diff --git a/CHANGELOG.md b/CHANGELOG.md index c9e8299b..f2070ea5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ cookbook. Please see HISTORY.md for changes from older versions of this project. ## [Unreleased] +### Security +- locked down permissions of `/etc/default/sensu` to be owned and grouped by `root` and to only be readable or writable by its owner (@majormoses) + +### Added +- support for injecting arbitrary env vars into `/etc/default/sensu` (@majormoses) + ## [5.4.0] - 2018-09-14 ### Added - exposed `package_name` as an optional parameter to the `sensu_gem` resource in case you need to install multiple versions of a gem. (@majormoses) diff --git a/README.md b/README.md index 68f0e943..b34400fd 100644 --- a/README.md +++ b/README.md @@ -211,6 +211,10 @@ for Sensu to start/stop. `node["sensu"]["loaded_tempfile_dir"]` - Where Sensu stores temporary files. Set a persistent directory if you use hardened system that cleans temporary directory regularly. +`node['sensu']['env_vars]` - A hash of key value pairs that will be written to `/etc/default/sensu` which will be passed to the sensu proces as ENV vars. This defaults to `nil` and only triggers when it is not `nil`. + +`node['sensu']['etc_default_sensu']['cookbook']` - A string that allows you to choose the cookbook that you wish to pull the template for writing `/etc/default/sensu` from, this is useful in the case of wanting to write your own template in your wrapper cookbook. This defaults to `'sensu'` which is this cookbook. + ### Windows Sensu requires Microsoft's .Net Framework to run on Windows. The following attributes influence the installation of .Net via this cookbook: diff --git a/attributes/default.rb b/attributes/default.rb index 671118f2..0de42d27 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -69,3 +69,7 @@ default["sensu"]["data_bag"]["ssl_item"] = "ssl" default["sensu"]["data_bag"]["config_item"] = "config" default["sensu"]["data_bag"]["enterprise_item"] = "enterprise" + +# inject arbitrary env vars into the sensu process +default['sensu']['env_vars'] = nil +default['sensu']['etc_default_sensu']['cookbook'] = 'sensu' diff --git a/recipes/_linux.rb b/recipes/_linux.rb index f62ac86f..e873e457 100644 --- a/recipes/_linux.rb +++ b/recipes/_linux.rb @@ -122,5 +122,9 @@ template "/etc/default/sensu" do source "sensu.default.erb" + cookbook node['sensu']['etc_default_sensu']['cookbook'] + mode '400' + user 'root' + group 'root' notifies :create, "ruby_block[sensu_service_trigger]" end diff --git a/templates/default/sensu.default.erb b/templates/default/sensu.default.erb index 1ef2069a..8460944e 100644 --- a/templates/default/sensu.default.erb +++ b/templates/default/sensu.default.erb @@ -5,3 +5,8 @@ SERVICE_MAX_WAIT=<%= node["sensu"]["service_max_wait"] %> CLIENT_DEREGISTER_ON_STOP=<%= node["sensu"]["client_deregister_on_stop"] %> <%= node["sensu"]["client_deregister_handler"] ? %|CLIENT_DEREGISTER_HANDLER=#{node["sensu"]["client_deregister_handler"]}| : nil %> <%= node["sensu"]["loaded_tempfile_dir"] ? %|export SENSU_LOADED_TEMPFILE_DIR=#{node["sensu"]["loaded_tempfile_dir"]}| : nil %> + +<% unless node['sensu']['env_vars'].nil? do |k, v| -%> +<%= k %>=<%= v %> +<% end %> +<% end %>
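Review bot: The new `env_vars` default in attributes/default.rb should say what shape it expects and where the values end up, because the one-line comment invites putting credentials here. Node attributes are saved with the node object on the Chef server, so a secret set through this attribute stays readable there no matter how tightly `/etc/default/sensu` is locked down. I would extend the comment to something like `# Hash of NAME => value written to /etc/default/sensu; values are stored in the node object, so source secrets from an encrypted data bag or vault in a wrapper cookbook`.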
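Review bot: In the `template "/etc/default/sensu"` resource, I would write the ownership and mode in the documented form, `owner 'root'` and `mode '0400'`, rather than `user 'root'` and `mode '400'`. As far as I know `user` is accepted as an alias, but `owner` is the name readers and linters expect on a file-type resource, and the leading zero makes the octal intent explicit. It is also worth confirming that nothing running as the unprivileged Sensu user reads this file at start-up, since after this change only root can open it.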
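Review bot: The block added at the end of sensu.default.erb never iterates: in `unless node['sensu']['env_vars'].nil? do |k, v|` the `do |k, v|` block is handed to `nil?`, which does not yield, so as written no `NAME=value` line appears to be rendered even when the hash is set. I would replace the added lines with `<% (node['sensu']['env_vars'] || {}).each do |k, v| -%>`, `<%= k %>=<%= v %>`, `<% end -%>`. The values are also written unquoted, and the existing `export SENSU_LOADED_TEMPFILE_DIR=` line suggests a shell sources this file, so a value containing spaces or shell metacharacters would be reinterpreted at service start. Escaping the value (for example with `Shellwords.escape`) and checking the key against `\A[A-Za-z_][A-Za-z0-9_]*\z` would prevent that. If the variables are meant to reach the Sensu process itself they probably need `export` as well, as the line above has.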