+00:00] INFO: Loading cookbooks [audit_wrapper@0.1.0, audit@2.0.0, compat_resource@12.16.1, chef_handler@2.0.0]
Synchronizing Cookbooks:
- audit_wrapper (0.1.0)
- audit (2.0.0)
- compat_resource (12.16.1)
- chef_handler (2.0.0)
Installing Cookbook Gems:
Compiling Cookbooks...
[2016-11-01T19:32:39+00:00] INFO: Chef Handlers will be located at: /var/chef/handlers
Recipe: chef_handler::default
* remote_directory[/var/chef/handlers] action create
Recipe: <Dynamically Defined Resource>
* cookbook_file[/var/chef/handlers/README] action create (up to date)
(up to date)
Converging 5 resources
Recipe: chef_handler::default
* remote_directory[/var/chef/handlers] action nothing (skipped due to action :nothing)
Recipe: audit::default
* inspec[inspec] action install
* chef_gem[inspec] action install (up to date)
- install/update inspec[2016-11-01T19:32:39+00:00] WARN: Using inspec version: (1.2.0)
- verifies the inspec version
* chef_gem[inspec] action install (up to date)
* directory[/var/chef/cache/handler] action create (up to date)
* cookbook_file[/var/chef/cache/handler/audit_report.rb] action create (up to date)
* chef_handler[Chef::Handler::AuditReport] action enable[2016-11-01T19:32:39+00:00] INFO: Disabling Chef::Handler::AuditReport as a report handler.
- disable Chef::Handler::AuditReport as a report handler[2016-11-01T19:32:39+00:00] INFO: Disabling Chef::Handler::AuditReport as a exception handler.
- disable Chef::Handler::AuditReport as a exception handler
- load Chef::Handler::AuditReport from /var/chef/cache/handler/audit_report.rb[2016-11-01T19:32:39+00:00] INFO: Enabling Chef::Handler::AuditReport as a report handler.
- enable chef_handler[Chef::Handler::AuditReport] as a report handler[2016-11-01T19:32:39+00:00] INFO: Enabling Chef::Handler::AuditReport as a exception handler.
- enable chef_handler[Chef::Handler::AuditReport] as a exception handler
[2016-11-01T19:32:39+00:00] INFO: Chef Run complete in 0.674548823 seconds
Running handlers:
[2016-11-01T19:32:39+00:00] INFO: Running report handlers
[2016-11-01T19:32:39+00:00] WARN: Format is json-min
[2016-11-01T19:32:39+00:00] INFO: Initialize InSpec
[2016-11-01T19:32:39+00:00] INFO: Running tests from: [{:name=>"linux", :compliance=>"base/linux"}]
[2016-11-01T19:32:40+00:00] INFO: Reporting to chef-server
[2016-11-01T19:32:40+00:00] INFO: Control Profile: ["linux"]
[2016-11-01T19:32:40+00:00] INFO: Control Profil: linux
[2016-11-01T19:32:40+00:00] INFO: Compliance Profils: [{:owner=>"base", :profile_id=>"linux"}]
[2016-11-01T19:32:40+00:00] INFO: Report to Chef Server: https://chef-server.test/compliance/organizations/brewinc/inspec
- Chef::Handler::AuditReport
Running handlers complete
[2016-11-01T19:32:40+00:00] INFO: Report handlers complete
Chef Client finished, 2/9 resources updated in 02 seconds
root@node:/tmp/vagrant-chef#
We should allow direct reporting to Chef Compliance:
compliance_report 'chef-compliance' do
type 'compliance'
url 'http://mycompliance endpoint'
end
#122 re-added support for compliance profile upload. This PR has not covered the unit tests and we should add and enable them for the 2.0 release.
master
12.14.89
CentOS 6.6, kitchen vagrant
InSpec 1.2.0
Trying to converge using collector: 'chef-compliance'
Point Berkshelf to master:
cookbook 'audit', github: 'chef-cookbooks/audit'
Successful converge
Failed converge
Recipe: audit::default
* audit_token[Compliance Token] action create[2016-10-14T09:50:54+00:00] INFO: Processing audit_token[Compliance Token] action create (audit::default line 30)
[2016-10-14T09:50:54+00:00] INFO: Using refresh_token to exchange for an access token.
- compliance server auth token setup
* directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:54+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (audit::default line 48)
[2016-10-14T09:50:54+00:00] INFO: directory[/tmp/kitchen/cache/compliance] created directory /tmp/kitchen/cache/compliance
- create new directory /tmp/kitchen/cache/compliance
- restore selinux security context
* file[/tmp/kitchen/cache/compliance/ssh] action nothing[2016-10-14T09:50:54+00:00] INFO: Processing file[/tmp/kitchen/cache/compliance/ssh] action nothing (audit::default line 66)
(skipped due to action :nothing)
* audit_profile[ssh] action fetch[2016-10-14T09:50:54+00:00] INFO: Processing audit_profile[ssh] action fetch (audit::default line 71)
- load required inspec modules
* directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:54+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 41)
(up to date)
- create cache directory[2016-10-14T09:50:54+00:00] INFO: Fetch compliance profile base/ssh
[2016-10-14T09:50:54+00:00] INFO: Load profile from: https://ap-cc6.opschef.tv/api/owners/base/compliance/ssh/tar
- fetch compliance profile
* directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:54+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 41)
(up to date)
[2016-10-14T09:50:54+00:00] INFO: audit_profile[ssh] sending touch action to file[/tmp/kitchen/cache/compliance/ssh] (immediate)
* file[/tmp/kitchen/cache/compliance/ssh] action touch[2016-10-14T09:50:54+00:00] INFO: Processing file[/tmp/kitchen/cache/compliance/ssh] action touch (audit::default line 66)
[2016-10-14T09:50:54+00:00] INFO: file[/tmp/kitchen/cache/compliance/ssh] created file /tmp/kitchen/cache/compliance/ssh
- create new file /tmp/kitchen/cache/compliance/ssh
- restore selinux security context[2016-10-14T09:50:54+00:00] INFO: file[/tmp/kitchen/cache/compliance/ssh] updated atime and mtime to 2016-10-14 09:50:54 +0000
- update utime on file /tmp/kitchen/cache/compliance/ssh
* audit_profile[ssh] action execute[2016-10-14T09:50:54+00:00] INFO: Processing audit_profile[ssh] action execute (audit::default line 71)
- load required inspec modules
* directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:54+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 103)
(up to date)
- create/verify cache directory[2016-10-14T09:50:54+00:00] INFO: Executing: /tmp/kitchen/cache/compliance/base_ssh.tgz
- execute compliance profile
* directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:55+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 103)
(up to date)
* file[/tmp/kitchen/cache/compliance/base_ssh_report.json] action create[2016-10-14T09:50:55+00:00] INFO: Processing file[/tmp/kitchen/cache/compliance/base_ssh_report.json] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 131)
[2016-10-14T09:50:55+00:00] INFO: file[/tmp/kitchen/cache/compliance/base_ssh_report.json] created file /tmp/kitchen/cache/compliance/base_ssh_report.json
- create new file /tmp/kitchen/cache/compliance/base_ssh_report.json[2016-10-14T09:50:55+00:00] INFO: file[/tmp/kitchen/cache/compliance/base_ssh_report.json] updated file contents /tmp/kitchen/cache/compliance/base_ssh_report.json
- update content in file /tmp/kitchen/cache/compliance/base_ssh_report.json from none to 4fa098
- suppressed sensitive resource
- restore selinux security context
[2016-10-14T09:50:55+00:00] INFO: audit_profile[ssh] sending touch action to file[/tmp/kitchen/cache/compliance/ssh] (immediate)
* file[/tmp/kitchen/cache/compliance/ssh] action touch[2016-10-14T09:50:55+00:00] INFO: Processing file[/tmp/kitchen/cache/compliance/ssh] action touch (audit::default line 66)
[2016-10-14T09:50:55+00:00] INFO: file[/tmp/kitchen/cache/compliance/ssh] updated atime and mtime to 2016-10-14 09:50:55 +0000
- update utime on file /tmp/kitchen/cache/compliance/ssh
* audit_report[chef-compliance] action execute[2016-10-14T09:50:55+00:00] INFO: Processing audit_report[chef-compliance] action execute (audit::default line 84)
================================================================================
Error executing action `execute` on resource 'audit_report[chef-compliance]'
================================================================================
NameError
---------
uninitialized constant Custom resource audit_report from cookbook audit::ComplianceProfile
Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/audit/resources/report.rb:93:in `block in profiles'
/tmp/kitchen/cache/cookbooks/audit/resources/report.rb:92:in `profiles'
/tmp/kitchen/cache/cookbooks/audit/resources/report.rb:24:in `block (2 levels) in class_from_file'
/tmp/kitchen/cache/cookbooks/audit/resources/report.rb:23:in `block in class_from_file'
Resource Declaration:
---------------------
# In /tmp/kitchen/cache/cookbooks/audit/recipes/default.rb
84: compliance_report report_collector do
85: owner node['audit']['owner']
86: server server
87: collector report_collector
88: quiet node['audit']['quiet'] unless node['audit']['quiet'].nil?
89: action :execute
90: end if node['audit']['profiles'].values.any?
Compiled Resource:
------------------
# Declared in /tmp/kitchen/cache/cookbooks/audit/recipes/default.rb:84:in `from_file'
audit_report("chef-compliance") do
action [:execute]
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :compliance_report
cookbook_name "audit"
recipe_name "default"
owner "admin"
server "https://ap-cc6.opschef.tv/api/"
collector "chef-compliance"
quiet true
end
Platform:
---------
x86_64-linux
[2016-10-14T09:50:55+00:00] INFO: Running queued delayed notifications before re-raising exception
Running handlers:
[2016-10-14T09:50:55+00:00] ERROR: Running exception handlers
Running handlers complete
[2016-10-14T09:50:55+00:00] ERROR: Exception handlers complete
Chef Client failed. 9 resources updated in 11 seconds
[2016-10-14T09:50:55+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2016-10-14T09:50:55+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-10-14T09:50:55+00:00] ERROR: audit_report[chef-compliance] (audit::default line 84) had an error: NameError: uninitialized constant Custom resource audit_report from cookbook audit::ComplianceProfile
[2016-10-14T09:50:55+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
0.14.0
I want to use the audit cookbook in my wrapper cookbook.
include_recipe 'audit::default'
node.default['audit']['collector'] = 'chef-visibility'
InSpec reports are shipped to Chef Visibility.
The audit cookbook tries to report to Chef Server. The problem is the Chef attribute system. A solution is to set the attribute before the recipe is included:
node.default['audit']['collector'] = 'chef-visibility'
include_recipe 'audit::default'
We should enable the audit cookbook to write json reports into a specific directory. By default the naming of a report should use the pattern {profilename}-{timestamp}.json
2.0.0
n/a
n/a
https://github.com/chef-cookbooks/audit/blob/master/attributes/default.rb#L19
and
https://github.com/chef-cookbooks/audit/blob/master/attributes/default.rb#L68
are redundant/identical
latest
< 12.5.1
all
Run the audit cookbook in chef-client < 12.5.1
Run the audit cookbook as part of a converge run.
audit cookbook works fine, even with older versions of the Chef Client
use_automatic_resource_name is not supported
2.0
Customers use the latest version of Automate that allows users to send reports to Visibility Data Collector API via Chef Server. This increases security, since all requests are signed now. The audit cookbook should support that scenario
As discussed with @alexpop, there are two different endpoints that are being used based on the setup. We have the following flows:
1) /data-collector/ -> chef-automate authenticates using dc_token from client
2) /organizations/ORG/data-collector -> chef-automate authenticates using dc_token added by chef-server after verifying the client
The first flow is already implemented. We need to add support for the second flow.
/data-collector/ requires dc_token
/organizations/([^/]+)/data-collector requires chef signed headers
I configured my Chef Server and Chef Compliance instances for integration. When I attempt to run an audit cookbook this is the error message I am getting:
================================================================================
Error executing action `fetch` on resource 'compliance_profile[linux]'
================================================================================
Net::HTTPServerException
------------------------
403 "Forbidden"
Cookbook Trace:
---------------
/var/chef/cache/cookbooks/audit/libraries/server_api.rb:23:in `binmode_streaming_request'
/var/chef/cache/cookbooks/audit/libraries/profile.rb:55:in `block (2 levels) in <class:ComplianceProfile>'
/var/chef/cache/cookbooks/audit/libraries/profile.rb:46:in `block in <class:ComplianceProfile>'
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/audit/recipes/default.rb
25: compliance_profile p do
26: owner o
27: action [:fetch, :execute]
28: end
29: end
Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/audit/recipes/default.rb:25:in `block in from_file'
compliance_profile("linux") do
action [:fetch, :execute]
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :compliance_profile
cookbook_name "audit"
recipe_name "default"
owner "base"
profile "linux"
end
Running handlers:
[2016-04-08T16:13:15-07:00] ERROR: Running exception handlers
Running handlers complete
[2016-04-08T16:13:15-07:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 05 seconds
[2016-04-08T16:13:15-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2016-04-08T16:13:15-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-04-08T16:13:15-07:00] ERROR: compliance_profile[linux] (audit::default line 25) had an error: Net::HTTPServerException: 403 "Forbidden"
[2016-04-08T16:13:15-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Both servers are able to access each other over 443.
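The two data-collector flows listed in the Automate issue a few paragraphs up differ only in how the report request is authenticated: the direct flow carries the Automate data-collector token, while the Chef Server flow carries no Automate token at all and is instead signed with the node's client key, so the Chef Server can verify the client before it adds the dc_token and forwards the report. The Ruby below is an added example, not the cookbook's code, that builds both requests and performs the signature check the Chef Server side would do. The endpoint paths are the ones quoted in that issue; the x-data-collector-* header names are the ones chef-client's own data collector uses as far as I know; the canonical string and X-Ops-* headers follow Chef's request-signing version 1.3 as I understand it and should be checked against mixlib-authentication before being relied on.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'time'

# Added example, not the audit cookbook's code.  Endpoint paths are those quoted in the
# issue; header names and the version 1.3 canonical string are this example's assumptions.
module DataCollectorRequest
  def self.build(flow:, base_url:, body:, dc_token: nil, org: nil, client_name: nil,
                 client_key: nil, now: Time.now.utc)
    payload = JSON.generate(body)
    case flow
    when :direct
      # Flow 1: the node talks to Automate itself and proves identity with the shared token.
      raise ArgumentError, 'dc_token is required for the direct flow' if dc_token.to_s.empty?
      { url: "#{base_url}/data-collector/",
        headers: { 'Content-Type' => 'application/json',
                   'x-data-collector-auth' => 'version=1.0',
                   'x-data-collector-token' => dc_token },
        body: payload }
    when :chef_server
      # Flow 2: no Automate token on the node.  The request is signed with the client key;
      # the Chef Server verifies it and adds the dc_token itself before forwarding.
      if [org, client_name, client_key].any?(&:nil?)
        raise ArgumentError, 'org, client_name and client_key are required for the chef_server flow'
      end
      path = "/organizations/#{org}/data-collector"
      { url: "#{base_url}#{path}",
        headers: { 'Content-Type' => 'application/json' }
                   .merge(sign_headers('POST', path, payload, client_name, client_key, now)),
        body: payload }
    else
      raise ArgumentError, "unknown flow #{flow.inspect}"
    end
  end

  def self.body_hash(body)
    Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(body))
  end

  # Canonical string of Chef request signing version 1.3 (as understood by this example).
  def self.canonical(method, path, digest, timestamp, user_id)
    ["Method:#{method}", "Path:#{path}", "X-Ops-Content-Hash:#{digest}", 'X-Ops-Sign:version=1.3',
     "X-Ops-Timestamp:#{timestamp}", "X-Ops-UserId:#{user_id}", 'X-Ops-Server-API-Version:1'].join("\n")
  end

  def self.sign_headers(method, path, body, client_name, key, now)
    ts = now.iso8601
    digest = body_hash(body)
    signature = Base64.strict_encode64(key.sign(OpenSSL::Digest.new('SHA256'),
                                                canonical(method, path, digest, ts, client_name)))
    headers = { 'X-Ops-Sign' => 'algorithm=sha256;version=1.3;', 'X-Ops-Userid' => client_name,
                'X-Ops-Timestamp' => ts, 'X-Ops-Content-Hash' => digest, 'X-Ops-Server-API-Version' => '1' }
    # the base64 signature travels in 60-character X-Ops-Authorization-N header chunks
    signature.scan(/.{1,60}/).each_with_index { |chunk, i| headers["X-Ops-Authorization-#{i + 1}"] = chunk }
    headers
  end

  # The check the Chef Server performs before trusting the request: the body must match the
  # signed content hash, and the signature must verify under the client's registered public key.
  def self.verify(method, path, body, headers, public_key)
    digest = body_hash(body)
    return false unless headers['X-Ops-Content-Hash'] == digest # body altered after signing
    chunks = headers.select { |k, _| k.start_with?('X-Ops-Authorization-') }
                    .sort_by { |k, _| k.split('-').last.to_i }
                    .map { |_, v| v }
    return false if chunks.empty?
    public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.strict_decode64(chunks.join),
                      canonical(method, path, digest, headers['X-Ops-Timestamp'], headers['X-Ops-Userid']))
  rescue ArgumentError # malformed base64 in the signature headers
    false
  end
end
```

The point of the second flow is visible in verify: a report whose body, path or client name was changed after signing fails the check, so the Chef Server never attaches its dc_token to it. In the first flow the token itself is the only secret, which is why that flow needs the token distributed to every node.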
When running this cookbook for the first time and specifying an interval, the user is presented with this error:
Chef::Log.error 'Please take a look at your interval settings'
This may lead the user to believe that something is configured incorrectly. However, they may be getting this error because this returned false:
seconds_since_last_run > interval
Could we modify this error to be a warning and say something similar to:
Chef::Log.warn 'Audit run skipped due to interval configuration'
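Both this request and the notification issue reported earlier on this page (the :fetch action's immediate :touch making the :execute guard see an interval that has not passed) come down to the same gate. The Ruby below is an added example, not the cookbook's code, that models the marker file and the seconds_since_last_run > interval comparison in plain Ruby, runs fetch and execute under both notification timings, and produces the warning wording suggested here. The interval attribute is taken to be in minutes and converted to seconds, and the clock is passed in explicitly; both are assumptions of this example.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not the audit cookbook's code: the interval gate reduced to plain Ruby so the
# two notification orderings can be compared.  Interval unit (minutes) and the injected clock
# are this example's assumptions.
module AuditInterval
  # true when the run is due: no marker yet, or the marker is older than the interval
  def self.due?(marker, interval_minutes, now:)
    return true unless File.exist?(marker)
    seconds_since_last_run = now - File.mtime(marker)
    seconds_since_last_run > interval_minutes * 60
  end

  def self.touch(marker, now:)
    FileUtils.touch(marker)
    File.utime(now, now, marker)
  end

  # Simulate one chef-client run: fetch then execute, each guarded by due?.
  # :immediate touches the marker as soon as fetch finishes, so the execute guard is
  # re-evaluated against a marker that is zero seconds old and execute is skipped.
  # :delayed queues the touch until the end of the run, so both actions see the old marker.
  # Returns the actions that actually ran.
  def self.run(marker, interval_minutes, notify:, now:)
    ran = []
    pending = []
    %i[fetch execute].each do |action|
      next unless due?(marker, interval_minutes, now: now)
      ran << action
      if notify == :immediate
        touch(marker, now: now)
      else
        pending << :touch
      end
    end
    pending.uniq.each { touch(marker, now: now) } # delayed notifications fire once, after converge
    ran
  end

  # Log line for a run that was skipped by design, in place of the misleading
  # Chef::Log.error 'Please take a look at your interval settings'.
  def self.skip_message(marker, interval_minutes, now:)
    remaining = interval_minutes * 60 - (now - File.mtime(marker))
    format('Audit run skipped due to interval configuration (next run in %d seconds)', remaining.ceil)
  end
end
```

Running the simulation with a fresh marker shows the reported behaviour directly: with :immediate only fetch runs, with :delayed both run, a second run inside the interval runs nothing and should log the warning rather than an error.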
2.0.0
12.15.19
ubuntu 14.04
Cannot run Supermarket profiles
Use a wrapper cookbook and set your attributes to this:
default['audit']['inspec_version'] = '1.2.0'
# collector possible values: chef-server, chef-compliance, chef-visibility, json-file
# chef-visibility requires inspec version 0.27.1 or above
default['audit']['collector'] = 'chef-server'
# Attributes server, insecure and token/refresh_token are only needed for the 'chef-compliance' collector
# server format example: 'https://comp-server.example.com/api'
default['audit']['server'] = nil
# choose between the permanent refresh_token or ephemeral token(access_token). Needed only for the 'chef-compliance' collector
default['audit']['refresh_token'] = nil
# the token(access_token) expires in 12h after creation
default['audit']['token'] = nil
# set this insecure attribute to true if the compliance server / chef server uses self-signed ssl certificates
default['audit']['insecure'] = nil
# Chef Compliance organization to post the report to. Defaults to Chef Server org if not defined
# needed for the 'chef-compliance' collector, optional for 'chef-server' collector
default['audit']['owner'] = nil
# raise exception if Compliance API endpoint is unreachable
# while fetching profiles or posting report
default['audit']['raise_if_unreachable'] = true
# fail converge if downloaded profile is not present
default['audit']['fail_if_not_present'] = false
# by default run audit every time
default['audit']['interval']['enabled'] = false
# by default run compliance once a day
default['audit']['interval']['time'] = 1440
# quiet mode, on by default because this is testing, resources aren't converged in the normal chef sense
default['audit']['quiet'] = true
# overwrite existing profile in upload mode
default['audit']['overwrite'] = true
# use json format since this is for reporting
default['audit']['format'] = 'json'
# profiles to run (the cookbook's own default for this attribute is an empty array)
default['audit']['profiles'] = [
{
"name" => "ssh-hardening",
"supermarket" => "hardening/ssh-hardening"
}
]
Execute and report on Supermarket profile
Stacktrace:
root@node:/tmp/vagrant-chef# chef-client -c client.rb
[2016-11-01T20:31:26+00:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.15.19
[2016-11-01T20:31:26+00:00] INFO: *** Chef 12.15.19 ***
[2016-11-01T20:31:26+00:00] INFO: Platform: x86_64-linux
[2016-11-01T20:31:26+00:00] INFO: Chef-client pid: 14557
[2016-11-01T20:31:27+00:00] INFO: Run List is [recipe[audit_wrapper]]
[2016-11-01T20:31:27+00:00] INFO: Run List expands to [audit_wrapper]
[2016-11-01T20:31:27+00:00] INFO: Starting Chef Run for node
[2016-11-01T20:31:27+00:00] INFO: Running start handlers
[2016-11-01T20:31:27+00:00] INFO: Start handlers complete.
[2016-11-01T20:31:27+00:00] INFO: HTTP Request Returned 404 Not Found:
resolving cookbooks for run list: ["audit_wrapper"]
[2016-11-01T20:31:27+00:00] INFO: Loading cookbooks [audit@2.0.0, chef_handler@2.0.0, compat_resource@12.16.1, audit_wrapper@0.1.0]
Synchronizing Cookbooks:
- audit (2.0.0)
- chef_handler (2.0.0)
- compat_resource (12.16.1)
[2016-11-01T20:31:27+00:00] INFO: Storing updated cookbooks/audit_wrapper/attributes/default.rb in the cache.
- audit_wrapper (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
[2016-11-01T20:31:27+00:00] INFO: Chef Handlers will be located at: /var/chef/handlers
Recipe: chef_handler::default
* remote_directory[/var/chef/handlers] action create
Recipe: <Dynamically Defined Resource>
* cookbook_file[/var/chef/handlers/README] action create (up to date)
(up to date)
Converging 5 resources
Recipe: chef_handler::default
* remote_directory[/var/chef/handlers] action nothing (skipped due to action :nothing)
Recipe: audit::default
* inspec[inspec] action install
* chef_gem[inspec] action install (up to date)
- install/update inspec[2016-11-01T20:31:28+00:00] WARN: Using inspec version: (1.2.0)
- verifies the inspec version
* chef_gem[inspec] action install (up to date)
* directory[/var/chef/cache/handler] action create (up to date)
* cookbook_file[/var/chef/cache/handler/audit_report.rb] action create (up to date)
* chef_handler[Chef::Handler::AuditReport] action enable[2016-11-01T20:31:28+00:00] INFO: Disabling Chef::Handler::AuditReport as a report handler.
- disable Chef::Handler::AuditReport as a report handler[2016-11-01T20:31:28+00:00] INFO: Disabling Chef::Handler::AuditReport as a exception handler.
- disable Chef::Handler::AuditReport as a exception handler
- load Chef::Handler::AuditReport from /var/chef/cache/handler/audit_report.rb[2016-11-01T20:31:28+00:00] INFO: Enabling Chef::Handler::AuditReport as a report handler.
- enable chef_handler[Chef::Handler::AuditReport] as a report handler[2016-11-01T20:31:28+00:00] INFO: Enabling Chef::Handler::AuditReport as a exception handler.
- enable chef_handler[Chef::Handler::AuditReport] as a exception handler
[2016-11-01T20:31:28+00:00] INFO: Chef Run complete in 0.716410089 seconds
Running handlers:
[2016-11-01T20:31:28+00:00] INFO: Running report handlers
[2016-11-01T20:31:28+00:00] WARN: Format is json-min
[2016-11-01T20:31:28+00:00] INFO: Initialize InSpec
[2016-11-01T20:31:29+00:00] WARN: URL target https://github.com/dev-sec/tests-ssh-hardening transformed to https://github.com/dev-sec/tests-ssh-hardening/archive/master.tar.gz. Consider using the git fetcher
[2016-11-01T20:31:29+00:00] INFO: Running tests from: [{:name=>"ssh-hardening", :supermarket=>"hardening/ssh-hardening"}]
[2016-11-01T20:31:30+00:00] INFO: Reporting to chef-server
[2016-11-01T20:31:30+00:00] INFO: Control Profile: ["ssh-hardening"]
[2016-11-01T20:31:30+00:00] INFO: Control Profil: ssh-hardening
[2016-11-01T20:31:30+00:00] INFO: Compliance Profils: []
[2016-11-01T20:31:30+00:00] ERROR: Report handler Chef::Handler::AuditReport raised #<NoMethodError: undefined method `[]' for nil:NilClass>
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/cookbooks/audit/libraries/collector_classes.rb:243:in `block in enriched_report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/cookbooks/audit/libraries/collector_classes.rb:238:in `each'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/cookbooks/audit/libraries/collector_classes.rb:238:in `enriched_report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/cookbooks/audit/libraries/collector_classes.rb:273:in `send_report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/handler/audit_report.rb:155:in `send_report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/handler/audit_report.rb:46:in `block in report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/handler/audit_report.rb:33:in `each'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/handler/audit_report.rb:33:in `report'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:259:in `run_report_unsafe'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:247:in `run_report_safely'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:125:in `block in run_report_handlers'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:123:in `each'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:123:in `run_report_handlers'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:135:in `block in <class:Handler>'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:440:in `block in run_completed_successfully'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:439:in `each'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:439:in `run_completed_successfully'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:298:in `run'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:302:in `block in fork_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:255:in `block in run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/local_mode.rb:44:in `with_server_connectivity'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:243:in `run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:464:in `sleep_then_run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:451:in `block in interval_run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `loop'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `interval_run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:434:in `run_application'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:60:in `run'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/bin/chef-client:26:in `<top (required)>'
[2016-11-01T20:31:30+00:00] ERROR: /usr/bin/chef-client:54:in `load'
[2016-11-01T20:31:30+00:00] ERROR: /usr/bin/chef-client:54:in `<main>'
- Chef::Handler::AuditReport
Running handlers complete
[2016-11-01T20:31:30+00:00] INFO: Report handlers complete
Chef Client finished, 2/9 resources updated in 04 seconds
root@node:/tmp/vagrant-chef#
0.8.0
no client
MacOS 10.11.4
I want to see the reports of the audit cookbook run in Chef Compliance.
Just run the audit cookbook and see if the reports are generated in Chef Compliance (Compliance only, no Chef Server)
List of reports
The path is misconfigured in the helper.rb when report.rb calls the construct_url method.
#<URI::HTTPS:0x00000005076318 URL:https://172.28.128.4/api/owners/base/compliance/windows/tarowners/cjohannsen/inspec>
That's because the server.value is still set from the profile.rb run.
Right now the source for where we fetch the inspec gem is hardcoded to rubygems.org. Some customers cannot access rubygems.org due to network restrictions. We should provide a gem_source attribute to override the source. The chef-vault cookbook provides this override as well...
https://github.com/chef-cookbooks/chef-vault
default['chef-vault']['gem_source'] = nil
chef_gem 'chef-vault' do # ~FC009
  source node['chef-vault']['gem_source']
  version node['chef-vault']['version']
  clear_sources true unless node['chef-vault']['gem_source'].nil?
  compile_time true
end
0.14.4
Chef: 12.14.89
Ubuntu 14.04
After working around issue #101 the audit cookbook properly fetches and executes compliance profiles according to the interval set in attributes. However, even when the compliance_profile resource does not get executed because of the interval, the compliance_report resource still reports the results of the profile using the report results from previous chef-client runs that get cached in /var/chef/cache/compliance.
Here is the code that reads the cached report.
https://github.com/chef-cookbooks/audit/blob/v0.14.4/libraries/report.rb#L85
Seems like a possible solution would be to delete cached reports at the beginning of the audit recipe. Doing it at the beginning seems safer than at the end, because if the chef-client run should fail somehow, the cached files could accidentally remain in place for the next chef-client run.
Use the workaround in issue #101 to get interval settings to work properly.
Then use the following attributes in the audit wrapper cookbook.
default['audit']['profiles']['base/ssh'] = true
default['audit']['interval']['enabled'] = true
default['audit']['interval']['time'] = 2
Then run chef-client twice (one run right after the other) with this wrapper cookbook in the run list.
Cached profile reports from previous chef-client runs should not get accidentally sent to the server.
As you can see below, the fetch and execute actions for the ssh compliance profile were skipped but its cached report was still read, summarized in this output and posted to the server.
* compliance_profile[ssh] action fetch[2016-09-29T11:13:08+00:00] INFO: Processing compliance_profile[ssh] action fetch (audit::default line 78)
(skipped due to only_if)
* compliance_profile[ssh] action execute[2016-09-29T11:13:08+00:00] INFO: Processing compliance_profile[ssh] action execute (audit::default line 78)
(skipped due to only_if)
* compliance_report[chef-server] action execute[2016-09-29T11:13:08+00:00] INFO: Processing compliance_report[chef-server] action execute (audit::default line 93)
[2016-09-29T11:13:08+00:00] INFO: Summary for ssh {"duration":0.162846326,"example_count":69,"failure_count":44,"skip_count":0}
[2016-09-29T11:13:08+00:00] INFO: Report to Chef Server: https://chef.lxc/compliance/organizations/demo/inspec
Putting the following in my audit wrapper cookbook's default.rb recipe worked for me. It deletes the reports before including the audit cookbook.
compliance_cache_directory = ::File.join(Chef::Config[:file_cache_path], 'compliance')
Dir.glob(File.join(compliance_cache_directory, '*report.json')).each do |f|
file f do
action :delete
end
end
include_recipe 'audit'
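An alternative to deleting every cached report up front is to hand the reporting step only the reports written during the current converge, so a report left behind by an earlier, interval-skipped run is never re-posted. This is an added example, not the audit cookbook's code; it assumes the wrapper recipe records run_started_at when the converge begins.

```ruby
require 'json'
require 'tmpdir'

# Added example, not the audit cookbook's code. The cookbook (v0.14.4) reads
# every *report.json in the compliance cache; these helpers split that set by
# modification time against the start of the current run instead.
# run_started_at is ASSUMED to be captured by the wrapper recipe.

REPORT_GLOB = '*report.json'.freeze

# Cached reports written at or after run_started_at: produced by this run, safe to post.
def fresh_reports(cache_dir, run_started_at)
  Dir.glob(File.join(cache_dir, REPORT_GLOB))
     .select { |path| File.mtime(path) >= run_started_at }
     .sort
end

# Cached reports older than the current run: left over from a previous converge, delete rather than post.
def stale_reports(cache_dir, run_started_at)
  Dir.glob(File.join(cache_dir, REPORT_GLOB))
     .reject { |path| File.mtime(path) >= run_started_at }
     .sort
end

# Demo in a throwaway cache directory with constructed data: one report from an
# earlier run (backdated by a day) and one written during this run. mtimes are
# set explicitly so the result does not depend on filesystem clock granularity.
def demo_stale_cache
  Dir.mktmpdir('compliance') do |dir|
    run_started_at = Time.now
    old_report = File.join(dir, 'base_ssh_report.json')
    File.write(old_report, JSON.generate('controls' => []))
    File.utime(run_started_at - 86_400, run_started_at - 86_400, old_report)
    new_report = File.join(dir, 'base_linux_report.json')
    File.write(new_report, JSON.generate('controls' => []))
    File.utime(run_started_at + 1, run_started_at + 1, new_report)
    {
      post: fresh_reports(dir, run_started_at).map { |p| File.basename(p) },
      delete: stale_reports(dir, run_started_at).map { |p| File.basename(p) }
    }
  end
end

puts demo_stale_cache.inspect if $PROGRAM_NAME == __FILE__
```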
Currently, the inspec version is hardcoded:
https://github.com/chef/audit-cookbook/blob/6b18c581bb6103aca79a4a3c28fe5f605545bde3/libraries/profile.rb#L25
We should use latest as default and allow users to pin versions if required.
'audit', '~> 0.14.4'
12.13.37
MS Windows 2012 R2
Simply running the audit cookbook in a recipe.
nothing fancy, running the cookbook with the below attributes:
default['audit']['server'] = 'https://servername/api'
default['audit']['collector'] = 'chef-compliance'
default['audit']['token'] = 'token_here'
default['audit']['owner'] = 'owner'
default['audit']['quiet'] = true
default['audit']['profiles']['base/windows'] = true
Cookbook to run compliance against the node with the base/windows compliance profile.
Error below:
[2016-09-13T11:24:33+01:00] INFO: Executing: c:/chef/cache/compliance/base_windows.tgz
Error executing action `execute` on resource 'compliance_profile[windows]'
Zlib::GzipFile::Error
not in gzip format
Cookbook Trace:
c:/chef/cache/cookbooks/audit/libraries/profile.rb:128:in `block (2 levels) in <class:ComplianceProfile>'
c:/chef/cache/cookbooks/audit/libraries/profile.rb:111:in `block in <class:ComplianceProfile>'
Resource Declaration:
78: compliance_profile p do
79: owner o
80: formatter formatter
81: server server
82: token lazy { node['audit']['token'] }
83: insecure node['audit']['insecure'] unless node['audit']['insecure'].nil?
84: path path unless path.nil?
85: quiet node['audit']['quiet'] unless node['audit']['quiet'].nil?
86: only_if { profile_overdue_to_run?(p, interval_seconds) }
87: action [:fetch, :execute]
88: notifies :touch, "file[#{compliance_cache_directory}/#{p}]", :immediately
89: end
90: end
Compiled Resource:
compliance_profile("windows") do
action [:fetch, :execute]
updated true
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :compliance_profile
cookbook_name "audit"
recipe_name "default"
owner "base"
formatter "json-min"
server "https://servername.domainname.com/api/"
token #<Chef::DelayedEvaluator:0x0000000526fcf0@c:/chef/cache/cookbooks/audit/recipes/default.rb:82>
quiet true
profile "windows"
only_if { #code block }
end
Platform:
x64-mingw32
[2016-09-13T11:24:34+01:00] INFO: Running queued delayed notifications before re-raising exception
[2016-09-13T11:24:34+01:00] ERROR: Running exception handlers
[2016-09-13T11:24:34+01:00] ERROR: Exception handlers complete
[2016-09-13T11:24:34+01:00] INFO: Sending resource update report (run-id: d940188d-1693-46df-b5e8-184adf24092f)
[2016-09-13T11:24:34+01:00] FATAL: Stacktrace dumped to c:/chef/cache/chef-stacktrace.out
[2016-09-13T11:24:34+01:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-09-13T11:24:34+01:00] FATAL: Zlib::GzipFile::Error: compliance_profile[windows](audit::default line 78) had an error: Zlib::GzipFile::Error: not in gzip format
ERROR: Failed to execute command on return code 1
2.x
It should be easy for customers to copy profile locations from inspec.yml to Chef attributes. In inspec/inspec#1227 we defined the target format for the audit cookbook. We change from
"profiles" => {
# org / profile name from Chef Compliance
"base/linux" => true,
# supermarket url
"brewinc/ssh-hardening" => {
# location where inspec will fetch the profile from
"source" => "supermarket://hardening/ssh-hardening"
},
# local Windows path
"brewinc/win2012_audit" => {
# filesystem path
"source" => "E:/profiles/win2012_audit"
},
# github url
"brewinc/tmp_compliance_profile" => {
"source" => "https://github.com/nathenharvey/tmp_compliance_profile"
},
# disable profile
"brewinc/tmp_compliance_profile-master" => {
"source" => "/tmp/tmp_compliance_profile-master",
"disabled" => true
}
}
to
{
"profiles": [
{
"name": "hardening/ssh-hardening"
},
{
"name": "os-hardening",
"url": "https://github.com/dev-sec/tests-os-hardening/archive/master.zip"
},
{
"git": "https://github.com/dev-sec/tests-ssh-hardening.git"
},
{
"git": "https://github.com/dev-sec/tests-os-hardening.git"
}
]
}
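Converting an existing pre-2.0 profiles hash into the new array form, as an added example that is not the cookbook's own migration code: supermarket, url and git are the target keys shown above, while compliance (for entries set to true) and path (for local directories) are assumed key names.

```ruby
# Added example, not part of the audit cookbook: converts the pre-2.0
# node['audit']['profiles'] hash ("owner/name" => true or => {'source' => ...})
# into the 2.x array-of-targets form. 'supermarket', 'url' and 'git' are the
# keys the issue shows; 'compliance' and 'path' are ASSUMED key names.

# Legacy attribute value, constructed to mirror the issue's example.
LEGACY_PROFILES = {
  'base/linux' => true,
  'brewinc/ssh-hardening' => { 'source' => 'supermarket://hardening/ssh-hardening' },
  'brewinc/win2012_audit' => { 'source' => 'E:/profiles/win2012_audit' },
  'brewinc/tmp_compliance_profile' => { 'source' => 'https://github.com/nathenharvey/tmp_compliance_profile' },
  'brewinc/tmp_compliance_profile-master' => { 'source' => '/tmp/tmp_compliance_profile-master', 'disabled' => true }
}.freeze

# Convert one legacy entry; returns nil for disabled profiles so they drop out.
def convert_profile(full_name, spec)
  target = { 'name' => full_name.split('/').last }
  # "owner/profile" => true meant "fetch this profile from the Chef Compliance server"
  if spec == true
    target['compliance'] = full_name # assumed key name
    return target
  end
  return nil if spec['disabled']

  source = spec['source'].to_s
  case source
  when %r{\Asupermarket://(.+)\z} then target['supermarket'] = Regexp.last_match(1)
  when /\.git\z/                  then target['git'] = source   # checked before generic URLs
  when %r{\Ahttps?://}            then target['url'] = source
  else                                 target['path'] = source  # assumed key name
  end
  target
end

# Convert the whole hash; disabled profiles are omitted rather than carried over.
def convert_profiles(legacy)
  legacy.map { |name, spec| convert_profile(name, spec) }.compact
end

puts convert_profiles(LEGACY_PROFILES).inspect if $PROGRAM_NAME == __FILE__
```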
0.7.1
12.10.24
Linux node 4.2.0-34-generic #39~14.04.1-Ubuntu SMP Fri Mar 11 11:38:02 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Converging a node with the audit cookbook in the run_list should report the results back to the Compliance server via the Chef server chef_gate. The reports are coming into the Compliance server but show up as "Skipped".
Install Compliance 1.2.3.
Install Compliance/Chef server integration (chef_gate)
Add version 0.7.1 version of the audit cookbook to a node's run_list with the following attributes:
default['audit']['server'] = nil
default['audit']['token'] = nil
default['audit']['variant'] = 'chef'
default['audit']['owner'] = nil
default['audit']['profiles'] = {
'base/linux' => true,
'base/apache' => true,
'base/postgres' => true,
'base/ssh' => true,
}
# raise exception if Compliance API endpoint is unreachable
# while fetching profiles or posting report
default['audit']['raise_if_unreachable'] = false
# fail converge if downloaded profile is not present
default['audit']['fail_if_not_present'] = false
# fail converge after posting report if any audits have failed
default['audit']['fail_if_any_audits_failed'] = false
# inspec gem version to install(e.g. '0.22.0') or 'latest'
default['audit']['inspec_version'] = '0.22.0'
Verify the inspec version on the client node:
vagrant@node:~$ sudo /opt/chef/embedded/bin/gem list inspec
*** LOCAL GEMS ***
debug_inspector (0.0.2)
inspec (0.22.0)
vagrant@node:~$ /opt/chef/embedded/bin/inspec version
0.22.0
vagrant@node:~$
Expect to see the results of the inspec scan on the Reports page of the Compliance UI.
The scan reports show up as "Skipped"
From the Compliance server logs:
==> /var/log/chef-compliance/core/current <==
2016-05-18_13:27:43.28756 13:27:43.287 ERR => Authentication: %!(EXTRA *errors.errorString=missing Authorization header)
2016-05-18_13:27:43.29689 13:27:43.296 DEB => owner: &shared.Owner{PasswordHash:"", Login:"brewinc", Name:"brewinc", IsOrg:true, Source:sql.NullString{String:"8e842a4c-50ee-44de-7e49-c1651e754ee6", Valid:true}, UUID:uuid.UUID{ID:"718957c7-be56-47c6-42a7-8adf369266a1"}}
2016-05-18_13:27:43.29756 13:27:43.297 ERR => DB error: sql: no rows in result set
2016-05-18_13:27:43.29939 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / linux
2016-05-18_13:27:43.29945 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29949 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/linux
2016-05-18_13:27:43.29954 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / apache
2016-05-18_13:27:43.29955 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29956 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/apache
2016-05-18_13:27:43.29957 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / postgres
2016-05-18_13:27:43.29958 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29960 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/postgres
2016-05-18_13:27:43.29961 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / ssh
2016-05-18_13:27:43.29964 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29967 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/ssh
2016-05-18_13:27:43.29977 13:27:43.299 INF => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] scan result | 0 | 0 | 0 | 0 | 0 | packages | 0 | 0 | 0 | 0 | 0 |
2016-05-18_13:27:43.30847 13:27:43.308 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] db updated
2016-05-18_13:27:43.30859 [GIN] 2016/05/18 - 13:27:43 | 201 | 21.103202ms | 192.168.33.101 | POST /chef/organizations/brewinc/inspec
==> /var/log/chef-compliance/nginx/compliance.access.log <==
192.168.33.101 - - [18/May/2016:13:27:43 +0000] "POST /api/chef/organizations/brewinc/inspec HTTP/1.0" 201 46 "-" "Chef Client/12.10.24 (ruby-2.1.8-p440; ohai-8.15.1; x86_64-linux; +https://chef.io)"
From the chef client node running the converge and inspec scan:
...
rspec # SSH Configuration HostbasedAuthentication should eq "no"
rspec # SSH Configuration RhostsRSAAuthentication should eq "no"
rspec # SSH Configuration RSAAuthentication should eq "yes"
rspec # SSH Configuration PasswordAuthentication should eq "no"
rspec # SSH Configuration Tunnel should eq "no"
rspec # SSH Configuration PermitLocalCommand should eq "no"
rspec # File /etc/ssh should not be readable by others
- execute compliance profile
* chef_gem[inspec] action install (up to date)
* file[/var/chef/cache/compliance/base_ssh_report.json] action create[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] backed up to /var/chef/backup/var/chef/cache/compliance/base_ssh_report.json.chef-20160518135835.672152
[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] removed backup at /var/chef/backup/var/chef/cache/compliance/base_ssh_report.json.chef-20160518132021.138557
[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] updated file contents /var/chef/cache/compliance/base_ssh_report.json
- update content in file /var/chef/cache/compliance/base_ssh_report.json from e8399a to 133cd2
- suppressed sensitive resource
* compliance_report[chef-server] action execute
- report compliance profiles' results
[2016-05-18T13:58:35+00:00] INFO: Chef Run complete in 3.00964474 seconds
Running handlers:
[2016-05-18T13:58:35+00:00] INFO: Running report handlers
Running handlers complete
[2016-05-18T13:58:35+00:00] INFO: Report handlers complete
Chef Client finished, 13/37 resources updated in 04 seconds
root@node:~#
0.6.0
12.9.41
RHEL 7.2
Attempting to run an audit profile that inherits another profile on the compliance server
Run the audit cookbook with a compliance policy that is inherited
Audit cookbook passes
* compliance_profile[cis-rhel7-level1-lite] action execute
* chef_gem[inspec] action install (up to date)
[2016-05-04T11:33:00-04:00] WARN: Using inspec version: (0.20.1)
- install/update inspec
================================================================================
Error executing action `execute` on resource 'compliance_profile[cis-rhel7-level1-lite]'
================================================================================
RuntimeError
------------
You must supply a --profiles-path to inherit from other profiles.
Cookbook Trace:
---------------
/var/chef/cache/cookbooks/audit/libraries/profile.rb:111:in `block (2 levels) in <class:ComplianceProfile>'
/var/chef/cache/cookbooks/audit/libraries/profile.rb:94:in `block in <class:ComplianceProfile>'
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/audit/recipes/default.rb
30: compliance_profile p do
31: owner o
32: server server
33: token token
34: inspec_version node['audit']['inspec_version']
35: action [:fetch, :execute]
36: end
37: end
Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/audit/recipes/default.rb:30:in `block in from_file'
compliance_profile("cis-rhel7-level1-lite") do
action [:fetch, :execute]
updated true
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :compliance_profile
cookbook_name "audit"
recipe_name "default"
owner "thomasrgcheforg"
inspec_version "latest"
profile "cis-rhel7-level1-lite"
end
Platform:
---------
x86_64-linux
We should be able to define a node attribute to tell the chef client if it should fail or pass in an event of a detected compliance issue.
2.0.0
In order to address those issues and harmonize the implementation between the audit cookbook and InSpec, we need to write an InSpec fetcher for Chef Server (to have Chef Server authentication). This implicitly removes the need to download profiles manually before execution, and also removes the need to aggregate the reports, since InSpec already does that out of the box.
0.8.0
Users want to use an API token for Chef Compliance and report to Compliance directly instead of sending the data via the Chef Server.
2.0.0
any
any
These capabilities are removed from 2.0.0. What is the consensus on re-adding them?
Not sure how else to surface this issue, and it's not that big of a deal, but your changelog generator is producing broken links:
https://github.com/chef-cookbooks/audit/blame/master/CHANGELOG.md#L4
# This line
[Full Changelog](https://github.com/chef-cookbooks/audit/compare/v0.12.0...0.13.0)
# Should be this
[Full Changelog](https://github.com/chef-cookbooks/audit/compare/v0.12.0...v0.13.0)
Notice the V ->^
Not sure how to fix it myself or I would
audit 0.5.0
12.5.1, 12.9.38
CentOS 6
Run chef-client in audit mode with audit::default in the runlist. The failure is not impacting the chef-client run in any way.
[root@vagrant-local-linux ~]# chef-client --audit-mode enabled
Starting Chef Client, version 12.5.1
resolving cookbooks for run list: ["audit::default"]
Synchronizing Cookbooks:
- audit (0.5.0)
Compiling Cookbooks...
Converging 2 resources
Recipe: audit::default
* compliance_profile[mylinux] action fetch
* chef_gem[inspec] action install (up to date)
[2016-04-26T18:13:30+00:00] WARN: Using inspec version: (0.19.3)
- install/update inspec
* directory[/var/chef/cache/compliance] action create (up to date)
- fetch compliance profile
* chef_gem[inspec] action install (up to date)
* directory[/var/chef/cache/compliance] action create (up to date)
* compliance_profile[mylinux] action execute
* chef_gem[inspec] action install (up to date)
[2016-04-26T18:13:30+00:00] WARN: Using inspec version: (0.19.3)
- install/update inspec..F
Failures:
1) Service iptables should be running
Failure/Error: Unable to find admin/mylinux/controls/services_spec.rb to read failed line
expected that `Service iptables` is running
# admin/mylinux/controls/services_spec.rb:12:in `block (3 levels) in load'
# /var/chef/cache/cookbooks/audit/libraries/profile.rb:112:in `block (2 levels) in <class:ComplianceProfile>'
# /var/chef/cache/cookbooks/audit/libraries/profile.rb:93:in `block in <class:ComplianceProfile>'
Finished in 0.09885 seconds (files took 0.78511 seconds to load)
3 examples, 1 failure
Failed examples:
rspec # Service iptables should be running
- execute compliance profile
* chef_gem[inspec] action install (up to date)
* file[/var/chef/cache/compliance/admin_mylinux_report.json] action create
- update content in file /var/chef/cache/compliance/admin_mylinux_report.json from 6f5303 to de6456
- suppressed sensitive resource
- restore selinux security context
* compliance_report[chef-server] action execute
- report compliance profiles' results
Starting audit phase
RSpec's reporter has already been initialized with #<IO:<STDOUT>> as the output stream, so your change to `output_stream` will be ignored. You should configure it earlier for it to take effect. (Called from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/runner.rb:120:in `set_streams')
[2016-04-26T18:13:31+00:00] ERROR: Audit phase failed with error message: undefined method `split' for nil:NilClass
Audit phase exception:
undefined method `split' for nil:NilClass
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/audit_event_proxy.rb:63:in `build_control_from'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/audit_event_proxy.rb:48:in `block in stop'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/audit_event_proxy.rb:47:in `each'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/audit_event_proxy.rb:47:in `stop'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:184:in `block in notify'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:183:in `each'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:183:in `notify'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:178:in `stop'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:152:in `block in finish'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:170:in `close_after'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:151:in `finish'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:79:in `report'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/runner.rb:113:in `run_specs'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/runner.rb:189:in `do_run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/runner.rb:35:in `run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/client.rb:721:in `run_audits'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/client.rb:276:in `run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:270:in `block in fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:258:in `fork'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:258:in `fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:224:in `block in run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/local_mode.rb:44:in `with_server_connectivity'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:212:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application/client.rb:408:in `block in interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application/client.rb:398:in `loop'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application/client.rb:398:in `interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application/client.rb:388:in `run_application'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:60:in `run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/bin/chef-client:26:in `<top (required)>'
/usr/bin/chef-client:54:in `load'
/usr/bin/chef-client:54:in `<main>'
Running handlers:
Running handlers complete
Chef Client finished, 4/10 resources updated in 05 seconds
[2016-04-26T18:13:31+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2016-04-26T18:13:31+00:00] ERROR: Found 1 errors, they are stored in the backtrace
[2016-04-26T18:13:32+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
[root@vagrant-local-linux ~]#
0.6.0
12.9.41
0.21.0
Windows 2012 R2 (Azure)
Running audit cookbook with Windows specific profile to report back into Compliance
Install inspec 0.21.0
You get 0 results reported back to Compliance
Compliant / Issues reporting back into Compliance dashboard
2016-05-12_17:13:43.76370 17:13:43.763 DEB => owner: &shared.Owner{PasswordHash:"", Login:"unit4", Name:"unit4", IsOrg:true, Source:sql.NullString{String:"9cf58bf8-a53b-4bf9-58fe-2f493bf4adfc", Valid:true}, UUID:uuid.UUID{ID:"2a50ead3-2918-41a6-5915-48f45a41b74f"}}
2016-05-12_17:13:43.76466 17:13:43.764 ERR => DB error: sql: no rows in result set
2016-05-12_17:13:43.76908 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76923 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76934 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76944 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76954 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76975 17:13:43.769 DEB => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Add scan result for 2a50ead3-2918-41a6-5915-48f45a41b74f/732b4772-0122-4ec8-468f-ce4bc706f254/937ab0a4-2f99-4ccc-4d74-8809956ec7dd:0 with unit4/identity-server-level-1
2016-05-12_17:13:43.76989 17:13:43.769 INF => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] scan result | 0 | 0 | 0 | 0 | 0 | packages | 0 | 0 | 0 | 0 | 0 |
Hey,
I just tested the cookbook against a Windows node and it fails:
cjo@Christians-MBP ~/Downloads/chef-repo/cookbooks/atom git:(master) ✗ kitchen converge
-----> Starting Kitchen (v1.7.3)
-----> Converging <default-windows-2012r2>...
Preparing files for transfer
Preparing dna.json
Resolving cookbook dependencies with Berkshelf 4.2.1...
Removing non-cookbook files before transfer
Preparing validation.pem
Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)
Transferring files to <default-windows-2012r2>
Starting Chef Client, version 12.10.24
resolving cookbooks for run list: ["audit::default"]
Synchronizing Cookbooks:
- audit (0.8.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 2 resources
Recipe: audit::default
* compliance_profile[windows] action fetch
* chef_gem[inspec] action install (up to date)
[2016-05-21T10:21:42-07:00] WARN: Using inspec version: (0.22.1)
- install/update inspec
* directory[C:\Users\vagrant\AppData\Local\Temp\kitchen\cache/compliance] action create (up to date)
URL: https://192.168.178.221/api/owners/base/compliance/windows/tar
================================================================================
Error executing action `fetch` on resource 'compliance_profile[windows]'
================================================================================
Errno::EACCES
-------------
Permission denied @ sys_fail2 - (C:/Users/vagrant/AppData/Local/Temp/foo20160521-2220-1c553kw, C:\Users\vagrant\AppData\Local\Temp\kitchen\cache/compliance/base_windows.tgz)
Resource Declaration:
---------------------
# In C:/Users/vagrant/AppData/Local/Temp/kitchen/cache/cookbooks/audit/recipes/default.rb
30: compliance_profile p do
31: owner o
32: server server
33: token token
34: inspec_version node['audit']['inspec_version']
35: action [:fetch, :execute]
36: end
37: end
Compiled Resource:
------------------
# Declared in C:/Users/vagrant/AppData/Local/Temp/kitchen/cache/cookbooks/audit/recipes/default.rb:30:in `block in from_file'
compliance_profile("windows") do
action [:fetch, :execute]
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :compliance_profile
cookbook_name "audit"
recipe_name "default"
owner "base"
server #<URI::HTTPS:0x0000000132e3e8 URL:https://192.168.178.221/api/owners/base/compliance/windows/tar>
token "<token value removed from the pasted output>"
inspec_version "0.22.1"
profile "windows"
end
Platform:
---------
x64-mingw32
Running handlers:
[2016-05-21T10:21:43-07:00] ERROR: Running exception handlers
Running handlers complete
[2016-05-21T10:21:43-07:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 11 seconds
[2016-05-21T10:21:43-07:00] FATAL: Stacktrace dumped to C:/Users/vagrant/AppData/Local/Temp/kitchen/cache/chef-stacktrace.out
[2016-05-21T10:21:43-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-05-21T10:21:43-07:00] FATAL: Errno::EACCES: compliance_profile[windows] (audit::default line 30) had an error: Errno::EACCES: Permission denied @ sys_fail2 - (C:/Users/vagrant/AppData/Local/Temp/foo20160521-2220-1c553kw, C:\Users\vagrant\AppData\Local\Temp\kitchen\cache/compliance/base_windows.tgz)
>>>>>> Converge failed on instance <default-windows-2012r2>.
>>>>>> Please see .kitchen/logs/default-windows-2012r2.log for more details
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: WinRM exited (1) for command: [
$env:PATH = [System.Environment]::GetEnvironmentVariable("PATH","Machine")
& $env:systemdrive\opscode\chef\bin\chef-client.bat --local-mode --config $env:TEMP\kitchen\client.rb --log_level auto --force-formatter --no-color --json-attributes $env:TEMP\kitchen\dna.json --chef-zero-port 8889]
>>>>>> ----------------------
While checking the code it seems that the Windows path has forward instead of backward slashes.
[2016-05-21T10:21:43-07:00] FATAL: Errno::EACCES: compliance_profile[windows] (audit::default line 30) had an error: Errno::EACCES: Permission denied @ sys_fail2 - (C:/Users/vagrant/AppData/Local/Temp/foo20160521-2220-1c553kw, C:\Users\vagrant\AppData\Local\Temp\kitchen\cache/compliance/base_windows.tgz)
Seems that the path relies on Chef::Config but for direct connections that does not work.
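As an added example (not the audit cookbook's own code), one way to keep a cache path from mixing the base's backslashes with forward-slash suffixes, and to move a fetched profile into that cache without tripping over a still-open temp file: normalize the separators once, download into a temp file inside the target directory, close it, then rename. The names `normalized_cache_path` and `store_profile` and the constructed byte string standing in for the profile tarball are assumptions of this example.

```ruby
require "fileutils"
require "tempfile"

# Join a base directory (for example a cache path taken from a Windows
# config, "C:\\Users\\...\\cache") with relative parts, then force a single
# separator style so the result never looks like "...\\cache/compliance/x.tgz".
def normalized_cache_path(base, *parts)
  sep = File::ALT_SEPARATOR || File::SEPARATOR # "\\" on Windows, "/" elsewhere
  File.join(base, *parts).gsub(%r{[\\/]+}) { sep }
end

# Store downloaded profile bytes as <cache_dir>/compliance/<name>.tgz.
# The body is written to a temp file in the same directory, closed (so the
# data is flushed and no open handle blocks the move), then renamed into
# place; a same-directory rename never crosses volumes. Returns the path.
def store_profile(cache_dir, name, body)
  dir = normalized_cache_path(cache_dir, "compliance")
  FileUtils.mkdir_p(dir)
  # Fail early with a clear error instead of half-way through the download.
  raise Errno::EACCES, dir unless File.writable?(dir)

  final = File.join(dir, "#{name}.tgz")
  tmp = Tempfile.create("profile", dir) # hypothetical basename
  begin
    tmp.binmode
    tmp.write(body)
  ensure
    tmp.close
  end
  File.rename(tmp.path, final)
  final
end

if $PROGRAM_NAME == __FILE__
  require "tmpdir"
  Dir.mktmpdir do |d|
    # Constructed stand-in for the base_windows.tgz tarball from the report.
    puts store_profile(d, "base_windows", "constructed tarball bytes")
  end
end
```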