vault_audit_tools/lib.rs
//! # Vault Audit Tools
//!
//! High-performance command-line tools for analyzing HashiCorp Vault audit logs.
//!
//! ## Overview
//!
//! This crate provides a suite of specialized tools for parsing and analyzing
//! HashiCorp Vault audit logs. It's designed to handle large production logs
//! (multi-gigabyte files) efficiently through streaming parsing and minimal
//! memory overhead.
//!
//! ## Performance
//!
//! - **3x faster** than equivalent Python implementations
//! - **10x less memory** usage through streaming parser
//! - Processes 4M line logs in ~17 seconds (vs ~60s in Python)
//!
//! ## Features
//!
//! - **16 specialized analysis commands** for different use cases
//! - **Streaming JSON parser** for memory-efficient processing
//! - **Entity lifecycle tracking** across multiple days
//! - **Token usage analysis** and abuse detection
//! - **KV secrets engine analysis** (v1 and v2)
//! - **Kubernetes auth analysis**
//! - **Shell completion** for bash, zsh, fish, powershell, and elvish
//!
//! ## Architecture
//!
//! The crate is organized into several key modules:
//!
//! - [`audit`] - Core audit log parsing and data structures
//! - [`commands`] - Individual analysis command implementations
//! - [`utils`] - Shared utilities for time parsing, progress display, etc.
//! - [`vault_api`] - Vault API client for entity enrichment
//!
//! ## Example Usage
//!
//! ```bash
//! # Analyze entity creation patterns
//! vault-audit entity-creation audit.log
//!
//! # Compare entity activity across days to detect churn
//! vault-audit entity-churn audit-today.log --baseline audit-yesterday.log
//!
//! # Analyze KV secret access patterns
//! vault-audit kv-analyzer audit.log
//!
//! # Detect token lookup abuse
//! vault-audit token-lookup-abuse audit.log
//! ```
//!
//! ## Command Categories
//!
//! ### Entity Analysis
//! - `entity-creation` - Track when entities first appear
//! - `entity-churn` - Compare activity across multiple days
//! - `entity-gaps` - Find gaps in entity activity
//! - `entity-timeline` - Visualize entity activity over time
//!
//! ### Token Analysis
//! - `token-operations` - Analyze token lifecycle operations
//! - `token-lookup-abuse` - Detect suspicious token lookup patterns
//! - `token-export` - Export token data for analysis
//!
//! ### KV Secrets Analysis
//! - `kv-analyzer` - Analyze KV secret access patterns
//! - `kv-summary` - Summarize KV usage by mount point
//! - `kv-compare` - Compare KV usage across time periods
//!
//! ### Authentication Analysis
//! - `k8s-auth` - Analyze Kubernetes authentication patterns
//!
//! ### System Analysis
//! - `system-overview` - High-level audit log statistics
//! - `path-hotspots` - Identify most accessed paths
//!
//! ## Installation
//!
//! From crates.io:
//! ```bash
//! cargo install vault-audit-tools
//! ```
//!
//! From source:
//! ```bash
//! git clone https://github.com/trenner1/hashicorp-vault-audit-analysis
//! cd hashicorp-vault-audit-analysis/vault-audit-tools
//! cargo install --path .
//! ```

pub mod audit;
pub mod commands;
pub mod utils;
pub mod vault_api;