Vaultx.Sys.Audit (Vaultx v0.7.0)
View SourceHashiCorp Vault audit device management operations.
This module provides comprehensive audit device management capabilities for Vault, allowing you to list, enable, and disable audit devices with full configuration support for all audit device types and enterprise features.
Audit Device Management Features
Core Operations
- List Devices: Retrieve all enabled audit devices
- Enable Device: Create new audit devices with full configuration
- Disable Device: Remove existing audit devices
Supported Audit Device Types
- File: Log audit entries to files with rotation support
- Socket: Stream audit entries to network sockets
- Syslog: Send audit entries to system logging facilities
Configuration Options
- Format Control: JSON and XML output formats
- Security Settings: HMAC accessor hashing and raw logging
- Performance: List response eliding and custom prefixes
- Enterprise Features: Filtering, exclusion, and fallback devices
Enterprise Features
- Audit Filtering: Advanced filtering rules for audit entries
- Audit Exclusion: Remove sensitive fields from audit logs
- Fallback Devices: Designated fallback audit devices
- Local Devices: Replication-aware audit device configuration
Important Security Notes
Security Requirements
- All audit operations require
sudocapability - Audit devices must be enabled before use
- Multiple audit devices can be enabled simultaneously
Disable Considerations
- Disabling an audit device prevents HMAC value comparison
- Re-enabling at the same path creates a new salt for hashing
- Consider backup audit devices before disabling
API Compliance
Fully implements HashiCorp Vault Audit API:
Usage Examples
List Enabled Audit Devices
{:ok, devices} = Vaultx.Sys.Audit.list()
devices["file"].type #=> "file"
devices["file"].options["file_path"] #=> "/var/log/vault.log"Enable File Audit Device
{:ok, _} = Vaultx.Sys.Audit.enable("file-audit", %{
type: "file",
description: "File-based audit logging",
options: %{
file_path: "/var/log/vault/audit.log",
format: "json"
}
})Enable Syslog Audit Device
{:ok, _} = Vaultx.Sys.Audit.enable("syslog-audit", %{
type: "syslog",
description: "System log audit device",
options: %{
facility: "AUTH",
tag: "vault"
}
})Enable Socket Audit Device
{:ok, _} = Vaultx.Sys.Audit.enable("socket-audit", %{
type: "socket",
description: "Network socket audit device",
options: %{
address: "127.0.0.1:9090",
socket_type: "tcp"
}
})Enterprise Filtering and Exclusion
{:ok, _} = Vaultx.Sys.Audit.enable("filtered-audit", %{
type: "file",
options: %{
file_path: "/var/log/vault/filtered.log",
filter: "operation == "read"",
exclude: "request.data.password"
}
})Disable Audit Device
{:ok, _} = Vaultx.Sys.Audit.disable("file-audit")Audit Device Configuration
Common Configuration Options
elide_list_responses: Elide list response bodies (default: false)format: Output format - "json" or "jsonx" (default: "json")hmac_accessor: Enable token accessor hashing (default: true)log_raw: Log sensitive information without hashing (default: false)prefix: Custom string prefix for log lines
Enterprise Configuration Options
exclude: Field exclusion rules for sensitive datafallback: Designate as fallback audit devicefilter: Audit entry filtering expressionslocal: Local-only device for replication scenarios
Summary
Types
Audit device enable configuration.
Audit device information structure.
Audit device configuration options.
Functions
Disables the audit device at the specified path.
Enables a new audit device at the specified path.
Lists all enabled audit devices.
Types
@type audit_config() :: %{ :type => String.t(), optional(:description) => String.t(), optional(:options) => audit_options(), optional(:local) => boolean() }
Audit device enable configuration.
Audit device information structure.
@type audit_options() :: %{ optional(:elide_list_responses) => boolean(), optional(:exclude) => String.t(), optional(:fallback) => boolean(), optional(:filter) => String.t(), optional(:format) => String.t(), optional(:hmac_accessor) => boolean(), optional(:log_raw) => boolean(), optional(:prefix) => String.t(), optional(atom()) => any() }
Audit device configuration options.
Functions
@spec disable(String.t(), Vaultx.Types.options()) :: {:ok, Vaultx.Types.response()} | {:error, Vaultx.Base.Error.t()}
Disables the audit device at the specified path.
Parameters
path- The path of the audit device to disable
Important Notes
Once an audit device is disabled, you will no longer be able to HMAC values for comparison with entries in the audit logs. This is true even if you re-enable the audit device at the same path, as a new salt will be created.
Examples
{:ok, _} = Vaultx.Sys.Audit.disable("file-audit")@spec enable(String.t(), audit_config(), Vaultx.Types.options()) :: {:ok, Vaultx.Types.response()} | {:error, Vaultx.Base.Error.t()}
Enables a new audit device at the specified path.
Parameters
path- The path where the audit device will be enabledconfig- Audit device configuration including type and options
Examples
# Enable file audit device
{:ok, _} = Vaultx.Sys.Audit.enable("file-audit", %{
type: "file",
description: "File-based audit logging",
options: %{
file_path: "/var/log/vault/audit.log"
}
})
# Enable syslog audit device
{:ok, _} = Vaultx.Sys.Audit.enable("syslog-audit", %{
type: "syslog",
options: %{
facility: "AUTH",
tag: "vault"
}
})@spec list(Vaultx.Types.options()) :: {:ok, %{required(String.t()) => audit_info()}} | {:error, Vaultx.Base.Error.t()}
Lists all enabled audit devices.
Returns a map of audit device paths to their configuration details. Only enabled audit devices are returned.
Examples
{:ok, devices} = Vaultx.Sys.Audit.list()
devices["file"].type #=> "file"
devices["file"].description #=> "Store logs in a file"