From a6aaec74ff4af8d8006edf56590e375f278a86e5 Mon Sep 17 00:00:00 2001
From: Ben Abrams
Date: Wed, 13 Mar 2019 18:14:29 -0700
Subject: [PATCH 1/2] Allow injecting of arbitrary env variables

As these variables _could_ contain secrets we should make sure that this file is only accessible via the root user. If you do choose to store secrets here I would highly recommend not storing them in SCM unencrypted; you should pull them from a key management solution such as Hashicorp Vault or AWS SSM. Alternatively you could use something like `git-crypt` or some process pulling values from an encrypted databag and writing to the attribute.

In either scenario with secrets please understand that these secrets will be exposed to the node and therefore accessible to anyone who has chef access. This includes any `sudoer` as they can run `sudo chef-shell -z` and then query the attribute.

If you do need this functionality for secrets you should probably use `node['sensu']['etc_default_sensu']['cookbook']` and override it with a template in your wrapper. You should leverage the `node.run_state` object as this removes it from the node being queried externally but allows locally storing the secret and is only persisted during an actual chef convergence.

Signed-off-by: Ben Abrams
---
 CHANGELOG.md                        | 6 ++++++
 README.md                           | 4 ++++
 attributes/default.rb               | 4 ++++
 recipes/_linux.rb                   | 4 ++++
 templates/default/sensu.default.erb | 5 +++++
 5 files changed, 23 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9e8299b..f2070ea5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ cookbook. Please see HISTORY.md for changes from older versions of this project. ## [Unreleased] +### Security +- locked down permissions of `/etc/default/sensu` to be owned and grouped by `root` and to only be readable or writable by its owner (@majormoses) + +### Added +- support for injecting arbitrary env vars into `/etc/default/sensu` (@majormoses) + ## [5.4.0] - 2018-09-14 ### Added - exposed `package_name` as an optional parameter to the `sensu_gem` resource in case you need to install multiple versions of a gem. (@majormoses) diff --git a/README.md b/README.md index 68f0e943..b34400fd 100644 --- a/README.md +++ b/README.md @@ -211,6 +211,10 @@ for Sensu to start/stop. `node["sensu"]["loaded_tempfile_dir"]` - Where Sensu stores temporary files. Set a persistent directory if you use hardened system that cleans temporary directory regularly. +`node['sensu']['env_vars]` - A hash of key value pairs that will be written to `/etc/default/sensu` which will be passed to the sensu proces as ENV vars. This defaults to `nil` and only triggers when it is not `nil`. + +`node['sensu']['etc_default_sensu']['cookbook']` - A string that allows you to choose the cookbook that you wish to pull the template for writing `/etc/default/sensu` from, this is useful in the case of wanting to write your own template in your wrapper cookbook. This defaults to `'sensu'` which is this cookbook. + ### Windows Sensu requires Microsoft's .Net Framework to run on Windows. The following attributes influence the installation of .Net via this cookbook: diff --git a/attributes/default.rb b/attributes/default.rb index 671118f2..d33e63d7 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -69,3 +69,7 @@ default["sensu"]["data_bag"]["ssl_item"] = "ssl" default["sensu"]["data_bag"]["config_item"] = "config" default["sensu"]["data_bag"]["enterprise_item"] = "enterprise" + +# inject arbitrary env vars into the sensu process +default['sensu']['env_vars'] = nil +default['sensu']['etc_default_sensu']['cookbook'] = 'sensu' \ No newline at end of file diff --git a/recipes/_linux.rb b/recipes/_linux.rb index f62ac86f..e873e457 100644 --- a/recipes/_linux.rb +++ b/recipes/_linux.rb @@ -122,5 +122,9 @@ template "/etc/default/sensu" do source "sensu.default.erb" + cookbook node['sensu']['etc_default_sensu']['cookbook'] + mode '400' + user 'root' + group 'root' notifies :create, "ruby_block[sensu_service_trigger]" end diff --git a/templates/default/sensu.default.erb b/templates/default/sensu.default.erb index 1ef2069a..8460944e 100644 --- a/templates/default/sensu.default.erb +++ b/templates/default/sensu.default.erb @@ -5,3 +5,8 @@ SERVICE_MAX_WAIT=<%= node["sensu"]["service_max_wait"] %> CLIENT_DEREGISTER_ON_STOP=<%= node["sensu"]["client_deregister_on_stop"] %> <%= node["sensu"]["client_deregister_handler"] ? %|CLIENT_DEREGISTER_HANDLER=#{node["sensu"]["client_deregister_handler"]}| : nil %> <%= node["sensu"]["loaded_tempfile_dir"] ? %|export SENSU_LOADED_TEMPFILE_DIR=#{node["sensu"]["loaded_tempfile_dir"]}| : nil %> + +<% unless node['sensu']['env_vars'].nil? do |k, v| -%> +<%= k %>=<%= v %> +<% end %> +<% end %> From acc92bfe17d4800bd1a7aad5d8d4cfe6d9f85250 Mon Sep 17 00:00:00 2001 From: Ben Abrams Date: Wed, 13 Mar 2019 19:04:10 -0700 Subject: [PATCH 2/2] add missing newline --- attributes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attributes/default.rb b/attributes/default.rb index d33e63d7..0de42d27 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -72,4 +72,4 @@ # inject arbitrary env vars into the sensu process default['sensu']['env_vars'] = nil -default['sensu']['etc_default_sensu']['cookbook'] = 'sensu' \ No newline at end of file +default['sensu']['etc_default_sensu']['cookbook'] = 'sensu'
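Review bot: the Security entry in the CHANGELOG.md hunk says `/etc/default/sensu` is "only readable or writable by its owner", but the recipe hunk sets `mode '400'`, which is read-only even for the owner. Say "readable only by its owner (mode 0400)" so the changelog matches the permission actually applied, and mention that this tightens the previous, umask-derived default mode, since anything that read the file as a non-root user will stop working.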
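Review bot: two documentation typos in the README.md hunk: `node['sensu']['env_vars]` is missing its closing quote (it should read `node['sensu']['env_vars']`), and "sensu proces" should be "sensu process". The commit message also spends several paragraphs explaining why secrets should not be placed in this attribute (node attributes are readable by anyone with chef access, including any sudoer via `sudo chef-shell -z`) and how to use `node.run_state` with a wrapper template instead; that guidance belongs in the README entry for `env_vars`, where users will actually see it, not only in the commit history.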
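Review bot: in the attributes/default.rb hunk, defaulting `default['sensu']['env_vars']` to `nil` rather than `{}` forces the template to special-case the nil value and means a wrapper cookbook must replace the whole attribute instead of adding keys; with `{}` the template can iterate unconditionally and role, environment and wrapper attributes merge per key through normal attribute precedence. The second patch only adds the missing trailing newline, which is fine.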
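Review bot: `mode '400'` with `user 'root'` / `group 'root'` in the recipes/_linux.rb hunk needs to be checked against how `/etc/default/sensu` is actually consumed on each supported platform: it is only safe if the init script or unit that sources the file does so as root before dropping to the `sensu` user; a service that sources it while already running as `sensu` will silently lose every setting in it, including the new env vars. Also, the resource previously set no `mode`, so existing nodes move from the umask-derived default to 0400 in one run; that is the right direction for a file that can hold secrets, but it is a visible behaviour change and should be stated in the README next to `env_vars`. Minor: the documented property name on `template` is `owner`, so prefer `owner 'root'` over `user 'root'` for consistency with the rest of the cookbook.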
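Review bot: the loop added in the templates/default/sensu.default.erb hunk never iterates, so no env vars are rendered: in `<% unless node['sensu']['env_vars'].nil? do |k, v| -%>` the `do |k, v| ... end` block attaches to the `nil?` call, which ignores it, and the second `<% end %>` only closes the `unless`. Replace the four lines with something like `<% (node['sensu']['env_vars'] || {}).each do |k, v| -%>` / `export <%= k %>=<%= v.to_s.shellescape %>` / `<% end -%>`. Two further points on the same lines: the existing `SENSU_LOADED_TEMPFILE_DIR` line above uses `export`, while the new lines do not, so whether these values reach the sensu process depends on the init script exporting them; and because this file is sourced by `sh`, an unquoted value containing spaces, `$`, `;` or quotes either breaks the file or runs as shell, so values should be shell-escaped (`String#shellescape` after `require 'shellwords'`) and keys restricted to `[A-Za-z_][A-Za-z0-9_]*`.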
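The commit message recommends keeping secrets out of node attributes by reading them from `node.run_state` in a wrapper-cookbook template selected via `node['sensu']['etc_default_sensu']['cookbook']`. The following is an added, stand-alone Ruby illustration of that approach; it is example code, not part of the sensu cookbook or of this patch. `RUN_STATE` is a constructed stand-in for `node.run_state` (its values, including the one with shell metacharacters, are made up), `TEMPLATE` stands in for the wrapper's own `sensu.default.erb`, and `render_env_file`, `parse_env_file`, `secure_mode?` and `env_file_secure?` are helpers named here for the example. `ERB`, `shellescape` and `shellsplit` are Ruby standard library.

```ruby
require 'erb'
require 'shellwords'

# Constructed stand-in for node.run_state in a wrapper cookbook. In a real
# wrapper a recipe would fill it at converge time, e.g.
#   node.run_state['sensu_env'] = { 'RABBITMQ_PASSWORD' => vault_read(...) }
# run_state is never saved back to the Chef server, so the secret is not
# queryable through node attributes.
RUN_STATE = {
  'sensu_env' => {
    # constructed value that deliberately contains shell metacharacters
    'RABBITMQ_PASSWORD' => 's3cr3t pa$$word;rm -rf /',
    'SENSU_API_TOKEN'   => 'abc123',
  },
}.freeze

# /etc/default/sensu is sourced by sh, so only POSIX variable names are
# accepted; anything else could terminate the assignment and inject a command.
VAR_NAME = /\A[A-Za-z_][A-Za-z0-9_]*\z/.freeze

# Stand-in for the wrapper's templates/default/sensu.default.erb. Every value
# is shell-escaped and exported so it reaches the sensu process intact.
TEMPLATE = <<~'ERB'
  # Managed by Chef. Contains secrets: keep mode 0400, owner root:root.
  <% env_vars.each do |k, v| -%>
  export <%= k %>=<%= v.to_s.shellescape %>
  <% end -%>
ERB

# Render the env file from a hash, refusing unsafe variable names.
def render_env_file(env_vars)
  bad = env_vars.keys.map(&:to_s).reject { |k| k.match?(VAR_NAME) }
  raise ArgumentError, "invalid env var name(s): #{bad.inspect}" unless bad.empty?

  ERB.new(TEMPLATE, trim_mode: '-').result_with_hash(env_vars: env_vars)
end

# Read a rendered file back the way sh would, to prove the escaping
# round-trips (keys and values come back byte-for-byte).
def parse_env_file(text)
  text.each_line.with_object({}) do |line, acc|
    next unless line.start_with?('export ')

    name, value = line.chomp.delete_prefix('export ').split('=', 2)
    acc[name] = Shellwords.shellsplit(value).first
  end
end

# Pure check mirroring the recipe's mode '400' / root:root requirement.
def secure_mode?(mode, uid, gid)
  (mode & 0o777) == 0o400 && uid.zero? && gid.zero?
end

# Same check against a file on disk (e.g. an InSpec-style post-converge test).
def env_file_secure?(path)
  st = File.stat(path)
  secure_mode?(st.mode, st.uid, st.gid)
end

if __FILE__ == $PROGRAM_NAME
  out = render_env_file(RUN_STATE['sensu_env'])
  puts out
  abort 'round-trip failed' unless parse_env_file(out) == RUN_STATE['sensu_env']
end
```

Inside a real Chef template `node` is available, so the wrapper's ERB can read `node.run_state['sensu_env']` directly in place of the `env_vars` local used here; the recipe that populates `run_state` must run before the `template "/etc/default/sensu"` resource converges. `env_file_secure?` is the check to run after convergence to confirm the 0400 root:root permissions from the recipe actually landed.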