Commit
Add vault_harden_file_perms to set chmod 0550 on config/plugins path
The [Production
Hardening](https://learn.hashicorp.com/tutorials/vault/production-hardening)
guide has a bullet point "Allow minimal write privileges". It states: "its
executable binary or any Vault configuration files".

Prior to this change, the config and plugins path had chmod 0750, so
Vault could actually write config files and change plugins.

This commit adds a new parameter named vault_harden_file_perms (turned
off by default). When enabled, it changes the chmod of config and
plugins path to 0550 to effectively disallow Vault from writing into
these dirs.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
akerouanton authored and bbaassssiiee committed Nov 30, 2021
1 parent 08cd5a2 commit 49941b4
Showing 3 changed files with 19 additions and 7 deletions.
6 changes: 6 additions & 0 deletions README.md
@@ -171,6 +171,12 @@ The role defines variables in `defaults/main.yml`:
- PID file location
- Default value: `/var/run/vault`

### `vault_harden_file_perms`

- Whether this role should disallow Vault from writing into config and plugin
path. This should be enabled to follow [Production Hardening](https://learn.hashicorp.com/tutorials/vault/production-hardening).
- Default value: false

### `vault_manage_user`

- Should this role manage the vault user?
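Review bot: the documented default ("Default value: false") in this README hunk contradicts the `defaults/main.yml` hunk in the same commit, which sets `vault_harden_file_perms: true`; the commit message says the feature is "turned off by default", so either flip the default to `false` or update this line to `true`, but the two must agree or operators will be surprised by a permission change on upgrade. Minor: "config and plugin path" should read "config and plugin paths" since two directories are affected.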
1 change: 1 addition & 0 deletions defaults/main.yml
@@ -38,6 +38,7 @@ vault_data_path: /var/vault
vault_log_path: /var/log/vault
vault_run_path: /var/run/vault
vault_home: "/home/{{ vault_user }}"
vault_harden_file_perms: true

# System user and group
vault_manage_user: true
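Review bot: `vault_harden_file_perms: true` makes the hardening opt-out, not opt-in as the commit message ("turned off by default") and the README ("Default value: false") describe. If the intent is a safe default for new installs, keep `true` and fix the documentation; if the intent is not to change behaviour for existing users (who currently get 0750 and may rely on Vault writing to the plugin directory), set it to `false` here. Either way, add a comment above the variable explaining what it changes, as the surrounding section does for the user and group settings.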
19 changes: 12 additions & 7 deletions tasks/main.yml
@@ -104,17 +104,22 @@
- name: Create directories
become: true
file:
dest: "{{ item }}"
dest: "{{ item.path }}"
state: directory
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: 0750
mode: "{{ item.mode }}"
with_items:
- "{{ vault_config_path }}"
- "{{ vault_plugin_path }}"
- "{{ vault_data_path }}"
- "{{ vault_log_path }}"
- "{{ vault_run_path }}"
- path: "{{ vault_config_path }}"
mode: "{{ vault_harden_file_perms | ternary('0550', '0750') }}"
- path: "{{ vault_plugin_path }}"
mode: "{{ vault_harden_file_perms | ternary('0550', '0750') }}"
- path: "{{ vault_data_path }}"
mode: "0750"
- path: "{{ vault_log_path }}"
mode: "0750"
- path: "{{ vault_run_path }}"
mode: "0750"

- name: Enable logrotate for vault
become: true
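Review bot: the 0550 mode in this hunk only removes the write bit while the directory is still owned by `{{ vault_user }}`, so a Vault process running as that user can chmod the directory back to writable and then write to it; the hardening holds against accidental writes but not against a compromised process. If the goal is the guide's "Allow minimal write privileges", consider making the config and plugin directories owned by `root` (with group `{{ vault_group }}` so Vault can still read them) when `vault_harden_file_perms` is enabled, and note that this task changes only the directory mode, not the mode of the config files already inside it, which a separate task would need to tighten. Quoting the modes as strings (`"0750"`) is an improvement over the previous unquoted `0750`, which YAML parses as an octal integer and Ansible warns about.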

0 comments on commit 49941b4