Permission denied when I try to vault audit enable file

Hi guys, I am unable to enable auditing because I get "sanity check permission denied". I have tried doing chown -R to the directory and to the audit log file itself:

vault audit enable file file_path=/var/log/vault_audit.log
Error enabling audit device: Error making API request.

URL: PUT http://10.10.1.91:8200/v1/sys/audit/file
Code: 400. Errors:

* sanity check failed; unable to open "/var/log/vault_audit.log" for writing: open /var/log/vault_audit.log: permission denied

This is my vault.service file:

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

I am on Vault version 1.3.0.

Personally I wouldn’t change the owner and permissions on the /var/log directory as that could cause problems with other things running on the server.

I found the easiest way to log to /var/log was to enable the syslog audit device and let the syslog daemon handle it (there is a potential issue with log entry truncation if it doesn't all fit in a UDP packet, but I haven't hit it yet).

If you’re using rsyslog as your syslog daemon then you’ll want to use something like the following in your rsyslog.conf

# log vault to messages to their own file
:programname, isequal, "vault"                          /var/log/vault.log

You’ll also want to add /var/log/vault.log to the list of syslog files to be rotated by logrotate
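The syslog route described in this reply, written out as a script. This is an added example and not something posted in the thread or shipped by HashiCorp; it assumes rsyslog is the syslog daemon, that the audit device keeps the default tag "vault" and facility AUTH, that rsyslog runs as syslog:adm (as on Debian and Ubuntu; adjust the create line otherwise), and that the configuration lives under /etc (the argument exists so the generated files can be inspected somewhere else first). The rsyslog rule adds "& stop" so audit entries do not also land in /var/log/syslog or /var/log/auth.log, and the logrotate stanza HUPs rsyslog after rotation so it reopens the new file.

```shell
#!/usr/bin/env bash
# Added example: route Vault's syslog audit device into its own file and
# rotate it. Assumptions: rsyslog, tag "vault" (the audit device default),
# rsyslog running as syslog:adm, config root /etc unless overridden.
set -euo pipefail

# Write the rsyslog rule and the logrotate stanza under the given config
# root. Returns 0 on success; the generated files are the result.
write_vault_syslog_configs() {
  local etc="${1:-/etc}"
  mkdir -p "$etc/rsyslog.d" "$etc/logrotate.d"

  # Property-based filter on the syslog tag. "& stop" ends processing for
  # matching messages so they are not duplicated into the catch-all files.
  cat > "$etc/rsyslog.d/30-vault.conf" <<'EOF'
# Vault audit device (tag "vault") goes to its own file and nowhere else.
:programname, isequal, "vault"    /var/log/vault.log
& stop
EOF

  # Rotate daily, keep two weeks, recreate with the daemon's owner and a
  # mode that keeps audit entries away from other local users, then tell
  # rsyslog to reopen its output files.
  cat > "$etc/logrotate.d/vault" <<'EOF'
/var/log/vault.log {
    daily
    rotate 14
    missingok
    notifempty
    compress
    delaycompress
    create 0640 syslog adm
    sharedscripts
    postrotate
        systemctl kill -s HUP rsyslog.service
    endscript
}
EOF
}

# Driver: only runs when invoked as `sudo ./vault-syslog.sh apply`, so the
# functions above can be sourced or tested without touching /etc.
if [ "${1:-}" = "apply" ]; then
  write_vault_syslog_configs /etc
  systemctl restart rsyslog.service
  # Needs VAULT_ADDR and a token with sys/audit capabilities in the environment.
  vault audit enable syslog tag="vault" facility="AUTH"
  logrotate -d /etc/logrotate.d/vault   # dry run to validate the stanza
fi
```

On the truncation point raised above: rsyslog's default $MaxMessageSize is 8k, and audit entries carrying large request or response payloads can exceed it; raise it at the top of /etc/rsyslog.conf, before the input modules are loaded, since the directive has no effect once an input has been opened.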

Can you show us the exact permissions on directory and file?

Hi,

I have the same problem.

vault audit enable file file_path=/var/log/vault/vault_audit.log

Error enabling audit device: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/audit/file
Code: 400. Errors:

* sanity check failed; unable to open "/var/log/vault/vault_audit.log" for writing: open /var/log/vault/vault_audit.log: permission denied

And these are the permissions

ls -ld /var/log/vault/vault_audit.log

-rw-r--r-- 1 root root 0 May 2 13:27 /var/log/vault/vault_audit.log

ls -ld /var/log/vault/

drwxr-xr-x 2 root root 4096 May 2 13:27 /var/log/vault/

Are you running Vault as root? If not, the error message is correct: you are not allowed to write.

Yes, I’m running the command as vault root.

#ps -ef | grep vault
vault 929 1 0 May02 ? 00:02:48 /usr/bin/vault server -config=/etc/vault/config.hcl
root 7683 7649 0 09:37 pts/2 00:00:00 grep --color=auto vault

The interesting part is that you are running the Vault service as user vault, but the audit log was created by a root process. Maybe somebody else could help; I don't have any clue how to solve this in a proper and secure way.

Hi,

The service was running as the vault user, so I changed it, and also the ownership of the vault directory, to root.

root@ubuntu-ws:~# ps aux | grep -i vault
root 710 1.7 6.4 196800 193720 ? SLsl 14:01 0:02 /bin/vault server -config=/etc/vault/config.hcl

And now able to enable the log.
#vault audit enable file file_path=/etc/vault/log/vault_audit.log
Success! Enabled the file audit device at: file/

What about when you run Vault under the vault user? I'm having the same problem; I've even given the folder /var/log/vault drwxrwxrwx vault:vault perms. The file vault-audit.log is also owned by the vault:vault user/group and I still get the 400 error: "sanity check failed; unable to open "/var/log/vault/vault-audit.log" for writing: open /var/log/vault/vault-audit.log: permission denied"

Any other ideas of what might be the problem ?

I am running into the same issue. Attempting to enable audit logging and getting a permissions error as the root user. Permissions on the directory are root:root 0750. This is on Vault 1.6.0.

As @Wolfsrudel mentioned earlier in this thread, typically Vault is running under a vault account, with permissions mostly targeted at reading its own config files.

Are you sure the Vault process is running under the root account? You created this environment yourself, as opposed to using an official repo? And it’s definitely this exact “sanity check” type of error? On that, just wondering whether it might be an issue with the permissions associated with your token.

Vault was running under the vault user. I changed it to root and am still getting the same error:

* sanity check failed; unable to open "/var/log/vault.d/vault_audit.log" for writing: mkdir /var/log/vault.d: permission denied

I am using a root token.

I do not have this issue on another vault instance running 1.5.4

Hmm. I'd recommend going back to running under the vault account, and set up that file structure ahead of time. So:

  1. Check the permissions on /var/log
  2. It might be read and write for root, and adm group
  3. Add vault to the adm group or syslog or a new group… However you want to do it
  4. sudo mkdir /var/log/vault.d
  5. sudo touch /var/log/vault.d/vault_audit.log
  6. sudo chown -R vault:vault /var/log/vault.d
  7. Then try to enable your audit device again
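The seven steps above as a runnable script. This is an added example, not something posted in the thread or part of Vault; it assumes the service user and group are both named vault and that the device will write to /var/log/vault.d/vault_audit.log (both can be overridden through environment variables). audit_path_status reproduces what Vault's sanity check does in the order it does it (create the directory, then open the file for append, creating it if needed), so you can see which of the errors quoted in this thread you would get before touching Vault; check_as_service_user runs that check as the service user rather than as root, because root can write anything and a root-side test proves nothing about the vault account.

```shell
#!/usr/bin/env bash
# Added example: prepare and verify a file audit device path for a Vault
# service that runs as an unprivileged user. Assumed names: user "vault",
# group "vault", log file /var/log/vault.d/vault_audit.log.
set -euo pipefail

VAULT_USER="${VAULT_USER:-vault}"
VAULT_GROUP="${VAULT_GROUP:-vault}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/vault.d/vault_audit.log}"

# Classify a candidate audit path as Vault's sanity check will see it when
# run as the *current* user. Vault first creates the directory (MkdirAll,
# hence the "mkdir ...: permission denied" variant of the error), then opens
# the file for append, creating it if absent. Prints one of:
#   ok, ok-will-create, file-unwritable, dir-unwritable,
#   dir-missing-creatable, dir-missing-parent-unwritable
audit_path_status() {
  local path="$1" dir parent
  dir=$(dirname "$path")
  parent=$(dirname "$dir")
  if [ ! -d "$dir" ]; then
    if [ -w "$parent" ]; then echo dir-missing-creatable
    else echo dir-missing-parent-unwritable; fi
  elif [ -e "$path" ]; then
    if [ -w "$path" ]; then echo ok
    else echo file-unwritable; fi
  else
    if [ -w "$dir" ]; then echo ok-will-create
    else echo dir-unwritable; fi
  fi
}

# Steps 4-6: create the directory and file and hand them to the service user.
# 0750 on the directory lets the vault group list it; 0640 on the file keeps
# audit entries (request metadata, HMACed secrets) from other local users.
# Must run as root, or as the owner when used on a scratch directory.
prepare_audit_path() {
  local path="$1" user="$2" group="$3" dir
  dir=$(dirname "$path")
  mkdir -p "$dir"
  [ -e "$path" ] || : > "$path"
  chown "$user:$group" "$dir" "$path"
  chmod 0750 "$dir"
  chmod 0640 "$path"
}

# Re-run the classification as the service user. Root bypasses mode bits,
# so only a check performed as that user says anything about the service.
check_as_service_user() {
  local path="$1" user="$2"
  runuser -u "$user" -- bash -c "$(declare -f audit_path_status); audit_path_status '$path'"
}

# Driver: runs only as `sudo ./prepare-audit.sh prepare`, so the functions
# can be sourced or tested without touching /var/log.
if [ "${1:-}" = "prepare" ]; then
  echo "before: $(audit_path_status "$AUDIT_LOG") (as $(id -un))"
  prepare_audit_path "$AUDIT_LOG" "$VAULT_USER" "$VAULT_GROUP"
  status=$(check_as_service_user "$AUDIT_LOG" "$VAULT_USER")
  echo "after:  $status (as $VAULT_USER)"
  [ "$status" = ok ] || { echo "path still not writable by $VAULT_USER" >&2; exit 1; }
  # Step 7. Needs VAULT_ADDR and a token with sys/audit capabilities.
  vault audit enable file file_path="$AUDIT_LOG"
fi
```

If the check passes as the vault user but vault audit enable still fails, the difference is what the service sees, not what your shell sees. With the unit file at the top of this thread, ProtectSystem=full leaves /var/log writable, but ProtectSystem=strict would not without a ReadWritePaths=/var/log/vault.d line, and a mandatory access control policy (SELinux or AppArmor) denies the open regardless of mode bits; that denial shows up in the kernel audit log or dmesg, not in Vault's error message.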

Thanks. Looks like the issue was that /var/log/vault.d was owned by vault.

Now running into a new issue: Vault Audit logs stopping daily/not logging
