【Question title】: How can I understand something from hashicorp vault audit?
【Posted】: 2019-12-23 16:48:28
【Question】:

I'm trying to get familiar with Hashicorp Vault, but I don't understand how to use its audit log?

For example, suppose one of the administrators is compromised, and someone holding a root token creates another root token. I get an audit log like this:

{
  "time": "2019-08-17T21:53:07.625384189Z",
  "type": "request",
  "auth": {
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "token_type": "service"
  },
  "request": {
    "id": "f8b0f707-7e38-1410-4173-235ff9e250b6",
    "operation": "update",
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "client_token_accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "namespace": {
      "id": "root"
    },
    "path": "auth/token/create",
    "data": {
      "display_name": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "entity_alias": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "explicit_max_ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "num_uses": "hmac-sha256:943213e389eae841e8d03f94149bc8e564973fd4c6f0eabe76061dd4355b03b0",
      "period": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "renewable": true,
      "ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "type": "hmac-sha256:792572c378bcb0b0400ad2033078e80334dfd06d76d948866960ad9b8547ba62"
    },
    "remote_address": "127.0.0.1"
  }
}
{
  "time": "2019-08-17T21:53:07.709275872Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "token_type": "service"
  },
  "request": {
    "id": "f8b0f707-7e38-1410-4173-235ff9e250b6",
    "operation": "update",
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "client_token_accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "namespace": {
      "id": "root"
    },
    "path": "auth/token/create",
    "data": {
      "display_name": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "entity_alias": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "explicit_max_ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "num_uses": "hmac-sha256:943213e389eae841e8d03f94149bc8e564973fd4c6f0eabe76061dd4355b03b0",
      "period": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "renewable": true,
      "ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "type": "hmac-sha256:792572c378bcb0b0400ad2033078e80334dfd06d76d948866960ad9b8547ba62"
    },
    "remote_address": "127.0.0.1"
  },
  "response": {
    "auth": {
      "client_token": "hmac-sha256:fdb305fbabaf0044fc6d696fb2d0ff3d96574ff4d7fab804e8d5d36b7f2ddd14",
      "accessor": "hmac-sha256:19f3a70ceea337f067c053249504fbf8e8c164304b66a8c97fad421d43b5e4af",
      "display_name": "token",
      "policies": [
        "root"
      ],
      "token_policies": [
        "root"
      ],
      "token_type": "service"
    }
  }
}

How can I find out who did it? How do I get the accessor of the compromised token? Where can I get the accessor of the token that was just created, so I can revoke it?

Or am I misunderstanding the purpose of Vault audit?

【Question comments】:

    Tags: security hashicorp-vault


    【Solution 1】:

    I found a cool option that helped me: hmac_accessor = false. Here is the audit log with this option enabled:

    {
      "time": "2019-08-27T07:55:57.888464574Z",
      "type": "response",
      "auth": {
        "client_token": "hmac-sha256:84c8887e815c04aeef145ebffa05f9ef6fde166d7645b5046416d76add283fef",
        "accessor": "y1lRcyzxkPgL0gmQ45WqliPy",
        "display_name": "root",
        ...
      },
      "request": {
        "id": "f4dc76af-b562-ae2c-8d6f-dd6a0d6f7ef6",
        "operation": "update",
        "client_token": "hmac-sha256:84c8887e815c04aeef145ebffa05f9ef6fde166d7645b5046416d76add283fef",
        "client_token_accessor": "y1lRcyzxkPgL0gmQ45WqliPy",
        ...
      },
      "response": {
        ...
      },
      "error": ""
    }
    

    UPD: the current list of accessors:

    $ vault list auth/token/accessors
    Keys
    ----
    MelMLthx4K4FznCbNIB8xbC6
    bOnatDe7MXfdB9f3CRuGPo0h
    y1lRcyzxkPgL0gmQ45WqliPy
    VerAvaBln92HG38gKbKEcXOZ
    

    Getting token info by accessor:

    $ vault write auth/token/lookup-accessor accessor=VerAvaBln92HG38gKbKEcXOZ
    Key                 Value
    ---                 -----
    accessor            VerAvaBln92HG38gKbKEcXOZ
    creation_time       1566893336
    creation_ttl        3m
    display_name        token
    entity_id           n/a
    expire_time         2019-08-27T11:11:56.903211142+03:00
    explicit_max_ttl    0s
    id                  n/a
    issue_time          2019-08-27T11:08:56.903210949+03:00
    meta                <nil>
    num_uses            0
    orphan              false
    path                auth/token/create
    period              3m
    policies            [root]
    renewable           true
    ttl                 2m55s
    type                service
    

    【Comments】:
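As an added example (not code from the question or the answer), this is how the two practical points above can be answered from the audit stream: pull the caller's accessor and the newly created token's accessor out of `auth/token/create` response entries (the accessor is what `lookup-accessor` and revoke-by-accessor take), and, where `hmac_accessor` is still true, map HMACed log values back to known accessors by comparing them with the HMAC the audit device itself would return via `sys/audit-hash`. The sample log lines are constructed (reusing accessor values shown in the answer), and `local_audit_hmac` is an offline stand-in for that endpoint.

```python
import hashlib, hmac, json

# Constructed sample audit lines (hmac_accessor=false), not from the post: a root
# caller mints a second root-policy token, then an unrelated read by another token.
SAMPLE_LOG = """\
{"time":"2019-08-27T07:55:57Z","type":"request","auth":{"accessor":"y1lRcyzxkPgL0gmQ45WqliPy","display_name":"root","policies":["root"]},"request":{"id":"f4dc76af","operation":"update","path":"auth/token/create","remote_address":"127.0.0.1"}}
{"time":"2019-08-27T07:55:57Z","type":"response","auth":{"accessor":"y1lRcyzxkPgL0gmQ45WqliPy","display_name":"root","policies":["root"]},"request":{"id":"f4dc76af","operation":"update","path":"auth/token/create","remote_address":"127.0.0.1"},"response":{"auth":{"accessor":"VerAvaBln92HG38gKbKEcXOZ","display_name":"token","policies":["root"]}},"error":""}
{"time":"2019-08-27T08:00:00Z","type":"response","auth":{"accessor":"MelMLthx4K4FznCbNIB8xbC6","display_name":"ci","policies":["default"]},"request":{"id":"1b2c3d4e","operation":"read","path":"secret/data/app","remote_address":"10.0.0.5"},"response":{},"error":""}
"""

def find_token_creations(log_text, flag_policies=("root",)):
    """One record per successful auth/token/create response: the caller's accessor
    and the new token's accessor (the value for lookup-accessor / revoke-accessor)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        req = entry.get("request") or {}
        if entry.get("type") != "response" or req.get("path") != "auth/token/create":
            continue
        if entry.get("error"):  # failed request: no token was issued
            continue
        caller = entry.get("auth") or {}
        created = (entry.get("response") or {}).get("auth") or {}
        policies = created.get("policies") or []
        hits.append({
            "time": entry.get("time"),
            "creator_accessor": caller.get("accessor"),
            "creator_name": caller.get("display_name"),
            "remote_address": req.get("remote_address"),
            "new_accessor": created.get("accessor"),
            "new_policies": policies,
            "privileged": any(p in flag_policies for p in policies),
        })
    return hits

def match_hmac_values(hmac_values, known_plaintexts, hmac_of):
    """Map HMACed audit values back to known plaintexts. hmac_of(value) must return
    the audit device's HMAC; against real Vault use `vault write sys/audit-hash/<device> input=<value>`."""
    table = {hmac_of(p): p for p in known_plaintexts}
    return {h: table.get(h) for h in hmac_values}

def local_audit_hmac(salt):
    """Offline stand-in for sys/audit-hash (assumed format: HMAC-SHA256 keyed with
    the device salt, hex encoded, 'hmac-sha256:' prefix); demo only."""
    def hmac_of(value):
        return "hmac-sha256:" + hmac.new(salt.encode(), value.encode(), hashlib.sha256).hexdigest()
    return hmac_of
```

A flagged `new_accessor` can then be inspected with `vault write auth/token/lookup-accessor accessor=<value>` as in the answer, and revoked with `vault token revoke -accessor <value>`.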
