sensu / sensu-remediation-handler

Sensu Go handler for implementing "self healing" workflows
MIT License

sudo: no tty present and no askpass program specified #11

Closed masifpak closed 4 years ago

masifpak commented 4 years ago

I am trying to start the crond service using the remediation handler but am facing this issue.

sudo: no tty present and no askpass program specified

seifer44 commented 4 years ago

This is a problem with your sudoers file, not the handler. Add NOPASSWD to your sudoers file, and you should be fine. Something like this, if you're cool with the sensu account impersonating anyone.

sensu ALL = (ALL) NOPASSWD:ALL

EDIT: Also this.

Defaults:sensu !requiretty

asachs01 commented 4 years ago

/me grimaces.

While that works, I don't know that it would be considered best practice. #12 and #13 discuss adding a note to add the sensu to sudoers, but in reality, that usage in sudoers should be scoped to the commands that the sensu user needs to run, and not just grant it unrestricted access. There's been an ongoing conversation about this sort of thing in the Sensu community, and we'd love y'all's input on that conversation. I think there's also some room for us to be prescriptive in how we recommend setting up sensu as part of sudoers.

seifer44 commented 4 years ago

My response was meant to illustrate the NOPASSWD and !requiretty portions more so than to recommend giving the sensu account global admin access. It should be up to the administrator to understand the implications of granting sudo access, and how to properly restrict it.

With the issue in #12 and #13 as a whole, I think that providing a recommendation to the scope of sudo access that the sensu user has should probably be considered a "loose" suggestion. Everyone is going to have different requirements for their remediation tasks, after all.

asachs01 commented 4 years ago

Ah! Gotcha. I completely agree that admins should understand the implications of what they do when they're copying examples. And yeah, our recommendations would definitely be loose ones.

That said, since this is really more of an issue with the system that @masifpak is using, I'll close this out and defer to your advice @seifer44.
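The scoping point raised in the thread, as an added example that is not part of the original issue or the project's code: a small audit that flags sudoers rules giving an account `ALL` commands, run against the broad rule quoted above and a scoped alternative. The sample files are constructed, and the `/usr/bin/systemctl` path, the `(root)` runas target and the assumption that the remediation runs `sudo systemctl start crond` are illustrative; the parser is simplified (single-line rules, no aliases or %group entries).

```shell
#!/bin/sh
# audit_sudoers USER FILE
# Prints "LINE_NO: rule" for each rule that lets USER run ALL commands.
# Returns 0 when every rule for USER is scoped, 1 otherwise.
audit_sudoers() {
    awk -v u="$1" '
        $1 == u {
            # Everything after the first "=" is the runas/tag/command spec.
            spec = substr($0, index($0, "=") + 1)
            gsub(/\([^)]*\)/, "", spec)   # drop the (runas) part
            gsub(/[A-Z_]+:/, "", spec)    # drop tags such as NOPASSWD:
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c == "ALL") { print NR ": " $0; bad = 1; break }
            }
        }
        END { exit bad + 0 }
    ' "$2"
}

# Constructed sample drop-ins (in practice, files under /etc/sudoers.d/).
tmp=$(mktemp -d)

# The rule from the thread: no password, no tty, any command as any user.
cat > "$tmp/broad" <<'EOF'
Defaults:sensu !requiretty
sensu ALL = (ALL) NOPASSWD:ALL
EOF

# Scoped alternative: only the one command the remediation needs, as root.
cat > "$tmp/scoped" <<'EOF'
Defaults:sensu !requiretty
sensu ALL = (root) NOPASSWD: /usr/bin/systemctl start crond
EOF

audit_sudoers sensu "$tmp/broad"  || echo "broad: sensu is unrestricted"
audit_sudoers sensu "$tmp/scoped" && echo "scoped: ok"
```

Syntax-check any real drop-in with `visudo -cf <file>` before installing it; a sudoers file that fails to parse can lock out sudo entirely.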