Vault Audit Devices Overview: Tamper-Resistance and Storage in Practice

Vault guarantees operation traceability by writing requests and responses to audit devices.

This article focuses on tamper-resistance and storage (retention, rotation, aggregation) of audit logs, covering both production practice and certification prep.

Audit Device Basics and Tamper-Resistance Thinking

Vault audit devices emit metadata for every request and response. The main types are file, syslog, and socket, and you can enable multiple devices at once. In production, the standard practice is to enable at least one audit device, and ideally to duplicate audit output across different paths.

Sensitive values inside audit logs (tokens, secrets, and so on) are HMAC-hashed using a key unique to each audit device — the raw values are never recorded. This prevents leakage of sensitive data while still enabling correlation analysis via consistent hashes. Tamper-resistance comes from HMAC hashing combined with immutable storage (append-only/WORM/permissions) and a tamper-resistant transport path.

• Auditing is disabled by default — enable it before going to production
• Each device has its own HMAC key, so the same value hashes differently across devices
• If any enabled audit device fails to write, the default behavior is to fail the request to prevent unaudited operations
• Design tamper-resistance around three pillars: HMAC concealment, tamper-resistant storage, and transport protection (remote forwarding / TLS)

Audit log tamper-resistance and storage paths (example)

Minimum enablement steps: list devices and add a file device

vault audit list
vault audit enable file file_path=/var/log/vault_audit.log mode=0640
# 推奨: root所有、ディレクトリは事前作成、監査専用パーティションも検討

Enablement and Configuration Patterns

Audit devices are enabled by name and mounted under /sys/audit/<name>. You can configure multiple file/syslog/socket devices simultaneously. The operational rule of thumb is to duplicate across heterogeneous systems (local retention + remote aggregation).

For file, write permissions and rotation design are critical. For syslog/socket, network health directly drives audit availability. At initial configuration, prioritize permissions, paths, and network (firewall/TLS) checks.

• file: explicitly set file_path and the permissions (mode)
• syslog: use facility/tag to make filtering easier at the aggregator
• socket: specify socket_type (tcp/udp/unix) and address. Reflect collector availability in your SLO
• Run multiple devices in parallel so a single-side failure does not lose audit data

Configuration examples via CLI and API (including syslog/socket)

# syslog 例
vault audit enable syslog tag=vault facility=AUTH

# socket 例 (TCPでコレクタへ)
vault audit enable socket socket_type=tcp address=collector.internal:1514

# APIでfileデバイスを有効化
curl -sS \
  --header "X-Vault-Token: $VAULT_TOKEN" \
  --request PUT \
  --data '{"type":"file","options":{"file_path":"/var/log/vault_audit.log","mode":"0640"}}' \
  $VAULT_ADDR/v1/sys/audit/file-1

# 無効化
vault audit disable file-1

Log Format and HMAC on Sensitive Data

Audit logs are typically line-delimited JSON. Representative fields include time, type, request (operation/path/remote address/headers), auth (accessor/policies), response (status/warnings), and error. Sensitive values are HMAC-hashed using a per-device key.

To search for occurrences of a specific raw value, have Vault compute the hash for the target device and match against that. This lets you correlate operations involving the value without ever exposing the value itself.

• HMACs differ per device, so always perform searches scoped to the target device
• Design operations on the assumption that tokens and secret values never appear in plaintext
• Prepare per-use-case filters on path/operation/remote_address/response_status to accelerate analysis

Sample log line and hash-based search

# サンプル監査行(JSON一行)
{"time":"2026-04-19T09:12:34.567Z","type":"request","auth":{"client_token":"hmac-sha256:7f...","accessor":"hmac-sha256:62...","policies":["default"],"display_name":"token"},"request":{"id":"6f...","operation":"read","path":"secret/data/foo","remote_address":"10.0.0.5"},"response":{"status":200},"error":false}

# 値のハッシュを生成し、ログ検索に利用
vault audit hash file/ my-actual-token
# => hmac-sha256:abc123...
# 生成されたハッシュ文字列でログをgrep/jq検索

Designing Retention, Rotation, and Availability

Tamper-resistance hinges on hardening the storage layer. For file devices, minimize permissions and combine with append-only or WORM storage. For syslog/socket, ensure immutability on the remote receiver (tamper detection / chained protection of the audit trail).

Rotation is the basic safeguard against capacity exhaustion. For file devices, pick a reliable procedure that fits your environment, such as copytruncate or rename + SIGHUP. Since the default audit-device behavior is to fail requests when writes are blocked, rehearse link outages and disk-full scenarios to understand the SLO impact.

• Files: owner root, mode around 0640, isolate exhaustion impact with a dedicated audit partition
• Rotation: copytruncate or rename + SIGHUP. Periodically verify the reopen procedure
• Remote aggregation: enable WORM, versioning, and delete auditing on the receiver
• Dual paths: combine file with syslog (or socket) to prevent audit data loss

An example logrotate configuration for the file device

/var/log/vault_audit.log {
  daily
  rotate 14
  compress
  missingok
  notifempty
  copytruncate
  create 0640 root root
}
# 監査要件に応じて保持期間/圧縮/暗号化を調整

Operational Validation and Troubleshooting

After configuration, automate write verification. As a simple check, intentionally call the API and verify that audit lines increase and the collector receives the same count.

When troubleshooting, check the state in vault audit list, output permissions and free space, and collector reachability. Because failed audit writes cause requests themselves to fail, a rise in application-side error rates is usually the easiest signal to spot.

• Use vault audit list to confirm that multiple devices are enabled
• Inspect recent request lines with jq/grep, matching timestamps to op/path
• Check the collector-side receive counter for count consistency
• Run scenario tests for permission errors (EACCES), disk-full (ENOSPC), and network outages (ETIMEDOUT)

Verification snippets

# 監査デバイス一覧
vault audit list -format=json | jq '.'

# ダミーリクエストで監査行を発生
vault kv get -field=value secret/data/foo || true

# fileに出る最新10行を確認
tail -n 10 /var/log/vault_audit.log | jq -c '{time,type,req:(.request|{op:.operation,path})}'

# 値検索に必要なHMACの生成
vault audit hash file/ my-actual-token

Exam Prep: Key Points Likely on Associate/Ops

Common exam topics include enabling auditing, the device types, the purpose of HMAC, redundancy, failure-mode behavior, and search methods (audit hash). Lock in these points with their practical context in mind.

• Auditing is disabled by default — enable at least one path before going live
• When to use file/syslog/socket, and the best practice of running them in parallel
• Sensitive values are HMAC-hashed; correlate by computing the hash with vault audit hash
• The baseline behavior is for requests to fail if any audit device cannot write
• Rotation and permission design (0640, root ownership, append-only/WORM)
• For central aggregation / remote retention, protect the path with TCP/TLS or mTLS

Check Your Understanding

Frequently Asked Questions