@jspaleta
Last active March 28, 2019 19:32
Using sudo with sensu user for Sensu Go handlers

1. Set up sudoers using visudo on the system hosting the sensu-go backend

sudo visudo

2. Add sudoers directives to allow the sensu group to run a command without a password

Ex: control nginx service

### Allow sensu group to control nginx service without requiring a password
%sensu ALL=NOPASSWD:/usr/bin/systemctl stop  nginx.service
%sensu ALL=NOPASSWD:/usr/bin/systemctl stop  nginx
%sensu ALL=NOPASSWD:/usr/bin/systemctl start nginx.service
%sensu ALL=NOPASSWD:/usr/bin/systemctl start nginx
%sensu ALL=NOPASSWD:/usr/bin/systemctl restart nginx.service
%sensu ALL=NOPASSWD:/usr/bin/systemctl restart nginx

Note: both nginx.service and nginx are listed explicitly, so either calling syntax will work under sudo

3. Test sudo under sensu user with sudo su

Run these invocations as your normal user to test the sensu user's ability to use sudo to control nginx

This assumes your normal user has sudo access to run the su command

sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl restart nginx'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl restart nginx.service'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl stop nginx'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl start nginx.service'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl start nginx'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl stop nginx.service'

Note: use systemctl status nginx between invocations to examine state of nginx service

Note: the su -s option to set the shell is required for the sensu user, as the sensu user is defined without a login shell in /etc/passwd

Note: the sudo -S option is required to instruct sudo to use stdin as this calling sequence runs sudo disconnected from a valid tty

4. Configure handler to use sudo

Ex: handler to stop nginx service

type: Handler
api_version: core/v2
metadata:
  name: nginx-stop
  namespace: default
spec:
  command: sudo -S systemctl stop nginx
  env_vars: []
  filters: []
  handlers: []
  runtime_assets: []
  timeout: 30
  type: pipe

Note: the sudo -S option is required to instruct sudo to use stdin as this calling sequence is disconnected from a tty
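
The rules in step 2 are narrow because each one pins an absolute command path and literal arguments; a rule that names only /usr/bin/systemctl would let the sensu group run any systemctl subcommand as root. The following lint is an added example, not part of the original gist: the function name audit_sensu_sudoers and the RISKY_RULES sample are constructed for illustration, and it only inspects lines that start with %sensu.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not from the gist or from Sensu).
# Lint sudoers rules for the sensu group; reads sudoers text on stdin.
# Prints one finding per risky command and nothing when every command is an
# absolute path followed by literal arguments, as in the step 2 rules.
audit_sensu_sudoers() {
  awk '
    /^[ \t]*#/ || !/^%sensu[ \t]/ { next }      # skip comments, other principals
    {
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)            # drop "%sensu ALL="
      sub(/^\([^)]*\)[ \t]*/, "", spec)         # drop optional (runas) spec
      n = split(spec, cmds, /[ \t]*,[ \t]*/)    # a rule may list several commands
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        while (sub(/^[A-Z_]+:[ \t]*/, "", c)) ; # drop tags such as NOPASSWD:
        sub(/[ \t]+$/, "", c)
        argc = split(c, w, /[ \t]+/)
        if (w[1] == "ALL")            print "ANY-COMMAND: " c
        else if (w[1] !~ /^\//)       print "ALIAS-OR-OTHER: " c
        else if (argc < 2)            print "ANY-ARGS: " c
        else if (index(c, "*") || index(c, "?") || index(c, "["))
                                      print "WILDCARD: " c
      }
    }'
}

# Two of the rules from step 2, then constructed risky variants for comparison.
PINNED_RULES='%sensu ALL=NOPASSWD:/usr/bin/systemctl stop  nginx.service
%sensu ALL=NOPASSWD:/usr/bin/systemctl restart nginx'
RISKY_RULES='%sensu ALL=NOPASSWD:/usr/bin/systemctl
%sensu ALL=NOPASSWD:/usr/bin/systemctl * nginx
%sensu ALL=(ALL) NOPASSWD: ALL'

printf '%s\n' "$PINNED_RULES" | audit_sensu_sudoers   # no findings
printf '%s\n' "$RISKY_RULES"  | audit_sensu_sudoers   # one finding per line
```

To check a real host, pipe the sudoers file or drop-in into the function as root, for example `sudo cat /etc/sudoers | audit_sensu_sudoers`.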
