Introduction
Values written to the Vault audit log are not stored in plaintext: the audit device HMACs them with SHA-256 using a salt generated for that device, so a known plaintext value (a secret, a token, a username) cannot be found in the log by searching for the value itself. The API /sys/audit-hash/...
returns the exact hmac-sha256:... string that the named audit device writes for a given plaintext value. Only after obtaining that precise hash value can the audit log file be searched for the entries that contain it.
How it works
The Vault API /sys/audit-hash/... requires the audit device path (in place of the ... ellipsis) and an input parameter containing the plaintext string to be hashed.
To demonstrate, start by enabling a file audit device, for example:
vault audit enable -path=example-audit file file_path=/var/log/vault/audit.log
vault audit list --detailed
# Path Type Description Replication Options
# ---- ---- ----------- ----------- -------
# example-audit/ file n/a replicated file_path=/var/log/vault/audit.log
Then enable a KV secrets engine, write an example secret to the kv1/test
path, and read it back, so that both operations are recorded in the audit log that will be searched afterwards.
vault secrets enable -path=kv1 kv
vault kv put kv1/test name=my-secret-vault
# Success! Data written to: kv1/test
vault kv get kv1/test
# ==== Data ====
# Key Value
# --- -----
# name my-secret-vault
Generate the hash for the value of the name key, my-secret-vault (Vault HMACs field values, not field names, so it is the value that must be hashed). Using the Vault CLI, run vault write ... against the audit path sys/audit-hash/example-audit with the input value my-secret-vault. Then search for the returned hash in the audit log.
vault write sys/audit-hash/example-audit input="my-secret-vault"
# Key Value
# --- -----
# hash hmac-sha256:ca4bf88030a347324ba3f40c6c021f76ca080006b1a2d52b888bdcd6407f8359
tail -20f /var/log/vault/audit.log | grep "hmac-sha256:ca4bf88030a347324ba3f40c6c021f76ca080006b1a2d52b888bdcd6407f8359"
# {"time":"...","type":"request", ..., "path":"kv1/test","data":{"name":"hmac-sha256:ca4bf88030a347324ba3f40c6c021f76ca080006b1a2d52b888bdcd6407f8359"}, ...}}
# {"time":"...","type":"response", ..., "path":"kv1/test","data":{"name":"hmac-sha256:ca4bf88030a347324ba3f40c6c021f76ca080006b1a2d52b888bdcd6407f8359"}, ...}
The corresponding request and response entries for the name
field, with its hashed value, are shown above. The hash must be generated against the same audit device whose log is being searched (here example-audit): another audit device enabled at a different path has its own salt and produces a different hash for the same plaintext.
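As an added example (not Vault's own code, and not part of this article's original walkthrough), the lookup and search above can be automated. The script below builds the POST to /v1/sys/audit-hash/<path> over the HTTP API (assuming VAULT_ADDR and VAULT_TOKEN are set for the live call) and then walks every JSON field of each audit entry, reporting the entry type, request path and field in which the hash appears, rather than relying on a line-level grep. The sample log lines in the block are constructed to resemble the file audit device's output with most fields trimmed, and include a truncated tail line to show the scan tolerating a partially written entry.

```python
"""Locate HMAC'd values in a Vault file audit device log.

Added example (not Vault's code and not part of this article's original
walkthrough). Assumes: the log is JSON lines as written by the `file` audit
device, and VAULT_ADDR / VAULT_TOKEN are set when the live lookup is used.
"""
import json
import os
import urllib.request


def audit_hash_request(vault_addr, token, audit_path, plaintext):
    """Build the POST /v1/sys/audit-hash/<audit_path> request (hypothetical
    helper name; the endpoint and its `input` parameter are Vault's API)."""
    return urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/sys/audit-hash/{audit_path.strip('/')}",
        data=json.dumps({"input": plaintext}).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )


def audit_hash(audit_path, plaintext):
    """Ask the running Vault for the hmac-sha256:... form of `plaintext` as
    the audit device at `audit_path` would write it (network call)."""
    req = audit_hash_request(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                             audit_path, plaintext)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["hash"]


def walk(obj, prefix=""):
    """Yield (dotted_path, leaf_value) for every leaf of a nested JSON object,
    so a hit can be reported as e.g. request.data.name."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk(val, f"{prefix}[{idx}]")
    else:
        yield prefix, obj


def find_hash(log_lines, wanted):
    """Return (entry_type, request_path, field_path) for every field whose
    value equals `wanted`. Blank or malformed lines are skipped so a partially
    written line at the tail of a live log does not abort the scan."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        req_path = entry.get("request", {}).get("path", "")
        for field_path, value in walk(entry):
            if value == wanted:
                hits.append((entry.get("type", ""), req_path, field_path))
    return hits


# Hash value from the walkthrough above; the log lines are constructed to
# mimic the file audit device's shape (fields trimmed), not captured output.
WANTED = "hmac-sha256:ca4bf88030a347324ba3f40c6c021f76ca080006b1a2d52b888bdcd6407f8359"
SAMPLE_LOG = [
    json.dumps({"time": "2024-01-01T00:00:00Z", "type": "request",
                "request": {"operation": "update", "path": "kv1/test",
                            "data": {"name": WANTED}}}),
    json.dumps({"time": "2024-01-01T00:00:00Z", "type": "response",
                "request": {"operation": "update", "path": "kv1/test",
                            "data": {"name": WANTED}},
                "response": {}}),
    json.dumps({"time": "2024-01-01T00:00:01Z", "type": "response",
                "request": {"operation": "read", "path": "kv1/test"},
                "response": {"data": {"name": WANTED}}}),
    json.dumps({"time": "2024-01-01T00:00:02Z", "type": "request",
                "request": {"operation": "read", "path": "sys/health"}}),
    '{"time": "2024-01-01T00:00:03Z", "type": "req',  # truncated tail line
]


if __name__ == "__main__":
    import sys
    # Usage: python audit_search.py <audit_path> <plaintext> <logfile>
    # Without arguments, scans the constructed sample log for WANTED.
    if len(sys.argv) == 4:
        wanted = audit_hash(sys.argv[1], sys.argv[2])
        with open(sys.argv[3]) as fh:
            hits = find_hash(fh, wanted)
    else:
        wanted, hits = WANTED, find_hash(SAMPLE_LOG, WANTED)
    for entry_type, req_path, field_path in hits:
        print(f"{entry_type:8} {req_path:12} {field_path}")
```

Pass the path of the audit device whose log file is scanned (example-audit in the walkthrough): the same plaintext hashes differently under each enabled audit device, so a hash obtained from another device's path will never match this file.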
Additional Information: