Troubleshooting Compliance Scanner for PCF

This topic provides instructions for troubleshooting Compliance Scanner for Pivotal Cloud Foundry (PCF).

scan_results Issues

scan_results Completed with Error (Exit Code 1)

Symptom

Running a scan results in an exit code 1 error similar to the following:

...
Instance   oscap_store/43aba653-4d0a-4cfc-bc72-a136ce33e3e0
Exit Code  1
Stdout     2019/07/05 21:11:04 Starting store on port 28894
           2019/07/05 21:11:05 [10.0.8.6] <nil>
           2019/07/05 21:11:05 Starting scan on 10.0.8.6
           2019/07/05 21:11:05 Get https://10.0.8.6:28893/run: x509: certificate has expired or is not yet valid
           Received no scan results
Stderr     -

1 errand(s)

Errand 'scan_results' completed with error (exit code 1)

Exit code 1

Explanation

Your certificates have expired.

Solution

Rotate your certificates. For instructions, see Rotating Certificates.

scan_results Received Signal Terminated (Exit Code 124)

Symptom

Running a scan results in an exit code 124 error similar to the following:

...
Instance   oscap_store/43aba653-4d0a-4cfc-bc72-a136ce33e3e0
Exit Code  124
Stdout     2019/06/24 15:43:30 Starting store on port 28894
           2019/06/24 15:43:30 [10.0.8.5] <nil>
           2019/06/24 15:43:30 Starting scan on 10.0.8.5
           2019/06/24 15:43:31 Received signal terminated
           Scanner timed out, did not receive all the scan results in 1200 second(s)

Explanation

Your scan has reached the configured timeout period. This can happen when a scanned VM lacks the memory or CPU needed to finish its scan within that period.

Solution

Do one of the following:

  • Increase the scan timeout for all VMs. For more information, see Scanner Timeout under Configure Scans.

  • Increase the memory or CPU resources for any failing scanned VMs.

scan_results Does Not Include Scans for VMs in the Deployment

Symptom

Only scan results for the oscap_store VM are being generated. VMs in the deployment are not being scanned.

Explanation

Compliance Scanner for PCF is deployed both as a tile and as a BOSH add-on. When a scan is run, the oscap_store VM verifies the OSCAP release version on each VM, so the latest OSCAP release must be deployed on every VM for that VM to be scanned.

Solution

When installing or upgrading Compliance Scanner for PCF, you must Apply Changes on PAS (and on any other tiles with VMs you want to scan) after applying changes to the Compliance Scanner for PCF tile, so that the version of Compliance Scanner for PCF on the VMs matches the version used by the scanner.

Unable to resolve store domain: no such host

Symptom

Running a scan results in an exit code 1 error similar to the following:

...
Instance   oscap_store/43aba653-4d0a-4cfc-bc72-a136ce33e3e0
Exit Code  1
Stdout     2019/08/05 09:14:01 Starting store on port 28894
           2019/08/05 09:14:01 [172.15.0.3 172.15.0.4 172.15.0.5 172.15.1.5 172.15.1.4] <nil>
           2019/08/05 09:14:01 Starting scan on 172.15.0.3
           2019/08/05 09:14:01 Unable to scan 172.15.0.3: 500
           2019/08/05 09:14:01 Starting scan on 172.15.0.4
           2019/08/05 09:14:01 Unable to scan 172.15.0.4: 500
           2019/08/05 09:14:01 Starting scan on 172.15.0.5
           2019/08/05 09:14:01 Unable to scan 172.15.0.5: 500
           2019/08/05 09:14:01 Shutdown
           Received no scan results

and produces a scanner_web_ctl.log similar to the following:

/var/vcap/sys/log/config_scanner/scanner_web_ctl.log:

2019/08/05 10:21:34 Lookup store
2019/08/05 10:21:34 Unable to resolve store domain: lookup q-s4.oscap-store.NETWORK-NAME.p-compliance-scanner-5f51f48abb5fbf23b617.bosh on 169.254.0.2:53: no such host

Where NETWORK-NAME is the name given to the network being used for the Compliance Scanner for PCF tile.

Explanation

BOSH DNS cannot resolve the oscap_store VM URL if the network's Name contains any capital letters.

Solution

Verify that the name of the network you selected in the Assign AZs and Networks pane of your Compliance Scanner for PCF tile contains no capital letters.

If it does, rename the network to remove the capitalization:

  1. On the Ops Manager Installation Dashboard, click BOSH Director.
  2. Click Create Networks.
  3. Change the network Name to a name without capital letters, and click Save.
  4. Click Review Pending Changes, and then Apply Changes to all tiles.

This updates the network name property on all VMs.
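As an added example that is not part of this documentation or of the Compliance Scanner product, the following Python script classifies a scan_results errand output or scanner_web_ctl.log excerpt into the three failure modes described above (expired certificates, scan timeout, unresolvable store domain) and, for the DNS case, checks whether the network label of the store domain contains capital letters. The sample outputs, the network name Prod-Net and the q-s4.oscap-store.<network>.<deployment>.bosh label layout are assumptions.

```python
import re

# Constructed samples modelled on the excerpts on this page; addresses and network name are illustrative.
CERT_OUTPUT = """\
Exit Code  1
Stdout     2019/07/05 21:11:05 Starting scan on 10.0.8.6
           2019/07/05 21:11:05 Get https://10.0.8.6:28893/run: x509: certificate has expired or is not yet valid
           Received no scan results
"""
TIMEOUT_OUTPUT = """\
Exit Code  124
Stdout     2019/06/24 15:43:31 Received signal terminated
           Scanner timed out, did not receive all the scan results in 1200 second(s)
"""
DNS_LOG = ("2019/08/05 10:21:34 Unable to resolve store domain: lookup "
           "q-s4.oscap-store.Prod-Net.p-compliance-scanner-5f51f48abb5fbf23b617.bosh "
           "on 169.254.0.2:53: no such host")

EXIT_CODE = re.compile(r"^Exit Code\s+(\d+)", re.M)
CERT_EXPIRED = re.compile(r"x509: certificate has expired or is not yet valid")
TIMED_OUT = re.compile(r"did not receive all the scan results in (\d+) second")
NO_SUCH_HOST = re.compile(r"Unable to resolve store domain: lookup (\S+) on \S+: no such host")

def store_network(domain):
    """Network label of q-s4.oscap-store.<network>.<deployment>.bosh (layout assumed from this page)."""
    labels = domain.split(".")
    return labels[2] if len(labels) >= 5 else None

def classify(text):
    """Map one errand output or scanner_web_ctl.log excerpt to the cause and remedy
    documented on this page; cause is 'unknown' when no rule matches."""
    m = EXIT_CODE.search(text)
    result = {"exit_code": int(m.group(1)) if m else None}
    if CERT_EXPIRED.search(text):
        result.update(cause="certificates expired", remedy="rotate certificates")
    elif (m := TIMED_OUT.search(text)):
        result.update(cause="scan timeout", timeout_seconds=int(m.group(1)),
                      remedy="raise Scanner Timeout or give the VM more memory/CPU")
    elif (m := NO_SUCH_HOST.search(text)):
        net = store_network(m.group(1))
        result.update(cause="store domain not resolvable", network=net)
        # BOSH DNS only resolves the store name when the network label is lowercase.
        if net and net != net.lower():
            result["remedy"] = "rename network %r to %r in BOSH Director" % (net, net.lower())
        else:
            result["remedy"] = "network label already lowercase; cause not covered on this page"
    else:
        result.update(cause="unknown", remedy="inspect output manually")
    return result
```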