Skip to content

Latest commit

 

History

History
179 lines (160 loc) · 3.57 KB

vault_secret_scanner.sh.README.md

File metadata and controls

179 lines (160 loc) · 3.57 KB

vault_secret_scanner.sh

Purpose

Performs comprehensive scanning and auditing of HashiCorp Vault secrets, providing detailed analysis of secret usage, access patterns, and security compliance. This script helps maintain security and governance of secrets stored in Vault.

Features

  • Secret scanning
  • Access pattern analysis
  • Policy compliance checks
  • Secret rotation tracking
  • Usage monitoring
  • Lifecycle management
  • Security auditing
  • Version control
  • Expiration tracking

Requirements

  • Linux environment
  • HashiCorp Vault
  • Vault CLI tools
  • Authentication tokens
  • Appropriate permissions
  • jq for JSON processing
  • Network connectivity
  • Bash 4.0 or later

Usage

./vault_secret_scanner.sh [-p path] [-t type] [-a action]

Parameters:
  -p    Path in Vault to scan
  -t    Secret type (kv/pki/ssh/etc)
  -a    Action (scan/audit/report)

Scanning Operations

  1. Secret Discovery

    • Path enumeration
    • Secret detection
    • Metadata analysis
    • Version tracking
    • Access patterns
    • Usage statistics
    • Lifecycle status

  2. Security Analysis

    • Permission review
    • Policy compliance
    • Access patterns
    • Rotation status
    • Expiration check
    • Usage validation
    • Risk assessment

  3. Compliance Checks

    • Policy validation
    • Access controls
    • Rotation compliance
    • Lifecycle rules
    • Audit requirements
    • Security standards
    • Best practices

  4. Usage Monitoring

    • Access tracking
    • Usage patterns
    • Client identification
    • Rate monitoring
    • Error tracking
    • Performance impact
    • Resource usage

Configuration

The script uses a JSON configuration file:

{
    "ScanSettings": {
        "RecursiveScan": true,
        "IncludeMetadata": true,
        "CheckVersions": true,
        "TrackAccess": true
    },
    "Security": {
        "RequireRotation": true,
        "MaxSecretAge": 90,
        "EnforceCompliance": true,
        "ValidatePermissions": true
    },
    "Reporting": {
        "OutputPath": "./reports",
        "Format": "HTML",
        "IncludeMetrics": true,
        "NotifyAdmin": true
    }
}

Security Features

  • Access pattern detection
  • Policy validation
  • Rotation tracking
  • Usage monitoring
  • Risk assessment
  • Compliance checking
  • Audit logging

Error Handling

  • Authentication failures
  • Permission issues
  • Network problems
  • Rate limiting
  • Path errors
  • Version conflicts
  • Access denials

Log Files

The script maintains logs in:

  • Main log: /var/log/vault_scanner.log
  • Report file: ./reports/<timestamp>_scan.html
  • Error log: /var/log/vault_errors.log

Report Sections

Generated reports include:

  • Executive Summary
  • Secret Inventory
  • Access Patterns
  • Policy Compliance
  • Security Risks
  • Usage Statistics
  • Recommendations

Best Practices

  • Regular scanning
  • Policy reviews
  • Access monitoring
  • Rotation enforcement
  • Documentation
  • Audit reviews
  • Risk assessment
  • Change tracking
  • User training
  • Incident response
  • Recovery planning
  • Compliance updates

Integration Options

  • CI/CD pipelines
  • Security tools
  • Monitoring systems
  • SIEM platforms
  • Ticketing systems
  • Automation tools
  • Compliance systems

Secret Types Supported

  • Key/Value secrets
  • PKI certificates
  • SSH keys
  • Database credentials
  • Cloud credentials
  • API tokens
  • Encryption keys
  • TLS certificates

Assessment Areas

  • Secret Management
  • Access Control
  • Policy Compliance
  • Rotation Status
  • Usage Patterns
  • Security Posture
  • Risk Assessment
  • Audit Compliance
  • Performance Impact
  • Resource Usage
  • Version Control
  • Lifecycle Management