Problem Description
Vault keeps working even after the audit log file is removed or its permissions are changed to 0000.
Solution
Based on the following bug fix, shipped with the release of Vault v1.11.0 in June 2022, Vault prevents changes to the audit log file permissions when mode 0000 is used, and Vault keeps working as expected. The reason for this fix was to stop accidental changes to the audit file permissions from sending Vault into a panic and halting it when the audit log file becomes unavailable for any reason. Even if you delete the audit log file, Vault recreates it once the service is restarted, because of the built-in audit reload function called out here. You can also observe something like the following in the operational log:
2023-01-31T11:46:06.685+0530 [DEBUG] audit: adding reload function: path=file/
2023-01-31T11:46:06.685+0530 [DEBUG] audit: file backend options: path=file/ file_path=/home/ubuntu/audit_log.log
However, the existing audit logs obviously vanish when the reload triggers, as it creates a new file with the same name for Vault to write new audit logs to. To guard against this, it is always advised to have two different audit devices enabled. You can enable the file audit device as many times as you want, each mounted at a different path on Vault. Something like:
ubuntu@test:~$ vault audit enable file file_path=/home/ubuntu/vault_audit.log
Success! Enabled the file audit device at: file/
ubuntu@test:~$ vault audit enable -path="file_1" file file_path=/home/ubuntu/vault1_audit.log
Success! Enabled the file audit device at: file_1/
ubuntu@test:~$ vault audit list -detailed
Path Type Description Replication Options
---- ---- ----------- ----------- -------
file/ file n/a replicated file_path=/home/ubuntu/vault_audit.log
file_1/ file n/a replicated file_path=/home/ubuntu/vault1_audit.log
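As an added example (not code from the Vault project or this article), the following shell check takes the text output of `vault audit list -detailed`, pulls out every `file_path=` option, and reports any audit log file that is missing or whose owner can no longer write to it (for instance after a chmod 0000). It assumes GNU coreutils `stat` and a running Vault only for the final usage line.

```shell
#!/bin/sh
# Added example: defender-side health check for Vault file audit devices.
# Assumes GNU coreutils `stat` (-c '%a' prints the octal permission bits).

# audit_file_paths < LISTING
# Prints the file_path= value of every file audit device in the listing,
# one per line (paths are assumed to contain no whitespace).
audit_file_paths() {
    sed -n 's/.*file_path=\([^[:space:]]*\).*/\1/p'
}

# check_audit_file PATH
# Exit status: 0 = present and owner-writable, 1 = missing, 2 = owner
# write bit cleared (the mode-0000 case the article describes).
check_audit_file() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # stat prints e.g. "644", or "0" for mode 0000; pad to four digits so
    # the owner digit is always the second character.
    mode=$(printf '%04d' "$(stat -c '%a' "$path")")
    owner=$(printf '%s' "$mode" | cut -c2)
    case "$owner" in
        2|3|6|7) echo "OK       $path (mode $mode)"; return 0 ;;
        *)       echo "NOWRITE  $path (mode $mode)"; return 2 ;;
    esac
}

# check_audit_listing < LISTING
# Checks every file audit device in the listing and returns the number of
# devices whose log file is missing or not writable by its owner.
check_audit_listing() {
    failures=0
    for p in $(audit_file_paths); do
        check_audit_file "$p" || failures=$((failures + 1))
    done
    return "$failures"
}

# Stand-alone use against a live Vault (VAULT_ADDR / VAULT_TOKEN set):
#   vault audit list -detailed | check_audit_listing
```

A non-zero exit status from `check_audit_listing` is the signal to alert on; with two file audit devices enabled, one device failing still leaves the other recording.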