In the company I work for, I’ve launched Vault and am trying to migrate secrets to it.
In that company there is a policy requiring “one-use of administrator passwords”, like root, db admin, etc.
In other words, when a password is set up, it is stored in Vault. When someone needs that password, he/she checks it out, and after use the password SHOULD be changed.
For most accounts this could be solved by dynamic passwords. When a person needs administrative access, a new account is created, with a time limit, and the password can’t be re-used later.
But there are some systems that have no such secret engine, or no ability to create a plugin to implement this strategy.
For example, a stand-alone PC without a network connection (that still requires following the policy for the Administrator account).
My question is: what is a possible way to use Vault in that case?
Currently I have one possible solution: modify the KV secret engine and append functionality like this: when a secret was read, we set some mark in metadata, and later show an alert that the secret was compromised and should be changed. Also, such secrets could be monitored via the audit log or some job, and notify the responsible person, block access, etc.
Or maybe there is another “Vault-way” method to organize management for such passwords?
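The "monitor via the audit log or some job" idea from the post, as an added example that is not part of the original post or of Vault itself: it walks Vault audit-log lines and reports KV v2 secrets that were read (checked out) but not rewritten since, flagging those past a rotation deadline. The audit lines are constructed samples; the KV v2 mount name `secret`, the one-hour deadline and the fixed "now" are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample Vault audit-log lines (one JSON object per line); not from a real system.
# Only the fields the checker uses are kept; real entries carry many more (HMAC'd data, ids, ...).
SAMPLE_AUDIT_LOG = """
{"time":"2024-01-05T09:00:00Z","type":"response","auth":{"display_name":"userpass-alice"},"request":{"operation":"read","path":"secret/data/pc/lab-01/administrator"}}
{"time":"2024-01-05T09:30:00Z","type":"response","auth":{"display_name":"userpass-alice"},"request":{"operation":"update","path":"secret/data/pc/lab-01/administrator"}}
{"time":"2024-01-05T10:00:00Z","type":"request","auth":{"display_name":"userpass-bob"},"request":{"operation":"read","path":"secret/data/pc/lab-02/administrator"}}
{"time":"2024-01-05T10:00:00Z","type":"response","auth":{"display_name":"userpass-bob"},"request":{"operation":"read","path":"secret/data/pc/lab-02/administrator"}}
{"time":"2024-01-05T11:45:00Z","type":"response","auth":{"display_name":"userpass-carol"},"request":{"operation":"read","path":"secret/data/db/prod/admin"}}
{"time":"2024-01-05T11:50:00Z","type":"response","auth":{"display_name":"token-root"},"request":{"operation":"read","path":"sys/health"}}
"""

KV_DATA_PREFIX = "secret/data/"  # assumption: KV v2 engine mounted at "secret"

def parse_time(ts):
    """Vault writes RFC3339 timestamps, usually with fractional seconds; drop them."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def kv_events(log_text):
    """Yield (time, operation, path, actor) for completed KV v2 data operations."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        req = entry.get("request", {})
        # "request" lines are written before the call runs; only "response" lines prove it completed.
        if entry.get("type") != "response" or not req.get("path", "").startswith(KV_DATA_PREFIX):
            continue
        yield parse_time(entry["time"]), req.get("operation"), req["path"], entry.get("auth", {}).get("display_name")

def checked_out_secrets(log_text, now, max_age):
    """Return secrets read and not rewritten since, oldest checkout first, with an overdue flag."""
    state = {}  # path -> (last_read_time, reader); None once a new version was written
    for t, op, path, actor in sorted(kv_events(log_text), key=lambda e: e[0]):
        if op == "read":
            state[path] = (t, actor)
        elif op in ("create", "update", "patch"):
            state[path] = None  # rotated: the checked-out password is no longer valid
    report = [{"path": p, "checked_out_by": a, "checked_out_at": t.isoformat(), "overdue": now - t > max_age}
              for p, v in state.items() if v is not None for t, a in [v]]
    return sorted(report, key=lambda r: r["checked_out_at"])

def demo_report():
    """Run the checker over the constructed log with an assumed 'now' and a one-hour deadline."""
    now = datetime(2024, 1, 5, 12, 0, tzinfo=timezone.utc)
    return checked_out_secrets(SAMPLE_AUDIT_LOG, now, timedelta(hours=1))

if __name__ == "__main__":
    for r in demo_report():
        print(("OVERDUE " if r["overdue"] else "pending ") + r["path"], r["checked_out_by"], r["checked_out_at"])
```

Feed it a real audit device file (or a tail of it) and the overdue entries are the ones to page the responsible person about; the same rule can be enforced before a read instead of after by a Vault policy that denies reads while a checkout mark is set in the secret's custom metadata.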