Hardening HashiCorp Vault with SELinux
We have developed a baseline SELinux policy for securing Vault on Red Hat-based Linux Distributions
Hardening the production environment that runs your HashiCorp Vault clusters is one of the most important tasks you can do to secure the secret data managed by Vault. Our Learn guide on Production Hardening provides a number of invaluable recommendations, each of which add layers of defense in depth to help reduce the likelihood or impact of compromise.
Some of the Operating System specific recommendations include things like not running Vault as the root
user and disabling core dumps. Another recommendation is to configure SELinux or AppArmor. SELinux and AppArmor are two methods to provide Mandatory Access Controls to processes running on Linux distributions. SELinux was originally developed by the United States National Security Agency (NSA), and since then has been included in Red Hat-based Linux Distributions, such as CentOS or Fedora. AppArmor, while very similar to SELinux, is supported by Canonical, and is therefore available on Ubuntu and related Linux Distributions.
To help operations staff implement this recommendation we’re happy to announce a baseline SELinux policy for securing Vault on Red Hat-based Linux Distributions. This will be initially available as an open source GitHub repo, and may eventually make its way to our Linux Repository too.
It is important that you test the SELinux policy out in your non-production environments before running it in production. While we have done baseline testing with CentOS and Fedora, your Vault environment is likely unique and will require modification to the policy.
One of the benefits of SELinux is that it is customizable to your particular security requirements, but with that flexibility comes complexity. To provide an initial, out-of-box experience, the current Targeted Policy is configured to label Vault files and folders as per those deployed if you install Vault using one of our Linux Packages.
» Getting Started
The easiest way to get started is to download and install one of the RPMs from our releases page. The el
RPM files have been packaged and tested on CentOS 7 and 8, while the fc
packages have been packaged and tested on Fedora 31, 32, and 33.
» Customized Policy
If you have a customized deployment of Vault then the packaged RPMs will not work. The best way to proceed is to clone the repo, then follow the steps under Testing Locally to install the policy.
After initial installation, the SELinux policy files that reside in products/vault_selinux
may be edited and re-deployed by re-running the vault.sh
script from within that same directory.
» Next Steps
Long-term we plan to make these RPMs available for installation from our official Linux repository. This will help streamline the process for operators that want to easily install Vault and the Vault SELinux Policy. We’re also going to investigate providing a similar policy for AppArmor for those practitioners running Vault on Ubuntu, Debian, and similar Linux Distributions. As always, we’re interested in community feedback.
Sign up for the latest HashiCorp news
More blog posts like this one
Vault integrations with MongoDB, Private Machines, and walt.id strengthen customer security
Three new HashiCorp Vault ecosystem integrations extend security use cases for customers.
HashiCorp at re:Invent 2024: Security Lifecycle Management with AWS
A recap of HashiCorp security news and developments on AWS from the past year, for your security management playbook.
HCP Vault Dedicated adds secrets sync, cross-region DR, EST PKI, and more
The newest HCP Vault Dedicated 1.18 upgrade includes a range of new features that include expanding DR region coverage, syncing secrets across providers, and adding PKI EST among other key features.