akamai / cli-appsec

Akamai CLI for Application Security
https://developer.akamai.com/cli
Apache License 2.0
13 stars 9 forks source link
akamai akamai-cli appsec cli security-cli

Akamai CLI for Application Security

NOTE: This tool is intended to be installed via the Akamai CLI package manager, which can be retrieved from the releases page of the Akamai CLI tool.

Local Install, if you choose not to use the akamai package manager

Assumed Defaults

If left to these assumptions, the commands will perform slower than when these options are provided explicitly.

Credentials

In order to use this configuration, you need to:

Account Switching

Account switching can be performed by providing the --account-key option with account ID as the value.

Overview

The akamai appsec Kit is a set of nodejs libraries that wraps Akamai's {OPEN} APIs to help simplify protection to the properties delivered by Akamai. This kit can be used as a no-fuss command line utility to interact with the library.

$ akamai appsec
Usage: akamai appsec <command> [options]

Commands:
  accept-recommendation                        Accept a recommendation.
  activate                                     Activate a version.
  activation                                   Get activation status.
  activation-history                           List activation history for the configuration.
  akamai-bot-category                          Display contents of akamai bot category.
  akamai-bot-category-action                   Display contents of akamai bot category action.
  akamai-bot-category-action-list              List all akamai bot category action.
  akamai-bot-category-list                     List all akamai bot category.
  akamai-defined-bot                           Display contents of akamai defined bot.
  akamai-defined-bot-list                      List all akamai defined bot.
  api-endpoints                                List all api endpoints.
  api-request-constraints-action               Display API Request Constraint action.
  api-pii-learning                             Display the API PII Learning settings.
  attack-group                                 Display attack group action in a policy.
  attack-groups                                List all attack group actions in a policy.
  attackgroup-condition-exception              Display attack group exceptions.
  bot-analytics-cookie                         Display contents of bot analytics cookie.
  bot-analytics-cookie-values                  Display contents of bot analytics cookie values.
  bot-detection                                Display contents of bot detection.
  bot-detection-action                         Display contents of bot detection action.
  bot-detection-action-list                    List all bot detection action.
  bot-detection-list                           List all bot detection.
  bot-endpoint-coverage-report                 Display contents of bot endpoint coverage report.
  bot-endpoint-coverage-report-config-version  Display contents of bot endpoint coverage report - config version.
  bot-management-settings                      Display contents of bot management settings.
  bot-protection-exceptions                    Display contents of bot protection exceptions.
  bypass-network-lists                         List all bypass network lists.
  challenge-action                             Display contents of challenge action.
  challenge-action-list                        List all challenge action.
  challenge-injection-rules                    Display contents of challenge injection rules.
  challenge-interception-rules                 (Deprecated) Display contents of challenge interception rules.
  client-side-security                         Display contents of client side security.
  clone                                        Clone a config.
  clone-policy                                 Clone security policy.
  complete-eval                                Complete evaluation in a policy.
  conditional-action                           Display contents of conditional action.
  conditional-action-list                      List all conditional action.
  configs                                      List all available configurations.
  content-protection-detections                Display content protection detections.
  content-protection-javascript-injection-rule-list Display contents of content protection javascript injection rules.
  content-protection-javascript-injection-rule  Display contents of content protection javascript injection rule.
  content-protection-rule                      Display contents of content protection rule.
  content-protection-rule-detection-settings   Display overridden detection settings of content protection rule.
  content-protection-rule-list                 List all content protection rules.
  content-protection-rule-sequence             Display contents of content bot category sequence.
  contracts-groups                             List contracts and groups with KSD/WAP line items.
  create-api-match-target                      Creates an API match target.
  create-challenge-action                      Create a challenge action.
  create-conditional-action                    Create a conditional action.
  create-config                                Create a new security config.
  create-content-protection-rule               Create a content protection rule.
  create-content-protection-javascript-injection-rule  Create a content protection javascript injection rule.
  create-custom-bot-category                   Create a custom bot category.
  create-custom-client                         Create a custom client.
  create-custom-defined-bot                    Create a custom defined bot.
  create-custom-deny                           Create-custom-deny action.
  create-custom-deny-action                    Create a custom deny action.
  create-custom-rule                           Create a custom rule.
  create-eval-penalty-box-conditions           Create evaluation penalty box conditions in a policy.
  create-malware-policy                        Create a malware policy.
  create-match-target                          Creates a website match target.
  create-penalty-box-conditions                Create penalty box conditions in a policy.
  create-rate-policy                           Create a rate policy.
  create-recategorized-akamai-defined-bot      Create a recategorized akamai defined bot.
  create-reputation-profile                    Create a reputation profile.
  create-security-policy                       Create a security policy.
  create-serve-alternate-action                Create a serve alternate action.
  create-transactional-endpoint                Create a transactional endpoint.
  custom-bot-category                          Display contents of custom bot category.
  custom-bot-category-action                   Display contents of custom bot category action.
  custom-bot-category-action-list              List all custom bot category action.
  custom-bot-category-list                     List all custom bot category.
  custom-bot-category-sequence                 Display contents of custom bot category sequence.
  custom-bot-category-item-sequence            Display contents of custom bot category item sequence.
  custom-client                                Display contents of custom client.
  custom-client-list                           List all custom client.
  custom-client-sequence                       Display contents of custom client sequence.
  custom-defined-bot                           Display contents of custom defined bot.
  custom-defined-bot-list                      List all custom defined bot.
  custom-deny                                  Display contents of custom deny action. 
  custom-deny-action                           Display contents of custom deny action.
  custom-deny-action-list                      List all custom deny action.
  custom-deny-list                             List all custom deny actions.
  custom-rule                                  Display contents of custom rule.
  custom-rules                                 List all custom rules.
  decline-recommendation                       Decline a recommendation.
  delete-challenge-action                      Delete a challenge action.
  delete-conditional-action                    Delete a conditional action.
  delete-config                                Delete a security config.
  delete-content-protection-rule               Delete a content protection rule.
  delete-content-protection-javascript-injection-rule Delete a content protection JavaScript injection rule.
  delete-custom-bot-category                   Delete a custom bot category.
  delete-custom-client                         Delete a custom client.
  delete-custom-defined-bot                    Delete a custom defined bot.
  delete-custom-deny                           Delete a custom deny action.
  delete-custom-deny-action                    Delete a custom deny action.
  delete-custom-rule                           Delete a custom rule.
  delete-eval-penalty-box-conditions           Delete evaluation penalty box conditions in a policy.
  delete-malware-policy                        Delete an existing malware policy.
  delete-match-target                          Deletes a match target.
  delete-penalty-box-conditions                Delete penalty box conditions in a policy.
  delete-rate-policy                           Delete a rate policy.
  delete-recategorized-akamai-defined-bot      Delete a recategorized akamai defined bot.
  delete-reputation-profile                    Delete a reputation profile.
  delete-security-policy                       Delete a security policy.
  delete-serve-alternate-action                Delete a serve alternate action.
  delete-transactional-endpoint                Delete a transactional endpoint.
  disable-api-request-constraints              Disable API Request Constraint.
  disable-attack-group                         Disable attack group  in a policy.
  disable-eval-penalty-box                     Disable evaluation penalty box in a policy.
  disable-eval-rule-action                     Disable evaluation rule action in a policy.
  disable-evasive-path-match                   Disable Evasive Path Match.
  disable-http-header-logging                  Disable the HTTP Header Logging settings.
  disable-malware-policy                       Remove actions to an existing malware policy in a firewall policy.
  disable-override-http-header-logging         Disable the HTTP Header Logging Override settings.
  disable-penalty-box                          Disable penalty box in a policy.
  disable-rate-policy                          Removes an action set to an existing rate policy in a policy.
  disable-reputation-profile                   Disable the action for a reputation profile.
  disable-rule-action                          Disable rule action in a policy.
  disable-slow-post                            Disable slow post in a policy.
  enable-api-request-constraints               Set the API Request Constraint action.
  enable-attack-group                          Enable attack group in a policy.
  enable-custom-rule                           Assigns an action (such as alert or deny) to an existing custom rule in a policy.
  enable-eval-penalty-box                      Enable evaluation penalty box in a policy.
  enable-eval-rule-action                      Enable evaluation rule action in a policy.
  enable-evasive-path-match                    Enable Evasive Path Match.
  enable-http-header-logging                   Enable the HTTP Header Logging settings.
  enable-malware-policy                        Assign actions to an existing malware policy in a firewall policy.
  enable-override-http-header-logging          Enable the HTTP Header Logging Override settings.
  enable-penalty-box                           Enable penalty box in a policy.
  enable-rate-policy                           Assigns an action to an existing rate policy in a policy.
  enable-reputation-profile                    Enable and set the action for a reputation profile.
  enable-rule-action                           Enable rule action in a policy.
  enable-slow-post                             Enable slow post in a policy.
  end-eval                                     Stop evaluation in a policy.
  eval-hostnames                               List all hosts under evaluation.
  eval-penalty-box                             Display evaluation penalty box action in a policy.
  eval-penalty-box-conditions                  Display evaluation penalty box conditions in a policy.
  eval-rule-action                             Display evaluation rule action in a policy.
  eval-rule-actions                            Display evaluation rules and actions in a policy.
  eval-rule-condition-exception                Display evaluation rule conditions and exceptions in a policy.
  evasive-path-match                           Display the Evasive Path Match settings.
  export                                       Export a configuration version.
  failover-hostnames                           List all failover hostnames on a config.
  hostname-coverage                            Display the Hostname Coverage.
  http-header-logging                          Display the HTTP Header Logging settings.
  ip-geo-firewall                              Display the IP Geo Firewall network lists in a policy
  javascript-injection-rules                   Display contents of javascript injection rules.
  krs-rules-upgrade                            Upgrade the KRS rules in a policy.
  malware-content-types                        List all malware content types.
  malware-policies                             List all malware policies.
  malware-policies-actions                     Display all enabled malware policy actions.
  malware-policy                               Display contents of a malware policy.
  match-target                                 Read a match target.
  match-target-order                           Change the match target sequence.
  match-targets                                List all match targets.
  mode                                         Display the WAF Mode.
  modify-akamai-bot-category-action            Update existing akamai bot category action.
  modify-api-match-target                      Updates an API match target.
  modify-attackgroup-condition-exception       Update attack group exceptions.    
  modify-bot-analytics-cookie                  Update existing bot analytics cookie.
  modify-bot-detection-action                  Update existing bot detection action.
  modify-bot-management-settings               Update existing bot management settings.
  modify-bot-protection-exceptions             Update existing bot protection exceptions.
  modify-bypass-network-lists                  Update bypass network lists.
  modify-challenge-action                      Update existing challenge action.
  modify-challenge-injection-rules             Update existing challenge injection rules.
  modify-challenge-interception-rules          (Deprecated) Update existing challenge interception rules.
  modify-client-side-security                  Update existing client side security.
  modify-conditional-action                    Update existing conditional action.
  modify-content-protection-rule               Update content protection rule.
  modify-content-protection-javascript-injection-rule Update a content protection JavaScript injection rule.
  modify-content-protection-rule-detection-settings Update detection settings of content protection rule.
  modify-content-protection-rule-sequence      Update existing content protection rule sequence.
  modify-custom-bot-category                   Update existing custom bot category.
  modify-custom-bot-category-action            Update existing custom bot category action.
  modify-custom-bot-category-sequence          Update existing custom bot category sequence.
  modify-custom-bot-category-item-sequence     Update existing custom bot category item sequence.
  modify-custom-client                         Update existing custom client.
  modify-custom-client-sequence                Update existing custom client sequence.
  modify-custom-defined-bot                    Update existing custom defined bot.
  modify-custom-deny                           Update existing custom deny action.
  modify-custom-deny-action                    Update existing custom deny action.
  modify-custom-rule                           Update existing custom rule.
  modify-eval-hostnames                        Modify hostnames under evaluation.
  modify-eval-penalty-box-conditions           Modify evaluation penalty box conditions in a policy.
  modify-eval-rule-condition-exception         Update evaluation rule conditions and exceptions in a policy.
  modify-google-recaptcha-secret-key           Update existing google recaptcha secret key.
  modify-hostnames                             Modify hostnames for the configuration version.
  modify-ip-geo-firewall                       Update the IP Geo Firewall network lists in a policy
  modify-javascript-injection-rules            Update existing javascript injection rules.
  modify-malware-policy                        Modify an existing malware policy.
  modify-match-target                          Updates a website match target.
  modify-penalty-box-conditions                Modify penalty box conditions in a policy.
  modify-pragma-header                         Update Pragma Header settings.
  modify-prefetch-requests                     Update the Prefetch Requests settings.
  modify-rate-policy                           Update existing rate policy.
  modify-recategorized-akamai-defined-bot      Update existing recategorized akamai defined bot.
  modify-reputation-profile                    Update existing reputation profile.
  modify-rule-condition-exception              Update rule conditions and exceptions in a policy.
  modify-security-policy                       Update a security policy.
  modify-serve-alternate-action                Update existing serve alternate action.
  modify-siem                                  Modify the SIEM settings.
  modify-transactional-endpoint                Update existing transactional endpoint.
  modify-transactional-endpoint-protection     Update existing transactional endpoint protection.
  modify-version-notes                         Update the version notes.
  penalty-box                                  Display penalty box action in a policy.
  penalty-box-conditions                       Display penalty box conditions in a policy.
  policies                                     List all security policies.
  pragma-header                                Display Pragma Header settings.
  prefetch-requests                            Display the Prefetch Requests settings.
  protect-eval-hostnames                       Move evaluation hostnames to protection.
  protections                                  List all protections of a policy.
  rate-policies                                List all rate policies.
  rate-policies-actions                        List all enabled rate policies actions of a policy.
  rate-policy                                  Display contents of a rate policy.
  recategorized-akamai-defined-bot             Display contents of recategorized akamai defined bot.
  recategorized-akamai-defined-bot-list        List all recategorized akamai defined bot.
  recommendations                              Display recommendations in a policy.
  reputation-profile                           Display contents of a reputation profile.
  reputation-profile-action                    Display the current reputation profile action.
  reputation-profile-actions                   List all reputation profile actions.
  reputation-profile-analysis                  Display the current reputation profile analysis settings.
  reputation-profiles                          List all reputation profiles.
  reset-recommendation                         Reset a recommendation.
  response-actions-list                        List all response actions.
  restart-eval                                 Restart evaluation in a policy.
  rotate-bot-analytics-cookie-values           Rotate bot analytics cookie values.
  rule-action                                  Display rule action in a policy.
  rule-actions                                 List all rule actions in a policy.
  rule-condition-exception                     Display rule conditions and exceptions in a policy.
  security-policy                              Display contents of security policy.  
  selectable-hostnames                         List all selectable hostnames.
  selected-hostnames                           List all currently chosen hostnames.
  serve-alternate-action                       Display contents of serve alternate action.
  serve-alternate-action-list                  List all serve alternate action.
  set-mode                                     Set the WAF Mode.
  set-protections                              Update protections of a policy.
  set-reputation-profile-analysis              Set the reputation profile analysis settings.
  siem                                         Display the SIEM settings.
  siem-definitions                             List all siem definitions.
  slow-post                                    Display contents of slow post in a policy.
  start-eval                                   Start evaluation in a policy.
  structured-rule-template                     Prints sample JSON of a structured custom rule.                     [aliases: srt]
  transactional-endpoint                       Display contents of transactional endpoint.
  transactional-endpoint-list                  List all transactional endpoint.
  transactional-endpoint-protection            Display contents of transactional endpoint protection.
  update-eval                                  Update evaluation in a policy.
  upgrade-details                              Display rules updates.
  version                                      Read a config version.
  version-notes                                Display the version notes.
  versions                                     List all config versions.

Command options:
  --json        Print the raw json response. All commands respect this option.                       [boolean]
  --edgerc      The full path to the .edgerc file.                                                    [string]
  --section     The section of .edgerc to use.                                                        [string]
  --help        Prints help information.                                            [commands: help] [boolean]
  --version     Current version of the program.                                                      [boolean]
  --account-key Account ID to switch to when performing the operation                                 [string]
Copyright (C) Akamai Technologies, Inc
Visit http://github.com/akamai/cli-appsec for detailed documentation

Command details

For details about any individual command including arguments, options, and command options, you can run -

akamai appsec <command> --help

akamai-appsec

This script wraps all of the functionality from the library into a command line utility which can be used to support the following use cases.

Protect Hosts

Akamai customers can currently configure delivery of a new web property using the PAPI API/CLI. This use case enables protecting these new web properties. This protection is limited to adding the host to an existing security policy. The typical steps are listed in the following table:

# Commands Comments
1 akamai property create
2 akamai property activate
3 akamai appsec configs
4 akamai appsec versions --config <config id>
5 akamai appsec clone --config <config id> Optional. You can skip this step if you choose to use an existing editable1 configuration version
6 akamai appsec selectable-hostnames
7 akamai appsec modify-hostnames @input.json --append
8a akamai appsec policies --config <config id> --version <version number>
8b akamai appsec create-match-target --hostnames <comma separated hostnames> --paths <comma separated paths> --policy <security policy id>
8c akamai appsec match-target-order --insert <match target id> --config <config id> --version <version number>
8d akamai appsec modify-match-target <match target id> add-hostname <hostname>
9 akamai appsec activate --network <activation network> --notes <activation notes> --notify <emails>
10 akamai appsec activation --activation-id <activation id>

Custom Rule

Adding or updating a custom rule to the protection of a hostname requires a change to a policy. The custom rule action API is used to enable the custom rule.

# Commands Comments
1 akamai appsec clone --config <config id> Optional. You can skip this step if you choose to use an existing editable1 configuration version
2 akamai appsec structured-rule-template > structuredRule.json This prints a template json to the standard output. You must edit this template appropriately before creating the custom rule
3 vim structuredRule.json
4 akamai appsec create-custom-rule @structuredRule.json
5 akamai appsec enable-custom-rule --custom-rule <custom rule id> --policy <security policy id> --action <alert or deny>
6 akamai appsec activate --network <activation network> --notes <activation notes> --notify <emails>
7 akamai appsec activation --activation-id <activation id>

Caveats

The Akamai CLI is a new tool and as such we have made some design choices worth mentioning.

References

1A configuration version is editable if it is not active currently or in the past in any of the environments(staging or production).