Unable to validate the auditing for Vault

Vault
1

Hi, I’m following this doc to set up file_path auditing device. I understand that the username/passwords/tokens in the audit log are are hashed with a salt using HMAC-SHA256.

My goal is to use Vault to translate a token/username/password back to the original token (non hashed version) so that I know who initiated that request.

In my payload.json file, I have the hashed token like this:

{
“input”: “hmac-sha256:0f6621d2813df41ccf2ffabd7dd97148c0302aae59e00f81abb41ae5c0000000”
}

When I run the following Vault command:

curl
–header “X-Vault-Token: hvs.rUzPWfowWGKDQcxhV0000000”
–request POST
–data @payload.json
http://127.0.0.1:8200/v1/sys/audit-hash/vault_audit_1

I get this output:

{“hash”:“hmac-sha256:22947eca0c31dff00b0d2f6bd32fe5824b81e72dce89eaf5a888600aa0000000”,“request_id”:“f0d73cbc-5bb8-e8a8-f554-6b03fb2f622c”,“lease_id”:"",“renewable”:false,“lease_duration”:0,“data”:{“hash”:“hmac-sha256:22947eca0c31dff00b0d2f6bd32fe5824b81e72dce89eaf5a888600aa8a5c42e”},“wrap_info”:null,“warnings”:null,“auth”:null}

I’m failing to understand how to use the above data to audit who requested a username/password since the data is hashed here.

  • some values are masked intentionally
2

The audit-hash function takes in clear-text and converts it to the hash value that would be seen in the audit log (each audit log has a unique salt so the resulting hash differs from log to log; e.g. syslog vs file if you have both setup)

It does not “un-hash” the value. There is no way to “un-hash” as
hashing is a one way operation.

Basically if you suspect a particular known value was used you could verify that by comparing the resulting hash from the command with what you see in the log.

However, you should be able to see authentication information in the audit records such as auth.display_name, auth.entity_id, auth.policies, auth.token_issue_time, and more.

You can disable hashing of specific fields when creating or tuning the mount using the audit_non_hmac_request_keys and audit_non_hmac_response_keys but I would recommend not doing so unless absolutely required and you understand the risks in doing so.

Example: /sys/auth - HTTP API | Vault by HashiCorp

2 Likes
3

Thank you @jeffsanicola