splunk / vault-plugin-splunk

Licence: Apache-2.0 license
Vault plugin to securely manage Splunk admin accounts and password rotation

vault-plugin-splunk

A Hashicorp Vault[1] plugin that aims to securely manage Splunk admin accounts, including secrets rotation for compliance purposes.

[1] https://www.vaultproject.io/

Building from Source

git clone git@github.com:splunk/vault-plugin-splunk
cd vault-plugin-splunk
make

Testing

Splunk Setup

The go test command creates new Splunk instances for running the integration tests, which requires Docker. Since this can be slow, an already running instance can be reused instead by setting the SPLUNK_ADDR environment variable. An example for starting a new instance:

export SPLUNK_ADDR='https://localhost:8089'
export SPLUNK_PASSWORD='test1234'
docker run -d -p 8000:8000 -p 8089:8089 -e 'SPLUNK_START_ARGS=--accept-license' -e SPLUNK_PASSWORD splunk/splunk:latest

Integration tests can be turned off entirely by using go test -short. However, note that this disables the majority of tests, which is not recommended.

Vault Setup

# server
export VAULT_ADDR='http://localhost:8200'
vault server -log-level debug -dev -dev-root-token-id="root" -config=vault.hcl  # does not detach
# client use
export VAULT_ADDR='http://localhost:8200'
vault login root

Rebuilding and Loading Plugin

export SPLUNK_ADDR='https://localhost:8089'
export SPLUNK_PASSWORD='test1234'
export VAULT_ADDR='http://localhost:8200'
make dev

Plugin Setup

vault secrets enable -path=splunk -plugin-name=vault-plugin-splunk plugin || true
vault write splunk/config/local url="${SPLUNK_ADDR}" insecure_tls=true username=admin password="${SPLUNK_PASSWORD}" allowed_roles='*'
vault write splunk/roles/local-admin roles=admin email='[email protected]' connection=local default_ttl=30s max_ttl=5m
vault read splunk/roles/local-admin
Key            Value
---            -----
connection     local
default_app    n/a
default_ttl    30s
email          [email protected]
max_ttl        5m
roles          [admin]
tz             n/a
user_prefix    vault

Plugin Usage

Create temporary admin account:

$ vault read splunk/creds/local-admin
Key                Value
---                -----
lease_id           splunk/creds/local-admin/5htFZ7QytJKbvslG5gukSPNd
lease_duration     5m
lease_renewable    true
connection         local
password           439e831b-e395-9999-2cd7-856381db3394
roles              [admin]
url                https://localhost:8089
username           vault_70c6c140-238d-e12b-3289-8e38f8c4d9f5

This creates a new user account vault_70c6c140-238d-e12b-3289-8e38f8c4d9f5 with a new random password. The account was configured to have the admin role. Vault automatically queues it for deletion once the configured lease ends, here after 5 minutes. Use vault lease [renew|revoke] to manually extend or cut short the lease, up to the configured maximum time.

For clustered stacks, we create ephemeral credentials for specific nodes:

$ vault read splunk/creds/local-admin/idx.example.com
Key                Value
---                -----
lease_id           splunk/creds/local-admin/idx.example.com/u2N97uUVVDw3YVaETB1yRK74
lease_duration     30s
lease_renewable    true
connection         local
password           &R1iX5W%$41QGcf^yN2i9%%#tUNf58h!
roles              [admin]
url                https://idx.example.com:8089
username           vault_29079642-4aa1-1979-f402-b3775f2713a7
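
As an added example (not part of the plugin's own code), the following Go snippet shows how a consumer of the plugin would handle the creds responses above: decode the JSON form of vault read splunk/creds/<role>, authenticate a Splunk management-API call as the ephemeral admin user, and build the sys/leases/revoke call so the account is removed as soon as the job finishes instead of waiting for the TTL. The sample response, lease id, password, Vault address and token are constructed placeholders.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"net/http"
)

// SplunkCreds mirrors `vault read -format=json splunk/creds/<role>`; untagged Data fields match the JSON keys case-insensitively.
type SplunkCreds struct {
	LeaseID string                                    `json:"lease_id"`
	Data    struct{ Username, Password, URL string } `json:"data"`
}
// sampleCredsJSON is a constructed response; lease id, user and password are placeholders.
const sampleCredsJSON = `{"lease_id":"splunk/creds/local-admin/EXAMPLELEASE","renewable":true,"lease_duration":300,` +
	`"data":{"connection":"local","username":"vault_00000000-0000-0000-0000-000000000000","password":"EXAMPLE-PASSWORD","url":"https://localhost:8089","roles":["admin"]}}`

// ParseCreds decodes the secret and rejects a response with no usable account or lease.
func ParseCreds(body []byte) (*SplunkCreds, error) {
	var c SplunkCreds
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.LeaseID == "" || c.Data.Username == "" || c.Data.URL == "" {
		return nil, errors.New("vault response carries no splunk credentials")
	}
	return &c, nil
}

// SplunkRequest builds a management-API call authenticated as the ephemeral admin user.
func (c *SplunkCreds) SplunkRequest(method, path string) (*http.Request, error) {
	req, err := http.NewRequest(method, c.Data.URL+path, nil)
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(c.Data.Username, c.Data.Password)
	return req, nil
}

// RevokeLeaseRequest builds the call behind `vault lease revoke` (PUT /v1/sys/leases/revoke) so the account dies when the work ends, not when the TTL does.
func RevokeLeaseRequest(vaultAddr, token, leaseID string) (*http.Request, error) {
	body, _ := json.Marshal(map[string]string{"lease_id": leaseID}) // a string map always marshals
	req, err := http.NewRequest(http.MethodPut, vaultAddr+"/v1/sys/leases/revoke", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	return req, nil
}
```

Send the revoke request with the same Vault token that read the credentials; the plugin then deletes the temporary Splunk user immediately.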

Rotate the Splunk admin password:

vault write -f splunk/rotate-root/local

NOTE: this changes the password of the configured admin account and does not print the new password. To avoid locking yourself out of the Splunk instance during testing, create a second admin account first.

Test driver

GoConvey automatically re-runs the tests whenever a file is saved:

go get github.com/smartystreets/goconvey

Usage:

export SPLUNK_ADDR=https://localhost:8089
goconvey -excludedDirs vendor

TODO

Vault Plugin

  • benchmark with thousands of simultaneous connections
  • vault client cert & auto-renewal
  • support "DIY" Splunk cluster without CM
  • better HTTP error codes
  • support for license rotation?
  • add (default) secrets mount description (currently "n/a")
  • DisplayName for config parameters (where is it shown?)

Tests

  • TTLs roundtrip
  • externally deleted user
  • externally revoked admin access
  • not in allowed_roles
  • updating roles, connections with partial params
  • creating conns first, then roles, and vice versa

Splunk API

  • use ctx in every operation
  • metrics
  • error handling
  • move to separate package
  • generate API from OpenAPI spec
  • expand doc strings
  • comment strings: caps, punctuation