Add vault_harden_file_perms to set chmod 0550 on config/plugins path
The [Production Hardening](https://learn.hashicorp.com/tutorials/vault/production-hardening) guide has a bullet point "Allow minimal write privileges". It states: "its executable binary or any Vault configuration files". Prior to this change, the config and plugins path had chmod 0750, so Vault could actually write config files and change plugins.

This commit adds a new parameter named vault_harden_file_perms (turned off by default). When enabled, it changes the chmod of config and plugins path to 0550 to effectively disallow Vault from writing into these dirs.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
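A defender's check for the property this commit is after, written as an added example (it is not part of the commit and not the role's own code): the functions below read a directory's mode and report whether it is exactly 0550, or, more loosely, whether any write bit is set at all. The script assumes GNU coreutils `stat -c`; the directory paths passed to `check_vault_dirs` are placeholders to replace with the real config and plugins locations.

```shell
#!/bin/sh
# Added example, not the commit's code: verify that a Vault config or plugins
# directory cannot be written by the Vault process (mode 0550, no write bits).
# Assumes GNU coreutils `stat -c` (Linux); paths below are placeholders.

# Return 0 when the directory's mode is exactly 0550, 1 otherwise, 2 on error.
vault_dir_mode_ok() {
  dir="$1"
  [ -d "$dir" ] || return 2
  mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 2
  # stat prints e.g. "550" or "750" (no leading zero)
  case "$mode" in
    550|0550) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when no write bit is set for owner, group or other; this is the
# weaker property the "minimal write privileges" bullet actually asks for.
vault_dir_no_write() {
  dir="$1"
  [ -d "$dir" ] || return 2
  mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 2
  # Drop an optional leading setuid/setgid/sticky digit, keep the last three.
  perms=$(printf '%s' "$mode" | sed 's/^[0-7]\([0-7][0-7][0-7]\)$/\1/')
  # Any digit with the write bit (value 2) set means the dir is writable.
  for d in $(printf '%s' "$perms" | sed 's/./& /g'); do
    case "$d" in 2|3|6|7) return 1 ;; esac
  done
  return 0
}

# Check every directory given; exit status 1 if any is not 0550.
check_vault_dirs() {
  rc=0
  for d in "$@"; do
    if vault_dir_mode_ok "$d"; then
      echo "OK   $d is 0550"
    else
      echo "FAIL $d is not 0550 (Vault could modify its own config or plugins)"
      rc=1
    fi
  done
  return $rc
}

# Placeholder paths; replace with the role's configured config and plugins dirs.
# check_vault_dirs /etc/vault.d /usr/local/lib/vault/plugins
```

Run it as a post-deploy assertion: with vault_harden_file_perms enabled the 0550 check passes; with the previous 0750 mode it fails, and `vault_dir_no_write` fails too, which is the condition that lets the process rewrite its own configuration or plugin binaries.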
1 parent 08cd5a2, commit 49941b4
Showing 3 changed files with 19 additions and 7 deletions.