Cookbook version
0.7.1
Chef-client version
12.10.24
Platform Details
Linux node 4.2.0-34-generic #39~14.04.1-Ubuntu SMP Fri Mar 11 11:38:02 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Scenario:
Converging a node with the audit cookbook in the run_list should report the results back to the Compliance server via the Chef server chef_gate. The reports are coming into the Compliance server but show up as "Skipped".
Steps to Reproduce:
Install Compliance 1.2.3.
Install Compliance/Chef server integration (chef_gate)
Add version 0.7.1 of the audit cookbook to a node's run_list with the following attributes:
```ruby
default['audit']['server'] = nil
default['audit']['token'] = nil
default['audit']['variant'] = 'chef'
default['audit']['owner'] = nil
default['audit']['profiles'] = {
  'base/linux' => true,
  'base/apache' => true,
  'base/postgres' => true,
  'base/ssh' => true,
}
# raise exception if Compliance API endpoint is unreachable
# while fetching profiles or posting report
default['audit']['raise_if_unreachable'] = false
# fail converge if downloaded profile is not present
default['audit']['fail_if_not_present'] = false
# fail converge after posting report if any audits have failed
default['audit']['fail_if_any_audits_failed'] = false
# inspec gem version to install (e.g. '0.22.0') or 'latest'
default['audit']['inspec_version'] = '0.22.0'
```
Verify the inspec version on the client node:
```
vagrant@node:~$ sudo /opt/chef/embedded/bin/gem list inspec
*** LOCAL GEMS ***
debug_inspector (0.0.2)
inspec (0.22.0)
vagrant@node:~$ /opt/chef/embedded/bin/inspec version
0.22.0
vagrant@node:~$
```
Expected Result:
Expect to see the results of the inspec scan on the Reports page of the Compliance UI.
Actual Result:
The scan reports show up as "Skipped"
From the Compliance server logs:
==> /var/log/chef-compliance/core/current <==
2016-05-18_13:27:43.28756 13:27:43.287 ERR => Authentication: %!(EXTRA *errors.errorString=missing Authorization header)
2016-05-18_13:27:43.28796 13:27:43.287 DEB => &{Raw:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.1dbf1ej6Z62xTR6YppcFdVDO6HJMiuPTXkVLK9dqavs Method:0xc8200b50e0 Header:map[alg:HS256 typ:JWT] Claims:map[exp:1.463581687e+09 name:node org_member:true public_key:-----BEGIN PUBLIC KEY-----
2016-05-18_13:27:43.28797 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxmVhiRpzz2xwtDmjtBk6
2016-05-18_13:27:43.28797 syjT9EpkfPnW83xT+6RcXV03V3mo6Mmg2biliIbedI+ZqwcvgLVQW/4WBrhsr0YG
2016-05-18_13:27:43.28797 kq30+BW39ooDzLY2SmrUP2COAnzkjuEoSEg3VdKLCqYIgJOrEI8qWKjE0MqhlkSE
2016-05-18_13:27:43.28797 y/GQZxGAU3epZYJ9dwrqMixAcdjc0kc5aVKuOezQDSggpP26lekiOzZRY2DL1wE4
2016-05-18_13:27:43.28798 raQpBwyFY7Z6vjaQ+G97YO8ShTqlBlFSg5LqoZD2nR45AqgfxFCmrTA0e0ncyVOG
2016-05-18_13:27:43.28798 vObapmthD76paHBIUkC16Xtp7udvVaoqvVKFvJ0E5EPmL18cBgAMx4lfO0mawpM4
2016-05-18_13:27:43.28798 DQIDAQAB
2016-05-18_13:27:43.28798 -----END PUBLIC KEY-----
2016-05-18_13:27:43.28798 type:client authz_id:69ae95e3b04dafbf7177aa3c01124afe chef_url:https://chef.compliance.test] Signature:1dbf1ej6Z62xTR6YppcFdVDO6HJMiuPTXkVLK9dqavs Valid:true}
2016-05-18_13:27:43.29689 13:27:43.296 DEB => owner: &shared.Owner{PasswordHash:"", Login:"brewinc", Name:"brewinc", IsOrg:true, Source:sql.NullString{String:"8e842a4c-50ee-44de-7e49-c1651e754ee6", Valid:true}, UUID:uuid.UUID{ID:"718957c7-be56-47c6-42a7-8adf369266a1"}}
2016-05-18_13:27:43.29756 13:27:43.297 ERR => DB error: sql: no rows in result set
2016-05-18_13:27:43.29939 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / linux
2016-05-18_13:27:43.29945 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29949 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/linux
2016-05-18_13:27:43.29954 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / apache
2016-05-18_13:27:43.29955 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29956 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/apache
2016-05-18_13:27:43.29957 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / postgres
2016-05-18_13:27:43.29958 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29960 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/postgres
2016-05-18_13:27:43.29961 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Process scan result for base / ssh
2016-05-18_13:27:43.29964 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
2016-05-18_13:27:43.29967 13:27:43.299 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] Add scan result for 718957c7-be56-47c6-42a7-8adf369266a1/bc46b8ba-ef97-43b0-4f72-11a90ef12ed2/58860151-d008-436c-7517-19ba5d2f0380:0 with base/ssh
2016-05-18_13:27:43.29977 13:27:43.299 INF => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] scan result | 0 | 0 | 0 | 0 | 0 | packages | 0 | 0 | 0 | 0 | 0 |
2016-05-18_13:27:43.30847 13:27:43.308 DEB => [718957c7-be56-47c6-42a7-8adf369266a1/469b440f-3a31-4c5d-4b3a-b5168cb549c4] db updated
2016-05-18_13:27:43.30859 [GIN] 2016/05/18 - 13:27:43 | 201 | 21.103202ms | 192.168.33.101 | POST /chef/organizations/brewinc/inspec
==> /var/log/chef-compliance/nginx/compliance.access.log <==
192.168.33.101 - - [18/May/2016:13:27:43 +0000] "POST /api/chef/organizations/brewinc/inspec HTTP/1.0" 201 46 "-" "Chef Client/12.10.24 (ruby-2.1.8-p440; ohai-8.15.1; x86_64-linux; +https://chef.io)"
From the chef client node running the converge and inspec scan:
...
rspec # SSH Configuration HostbasedAuthentication should eq "no"
rspec # SSH Configuration RhostsRSAAuthentication should eq "no"
rspec # SSH Configuration RSAAuthentication should eq "yes"
rspec # SSH Configuration PasswordAuthentication should eq "no"
rspec # SSH Configuration Tunnel should eq "no"
rspec # SSH Configuration PermitLocalCommand should eq "no"
rspec # File /etc/ssh should not be readable by others
- execute compliance profile
* chef_gem[inspec] action install (up to date)
* file[/var/chef/cache/compliance/base_ssh_report.json] action create[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] backed up to /var/chef/backup/var/chef/cache/compliance/base_ssh_report.json.chef-20160518135835.672152
[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] removed backup at /var/chef/backup/var/chef/cache/compliance/base_ssh_report.json.chef-20160518132021.138557
[2016-05-18T13:58:35+00:00] INFO: file[/var/chef/cache/compliance/base_ssh_report.json] updated file contents /var/chef/cache/compliance/base_ssh_report.json
- update content in file /var/chef/cache/compliance/base_ssh_report.json from e8399a to 133cd2
- suppressed sensitive resource
* compliance_report[chef-server] action execute
- report compliance profiles' results
[2016-05-18T13:58:35+00:00] INFO: Chef Run complete in 3.00964474 seconds
Running handlers:
[2016-05-18T13:58:35+00:00] INFO: Running report handlers
Running handlers complete
[2016-05-18T13:58:35+00:00] INFO: Report handlers complete
Chef Client finished, 13/37 resources updated in 04 seconds
root@node:~#
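As an added example (not part of the original report and not the Compliance project's code), the Ruby below groups core-log lines in the format shown above into one record per request and flags a report that was accepted with a 2xx status while every counter on its `scan result` line is zero. The log lines are constructed from the ones in this report, with the owner and scan UUIDs replaced by placeholders; `triage` and `empty_accepted_report?` are hypothetical names.

```ruby
# Added example: triage of Chef Compliance core log lines (format as in the report).
# SAMPLE_LOG is constructed: shortened from the report, UUIDs replaced by placeholders.
SAMPLE_LOG = <<~'LOG'
  2016-05-18_13:27:43.28756 13:27:43.287 ERR => Authentication: %!(EXTRA *errors.errorString=missing Authorization header)
  2016-05-18_13:27:43.29756 13:27:43.297 ERR => DB error: sql: no rows in result set
  2016-05-18_13:27:43.29939 13:27:43.299 DEB => [owner-uuid/scan-uuid] Process scan result for base / linux
  2016-05-18_13:27:43.29945 13:27:43.299 ERR => Calling *ScanSummary.Done(0)
  2016-05-18_13:27:43.29977 13:27:43.299 INF => [owner-uuid/scan-uuid] scan result | 0 | 0 | 0 | 0 | 0 | packages | 0 | 0 | 0 | 0 | 0 |
  2016-05-18_13:27:43.30859 [GIN] 2016/05/18 - 13:27:43 | 201 | 21.103202ms | 192.168.33.101 | POST /chef/organizations/brewinc/inspec
LOG

LEVEL_LINE = /\A\S+ \S+ (ERR|INF|DEB) => (.*)\z/
GIN_LINE   = %r{\[GIN\].*?\|\s*(\d{3})\s*\|.*\|\s*(\S+)\s*\|\s*([A-Z]+)\s+(\S+)}

# Groups log lines into one record per HTTP request. The [GIN] access line is
# written after the request's other lines (as in the report), so it closes the record.
def triage(log)
  fresh = -> { { errors: [], profiles: [], counters: nil } }
  requests = []
  current = fresh.call
  log.each_line(chomp: true) do |line|
    if (gin = GIN_LINE.match(line))
      current.merge!(status: gin[1].to_i, client: gin[2], method: gin[3], path: gin[4])
      requests << current
      current = fresh.call
    elsif (lvl = LEVEL_LINE.match(line))
      level, msg = lvl[1], lvl[2]
      current[:errors] << msg if level == 'ERR'
      if (pm = msg.match(%r{Process scan result for (\S+) / (\S+)}))
        current[:profiles] << "#{pm[1]}/#{pm[2]}"
      elsif msg.include?('scan result |')
        # keep only the purely numeric cells of the summary row
        current[:counters] = msg.scan(/\|\s*(\d+)\s*(?=\|)/).flatten.map(&:to_i)
      end
    end
  end
  requests
end

# True when the report was accepted (2xx) but its summary row counted nothing.
def empty_accepted_report?(req)
  (200..299).cover?(req[:status]) && !req[:counters].nil? && req[:counters].all?(&:zero?)
end

triage(SAMPLE_LOG).each do |req|
  flag = empty_accepted_report?(req) ? 'EMPTY REPORT ACCEPTED' : 'ok'
  puts "#{req[:client]} #{req[:method]} #{req[:path]} #{req[:status]} #{flag} errors=#{req[:errors].size}"
end
```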