audit's People

Contributors

adamleff, alexpop, anirudh-gupta, arlimus, brentm5, btm, chris-rock, clintoncwolfe, drrk, jeremymv2, jquick, jwmathe, kevinreedy, kvivek1115, lamont-granquist, mattray, mhedgpeth, moutons, nashwini, sarahbakal, sbabcoc, sean-horn, smurawski, srenatus, stevendanna, tas50, teknofire, thomascate, xorima, xorimabot

audit's Issues

Run inspec tests using a custom resource

Since cookbooks have the test/integration directory already, it would be great if we could use an audit resource to trigger the inspec tests via a Chef run. The resource name could be

inspec do
  dir 'test/integration/...'
end

add default recipe that reads profiles from attributes

node[:audit][:profiles] = [ 'base/ssh', 'base/linux', 'admin/cis-level-1' ]

This should cause the default recipe to run these profiles, and report against the chef server that it is currently using.

Later on, we may change this to compliance://base/ssh, to also support other inspec targets.

Vendor InSpec gem

Instead of requiring Chef to install the InSpec gem, we vendor the gem into the cookbook. This allows users to update more easily.

Cookbook version

1.0.0

README.md "Upload cookbook to Chef Server"

Cookbook version

2.0.0

Chef-client version

n/a

Platform Details

n/a

Scenario:

https://github.com/chef-cookbooks/audit#upload-cookbook-to-chef-server

If you want to upload the cookbook from git, use the following commands:

mkdir chef-cookbooks
cd chef-cookbooks
git clone https://github.com/chef-cookbooks/audit
cd ..
knife cookbook upload audit -o ./chef-cookbooks

Steps to Reproduce:

Follow the exact commands above verbatim.

Expected Result:

audit cookbook uploaded

Actual Result:

$ knife cookbook upload audit -o ./chef-cookbooks
Uploading audit        [2.0.0]
ERROR: Cookbook audit depends on cookbooks which are not currently
ERROR: being uploaded and cannot be found on the server.
ERROR: The missing cookbook(s) are: 'compat_resource' version '>= 0.0.0', 'chef_handler' version '>= 0.0.0'
$

Since there are dependency cookbooks now (compat_resource, chef_handler), we need to use berks to help.

$ berks vendor -e integration
Resolving cookbook dependencies...
Fetching 'audit' from source at .
Using audit (2.0.0) from source at .
Using compat_resource (12.16.1)
Using chef_handler (2.0.0)
Vendoring audit (2.0.0) to /Users/jmiller/Devel/ChefProject/audit/berks-cookbooks/audit
Vendoring chef_handler (2.0.0) to /Users/jmiller/Devel/ChefProject/audit/berks-cookbooks/chef_handler
Vendoring compat_resource (12.16.1) to /Users/jmiller/Devel/ChefProject/audit/berks-cookbooks/compat_resource
$ knife cookbook upload -a -o berks-cookbooks
Uploading audit          [2.0.0]
Uploading chef_handler   [2.0.0]
Uploading compat_resource [12.16.1]
Uploaded all cookbooks.
$

Missing profile results in misleading error message in chef_gate log

Cookbook version

0.14.1

Chef-client version

12.13.37

Platform Details

RHEL 7.2 on AWS

Scenario:

When you run the audit cookbook for a profile that does not exist, the chef_gate log will say "Authentication failed. Please check your system's clock." This is misleading because the problem is a missing profile, not any authentication or problem with the clock.

Steps to Reproduce:

Run the audit cookbook for a profile that doesn't exist, then look at your chef_gate current log.

Expected Result:

If an error is because of a missing profile, the error message should state that the profile is missing.

Actual Result:

chef_gate current log will say "Authentication failed. Please check your system's clock."

audit cookbook compliance run and report should not report converge

Scenario:

We still can't run the audit cookbook in production because it reports resources that are converged, which causes us to lose the ability to know when our run is entirely idempotent.

Steps to Reproduce:

Run the audit cookbook configured to run against profiles

Expected Result:

At the end of an audit cookbook run, 0 resources should report as failed

Actual Result:

resources report as converged

Implementation

The audit cookbook is implemented incorrectly. Resources in chef are there to configure the machine, not report on that machine. This is a fundamental misuse of the chef model.

Instead a report handler should be used to both download and report on the chef run. The recipe can ensure that inspec is properly installed and that the handler is used.

I am happy to create a PR for this if you think it's the right direction for the cookbook. It is a fundamental departure from what is there now.

Remove temporary report file

Cookbook version

2.0.0

Scenario:

Previously we used the runner to generate a JSON file: https://github.com/chef-cookbooks/audit/blob/v1.1.0/resources/profile.rb#L121-L135

output = quiet ? ::File::NULL : $stdout
runner = ::Inspec::Runner.new('report' => true, 'format' => formatter, 'output' => output)
report = runner.report.to_json

This helps us to remove https://github.com/chef-cookbooks/audit/blob/master/files/default/audit_report.rb#L86-L87 and https://github.com/chef-cookbooks/audit/blob/master/libraries/helper.rb#L74-L80. For users who require a local JSON report, we should implement #126.

Undefined method 'path' for nil:NilClass

Cookbook version

0.5.0

Chef-client version

12.9.38-1

Platform Details

Windows 7 Enterprise

Scenario:

Trying to run audit cookbook on node.

Steps to Reproduce:

Execute a remote chef-client call using knife windows winrm that has the audit cookbook in the node's runlist

Expected Result:

INFO: Processing compliance_profile[windows] action fetch (audit::default line 28)
WARN: Using inspec version: (0.19.3)
INFO: Fetch compliance profile base/windows
INFO: Processing directory[c:/chef/cache/compliance] action create (c:/chef/cache/cookbooks/audit/libraries/profile.rb line 40)
INFO: Processing directory[c:/chef/cache/compliance] action create (c:/chef/cache/cookbooks/audit/libraries/profile.rb line 40)
INFO: Processing compliance_profile[windows] action execute (audit::default line 28)
WARN: Using inspec version: (0.19.3)
INFO: Execute compliance profile base/windows

https://gist.github.com/chef09210/c8b116b747e340e5ba6afbe81d4adb62

Actual Result:

================================================================================
Error executing action `fetch` on resource 'compliance_profile[windows]'
================================================================================

NoMethodError
-------------
undefined method `path' for nil:NilClass

Cookbook Trace:
---------------
c:/chef/cache/cookbooks/audit/libraries/profile.rb:71:in `block (2 levels) in <class:ComplianceProfile>'
c:/chef/cache/cookbooks/audit/libraries/profile.rb:35:in `block in <class:ComplianceProfile>'

Resource Declaration:
---------------------
# In c:/chef/cache/cookbooks/audit/recipes/default.rb

 28:   compliance_profile p do
 29:     owner o
 30:     server server
 31:     token token
 32:     inspec_version node['audit']['inspec_version']
 33:     action [:fetch, :execute]
 34:   end
 35: end

Compiled Resource:
------------------
# Declared in c:/chef/cache/cookbooks/audit/recipes/default.rb:28:in `block in from_file'

compliance_profile("windows") do
  action [:fetch, :execute]
  retries 0
  retry_delay 2
  default_guard_interpreter :default
  declared_type :compliance_profile
  cookbook_name "audit"
  recipe_name "default"
  owner "base"
  inspec_version "latest"
  profile "windows"
end

Platform:
---------
x64-mingw32

https://gist.github.com/chef09210/77b1e9d23118bf06864b3bbb8a88eb50

Node information sent to Compliance after first audit run are not accurate

Cookbook version

0.6.0

Chef-client version

12.9.38-1

Platform Details

Windows 7 Enterprise

Scenario:

When a Windows node initiates a chef-client run with the audit cookbook, certain information is sent back to Chef Compliance such as hostname/IP and WinRM account. However the hostname/IP field is not filled in and WinRM account name is listed as Administrator even though node is a domain account with a domain administrative account. This prevents reconnection to the node until this information is entered in manually.

Steps to Reproduce:

Run the audit cookbook for the first time on a Win7 client. View the node information result in Chef Compliance after the chef-client run is complete.

Expected Result:

Hostname/IP of machine and account used to run chef-client command remotely through winrm should be sent back to Chef Compliance and listed in the node details on Chef Compliance page.

Actual Result:

Hostname/IP field is empty and account is listed as generic Administrator

quiet should control whether converge is reported by Chef

Cookbook version

0.12

Chef-client version

12.8.1

Platform Details

Windows 2012 R2

Scenario:

When I run chef-client it always reports that a resource was converged, even when node['audit']['quiet'] = true.

Steps to Reproduce:

Set node['audit']['interval']['enabled'] = true
Run chef-client twice

Expected Result:

0 resources converge

Actual Result:

1 resource converges (the compliance report)

Recipe: audit::default
  * directory[D:/chef/cache/compliance] action create (up to date)
  * file[D:/chef/cache/compliance/windows] action nothing (skipped due to action :nothing)
  * compliance_profile[windows] action fetch (skipped due to only_if)
  * compliance_profile[windows] action execute (skipped due to only_if)
  * compliance_report[chef-server] action execute
    - report compliance profiles' results

Running handlers:
Running handlers complete

Chef Client finished, 1/84 resources updated in 01 minutes 03 seconds

The compliance_report resource in this case is reporting a converge.

Provide support for additional profile hosting sources

Cookbook version

0.8.0

Chef-client version

12.9.41

Platform Details

all

Scenario:

Execute scans and report on profiles hosted from Supermarket, Github and local filesystem paths.
This could prove beneficial where direct access to the Compliance server from all scanned nodes is not desirable. Also other sources would provide more highly available hosting options.

Steps to Reproduce:

N/A

Expected Result:

Given paths to Profiles hosted on Supermarket, Github and local filesystem, I expect the audit cookbook to execute scans and report on results.

Actual Result:

Interval setting is not working properly

Cookbook version

0.14.4

Chef-client version

Chef: 12.14.89

Platform Details

Ubuntu 14.04

Scenario:

Setting the interval attributes doesn't work. The compliance profiles are never executed.

Steps to Reproduce:

I use a wrapper cookbook to set the following attributes. I'm setting the interval to 1 minute for troubleshooting purposes.

default['audit']['profiles']['base/linux'] = true
default['audit']['profiles']['base/ssh'] = true
default['audit']['interval']['enabled'] = true
default['audit']['interval']['time'] = 1

Expected Result:

The compliance_profile should fetch AND execute properly according to the interval.

Actual Result:

Run chef-client -l debug and notice that the compliance profiles are fetched but they are not executed at all. (skipped due to only_if)

The file that is used to calculate if the interval has passed is being touched by the compliance_profile's notifies property.

The problem is the compliance_profile has both the :fetch AND :execute action. The :fetch action works and touches the interval file immediately so when the :execute action runs the only_if guard is rechecked and sees (incorrectly) that the interval has not passed.

I tested changing the notifies to a :delayed instead of :immediately and it fixed this for me. The compliance_profile fetched AND executed properly according to the interval.

Workaround

Putting the following in my audit wrapper cookbook's default.rb recipe worked for me. It creates :delayed notifications and deletes the :immediate notifications.

include_recipe 'audit'

# Re-register every compliance_profile -> file[...] :touch notification as :delayed,
# so the interval marker is only touched once all actions of the run have completed.
run_context.immediate_notification_collection.each do |k,v|
  if (k =~ /^compliance_profile\[\w*\]$/) && (v.first.action == :touch)
    resources(k).notifies :touch, v.first.resource, :delayed
  end
end
# Then drop the original :immediate :touch notifications so the marker is not
# touched between the :fetch and :execute actions.
run_context.immediate_notification_collection.delete_if { |k,v| (k =~ /^compliance_profile\[\w*\]$/) && (v.first.action == :touch) }
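
As an added example (not code from the audit cookbook or from this issue), the following Ruby models the only_if interval guard and the marker-file touch notification described above, so the difference between an :immediately and a :delayed touch can be reproduced without a Chef run. The 1-minute interval is the reporter's; the marker path, the run timestamps and the function names are constructed for the illustration.

```ruby
# Added example (not the audit cookbook's own code): a minimal model of the interval
# guard from the issue, showing why an :immediately touch notification sent by :fetch
# makes the :execute action's only_if guard skip, and why :delayed fixes it.
require 'tmpdir'

INTERVAL_MINUTES = 1 # the 1-minute troubleshooting interval from the issue

# The only_if guard: run when the marker file is missing (first run) or when it is
# older than the interval. The reason is returned as well, so a log line can say
# which case applied rather than a generic "check your interval settings".
def interval_check(marker_path, interval_minutes, now = Time.now)
  return [true, :first_run] unless File.exist?(marker_path)

  seconds_since_last_run = now - File.mtime(marker_path)
  if seconds_since_last_run > interval_minutes * 60
    [true, :interval_elapsed]
  else
    [false, :interval_not_elapsed]
  end
end

# Simulates compliance_profile with actions [:fetch, :execute], each guarded by the
# only_if above, plus a :touch notification to the marker file that fires either
# :immediately (right after the action) or :delayed (once, after every action has
# run). Returns the actions that actually ran. `now` is injected so runs can be
# replayed at chosen timestamps instead of sleeping.
def run_profile(marker_path, notify_timing:, now: Time.now)
  ran = []
  pending = []
  touch = lambda do
    File.write(marker_path, '') unless File.exist?(marker_path)
    File.utime(now, now, marker_path) # what file[...] action :touch does to mtime
  end
  %i[fetch execute].each do |action|
    passed, _reason = interval_check(marker_path, INTERVAL_MINUTES, now) # re-evaluated per action
    next unless passed

    ran << action
    notify_timing == :immediately ? touch.call : pending << touch
  end
  pending.each(&:call) # delayed notifications run after the last action
  ran
end

# Three chef-client runs against a fresh marker: the first run, a rerun 30 s later
# (inside the interval) and a rerun 90 s later (interval elapsed). Constructed input.
def simulate_runs(notify_timing)
  Dir.mktmpdir do |dir|
    marker = File.join(dir, 'linux')
    t0 = Time.now
    [t0, t0 + 30, t0 + 90].map { |now| run_profile(marker, notify_timing: notify_timing, now: now) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "immediately: #{simulate_runs(:immediately).inspect}" # [[:fetch], [], [:fetch]]
  puts "delayed:     #{simulate_runs(:delayed).inspect}"     # [[:fetch, :execute], [], [:fetch, :execute]]
end
```

With :immediately the :fetch action touches the marker before :execute is evaluated, so :execute is skipped on every run in which :fetch ran; with :delayed both actions run whenever the interval has elapsed, and the marker is touched only afterwards.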

Timing issues during report aggregation

As reported by Jeff Mathe

Cookbook version

0.14.1

Scenario:

A user selects multiple profiles via the audit cookbook. All profiles are downloaded and executed and reported in one report.

Expected Result:

All executed profiles are part of the report.

Actual Result:

I run multiple profiles via InSpec, but only one profile is reported to Chef Compliance / Chef Visibility. The current audit cookbook has a timing issue, where reports are not properly aggregated.

Implement reporting as InSpec plugin

The basic reporting should be implemented as a plain Ruby InSpec plugin instead of using the Chef DSL. This would simplify the audit cookbook and allow us to focus the audit cookbook on being the glue between Chef and InSpec.

Cookbook version

1.0

version 2.0.0 reporting resources updated

Cookbook version

2.0.0

Chef-client version

12.15.19

Platform Details

ubuntu 14.04

Scenario:

version 2.0.0 uses chef-handler in an attempt not to report resources being updated; however, each subsequent chef-client converge is reporting resources updated.

Steps to Reproduce:

Use a wrapper cookbook with these attributes:

default['audit']['inspec_version'] = '1.2.0'

# collector possible values: chef-server, chef-compliance, chef-visibility, json-file
# chef-visibility requires inspec version 0.27.1 or above
default['audit']['collector'] = 'chef-server'

# Attributes server, insecure and token/refresh_token are only needed for the 'chef-compliance' collector
# server format example: 'https://comp-server.example.com/api'
default['audit']['server'] = nil

# choose between the permanent refresh_token or ephemeral token(access_token). Needed only for the 'chef-compliance' collector
default['audit']['refresh_token'] = nil

# the token(access_token) expires in 12h after creation
default['audit']['token'] = nil

# set this insecure attribute to true if the compliance server / chef server uses self-signed ssl certificates
default['audit']['insecure'] = nil

# Chef Compliance organization to post the report to. Defaults to Chef Server org if not defined
# needed for the 'chef-compliance' collector, optional for 'chef-server' collector
default['audit']['owner'] = nil

# raise exception if Compliance API endpoint is unreachable
# while fetching profiles or posting report
default['audit']['raise_if_unreachable'] = true

# fail converge if downloaded profile is not present
default['audit']['fail_if_not_present'] = false

# by default run audit every time
default['audit']['interval']['enabled'] = false

# by default run compliance once a day
default['audit']['interval']['time'] = 1440

# quiet mode, on by default because this is testing, resources aren't converged in the normal chef sense
default['audit']['quiet'] = true

# overwrite existing profile in upload mode
default['audit']['overwrite'] = true

# use json format since this is for reporting
default['audit']['format'] = 'json'

# set profiles to empty array as default
default['audit']['profiles'] = [{
      'name' => 'linux',
      'compliance' => 'base/linux'
}]

Expected Result:

Chef-client runs should report 0/x resources updated at the end of the report handlers phase.

Actual Result:

I'm seeing 2 resources updated on each chef-client converge.

root@node:/tmp/vagrant-chef# chef-client -c client.rb
[2016-11-01T19:32:37+00:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.15.19
[2016-11-01T19:32:37+00:00] INFO: *** Chef 12.15.19 ***
[2016-11-01T19:32:37+00:00] INFO: Platform: x86_64-linux
[2016-11-01T19:32:37+00:00] INFO: Chef-client pid: 4712
[2016-11-01T19:32:39+00:00] INFO: Run List is [recipe[audit_wrapper]]
[2016-11-01T19:32:39+00:00] INFO: Run List expands to [audit_wrapper]
[2016-11-01T19:32:39+00:00] INFO: Starting Chef Run for node
[2016-11-01T19:32:39+00:00] INFO: Running start handlers
[2016-11-01T19:32:39+00:00] INFO: Start handlers complete.
[2016-11-01T19:32:39+00:00] INFO: HTTP Request Returned 404 Not Found:
resolving cookbooks for run list: ["audit_wrapper"]
[2016-11-01T19:32:39+00:00] INFO: Loading cookbooks [[email protected], [email protected], [email protected], [email protected]]
Synchronizing Cookbooks:
  - audit_wrapper (0.1.0)
  - audit (2.0.0)
  - compat_resource (12.16.1)
  - chef_handler (2.0.0)
Installing Cookbook Gems:
Compiling Cookbooks...
[2016-11-01T19:32:39+00:00] INFO: Chef Handlers will be located at: /var/chef/handlers
Recipe: chef_handler::default
  * remote_directory[/var/chef/handlers] action create
  Recipe: <Dynamically Defined Resource>
    * cookbook_file[/var/chef/handlers/README] action create (up to date)
     (up to date)
  Converging 5 resources
Recipe: chef_handler::default
  * remote_directory[/var/chef/handlers] action nothing (skipped due to action :nothing)
Recipe: audit::default
  * inspec[inspec] action install
    * chef_gem[inspec] action install (up to date)
    - install/update inspec[2016-11-01T19:32:39+00:00] WARN: Using inspec version: (1.2.0)

    - verifies the inspec version
    * chef_gem[inspec] action install (up to date)

  * directory[/var/chef/cache/handler] action create (up to date)
  * cookbook_file[/var/chef/cache/handler/audit_report.rb] action create (up to date)
  * chef_handler[Chef::Handler::AuditReport] action enable[2016-11-01T19:32:39+00:00] INFO: Disabling Chef::Handler::AuditReport as a report handler.

    - disable Chef::Handler::AuditReport as a report handler[2016-11-01T19:32:39+00:00] INFO: Disabling Chef::Handler::AuditReport as a exception handler.

    - disable Chef::Handler::AuditReport as a exception handler
    - load Chef::Handler::AuditReport from /var/chef/cache/handler/audit_report.rb[2016-11-01T19:32:39+00:00] INFO: Enabling Chef::Handler::AuditReport as a report handler.

    - enable chef_handler[Chef::Handler::AuditReport] as a report handler[2016-11-01T19:32:39+00:00] INFO: Enabling Chef::Handler::AuditReport as a exception handler.

    - enable chef_handler[Chef::Handler::AuditReport] as a exception handler
[2016-11-01T19:32:39+00:00] INFO: Chef Run complete in 0.674548823 seconds

Running handlers:
[2016-11-01T19:32:39+00:00] INFO: Running report handlers
[2016-11-01T19:32:39+00:00] WARN: Format is json-min
[2016-11-01T19:32:39+00:00] INFO: Initialize InSpec
[2016-11-01T19:32:39+00:00] INFO: Running tests from: [{:name=>"linux", :compliance=>"base/linux"}]
[2016-11-01T19:32:40+00:00] INFO: Reporting to chef-server
[2016-11-01T19:32:40+00:00] INFO: Control Profile: ["linux"]
[2016-11-01T19:32:40+00:00] INFO: Control Profil: linux
[2016-11-01T19:32:40+00:00] INFO: Compliance Profils: [{:owner=>"base", :profile_id=>"linux"}]
[2016-11-01T19:32:40+00:00] INFO: Report to Chef Server: https://chef-server.test/compliance/organizations/brewinc/inspec
  - Chef::Handler::AuditReport
Running handlers complete
[2016-11-01T19:32:40+00:00] INFO: Report handlers complete
Chef Client finished, 2/9 resources updated in 02 seconds
root@node:/tmp/vagrant-chef#

standalone Compliance report

We should allow direct reporting to Chef Compliance:

compliance_report 'chef-compliance' do
  type 'compliance'
  url 'http://mycompliance endpoint'
end

Add unit tests

#122 re-added support for compliance profile upload. This PR has not covered the unit tests, and we should add and enable them for the 2.0 release.

cookbook in master fails to converge

Cookbook version

master

Chef-client version

12.14.89

Platform Details

CentOS 6.6, kitchen vagrant
InSpec 1.2.0

Scenario:

Trying to converge using collector: 'chef-compliance'

Steps to Reproduce:

Point Berkshelf to master:

cookbook 'audit', github: 'chef-cookbooks/audit'

Expected Result:

Successful converge

Actual Result:

Failed converge

       Recipe: audit::default
         * audit_token[Compliance Token] action create[2016-10-14T09:50:54+00:00] INFO: Processing audit_token[Compliance Token] action create (audit::default line 30)
       [2016-10-14T09:50:54+00:00] INFO: Using refresh_token to exchange for an access token.

           - compliance server auth token setup
         * directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:54+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (audit::default line 48)
       [2016-10-14T09:50:54+00:00] INFO: directory[/tmp/kitchen/cache/compliance] created directory /tmp/kitchen/cache/compliance

           - create new directory /tmp/kitchen/cache/compliance
           - restore selinux security context
         * file[/tmp/kitchen/cache/compliance/ssh] action nothing[2016-10-14T09:50:54+00:00] INFO: Processing file[/tmp/kitchen/cache/compliance/ssh] action nothing (audit::default line 66)
        (skipped due to action :nothing)
         * audit_profile[ssh] action fetch[2016-10-14T09:50:54+00:00] INFO: Processing audit_profile[ssh] action fetch (audit::default line 71)

           - load required inspec modules
           * directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:54+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 41)
        (up to date)
           - create cache directory[2016-10-14T09:50:54+00:00] INFO: Fetch compliance profile base/ssh
       [2016-10-14T09:50:54+00:00] INFO: Load profile from: https://ap-cc6.opschef.tv/api/owners/base/compliance/ssh/tar

           - fetch compliance profile
           * directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:54+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 41)
        (up to date)

       [2016-10-14T09:50:54+00:00] INFO: audit_profile[ssh] sending touch action to file[/tmp/kitchen/cache/compliance/ssh] (immediate)
         * file[/tmp/kitchen/cache/compliance/ssh] action touch[2016-10-14T09:50:54+00:00] INFO: Processing file[/tmp/kitchen/cache/compliance/ssh] action touch (audit::default line 66)
       [2016-10-14T09:50:54+00:00] INFO: file[/tmp/kitchen/cache/compliance/ssh] created file /tmp/kitchen/cache/compliance/ssh

           - create new file /tmp/kitchen/cache/compliance/ssh
           - restore selinux security context[2016-10-14T09:50:54+00:00] INFO: file[/tmp/kitchen/cache/compliance/ssh] updated atime and mtime to 2016-10-14 09:50:54 +0000

           - update utime on file /tmp/kitchen/cache/compliance/ssh
         * audit_profile[ssh] action execute[2016-10-14T09:50:54+00:00] INFO: Processing audit_profile[ssh] action execute (audit::default line 71)

           - load required inspec modules
           * directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:54+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 103)
        (up to date)
           - create/verify cache directory[2016-10-14T09:50:54+00:00] INFO: Executing: /tmp/kitchen/cache/compliance/base_ssh.tgz

           - execute compliance profile
           * directory[/tmp/kitchen/cache/compliance] action create[2016-10-14T09:50:55+00:00] INFO: Processing directory[/tmp/kitchen/cache/compliance] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 103)
        (up to date)
           * file[/tmp/kitchen/cache/compliance/base_ssh_report.json] action create[2016-10-14T09:50:55+00:00] INFO: Processing file[/tmp/kitchen/cache/compliance/base_ssh_report.json] action create (/tmp/kitchen/cache/cookbooks/audit/resources/profile.rb line 131)
       [2016-10-14T09:50:55+00:00] INFO: file[/tmp/kitchen/cache/compliance/base_ssh_report.json] created file /tmp/kitchen/cache/compliance/base_ssh_report.json

             - create new file /tmp/kitchen/cache/compliance/base_ssh_report.json[2016-10-14T09:50:55+00:00] INFO: file[/tmp/kitchen/cache/compliance/base_ssh_report.json] updated file contents /tmp/kitchen/cache/compliance/base_ssh_report.json

             - update content in file /tmp/kitchen/cache/compliance/base_ssh_report.json from none to 4fa098
             - suppressed sensitive resource
             - restore selinux security context

       [2016-10-14T09:50:55+00:00] INFO: audit_profile[ssh] sending touch action to file[/tmp/kitchen/cache/compliance/ssh] (immediate)
         * file[/tmp/kitchen/cache/compliance/ssh] action touch[2016-10-14T09:50:55+00:00] INFO: Processing file[/tmp/kitchen/cache/compliance/ssh] action touch (audit::default line 66)
       [2016-10-14T09:50:55+00:00] INFO: file[/tmp/kitchen/cache/compliance/ssh] updated atime and mtime to 2016-10-14 09:50:55 +0000

           - update utime on file /tmp/kitchen/cache/compliance/ssh
         * audit_report[chef-compliance] action execute[2016-10-14T09:50:55+00:00] INFO: Processing audit_report[chef-compliance] action execute (audit::default line 84)


           ================================================================================
           Error executing action `execute` on resource 'audit_report[chef-compliance]'
           ================================================================================

           NameError
           ---------
           uninitialized constant Custom resource audit_report from cookbook audit::ComplianceProfile

           Cookbook Trace:
           ---------------
           /tmp/kitchen/cache/cookbooks/audit/resources/report.rb:93:in `block in profiles'
           /tmp/kitchen/cache/cookbooks/audit/resources/report.rb:92:in `profiles'
           /tmp/kitchen/cache/cookbooks/audit/resources/report.rb:24:in `block (2 levels) in class_from_file'
           /tmp/kitchen/cache/cookbooks/audit/resources/report.rb:23:in `block in class_from_file'

           Resource Declaration:
           ---------------------
           # In /tmp/kitchen/cache/cookbooks/audit/recipes/default.rb

            84: compliance_report report_collector do
            85:   owner node['audit']['owner']
            86:   server server
            87:   collector report_collector
            88:   quiet node['audit']['quiet'] unless node['audit']['quiet'].nil?
            89:   action :execute
            90: end if node['audit']['profiles'].values.any?

           Compiled Resource:
           ------------------
           # Declared in /tmp/kitchen/cache/cookbooks/audit/recipes/default.rb:84:in `from_file'

           audit_report("chef-compliance") do
             action [:execute]
             retries 0
             retry_delay 2
             default_guard_interpreter :default
             declared_type :compliance_report
             cookbook_name "audit"
             recipe_name "default"
             owner "admin"
             server "https://ap-cc6.opschef.tv/api/"
             collector "chef-compliance"
             quiet true
           end

           Platform:
           ---------
           x86_64-linux

       [2016-10-14T09:50:55+00:00] INFO: Running queued delayed notifications before re-raising exception

       Running handlers:
       [2016-10-14T09:50:55+00:00] ERROR: Running exception handlers
       Running handlers complete
       [2016-10-14T09:50:55+00:00] ERROR: Exception handlers complete
       Chef Client failed. 9 resources updated in 11 seconds
       [2016-10-14T09:50:55+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2016-10-14T09:50:55+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2016-10-14T09:50:55+00:00] ERROR: audit_report[chef-compliance] (audit::default line 84) had an error: NameError: uninitialized constant Custom resource audit_report from cookbook audit::ComplianceProfile
       [2016-10-14T09:50:55+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

audit cookbook usage in wrapper cookbook

Cookbook version

0.14.0

Scenario:

I want to use the audit cookbook in my wrapper cookbook.

Steps to Reproduce:

include_recipe 'audit::default'
node.default['audit']['collector'] = 'chef-visibility'

Expected Result:

InSpec reports are shipped to Chef Visibility.

Actual Result:

The audit cookbook tries to report to Chef Server. The problem is the Chef attribute system. A solution is to set the attribute before the recipe is included:

node.default['audit']['collector'] = 'chef-visibility'
include_recipe 'audit::default'

JSON file reporter

We should enable the audit cookbook to write JSON reports into a specific directory. By default the naming of a report should use the pattern {profilename}-{timestamp}.json

Support chef-client < 12.5.1

Cookbook version

latest

Chef-client version

< 12.5.1

Platform Details

all

Scenario:

Run the audit cookbook in chef-client < 12.5.1

Steps to Reproduce:

Run the audit cookbook as part of a converge run.

Expected Result:

audit cookbook works fine, even with older versions of the Chef Client

Actual Result:

use_automatic_resource_name is not supported

Support Visibility in Automate via Chef Server

Cookbook version

2.0

Scenario:

Customers use the latest version of Automate that allows users to send reports to the Visibility Data Collector API via Chef Server. This increases security, since all requests are signed now. The audit cookbook should support that scenario.

Solution

As discussed with @alexpop, there are two different endpoints that are used depending on the setup. We have the following flows:

  1. chef-client (with dc_token) —> chef-server(/data-collector/) —> chef-automate authenticates using dc_token from client
  2. chef-client —> chef-server(/organizations/ORG/data-collector) —> chef-automate authenticates using dc_token added by chef-server after verifying the client

The first flow is already implemented. We need to add support for the second flow.

  • /data-collector/ requires dc_token
  • /organizations/([^/]+)/data-collector requires chef signed headers
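
As an added example (not the audit cookbook's or Chef's own code), the following Ruby builds the request for each of the two flows above so the difference in what authenticates them is visible: flow 1 carries the shared dc_token in the x-data-collector-token header, flow 2 carries Chef signed headers (Mixlib::Authentication version 1.1: SHA-1 hashes of path, body and client name, canonical request RSA-encrypted with the client key, split into X-Ops-Authorization-N lines) that Chef Server verifies with the client's public key before adding its own dc_token. The org name brewinc comes from the log earlier on the page; the client name, token and key are constructed, and the function names are this example's own.

```ruby
# Added example (not the audit cookbook's own code): the two Automate report flows from
# the issue differ only in what authenticates the request that reaches Chef Server.
require 'openssl'
require 'base64'
require 'digest'
require 'time'

SHA1_B64 = ->(s) { Base64.strict_encode64(Digest::SHA1.digest(s)) }

# Flow 1: POST /data-collector/ authenticated by the shared data-collector token.
def dc_token_headers(dc_token)
  { 'Content-Type' => 'application/json',
    'x-data-collector-auth' => 'version=1.0',
    'x-data-collector-token' => dc_token }
end

# Mixlib::Authentication 1.1 canonical form of a request: path, body and client name
# are SHA-1 hashed and base64 encoded, then joined with the method and timestamp.
def canonical_request(method:, path:, body:, client_name:, timestamp:)
  canonical_path = path.gsub(%r{/+}, '/').chomp('/')
  canonical_path = '/' if canonical_path.empty?
  ["Method:#{method.upcase}",
   "Hashed Path:#{SHA1_B64.call(canonical_path)}",
   "X-Ops-Content-Hash:#{SHA1_B64.call(body)}",
   "X-Ops-Timestamp:#{timestamp}",
   "X-Ops-UserId:#{SHA1_B64.call(client_name)}"].join("\n")
end

# Flow 2: POST /organizations/ORG/data-collector with Chef signed headers. The canonical
# request is RSA-encrypted with the client's private key; the base64 result is split into
# 60-character X-Ops-Authorization-N headers.
def signed_headers(method:, path:, body:, client_name:, private_key:, timestamp: Time.now.utc)
  ts = timestamp.strftime('%Y-%m-%dT%H:%M:%SZ')
  canonical = canonical_request(method: method, path: path, body: body, client_name: client_name, timestamp: ts)
  signature = Base64.strict_encode64(private_key.private_encrypt(canonical))
  headers = { 'Content-Type' => 'application/json',
              'X-Ops-Sign' => 'algorithm=sha1;version=1.1;',
              'X-Ops-Userid' => client_name,
              'X-Ops-Timestamp' => ts,
              'X-Ops-Content-Hash' => SHA1_B64.call(body) }
  signature.scan(/.{1,60}/).each_with_index { |line, i| headers["X-Ops-Authorization-#{i + 1}"] = line }
  headers
end

# What Chef Server checks in flow 2 before adding its own dc_token and forwarding: rebuild
# the canonical request from the headers and compare it with the signature decrypted by
# the client's registered public key. True only if the signature matches and the body
# hash is unchanged; any malformed or foreign signature yields false.
def verify_signed_headers(headers, method:, path:, body:, public_key:)
  auth_keys = headers.keys.grep(/\AX-Ops-Authorization-\d+\z/).sort_by { |k| k[/\d+\z/].to_i }
  signature = Base64.strict_decode64(auth_keys.map { |k| headers[k] }.join)
  expected = canonical_request(method: method, path: path, body: body,
                               client_name: headers['X-Ops-Userid'], timestamp: headers['X-Ops-Timestamp'])
  return false unless headers['X-Ops-Content-Hash'] == SHA1_B64.call(body)

  public_key.public_decrypt(signature) == expected
rescue OpenSSL::PKey::RSAError, ArgumentError
  false
end

# Builds [path, headers] for either flow. Org name from the page; client name is constructed.
def report_request(flow, body, org: 'brewinc', client_name: 'node.example', private_key: nil, dc_token: nil)
  case flow
  when :dc_token
    ['/data-collector/', dc_token_headers(dc_token)]
  when :signed
    path = "/organizations/#{org}/data-collector"
    [path, signed_headers(method: 'POST', path: path, body: body, client_name: client_name, private_key: private_key)]
  else
    raise ArgumentError, "unknown flow #{flow}"
  end
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.generate(2048) # constructed client key, not a real node's
  body = '{"message_type":"inspec_report"}'  # constructed minimal report body
  path, headers = report_request(:signed, body, private_key: key)
  puts "#{path}: #{headers.keys.grep(/Authorization/).size} signature header lines"
  puts "verified: #{verify_signed_headers(headers, method: 'POST', path: path, body: body, public_key: key.public_key)}"
end
```

The point for the second flow is that a report can only be attributed to a client whose registered key produced the signature, and a modified body fails the X-Ops-Content-Hash check; in the first flow any holder of the shared dc_token can submit a report as any node.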

403 Forbidden

I configured my Chef Server and Chef Compliance instances for integration. When I attempt to run an audit cookbook this is the error message I am getting:


    ================================================================================
    Error executing action `fetch` on resource 'compliance_profile[linux]'
    ================================================================================

    Net::HTTPServerException
    ------------------------
    403 "Forbidden"

    Cookbook Trace:
    ---------------
    /var/chef/cache/cookbooks/audit/libraries/server_api.rb:23:in `binmode_streaming_request'
    /var/chef/cache/cookbooks/audit/libraries/profile.rb:55:in `block (2 levels) in <class:ComplianceProfile>'
    /var/chef/cache/cookbooks/audit/libraries/profile.rb:46:in `block in <class:ComplianceProfile>'

    Resource Declaration:
    ---------------------
    # In /var/chef/cache/cookbooks/audit/recipes/default.rb

     25:   compliance_profile p do
     26:     owner o
     27:     action [:fetch, :execute]
     28:   end
     29: end

    Compiled Resource:
    ------------------
    # Declared in /var/chef/cache/cookbooks/audit/recipes/default.rb:25:in `block in from_file'

    compliance_profile("linux") do
      action [:fetch, :execute]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      declared_type :compliance_profile
      cookbook_name "audit"
      recipe_name "default"
      owner "base"
      profile "linux"
    end


Running handlers:
[2016-04-08T16:13:15-07:00] ERROR: Running exception handlers
Running handlers complete
[2016-04-08T16:13:15-07:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 05 seconds
[2016-04-08T16:13:15-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2016-04-08T16:13:15-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-04-08T16:13:15-07:00] ERROR: compliance_profile[linux] (audit::default line 25) had an error: Net::HTTPServerException: 403 "Forbidden"
[2016-04-08T16:13:15-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Both servers are able to access each other over 443.

Modify wording of `ERROR: Please take a look at your interval settings`

Issue

When running this cookbook for the first time and specifying an interval, the user is presented with this error:

Chef::Log.error 'Please take a look at your interval settings'

This may lead the user to believe that something is configured incorrectly. However, they may be getting this error because this returned false:

seconds_since_last_run > interval

Possible Solution

Could we modify this error to be a warning and say something similar to:

Chef::Log.warn 'Audit run skipped due to interval configuration'
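An added example (not the cookbook's own code) of how such an interval check can report a skipped run as a warning rather than an error. It assumes the last-run timestamp is the mtime of a touch file named after the profile inside the compliance cache directory, and that the interval attribute is given in minutes.

```ruby
require 'fileutils'
require 'tmpdir'

# Decide whether a profile is due to run again (hypothetical helper, modelled on
# the interval check discussed above). Assumption: the "last run" marker is a
# touch file named after the profile inside the compliance cache directory.
#
# Returns [due?, message]. The caller logs the message as a WARN when the run
# is skipped, instead of an ERROR that suggests a misconfiguration.
def profile_overdue_to_run?(profile, interval_seconds, cache_dir, now: Time.now)
  marker = File.join(cache_dir, profile)
  return [true, "No previous run recorded for #{profile}, running audit"] unless File.exist?(marker)

  seconds_since_last_run = now - File.mtime(marker)
  if seconds_since_last_run > interval_seconds
    [true, "Audit interval for #{profile} elapsed " \
           "(#{seconds_since_last_run.round}s since last run > #{interval_seconds}s)"]
  else
    [false, "Audit run for #{profile} skipped due to interval configuration " \
            "(#{seconds_since_last_run.round}s since last run, interval is #{interval_seconds}s)"]
  end
end

# Record that the profile was just run; this is the equivalent of the recipe's
# `notifies :touch` on the marker file. `at:` lets callers backdate the marker.
def mark_profile_run(profile, cache_dir, at: Time.now)
  FileUtils.mkdir_p(cache_dir)
  marker = File.join(cache_dir, profile)
  FileUtils.touch(marker)
  File.utime(at, at, marker)
  marker
end

# node['audit']['interval']['time'] is expressed in minutes (1440 = once a day).
def interval_seconds_from_minutes(minutes)
  minutes * 60
end

# Self-check against a constructed, temporary cache directory.
def demo
  Dir.mktmpdir('compliance') do |dir|
    interval = interval_seconds_from_minutes(1440)

    first_due, msg = profile_overdue_to_run?('ssh', interval, dir)
    puts "WARN: #{msg}"                 # no marker yet: the audit runs

    mark_profile_run('ssh', dir)
    second_due, msg = profile_overdue_to_run?('ssh', interval, dir)
    puts "WARN: #{msg}"                 # just ran: skipped, but not an error

    [first_due, second_due]
  end
end

demo if $PROGRAM_NAME == __FILE__
```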

Cannot run profiles from Supermarket

Cookbook version

2.0.0

Chef-client version

12.15.19

Platform Details

ubuntu 14.04

Scenario:

Cannot run Supermarket profiles

Steps to Reproduce:

Use a wrapper cookbook and set your attributes to this:

default['audit']['inspec_version'] = '1.2.0'

# collector possible values: chef-server, chef-compliance, chef-visibility, json-file
# chef-visibility requires inspec version 0.27.1 or above
default['audit']['collector'] = 'chef-server'

# Attributes server, insecure and token/refresh_token are only needed for the 'chef-compliance' collector
# server format example: 'https://comp-server.example.com/api'
default['audit']['server'] = nil

# choose between the permanent refresh_token or ephemeral token(access_token). Needed only for the 'chef-compliance' collector
default['audit']['refresh_token'] = nil

# the token(access_token) expires in 12h after creation
default['audit']['token'] = nil

# set this insecure attribute to true if the compliance server / chef server uses self-signed ssl certificates
default['audit']['insecure'] = nil

# Chef Compliance organization to post the report to. Defaults to Chef Server org if not defined
# needed for the 'chef-compliance' collector, optional for 'chef-server' collector
default['audit']['owner'] = nil

# raise exception if Compliance API endpoint is unreachable
# while fetching profiles or posting report
default['audit']['raise_if_unreachable'] = true

# fail converge if downloaded profile is not present
default['audit']['fail_if_not_present'] = false

# by default run audit every time
default['audit']['interval']['enabled'] = false

# by default run compliance once a day
default['audit']['interval']['time'] = 1440

# quiet mode, on by default because this is testing, resources aren't converged in the normal chef sense
default['audit']['quiet'] = true

# overwrite existing profile in upload mode
default['audit']['overwrite'] = true

# use json format since this is for reporting
default['audit']['format'] = 'json'

# set profiles to empty array as default
default['audit']['profiles'] = [
    {
      "name" => "ssh-hardening",
      "supermarket" => "hardening/ssh-hardening"
    }
]

Expected Result:

Execute and report on Supermarket profile

Actual Result:

Stacktrace:

root@node:/tmp/vagrant-chef# chef-client -c client.rb
[2016-11-01T20:31:26+00:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.15.19
[2016-11-01T20:31:26+00:00] INFO: *** Chef 12.15.19 ***
[2016-11-01T20:31:26+00:00] INFO: Platform: x86_64-linux
[2016-11-01T20:31:26+00:00] INFO: Chef-client pid: 14557
[2016-11-01T20:31:27+00:00] INFO: Run List is [recipe[audit_wrapper]]
[2016-11-01T20:31:27+00:00] INFO: Run List expands to [audit_wrapper]
[2016-11-01T20:31:27+00:00] INFO: Starting Chef Run for node
[2016-11-01T20:31:27+00:00] INFO: Running start handlers
[2016-11-01T20:31:27+00:00] INFO: Start handlers complete.
[2016-11-01T20:31:27+00:00] INFO: HTTP Request Returned 404 Not Found:
resolving cookbooks for run list: ["audit_wrapper"]
[2016-11-01T20:31:27+00:00] INFO: Loading cookbooks [[email protected], [email protected], [email protected], [email protected]]
Synchronizing Cookbooks:
  - audit (2.0.0)
  - chef_handler (2.0.0)
  - compat_resource (12.16.1)
[2016-11-01T20:31:27+00:00] INFO: Storing updated cookbooks/audit_wrapper/attributes/default.rb in the cache.
  - audit_wrapper (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
[2016-11-01T20:31:27+00:00] INFO: Chef Handlers will be located at: /var/chef/handlers
Recipe: chef_handler::default
  * remote_directory[/var/chef/handlers] action create
  Recipe: <Dynamically Defined Resource>
    * cookbook_file[/var/chef/handlers/README] action create (up to date)
     (up to date)
  Converging 5 resources
Recipe: chef_handler::default
  * remote_directory[/var/chef/handlers] action nothing (skipped due to action :nothing)
Recipe: audit::default
  * inspec[inspec] action install
    * chef_gem[inspec] action install (up to date)
    - install/update inspec[2016-11-01T20:31:28+00:00] WARN: Using inspec version: (1.2.0)

    - verifies the inspec version
    * chef_gem[inspec] action install (up to date)

  * directory[/var/chef/cache/handler] action create (up to date)
  * cookbook_file[/var/chef/cache/handler/audit_report.rb] action create (up to date)
  * chef_handler[Chef::Handler::AuditReport] action enable[2016-11-01T20:31:28+00:00] INFO: Disabling Chef::Handler::AuditReport as a report handler.

    - disable Chef::Handler::AuditReport as a report handler[2016-11-01T20:31:28+00:00] INFO: Disabling Chef::Handler::AuditReport as a exception handler.

    - disable Chef::Handler::AuditReport as a exception handler
    - load Chef::Handler::AuditReport from /var/chef/cache/handler/audit_report.rb[2016-11-01T20:31:28+00:00] INFO: Enabling Chef::Handler::AuditReport as a report handler.

    - enable chef_handler[Chef::Handler::AuditReport] as a report handler[2016-11-01T20:31:28+00:00] INFO: Enabling Chef::Handler::AuditReport as a exception handler.

    - enable chef_handler[Chef::Handler::AuditReport] as a exception handler
[2016-11-01T20:31:28+00:00] INFO: Chef Run complete in 0.716410089 seconds

Running handlers:
[2016-11-01T20:31:28+00:00] INFO: Running report handlers
[2016-11-01T20:31:28+00:00] WARN: Format is json-min
[2016-11-01T20:31:28+00:00] INFO: Initialize InSpec
[2016-11-01T20:31:29+00:00] WARN: URL target https://github.com/dev-sec/tests-ssh-hardening transformed to https://github.com/dev-sec/tests-ssh-hardening/archive/master.tar.gz. Consider using the git fetcher
[2016-11-01T20:31:29+00:00] INFO: Running tests from: [{:name=>"ssh-hardening", :supermarket=>"hardening/ssh-hardening"}]
[2016-11-01T20:31:30+00:00] INFO: Reporting to chef-server
[2016-11-01T20:31:30+00:00] INFO: Control Profile: ["ssh-hardening"]
[2016-11-01T20:31:30+00:00] INFO: Control Profil: ssh-hardening
[2016-11-01T20:31:30+00:00] INFO: Compliance Profils: []
[2016-11-01T20:31:30+00:00] ERROR: Report handler Chef::Handler::AuditReport raised #<NoMethodError: undefined method `[]' for nil:NilClass>
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/cookbooks/audit/libraries/collector_classes.rb:243:in `block in enriched_report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/cookbooks/audit/libraries/collector_classes.rb:238:in `each'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/cookbooks/audit/libraries/collector_classes.rb:238:in `enriched_report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/cookbooks/audit/libraries/collector_classes.rb:273:in `send_report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/handler/audit_report.rb:155:in `send_report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/handler/audit_report.rb:46:in `block in report'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/handler/audit_report.rb:33:in `each'
[2016-11-01T20:31:30+00:00] ERROR: /var/chef/cache/handler/audit_report.rb:33:in `report'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:259:in `run_report_unsafe'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:247:in `run_report_safely'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:125:in `block in run_report_handlers'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:123:in `each'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:123:in `run_report_handlers'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/handler.rb:135:in `block in <class:Handler>'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:440:in `block in run_completed_successfully'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:439:in `each'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:439:in `run_completed_successfully'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:298:in `run'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:302:in `block in fork_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:255:in `block in run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/local_mode.rb:44:in `with_server_connectivity'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:243:in `run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:464:in `sleep_then_run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:451:in `block in interval_run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `loop'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `interval_run_chef_client'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:434:in `run_application'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:60:in `run'
[2016-11-01T20:31:30+00:00] ERROR: /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/bin/chef-client:26:in `<top (required)>'
[2016-11-01T20:31:30+00:00] ERROR: /usr/bin/chef-client:54:in `load'
[2016-11-01T20:31:30+00:00] ERROR: /usr/bin/chef-client:54:in `<main>'
  - Chef::Handler::AuditReport
Running handlers complete
[2016-11-01T20:31:30+00:00] INFO: Report handlers complete
Chef Client finished, 2/9 resources updated in 04 seconds
root@node:/tmp/vagrant-chef#

Reports are not displayed in Chef Compliance

Cookbook version

0.8.0

Chef-client version

no client

Platform Details

MacOS 10.11.4

Scenario:

I want to see the reports of the audit cookbook run in Chef Compliance.

Steps to Reproduce:

Just run the audit cookbook and see if the reports are generated in Chef Compliance (Compliance only, no Chef Server)

Expected Result:

List of reports

Actual Result:

The path is misconfigured in the helper.rb when report.rb calls the construct_url method.

#<URI::HTTPS:0x00000005076318 URL:https://172.28.128.4/api/owners/base/compliance/windows/tarowners/cjohannsen/inspec>

That's because the server.value is still set from the profile.rb run.

Provide gem_source attribute for fetching any required gems

Right now the source for where we fetch the inspec gem is hardcoded to rubygems.org. Some customers cannot access rubygems.org due to network restrictions. We should provide a gem_source attribute to override the source. The chef-vault cookbook provides this override as well...

https://github.com/chef-cookbooks/chef-vault

default['chef-vault']['gem_source'] = nil

chef_gem 'chef-vault' do # ~FC009
  source node['chef-vault']['gem_source']
  version node['chef-vault']['version']
  clear_sources true unless node['chef-vault']['gem_source'].nil?
  compile_time true
end

profile scan is reported every chef-client run even if compliance_profile resource wasn't executed

Cookbook version

0.14.4

Chef-client version

Chef: 12.14.89

Platform Details

Ubuntu 14.04

Scenario:

After working around issue #101 the audit cookbook properly fetches and executes compliance profiles according to the interval set in attributes. However, even when the compliance_profile resource does not get executed because of the interval the compliance_report resource still reports the results of the profile using the report results from previous chef-client runs that get cached in /var/chef/cache/compliance.

Here is the code that reads the cached report.

https://github.com/chef-cookbooks/audit/blob/v0.14.4/libraries/report.rb#L85

Seems like a possible solution would be to delete cached reports at the beginning of the audit recipe. Doing it at the beginning seems safer than at the end because if the chef-client run should fail somehow the cached files could accidentally remain in place for the next chef-client run

Steps to Reproduce:

Use the workaround in issue #101 to get interval settings to work properly.

Then use the following attributes in the audit wrapper cookbook.

default['audit']['profiles']['base/ssh'] = true
default['audit']['interval']['enabled'] = true
default['audit']['interval']['time'] = 2

Then run chef-client twice (one run right after the other) with this wrapper cookbook in the run list.

Expected Result:

Cached profile reports from previous chef-client runs should not get accidentally sent to the server.

Actual Result:

As you can see below the fetch and execute action for the ssh compliance profile was skipped but its cached report was still read, summarized in this output and posted to the server.

  * compliance_profile[ssh] action fetch[2016-09-29T11:13:08+00:00] INFO: Processing compliance_profile[ssh] action fetch (audit::default line 78)
 (skipped due to only_if)
  * compliance_profile[ssh] action execute[2016-09-29T11:13:08+00:00] INFO: Processing compliance_profile[ssh] action execute (audit::default line 78)
 (skipped due to only_if)
  * compliance_report[chef-server] action execute[2016-09-29T11:13:08+00:00] INFO: Processing compliance_report[chef-server] action execute (audit::default line 93)
[2016-09-29T11:13:08+00:00] INFO: Summary for ssh {"duration":0.162846326,"example_count":69,"failure_count":44,"skip_count":0}
[2016-09-29T11:13:08+00:00] INFO: Report to Chef Server: https://chef.lxc/compliance/organizations/demo/inspec

Workaround

Putting the following in my audit wrapper cookbook's default.rb recipe worked for me. It deletes the reports before including the audit cookbook.

compliance_cache_directory = ::File.join(Chef::Config[:file_cache_path], 'compliance')
Dir.glob(File.join(compliance_cache_directory, '*report.json')).each do |f|
  file f do
    action :delete
  end
end

include_recipe 'audit'

Gzip error executing on windows host

Cookbook version

'audit', '~> 0.14.4'

Chef-client version

12.13.37

Platform Details

MS Windows 2012 R2

Scenario:

Simply running the audit cookbook in a recipe.

Steps to Reproduce:

nothing fancy, running the cookbook with the below attributes:

default['audit']['server'] = 'https://servername/api'
default['audit']['collector'] = 'chef-compliance'
default['audit']['token'] = 'token_here'
default['audit']['owner'] = 'owner'
default['audit']['quiet'] = true
default['audit']['profiles']['base/windows'] = true

Expected Result:

Cookbook to run compliance against the node with the base/windows compliance profile.

Actual Result:

Error below:
[2016-09-13T11:24:33+01:00] INFO: Executing: c:/chef/cache/compliance/base_windows.tgz

================================================================================
Error executing action `execute` on resource 'compliance_profile[windows]'

Zlib::GzipFile::Error


not in gzip format

Cookbook Trace:


c:/chef/cache/cookbooks/audit/libraries/profile.rb:128:in `block (2 levels) in <class:ComplianceProfile>'
c:/chef/cache/cookbooks/audit/libraries/profile.rb:111:in `block in <class:ComplianceProfile>'

Resource Declaration:


In c:/chef/cache/cookbooks/audit/recipes/default.rb

78: compliance_profile p do
79: owner o
80: formatter formatter
81: server server
82: token lazy { node['audit']['token'] }
83: insecure node['audit']['insecure'] unless node['audit']['insecure'].nil?
84: path path unless path.nil?
85: quiet node['audit']['quiet'] unless node['audit']['quiet'].nil?
86: only_if { profile_overdue_to_run?(p, interval_seconds) }
87: action [:fetch, :execute]
88: notifies :touch, "file[#{compliance_cache_directory}/#{p}]", :immediately
89: end
90: end

Compiled Resource:


Declared in c:/chef/cache/cookbooks/audit/recipes/default.rb:78:in `block in from_file'

compliance_profile("windows") do
action [:fetch, :execute]
updated true
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :compliance_profile
cookbook_name "audit"
recipe_name "default"
owner "base"
formatter "json-min"
server "https://servername.domainname.com/api/"
token #<Chef::DelayedEvaluator:0x0000000526fcf0@c:/chef/cache/cookbooks/audit/recipes/default.rb:82>
quiet true
profile "windows"
only_if { #code block }
end

Platform:


x64-mingw32

[2016-09-13T11:24:34+01:00] INFO: Running queued delayed notifications before re-raising exception
[2016-09-13T11:24:34+01:00] ERROR: Running exception handlers
[2016-09-13T11:24:34+01:00] ERROR: Exception handlers complete
[2016-09-13T11:24:34+01:00] INFO: Sending resource update report (run-id: d940188d-1693-46df-b5e8-184adf24092f)
[2016-09-13T11:24:34+01:00] FATAL: Stacktrace dumped to c:/chef/cache/chef-stacktrace.out
[2016-09-13T11:24:34+01:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-09-13T11:24:34+01:00] FATAL: Zlib::GzipFile::Error: compliance_profile[windows](audit::default line 78) had an error: Zlib::GzipFile::Error: not in gzip format
ERROR: Failed to execute command on return code 1

Implement RFC: Harmonize profile location targets

Cookbook version

2.x

Scenario:

It should be easy for customers to copy profile locations from inspec.yml to chef attributes. In inspec/inspec#1227 we defined the target format for the audit cookbook. We change from

"profiles" => {
    # org / profile name from Chef Compliance
    "base/linux" => true,
    # supermarket url
    "brewinc/ssh-hardening" => {
      # location where inspec will fetch the profile from
      "source" => "supermarket://hardening/ssh-hardening"
    },
    # local Windows path
    "brewinc/win2012_audit" => {
      # filesystem path
      "source" => "E:/profiles/win2012_audit"
    },
    # github url
    "brewinc/tmp_compliance_profile" => {
      "source" => "https://github.com/nathenharvey/tmp_compliance_profile"
    },
    # disable profile
    "brewinc/tmp_compliance_profile-master" => {
      "source" => "/tmp/tmp_compliance_profile-master",
      "disabled" => true
    }
  }

to

{
  "profiles": [
    {
      "name": "hardening/ssh-hardening"
    },
    {
      "name": "os-hardening",
      "url": "https://github.com/dev-sec/tests-os-hardening/archive/master.zip"
    },
    {
      "git": "https://github.com/dev-sec/tests-ssh-hardening.git"
    },
    {
      "git": "https://github.com/dev-sec/tests-os-hardening.git"
    }
  ]
}

Scan reports showing up as "Skipped" in the Compliance server UI

Cookbook version

0.7.1

Chef-client version

12.10.24

Platform Details

Linux node 4.2.0-34-generic #39~14.04.1-Ubuntu SMP Fri Mar 11 11:38:02 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Scenario:

Converging a node with the audit cookbook in the run_list should report the results back to the Compliance server via the Chef server chef_gate. The reports are coming into the Compliance server but show up as "Skipped".

Steps to Reproduce:

Install Compliance 1.2.3.
Install Compliance/Chef server integration (chef_gate)
Add version 0.7.1 version of the audit cookbook to a node's run_list with the following attributes:

default['audit']['server'] = nil
default['audit']['token'] = nil
default['audit']['variant'] = 'chef'
default['audit']['owner'] = nil
default['audit']['profiles'] = {
  'base/linux' => true,
  'base/apache' => true,
  'base/postgres' => true,
  'base/ssh' => true,
}

# raise exception if Compliance API endpoint is unreachable
# while fetching profiles or posting report
default['audit']['raise_if_unreachable'] = false

# fail converge if downloaded profile is not present
default['audit']['fail_if_not_present'] = false

# fail converge after posting report if any audits have failed
default['audit']['fail_if_any_audits_failed'] = false

# inspec gem version to install(e.g. '0.22.0') or 'latest'
default['audit']['inspec_version'] = '0.22.0'

Verify the inspec version on the client node:

vagrant@node:~$ sudo /opt/chef/embedded/bin/gem list inspec

*** LOCAL GEMS ***

debug_inspector (0.0.2)
inspec (0.22.0)
vagrant@node:~$ /opt/chef/embedded/bin/inspec version
0.22.0
vagrant@node:~$

Expected Result:

Expect to see the results of the inspec scan on the Reports page of the Compliance UI.

Actual Result:

The scan reports show up as "Skipped"
From the Compliance server logs:

==> /var/log/chef-compliance/core/current <==
2016-05-18_13:27:43.28756 13:27:43.287 ERR => Authentication: %!(EXTRA *errors.errorString=missing Authorization header)
2016-05-18_13:27:43.29689 13:27:43.296 DEB => owner: &shared.Owner{PasswordHash:"", Login:"brewinc", Name:"brewinc", IsOrg:true, Source:sql.NullString{String:"8e842a4c-50ee-44de-7e49-c1651e754ee6", Valid:true}, UUID:uuid.UUID{ID:"718957c7-be56-47c6-42a7-8adf369266a1"}}
2016-05-18_13:27:43.29756 13:27:43.297 ERR => DB error: sql: no rows in result set
2016-05-18_13:27:43.29939 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / linux
2016-05-18_13:27:43.29945 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29949 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/linux
2016-05-18_13:27:43.29954 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / apache
2016-05-18_13:27:43.29955 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29956 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/apache
2016-05-18_13:27:43.29957 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / postgres
2016-05-18_13:27:43.29958 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29960 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/postgres
2016-05-18_13:27:43.29961 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / ssh
2016-05-18_13:27:43.29964 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29967 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/ssh
2016-05-18_13:27:43.29977 13:27:43.299 INF => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] scan result | 0 | 0 | 0 | 0 | 0 | packages | 0 | 0 | 0 | 0 | 0 |
2016-05-18_13:27:43.30847 13:27:43.308 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] db updated
2016-05-18_13:27:43.30859 [GIN] 2016/05/18 - 13:27:43 | 201 |   21.103202ms | 192.168.33.101 |   POST    /chef/organizations/brewinc/inspec

==> /var/log/chef-compliance/nginx/compliance.access.log <==
192.168.33.101 - - [18/May/2016:13:27:43 +0000] "POST /api/chef/organizations/brewinc/inspec HTTP/1.0" 201 46 "-" "Chef Client/12.10.24 (ruby-2.1.8-p440; ohai-8.15.1; x86_64-linux; +https://chef.io)"

From the chef client node running the converge and inspec scan:

...
rspec  # SSH Configuration HostbasedAuthentication should eq "no"
rspec  # SSH Configuration RhostsRSAAuthentication should eq "no"
rspec  # SSH Configuration RSAAuthentication should eq "yes"
rspec  # SSH Configuration PasswordAuthentication should eq "no"
rspec  # SSH Configuration Tunnel should eq "no"
rspec  # SSH Configuration PermitLocalCommand should eq "no"
rspec  # File /etc/ssh should not be readable by others


    - execute compliance profile
    * chef_gem[inspec] action install (up to date)
    * file[/var/chef/cache/compliance/base_ssh_report.json] action create[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] backed up to /var/chef/backup/var/chef/cache/compliance/base_ssh_report.json.chef-20160518135835.672152
[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] removed backup at /var/chef/backup/var/chef/cache/compliance/base_ssh_report.json.chef-20160518132021.138557
[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] updated file contents /var/chef/cache/compliance/base_ssh_report.json

      - update content in file /var/chef/cache/compliance/base_ssh_report.json from e8399a to 133cd2
      - suppressed sensitive resource

  * compliance_report[chef-server] action execute
    - report compliance profiles' results
[2016-05-18T13:58:35+00:00] INFO: Chef Run complete in 3.00964474 seconds

Running handlers:
[2016-05-18T13:58:35+00:00] INFO: Running report handlers
Running handlers complete
[2016-05-18T13:58:35+00:00] INFO: Report handlers complete
Chef Client finished, 13/37 resources updated in 04 seconds
root@node:~#

Compliance Profile inheritance does not work with audit cookbook

Cookbook version

0.6.0

Chef-client version

12.9.41

Platform Details

RHEL 7.2

Scenario:

Attempting to run an audit profile that inherits another profile on the compliance server

Steps to Reproduce:

Run the audit cookbook with a compliance policy that is inherited

Expected Result:

Audit cookbook passes

Actual Result:

  * compliance_profile[cis-rhel7-level1-lite] action execute
    * chef_gem[inspec] action install (up to date)
[2016-05-04T11:33:00-04:00] WARN: Using inspec version: (0.20.1)
    - install/update inspec
================================================================================
Error executing action `execute` on resource 'compliance_profile[cis-rhel7-level1-lite]'
================================================================================

RuntimeError
------------
You must supply a --profiles-path to inherit from other profiles.

Cookbook Trace:
---------------
/var/chef/cache/cookbooks/audit/libraries/profile.rb:111:in `block (2 levels) in <class:ComplianceProfile>'
/var/chef/cache/cookbooks/audit/libraries/profile.rb:94:in `block in <class:ComplianceProfile>'

Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/audit/recipes/default.rb

 30:   compliance_profile p do
 31:     owner o
 32:     server server
 33:     token token
 34:     inspec_version node['audit']['inspec_version']
 35:     action [:fetch, :execute]
 36:   end
 37: end

Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/audit/recipes/default.rb:30:in `block in from_file'

compliance_profile("cis-rhel7-level1-lite") do
  action [:fetch, :execute]
  updated true
  retries 0
  retry_delay 2
  default_guard_interpreter :default
  declared_type :compliance_profile
  cookbook_name "audit"
  recipe_name "default"
  owner "thomasrgcheforg"
  inspec_version "latest"
  profile "cis-rhel7-level1-lite"
end

Platform:
---------
x86_64-linux


Add Chef Server authentication support

Cookbook version

2.0.0

Implementation

In order to address those issues and harmonize the implementation between the audit cookbook and InSpec, we need to write an InSpec fetcher for Chef Server (to have Chef Server authentication). This implicitly removes the need to download profiles manually before execution and also removes the need to aggregate the reports, since InSpec is already doing that out-of-the-box.

Report to Chef Compliance directly

Cookbook version

0.8.0

Scenario:

Users want to use an API token for Chef Compliance and report to Compliance directly instead of sending the data via the Chef Server.

Features missing from 2.0.0

Cookbook version

2.0.0

Chef-client version

any

Platform Details

any

Info:

These capabilities are removed from 2.0.0. What is the consensus on re-adding them?

  • upload profiles to Compliance server
  • report via Chef Server #129
  • report to Compliance Server
  • interval reports

chef-client audit-mode exception when the audit cookbook is used

Cookbook version

audit 0.5.0

Chef-client version

12.5.1, 12.9.38

Platform Details

CentOS 6

Steps to Reproduce:

Run chef-client in audit mode with the audit::default in the runlist. The failure is not impacting in any way the chef-client run.

[root@vagrant-local-linux ~]# chef-client --audit-mode enabled
Starting Chef Client, version 12.5.1
resolving cookbooks for run list: ["audit::default"]
Synchronizing Cookbooks:
  - audit (0.5.0)
Compiling Cookbooks...
Converging 2 resources
Recipe: audit::default
  * compliance_profile[mylinux] action fetch
    * chef_gem[inspec] action install (up to date)
[2016-04-26T18:13:30+00:00] WARN: Using inspec version: (0.19.3)
    - install/update inspec
    * directory[/var/chef/cache/compliance] action create (up to date)
    - fetch compliance profile
    * chef_gem[inspec] action install (up to date)
    * directory[/var/chef/cache/compliance] action create (up to date)

  * compliance_profile[mylinux] action execute
    * chef_gem[inspec] action install (up to date)
[2016-04-26T18:13:30+00:00] WARN: Using inspec version: (0.19.3)
    - install/update inspec..F

Failures:

  1) Service iptables should be running
     Failure/Error: Unable to find admin/mylinux/controls/services_spec.rb to read failed line
       expected that `Service iptables` is running
     # admin/mylinux/controls/services_spec.rb:12:in `block (3 levels) in load'
     # /var/chef/cache/cookbooks/audit/libraries/profile.rb:112:in `block (2 levels) in <class:ComplianceProfile>'
     # /var/chef/cache/cookbooks/audit/libraries/profile.rb:93:in `block in <class:ComplianceProfile>'

Finished in 0.09885 seconds (files took 0.78511 seconds to load)
3 examples, 1 failure

Failed examples:

rspec  # Service iptables should be running


    - execute compliance profile
    * chef_gem[inspec] action install (up to date)
    * file[/var/chef/cache/compliance/admin_mylinux_report.json] action create
      - update content in file /var/chef/cache/compliance/admin_mylinux_report.json from 6f5303 to de6456
      - suppressed sensitive resource
      - restore selinux security context

  * compliance_report[chef-server] action execute
    - report compliance profiles' results
Starting audit phase
RSpec's reporter has already been initialized with #<IO:<STDOUT>> as the output stream, so your change to `output_stream` will be ignored. You should configure it earlier for it to take effect. (Called from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/runner.rb:120:in `set_streams')

[2016-04-26T18:13:31+00:00] ERROR: Audit phase failed with error message: undefined method `split' for nil:NilClass


Audit phase exception:
  undefined method `split' for nil:NilClass
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/audit_event_proxy.rb:63:in `build_control_from'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/audit_event_proxy.rb:48:in `block in stop'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/audit_event_proxy.rb:47:in `each'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/audit_event_proxy.rb:47:in `stop'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:184:in `block in notify'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:183:in `each'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:183:in `notify'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:178:in `stop'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:152:in `block in finish'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:170:in `close_after'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:151:in `finish'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/reporter.rb:79:in `report'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/rspec-core-3.3.2/lib/rspec/core/runner.rb:113:in `run_specs'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/runner.rb:189:in `do_run'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/audit/runner.rb:35:in `run'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/client.rb:721:in `run_audits'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/client.rb:276:in `run'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:270:in `block in fork_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:258:in `fork'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:258:in `fork_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:224:in `block in run_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/local_mode.rb:44:in `with_server_connectivity'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:212:in `run_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application/client.rb:408:in `block in interval_run_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application/client.rb:398:in `loop'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application/client.rb:398:in `interval_run_chef_client'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application/client.rb:388:in `run_application'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/lib/chef/application.rb:60:in `run'
  /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.5.1/bin/chef-client:26:in `<top (required)>'
  /usr/bin/chef-client:54:in `load'
  /usr/bin/chef-client:54:in `<main>'

  Running handlers:
  Running handlers complete
  Chef Client finished, 4/10 resources updated in 05 seconds
[2016-04-26T18:13:31+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2016-04-26T18:13:31+00:00] ERROR: Found 1 errors, they are stored in the backtrace
[2016-04-26T18:13:32+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
[root@vagrant-local-linux ~]#

Compliance results no longer reports back to Chef Compliance with latest version of inspec

Cookbook version

0.6.0

Chef-client version

12.9.41

Inspec version

0.21.0

Platform Details

Windows 2012 R2 (Azure)

Scenario:

Running audit cookbook with Windows specific profile to report back into Compliance

Steps to Reproduce:

Install inspec 0.21.0
You get 0 results reported back to Compliance

Expected Result:

Compliant / Issues reporting back into Compliance dashboard

Actual Result:

2016-05-12_17:13:43.76370 17:13:43.763 DEB => owner: &shared.Owner{PasswordHash:"", Login:"unit4", Name:"unit4", IsOrg:true, Source:sql.NullString{String:"9cf58bf8-a53b-4bf9-58fe-2f493bf4adfc", Valid:true}, UUID:uuid.UUID{ID:"2a50ead3-2918-41a6-5915-48f45a41b74f"}}
2016-05-12_17:13:43.76466 17:13:43.764 ERR => DB error: sql: no rows in result set
2016-05-12_17:13:43.76908 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76923 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76934 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76944 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76954 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76975 17:13:43.769 DEB => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Add scan result for 2a50ead3-2918-41a6-5915-48f45a41b74f/732b4772-0122-4ec8-468f-ce4bc706f254/937ab0a4-2f99-4ccc-4d74-8809956ec7dd:0 with unit4/identity-server-level-1
2016-05-12_17:13:43.76989 17:13:43.769 INF => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] scan result | 0 | 0 | 0 | 0 | 0 | packages | 0 | 0 | 0 | 0 | 0 |

Cookbook issue with Windows path

Hey,

I just tested the cookbook against a Windows node and it fails:

 cjo@Christians-MBP  ~/Downloads/chef-repo/cookbooks/atom git:(master) ✗ kitchen converge
-----> Starting Kitchen (v1.7.3)
-----> Converging <default-windows-2012r2>...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 4.2.1...
       Removing non-cookbook files before transfer
       Preparing validation.pem
       Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)

       Transferring files to <default-windows-2012r2>
       Starting Chef Client, version 12.10.24
       resolving cookbooks for run list: ["audit::default"]
       Synchronizing Cookbooks:
         - audit (0.8.0)
       Installing Cookbook Gems:
       Compiling Cookbooks...
       Converging 2 resources
       Recipe: audit::default
         * compliance_profile[windows] action fetch
           * chef_gem[inspec] action install (up to date)
       [2016-05-21T10:21:42-07:00] WARN: Using inspec version: (0.22.1)
           - install/update inspec
           * directory[C:\Users\vagrant\AppData\Local\Temp\kitchen\cache/compliance] action create (up to date)
       URL: https://192.168.178.221/api/owners/base/compliance/windows/tar

           ================================================================================
           Error executing action `fetch` on resource 'compliance_profile[windows]'
           ================================================================================

           Errno::EACCES
           -------------
           Permission denied @ sys_fail2 - (C:/Users/vagrant/AppData/Local/Temp/foo20160521-2220-1c553kw, C:\Users\vagrant\AppData\Local\Temp\kitchen\cache/compliance/base_windows.tgz)

           Resource Declaration:
           ---------------------
           # In C:/Users/vagrant/AppData/Local/Temp/kitchen/cache/cookbooks/audit/recipes/default.rb

            30:   compliance_profile p do
            31:     owner o
            32:     server server
            33:     token token
            34:     inspec_version node['audit']['inspec_version']
            35:     action [:fetch, :execute]
            36:   end
            37: end

           Compiled Resource:
           ------------------
           # Declared in C:/Users/vagrant/AppData/Local/Temp/kitchen/cache/cookbooks/audit/recipes/default.rb:30:in `block in from_file'

           compliance_profile("windows") do
             action [:fetch, :execute]
             retries 0
             retry_delay 2
             default_guard_interpreter :default
             declared_type :compliance_profile
             cookbook_name "audit"
             recipe_name "default"
             owner "base"
             server #<URI::HTTPS:0x0000000132e3e8 URL:https://192.168.178.221/api/owners/base/compliance/windows/tar>
             token "<token redacted>"
             inspec_version "0.22.1"
             profile "windows"
           end

           Platform:
           ---------
           x64-mingw32


       Running handlers:
       [2016-05-21T10:21:43-07:00] ERROR: Running exception handlers
       Running handlers complete
       [2016-05-21T10:21:43-07:00] ERROR: Exception handlers complete
       Chef Client failed. 0 resources updated in 11 seconds
       [2016-05-21T10:21:43-07:00] FATAL: Stacktrace dumped to C:/Users/vagrant/AppData/Local/Temp/kitchen/cache/chef-stacktrace.out
       [2016-05-21T10:21:43-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2016-05-21T10:21:43-07:00] FATAL: Errno::EACCES: compliance_profile[windows] (audit::default line 30) had an error: Errno::EACCES: Permission denied @ sys_fail2 - (C:/Users/vagrant/AppData/Local/Temp/foo20160521-2220-1c553kw, C:\Users\vagrant\AppData\Local\Temp\kitchen\cache/compliance/base_windows.tgz)
>>>>>> Converge failed on instance <default-windows-2012r2>.
>>>>>> Please see .kitchen/logs/default-windows-2012r2.log for more details
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: WinRM exited (1) for command: [
$env:PATH = [System.Environment]::GetEnvironmentVariable("PATH","Machine")

& $env:systemdrive\opscode\chef\bin\chef-client.bat --local-mode --config $env:TEMP\kitchen\client.rb --log_level auto --force-formatter --no-color --json-attributes $env:TEMP\kitchen\dna.json --chef-zero-port 8889]
>>>>>> ----------------------

While checking the code it seems that the Windows path has forward instead of backward slashes.

[2016-05-21T10:21:43-07:00] FATAL: Errno::EACCES: compliance_profile[windows] (audit::default line 30) had an error: Errno::EACCES: Permission denied @ sys_fail2 - (C:/Users/vagrant/AppData/Local/Temp/foo20160521-2220-1c553kw, C:\Users\vagrant\AppData\Local\Temp\kitchen\cache/compliance/base_windows.tgz)

Seems that the path relies on Chef::Config but for direct connections that does not work.
