# HashiCorp Vault Policies

## Default Policy

The **default** policy is created automatically when Vault is initialized. It cannot be deleted, but it can be modified. Every token is attached to it unless the token is created with `-no-default-policy`, and it grants authenticated clients basic self-service capabilities such as looking up, renewing and revoking their own token (`auth/token/lookup-self`, `auth/token/renew-self`, `auth/token/revoke-self`), checking their own capabilities on a path (`sys/capabilities-self`) and using their `cubbyhole/`.

To reset a modified default policy to the version shipped with the running Vault release, start a dev server of the same version (`vault server -dev`), read its default policy, and write that file to the target cluster:

```bash
# VAULT_ADDR pointed at the dev server (http://127.0.0.1:8200 by default)
vault policy read default > default_policy.hcl
# VAULT_ADDR pointed at the target cluster
vault policy write default default_policy.hcl
```

Review the file before the second command: it overwrites any local customizations of `default` on the target.

## Policy Commands

```bash
vault policy list
vault policy read NAME
vault policy write NAME PATH   # PATH may be '-' to read the policy from stdin
vault policy delete NAME
```

Format a policy file in place with `vault policy fmt PATH`.

Any Vault command accepts the `-output-policy` flag; instead of executing the request it prints the minimal HCL policy (path and capabilities) the command would need, which is the quickest way to build least-privilege policies:

```bash
vault kv get -output-policy secret/app/config
```

## Auditing

Enable a file audit device (the device path defaults to its type, `file` here):

```bash
vault audit enable file file_path=/var/log/vault_audit.log mode=0640
```

The Vault process must be able to write that file. Once any audit device is enabled, Vault fails every request it cannot record on at least one enabled device, so monitor disk space and have log rotation send `SIGHUP` to Vault so the file device reopens the path. Tokens and secret data are HMAC-SHA256 hashed before being written, so the raw log can be shipped to a central store without exposing secrets.

Configure Alloy to tail the file and forward it to Loki. The `__path__` must match the `file_path` given to Vault above:

```hcl
loki.source.file "vault_audit_log" {
  targets = [
    {"__path__" = "/var/log/vault_audit.log", "log_name" = "vault_audit", "level" = "info", "service" = "vault"},
  ]
  tail_from_end = true
  forward_to    = [loki.process.vault_audit.receiver]
}

loki.process "vault_audit" {
  stage.json {
    expressions = {error = "error"}
  }
  stage.labels {
    values = { __has_error = "error" }
  }
  stage.match {
    selector = "{__has_error!=\"\"}"
    stage.static_labels {
      values = {level = "error"}
    }
  }
  stage.label_drop {
    values = ["__has_error"]
  }
  forward_to = [loki.write.default.receiver]
}
```

> **Note:** `tail_from_end = true` makes Alloy start at the end of any file for which it has no recorded read position, so a freshly deployed collector does not ingest the existing backlog. Alloy persists read offsets under its storage path, so a restart resumes from the saved offset; without a persisted storage path the file would be re-read from the beginning. Vault audit entries do carry an RFC 3339 `time` field alongside the request `id`, so the setting is about skipping the backlog, not about missing timestamps.
>
> `loki.process` parses each entry as JSON and, when the `error` field is non-empty, overrides the static `level="info"` target label with `level="error"`; the temporary `__has_error` label is dropped before the entry is forwarded.
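The classification the Alloy pipeline performs, reproduced in Python over constructed sample lines so the logic can be checked offline, plus the permission-denied summary the `error` field makes possible. This is an added example, not code from the page, from Vault or from Alloy; the sample entries and every value in them (accessors, paths, addresses, timestamps) are constructed, and the `denials_by_accessor` threshold is an arbitrary choice.

```python
"""Classify Vault file-audit-device entries the way the Alloy pipeline above does,
and pull out permission-denied responses.

Added example; not code from the page, from Vault or from Alloy. The log lines below
are constructed to follow the shape of Vault audit entries (type, time, auth,
request, response, error). In real logs token values and secret data are
HMAC-SHA256 hashed, which the "hmac-sha256:" prefixes imitate.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample: one JSON object per line, as the file audit device writes them.
SAMPLE_AUDIT_LOG = """\
{"type":"request","time":"2024-05-01T10:00:00.123456Z","auth":{"accessor":"hmac-sha256:a1","display_name":"token","policies":["default","app-read"],"token_type":"service"},"request":{"id":"req-1","operation":"read","path":"secret/data/app/config","remote_address":"10.0.0.5"}}
{"type":"response","time":"2024-05-01T10:00:00.125000Z","auth":{"accessor":"hmac-sha256:a1","display_name":"token","policies":["default","app-read"],"token_type":"service"},"request":{"id":"req-1","operation":"read","path":"secret/data/app/config","remote_address":"10.0.0.5"},"response":{"data":{"data":"hmac-sha256:d3adb33f"}}}
{"type":"response","time":"2024-05-01T10:00:05.000000Z","auth":{"accessor":"hmac-sha256:a1","display_name":"token","policies":["default","app-read"],"token_type":"service"},"request":{"id":"req-2","operation":"update","path":"secret/data/app/prod/config","remote_address":"10.0.0.5"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"type":"response","time":"2024-05-01T10:00:09.000000Z","auth":{"accessor":"hmac-sha256:b2","display_name":"token","policies":["default"],"token_type":"service"},"request":{"id":"req-3","operation":"read","path":"secret/data/app/prod/config","remote_address":"10.0.0.9"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"type":"response","time":"2024-05-01T10:00:12.000000Z","auth":{"accessor":"hmac-sha256:b2","display_name":"token","policies":["default"],"token_type":"service"},"request":{"id":"req-4","operation":"read","path":"secret/data/app/prod/db","remote_address":"10.0.0.9"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
"""


def parse_entries(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def level_for(entry):
    """Mirror the Alloy stages: stage.json extracts `error`, stage.match fires when it is
    non-empty and sets level=error; otherwise the static level=info target label stands."""
    return "error" if entry.get("error") else "info"


def entry_time(entry):
    """Every audit entry carries an RFC 3339 `time` field, so nothing is lost on a re-read."""
    return datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))


def permission_denied(entries):
    """Response entries whose error is Vault's 'permission denied' (wrapped in a multierror string)."""
    return [
        {
            "time": entry_time(e),
            "accessor": e["auth"]["accessor"],
            "operation": e["request"]["operation"],
            "path": e["request"]["path"],
            "remote_address": e["request"].get("remote_address"),
        }
        for e in entries
        if e.get("type") == "response" and "permission denied" in (e.get("error") or "")
    ]


def denials_by_accessor(entries, threshold=2):
    """Token accessors with at least `threshold` denials: a cheap signal of a client probing
    paths its policies do not grant. The HMAC of the accessor is stable across entries of
    the same audit device, so it can be counted even though the real value is hidden."""
    counts = Counter(d["accessor"] for d in permission_denied(entries))
    return {acc: n for acc, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_AUDIT_LOG)
    for e in entries:
        print(entry_time(e).isoformat(), level_for(e), e["request"]["operation"], e["request"]["path"])
    for d in permission_denied(entries):
        print("DENIED", d["accessor"], d["operation"], d["path"], "from", d["remote_address"])
    print("repeat offenders:", denials_by_accessor(entries))
```

Run against a real file by replacing `SAMPLE_AUDIT_LOG` with the contents of the `file_path` given to `vault audit enable`; the `level_for` result is what the Alloy `stage.match` would assign to the same line.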
Check which audit devices are enabled and with which options:

```bash
vault audit list -detailed
```

To disable the device (the argument is the device path, `file` here), use:

```bash
vault audit disable file
```

Disabling the last enabled device leaves requests unrecorded, so enable the replacement device first when rotating devices.

## References

- [hvresult](https://github.com/threatkey-oss/hvresult): computes the Resultant Set of Policy (RSoP) for HashiCorp Vault ACLs, i.e. the effective capabilities that remain once all policies attached to a token or entity are merged.