Enabling vault audit log file gets a 400 error


Erika Buckman

Dec 1, 2017, 1:14:35 PM
to Vault
I am trying to enable our vault audit log file with the following command:

vault audit-enable file file_path=/var/log/vault_audit.log

It's failing and giving me the following response:

"Error enabling audit backend: Error making API request.

Code: 400. Errors:

* sanity check failed; unable to open /var/log/vault_audit.log for writing: chmod /var/log/vault_audit.log: operation not permitted"

I have write permissions enabled for it. Not sure what else it could be. 

Jeff Mitchell

Dec 1, 2017, 1:16:47 PM
to Vault
Hi,

Vault attempts to chmod the file to lock down permissions. If it's not allowed to chmod the file it would cause this error message.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/f5c2b16e-07e1-4507-8a08-d27adc236f2c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Erika Buckman

Dec 1, 2017, 1:23:28 PM
to Vault
What should the permissions be to allow that? 



Erika Buckman

Dec 1, 2017, 3:05:26 PM
to Vault
I currently have it set to 600. 

Erika Buckman

Dec 1, 2017, 3:16:21 PM
to Vault
Even when I set the permissions to 777, I'm getting a 400 response. 



Jeff Mitchell

Dec 1, 2017, 3:20:46 PM
to Vault
Hi Erika,

The issue isn't what the permissions are, it's that the Vault process is not allowed to change them.

Probably a good future enhancement would be to not attempt to chmod the permissions if they are explicitly set to "000"; I'll lodge that in for 0.9.1.

Best,
Jeff


Erika Buckman

Dec 1, 2017, 3:30:36 PM
to Vault
How can I enable auditing to a file then? 

Jeff Mitchell

Dec 1, 2017, 3:56:39 PM
to Vault
Hi Erika,

You can give the Vault user/process enough permissions to chmod the file. You need to either be the owner of the file or root. If you own the directory but not the file, you can copy the file, rm the original, then mv it back, and then you will be able to chown it.

Best,
Jeff
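
The ownership condition described in the reply above, as an added example that is not part of the original thread and not Vault's own code: chmod is permitted only to the file's owner or root, so the mode bits (600 or 777) make no difference. The function names, the script name and the "vault" account name are assumptions; run reown_by_copy as the account Vault runs as.

```shell
#!/bin/sh
# Added example: diagnose "chmod ...: operation not permitted" on an audit log.
# chmod(2) is allowed only for the file's owner or root; mode bits such as
# 600 or 777 do not matter. Function names here are illustrative.

# Numeric owner UID of a file (GNU stat first, BSD stat as fallback).
owner_uid() { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }

# Octal permission bits of a file, e.g. 600.
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# can_chmod UID FILE: succeed if a process running as UID may chmod FILE.
can_chmod() {
    [ "$1" -eq 0 ] && return 0              # root may chmod anything
    [ "$(owner_uid "$2")" -eq "$1" ]        # otherwise only the owner may
}

# reown_by_copy FILE: the copy / rm / mv sequence from the reply above.
# Needs write access to the directory. The copy is a new file owned by the
# caller, so the caller can then restrict its mode. A process that still has
# the old file open keeps writing to the removed inode until it reopens it.
reown_by_copy() {
    tmp="$1.reown.$$"
    cp "$1" "$tmp" || return 1              # plain cp: new owner is the caller
    rm -f "$1" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$1" || return 1
    chmod 600 "$1"                          # 600 is the mode the poster used
}

# Usage: sh check_audit_log.sh vault /var/log/vault_audit.log
# ("vault" as the service account name is an assumption.)
if [ "$#" -eq 2 ]; then
    uid=$(id -u "$1") || exit 2
    if can_chmod "$uid" "$2"; then
        echo "OK: uid $uid may chmod $2"
    else
        echo "FAIL: $2 is owned by uid $(owner_uid "$2"), not uid $uid"
        exit 1
    fi
fi
```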


Erika Buckman

Dec 1, 2017, 4:49:14 PM
to Vault
Thank you! 

Jeff Mitchell

Dec 4, 2017, 1:59:22 PM
to Vault
As a quick follow up, I've lodged https://github.com/hashicorp/vault/issues/3639

Best,
Jeff
