
Anti-tampering

Turn on anti-tampering, find information on tampering attempts, and re-enable your system after it is locked by suspected tampering

Anti-tampering detects changes made directly within the database – rather than through the Vault software – to the IAM, the collection schemas, and many other configuration items. This provides protection from side-channel attacks by a malicious actor who has gained unauthorized direct database access. When a tampering event is detected, Vault provides a report and can lock down to prevent further data access until the issue is investigated and appropriate action taken. With this feature, Vault protects your data from potential leaks and prevents privilege escalation.

Enable anti-tampering

Anti-tampering is controlled by the PVAULT_FEATURES_ANTI_TAMPERING environment variable (part of the service and features settings). This environment variable takes one of these values:

  • off, Vault does not identify tampering.
  • log, Vault identifies tampering incidents and records them in the system logs.
  • enforce, Vault records tampering incidents and stops serving clients.

The default setting is log. However, enforce is recommended for production environments.

Tampering attempt reporting

When anti-tampering is enabled and Vault detects an anomaly, it logs a warning with error code PV2002 to the system logs, like this:

... "status_code":503,"error_code":"PV2002","message":"[WARNING] Anti-tampering alert." ...

If anti-tampering is in enforce mode, Vault responds to all requests made after the tampering attempt was detected with a 503 Service Unavailable response like this:

{
  "context":{},
  "error_code":"PV2002",
  "message":"[WARNING] Anti-tampering alert."
}
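A practitioner watching for these events usually wants them picked up automatically rather than read by hand. The following is an added example, not code from the Vault documentation or product: it scans log lines for the PV2002 error code shown above (whether the line is pure JSON or, as assumed here, JSON embedded after a timestamp prefix) and recognises the enforce-mode 503 lockdown response. The sample log lines are constructed and the "PLACEHOLDER" error code is not a real Vault code.

```python
import json
import re

# Error code Vault uses for anti-tampering alerts (from the documentation above).
TAMPER_ERROR_CODE = "PV2002"

# Fallback extractors for lines that are not valid JSON as a whole, e.g. when
# a log shipper prepends a timestamp (an assumption about the deployment).
_ERROR_CODE_RE = re.compile(r'"error_code"\s*:\s*"([A-Z0-9]+)"')
_STATUS_RE = re.compile(r'"status_code"\s*:\s*(\d+)')


def scan_log_lines(lines):
    """Return one alert dict per log line carrying the PV2002 error code."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
            code = rec.get("error_code")
            status = rec.get("status_code")
        except ValueError:
            # Not a bare JSON object: fall back to field extraction so an
            # alert is not missed because of surrounding log decoration.
            m_code = _ERROR_CODE_RE.search(line)
            m_status = _STATUS_RE.search(line)
            code = m_code.group(1) if m_code else None
            status = int(m_status.group(1)) if m_status else None
        if code == TAMPER_ERROR_CODE:
            alerts.append({"line": lineno, "status_code": status})
    return alerts


def is_tamper_lockdown(status_code, body):
    """True when an API response is the enforce-mode lockdown described above:
    HTTP 503 with a JSON body whose error_code is PV2002."""
    if status_code != 503:
        return False
    try:
        rec = json.loads(body)
    except ValueError:
        return False
    return isinstance(rec, dict) and rec.get("error_code") == TAMPER_ERROR_CODE


# Constructed sample log lines (not real Vault output).
SAMPLE_LOG = [
    '{"status_code":200,"path":"/example"}',
    '2024-01-01T00:00:00Z vault {"status_code":503,"error_code":"PV2002","message":"[WARNING] Anti-tampering alert."}',
    '{"status_code":404,"error_code":"PLACEHOLDER","message":"not found"}',
]

if __name__ == "__main__":
    for a in scan_log_lines(SAMPLE_LOG):
        print(f"anti-tampering alert at log line {a['line']} (status {a['status_code']})")
```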

Enabling Vault after a suspected tampering attempt

An anti-tampering alert is a serious security event. Investigation of any incident and appropriate remedial action are recommended to prevent further tampering attempts. Once you have eliminated the risk or are sure that the alert is a false positive, restore normal Vault processing:

  1. Shut down the Vault instance.
  2. Start a new Vault instance with the environment variable PVAULT_FEATURES_ANTI_TAMPERING set to log.
  3. Use the API or CLI to override the alerted entities. For example, if the alert was triggered by a change to remove encryption from the first_name property, use the API or CLI to apply encryption to the first_name property again.
  4. Shut down the Vault instance.
  5. Start a new Vault instance with the environment variable PVAULT_FEATURES_ANTI_TAMPERING set to enforce.