
generate-root command is not an auditable action #1142

Closed
mwielgoszewski opened this issue Feb 26, 2016 · 6 comments
@mwielgoszewski
Contributor

The generate-root command does not write any entries to the audit log when invoked. Your best chance of capturing this information is by ensuring log-level is set to info on the servers. The following information should be captured upon first and subsequent invocations of the command:

  • pgp-key fingerprint
  • current progress
  • nonce
  • hmac-sha256 of the unseal key or the pgp-key fingerprint the unseal key was encrypted to during vault initialization

In some organizations, unseal key holders are not necessarily administrators or even operators of Vault, so knowing who among the unseal key holders performed the operation is pretty important.

@jefferai jefferai added this to the future milestone Feb 26, 2016
@jefferai
Member

Hi @mwielgoszewski

I don't really follow what you mean by this statement: "Your best chance of capturing this information is by ensuring log-level is set to info on the servers." Whose best chance, exactly? What are you seeing in the info log level that you think relevant to this?

Thanks!

@mwielgoszewski
Contributor Author

The only reason I was alerted to an (authorized) invocation of the generate-root command, was because I redirect stdout/stderr to a log file, and the -log-level is set to info. If this command line argument to vault server had been set to warn, I would not have been alerted to this.

@pearkes pearkes closed this as completed Apr 19, 2016
@jefferai jefferai reopened this Apr 19, 2016
@mwielgoszewski
Contributor Author

@jefferai any thoughts on auditing these events via the mounted audit backend log? The only way to know the unseal key holders generated a root token is by capturing log messages sent to stdout/stderr, which is not ideal.

2016/12/27 08:49:46.646618 [INFO ] core: root generation initialized: nonce=1d119aa6-806e-d4e2-0c66-0836228c55bc
2016/12/27 08:51:17.781336 [INFO ] core: root generation finished: nonce=1d119aa6-806e-d4e2-0c66-0836228c55bc
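The stdout/stderr workaround described in the comment above, and the audit-record shape requested in the opening post, as an added example that is not part of this issue or of Vault's own code. It parses server log lines of the exact format quoted above (the two quoted lines plus constructed filler and a constructed all-zero placeholder nonce), pairs "initialized" with "finished" by nonce so an abandoned root generation stands out, and shows how a sensitive value such as an unseal key share or PGP fingerprint would be recorded as an HMAC-SHA256 under a deployment salt rather than in the clear. The `HMACValue` function, the salt, and the `Session` record are assumptions of this example, not Vault's audit format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"time"
)

// RootGenEvent is one "root generation" line from the Vault server log.
type RootGenEvent struct {
	Time  time.Time
	Phase string // "initialized" or "finished"
	Nonce string
}

// lineRe matches the server-log format quoted in the issue:
// 2016/12/27 08:49:46.646618 [INFO ] core: root generation initialized: nonce=<uuid>
var lineRe = regexp.MustCompile(
	`^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[INFO \] core: root generation (initialized|finished): nonce=([0-9a-f-]+)$`)

const timeLayout = "2006/01/02 15:04:05.999999"

// SampleLines is constructed input: the two lines quoted in the issue, one
// unrelated filler line, and an "initialized" line (all-zero placeholder
// nonce) that never reaches "finished".
var SampleLines = []string{
	"2016/12/27 08:49:46.646618 [INFO ] core: root generation initialized: nonce=1d119aa6-806e-d4e2-0c66-0836228c55bc",
	"2016/12/27 08:49:47.000000 [INFO ] core: constructed filler line, not a root-generation event",
	"2016/12/27 08:51:17.781336 [INFO ] core: root generation finished: nonce=1d119aa6-806e-d4e2-0c66-0836228c55bc",
	"2016/12/27 09:10:00.000000 [INFO ] core: root generation initialized: nonce=00000000-0000-0000-0000-000000000000",
}

// ParseRootGenEvents extracts root-generation events from raw log lines and
// ignores everything else (this is the only signal the server log offers).
func ParseRootGenEvents(lines []string) []RootGenEvent {
	var out []RootGenEvent
	for _, l := range lines {
		m := lineRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		t, err := time.Parse(timeLayout, m[1])
		if err != nil {
			continue
		}
		out = append(out, RootGenEvent{Time: t, Phase: m[2], Nonce: m[3]})
	}
	return out
}

// Session pairs an "initialized" event with its "finished" event by nonce.
// Complete stays false for a generation that was started but never finished.
type Session struct {
	Nonce    string
	Started  time.Time
	Finished time.Time
	Complete bool
}

// CorrelateSessions groups events by nonce, preserving first-seen order.
func CorrelateSessions(events []RootGenEvent) []Session {
	byNonce := map[string]*Session{}
	var order []string
	for _, e := range events {
		s, ok := byNonce[e.Nonce]
		if !ok {
			s = &Session{Nonce: e.Nonce}
			byNonce[e.Nonce] = s
			order = append(order, e.Nonce)
		}
		switch e.Phase {
		case "initialized":
			s.Started = e.Time
		case "finished":
			s.Finished = e.Time
			s.Complete = true
		}
	}
	out := make([]Session, 0, len(order))
	for _, n := range order {
		out = append(out, *byNonce[n])
	}
	return out
}

// HMACValue renders a sensitive value (unseal key share, PGP fingerprint) the
// way the issue asks for it to appear in an audit entry: as HMAC-SHA256 under
// a per-deployment salt, so the entry identifies which holder acted without
// leaking the value itself. The salt is an assumption of this example.
func HMACValue(salt []byte, value string) string {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(value))
	return "hmac-sha256:" + hex.EncodeToString(mac.Sum(nil))
}

func main() {
	salt := []byte("example-audit-salt") // constructed; never reuse a real one
	for _, s := range CorrelateSessions(ParseRootGenEvents(SampleLines)) {
		status := "INCOMPLETE (started, never finished)"
		if s.Complete {
			status = fmt.Sprintf("complete in %s", s.Finished.Sub(s.Started))
		}
		// The fingerprint here is a constructed stand-in for the holder's PGP key.
		fmt.Printf("nonce=%s %s holder=%s\n", s.Nonce, status, HMACValue(salt, "constructed-fingerprint"))
	}
}
```

Run it against the server's redirected stdout/stderr file (`go run main.go < vault.log` after swapping `SampleLines` for a line reader) and alert on any session that stays incomplete or on any session at all, since every root generation should correspond to a known change ticket.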

@jefferai
Member

@mwielgoszewski We have some work done already on a capability that will allow you to know which unseal key holders unsealed Vault (or generated a root token). Once this gets added, I think we will look at also generating audit log messages for these actions. I'm not yet sure if it will be possible for unseal (that may just have to stay in the log) but should be possible for generate-root since that is done against a live Vault server.

I'll add it to the next milestone but may slip depending on when this code gets finished and merged.

@jefferai jefferai modified the milestones: 0.6.5, future Dec 28, 2016
@vishalnayak
Contributor

This is being tracked in #2244

@jefferai
Member

Closing in favor of #2244
