Commit graph

47 commits

Author SHA1 Message Date
Mark Gritter 8c67bed7ae
Send a test message before committing a new audit device. (#10520)
* Send a test message before committing a new audit device.
Also, lower timeout on connection attempts in socket device.
* added changelog
* go mod vendor (picked up some unrelated changes.)
* Skip audit device check in integration test.
Co-authored-by: swayne275 <swayne@hashicorp.com>
2020-12-16 16:00:32 -06:00
Jeff Mitchell ebc1e64c62
Format requests/responses ahead of time in file audit (#7024)
This was inspired by #7022 but has the advantage of avoiding
double-locking and needing to perform lock upgrades while also
simplifying the logic and being faster.

Original, #7022, this:

goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/audit/file
BenchmarkAuditFile_request-4       30000             60734 ns/op
PASS
ok      github.com/hashicorp/vault/builtin/audit/file   2.428s

goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/audit/file
BenchmarkAuditFile_request-4       50000             34772 ns/op
PASS
ok      github.com/hashicorp/vault/builtin/audit/file   2.086s

goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/audit/file
BenchmarkAuditFile_request-4       50000             25302 ns/op
PASS
ok      github.com/hashicorp/vault/builtin/audit/file   1.542s

Fixes #7014
Closes #7022
2019-07-01 16:07:03 -04:00
ncabatoff ad28263b69
Allow plugins to submit audit requests/responses via extended SystemView (#6777)
Move audit.LogInput to sdk/logical.  Allow the Data values in audited
logical.Request and Response to implement OptMarshaler, in which case
we delegate hashing/serializing responsibility to them.  Add new
ClientCertificateSerialNumber audit request field.

SystemView can now be cast to ExtendedSystemView to expose the Auditor
interface, which allows submitting requests and responses to the audit
broker.
2019-05-22 18:52:53 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jim Kalafut e1a326152d
Switch to strings.EqualFold (#5284) 2018-09-11 16:22:29 -07:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Calvin Leung Huang e2fb199ce5
Non-HMAC audit values (#4033)
* Add non-hmac request keys

* Update comment

* Initial audit request keys implementation

* Add audit_non_hmac_response_keys

* Move where req.NonHMACKeys gets set

* Minor refactor

* Add params to auth tune endpoints

* Sync cache on loadCredentials

* Explicitly unset req.NonHMACKeys

* Do not error if entry is nil

* Add tests

* docs: Add params to api sections

* Refactor audit.Backend and Formatter interfaces, update audit broker methods

* Add audit_broker.go

* Fix method call params in audit backends

* Remove fields from logical.Request and logical.Response, pass keys via LogInput

* Use data.GetOk to allow unsetting existing values

* Remove debug lines

* Add test for unsetting values

* Address review feedback

* Initialize values in FormatRequest and FormatResponse using input values

* Update docs

* Use strutil.StrListContains

* Use strutil.StrListContains
2018-03-02 12:18:39 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Shumate a0d1092420 Conditionally set file audit log mode (#3649) 2017-12-07 11:44:15 -05:00
Jeff Mitchell 8acef196a8 Add 'discard' target to file audit backend (#3262)
Fixes #seth
2017-08-30 19:16:47 -04:00
Christopher Pauley eccbb21ce8 stdout support for file backend via logger (#3235) 2017-08-29 14:51:16 -04:00
Jeff Mitchell 98f64e5154 Opportunistically try re-opening file audit fd on error (#2999)
Addresses a pain point from
https://github.com/hashicorp/vault/issues/2863#issuecomment-309434605
2017-07-14 11:03:01 -04:00
Lars Lehtonen 3f0b15826a Fix swallowed errors in builtin (#2977) 2017-07-07 08:23:12 -04:00
Jeff Mitchell 7cc72a9066 Delay salt initialization for audit backends 2017-05-23 20:36:20 -04:00
Jeff Mitchell d7a6ec8d43 Add some repcluster handling to audit and add some tests (#2384)
* Add some repcluster handling to audit and add some tests

* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
Tommy Murphy ca06bc0b53 audit: support a configurable prefix string to write before each message (#2359)
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
Laura Bennett 0da9d1ac0c test updates to address feedback 2016-10-10 12:58:30 -04:00
Laura Bennett 962a383bfb address latest feedback 2016-10-10 11:58:26 -04:00
Laura Bennett 290ccee990 minor fix 2016-10-10 10:05:36 -04:00
Laura Bennett 9fc5a37e84 address feedback 2016-10-09 22:23:30 -04:00
Laura Bennett 05519a1267 adding unit tests for file mode 2016-10-09 00:33:24 -04:00
Laura Bennett 1b8d12fe82 changes for 'mode' 2016-10-08 19:52:49 -04:00
Laura Bennett 60ceea5532 initial commit for adding audit file permission changes 2016-10-07 15:09:32 -04:00
Jeff Mitchell 6d00f0c483 Adds HUP support for audit log files to close and reopen. (#1953)
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell 0ff76e16d2 Transit and audit enhancements 2016-09-21 10:49:26 -04:00
Jeff Mitchell 638e61192a Actually show the error occurring if a file audit log can't be opened 2016-08-15 16:26:36 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
vishalnayak 39a0c8e91f Read from 'path' to retain backward compatibility 2016-03-15 20:05:51 -04:00
vishalnayak 71fc07833f Rename id to path and path to file_path, print audit backend paths 2016-03-14 17:15:07 -04:00
Jeff Mitchell 9bfd24cd69 s/hash_accessor/hmac_accessor/g 2016-03-14 14:52:29 -04:00
vishalnayak ea108fba18 Use accessor being set as the condition to restore non-hashed values 2016-03-14 11:23:30 -04:00
vishalnayak e09819fedc Added hash_accessor option to audit backends 2016-03-11 19:28:06 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell 80705b7963 If we fail to open a file path, show which it is in the error output 2015-10-30 14:30:21 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 2098446d47 Ensure that the 'file' audit backend can successfully open its given path before returning success. Fixes #550. 2015-08-26 09:13:10 -07:00
Armon Dadgar 96d6455ef5 audit: properly restore TLS state 2015-07-08 16:45:15 -06:00
Armon Dadgar 12d3aee58e audit: fixing panic caused by tls connection state. Fixes #322 2015-06-29 17:16:17 -07:00
Nate Brown 4ec685dc1a Logging authentication errors and bad token usage 2015-06-18 18:30:18 -07:00
Armon Dadgar b07d0bc56f audit/file: Create file if it does not exist. Fixes #148 2015-05-06 11:33:06 -07:00
Armon Dadgar 848433a355 audit/file: add log_raw parameter and default to hashing 2015-04-27 15:56:41 -07:00
Armon Dadgar 27c73da308 audit/file: Attempt to create directory path. Fixes #38 2015-04-27 12:40:32 -07:00
Mitchell Hashimoto ee2b113831 audit/file: append 2015-04-19 22:43:39 -07:00
Mitchell Hashimoto ef95d9a10e audit/file: use JSON formatter to write output 2015-04-13 14:12:14 -07:00
Mitchell Hashimoto 8bfa12297d builtin/audit: add file audit 2015-04-04 18:10:25 -07:00