Because monitoring requires some degree of access to your applications, it’s important that you take certain steps to ensure the right amount of access without compromising your app’s security. In this first in a series of posts, we’ll go over some high-level best practices to securing Sensu, followed by a webinar later this month which will offer a deeper dive into setting up certificates.
Don’t let those bad actors in!
5 tips for more secure monitoring
Here are some essential best practices for securing Sensu:
1. Secure network communications
All Sensu network communication can be configured to use TLS. Securing the API and dashboard should be your first priority, since this traffic will contain user authentication traffic. Your next step should then be to secure the agent to backend network traffic, which will protect your agent user password from compromise as well as make sure that all check output and other data submitted by the agents is secure. Finally, if you are running a cluster for your Sensu backend, you can choose to encrypt the etcd peer-to-peer communication.
All of these secure communications efforts have one thing in common: the need for certificates from a Certificate Authority (CA). You can choose to use self-signed certificates, certificates generated by a public CA such as Let's Encrypt, or, if you have one, an internal CA. This process may be unfamiliar to some of you, we walk you through setting up a custom CA in a webinar and show you it’s not as difficult as it sounds (watch it below!).
This configuration is something you will want to plan for as you begin your deployment of Sensu. Some of these configurations, such as securing the etcd peer communication, cannot be accomplished once your cluster is operational.
For more information, check out:
2. Don’t use the default password(s)
If you started using Sensu prior to version 5.16, the admin user was pre-created with a default password, which hopefully you have changed by now. If not, that should be your first course of action.
sensuctl user change-password admin --new-password "SfkxvCm235Xw3qRG"
If you are creating your Sensu backend cluster from scratch, be sure to use a strong password when creating the default user. Below is how you would do so when running
sensu-backend init for clusters running 5.16 or newer.
The other default password in Sensu is the one used by the agents to connect to the backend. Since it affects all of your agents, changing this one is a little more involved. This is something you should consider doing early on in your deployment before you have too many agents deployed that would need to have their passwords updated. Once you change the password for the agent, any agent restarts or new agents will require the new password. Existing agent connections will continue to function.
sensuctl user change-password agent --new-password "KbxdBf56bPNGwKzQ"
3. Enable SSO
The need for strong passwords for Sensu users extends to any of the operators that will need access to your monitoring environment, whether via the dashboard, API, or the CLI tool, sensuctl. With a large number of operators, managing them individually within Sensu could prove burdensome. Thankfully, Sensu can make use of your existing authentication providers — Sensu supports AD, LDAP, and OIDC.
For more information, check out our documentation on authentication.
4. Use RBAC
One of the best ways to leverage SSO is via role-based access control (RBAC). With RBAC you can provide granular access to Sensu resources. For example, you can use AD/LDAP group memberships to allow access to different namespaces and/or to determine what level of access is authorized within those namespaces.
In addition, API keys can be created for users, whether local or SSO. In addition to being handy for operators, API keys are great for creating webhooks via the Sensu API.
For more information, check out:
- RBAC documentation
- API Keys documentation
- Blog post and webinar on RBAC in Sensu Go
- Jef Practice: Reusable RBAC to setup team namespace for self-service monitoring
5. Use mutual TLS (mTLS) authentication
Sensu agent TLS authentication was introduced in version 5.14 and allows the Sensu agent to authenticate to the backend without the need for username and password authentication. Using mTLS for some agents does not preclude you from using the agent username/password combo on others, so this security change can be rolled out to your environment incrementally.
For more information, check out our documentation on Sensu agent TLS authentication.
Going forward: stay tuned for more security topics
We hope you found these quick tips useful in terms of thinking about how you’ll secure your monitoring setup. Don’t forget to check out our webinar on setting up client certs and stay tuned for future posts that will dive deeper into some of these best practices.