Audit Vault token policy

bbros-dev · February 19, 2021, 1:06am

Hi is there a way, for the root token holder only, to take a token and work out the policy rules it was created with.

Use case is to audit the policy a token was created with compared to the policy as it currently stands in Vault.

Appreciate any hints or tips.

Kind regards

mgritter · February 19, 2021, 1:25am

A token always uses the current version of the policy; when a policy is changed it immediately applies to all tokens that have that policy directly attached, or inherited from an entity or group.

So, there is no cached version of the old policy available for comparison within Vault. You would have to store policies in an external version control system if you want a historical record.

The current set of policies attached to a token can be obtained by calling the auth/token/lookup API (or vault token lookup). They will be listed in policies for directly attached policies, identity_policies for those in the same namespace from an entity or group, and external_namespace_policies for those from a group in a child namespace.

Mark

bbros-dev · February 19, 2021, 6:05am

Thanks @mgritter, I’ve moved the other issue to a separate issue.

As it stands there is a considerable auditability opportunity in Vault. A git, gh etc log can tell us what policies should have been in place - by way of the hcl file.

What were the actual policies, and what are the actual policies in place only Vault can report that.

From my PoV something like, here I show the report, but it would be base64 encoded string that the signature relates to, when a user decodes the string they see the report…:

$ vault token report s.nvhgytirp85854784j
{
"signature: "<report-minisign-signature>",
"base64": ""report": {
 "datetime": "<iso8601>",
 "next-key": "<public-minisign-key-for next-report-signature-check>",
   "path": {
     "sys/health": {
        "capabilities": "read"
      }
    }
 ....
}"
}

would be sufficient. This result could be stored in a version system or data base.

Is there an issue tracking this type of feature?

mikegreen · February 19, 2021, 4:08pm

You could put together something to check the paths against the current policy by checking access with vault token capabilities token capabilities - Command | Vault by HashiCorp

Not exactly what you’re asking for, but is doable today.

bbros-dev · February 20, 2021, 9:33pm

Thanks @mikegreen.

We had in mind a service that monitors the policies folder and runs the token capabilities on any change, but that only tells us when someone changed a ‘potential’ policy for a token.

Both types of reports are required for any audit that isn’t just security theater.

In either approach there is a need to get a list of active tokens.
Also in either approach we’d need to monitor a location that indicated when an ‘applied’ token policy had changed.

At the moment we can’t see a way to deterministically prove what policies were in place during a given event window.

stuart-c · February 21, 2021, 1:30pm

You also have the audit backend which tells you what is going on - when tokens are created/destroyed, when policies are changed, when secrets are accessed, etc.