What’s still not clear to me, and what doesn’t seem to be clear to other either 1 2, is:
- Executing checks with commands from assets with sudo
- Having the
sensuuser be able to find the path to commands from assets
With Sensu Core, I added secure_path to sudoers. I cannot do the same with Sensu Go, as the path to an asset is unknown (/var/cache/sensu/sensu-agent/$somethingunknown). Then, I would allow the sensu user to execute anything in /opt/sensu/embedded/bin, which I - again - cannot do as the path to asset’s commands are unknown.
How are others solving this issue?