In the Chef Automate server UI my node is showing in converge status but not in compliance status


#1

I want to add my node to compliance in the Chef Automate server. In the Chef Automate server UI my node is showing in converge status but not in compliance status.

I want to scan my node with compliance.


#2

As I understand it, out of the box Inspec runs and chef-client are two separate things. Automate (Visibility) of course shows both - so it’s a matter of getting inspec running on your nodes. It sounds like some new options might be coming soon, but I believe most people (my company included) connect these dots with the audit cookbook. By including this in your node’s runlist and specifying specific attributes to declare which profiles to run, this cookbook will wire up some handlers to the chef-client run that will automatically run inspec at the end of the run. I recommend first running inspec on your nodes manually or through knife exec. That should publish data to Compliance. From there, getting this happening automatically on a schedule is best done through the audit cookbook.

Hope that helps


#3

Thanks for your reply.

I have installed the audit cookbook (4.0.0) by including it in the run_list, but I am unable to see my node in the “compliance status” tab. If I am not wrong, compliance is part of Automate, right? Do we need a special compliance server? I am sending some screenshots of my Chef Automate; help me if there are any issues.

Thank You.


#4

Looks right so far - yes Automate should include all you need.

On your node in the attributes pane, what do you have under [‘audit’][‘profiles’]? You’ll need to point to at least one profile to run - the dev-sec profile on GitHub is a good place to start.


#5

Can you please help me with doing that profile? Tell me the process.


#6

A ‘profile’ in inspec terminology is a suite of tests. This can be something you author custom, or it can be something external authored by someone else. The power of this model is profiles built by the community that align with established standards (e.g. PCI). You need to specify which profiles should be run against your nodes. When using the audit cookbook, this is done by specifying attributes that instruct the audit cookbook which profiles should be run. In your cookbook’s attributes/default.rb you would specify something like this:

# attributes/default.rb: settings consumed by the audit cookbook
override['audit'].tap do |audit|
  audit['reporter'] = 'chef-server-automate'   # send results to Automate via the Chef server
  audit['interval']['enabled'] = true          # only run the audit once per interval
  audit['interval']['time'] = 10               # interval length in minutes
  audit['quiet'] = true                        # suppress inspec output during the run
  audit['insecure'] = false                    # verify TLS when fetching profiles/reporting
  audit['inspec_version'] = 'latest'
  audit['profiles'] = [                        # at least one profile is required
    {
      name: 'windows_patch_benchmark',
      url: 'https://github.com/dev-sec/windows-patch-benchmark'
    }
  ]
end

I recommend creating a shared/common cookbook that includes attributes of this nature specifying the compliance profiles that should be run on all nodes. You might end up with platform-specific cookbooks like core_win and core_linux. In those cookbooks, you will have an attribute file that contains something like the above. You’ll then need to ensure that these shared/common cookbooks are included by your application cookbook (so that they are in the runlist on your node). At chef-client runtime, when the audit cookbook is converged, it will see these attributes and run the profiles you specified. Then you should see compliance data showing up in Automate. If it’s not showing up, ensure the dots are connected by inspecting the Attributes pane on the Compliance Status tab of Visibility and ensure the attributes are populated.

You can create your own profiles, but I’d forget that until you get comfortable with how these pieces fit together.


#7

Hi kbrowns,

I have tried your code in my attribute file but nothing is showing in the compliance status tab in my Chef Automate.
My requirement is to scan a Windows node and do the patching on it if there is any issue, but I am unable to scan my Windows node.

Do we need to change anything in the audit cookbook recipes (upload.rb)?
Thank you.


#8

I suggest doing two things - 1) confirm the attributes are showing up on your node’s converge report. It’s not uncommon to think the attributes are there, but they are not (either because of a cookbook version mismatch or some other not-obvious reason). 2) run the chef-client manually on your node and you should see the audit cookbook and the inspec tests kick in after the normal chef-client run (i.e. post Report Handlers have run and a Success message). Any time compliance reports aren’t showing up for us, those two troubleshooting steps have revealed the problem.


#9

Yes… they are showing in converge.

The chef-client run is successful. It installed inspec.

I am sharing the screen shots.

Thank you


#10

Looks like I got my wires crossed w/ the attribute code I sent you above. Note, in your screen shot the line that says

INFO: Audit run skipped due to interval configuration

I believe that’s because I included something we’ve been toying around with that decouples the compliance run from the chef-client run. You can read up on the audit cookbook about what ‘interval’ does. Try removing those 2 interval attributes I sent you and run the chef-client again.
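As an added illustration (not code from the thread or from the audit cookbook), here is a small Ruby checker for the attribute hash from post #6 that flags the two failure modes discussed in this thread: no profiles configured, and an ‘interval’ setting that makes the audit run skip. The interval rule, the list of Automate reporters and the accepted profile source keys are assumptions modelled on the cookbook's documented behaviour, not its actual code.

```ruby
# Reporters that deliver results to Automate (assumption: the value used in the
# thread plus the direct-to-Automate variant).
AUTOMATE_REPORTERS = %w[chef-server-automate chef-automate].freeze

# The attribute hash posted in #6, with the interval switchable off as in #10.
def thread_audit_attributes(interval_enabled: true)
  {
    'reporter' => 'chef-server-automate',
    'interval' => { 'enabled' => interval_enabled, 'time' => 10 }, # time in minutes
    'profiles' => [{ name: 'windows_patch_benchmark',
                     url: 'https://github.com/dev-sec/windows-patch-benchmark' }]
  }
end

# Return the reasons an audit run with these attributes would not produce a
# Compliance report (empty array means nothing obvious is wrong).
# last_run: Time of the previous audit run, nil if none. Assumed interval rule:
# skip when last_run is newer than interval.time minutes.
def audit_attribute_problems(audit, last_run: nil, now: Time.now)
  problems = []
  profiles = Array(audit['profiles'])
  problems << "no profiles: set ['audit']['profiles'] to at least one profile" if profiles.empty?
  profiles.each do |profile|
    p = profile.transform_keys(&:to_s) # accept symbol or string keys
    problems << "profile #{p['name'].inspect} has no name" if p['name'].to_s.empty?
    next if %w[url path git compliance].any? { |k| p[k] }
    problems << "profile #{p['name'].inspect} has no source (url/path/git/compliance)"
  end
  unless AUTOMATE_REPORTERS.include?(audit['reporter'])
    problems << "reporter #{audit['reporter'].inspect} does not report to Automate"
  end
  interval = audit['interval'] || {}
  if interval['enabled'] && last_run && (now - last_run) < interval['time'].to_i * 60
    problems << 'audit run skipped due to interval configuration (last run too recent)'
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  five_min_ago = Time.now - 300
  # With the interval enabled and a recent run, the checker reports the skip.
  puts audit_attribute_problems(thread_audit_attributes, last_run: five_min_ago)
  # With the interval removed (post #10), the same attributes pass.
  p audit_attribute_problems(thread_audit_attributes(interval_enabled: false), last_run: five_min_ago)
end
```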


#11

Hi,

I have tried removing those intervals. Still it’s not showing in compliance status.

I am getting this

I don’t know what’s the problem. I want to scan my Windows node for vulnerabilities… I have been trying this for a week. I am not able to figure this out. Help me.

Thank you


#12

You might want to open a support ticket with Chef and talk with a paid support engineer. Everything you’re showing me looks right - there’s clearly a message there stating the report to Chef Automate was successful.


#13

Hi,
The issue is resolved. The problem is that the Chef server is an older version.

Can you tell me how to create the .chef folder contents (knife.rb, user.pem, and validator.pem) from the command line? I want to automate my Chef Automate from the CLI, so I can’t download the starter kit. So I want to create them through the CLI manually.

Thank you.