Viewing data behind hmac in vault audit logs


shawn wilson

Apr 5, 2019, 4:04:38 PM4/5/19
to vault...@googlegroups.com
What is the workflow to go from hmac string in the audit log to what the original data was supposed to be? I'm hoping there's a cubbyhole or something for this?

If the data is available somehow, loading it in a Splunk lookup wouldn't be that hard (but would be no more secure than just turning off hmac altogether). So, is there a decent way to handle this data in Splunk?

mic...@hashicorp.com

Apr 8, 2019, 3:07:05 AM4/8/19
to Vault
Hi Shawn,

The request/response data in the audit logs is hashed. You can use the "sys/audit-hash" API endpoint to generate your own hashes.
This helps you search for entries where you know the content. See the documentation for more information: https://www.vaultproject.io/docs/audit/index.html#sensitive-information

In general, storing the raw request/response with secrets included is not recommended. May I ask what the use case is for storing unencrypted credentials in Splunk?
Usually, all data which is needed to monitor the access of Vault is unencrypted.

Cheers,
Michel
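
The workflow Michel describes, as an added example (not code from this thread or from Vault): hash a value you already know, then search the audit log for the resulting string. `vault_audit_hash` calls the real `sys/audit-hash/<device>` endpoint; `local_audit_hash` and the sample log lines are constructed stand-ins (the salt, paths and values are made up) so the search runs offline.

```python
import hashlib, hmac, json, urllib.request

def vault_audit_hash(addr, token, device, value):
    """Ask Vault to HMAC `value` with the salt of audit device `device`
    (POST /v1/sys/audit-hash/<device>); needs a token allowed on that path."""
    req = urllib.request.Request(
        f"{addr}/v1/sys/audit-hash/{device}",
        data=json.dumps({"input": value}).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["hash"]          # e.g. "hmac-sha256:3f2a..."

def local_audit_hash(salt, value):
    """Offline stand-in for the endpoint, used only to build the sample log.
    Assumption: same hmac-sha256:<hex> shape Vault emits. The real per-device
    salt is never exported, so against a real log use vault_audit_hash()."""
    digest = hmac.new(salt.encode(), value.encode(), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest

def _strings(obj):
    """Yield every string nested inside a JSON audit entry."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)
    elif isinstance(obj, str):
        yield obj

def find_entries(log_lines, target_hash):
    """Return (line number, request path) for every audit entry that contains
    `target_hash`; the log itself stays hashed, nothing is reversed."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if not line.strip():
            continue
        entry = json.loads(line)
        if target_hash in set(_strings(entry)):
            hits.append((n, entry.get("request", {}).get("path")))
    return hits

# Constructed sample: two audit lines HMACed with a made-up salt; only the
# first carries the value we know ("hunter2").
SALT = "constructed-salt-not-a-real-vault-salt"
SAMPLE_LOG = [
    json.dumps({"type": "request", "request": {"path": "secret/data/db",
                "data": {"password": local_audit_hash(SALT, "hunter2")}}}),
    json.dumps({"type": "request", "request": {"path": "secret/data/api",
                "data": {"password": local_audit_hash(SALT, "other")}}}),
]
```

Against a real log, replace `local_audit_hash(SALT, ...)` with `vault_audit_hash(addr, token, device, ...)` and feed the lines of the audit file to `find_entries`.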

shawn wilson

Apr 8, 2019, 8:45:07 AM4/8/19
to vault...@googlegroups.com
So I was hoping for a cubbyhole of the hmac with that content in it or something...? With regard to long term log storage, are you suggesting the encrypted data should be left out or that it should just be put there in the clear (with whatever Splunk normally does to logs anyway)?
