hashicorp_vault@v1
HashiCorp Vault Archodex Ruleset
This rule captures all requests to HashiCorp Vault's KV secrets engine. For each request it captures the secrets engine mount path, the secret path, and the mount type reported in the response (only mounts whose type is kv are captured). The rule also records each secret access as an event whose type is the HTTP method used.
How to Enable
This ruleset is disabled by default. To enable:
    $ archodex --enable-rulesets hashicorp_vault@v1

    # or

    $ ARCHODEX_ENABLE_RULESETS=hashicorp_vault@v1 archodex

Inputs
VaultAddr
The address of the HashiCorp Vault server
Required: Yes
Command Line Argument: --ruleset-input hashicorp_vault@v1:VaultAddr=<value>
Environment Variables:
  - ARCHODEX_RULESET_INPUT_HASHICORP_VAULT_V1_VAULT_ADDR
  - VAULT_ADDR
Contexts and Rules
    Rules:
      - Hostnames:
          - "{Inputs.VaultAddr}"
        TransportRules:
          SecretRoutes:
            Http:
              Request:
                Methods:
                  - GET
                  - POST
                  - DELETE
                Routes:
                  - /v1/:SecretMountPath/data/:Path+
                  - /v1/:SecretMountPath/metadata/:Path+
                  - /v1/:SecretMountPath/:Path+
                IgnoreRoutes:
                  - /v1/auth/*
                  - /v1/sys/*
              Response:
                Body:
                  MountType:
                    Path: $.mount_type
                    Value: kv
            ResourceCaptures:
              VaultService:
                Type: HashiCorp Vault Service
                Id: "{TLSServerName}"
                Contains:
                  - Type: Secrets Engine Mount
                    Id: "{Request.Path.SecretMountPath}"
                    Contains:
                      - Type: Secret
                        Id: "{Request.Path.Path}"
            EventCaptures:
              SecretAccess:
                Events:
                  - Types:
                      - "{Request.Method}"
                    Resources:
                      - - Type: HashiCorp Vault Service
                          Id: "{TLSServerName}"
                        - Type: Secrets Engine Mount
                          Id: "{Request.Path.SecretMountPath}"
                        - Type: Secret
                          Id: "{Request.Path.Path}"
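To make the rule's behaviour concrete, the Python below is an added example (not part of this ruleset and not Archodex's own code) that applies the same method filter, ignore routes, route patterns and mount-type check to a few constructed Vault request/response pairs and produces the resource chain and event the rule would capture. The route-pattern semantics (`:Name` matching one path segment, `:Name+` one or more segments, `*` anything), the first-match ordering of Routes, and the sample hostname and paths are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Values copied from the ruleset above. How they are interpreted below is
# an assumption of this example, not Archodex's implementation.
METHODS = {"GET", "POST", "DELETE"}
ROUTES = [
    "/v1/:SecretMountPath/data/:Path+",
    "/v1/:SecretMountPath/metadata/:Path+",
    "/v1/:SecretMountPath/:Path+",
]
IGNORE_ROUTES = ["/v1/auth/*", "/v1/sys/*"]
REQUIRED_MOUNT_TYPE = "kv"  # Response.Body.MountType: $.mount_type == kv


def route_to_regex(route: str) -> re.Pattern:
    """Assumed pattern semantics: ':Name' is one segment, ':Name+' is one or
    more segments, '*' matches the rest of the path."""
    parts = []
    for seg in route.strip("/").split("/"):
        if seg.startswith(":") and seg.endswith("+"):
            parts.append(f"(?P<{seg[1:-1]}>.+)")
        elif seg.startswith(":"):
            parts.append(f"(?P<{seg[1:]}>[^/]+)")
        elif seg == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


ROUTE_RES = [route_to_regex(r) for r in ROUTES]
IGNORE_RES = [route_to_regex(r) for r in IGNORE_ROUTES]


@dataclass
class Capture:
    event_type: str            # "{Request.Method}"
    resources: list            # chain of (Type, Id), service first


def apply_rule(method: str, path: str, tls_server_name: str,
               response_body: dict) -> Optional[Capture]:
    """Return the capture the rule would emit for one request, or None."""
    if method not in METHODS:
        return None
    # IgnoreRoutes are checked first so /v1/sys/... never reaches the
    # catch-all /v1/:SecretMountPath/:Path+ route.
    if any(r.match(path) for r in IGNORE_RES):
        return None
    match = next((m for m in (r.match(path) for r in ROUTE_RES) if m), None)
    if match is None:
        return None
    # Only capture when the response says the mount is a KV engine.
    if response_body.get("mount_type") != REQUIRED_MOUNT_TYPE:
        return None
    return Capture(
        event_type=method,
        resources=[
            ("HashiCorp Vault Service", tls_server_name),
            ("Secrets Engine Mount", match.group("SecretMountPath")),
            ("Secret", match.group("Path")),
        ],
    )


# Constructed sample traffic; the hostname and secret paths are made up.
SAMPLE_HOST = "vault.example.internal"
SAMPLES = [
    ("GET", "/v1/secret/data/myapp/db", {"mount_type": "kv"}),          # KV v2 read
    ("DELETE", "/v1/secret/metadata/myapp/db", {"mount_type": "kv"}),   # KV v2 delete
    ("GET", "/v1/kv/legacy-secret", {"mount_type": "kv"}),              # KV v1 read
    ("GET", "/v1/cubbyhole/scratch", {"mount_type": "cubbyhole"}),      # wrong mount type
    ("GET", "/v1/sys/mounts", {"mount_type": "system"}),                # ignored route
    ("POST", "/v1/auth/token/lookup-self", {}),                         # ignored route
    ("LIST", "/v1/secret/metadata/myapp", {"mount_type": "kv"}),        # method not in rule
]


def run_samples():
    """Apply the rule to every sample; returns {(method, path): Capture|None}."""
    return {(m, p): apply_rule(m, p, SAMPLE_HOST, body) for m, p, body in SAMPLES}


if __name__ == "__main__":
    for (method, path), cap in run_samples().items():
        print(f"{method:6} {path:40} -> {cap}")
```

Running the script shows why route order matters: `/v1/secret/data/myapp/db` is taken by the first route, so the captured Secret id is `myapp/db` rather than `data/myapp/db`, while the KV v1 path `/v1/kv/legacy-secret` falls through to the catch-all route.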