Compliance results no longer reports back to Chef Compliance with latest version of inspec

[yvovandoorn]

Cookbook version

0.6.0

Chef-client version

12.9.41

Inspec version

0.21.0

Platform Details

Windows 2012 R2 (Azure)

Scenario:

Running audit cookbook with Windows specific profile to report back into Compliance

Steps to Reproduce:

Install inspec 0.21.0
You get 0 results reported back to Compliance

Expected Result:

Compliant / Issues reporting back into Compliance dashboard

Actual Result:

2016-05-12_17:13:43.76370 17:13:43.763 DEB => owner: &shared.Owner{PasswordHash:"", Login:"unit4", Name:"unit4", IsOrg:true, Source:sql.NullString{String:"9cf58bf8-a53b-4bf9-58fe-2f493bf4adfc", Valid:true}, UUID:uuid.UUID{ID:"2a50ead3-2918-41a6-5915-48f45a41b74f"}}
2016-05-12_17:13:43.76466 17:13:43.764 ERR => DB error: sql: no rows in result set
2016-05-12_17:13:43.76908 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76923 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76934 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76944 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1
2016-05-12_17:13:43.76954 17:13:43.769 ERR => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Couldn't find rule  in profile unit4/identity-server-level-1

2016-05-12_17:13:43.76975 17:13:43.769 DEB => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] Add scan result for 2a50ead3-2918-41a6-5915-48f45a41b74f/732b4772-0122-4ec8-468f-ce4bc706f254/937ab0a4-2f99-4ccc-4d74-8809956ec7dd:0 with unit4/identity-server-level-1
2016-05-12_17:13:43.76989 17:13:43.769 INF => [2a50ead3-2918-41a6-5915-48f45a41b74f/a9df344b-5c01-4359-50ff-5016064a2c8f] scan result | 0 | 0 | 0 | 0 | 0 | packages | 0 | 0 | 0 | 0 | 0 |

[chris-rock]

Thanks yvo, that is not restricted to windows. We changed the default json formatter that is used in audit cookbook with version https://github.com/chef/inspec/tree/v0.21.0 This was marked as a breaking change :-) We should have pinned that until the new Chef Compliance arrives.

[chris-rock]

Pinning InSpec to 0.20.1 should fix that problem until a new Chef Compliance release is out.

[sclark007]

@chris-rock i still see issues with this. the client looks to send to the compliance server correctly but there is no result from the report.

[root@statvprchefcomp01 ~]# rpm -qa | grep chef
chef-compliance-1.2.3-1.el6.x86_64
chef-12.5.1-1.el6.x86_64

wrapper cookbook attributes:
default['audit']['inspec_version'] = '0.22.0'
default['audit']['profiles']['base/ssh'] = true

Chef-client
chef-12.9.38-1.el7.x86_64

[root@stlabvdv001 ~]# chef-client -o neustar-audit
Starting Chef Client, version 12.9.38
resolving cookbooks for run list: ["neustar-audit"]
Synchronizing Cookbooks:

• audit (0.7.0)
• neustar-audit (1.0.0)
  Installing Cookbook Gems:
  Compiling Cookbooks...
  Converging 2 resources
  Recipe: audit::default
• compliance_profile[ssh] action fetch
  • chef_gem[inspec] action install
    • install version 0.22.0 of package inspec
  • install/update inspec
  • directory[/var/chef/cache/compliance] action create (up to date)
  • fetch compliance profile
  • chef_gem[inspec] action install (up to date)
  • directory[/var/chef/cache/compliance] action create (up to date)
• compliance_profile[ssh] action execute
  • chef_gem[inspec] action install (up to date)
  • install/update inspec.F..FF.FFFFFFFFFFF..........F..F.FF.FFFFF.FFFFF.F.FF..FFFFFFFF.F....F

Failures:

Lots of fails removing results

- execute compliance profile
* chef_gem[inspec] action install (up to date)
* file[/var/chef/cache/compliance/base_ssh_report.json] action create
  - update content in file /var/chef/cache/compliance/base_ssh_report.json from 710f33 to 3bb01f
  - suppressed sensitive resource
  - restore selinux security context

• compliance_report[chef-server] action execute
  • report compliance profiles' results

Running handlers:
Running handlers complete
Chef Client finished, 5/10 resources updated in 17 seconds

[chris-rock]

This is fixed with the latest versions. Also we added a matrix that shows the compatibility: https://github.com/chef-cookbooks/audit#chef-compliance-and-inspec

[sonykphilip]

Still facing this problem with the latest Chef Compliance and Inspec. Once the scan is completed, it does not list the rows in the browser when you click on the machine name. However, if you do a 'sudo chef-compliance-ctl restart core', the page then lists the rows. Rinse and repeat on the next scan.

OS: Red Hat Enterprise Linux Server release 7.2 (Maipo) 64-bit

RPMs Installed: chef-compliance-1.7.7-1.el7.x86_64.rpm, inspec-1.14.1-1.el7.x86_64.rpm

$ inspec -v
1.14.1

==> /var/log/chef-compliance/core/current <==
2017-02-23_04:19:32.50753 04:19:32.507 ERR => DB error: sql: no rows in result set
2017-02-23_04:19:32.50794 04:19:32.507 DEB => ID of user admin changed: b31f7a6d-22a1-4649-6e04-cdf59eb2c3a7 -> 696fe0a3-d9d3-4da9-bd20-4eae7b1676fb (resetting)
2017-02-23_04:19:32.50794 04:19:32.507 DEB => Authenticated user: &{PasswordHash: Login:compliance Name:Foo Bar Admin IsOrg:false Source:{String: Valid:false} UUID:{ID:b31f7a6d-22a1-4649-6e04-cdf59eb2c3a7}}
2017-02-23_04:19:32.50827 04:19:32.508 ERR => DB error: sql: no rows in result set
2017-02-23_04:19:32.50894 [GIN] 2017/02/23 - 04:19:32 | 200 | 2.268823ms | 192.168.166.236 | GET /owners/b31f7a6d-22a1-4649-6e04-cdf59eb2c3a7/scans/151f9220-06c7-49d9-6879-12bd38b712bd

[chris-rock]

@sonykphilip Seems like you are not using the audit cookbook. Could you please place your question in https://www.chef.io/support/ then?