Document updated on Jan 31, 2023
The krakend audit
command is a rule evaluation tool that checks configuration files written in any of its supported formats and returns practical security recommendations. It is designed to raise basic red flags and provide essential advice on your configuration. The output of the configuration and classification is inspired by the CIS Benchmarks.
The tool displays practical and helpful information, including (but not limited to) misconfigurations opening the door to vulnerabilities, presence/absence of key components, dangerous flags or combinations, conflicting declarations, and statistics (planned), to put a few examples.
The audit
command is complementary to the check
command. Still, instead of focusing on the configuration file structure and linting, it evaluates the logic at a different stage. The command executes after parsing the configuration, using a summarized tree of the final recognized components and flags loaded. It does not has access to the values of the properties (but check
does). For instance, if you write a jwk_url
to validate tokens, audit
does not know if you are using HTTPS or HTTP or which domain, but it does see if you have disable_jwk_security
, which is dangerous in production.
The purpose of the audit command is to add extra checks in your automated CI pipeline to have safer deployments.
The audit
command has the following options:
$krakend audit --help
╓▄█ ▄▄▌ ╓██████▄µ
▐███ ▄███╨▐███▄██H╗██████▄ ║██▌ ,▄███╨ ▄██████▄ ▓██▌█████▄ ███▀╙╙▀▀███╕
▐███▄███▀ ▐█████▀"╙▀▀"╙▀███ ║███▄███┘ ███▀""▀███ ████▀╙▀███H ███ ╙███
▐██████▌ ▐███⌐ ,▄████████M║██████▄ ║██████████M███▌ ███H ███ ,███
▐███╨▀███µ ▐███ ███▌ ,███M║███╙▀███ ███▄```▄▄` ███▌ ███H ███,,,╓▄███▀
▐███ ╙███▄▐███ ╙█████████M║██▌ ╙███▄`▀███████╨ ███▌ ███H █████████▀
`` `'`
Version: 2.5
Audits a KrakenD configuration.
Usage:
krakend audit [flags]
Examples:
krakend audit -i 1.1.1,1.1.2 -s CRITICAL -c krakend.json
Flags:
-c, --config string Path to the configuration file
-f, --format string Inline go template to render the results (default "{{ range .Recommendations }}{{.Rule}}\t[{{colored .Severity}}] \t{{.Message}}\n{{ end }}")
-h, --help help for audit
-i, --ignore string List of rules to ignore (comma-separated, no spaces)
-I, --ignore-file string Path to a text-plain file containing the list of rules to exclude
-s, --severity string List of severities to include (comma-separated, no spaces) (default "CRITICAL,HIGH,MEDIUM,LOW")
The simplest version of the command requires the path to the configuration file only, and outputs any problems found:
$krakend audit -c krakend.json
1.2.1 [HIGH] Prioritize using JWT for endpoint authorization to ensure security.
2.2.1 [MEDIUM] Hide the version banner in runtime.
3.3.4 [CRITICAL] Set timeouts to below 1 minute for improved performance.
5.2.3 [LOW] Avoid coupling clients by overusing no-op encoding.
It also accepts different flags to customize its behavior:
--severity
, -s
: Severity requirements--ignore
, -i
: Rules to ignore (inline)--ignore-file
, -I
: Rules to ignore (from file)--format
, --f
: Format of the output (Go template)More details of the flags below.
By default, the audit command will include all severity levels. However, you can choose through the --severity
flag which groups you want to be printed in the console, separated by commas. The list is:
CRITICAL
HIGH
MEDIUM
LOW
When the --severity
is not defined, KrakenD uses --severity CRITICAL,HIGH,MEDIUM,LOW
. You can use a comma separated string (no spaces) with all the severities you want to print. For instance, using the same example we had above, to filter by the most severe problems you would type:
$krakend audit --severity CRITICAL,HIGH -c krakend.json
1.2.1 [HIGH] Prioritize using JWT for endpoint authorization to ensure security.
3.3.4 [CRITICAL] Set timeouts to below 1 minute for improved performance.
The outputted security recommendations by the command are generic to any installation and might not apply to your setup, or you might disagree with our assigned severity. You can exclude future checking of any specific audit rules by passing a list or creating an exception file. To do that, use the --ignore
flag passing a comma-separated list (no spaces) with all the ignore rules or a --ignore-file
with the path to an ignore file.
All rules must have the numeric format x.y.z
.
For the inline option, you could do the following:
$krakend audit --ignore=1.2.3,4.5.6 -c krakend.json
For the option of an ignore file, you should create a plain text file with one rule per line. You can place this file anywhere and it does not require a specific extension or name. However, if it is not in the KrakenD workdir (/etc/krakend/
), you must specify its relative or absolute path:
$cat .audit_ignore
1.2.3
4.5.6
And then calling it with:
$krakend audit --ignore-file=.audit_ignore -c krakend.json
Finally, you can choose the format of the output according to your needs by injecting a Go template using the -f
flag. The flag expects an inline template.
The default template, as shown in the screenshot, applies the following go template:
{{ range .Recommendations }}{{.Rule}}\t[{{colored .Severity}}]\t{{.Message}}\n{{ end }}
As the ouput is processed using a template, you can inject anything you like. For instance, the example below generates a TOML file into recommendations.toml
.
$krakend audit -f '{{range .Recommendations}}
[[recommendation]]
rule = "{{.Rule}}"
message = "{{.Message}}"
severity = "{{.Severity}}"
{{end}}' > recommendations.toml
Or the JSON format is even easier to write:
$krakend audit -f '{{ marshal . }}' > recommendations.json
As you can see, the templates use a series of variables and functions, as follows:
.Recommendations
: An array with all the recommendations, where each recommendation has the following structure:.Rule
: The identifier of this rule. E.g., 1.1.1
.Message
: A short message describing the recommendation..Severity
: The level of severity for this recommendationIn addition, you can use two functions:
colored
to add colors to the severity ({{colored .Severity}}
) when the output is in a terminalmarshal
to return a JSON representation of the variable. E.g., {{ marshal . }}
The following is the list of recommendations you can find in the audit results. The recommendations are classified using a numeric code with the format x.y.z
. You can use this rule identifier to exclude the rules during its checking, as explained above.
Recommendations for implementations of authorization or authentication to a more secure access control.
Recommendations for authentication issues only
1.1.1
Implement more secure alternatives than Basic Auth to protect your data.1.1.2
Implement stateless authorization methods such as JWT to secure your endpoints as opposed to using API keys.Recommendations for authorization issues only (token validation)
1.2.1
Prioritize using JWT for endpoint authorization to ensure security.This section covers recommendations for securing the HTTP transport, including TLS and securing HTTP headers.
Recommendations for securing the use of TLS, ensuring that insecure connections are not allowed, that TLS is enabled and configured properly, and that strong cryptographic ciphers are used.
2.1.1
Only allow secure connections (avoid insecure_connections).2.1.2
Enable TLS or use a terminator in front of KrakenD.2.1.3
TLS is configured but its disable flag prevents from using itdisable
2.1.7
Enable HTTP security header checks (security/http).2.1.8
Avoid clear text communication (h2c).2.1.9
Establish secure connections in internal traffic (avoid insecure_connections internally).Recommendations for HTTP headers configuration and parameter forwarding
2.2.1
Hide the version banner in runtime.2.2.2
Enable CORS.2.2.3
Avoid passing all input headers to the backend.2.2.4
Avoid passing all input query strings to the backend.2.2.5
Avoid exposing gRPC server without services declared.Recommendations for a better control of traffic and avoid disruptions
Recommendations for ensuring Quality of Service
3.1.1
Enable a bot detector.3.1.2
Implement a rate-limiting strategy and avoid having an All-You-Can-Eat API.3.1.3
Protect your backends with a circuit breaker.Retry policies to reconnect to key services behind KrakenD (future release)
Recommendations for healthy timeouts and avoid overloading the system
3.3.1
Set timeouts to below 3 seconds for improved performance.3.3.2
Set timeouts to below 5 seconds for improved performance.3.3.3
Set timeouts to below 30 seconds for improved performance.3.3.4
Set timeouts to below 1 minute for improved performance.Recommendations for having full visibility of the gateway and underlying services activity.
Recommendations for the use of metrics.
4.1.1
Implement a telemetry system for collecting metrics for monitoring and troubleshooting.4.1.3
Avoid duplicating telemetry options to prevent system overload.Recommendations for the use of traces
4.2.1
Implement a telemetry system for tracing for monitoring and troubleshooting.Recommendations for logging activity and best practices
4.3.1
Use the improved logging component for better log parsing.General recommendations to have a better API gateway definition
Recommendations for routing and endpoint structure
5.1.1
Follow a RESTful endpoint structure for improved readability and maintainability.disable_rest
5.1.2
Disable the /__debug/ endpoint for added security./__debug/
endpoint is a special endpoint that is used for debugging and testing purposes, and despite is considered safe to use in production, it’s not necessary in production environments. Remove the debug endpoint.5.1.3
Disable the /__echo/ endpoint for added security./__echo/
endpoint is a special endpoint that is used for debugging and testing purposes. It’s not necessary in production environments. Remove the echo endpoint.5.1.4
Declare explicit endpoints instead of using wildcards.5.1.5
Declare explicit endpoints instead of using /__catchall.5.1.6
Avoid using multiple write methods in endpoint definitions.5.1.7
Avoid using sequential proxy.Recommendations for proxy pipe configurations and best practices
5.2.1
Ensure all endpoints have at least one backend for proper functionality.5.2.2
Benefit from the backend for frontend pattern capabilities5.2.3
Avoid coupling clients by overusing no-op encoding.Recommendations for implementations of event-driven gateway and async agents that can lead to problems.
Recommendations for async agents configuration and deployment issues
6.1.1
Ensure Async Agents do not start sequentially to avoid overloading the system. (+10 agents)Components that are unsupported or discontinued. Their usage is descouraged as they will be removed in new versions and they do not receive security updates.
Plugins that even might be functional, they are marked as deprecated and do not receive security patches. Upgrade to their alternative when available.
7.1.1
Virtual Host is now a native component7.1.2
Static Filesystem is now a native component7.1.3
Basic-Auth is now a native component7.1.4
Wildcard is now a native component7.1.5
HTTP PROXY is now a native component7.1.6
Static Filesystem is now a native component7.1.7
No-redirect is now a native componentNamespaces that even might be functional, they are marked as deprecated and do not receive security patches. Upgrade to their alternative when available.
7.2.1
Unsupported namespace telemetry/ganalytics7.2.2
Unsupported namespace telemetry/instana7.2.3
Deprecated component telemetry/opencensusConfiguration options that will become unavailable in future versions.
7.3.1
Add missing level `keys`private_key
and public_key
directly under tls
and place them inside the keys
array. See TLS Server SettingsThe documentation is only a piece of the help you can get! Whether you are looking for Open Source or Enterprise support, see more support channels that can help you.