Hardening HashiCorp Vault with SELinux
We have developed a baseline SELinux policy for securing Vault on Red Hat-based Linux Distributions
Hardening the production environment that runs your HashiCorp Vault clusters is one of the most important tasks you can do to secure the secret data managed by Vault. Our Learn guide on Production Hardening provides a number of invaluable recommendations, each of which add layers of defense in depth to help reduce the likelihood or impact of compromise.
Some of the Operating System specific recommendations include things like not running Vault as the root user and disabling core dumps. Another recommendation is to configure SELinux or AppArmor. SELinux and AppArmor are two methods to provide Mandatory Access Controls to processes running on Linux distributions. SELinux was originally developed by the United States National Security Agency (NSA), and since then has been included in Red Hat-based Linux Distributions, such as CentOS or Fedora. AppArmor, while very similar to SELinux, is supported by Canonical, and is therefore available on Ubuntu and related Linux Distributions.
To help operations staff implement this recommendation we’re happy to announce a baseline SELinux policy for securing Vault on Red Hat-based Linux Distributions. This will be initially available as an open source GitHub repo, and may eventually make its way to our Linux Repository too.
It is important that you test the SELinux policy out in your non-production environments before running it in production. While we have done baseline testing with CentOS and Fedora, your Vault environment is likely unique and will require modification to the policy.
One of the benefits of SELinux is that it is customizable to your particular security requirements, but with that flexibility comes complexity. To provide an initial, out-of-box experience, the current Targeted Policy is configured to label Vault files and folders as per those deployed if you install Vault using one of our Linux Packages.
»Getting Started
The easiest way to get started is to download and install one of the RPMs from our releases page. The el RPM files have been packaged and tested on CentOS 7 and 8, while the fc packages have been packaged and tested on Fedora 31, 32, and 33.
»Customized Policy
If you have a customized deployment of Vault then the packaged RPMs will not work. The best way to proceed is to clone the repo, then follow the steps under Testing Locally to install the policy.
After initial installation, the SELinux policy files that reside in products/vault_selinux may be edited and re-deployed by re-running the vault.sh script from within that same directory.
»Next Steps
Long-term we plan to make these RPMs available for installation from our official Linux repository. This will help streamline the process for operators that want to easily install Vault and the Vault SELinux Policy. We’re also going to investigate providing a similar policy for AppArmor for those practitioners running Vault on Ubuntu, Debian, and similar Linux Distributions. As always, we’re interested in community feedback.
Sign up for the latest HashiCorp news
More blog posts like this one
Introducing The Infrastructure Cloud
Do cloud right with The Infrastructure Cloud from HashiCorp. Unlock developer potential while controlling cloud costs and risk.
How secret scanning works
HCP Vault Radar conducts ongoing reconnaissance of unsecured secrets stored as plain text in code repositories as well as configuration, DevOps, and collaboration tools.
Secrets sync now available on Vault Enterprise to manage secrets sprawl
Secrets sync is a new feature in HashiCorp Vault that facilitates centralized management, governance, and control of secrets for multiple external secret managers.