Article

HashiCorp Vault Hardening and Compliance Using Chef InSpec

Posted on by

HashiCorp Vault is quickly becoming the de facto secrets management platform used in environments that rely on DevOps concepts for application delivery. Vault is incredibly easy and simple to get started with, but takes a bit of thought and planning to operationalize it.

One of the challenges is ensuring that the installation of your security platform is secure. Chef InSpec is a compliance as code tool that allows us to create profiles that outline a desired security posture. In this post, we’ll be looking at this example InSpec profile for Vault that mimics some of the common controls found in industry standards, such as CIS benchmarks and DISA STIGs.

Requirements

This InSpec profile assumes the following configuration.

  • CentOS 7
  • Vault running as a SystemD service
  • AuditD

Download and Install Chef InSpec

The following command downloads and installs Chef InSpec.

rpm -Uvh
https://packages.chef.io/files/stable/inspec/2.2.50/el/7/inspec-2.2.50
-1.el7.x86_64.rpm

Run InSpec Profile

The following command runs the Vault InSpec profile against the local machine.

inspec exec https://github.com/martezr/inspec-vault

Profile: HashiCorp Vault InSpec Profile (inspec-vault)
 Version: 0.0.1
 Target: local://
✓ vault-1.1: Keep Vault up to date ✓ vault_version version should cmp >= "v0.10.1"
 × vault-1.2: Audit Vault executable
 × Auditd Rules lines should include "-w /usr/local/bin/vault -p rwxa -k vault"
expected ["No rules"] to include "-w /usr/local/bin/vault -p rwxa -k vault"
 × vault-1.3: Secure Vault configuration files (2 failed)
 × Directory /opt/vault should not be readable by others
expected Directory /opt/vault not to be readable by others ✓ Directory /opt/vault should not be writable by others
 × Directory /opt/vault should not be executable by others
expected Directory /opt/vault not to be executable by others ✓ Directory /opt/vault owner should eq "vault"
 × vault-1.4: Audit Vault files and directories
 × Auditd Rules lines should include "-w /opt/vault/ -p rwxa -k vault"
expected ["No rules"] to include "-w /opt/vault/ -p rwxa -k vault"
 × vault-1.5: Audit Vault service configuration
 × Auditd Rules lines should include "-w /etc/systemd/system/vault.service -p rwxa -k vault"
expected ["No rules"] to include "-w /etc/systemd/system/vault.service -p rwxa -k vault" ✓ vault-1.6: Ensure that the vault service is running ✓ Service vault should be installed
  ✓ Service vault should be enabled
  ✓ Service vault should be running
  ✓ vault-1.7: Ensure Vault is not running as root
  ✓ Processes vault users should not eq ["root"]
 × vault-1.8: Ensure swap is disabled on the system
 × Command: `swapon -s | grep -v Filename` exit_status should eq 1
expected: 1
 got: 0 (compared using ==)
✓ vault-1.9: Verify that vault.service file permissions are set to 644 or more restrictive
  ✓File /etc/systemd/system/vault.service should exist
  ✓File /etc/systemd/system/vault.service should be file
  ✓File /etc/systemd/system/vault.service should be readable by owner
  ✓File /etc/systemd/system/vault.service should be writable by owner
  ✓File /etc/systemd/system/vault.service should be readable by group
  ✓File /etc/systemd/system/vault.service should not be writable by group
  ✓File /etc/systemd/system/vault.service should be readable by other
  ✓File /etc/systemd/system/vault.service should not be writable by other
  ✓File /etc/systemd/system/vault.service should not be executable Profile Summary: 4 successful controls, 5 control failures, 0 controls skipped

Test Summary: 16 successful, 6 failures, 0 skipped

Attributes

InSpec attributes allow variables to be changed at runtime such as the name of a user or the path of a directory to check. This allows the InSpec profile be flexible enough to accommodate small differences in configurations.

Running the InSpec Profile with Attributes

The example below shows how we can use an attributes file to change some of the things that the InSpec profile looks for.

The readme of the InSpec profile lists what attributes are available such as vault_dir or vault_user. We just need to create a yaml file such as “attr.yaml” and define the desired attributes like the example below.

Example attributes.yaml File

vault_user: bob
vault_dir: /etc/vault

Running the InSpec Profile with an Attributes File

inspec exec https://github.com/martezr/inspec-vault --attributes file_path/
attributes.yaml

This InSpec profile is in the early stages of development and continues to evolve, but it provides an example of how InSpec can be used as a tool to shift security left.

References

To learn more about HashiCorp Vault capabilities, check out these other AHEAD blog posts, along with my Chef InSpec session at ChefConf 2018.

(This blog post originally appeared on GreenReedTech.com.)

To stay up-to-date on the latest in tech news and events, follow AHEAD on Twitter and LinkedIn or subscribe to our blog newsletter above.