Hiding information in conf.d command files?


#1

In my /etc/sensu/conf.d file, I have JSON files that contain the commands for my checks to run. However, some of these commands contain sensitive information that I don’t want users to be able to see. What would be the best way to hide the information in the commands?


#2

Hi there!

If I understand what you’re hoping to accomplish, Sensu provides two features for this specific use case: command token substitution, and config/logging redaction. For checks which require sensitive data to run (e.g. API tokens or username/password credentials), the configuration on the Sensu server can be set using check command tokens, which tokens can be replaced by providing the corresponding values on the client side (in the client definition). As for protecting the credentials on the clients, this can be done by securing the config directory, and setting the redact attribute to prevent the client from including any sensitive data in log files or outgoing check results.


On Tuesday, May 3, 2016 at 10:04:19 AM UTC-7, dmak…@bu.edu wrote:

In my /etc/sensu/conf.d file, I have JSON files that contain the commands for my checks to run. However, some of these commands contain sensitive information that I don’t want users to be able to see. What would be the best way to hide the information in the commands?
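Added example, not part of the original posts and not Sensu's own code: a simplified Python model of the two features described in #2, showing a server-side check definition that carries only `:::token:::` placeholders and a client definition that supplies the values and lists the keys to redact. The check name, the `check-db.sh` plugin, the `mysql` attribute names and the secret value are hypothetical, constructed for illustration.

```python
import json
import re

# Constructed server-side check (lives in conf.d on the Sensu server): no secret here.
SERVER_CHECK = json.loads("""
{"checks": {"check_db": {
  "command": "check-db.sh --host :::mysql.host|localhost::: --user :::mysql.user::: --password :::mysql.password:::",
  "subscribers": ["mysql"], "interval": 60}}}
""")
# Constructed client definition (lives only on the client, in a locked-down directory).
CLIENT = json.loads("""
{"client": {"name": "db01", "address": "10.0.0.5", "subscriptions": ["mysql"],
  "redact": ["password"],
  "mysql": {"user": "monitor", "password": "constructed-secret"}}}
""")

# :::attribute.path::: or :::attribute.path|default:::
TOKEN = re.compile(r":::([^:|]+)(?:\|([^:]*))?:::")

def lookup(client, dotted):
    """Walk a dotted attribute path (mysql.password) through the client definition."""
    node = client
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def substitute(command, client):
    """Model of client-side token substitution; returns (command, unmatched tokens)."""
    unmatched = []
    def repl(match):
        value = lookup(client, match.group(1))
        if value is None:
            value = match.group(2)          # fall back to the default, if any
        if value is None:
            unmatched.append(match.group(1))
            return match.group(0)           # leave the token visible
        return str(value)
    return TOKEN.sub(repl, command), unmatched

def redact(obj, keys):
    """Model of redaction: replace values of listed keys at any depth."""
    if isinstance(obj, dict):
        return {k: "REDACTED" if k in keys else redact(v, keys) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, keys) for v in obj]
    return obj
```

A command with unmatched tokens should be treated as a failed check rather than executed with the placeholder still in it.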


#3

Thank you, this is very helpful!


On Tuesday, May 3, 2016 at 2:41:18 PM UTC-4, Caleb Hailey wrote:

Hi there!

If I understand what you’re hoping to accomplish, Sensu provides two features for this specific use case: command token substitution, and config/logging redaction. For checks which require sensitive data to run (e.g. API tokens or username/password credentials), the configuration on the Sensu server can be set using check command tokens, which tokens can be replaced by providing the corresponding values on the client side (in the client definition). As for protecting the credentials on the clients, this can be done by securing the config directory, and setting the redact attribute to prevent the client from including any sensitive data in log files or outgoing check results.
