2017-03-15 06:40:33 +00:00
|
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
|
layout: api
|
|
|
|
|
page_title: /sys/audit-hash - HTTP API
|
|
|
|
|
sidebar_title: <code>/sys/audit-hash</code>
|
2017-03-15 06:40:33 +00:00
|
|
|
|
description: |-
|
2017-09-21 21:14:40 +00:00
|
|
|
|
The `/sys/audit-hash` endpoint is used to hash data using an audit device's
|
2017-03-15 06:40:33 +00:00
|
|
|
|
hash function and salt.
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# `/sys/audit-hash`
|
|
|
|
|
|
|
|
|
|
The `/sys/audit-hash` endpoint is used to calculate the hash of the data used by
|
2017-09-21 21:14:40 +00:00
|
|
|
|
an audit device's hash function and salt. This can be used to search audit logs
|
2017-03-15 06:40:33 +00:00
|
|
|
|
for a hashed value when the original value is known.
|
|
|
|
|
|
|
|
|
|
## Calculate Hash
|
|
|
|
|
|
2017-09-21 21:14:40 +00:00
|
|
|
|
This endpoint hashes the given input data with the specified audit device's
|
2017-03-15 06:40:33 +00:00
|
|
|
|
hash function and salt. This endpoint can be used to discover whether a given
|
|
|
|
|
plaintext string (the `input` parameter) appears in the audit log in obfuscated
|
|
|
|
|
form.
|
|
|
|
|
|
|
|
|
|
The audit log records requests and responses. Since the Vault API is JSON-based,
|
|
|
|
|
any binary data returned from an API call (such as a DER-format certificate) is
|
|
|
|
|
base64-encoded by the Vault server in the response. As a result such information
|
|
|
|
|
should also be base64-encoded to supply into the `input` parameter.
|
|
|
|
|
|
2019-03-22 16:15:37 +00:00
|
|
|
|
| Method | Path |
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| :----- | :---------------------- |
|
2019-03-22 16:15:37 +00:00
|
|
|
|
| `POST` | `/sys/audit-hash/:path` |
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2017-09-21 21:14:40 +00:00
|
|
|
|
- `path` `(string: <required>)` – Specifies the path of the audit device to
|
2017-03-15 06:40:33 +00:00
|
|
|
|
generate hashes for. This is part of the request URL.
|
|
|
|
|
|
|
|
|
|
- `input` `(string: <required>)` – Specifies the input string to hash.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"input": "my-secret-vault"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-15 06:40:33 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/audit-hash/example-audit
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"hash": "hmac-sha256:08ba35..."
|
|
|
|
|
}
|
|
|
|
|
```
|