Introduction
The Vault audit logs contain the full request and response objects for every authenticated interaction with Vault. Most strings within these objects are hashed with HMAC-SHA256 using the audit device's salt, so sensitive information is not stored in plaintext. You can still confirm whether a given secret value appears in the logs by generating the HMAC yourself: the /sys/audit-hash API endpoint applies the audit device's hash function and salt to the input you supply.
Procedure
The Vault /sys/audit-hash/:path API endpoint calculates the hash of data as an audit device would record it. The endpoint hashes the given input with the specified audit device's hash function and salt.
To demonstrate this example, first enable an audit device:
vault audit enable -path=example-audit file file_path=/var/log/vault/audit.log
vault audit list --detailed
Path Type Description Replication Options
---- ---- ----------- ----------- -------
example-audit/ file n/a replicated file_path=/var/log/vault/audit.log
Next, enable a KV secrets engine and store a secret within the engine:
vault secrets enable -path=kv1 kv
Create a secret at the path test with the key/value of name=my-secret-vault:
vault kv put kv1/test name=my-secret-vault
Success! Data written to: kv1/test
vault kv get kv1/test
==== Data ====
Key Value
--- -----
name my-secret-vault
With the above operations, Vault logs the requests and responses in the audit device enabled earlier; however, the sensitive values are hashed in the logs. Using the /sys/audit-hash API endpoint, we can generate the hash of the secret value and then search the audit logs for it. Below is an example command to find the hashed value for the value my-secret-vault:
vault write sys/audit-hash/example-audit input="my-secret-vault"
Key Value
--- -----
hash hmac-sha256:fffa7a292d3575dffd37cec1188d639336672c6e0dbd66dec7b5aeea38e79ae4
This returned value can then be used to search the Vault audit logs:
grep 'hmac-sha256:fffa7a292d3575dffd37cec1188d639336672c6e0dbd66dec7b5aeea38e79ae4' /var/log/vault/audit.log | jq
{
"auth": {
...
},
"request": {
"client_id": "0DHqvq2D77kL2/JTPSZkTMJbkFVmUu0TzMi0jiXcFy8=",
"client_token": "hmac-sha256:...",
"client_token_accessor": "hmac-sha256:...",
"data": {
"name": "hmac-sha256:fffa7a292d3575dffd37cec1188d639336672c6e0dbd66dec7b5aeea38e79ae4"
},
"id": "63ecf86d-7a09-9316-0107-0032eccbb89a",
"mount_accessor": "kv_365e3043",
"mount_class": "secret",
"mount_point": "kv1/",
"mount_running_version": "v0.20.0+builtin",
"mount_type": "kv",
"namespace": {
"id": "root"
},
"operation": "update",
"path": "kv1/test",
"remote_address": "127.0.0.1",
"remote_port": 55892
},
"time": "2024-11-11T12:57:26.883619Z",
"type": "request"
}
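The following is an added, stand-alone Python example (not part of this article and not Vault's code) that reproduces the two steps above offline: it builds the "hmac-sha256:<hex>" form that audit devices write, then searches constructed audit log lines for that value and reports the JSON path at which it appears, which is the information you would otherwise read off the jq output. It assumes the audit device's salt is used directly as the HMAC-SHA256 key; the salt itself is a constructed stand-in, since a real device's salt never leaves Vault, which is exactly why the /sys/audit-hash endpoint is needed. The log entries, request ids and timestamps are constructed too.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the audit device's salt. In a real deployment this
# value is only known to Vault, and /sys/audit-hash/<device> computes the HMAC
# for you. Each audit device has its own salt, so a hash obtained for one
# device will not match entries written by a different device.
SALT = b"constructed-per-device-salt"


def audit_hmac(salt: bytes, value: str) -> str:
    """Return value in the form audit devices record it: 'hmac-sha256:<hex>'.

    Assumption: the device salt is the HMAC key and the input is the raw
    string; the output is the lowercase hex digest with the algorithm prefix.
    """
    digest = hmac.new(salt, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest


def make_log(salt: bytes) -> list[str]:
    """Constructed audit log: one JSON object per line, as the file device writes."""
    entries = [
        {
            "type": "request",
            "time": "2024-11-11T12:57:26.883619Z",  # constructed
            "request": {
                "id": "req-1",  # constructed id
                "operation": "update",
                "path": "kv1/test",
                "data": {"name": audit_hmac(salt, "my-secret-vault")},
            },
        },
        {
            "type": "request",
            "time": "2024-11-11T12:58:01.000000Z",  # constructed
            "request": {
                "id": "req-2",  # constructed id
                "operation": "update",
                "path": "kv1/other",
                "data": {"name": audit_hmac(salt, "another-value")},
            },
        },
        {
            "type": "response",
            "time": "2024-11-11T12:59:10.000000Z",  # constructed
            "request": {"id": "req-3", "operation": "read", "path": "kv1/test"},
            "response": {"data": {"name": audit_hmac(salt, "my-secret-vault")}},
        },
    ]
    return [json.dumps(e) for e in entries]


def find_entries(log_lines: list[str], hashed: str) -> list[dict]:
    """Equivalent of `grep '<hash>' audit.log | jq`: parse every line that
    contains the hashed value anywhere."""
    return [json.loads(line) for line in log_lines if hashed in line]


def locate(obj, hashed: str, prefix: str = "") -> list[str]:
    """Return dotted JSON paths (e.g. 'request.data.name') whose string value
    equals the hashed value, so you can see which field carried the secret."""
    paths = []
    if isinstance(obj, dict):
        for key, child in obj.items():
            paths.extend(locate(child, hashed, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for idx, child in enumerate(obj):
            paths.extend(locate(child, hashed, f"{prefix}{idx}."))
    elif isinstance(obj, str) and obj == hashed:
        paths.append(prefix.rstrip("."))
    return paths


if __name__ == "__main__":
    log = make_log(SALT)
    target = audit_hmac(SALT, "my-secret-vault")
    print("searching for", target)
    for entry in find_entries(log, target):
        print(entry["type"], entry["request"]["id"], locate(entry, target))
```

Running the script lists the two constructed entries that carry the hash of my-secret-vault (the update request and the later read response) together with the field each one holds it in; computing the hash with any other salt finds nothing, which is the behaviour you should expect when querying /sys/audit-hash for one device and grepping another device's log.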