From 49941b415e2192dbb96bf58f36f39e6fd51cc641 Mon Sep 17 00:00:00 2001
From: Albin Kerouanton <albinker@gmail.com>
Date: Fri, 26 Nov 2021 17:27:13 +0100
Subject: [PATCH] Add vault_harden_file_perms to set chmod 0550 on
 config/plugins path

The [Production
Hardening](https://learn.hashicorp.com/tutorials/vault/production-hardening)
have a bullet point "Allow minimal write privileges". It states: "its
executable binary or any Vault configuration files".

Prior to this change, the config and plugins path had chmod 0750, so
Vault could actually write config files and change plugins.

This commit adds a new parameter named vault_harden_file_perms (turned
off by default). When enabled, it changes the chmod of config and
plugins path to 0550 to effectively disallow Vault from writing into
these dirs.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
---
 README.md         |  6 ++++++
 defaults/main.yml |  1 +
 tasks/main.yml    | 19 ++++++++++++-------
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 6a09c6a8..9d163116 100644
--- a/README.md
+++ b/README.md
@@ -171,6 +171,12 @@ The role defines variables in `defaults/main.yml`:
 - PID file location
 - Default value: `/var/run/vault`
 
+### `vault_harden_file_perms`
+
+- Whether this role should disallow Vault from writing into config and plugin
+  path. This should be enabled to follow [Production Hardening](https://learn.hashicorp.com/tutorials/vault/production-hardening).
+- Default value: false
+
 ### `vault_manage_user`
 
 - Should this role manage the vault user?
diff --git a/defaults/main.yml b/defaults/main.yml
index 27f3cba0..0b4d0cac 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,6 +38,7 @@ vault_data_path: /var/vault
 vault_log_path: /var/log/vault
 vault_run_path: /var/run/vault
 vault_home: "/home/{{ vault_user }}"
+vault_harden_file_perms: true
 
 # System user and group
 vault_manage_user: true
diff --git a/tasks/main.yml b/tasks/main.yml
index a5d4a713..564daddb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -104,17 +104,22 @@
 - name: Create directories
   become: true
   file:
-    dest: "{{ item }}"
+    dest: "{{ item.path }}"
     state: directory
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
-    mode: 0750
+    mode: "{{ item.mode }}"
   with_items:
-    - "{{ vault_config_path }}"
-    - "{{ vault_plugin_path }}"
-    - "{{ vault_data_path }}"
-    - "{{ vault_log_path }}"
-    - "{{ vault_run_path }}"
+    - path: "{{ vault_config_path }}"
+      mode: "{{ vault_harden_file_perms | ternary('0550', '0750') }}"
+    - path: "{{ vault_plugin_path }}"
+      mode: "{{ vault_harden_file_perms | ternary('0550', '0750') }}"
+    - path: "{{ vault_data_path }}"
+      mode: "0750"
+    - path: "{{ vault_log_path }}"
+      mode: "0750"
+    - path: "{{ vault_run_path }}"
+      mode: "0750"
 
 - name: Enable logrotate for vault
   become: true