Not able to enable audit logs in /usr/local/logs/vault/vault_audit.log.


jigar vora
May 30, 2019, 7:56:59 AM
to Vault
Hi,

I am not able to enable audit logs in /usr/local/logs/vault/vault_audit.log, but I am able to enable audit logs in /vault/logs.
In both cases the vault folder is owned by vault:vault recursively and the permission bits are set to 777.

*****
jivora@myvault101:/usr/local/logs/vault$ vault audit enable -path="vault_audit_prod" file file_path=/usr/local/logs/vault/vault_audit.log
Error enabling audit device: Error making API request.

Code: 400. Errors:

* sanity check failed; unable to open "/usr/local/logs/vault/vault_audit.log" for writing: open /usr/local/logs/vault/vault_audit.log: read-only file system
******

******
jivora@myvault101:/$ vault audit enable -path="vault_audit_prod" file file_path=/vault/vault_audit.log
Success! Enabled the file audit device at: vault_audit_prod/
******

OS is Ubuntu 18.04 on Azure.

Wanted to check why user vault is allowed to write in /vault/logs but not in /usr/local/logs/.

Thanks,
Jigar


Lowe Schmidt
Jun 1, 2019, 4:14:16 AM
to Vault
Are /vault and /usr/local/logs/vault the same filesystem?

Because vault is telling you it can't create a file because /usr/local/logs/vault is read only.

What does mount give you?
--
Lowe Schmidt | +46 723 867 157



jigar vora
Jun 3, 2019, 2:34:51 AM
to vault...@googlegroups.com
Thanks for your response.

Yes, they are the same file system.

jivora@myvault101:~$ mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=8187940k,nr_inodes=2046985,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=1640060k,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,discard)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=24,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=19449)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
configfs on /sys/kernel/config type configfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
/dev/sda15 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro,discard)
/dev/sdb1 on /mnt type ext4 (rw,relatime,x-systemd.requires=cloud-init.service)
lxcfs on /var/lib/lxcfs type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=1640060k,mode=700,uid=1000,gid=1000)

jivora@vault101:~$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            7.9G     0  7.9G   0% /dev
tmpfs           1.6G  684K  1.6G   1% /run
/dev/sda1        29G  3.3G   26G  12% /
tmpfs           7.9G     0  7.9G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           7.9G     0  7.9G   0% /sys/fs/cgroup
/dev/sda15      105M  3.6M  101M   4% /boot/efi
/dev/sdb1        32G   49M   30G   1% /mnt
tmpfs           1.6G     0  1.6G   0% /run/user/1000

Thanks,
Jigar

Lowe Schmidt
Jun 3, 2019, 4:47:16 AM
to Vault
And the path exists?

--
Lowe Schmidt | +46 723 867 157

jigar vora
Jun 3, 2019, 8:20:20 AM
to vault...@googlegroups.com
Yes. The path exists.

I was wondering if there was some kind of ACL at play. Thanks for looking into this.

#############################

jivora@vault101:/usr/local/mdc/logs$ ls -ld $PWD/*
drwxr-xr-x 2 vault vault 4096 May 30 10:11 /usr/local/mdc/logs/vault

jivora@vault101:/usr/local/mdc/logs$ vault audit enable -ca-cert=/usr/local/mdc/ssl_ca/mdp-root-cacert.pem -path="vault_audit_prod" file file_path=/usr/local/mdc/logs/vault/vault_audit.log

Error enabling audit device: Error making API request.

URL: PUT https://vault101.eastus.cloudapp.azure.com:8200/v1/sys/audit/vault_audit_prod
Code: 400. Errors:

* sanity check failed; unable to open "/usr/local/mdc/logs/vault/vault_audit.log" for writing: open /usr/local/mdc/logs/vault/vault_audit.log: read-only file system

#############################

jivora@vault101:/usr/local/mdc/logs$ cd /
jivora@vault101:/$ ls -ld $PWD/vault
drwxr-xr-x 2 vault vault 4096 Jun  3 12:11 /vault

jivora@vault101:/$ vault audit enable -ca-cert=/usr/local/mdc/ssl_ca/mdp-root-cacert.pem -path="vault_audit_prod" file file_path=/vault/vault_audit.log

Success! Enabled the file audit device at: vault_audit_prod/

#############################

jivora@vault101:/usr/local/mdc/logs$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            7.9G     0  7.9G   0% /dev
tmpfs           1.6G  676K  1.6G   1% /run
/dev/sda1        29G  3.3G   26G  12% /
tmpfs           7.9G     0  7.9G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           7.9G     0  7.9G   0% /sys/fs/cgroup
/dev/sda15      105M  3.6M  101M   4% /boot/efi
/dev/sdb1        32G   49M   30G   1% /mnt
tmpfs           1.6G     0  1.6G   0% /run/user/1000

-Jigar

Nick Cabatoff
Jun 3, 2019, 11:04:07 AM
to vault...@googlegroups.com
Are you able to write to the path in question yourself?  e.g.

$ touch /usr/local/mdc/logs/vault/vault_audit.log

How are you running the Vault server?  Docker, systemd?  Can you show how you started it?

jigar vora
Jun 4, 2019, 1:06:25 AM
to vault...@googlegroups.com
I am not allowed to write in either folder, as my user is 'jivora' and 'jivora' doesn't have permission to write in either of the folders since they are owned by user 'vault'.
With sudo I am able to write in both places.

jivora@vault101:/usr/local/mdc/logs$ touch /usr/local/mdc/logs/vault/vault_audit.log
touch: cannot touch '/usr/local/mdc/logs/vault/vault_audit.log': Permission denied
jivora@vault101:/usr/local/mdc/logs$ touch /vault/vault_audit.log
touch: cannot touch '/vault/vault_audit.log': Permission denied

I am using systemd. Following is my systemd service file.

***************

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitIntervalSec=60
StartLimitBurst=3

[Install]
WantedBy=multi-user.target


***************

Thanks,
Jigar

Nick Cabatoff
Jun 4, 2019, 8:02:42 AM
to vault...@googlegroups.com
Looks like the culprit is ProtectSystem=full.
      ProtectSystem=
           Takes a boolean argument or the special values "full" or
           "strict". If true, mounts the /usr and /boot directories
           read-only for processes invoked by this unit. If set to "full",
           the /etc directory is mounted read-only, too.
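
As an added example (not code from the thread or from Vault): a small POSIX sh script that reads the ProtectSystem= and ReadWritePaths= directives from a unit file and predicts whether a given file_path would sit on a tree the sandbox mounts read-only for the service. The unit files it writes are constructed from the [Service] section posted above; the ReadWritePaths= fix is the example's own assumption, and other sandboxing directives (ProtectHome= and so on) are not modelled.

```shell
#!/bin/sh
# Added example, not code from the thread: predict whether systemd's
# ProtectSystem= sandbox leaves an audit log path writable for the service,
# and whether a ReadWritePaths= entry exempts it.

# Directory trees made read-only by each ProtectSystem= value (systemd.exec(5)).
protect_system_prefixes() {
    case "$1" in
        yes|true|on|1) echo "/usr /boot" ;;
        full)          echo "/usr /boot /etc" ;;
        strict)        echo "/" ;;   # whole hierarchy except /dev, /proc, /sys
        *)             echo "" ;;
    esac
}

# Last value of directive $2 (e.g. ProtectSystem) in unit file $1.
unit_value() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# Exit 0 if path $2 equals prefix $1 or lies beneath it.
under_prefix() {
    [ "$1" = "/" ] && return 0
    case "$2" in "$1"|"$1"/*) return 0 ;; esac
    return 1
}

# Exit 0 if the service under unit $1 could open $2 for writing, 1 if the path
# is on a tree ProtectSystem= mounts read-only and no ReadWritePaths= covers it.
audit_path_writable() {
    for rw in $(unit_value "$1" ReadWritePaths); do
        under_prefix "${rw#[-+]}" "$2" && return 0   # strip optional -/+ marker
    done
    for ro in $(protect_system_prefixes "$(unit_value "$1" ProtectSystem)"); do
        under_prefix "$ro" "$2" && return 1
    done
    return 0
}

# Constructed units: the thread's settings, and the same plus ReadWritePaths=
# (the assumed fix), written to temporary files so the script runs stand-alone.
UNIT_ORIG=$(mktemp); UNIT_FIXED=$(mktemp)
printf '[Service]\nUser=vault\nProtectSystem=full\nProtectHome=read-only\n' > "$UNIT_ORIG"
{ cat "$UNIT_ORIG"; echo 'ReadWritePaths=/usr/local/mdc/logs/vault'; } > "$UNIT_FIXED"

audit_path_writable "$UNIT_ORIG" /usr/local/mdc/logs/vault/vault_audit.log \
    || echo "original unit: /usr/local/mdc/logs/vault is read-only (the thread's error)"
audit_path_writable "$UNIT_ORIG" /vault/vault_audit.log \
    && echo "original unit: /vault is writable"
audit_path_writable "$UNIT_FIXED" /usr/local/mdc/logs/vault/vault_audit.log \
    && echo "fixed unit: ReadWritePaths= exempts the log directory"
```

With ProtectSystem=full the script reports the /usr/local path as read-only and /vault as writable, matching the two results in the thread; adding the log directory to ReadWritePaths= (or placing the audit log outside /usr, /boot and /etc) keeps the sandbox and still lets the file audit device open its log.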


jigar vora
Jun 5, 2019, 12:48:55 AM
to vault...@googlegroups.com
Thanks, Nick, for looking into this for me. Now it makes sense.

-Jigar


