sensu / sensu-ansible

An Ansible role to deploy a fully dynamic Sensu stack!
https://ansible-sensu.readthedocs.io
MIT License

roles is not working with hardening umask #94

Closed roumano closed 6 years ago

roumano commented 7 years ago

With a hardening umask, the role is not working due to 2 failing parts:

ssl part

I have modified the ssl.yml to add mode:

- block:
  - name: Ensure Sensu SSL directory exists
    file:
      dest: "{{ sensu_config_path }}/ssl"
      state: directory
      owner: "{{ sensu_user_name }}"
      group: "{{ sensu_group_name }}"
      mode: "0755"
    when: sensu_ssl_gen_certs and sensu_ssl_manage_certs

  - include: ssl_generate.yml
    when: sensu_ssl_gen_certs
    static: false

  - name: Deploy the Sensu client SSL cert/key
    copy:
      src: "{{ item.src }}"
      owner: "{{ sensu_user_name }}"
      remote_src: "{{ sensu_ssl_deploy_remote_src }}"
      group: "{{ sensu_group_name }}"
      dest: "{{ sensu_config_path }}/ssl/{{ item.dest }}"
      mode: "{{ item.perm }}"
    with_items:
      - { src: "{{ sensu_ssl_client_cert }}", dest: cert.pem, perm: "0644" }
      - { src: "{{ sensu_ssl_client_key }}", dest: key.pem, perm: "0640" }
    notify: restart sensu-client service
  when: sensu_ssl_manage_certs

--> This modification can also improve security: previously, if the umask was too open, the key.pem was readable by everybody.

plugins part

(We use sensu_user_name = sensu.) sensu-install -p will install plugins not readable by everybody; my modification:

  - name: Ensure any remote plugins defined are present
    shell: umask 0022; sensu-install -p {{ item }}
    with_items: "{{ sensu_remote_plugins }}"
    changed_when: false
    when: sensu_remote_plugins > 0
roumano commented 7 years ago

If it's installing plugins with a "bad" umask, the sensu service fails to start:

/etc/init.d/sensu-client start
Starting sensu-client/opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/stub_specification.rb:111:in `initialize': Permission denied @ rb_sysopen - /opt/sensu/embedded/lib/ruby/gems/2.3.0/specifications/net-ldap-0.11.gemspec (Errno::EACCES)
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/stub_specification.rb:111:in `open'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/stub_specification.rb:111:in `data'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/stub_specification.rb:202:in `valid?'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/specification.rb:749:in `select'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/specification.rb:749:in `gemspec_stubs_in'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/specification.rb:774:in `block in map_stubs'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/specification.rb:771:in `each'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/specification.rb:771:in `flat_map'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/specification.rb:771:in `map_stubs'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/specification.rb:763:in `installed_stubs'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/specification.rb:831:in `stubs'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/specification.rb:1036:in `find_by_path'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems.rb:209:in `try_activate'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/core_ext/kernel_require.rb:126:in `rescue in require'
    from /opt/sensu/embedded/lib/ruby/site_ruby/2.3.0/rubygems/core_ext/kernel_require.rb:40:in `require'
    from <internal:gem_prelude>:6:in `<internal:gem_prelude>'
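The umask effect described in the two comments above (ssl directory and key modes following the caller's umask, and gem specifications left unreadable to the service user), as an added example; this is not code from the sensu-ansible role. It assumes GNU coreutils (stat -c, install -m) and uses constructed scratch paths instead of the real /opt/sensu tree.

```shell
#!/usr/bin/env bash
# Added example, not code from the sensu-ansible role: shows how the caller's
# umask decides the mode of files a task creates, how an explicit mode (the
# ssl.yml fix) and a per-command umask (the sensu-install fix) override it,
# and how to audit a tree for the two failure modes reported in this issue.
# All paths are constructed scratch paths, not the real /opt/sensu layout.
set -euo pipefail

# Create a file or directory under the given umask and print its octal mode.
created_mode() {                     # created_mode <umask> <path> <file|dir>
  local um="$1" path="$2" kind="$3"
  ( umask "$um"; if [ "$kind" = dir ]; then mkdir -p "$path"; else : > "$path"; fi )
  stat -c '%a' "$path"
}

# Copy with an explicit mode, like the role's copy/file tasks once mode is set:
# install(1) applies -m after creating the file, so the umask no longer matters.
deploy_with_mode() {                 # deploy_with_mode <umask> <src> <dst> <mode>
  local um="$1" src="$2" dst="$3" mode="$4"
  ( umask "$um"; install -m "$mode" "$src" "$dst" )
  stat -c '%a' "$dst"
}

# Run a command with a relaxed umask, like "shell: umask 0022; sensu-install -p".
run_with_umask() {                   # run_with_umask <umask> <cmd> [args...]
  local um="$1"; shift
  ( umask "$um"; "$@" )
}

# Audit 1: plugin/gem files must be world-readable, otherwise a service user
# other than the installer gets the Errno::EACCES seen in the traceback above.
# Prints each offender and returns 1 if any exist.
audit_world_readable() {
  local offenders
  offenders=$(find "$1" -type f ! -perm -004)
  [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}

# Audit 2: the client key must never be readable by "other".
audit_key_private() {
  [ -f "$1" ] && ! find "$1" -perm -004 | grep -q .
}
```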
cjchand commented 6 years ago

@roumano Sorry for the delay. We've recently gotten folks dedicated to supporting this repo, hence the delay. Again, apologies for that.

Can you elaborate on what umask was set and what OS you're installing on so I can take a look?

Also, I might be misunderstanding you, but generally the sensu user is the only one that really needs to use anything in /opt/sensu/embedded (which is where sensu-install -p drops stuff). Are you saying that the Sensu user can't see stuff in there without setting umask 022 as you run sensu-install -p?

Thanks in advance!

roumano commented 6 years ago

Hi, we use a hardened Linux (with umask: '027'). We deploy Sensu on:

For me, it's mandatory to set the mode in the SSL tasks, as we are never sure about the default umask, and if it's not the default one, it can create a security issue (SSL file readable by everyone, or Sensu not working as the SSL file is not readable).

Due to this issue (and some others, #93), we have a role diverged from your existing role, but if you want, I can share ours...

Regards

jaredledvina commented 6 years ago

Hey @roumano,

I would definitely be game for checking out a PR for this change if you're able to. Additionally, if you've diverged other useful/interesting things, feel free to PR back here if you're open to it.

jaredledvina commented 6 years ago

https://github.com/sensu/sensu-ansible/pull/132 should have taken care of this, let me know if you hit anything else!