Audit doesn't run when CCR fails #289
Comments
Running audit on success or failure of a CCR feels like the right thing to do so long as we've managed to populate the list of profiles to run. After all, we want to know the security posture of ALL the nodes, not just the ones that have successfully converged. It could be made optional by addition of an attribute to turn it on/off (with default being on).
@drrk @trickyearlobe @thommay As far as I can see, this is a feature we need to introduce in chef-client to support running the auditreporter in any case. Not sure if we can tackle this from cookbook perspective.
Not sure what you mean... maybe the description's not that clear. All we're proposing is that the @drrk already submitted a PR #290 for it. We just need to decide if that's the behaviour we want, or if we want to make it optional or something.
Oh, thank you @trickyearlobe I missed that :-)
@trickyearlobe I think the proposed solution in #290 is okay for now. The real solution would be that we have a real audit handler that works in both cases. This would also allow us to ensure the audit run is always executed at the end. @thommay is there something planned for the next major release of Chef?
Cookbook version
5.0.3
Chef-client version
13.5.3
Platform Details
ubuntu-16.04 (as test system)
Scenario:
Run audits when CCR fails
Steps to Reproduce:
Have a failing CCR with audit cookbook default recipe included
Expected Result:
Audit still runs
Actual Result:
Audit doesn't run
I have created a PR to resolve this, but I guess a discussion is needed to decide if it is actually wanted. The workaround is to manually add the exception handler in your wrapper cookbook after the include of the audit cookbook default recipe like so:
    include_recipe 'audit'
    Chef::Config.send('exception_handlers') << Chef::Handler::AuditReport.new