Vault root token

Set up the vault integration.


Goal

Detect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies.

Strategy

This rule monitors Vault Audit Logs (source:vault) to detect when the root policy is seen in:

  • auth policy (@auth.policies)

This rule also monitors the API endpoint /sys/generate-root, which is used to create new root keys.
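The detection logic above, run over a few constructed Vault audit-log lines as an added example (not Datadog's rule code). It assumes the standard JSON audit device layout, where `auth.policies` lists the token's policies and `request.path` is the API path without the leading `/v1/`.

```python
import json
from typing import Optional

# Constructed sample audit entries (not real captures). Vault HMACs the token
# itself, so the accessor is the handle an analyst uses for triage.
SAMPLE_AUDIT_LOG = [
    '{"type":"request","auth":{"accessor":"hmac-sha256:aaaa","policies":["default","app-ro"]},'
    '"request":{"operation":"read","path":"secret/data/app"}}',
    '{"type":"request","auth":{"accessor":"hmac-sha256:bbbb","policies":["root"]},'
    '"request":{"operation":"list","path":"sys/policies/acl"}}',
    '{"type":"request","auth":{"accessor":"hmac-sha256:cccc","policies":["default"]},'
    '"request":{"operation":"update","path":"sys/generate-root/attempt"}}',
    'not json at all',
]


def match_root_token(entry: dict) -> Optional[str]:
    """Return why this entry triggers the rule, or None if it does not.

    Mirrors the strategy: (1) the "root" policy appears in @auth.policies,
    or (2) the request path is under sys/generate-root (root generation,
    including its /attempt and /update sub-endpoints).
    """
    policies = (entry.get("auth") or {}).get("policies") or []
    if "root" in policies:
        return "root policy in auth.policies"
    path = (entry.get("request") or {}).get("path", "")
    if path.startswith("sys/generate-root"):
        return "call to /sys/generate-root"
    return None


def detect(lines):
    """Run the rule over raw audit-log lines and return one finding per hit.

    Each finding carries the token accessor so the triage step
    `vault token lookup -accessor <accessor>` can be run straight from it.
    """
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of stopping the pipeline
        reason = match_root_token(entry)
        if reason:
            req = entry.get("request") or {}
            findings.append({
                "reason": reason,
                "accessor": (entry.get("auth") or {}).get("accessor"),
                "operation": req.get("operation"),
                "path": req.get("path"),
            })
    return findings
```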

Triage & Response

  1. Determine who created the root token and when. You can get the token creation time from the token accessor with vault token lookup -accessor <accessor>.
  2. Inspect the requests made with the root token and ensure that its usage is valid.
  3. Ensure that once the root token is no longer needed, it is revoked (vault token revoke -accessor <accessor>).

Change Log

  • 29 June 2022 - Updated queries to reduce noise levels. Replaced initial query with token creation detection.
  • 17 October 2022 - Updated queries and cases.
  • 13 December 2023 - Updated group by values.
  • 23 September 2024 - Reduce severity of cases to Medium.