# HashiCorp Vault Policies

## Default Policy

The **default** policy is created automatically when Vault is initialized, but can be modified as needed. It provides basic access to Vault features for authenticated users.

To restore the default policy to the newest default version, launch a development Vault server and copy the default policy from there:

```bash
# Against the dev server (vault server -dev): capture its built-in default policy
vault policy read default > default_policy.hcl
# Then, with VAULT_ADDR/VAULT_TOKEN pointing at the target server, write it back
vault policy write default default_policy.hcl
```

## Policy Commands

```bash
vault policy list
vault policy read <policy-name>
vault policy write <policy-name> <policy-file.hcl>
vault policy delete <policy-name>
```

Format a policy file using `vault policy fmt <policy-file.hcl>`.

Display the capabilities required for a given path with:

```bash
vault <anycommand> -output-policy
```

## Auditing

To enable auditing, use the following command:

```bash
vault audit enable file file_path=/var/log/vault_audit.log mode=0640
```

Configure Alloy to read the audit logs from the specified file path.

Add the following configuration to your Alloy setup:

```hcl
loki.source.file "vault_audit_log" {
  targets = [
    # __path__ must match the file_path given to `vault audit enable file`
    {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit", "level" = "info", "service" = "vault"},
  ]
  tail_from_end = true
  forward_to    = [loki.process.vault_audit.receiver]
}

loki.process "vault_audit" {
  # Parse each line as JSON and pull the `error` field into the extracted map
  stage.json {
    expressions = {error = "error"}
  }

  # Expose it temporarily as a label so stage.match can select on it
  stage.labels {
    values = { __has_error = "error" }
  }

  # Entries with a non-empty error (e.g. permission denied) get level=error
  stage.match {
    selector = "{__has_error!=\"\"}"

    stage.static_labels {
      values = {level = "error"}
    }
  }

  # Drop the helper label before the entry is shipped to Loki
  stage.label_drop {
    values = ["__has_error"]
  }

  forward_to = [loki.write.default.receiver]
}
```

> **Note:** `tail_from_end = true` ensures that only new log entries are read, preventing the ingestion of old lines/entries.
> It is (probably) required because the audit log file does not contain timestamps, only entry GUIDs.
> Without this setting, Alloy may re-ingest old log entries upon restart.
>
> `loki.process` extracts the message level from the `error` field in the JSON log entry.
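The same classification the `loki.process` stages perform, as an added Python example (not part of the original page or of Alloy/Vault) run over constructed audit entries; the field names (`type`, `request.path`, `auth.policies`, `error`) follow the Vault file audit device's JSON, but the entries themselves are made up for the example:

```python
"""Mirror of the Alloy pipeline above, applied to Vault file-audit JSON lines."""
import json
from typing import Dict, List

# Constructed sample entries, one JSON object per line as the file audit device
# writes them (field subset only; not captured from a real Vault).
SAMPLE_AUDIT_LOG = """\
{"type":"request","request":{"path":"secret/data/app","operation":"read"},"auth":{"policies":["default","app"]}}
{"type":"response","request":{"path":"secret/data/app","operation":"read"},"auth":{"policies":["default","app"]},"error":""}
{"type":"response","request":{"path":"sys/policies/acl/admin","operation":"update"},"auth":{"policies":["default"]},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
"""


def label_entry(line: str) -> Dict[str, str]:
    """Apply the same stages as the loki.process block: stage.json extracts
    `error`; stage.match + stage.static_labels set level=error when it is
    non-empty; otherwise the static level=info target label is kept.
    Returns the labels Loki would store for this line."""
    entry = json.loads(line)
    labels = {"log_name": "vault_audit", "service": "vault", "level": "info"}
    # A missing or null `error` behaves like an empty one, matching the
    # selector `{__has_error!=""}` in the Alloy config.
    has_error = entry.get("error") or ""
    if has_error != "":
        labels["level"] = "error"
    # stage.label_drop: the __has_error helper never reaches Loki.
    return labels


def denied_paths(text: str) -> List[str]:
    """Policy review helper: paths whose response carried a permission denied
    error, i.e. requests that the caller's ACL policies did not grant."""
    paths = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("type") == "response" and "permission denied" in (entry.get("error") or ""):
            paths.append(entry["request"]["path"])
    return paths


if __name__ == "__main__":
    for sample in SAMPLE_AUDIT_LOG.splitlines():
        print(label_entry(sample))
    print("denied:", denied_paths(SAMPLE_AUDIT_LOG))
```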

Check the auditing configuration with:

```bash
vault audit list -detailed
```

To disable auditing, use:

```bash
vault audit disable file
```

## References

- [RSoP Tool](https://github.com/threatkey-oss/hvresult) - **hvresult** computes the Resultant Set of Policy (RSoP) for HashiCorp Vault ACLs.