Permission denied when i try to vault audit enable file

Hi guys, I am unable to enable auditing because I get a "sanity check ... permission denied" error. I have tried doing chown -R on the directory and on the audit log file itself:

vault audit enable file file_path=/var/log/vault_audit.log
Error enabling audit device: Error making API request.

URL: PUT http://10.10.1.91:8200/v1/sys/audit/file
Code: 400. Errors:

* sanity check failed; unable to open "/var/log/vault_audit.log" for writing: open /var/log/vault_audit.log: permission denied

This is my vault.service file:

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

I am on Vault version 1.3.0.

Personally I wouldn’t change the owner and permissions on the /var/log directory as that could cause problems with other things running on the server.

I found the easiest way to log to /var/log was to enable the syslog audit device and let the syslog daemon handle it (there is a potential issue with log entry truncation if it doesn’t all fit in a UDP packet, but I haven’t hit it yet).

If you’re using rsyslog as your syslog daemon, then you’ll want to use something like the following in your rsyslog.conf:

# log vault to messages to their own file
:programname, isequal, "vault"                          /var/log/vault.log

You’ll also want to add /var/log/vault.log to the list of syslog files to be rotated by logrotate.

Can you show us the exact permissions on directory and file?

Hi,

I have the same problem.

vault audit enable file file_path=/var/log/vault/vault_audit.log

Error enabling audit device: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/audit/file
Code: 400. Errors:

  * sanity check failed; unable to open "/var/log/vault/vault_audit.log" for writing: open /var/log/vault/vault_audit.log: permission denied

And these are the permissions:

ls -ld /var/log/vault/vault_audit.log

-rw-r--r-- 1 root root 0 May 2 13:27 /var/log/vault/vault_audit.log

ls -ld /var/log/vault/

drwxr-xr-x 2 root root 4096 May 2 13:27 /var/log/vault/

Are you running Vault as root? If not, the error message is correct: you are not allowed to write there.

Yes, I’m running the command as vault root.

# ps -ef | grep vault
vault 929 1 0 May02 ? 00:02:48 /usr/bin/vault server -config=/etc/vault/config.hcl
root 7683 7649 0 09:37 pts/2 00:00:00 grep --color=auto vault

The interesting part is that you are running the Vault service as user vault, but the audit log is created by a root process. Maybe somebody else could help; I don’t have any clue how to solve this in a proper and secure way.

Hi,

The service was running as the vault user, so I have changed it, and also the ownership of the vault directory, to root.

root@ubuntu-ws:~# ps aux | grep -i vault
root 710 1.7 6.4 196800 193720 ? SLsl 14:01 0:02 /bin/vault server -config=/etc/vault/config.hcl

And now I am able to enable the log:
# vault audit enable file file_path=/etc/vault/log/vault_audit.log
Success! Enabled the file audit device at: file/
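The failure in this thread is exactly what the `ls -ld` output shows: the log file and its directory are root:root 0644/0755, and the service runs as the unprivileged `vault` user, so Vault's sanity check (it opens the file for writing as that user, creating it if missing) is refused. Switching the service to root makes the check pass but throws away the least-privilege setup the posted unit file builds; the fix is to give the audit directory to the service user instead. Note also that under the unit above, `ProtectSystem=full` mounts /usr, /boot and /etc read-only for the service, so a log under /etc/vault/ is the wrong home for it; /var/log/vault is not affected by that setting. The following script is an added example, not code from the thread or from HashiCorp: the helper names (`prepare_audit_dir`, `writable_by`, `vault_can_write`) are hypothetical, it assumes a Linux host with GNU or busybox coreutils (`install`, `stat`, `id`), and it must run as root to hand the directory to another user. It creates the directory with the right owner and mode, emulates Vault's "can this user write here" check from the owner/group/mode bits before calling the CLI, and only then runs the same `vault audit enable file` command the posters used.

```shell
#!/bin/sh
# Added example (not from the thread or from Vault): prepare a directory for
# Vault's "file" audit device so the unprivileged service user can write it,
# and pre-check the permission bits before asking Vault to run its sanity check.
# Assumes GNU/busybox coreutils. Helper names are hypothetical.

# Create DIR as USER:GROUP with mode 0750 (audit logs contain request metadata
# and should not be world-readable), and pre-create the log file as 0640 with the
# same ownership. Vault creates the file if it is missing and appends to it, so a
# pre-created file only needs to be writable by the service user.
prepare_audit_dir() {
    pad_dir=$1; pad_user=$2; pad_group=${3:-$2}
    install -d -o "$pad_user" -g "$pad_group" -m 0750 "$pad_dir" || return 1
    if [ ! -e "$pad_dir/vault_audit.log" ]; then
        install -o "$pad_user" -g "$pad_group" -m 0640 /dev/null "$pad_dir/vault_audit.log" || return 1
    fi
}

# Return 0 if USER may write PATH judging by owner/group/mode bits alone.
# This is the check behind the thread's error: root:root 0644 fails it for "vault".
writable_by() {
    wb_user=$1; wb_path=$2
    [ -e "$wb_path" ] || return 1
    set -- $(stat -c '%U %G %a' "$wb_path")      # owner group octal-mode
    wb_owner=$1; wb_group=$2
    wb_mode=$(printf '%s' "$3" | tail -c 3)       # drop a leading setuid/setgid/sticky digit
    wb_u=$(( (wb_mode / 100) % 10 ))
    wb_g=$(( (wb_mode / 10) % 10 ))
    wb_o=$(( wb_mode % 10 ))
    if [ "$wb_owner" = "$wb_user" ]; then
        wb_bits=$wb_u
    elif id -Gn "$wb_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$wb_group"; then
        wb_bits=$wb_g
    else
        wb_bits=$wb_o
    fi
    [ $(( wb_bits & 2 )) -ne 0 ]
}

# Emulate Vault's open-for-writing sanity check for USER on log PATH: an existing
# file must itself be writable; a missing one needs a writable parent directory.
vault_can_write() {
    vcw_user=$1; vcw_path=$2
    if [ -e "$vcw_path" ]; then
        writable_by "$vcw_user" "$vcw_path"
    else
        writable_by "$vcw_user" "$(dirname "$vcw_path")"
    fi
}

# Usage (as root): sh vault_audit_dir.sh /var/log/vault vault [group]
main() {
    m_log="$1/vault_audit.log"
    prepare_audit_dir "$1" "$2" "${3:-$2}" || { echo "could not prepare $1" >&2; return 1; }
    if ! vault_can_write "$2" "$m_log"; then
        echo "$2 still cannot write $m_log (check every ancestor directory too):" >&2
        ls -ld "$1" "$m_log" >&2
        return 1
    fi
    echo "$m_log is writable by $2"
    # Only now is it worth asking Vault; this is the same command the posters ran.
    if command -v vault >/dev/null 2>&1; then
        vault audit enable file file_path="$m_log"
    fi
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it once as root with the directory and the service user from the unit file (`User=vault`), then `vault audit enable` succeeds without touching the ownership of /var/log itself and without running the server as root. The pre-check only reads mode bits, so it will not see an AppArmor or SELinux denial; if the bits look right and Vault still refuses, look at the audit log of the MAC system next.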