Permission denied when i try to vault audit enable file

EricBourland · March 12, 2020, 3:41pm

Hi guys i am unable to to enable auditing bcuz i get sanity check permission denied. I have tried doing chown -R to the directory and to the audit log file itself:

vault audit enable file file_path=/var/log/vault_audit.log
Error enabling audit device: Error making API request.

URL: PUT http://10.10.1.91:8200/v1/sys/audit/file
Code: 400. Errors:

* sanity check failed; unable to open "/var/log/vault_audit.log" for writing: open /var/log/vault_audit.log: permission denied

this is my vault.service file:

[Unit]
Description="HashiCorp Vault - A tool for managing secrets" Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target ConditionFileNotEmpty=/etc/vault.d/vault.hcl StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl ExecReload=/bin/kill --signal HUP $MAINPID 
KillMode=process 
KillSignal=SIGINT 
Restart=on-failure 
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target

i am on vault version 1.3.0

jlcooper · March 13, 2020, 8:29am

Personally I wouldn’t change the owner and permissions on the /var/log directory as that could cause problems with other things running on the server.

I found the easiest way to log to /var/log was to enable the syslog audit device and let the syslog deamon handle it (there is a potential issue with log entry truncation if it doesn’t all fit in a UDP packet, but I haven’t hit it yet).

If you’re using rsyslog as your syslog daemon then you’ll want to use something like the following in your rsyslog.conf

# log vault to messages to their own file
:programname, isequal, "vault"                          /var/log/vault.log

You’ll also want to add /var/log/vault.log to the list of syslog files to be rotated by logrotate

Wolfsrudel · March 13, 2020, 10:20am

Can you show us the exact permissions on directory and file?

asakth22 · May 2, 2020, 8:06am

Hi,

I have the same problem.

vault audit enable file file_path=/var/log/vault/vault_audit.log

Error enabling audit device: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/audit/file
Code: 400. Errors:

sanity check failed; unable to open “/var/log/vault/vault_audit.log” for writing: open /var/log/vault/vault_audit.log: permission denied

And these are the permissions

ls -ld /var/log/vault/vault_audit.log

-rw-r–r-- 1 root root 0 May 2 13:27 /var/log/vault/vault_audit.log

ls -ld /var/log/vault/

drwxr-xr-x 2 root root 4096 May 2 13:27 /var/log/vault/

Wolfsrudel · May 2, 2020, 8:22am

Are you running Vault as root? If not the error message is correct. You are not allowed to write.

asakth22 · May 2, 2020, 8:26am

Yes, I’m running the command as vault root.

Wolfsrudel · May 2, 2020, 2:02pm

ps -ef | grep vault

asakth22 · May 3, 2020, 4:10am

#ps -ef | grep vault
vault 929 1 0 May02 ? 00:02:48 /usr/bin/vault server -config=/etc/vault/config.hcl
root 7683 7649 0 09:37 pts/2 00:00:00 grep --color=auto vault

Wolfsrudel · May 3, 2020, 6:12am

The interesting part is, that you are running the Vault service as user vault but the audit log is create by a root process. Maybe somebody else could help, I don’t have any glue how to solve this in a proper and secure way.

asakth22 · May 15, 2020, 8:40am

Hi,

The service was running as vault user so I have changed it and also the ownership of the vault directory to root.

root@ubuntu-ws:~# ps aux | grep -i vault
root 710 1.7 6.4 196800 193720 ? SLsl 14:01 0:02 /bin/vault server -config=/etc/vault/config.hcl

And now able to enable the log.
#vault audit enable file file_path=/etc/vault/log/vault_audit.log
Success! Enabled the file audit device at: file/

alexparaschin · August 10, 2020, 7:42pm

what about when you run Vault under the Vault user ? I’m having the same problem, I’ve even given the folder /var/log/vault drwxrwxrwx vault:vault perms. The file vault-audit.log is also owned by the vault:vault user/group and still get the 400 error. " sanity check failed; unable to open “/var/log/vault/vault-audit .log” for writing : open /var/log/vault/vault-audit.log: permission denied "

Any other ideas of what might be the problem ?

awidner · December 3, 2020, 11:22pm

I am running into the same issue. Attempting to enable audit logging and getting a permissions error as the root user. permissions on the directory are root:root 0750. This is on Vault 1.6.0

jlj7 · December 4, 2020, 3:53pm

As @Wolfsrudel mentioned earlier in this thread, typically Vault is running under a vault account, with permissions mostly targeted at reading its own config files.

Are you sure the Vault process is running under the root account? You created this environment yourself, as opposed to using an official repo? And it’s definitely this exact “sanity check” type of error? On that, just wondering whether it might be an issue with the permissions associated with your token.

awidner · December 4, 2020, 4:15pm

Vault was running under the vault user. I changed it to root and am still getting the same error:

* sanity check failed; unable to open "/var/log/vault.d/vault_audit.log" for writing: mkdir /var/log/vault.d: permission denied

I am using a root token.

awidner · December 4, 2020, 4:16pm

I do not have this issue on another vault instance running 1.5.4

jlj7 · December 4, 2020, 4:35pm

H’m. I’d recommend going back to running under the vault account, and set-up that file structure ahead of time. So:

Check the permissions on /var/log
It might be read and write for root, and adm group
Add vault to the adm group or syslog or a new group… However you want to do it
sudo mkdir /var/log/vault.d
sudo touch /var/log/vault.d/vault_audit.log
sudo chown -R vault:vault /var/log/vault.d
Then try to enable your audit device again

awidner · December 4, 2020, 4:47pm

Thanks. Looks like the issue was the /var/log/vault.d was owner by vault.

awidner · December 4, 2020, 5:49pm

Now running into a new issue: Vault Audit logs stopping daily/not logging

javier.limon · February 18, 2021, 12:24am

As it says @jlj7 its better to use the vault user, and besides his solution, I think you can also add to the vault.service the line

[Service]
LogsDirectory=vault

this will automatically add the directory /var/log/vault and give permissions to be used by vault

Behner · May 12, 2022, 2:38pm

I had the same issue, I am using storage type: RAFT across a few servers. In the end I did the following:

On all servers in the cluster:

touch /var/log/vault_audit.log
chmod 644 /var/log/vault_audit.log
chown vault:vault /var/log/vault_audit.log

Then I found the leader and executed the following there:

To find the leader

vault operator raft list-peers

Execute on the leader to enable audit log

vault audit enable file file_path=/var/log/vault_audit.log

You may need to restart and unseal vault to see the logs on the leader (only the leader generates logs)

tail -f /var/log/vault_audit.log

I’m not 100% sure you “have to” run this on the leader but that is what I did.