hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault enables or lists wrong path for audit device #28546

Closed Flamefire closed 3 weeks ago

Flamefire commented 3 weeks ago

To Reproduce

Steps to reproduce the behavior:

  1. Run vault audit enable file file_path=/tmp/foo
  2. Run vault audit list
  3. See error

Expected behavior

Audit log goes to file /tmp/foo and vault audit list shows that. BUT:

$ vault audit enable file file_path=/tmp/log
Success! Enabled the file audit device at: file/
$ vault audit list
Path     Type    Description
----     ----    -----------
file/    file    n/a

Environment:

kubawi commented 3 weeks ago

Hi 👋

I think what's happening here is that the audit device path—which is effectively the unique identifier of the audit device—is easy to mistake for the file_path, which is the file the audit device will write the log to. I do see that our docs aren't very clear on it right now, but we are currently working on improving the CLI documentation, so I will pass this on as feedback to my colleagues who are working on that.

For the future, if you'd like to change the audit device path, i.e. the ID of the device, you can pass the -path flag with your command:

vault audit enable -path=bar file file_path=/tmp/foo

Otherwise the CLI just automatically uses the type of the device as path.

Also, if you want to see the file_path (and other options) for an audit device you have, please try adding the -detailed flag to the list command, like this:

~
➜ vault audit enable -path=bar file file_path=/tmp/foo
Success! Enabled the file audit device at: bar/

~
➜ vault audit list -detailed
Path    Type    Description    Replication    Options
----    ----    -----------    -----------    -------
bar/    file    n/a            replicated     file_path=/tmp/foo

That should give you the expected output.

Relevant docs:
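The distinction drawn above (the mount path is the device's identifier, `file_path` is one of that device's options) is easiest to see in the JSON form of the listing. The following Python is an added example, not code from this thread or from the Vault project; it assumes that `vault audit list -detailed -format=json` returns a map keyed by mount path with the device's type-specific settings under `options` (assumed shape), and it works on a constructed sample rather than a live server. It goes slightly beyond the thread by also flagging two file devices that point at the same log file, which is the kind of misconfiguration the path/file_path confusion can produce.

```python
import json

# Constructed sample: the shape assumed for `vault audit list -detailed -format=json`
# after enabling a device at the default path ("file/") and one at "bar/".
# Both file devices deliberately share the same file_path so the duplicate
# check below has something to report.
SAMPLE_AUDIT_LIST = json.dumps({
    "file/": {"type": "file", "description": "", "local": False, "path": "file/",
              "options": {"file_path": "/tmp/foo"}},
    "bar/": {"type": "file", "description": "", "local": False, "path": "bar/",
             "options": {"file_path": "/tmp/foo"}},
    "syslog/": {"type": "syslog", "description": "", "local": False, "path": "syslog/",
                "options": {"tag": "vault"}},
})


def parse_audit_devices(raw_json):
    """Parse the listing into {mount_path: (device_type, options)}.

    The mount path (the map key, e.g. "file/") is the identifier you pass to
    `vault audit disable`; file_path lives inside options and is only present
    for file-type devices.
    """
    listing = json.loads(raw_json)
    devices = {}
    for mount_path, entry in listing.items():
        devices[mount_path] = (entry.get("type", ""), dict(entry.get("options") or {}))
    return devices


def uses_default_path(mount_path, device_type):
    """True when the CLI chose the mount path for you (path == device type).

    `vault audit enable file ...` without -path mounts at "file/"; the trailing
    slash is part of how Vault reports the mount, so strip it before comparing.
    """
    return mount_path.rstrip("/") == device_type


def file_audit_targets(devices):
    """Map each file-type audit device to the log file it writes to."""
    return {mount: opts["file_path"]
            for mount, (dev_type, opts) in devices.items()
            if dev_type == "file" and "file_path" in opts}


def duplicate_targets(devices):
    """Return {file_path: [mount paths]} for log files used by more than one device.

    Two devices appending to one file interleave their records, so this is
    worth surfacing in a configuration review.
    """
    by_file = {}
    for mount, file_path in file_audit_targets(devices).items():
        by_file.setdefault(file_path, []).append(mount)
    return {fp: sorted(mounts) for fp, mounts in by_file.items() if len(mounts) > 1}


if __name__ == "__main__":
    devs = parse_audit_devices(SAMPLE_AUDIT_LIST)
    for mount, (dev_type, _) in devs.items():
        tag = "default path" if uses_default_path(mount, dev_type) else "custom path"
        print(f"{mount:<10} type={dev_type:<7} ({tag})")
    print("file targets:", file_audit_targets(devs))
    print("shared log files:", duplicate_targets(devs))
```

To use this against a real server, replace `SAMPLE_AUDIT_LIST` with the output of `vault audit list -detailed -format=json`; the mount path is what you disable or re-enable by, and `file_path` is what you point log shipping at.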

Flamefire commented 3 weeks ago

I understand. path is confusing at this point, especially with the trailing slash.
Maybe the documentation can also be improved as the examples don't make it easy to understand the difference of "path" and "file_path":

Enable at the default path:

$ vault audit enable file file_path=/var/log/vault_audit.log

Enable at a different path. It is possible to enable multiple copies of an audit device:

$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log

The example for "different path" changes both "paths" at once. And "Place where the audit device will be accessible." isn't really clear either. What does "accessible" mean here, accessible by and for what? Maybe just "[...] accessible for/to vault commands" already helps.

Anyway this isn't a bug and for me the distinction is clear now.

kubawi commented 3 weeks ago

I appreciate you taking the time to write up the feedback. I have already passed it on to the peeps looking at improving our CLI documentation. I will close the issue now, thanks!