I work at a company and many employees have access to our Sensu server. In the /etc/sensu/conf.d directory, we have JSON files that contain the commands for our checks to run. However, some of these commands contain sensitive information that I don't want other users to be able to see. What would be the best way to hide the information in the commands?
Can they access the folders as root or the sensu user? Otherwise it is just a matter of changing the permissions on the sensu folder so that only sensu (and root) can open and read it. (You should already have it configured like this if you have any security concerns at your company) – Kobbe May 03 '16 at 18:50
2 Answers
1
I can think of 3 solutions:
You would need to add secret management to your checks. This usually involves setting up secret management software, such as Vault, to manage access to the secrets via an API. This keeps all secrets off the servers.
Another practice we have used is Chef Encrypted Data Bags. This will bring your secrets onto the server, but they are more secure than putting them in version control.
The easiest solution is to just lock down the directories on the server and keep them in plain text.

Ken Brittain
1
If people only have access to your Sensu server and not the clients, you can pass the passwords as a client custom parameter. This way they will be stored in the client config file on the client and will not be visible on the server.

Rick Rackow
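The following is an added example, not code from the question or either answer, illustrating both suggestions above: the "lock down the directories" option from the first answer and the "client custom parameter" option from the second. It assumes the Sensu Core 1.x check token syntax `:::path.to.attribute|default:::`, where the server-side check definition holds only a placeholder and the client substitutes the real value from its own `client.json` at execution time. The file names, the `check-mysql-alive.rb` command and the credential values are constructed for the demo; `substitute_tokens`, `world_readable` and `write_private` are illustrative helpers, not Sensu's own code, and for simplicity both JSON files are written into one temporary directory rather than to the server and client separately.

```python
"""Added example (not from the original Q&A): a Sensu 1.x-style check token
substitution, showing that the secret lives only in the client's own config,
plus a permissions audit of the conf.d directory.

Assumptions not stated on the page: the ':::key|default:::' token syntax of
Sensu Core 1.x and the constructed file names and credential values below."""
import json
import os
import re
import stat
import tempfile

# One token: ':::dotted.key:::' or ':::dotted.key|default:::'
TOKEN_RE = re.compile(r":::([^|:]+)(?:\|([^:]*))?:::")


def lookup(attrs, dotted):
    """Walk a dotted path such as 'mysql.password' through nested dicts."""
    cur = attrs
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def substitute_tokens(command, client_attrs):
    """Replace each token with the client attribute it names.

    Returns (command, unmatched). A token with neither a client value nor a
    default is left in place and reported in 'unmatched', so a check that
    would run with a missing credential can be refused instead of executed."""
    unmatched = []

    def repl(match):
        key, default = match.group(1), match.group(2)
        value = lookup(client_attrs, key)
        if value is None:
            if default is None:
                unmatched.append(key)
                return match.group(0)
            return default
        return str(value)

    return TOKEN_RE.sub(repl, command), unmatched


def world_readable(paths):
    """Return the files that a user other than the owner could read."""
    return [p for p in paths
            if stat.S_IMODE(os.stat(p).st_mode) & (stat.S_IRGRP | stat.S_IROTH)]


def write_private(path, data):
    """Write JSON with mode 0600 from creation, so there is never a window in
    which the file is readable by others; re-apply the mode for existing files."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(data, f, indent=2)
    os.chmod(path, 0o600)


def demo(confd=None):
    """Build a server-side check definition and a client config, resolve the
    command the client would run, and audit the directory's file modes."""
    confd = confd or tempfile.mkdtemp(prefix="sensu-conf.d-")
    # Server side: only placeholders, nothing secret to read here.
    check = {"checks": {"mysql_alive": {
        "command": ("check-mysql-alive.rb -h :::mysql.host|localhost::: "
                    "-u :::mysql.user::: -p :::mysql.password:::"),
        "subscribers": ["mysql"], "interval": 60}}}
    # Client side: the credential is a custom attribute of the client itself.
    client = {"client": {"name": "db01", "subscriptions": ["mysql"],
                         "mysql": {"user": "sensu",
                                   "password": "s3cr3t-constructed"}}}
    write_private(os.path.join(confd, "check_mysql.json"), check)
    write_private(os.path.join(confd, "client.json"), client)
    command, unmatched = substitute_tokens(
        check["checks"]["mysql_alive"]["command"], client["client"])
    leaks = world_readable(os.path.join(confd, f) for f in os.listdir(confd))
    return {"command": command, "unmatched": unmatched,
            "world_readable": leaks, "dir": confd}


if __name__ == "__main__":
    result = demo()
    print("client would run:", result["command"])
    print("unmatched tokens:", result["unmatched"])
    print("world-readable files:", result["world_readable"])
```

Run it as-is and the resolved command contains the password only on the client side; `check_mysql.json`, the file that lives on the shared server, never does. The `world_readable` audit is the check to run against a real `/etc/sensu/conf.d` after applying the first answer's lockdown: anything it lists is readable by users other than `sensu` and root.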