Security: How do I understand the contents of the HashiCorp Vault audit log?
Tags: security, hashicorp-vault
I'm trying to get familiar with HashiCorp Vault, but I don't know how to make use of its audit log. For example, suppose one of the admins is compromised and someone uses the root token to create another root token. The audit log I get looks like this:
{
  "time": "2019-08-17T21:53:07.625384189Z",
  "type": "request",
  "auth": {
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "token_type": "service"
  },
  "request": {
    "id": "f8b0f707-7e38-1410-4173-235ff9e250b6",
    "operation": "update",
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "client_token_accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "namespace": {
      "id": "root"
    },
    "path": "auth/token/create",
    "data": {
      "display_name": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "entity_alias": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "explicit_max_ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "num_uses": "hmac-sha256:943213e389eae841e8d03f94149bc8e564973fd4c6f0eabe76061dd4355b03b0",
      "period": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "renewable": true,
      "ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "type": "hmac-sha256:792572c378bcb0b0400ad2033078e80334dfd06d76d948866960ad9b8547ba62"
    },
    "remote_address": "127.0.0.1"
  }
}
{
  "time": "2019-08-17T21:53:07.709275872Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "token_type": "service"
  },
  "request": {
    "id": "f8b0f707-7e38-1410-4173-235ff9e250b6",
    "operation": "update",
    "client_token": "hmac-sha256:0c97855631748ce0a775e3efc79fc607b0d2f61ddeb78b15e915a5087013fb5b",
    "client_token_accessor": "hmac-sha256:c081cc37603419f02e67fb93f2f1362aa0eb37fa42635606cc51b9b7ed1ed561",
    "namespace": {
      "id": "root"
    },
    "path": "auth/token/create",
    "data": {
      "display_name": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "entity_alias": "hmac-sha256:0f235cb7061e26e25b346c787a036860e247e0e32181b8adf13850812a27a9f1",
      "explicit_max_ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "num_uses": "hmac-sha256:943213e389eae841e8d03f94149bc8e564973fd4c6f0eabe76061dd4355b03b0",
      "period": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "renewable": true,
      "ttl": "hmac-sha256:3cf83aa363c8f73a7e23ccd56baa8f4e1119bc15800030f663f2d07c5420ce91",
      "type": "hmac-sha256:792572c378bcb0b0400ad2033078e80334dfd06d76d948866960ad9b8547ba62"
    },
    "remote_address": "127.0.0.1"
  },
  "response": {
    "auth": {
      "client_token": "hmac-sha256:fdb305fbabaf0044fc6d696fb2d0ff3d96574ff4d7fab804e8d5d36b7f2ddd14",
      "accessor": "hmac-sha256:19f3a70ceea337f067c053249504fbf8e8c164304b66a8c97fad421d43b5e4af",
      "display_name": "token",
      "policies": [
        "root"
      ],
      "token_policies": [
        "root"
      ],
      "token_type": "service"
    }
  }
}
How can I find out who did it?
How do I get the accessor of the compromised token?
Where can I get the accessor of the newly created token so that I can revoke it?
Or maybe I don't understand the purpose of Vault auditing correctly? I found a neat option, hmac_accessor=false, and below is the audit log with this option enabled:
{
  "time": "2019-08-27T07:55:57.888464574Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:84c8887e815c04aeef145ebffa05f9ef6fde166d7645b5046416d76add283fef",
    "accessor": "y1lRcyzxkPgL0gmQ45WqliPy",
    "display_name": "root",
    ...
  },
  "request": {
    "id": "f4dc76af-b562-ae2c-8d6f-dd6a0d6f7ef6",
    "operation": "update",
    "client_token": "hmac-sha256:84c8887e815c04aeef145ebffa05f9ef6fde166d7645b5046416d76add283fef",
    "client_token_accessor": "y1lRcyzxkPgL0gmQ45WqliPy",
    ...
  },
  "response": {
    ...
  },
  "error": ""
}
UPD: current list of accessors:
$ vault list auth/token/accessors
Keys
----
MelMLthx4K4FznCbNIB8xbC6
bOnatDe7MXfdB9f3CRuGPo0h
y1lRcyzxkPgL0gmQ45WqliPy
VerAvaBln92HG38gKbKEcXOZ
Getting information about a token via its accessor:
$ vault write auth/token/lookup-accessor accessor=VerAvaBln92HG38gKbKEcXOZ
Key Value
--- -----
accessor VerAvaBln92HG38gKbKEcXOZ
creation_time 1566893336
creation_ttl 3m
display_name token
entity_id n/a
expire_time 2019-08-27T11:11:56.903211142+03:00
explicit_max_ttl 0s
id n/a
issue_time 2019-08-27T11:08:56.903210949+03:00
meta <nil>
num_uses 0
orphan false
path auth/token/create
period 3m
policies [root]
renewable true
ttl 2m55s
type service
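The question above is essentially a detection problem: find the response entry for `auth/token/create` whose new token carries the `root` policy, then read the creator's accessor from `auth.accessor` and the new token's accessor from `response.auth.accessor`. The following script is an added example (not code from the question or from Vault) that does exactly that over constructed, shortened audit lines. With the default `hmac_accessor=true` the accessors in the log are salted HMACs, so the script assumes a lookup map that you build yourself by running each accessor from `vault list auth/token/accessors` through the device's `sys/audit-hash/<device>` endpoint; with `hmac_accessor=false`, as in the second log above, the values are already plaintext and the map is simply empty.

```python
import json

# Constructed sample of a Vault file audit device: one JSON object per line,
# values shortened. Line 1 is the request entry, line 2 its response (the one
# that carries the NEW token's accessor), line 3 a non-root creation to skip.
SAMPLE_LOG = """
{"time":"2019-08-17T21:53:07.6Z","type":"request","auth":{"accessor":"hmac-sha256:c081","display_name":"root","policies":["root"]},"request":{"id":"f8b0f707","operation":"update","path":"auth/token/create","remote_address":"127.0.0.1"}}
{"time":"2019-08-17T21:53:07.7Z","type":"response","auth":{"accessor":"hmac-sha256:c081","display_name":"root","policies":["root"]},"request":{"id":"f8b0f707","operation":"update","path":"auth/token/create","remote_address":"127.0.0.1"},"response":{"auth":{"accessor":"hmac-sha256:19f3","display_name":"token","policies":["root"]}}}
{"time":"2019-08-17T22:00:00.0Z","type":"response","auth":{"accessor":"hmac-sha256:aaaa","display_name":"alice","policies":["default"]},"request":{"id":"11111111","operation":"update","path":"auth/token/create","remote_address":"10.0.0.5"},"response":{"auth":{"accessor":"hmac-sha256:bbbb","display_name":"token","policies":["default"]}}}
"""

# The audit device HMACs accessors with a per-device salt, so plaintext cannot
# be recovered offline. Build this map by hashing each accessor listed by
# `vault list auth/token/accessors` through the real device:
#   vault write sys/audit-hash/<device> input=<accessor>
# The entries below are constructed for the example.
HMAC_TO_ACCESSOR = {
    "hmac-sha256:c081": "y1lRcyzxkPgL0gmQ45WqliPy",
    "hmac-sha256:19f3": "VerAvaBln92HG38gKbKEcXOZ",
}

def is_token_create(path):
    # auth/token/create, auth/token/create/<role> and auth/token/create-orphan
    return path == "auth/token/create-orphan" or path == "auth/token/create" \
        or path.startswith("auth/token/create/")

def find_privileged_token_creations(log_text, hmac_map, watch_policy="root"):
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        req = entry.get("request", {})
        if entry.get("type") != "response" or not is_token_create(req.get("path", "")):
            continue
        new_auth = (entry.get("response") or {}).get("auth") or {}
        if watch_policy not in new_auth.get("policies", []):
            continue
        creator = entry.get("auth", {})
        findings.append({
            "time": entry.get("time"),
            "request_id": req.get("id"),
            "remote_address": req.get("remote_address"),
            "creator": creator.get("display_name"),
            # resolve HMACs to plaintext where the map knows them, else keep the HMAC
            "creator_accessor": hmac_map.get(creator.get("accessor"), creator.get("accessor")),
            "new_token_accessor": hmac_map.get(new_auth.get("accessor"), new_auth.get("accessor")),
        })
    return findings
```

Each finding's `new_token_accessor` is the value `vault token revoke -accessor <accessor>` needs, and `creator_accessor` is the one to feed to `auth/token/lookup-accessor` to identify (and revoke) the compromised admin token.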