At 5 minute intervals, the CFEngine hub gathers information from all of its connected agents about the current state of the system, including the outcome of its runs. All of this information is available for you. In this tutorial we will show how to verify the actual state of your system using custom reports.

How it works

We will use the user policy we previously made in our managing users tutorial, and create a custom report that looks for compliance changes in this policy.

1. Understand what to look for

In our policy we can find the following line: handle => “ensure_user_setup”,

The use of handle is an identifier we can use when creating a report to check whether our policy to ensure existence of users is compliant or not.

2. Create a new custom report

    1. Log into the mission portal of CFEngine, click the Reporting tab
    2. Click on Custom Report
    3. Select the following tables:  *Hosts* and *Promise executions log*
    4. Select the following fields: 
            *IP-address*, *Change time*, *Promise handle*, *Promise outcome*, and *Promise type*
    5. Filter the report by adding Promise Handle like %ensure_user%
    6. Sort the report according to change time
    7. Hit the Run button to execute the report

Depending on your system, you would now see a report like the one below.

We see that at 2014–06–05 19:55:57+00 on 192.168.33.2 the promise was repaired, which in our case means the ‘Adam’ and ‘Eva’ users were created.

2 minutes later at 2014–06–05 19:57:34+00, on the same host 192.168.33.2, the agent re-run and detected that everything was ok, reporting back that the promise was kept.

The same pattern occured on all our 3 hosts in this case, which is exactly what we wanted to see.

ps. if you now go in and delete the ‘Adam’ or ‘Eva’ user on any host, and later re-run the report, you will see a new line with REPAIRED in it. This tells you that our user policy was not in compliance, but CFEngine was able to fix it.

3. Conclusions

In this tutorial, we have shown how easy it is to prove compliance of any of your policies by simply filtering the Promise Execution Log table on handle-names. By making it a habit to always use handles in your policies, you can now quickly show compliance on any or all of your policies.

Mission accomplished!

Please help us improve:

8 2

Do you have ideas / feedback to share with us? Send feedback