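Audit

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

# List the audit devices that are currently enabled.
audit_devices = client.sys.list_enabled_audit_devices()

options = {
    'path': '/tmp/vault.log',
    # log_raw=True writes sensitive values to the log in the clear instead of hashing them.
    'log_raw': True,
}

# Enable a file audit device mounted at 'somefile', then disable the one at 'oldfile'.
client.sys.enable_audit_device('file', options=options, path='somefile')
client.sys.disable_audit_device('oldfile')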

List Enabled Audit Devices

Audit.list_enabled_audit_devices()

List enabled audit devices.

It does not list all available audit devices. This endpoint requires sudo capability in addition to any path-specific capabilities.

Supported methods:
GET: /sys/audit. Produces: 200 application/json
Returns: JSON response of the request.
Return type: dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

enabled_audit_devices = client.sys.list_enabled_audit_devices()
print('The following audit devices are enabled: {audit_devices_list}'.format(
    audit_devices_list=', '.join(enabled_audit_devices['data'].keys()),
))

Example output:

The following audit devices are enabled: somefile/

Enable Audit Device

Audit.enable_audit_device(device_type, description=None, options=None, path=None)

Enable a new audit device at the supplied path.

The path can be a single word name or a more complex, nested path.

Supported methods:
PUT: /sys/audit/{path}. Produces: 204 (empty body)
Parameters:
  • device_type (str | unicode) – Specifies the type of the audit device.
  • description (str | unicode) – Human-friendly description of the audit device.
  • options (str | unicode) – Configuration options to pass to the audit device itself. This is dependent on the audit device type.
  • path (str | unicode) – Specifies the path in which to enable the audit device. This is part of the request URL.
Returns: The response of the request.
Return type: requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

options = {
    'path': '/tmp/vault.audit.log'
}

client.sys.enable_audit_device(
    device_type='file',
    options=options,
    path='tmp-file-audit',
)

Disable Audit Device

Audit.disable_audit_device(path)

Disable the audit device at the given path.

Supported methods:
DELETE: /sys/audit/{path}. Produces: 204 (empty body)
Parameters: path (str | unicode) – The path of the audit device to delete. This is part of the request URL.
Returns: The response of the request.
Return type: requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.disable_audit_device(
    path='tmp-file-audit',
)

Calculate Hash

Audit.calculate_hash(path, input_to_hash)

Hash the given input data with the specified audit device’s hash function and salt.

This endpoint can be used to discover whether a given plaintext string (the input parameter) appears in the audit log in obfuscated form.

Supported methods:
POST: /sys/audit-hash/{path}. Produces: 204 (empty body)
Parameters:
  • path (str | unicode) – The path of the audit device to generate hashes for. This is part of the request URL.
  • input_to_hash (str | unicode) – The input string to hash.
Returns: The JSON response of the request.
Return type: requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

input_to_hash = 'some sort of string thinger'

audit_hash = client.sys.calculate_hash(
    path='tmp-file-audit',
    input_to_hash=input_to_hash,
)

print('The hash for the provided input is: %s' % audit_hash['data']['hash'])

Example output:

The hash for the provided input is: hmac-sha256:...
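
Added example (not part of the hvac documentation): using the value returned by calculate_hash to find where a known plaintext appears, in hashed form, in a file audit log. The salt, the log lines and the `stand_in_hash` helper are constructed assumptions so the block runs offline; against a live server, pass `client.sys.calculate_hash(...)['data']['hash']` as `audit_hash` and the lines of the audit file as `log_lines`.

```python
import hashlib
import hmac
import json

SALT = b'constructed-salt'               # constructed; stands in for the device's salt
SECRET = 'some sort of string thinger'   # plaintext from the example above


def stand_in_hash(salt, plaintext):
    """Offline stand-in (assumption) for client.sys.calculate_hash(...)['data']['hash']."""
    digest = hmac.new(salt, plaintext.encode(), hashlib.sha256).hexdigest()
    return 'hmac-sha256:' + digest


def _walk(node, needle, prefix=''):
    """Yield the dotted path of every leaf in a decoded JSON entry equal to needle."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, needle, f'{prefix}.{key}' if prefix else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, needle, f'{prefix}[{i}]')
    elif node == needle:
        yield prefix


def find_hashed_value(log_lines, audit_hash):
    """Return (line_number, field_path) for each audit log field holding audit_hash."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # blank or truncated line: skip it rather than abort the scan
        hits.extend((lineno, path) for path in _walk(entry, audit_hash))
    return hits

# Constructed audit log lines (one JSON object per line), including a truncated one.
SAMPLE_LOG = [
    json.dumps({'type': 'request', 'request': {
        'path': 'secret/app', 'data': {'password': stand_in_hash(SALT, SECRET)}}}),
    '{"type": "response", "response": {"data": {"pass',
    json.dumps({'type': 'response', 'response': {'data': {
        'keys': [stand_in_hash(SALT, 'other'), stand_in_hash(SALT, SECRET)]}}}),
]

if __name__ == '__main__':
    print(find_hashed_value(SAMPLE_LOG, stand_in_hash(SALT, SECRET)))
```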