Can you show us the exact permissions on directory and file?
Hi,
I have the same problem.
vault audit enable file file_path=/var/log/vault/vault_audit.log
Error enabling audit device: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/audit/file
Code: 400. Errors:
- sanity check failed; unable to open "/var/log/vault/vault_audit.log" for writing: open /var/log/vault/vault_audit.log: permission denied
And these are the permissions
ls -ld /var/log/vault/vault_audit.log
-rw-r--r-- 1 root root 0 May 2 13:27 /var/log/vault/vault_audit.log
ls -ld /var/log/vault/
drwxr-xr-x 2 root root 4096 May 2 13:27 /var/log/vault/
Are you running Vault as root? If not, the error message is correct. You are not allowed to write.
Yes, I’m running the command as vault root.
#ps -ef | grep vault
vault 929 1 0 May02 ? 00:02:48 /usr/bin/vault server -config=/etc/vault/config.hcl
root 7683 7649 0 09:37 pts/2 00:00:00 grep --color=auto vault
The interesting part is that you are running the Vault service as user vault, but the audit log is created by a root process. Maybe somebody else could help; I don't have any clue how to solve this in a proper and secure way.
Hi,
The service was running as vault user so I have changed it and also the ownership of the vault directory to root.
root@ubuntu-ws:~# ps aux | grep -i vault
root 710 1.7 6.4 196800 193720 ? SLsl 14:01 0:02 /bin/vault server -config=/etc/vault/config.hcl
And now I am able to enable the log.
#vault audit enable file file_path=/etc/vault/log/vault_audit.log
Success! Enabled the file audit device at: file/
What about when you run Vault under the vault user? I'm having the same problem. I've even given the folder /var/log/vault drwxrwxrwx vault:vault perms. The file vault-audit.log is also owned by the vault:vault user/group and I still get the 400 error: "sanity check failed; unable to open "/var/log/vault/vault-audit.log" for writing: open /var/log/vault/vault-audit.log: permission denied"
Any other ideas of what might be the problem ?
I am running into the same issue. Attempting to enable audit logging and getting a permissions error as the root user. Permissions on the directory are root:root 0750. This is on Vault 1.6.0.
As @Wolfsrudel mentioned earlier in this thread, typically Vault is running under a vault account, with permissions mostly targeted at reading its own config files.
Are you sure the Vault process is running under the root account? You created this environment yourself, as opposed to using an official repo? And it's definitely this exact "sanity check" type of error? On that, just wondering whether it might be an issue with the permissions associated with your token.
Vault was running under the vault user. I changed it to root and am still getting the same error:
* sanity check failed; unable to open "/var/log/vault.d/vault_audit.log" for writing: mkdir /var/log/vault.d: permission denied
I am using a root token.
I do not have this issue on another vault instance running 1.5.4
Hm. I'd recommend going back to running under the vault account, and set up that file structure ahead of time. So:
- Check the permissions on /var/log
- It might be read and write for root, and the adm group
- Add vault to the adm group, or syslog, or a new group... However you want to do it:
sudo mkdir /var/log/vault.d
sudo touch /var/log/vault.d/vault_audit.log
sudo chown -R vault:vault /var/log/vault.d
- Then try to enable your audit device again
Thanks. Looks like the issue was that /var/log/vault.d was owned by vault.
As @jlj7 says, it's better to use the vault user, and besides his solution, I think you can also add to the vault.service the line
[Service]
LogsDirectory=vault
This will automatically add the directory /var/log/vault and give permissions for it to be used by vault.
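Added example (not code from any poster in this thread): a POSIX shell pre-flight that prepares the audit log path the way the posts above recommend and then checks it the way Vault's sanity check does, as the service user rather than as the root shell running the CLI. It assumes the service runs as vault:vault and that /var/log/vault/vault_audit.log is the target; the file name audit_path.sh in the usage comment is assumed too.

```shell
#!/bin/sh
# Pre-flight for `vault audit enable file file_path=...`.
# Vault's "sanity check" opens file_path for append as the user the
# *server process* runs as (creating missing parent directories first),
# so a root shell with a root token proves nothing about that user.
# Assumed defaults: service user/group vault:vault, path /var/log/vault/vault_audit.log.

# audit_path_writable FILE [USER]
# Returns 0 if USER (default: the current user) can create the parent
# directory and open FILE for append, i.e. what Vault will attempt.
audit_path_writable() {
  file=$1; user=${2:-}
  dir=$(dirname -- "$file")
  runas=""
  if [ -n "$user" ] && [ "$user" != "$(id -un)" ]; then
    runas="sudo -n -u $user"   # switch to the service user when we are not it
  fi
  if ! $runas sh -c 'mkdir -p -- "$1"' sh "$dir" 2>/dev/null; then
    echo "cannot create directory $dir as ${user:-$(id -un)}" >&2; return 1
  fi
  if ! $runas sh -c ': >> "$1"' sh "$file" 2>/dev/null; then
    echo "cannot open $file for append as ${user:-$(id -un)}" >&2; return 1
  fi
  return 0
}

# prepare_audit_path FILE OWNER GROUP
# Creates the directory and an empty log file ahead of time and hands them
# to the service user (dir 0750, file 0640 are this example's choice).
# chown only runs when we are root; otherwise the caller already owns them.
prepare_audit_path() {
  file=$1; owner=$2; group=$3
  dir=$(dirname -- "$file")
  mkdir -p -- "$dir" && chmod 0750 "$dir" || return 1
  : >> "$file" && chmod 0640 "$file" || return 1
  if [ "$(id -u)" -eq 0 ]; then
    chown "$owner:$group" "$dir" "$file" || return 1
  fi
  # Verify as the service user before touching Vault at all.
  audit_path_writable "$file" "$owner"
}

# Typical use on a host where the vault service runs as vault:vault:
#   sudo sh -c '. ./audit_path.sh; prepare_audit_path /var/log/vault/vault_audit.log vault vault' \
#     && vault audit enable file file_path=/var/log/vault/vault_audit.log
```

If the check fails with "cannot create directory", the parent directory (e.g. /var/log) is the problem, which matches the "mkdir ... permission denied" variant of the error seen later in the thread.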
I had the same issue, I am using storage type: RAFT across a few servers. In the end I did the following:
On all servers in the cluster:
touch /var/log/vault_audit.log
chmod 644 /var/log/vault_audit.log
chown vault:vault /var/log/vault_audit.log
Then I found the leader and executed the following there:
To find the leader
vault operator raft list-peers
Execute on the leader to enable audit log
vault audit enable file file_path=/var/log/vault_audit.log
You may need to restart and unseal vault to see the logs on the leader (only the leader generates logs)
tail -f /var/log/vault_audit.log
I’m not 100% sure you “have to” run this on the leader but that is what I did.
Hello All,
Can someone help me here
I want to apply the below password restriction policy to the Cipher AD. Can someone help me with the CLI commands?
length = 14
rule "charset" {
charset = "abcdefghijklmnopqrstuvwxyz"
min-chars = 1
}
rule "charset" {
charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
min-chars = 1
}
rule "charset" {
charset = "0123456789"
min-chars = 1
}
rule "charset" {
charset = "#$_@"
min-chars = 1
}
Please do not post new questions in old unrelated topics. It just makes for a confusing experience for everyone. Start a new topic for a new unrelated question.