Compliance Scanner for VMware Tanzu doesn't generate reports for TKGi clusters
Article ID: 383177
Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

The TKGi CIS and STIG benchmarks are configured in Compliance Scanner for VMware Tanzu following the installation guide at https://techdocs.broadcom.com/us/en/vmware-tanzu/compliance/compliance-scanner-for-tanzu/1-3/compliance-tanzu/installing.html

After the scans run, no reports are generated for any TKGi node.

Errors of the form "Error: dial tcp <TKGi VM IP>:28893: i/o timeout" are observed in the oscap_store VM's /var/vcap/data/sys/log/scan_results logs.

Cause

This can be caused by any of the following:

  1. The Scanner configuration has not been propagated to the TKGi VMs.
  2. The scanner jobs are failing on the TKGi VMs.
  3. Firewall rules are blocking the port the scanner uses on the TKGi VMs.

Resolution

  1. Verify that the Scanner configuration has been propagated to the TKGi clusters and that no related changes are still pending. If changes are pending, apply them from your configuration so they reach the TKGi deployments.

  2. Verify that the scanner_web and scanner_daemon jobs are running on all TKGi VMs:
    # bosh -d <tkgi-deployment-name> is --ps

    Within the VMs:
    # ps -elf | grep scanner
    0 S vcap   9274  1     0  70  -10   1091   0 -      Nov25 ?        00:00:00 /bin/bash /var/vcap/jobs/config_scanner/bin/scanner_web_ctl start
    0 S vcap   9276  9274  0  70  -10  418841  0 -      Nov25 ?        00:00:00 /var/vcap/jobs/config_scanner/packages/scanner/scanner_web --config /var/vcap/jobs/config_scanner/conf/scanner_web.conf
    0 S root   9297  1     0  70  -10   1091   0 -      Nov25 ?        00:00:00 /bin/bash /var/vcap/jobs/config_scanner/bin/scanner_daemon_ctl start
    0 S root   9300  9297  0  70  -10  418735  0 -      Nov25 ?        00:00:00 /var/vcap/jobs/config_scanner/packages/scanner/scanner_daemon --config /var/vcap/jobs/config_scanner/conf/scanner_daemon.conf

    Note that scanner_web runs as vcap and scanner_daemon runs as root; both are started by their *_ctl scripts under /var/vcap/jobs/config_scanner/bin.

    If any of the above jobs is in a failing state, collect BOSH logs for the deployment and examine the scanner_web and scanner_daemon logs in the /var/vcap/sys/log/config_scanner directory on the VMs.
    If any of the above jobs is missing, the configuration has most likely not reached the deployment: verify that the Scanner configuration has been propagated to the TKGi clusters as outlined in step 1 above.

    Open a Support Request if you cannot identify why the jobs are failing or missing, and upload the BOSH logs for the impacted deployment to the case.

  3. Log into the oscap_store VM and check the /var/vcap/data/sys/log/scan_results logs for errors of the form "Error: dial tcp <TKGi VM IP>:28893: i/o timeout"

    An i/o timeout (as opposed to a connection refused) means the TCP SYN from the oscap_store VM got no answer at all, which typically points to a firewall dropping the traffic rather than to a closed port.

    The scanner_web job on the TKGi VMs listens on TCP port 28893, as configured in /var/vcap/jobs/config_scanner/conf/scanner_web.conf

    Check that the port is open and bound to all interfaces on the VMs:
    # netstat -putan | grep 28893
    tcp        0      0 0.0.0.0:28893       0.0.0.0:*         LISTEN      9276/scanner_web

    Verify that no firewall rules block inbound connections to this port on the path from the oscap_store VM to the TKGi VMs (both host-level rules on the VMs and any network security policies between the two deployments).
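The following script is an added example, not part of the KB article or the Compliance Scanner product. It automates the triage in step 3: it extracts the TKGi VM IPs that timed out on port 28893 from scan_results log text and, when run as `probe <logfile...>` on the oscap_store VM, opens a TCP connection to each one so that a silent drop (firewall) can be told apart from a connection refused (scanner_web not listening). It assumes bash (for /dev/tcp) and the coreutils `timeout` command are available on the oscap_store VM; the log lines embedded in it are constructed for the demonstration, and the log file paths passed to `probe` are the operator's choice.

```shell
#!/usr/bin/env bash
# Added example (not from the KB): triage "dial tcp <ip>:28893: i/o timeout"
# errors reported by the oscap_store VM against TKGi VMs.
set -eu

SCANNER_PORT=28893   # scanner_web listen port per scanner_web.conf
PROBE_TIMEOUT=5      # seconds; a dropped SYN otherwise hangs for minutes

# Print the unique TKGi VM IPs that timed out on $SCANNER_PORT, one per line.
# Reads scan_results log text on stdin; lines with other errors are ignored.
extract_timeout_ips() {
  sed -n "s/.*dial tcp \([0-9.]*\):${SCANNER_PORT}: i\/o timeout.*/\1/p" | sort -u
}

# TCP connect probe using bash's /dev/tcp (assumption: bash and coreutils
# timeout exist on the oscap_store VM). Exit status: 0 on connect, 124 when
# nothing answered within PROBE_TIMEOUT (timeout's own status), 1 otherwise
# (typically connection refused, i.e. the port is closed but reachable).
probe_port() {
  host=$1; port=$2
  timeout "$PROBE_TIMEOUT" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Turn a probe exit status into the verdict an operator acts on.
classify_probe() {
  case "$1" in
    0)   echo "open (scanner_web reachable)" ;;
    124) echo "timeout (likely firewall drop between oscap_store and the VM)" ;;
    *)   echo "refused/unreachable (port closed: check scanner_web job on the VM)" ;;
  esac
}

# Constructed sample, not a real log: 10.0.1.5 times out twice, 10.0.1.7 once,
# 10.0.1.6 scans fine and 10.0.1.8 fails with a different error.
SAMPLE_LOG='2024-11-25T10:00:01Z scan 10.0.1.5 Error: dial tcp 10.0.1.5:28893: i/o timeout
2024-11-25T10:00:02Z scan 10.0.1.6 ok
2024-11-25T10:00:03Z scan 10.0.1.7 Error: dial tcp 10.0.1.7:28893: i/o timeout
2024-11-25T10:05:01Z scan 10.0.1.5 Error: dial tcp 10.0.1.5:28893: i/o timeout
2024-11-25T10:05:02Z scan 10.0.1.8 Error: dial tcp 10.0.1.8:28893: connection refused'

if [ "${1:-}" = "probe" ]; then
  # Real run on the oscap_store VM: ./triage.sh probe /var/vcap/data/sys/log/scan_results/<file>
  shift
  cat "$@" | extract_timeout_ips | while read -r ip; do
    rc=0
    probe_port "$ip" "$SCANNER_PORT" || rc=$?
    printf '%s:%s %s\n' "$ip" "$SCANNER_PORT" "$(classify_probe "$rc")"
  done
else
  # Default: show which IPs the parser extracts from the constructed sample.
  printf '%s\n' "$SAMPLE_LOG" | extract_timeout_ips
fi
```

A VM classified as "timeout" is a firewall problem between the two deployments (the bosh instance and its jobs may be perfectly healthy); a VM classified as "refused/unreachable" means the network path works and the problem is the scanner_web job on that VM, which is what steps 1 and 2 cover.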