
hashicorp_vault@v1

HashiCorp Vault Archodex Ruleset

This ruleset captures requests to HashiCorp Vault's KV secrets engine. For each request it captures the secrets engine mount path, the secret path and the mount type, and it records the resulting secret access event (read, update or delete).

How to Enable

This ruleset is enabled by default. To disable:

```sh
$ archodex --disable-rulesets hashicorp_vault@v1
# or
$ ARCHODEX_DISABLE_RULESETS=hashicorp_vault@v1 archodex
```

Inputs

VaultAddr

The address of the HashiCorp Vault server.

Required: Yes
Command Line Argument: --ruleset-input hashicorp_vault@v1:VaultAddr=<value>
Environment Variables:

  • ARCHODEX_RULESET_INPUT_HASHICORP_VAULT_V1_VAULT_ADDR
  • VAULT_ADDR

Contexts and Rules

```yaml
Rules:
  - Hostnames:
      - "{Inputs.VaultAddr}"
    TransportRules:
      - Http:
          Request:
            Methods:
              - GET
            Routes:
              - /v1/:SecretMountPath/data/:Path+
              - /v1/:SecretMountPath/:Path+
            IgnoreRoutes:
              - /v1/auth/*
              - /v1/sys/*
          Response:
            Body:
              MountType:
                Path: $.mount_type
                Value: kv
              SecretValues:
                Path: $.data.data..[?match(@, '.+')]
          ResourceCaptures:
            - Type: HashiCorp Vault Service
              Id: "{TlsServerName}"
              Contains:
                - Type: Secrets Engine Mount
                  Id: "{Request.Path.SecretMountPath}"
                  Contains:
                    - Type: Secret
                      Id: "{Request.Path.Path}"
            - Type: Secret Value
              Id: "{Response.BodyCaptures.SecretValues | secret_value_hash}"
          EventCaptures:
            - Principals:
                - Event: Read
                  Resource:
                    - Type: HashiCorp Vault Service
                      Id: "{TlsServerName}"
                    - Type: Secrets Engine Mount
                      Id: "{Request.Path.SecretMountPath}"
                    - Type: Secret
                      Id: "{Request.Path.Path}"
              Events:
                - Types:
                    - Held
                  Resources:
                    - - Type: Secret Value
                        Id: "{Response.BodyCaptures.SecretValues | secret_value_hash}"
      - Http:
          Request:
            Methods:
              - POST
              - PATCH
            Routes:
              - /v1/:SecretMountPath/data/:Path+
              - /v1/:SecretMountPath/:Path+
            IgnoreRoutes:
              - /v1/auth/*
              - /v1/sys/*
            Body:
              SecretValues:
                # This will fail to capture KV v1 engine secrets, for which
                # values are specified at the top level. It's not possible to
                # determine from the request or response which KV engine version
                # the secret is for. This Ruleset prioritizes handling KV v2
                # engine secrets.
                Path: $.data..[?match(@, '.+')]
          Response:
            Body:
              MountType:
                Path: $.mount_type
                Value: kv
          ResourceCaptures:
            - Type: HashiCorp Vault Service
              Id: "{TlsServerName}"
              Contains:
                - Type: Secrets Engine Mount
                  Id: "{Request.Path.SecretMountPath}"
                  Contains:
                    - Type: Secret
                      Id: "{Request.Path.Path}"
            - Type: Secret Value
              Id: "{Request.BodyCaptures.SecretValues | secret_value_hash}"
          EventCaptures:
            - Principals:
                - Event: Updated
                  Resource:
                    - Type: HashiCorp Vault Service
                      Id: "{TlsServerName}"
                    - Type: Secrets Engine Mount
                      Id: "{Request.Path.SecretMountPath}"
                    - Type: Secret
                      Id: "{Request.Path.Path}"
              Events:
                - Types:
                    - Held
                  Resources:
                    # For writes the secret values are captured from the request
                    # body (the only SecretValues capture defined in this rule);
                    # a KV write response carries version metadata, not the data.
                    - - Type: Secret Value
                        Id: "{Request.BodyCaptures.SecretValues | secret_value_hash}"
      - Http:
          Request:
            Methods:
              - DELETE
            Routes:
              - /v1/:SecretMountPath/data/:Path+
              - /v1/:SecretMountPath/metadata/:Path+
              - /v1/:SecretMountPath/:Path+
            IgnoreRoutes:
              - /v1/auth/*
              - /v1/sys/*
          ResourceCaptures:
            - Type: HashiCorp Vault Service
              Id: "{TlsServerName}"
              Contains:
                - Type: Secrets Engine Mount
                  Id: "{Request.Path.SecretMountPath}"
                  Contains:
                    - Type: Secret
                      Id: "{Request.Path.Path}"
          EventCaptures:
            - Events:
                - Types:
                    - Deleted
                  Resources:
                    - - Type: HashiCorp Vault Service
                        Id: "{TlsServerName}"
                      - Type: Secrets Engine Mount
                        Id: "{Request.Path.SecretMountPath}"
                      - Type: Secret
                        Id: "{Request.Path.Path}"
```
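As an added example (not part of the Archodex ruleset or its engine), the following Python models how the GET rule above applies to a single request: route matching with the `:Name`, `:Name+` and `*` syntax plus the IgnoreRoutes, the string-leaf selection performed by `$.data.data..[?match(@, '.+')]`, and the hashing of the captured Secret Values. The `secret_value_hash` function is an assumed SHA-256 stand-in because the page does not specify the filter's algorithm, and the Vault response is constructed sample data.

```python
import hashlib
import json
import re

# Routes and ignore routes copied from the GET rule above.
ROUTES = ["/v1/:SecretMountPath/data/:Path+", "/v1/:SecretMountPath/:Path+"]
IGNORE_ROUTES = ["/v1/auth/*", "/v1/sys/*"]

def route_to_regex(route):
    # ':Name' matches one segment, ':Name+' the rest of the path, '*' anything.
    def seg_re(seg):
        if seg == "*":
            return ".*"
        if seg.startswith(":"):
            return f"(?P<{seg.strip(':+')}>{'.+' if seg.endswith('+') else '[^/]+'})"
        return re.escape(seg)
    return re.compile("^/" + "/".join(map(seg_re, route.strip("/").split("/"))) + "$")

def match_route(path):
    # Captured path parameters, or None if ignored or unmatched (routes tried in order).
    if any(route_to_regex(r).match(path) for r in IGNORE_ROUTES):
        return None
    matches = (route_to_regex(r).match(path) for r in ROUTES)
    return next((m.groupdict() for m in matches if m), None)

def string_leaves(node):
    # Every non-empty string below node: what $.data.data..[?match(@, '.+')] selects.
    if isinstance(node, dict):
        return [v for child in node.values() for v in string_leaves(child)]
    if isinstance(node, list):
        return [v for child in node for v in string_leaves(child)]
    return [node] if isinstance(node, str) and node else []

def secret_value_hash(value):
    # Stand-in for the ruleset's secret_value_hash filter (assumption; the algorithm
    # is not given on this page). Only the hash, never the plaintext, is recorded.
    return hashlib.sha256(value.encode()).hexdigest()[:16]

def capture_read(path, response_json):
    # Apply the GET rule: resource chain plus the hashed values Held, or None if no match.
    params, body = match_route(path), json.loads(response_json)
    if params is None or body.get("mount_type") != "kv":
        return None
    values = string_leaves(body.get("data", {}).get("data", {}))
    return {"mount": params["SecretMountPath"], "secret": params["Path"],
            "event": "Read", "held": sorted(secret_value_hash(v) for v in values)}

# Constructed KV v2 read response (sample data, not real Vault output).
SAMPLE_RESPONSE = json.dumps({"mount_type": "kv", "data": {"metadata": {"version": 3},
    "data": {"username": "app", "password": "s3cr3t", "tags": ["prod"]}}})
```

Note that `/v1/kv1/app/db` falls through to the second route, so a KV v1 read is still attributed to its mount and path; only the value selection assumes the KV v2 `data.data` layout, as the ruleset's own comment explains.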