cli-appsec

__This is a Beta Software__

Akamai CLI for Application Security

NOTE: This tool is intended to be installed via the Akamai CLI package manager, which can be retrieved from the releases page of the Akamai CLI tool.

Local Install, if you choose not to use the akamai package manager

Assumed Defaults

If left to these assumptions, the commands will perform slower than when these options are provided explicitly.

Credentials

In order to use this configuration, you need to:

Account Switching

Account switching can be performed by providing the --account-key option with account ID as the value.

Overview

The akamai appsec Kit is a set of nodejs libraries that wraps Akamai’s {OPEN} APIs to help simplify protection to the properties delivered by Akamai. This kit can be used as a no-fuss command line utility to interact with the library.

$ akamai appsec
Usage: akamai appsec <command> [options]

Commands:
  activate                                  Activate a version.
  activation                                Get activation status.
  clone                                     Clone a config.
  configs                                   List all available configurations.
  enable-custom-rule                        Assigns an action (such as alert or deny) to an existing custom rule in a policy.
  create-custom-rule                        Create a custom rule.
  delete-custom-rule                        Delete a custom rule.
  custom-rule                               Display contents of custom rule.
  modify-custom-rule                        Update existing custom rule.
  structured-rule-template                  Prints sample JSON of a structured custom rule.                     [aliases: srt]
  custom-rules                              List all custom rules.
  export                                    Export a configuration version.
  add-hostname                              Add hostnames to selected list.
  selectable-hostnames                      List all selectable hostnames.
  selected-hostnames                        List all currently chosen hostnames.
  create-match-target                       Creates a match target.
  modify-match-target                       Updates a match target.
  match-target-order                        Change the match target sequence.
  match-targets                             List all match targets.
  policies                                  List all security policies.
  clone-policy                              Clone security policy.
  version                                   Read a config version.
  versions                                  List all config versions.
  create-rate-policy                        (Beta) Create a rate policy.
  delete-rate-policy                        (Beta) Delete a rate policy.
  rate-policy                               (Beta) Display contents of a rate policy.
  modify-rate-policy                        (Beta) Update existing rate policy.
  rate-policies                             (Beta) List all rate policies.
  api-endpoints                             (Beta) List all api endpoints.
  mode                                      (Beta) Display the WAF Mode.
  set-mode                                  (Beta) Set the WAF Mode.
  protections                               (Beta) List all protections of a policy.
  set-protections                           (Beta) Update protections of a policy.
  rate-policies-actions                     (Beta) List all enabled rate policies actions of a policy.
  enable-rate-policy                        (Beta) Assigns an action to an existing rate policy in a policy.
  disable-rate-policy                       (Beta) Removes an action set to an existing rate policy in a policy.
  slow-post                                 (Beta) Display contents of slow post in a policy.
  enable-slow-post                          (Beta) Enable slow post in a policy.
  disable-slow-post                         (Beta) Disable slow post in a policy.
  penalty-box                               (Beta) Display penalty box action in a policy.
  disable-penalty-box                       (Beta) Disable penalty box in a policy.
  enable-penalty-box                        (Beta) Enable penalty box in a policy.
  attack-groups                             (Beta) List all attack group actions in a policy.
  attack-group                              (Beta) Display attack group action in a policy.
  enable-attack-group                       (Beta) Enable attack group in a policy.
  disable-attack-group                      (Beta) Disable attack group  in a policy.
  rule-actions                              (Beta) List all rule actions in a policy.
  rule-action                               (Beta) Display rule action in a policy.
  enable-rule-action                        (Beta) Enable rule action in a policy.
  disable-rule-action                       (Beta) Disable rule action in a policy.
  rule-condition-exception                  (Beta) Display rule conditions and exceptions in a policy.
  modify-rule-condition-exception           (Beta) Update rule conditions and exceptions in a policy.
  eval-rule-actions                         (Beta) Display evaluation rules and actions in a policy.
  eval-rule-action                          (Beta) Display evaluation rule action in a policy.
  enable-eval-rule-action                   (Beta) Enable evaluation rule action in a policy.
  disable-eval-rule-action                  (Beta) Disable evaluation rule action in a policy.
  eval-rule-condition-exception             (Beta) Display evaluation rule conditions and exceptions in a policy.
  modify-eval-rule-condition-exception      (Beta) Update evaluation rule conditions and exceptions in a policy.
  start-eval                                (Beta) Start evaluation in a policy.
  end-eval                                  (Beta) Stop evaluation in a policy.
  restart-eval                              (Beta) Restart evaluation in a policy.
  update-eval                               (Beta) Update evaluation in a policy.
  complete-eval                             (Beta) Complete evaluation in a policy.
  krs-rules-upgrade                         (Beta) Upgrade the KRS rules in a policy.
  upgrade-details                           (Beta) Display rules updates.

Command options:
  --json        Print the raw json response. All commands respect this option.                       [boolean]
  --edgerc      The full path to the .edgerc file.                                                    [string]
  --section     The section of .edgerc to use.                                                        [string]
  --help        Prints help information.                                            [commands: help] [boolean]
  --version     Current version of the program.                                                      [boolean]
  --account-key Account ID to switch to when performing the operation                                 [string]
Copyright (C) Akamai Technologies, Inc
Visit http://github.com/akamai/cli-appsec for detailed documentation

akamai-appsec

This script wraps all of the functionality from the library into a command line utility which can be used to support the following use cases.

Protect Hosts

Akamai customers can currently configure delivery of a new web property using the PAPI API/CLI. This use case enables protecting these new web properties. This protection is limited to adding the host to an existing security policy. The typical steps are listed in the following table:

# Commands Comments
1 akamai property create  
2 akamai property activate  
3 akamai appsec configs  
4 akamai appsec versions --config=<config id>  
5 akamai appsec clone --config=<config id> Optional. You can skip this step if you choose to use an existing editable1 configuration version
6 akamai appsec selectable-hostnames  
7 akamai appsec add-hostname <comma separated hostnames>  
8a akamai appsec policies --config=<config id> --version=<version number>  
8b akamai appsec create-match-target --hostnames=<comma separated hostnames> --paths=<comma separated paths> --policy=<security policy id>  
8c akamai appsec match-target-order --insert=<match target id> --config=<config id> --version=<version number>  
8d akamai appsec modify-match-target <match target id> add-hostname <hostname>  
9 akamai appsec activate --network=<activation network> --notes=<activation notes> --notify=<emails>  
10 akamai appsec activation --activation-id=<activation id>  

Custom Rule

Adding or updating a custom rule to the protection of a hostname requires a change to a policy. The custom rule action API is used to enable the custom rule.

# Commands Comments
1 akamai appsec clone --config=<config id> Optional. You can skip this step if you choose to use an existing editable1 configuration version
2 akamai appsec structured-rule-template > structuredRule.json This prints a template json to the standard output. You must edit this template appropriately before creating the custom rule
3 vim structuredRule.json  
4 akamai appsec create-custom-rule @structuredRule.json  
5 akamai appsec enable-custom-rule --custom-rule=<custom rule id> --policy=<security policy id> --action=<alert or deny>  
6 akamai appsec activate --network=<activation network> --notes=<activation notes> --notify=<emails>  
7 akamai appsec activation --activation-id=<activation id>  

For details about individual commands, please look at Commands

Commands

List Configurations

Usage: akamai appsec configs [options]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file. Defaults to ~/.edgrrc                                 [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

List Configuration versions

Usage: akamai appsec versions [options]

Options:
  --config <id>  Configuration id. Mandatory if you have more than one configuration.                       [number]
  --limit <num>  Specifies the number of most recent versions of the selected configuration to be fetched.  [number]
  --verbose      Provides more details about each version.                                                  [boolean]
                 
Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file. Defaults to ~/.edgrrc                                 [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Retrieve Configuration version

Usage: akamai appsec version [options]

Options:
  --config <id>    Configuration id number. If not provided, assumes there is only one configuration and
                   chooses it. If there's more, an error is thrown.
                   [number]

  --version <num>  The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
                   not provided, latest version is assumed.
                   [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file. Defaults to ~/.edgrrc                                 [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Clone Configuration version

Clones the configuration version.

sage: akamai appsec clone [options]

Options:
  --config <id>    Configuration id. Mandatory if you have more than one configuration.               [number]
  --version <num>  The version number to clone                                             [required] [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Copyright (C) Akamai Technologies, Inc
Visit http://github.com/akamai/cli-appsec for detailed documentation

List Selectable Hostnames

These are the hostnames that the user can choose from, to add to the configuration version for protection.

Usage: akamai appsec selectable-hostnames [options]

Options:
  --config <id>   Configuration id. Mandatory if you have more than one configuration.
                  [number]

  --version <id>  The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If not
                  provided, latest version is assumed.
                  [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

List Selected hostnames

These are the hostnames that the user is already protecting as part of this configuration version.


Usage: akamai appsec selected-hostnames [options]

Options:
  --config <id>   Configuration id. Mandatory if you have more than one configuration.
                  [number]

  --version <id>  The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If not
                  provided, latest version is assumed.
                  [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Add hostnames

Adds a new hostname to the protected list(selected hostnames). The hostnames chosen here should be from the selectable hostnames list.

Usage: akamai appsec add-hostname <hostnames> [options]

Arguments:
  <hostnames>      The comma separated list of hostnames to add.
                   [required] [array:string]

Options:
  --config <id>    Configuration id. Mandatory if you have more than one configuration.
                   [number]

  --version <num>  The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
                   not provided, latest version is assumed.
                   [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

List Security policies

Retrieves the list of security policies present in this configuration version.

Usage: akamai appsec policies [options]

Options:
  --config <id>   Configuration id. Mandatory if you have more than one configuration.
                  [number]

  --version <id>  The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If not
                  provided, latest version is assumed.
                  [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Create security policy from another policy

Creates a new security policy by cloning another policy available within the same configuration version.

Usage: akamai appsec clone-policy <policy> [options]

Arguments:
  <policy>        The policyId of the policy to clone.                                     [required] [string]

Options:
  --config <id>       Configuration id. Mandatory if you have more than one configuration.
                      [number]

  --version <num>     The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
                      not provided, latest version is assumed.
                      [string]
  
  --prefix  <prefix>  A 4 character alphanumeric prefix for the policy ID of the new security policy being created. If
                      not provided, it will be auto-generated.
                      [string]
  
  --name    <name>    Name of the security policy. Maximum 255 characters. If not provided, it will be auto-generated.
                      [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Create website match target

Usage: akamai appsec create-match-target [options]

Options:
  --config <id>                        Configuration id. Mandatory if you have more than one configuration.
                                       [number]

  --version <id>                       The version number. It can also take the values 'PROD' or 'PRODUCTION'
                                       or 'STAGING'. If not provided, latest version is assumed.
                                       [string]

  --hostnames <a.com, b.net, c.d.com>  Hostnames to add.
                                       [required] [array:string]

  --paths <x,y,z>                      The file paths
                                       [required] [array:string]

  --policy <id>                        The policy id to use. If not provided, we try to use the policy
                                       available on file(slow). If you have more than one policy, this option must
                                       be provided.
                                       [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

List website match targets

Usage: akamai appsec match-targets [options]

Options:
  --config <id>    Configuration id. Mandatory if you have more than one configuration.
                   [number]

  --version <num>  The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
                   not provided, latest version is assumed.
                   [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Modify website match target

Updates an existing match target. As of now, the only supported operation is to add a hostname to the existing match target.

Usage: akamai appsec modify-match-target <match-target> <subcommand> <hostname> [options]

Arguments:
  <match-target>  The match target id.                                                     [required] [string]
  <hostname>      The hostname to add to the match target.                                 [required] [string]

Sub Commands:
  <subcommand>  The subcommand. [add-hostname]                                             [required] [string]

Options:
  --config <id>    Configuration id. Mandatory if you have more than one configuration.
                   [number]

  --version <num>  The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
                   not provided, latest version is assumed.
                   [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Change website match target order

Updates the order of the website match targets

Usage: akamai appsec match-target-order [options]

Options:
  --config <id>    Configuration id. Mandatory if you have more than one configuration.
                   [number]

  --version <num>  The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
                   not provided, latest version is assumed.
                   [string]

  --insert <id>    Match target id to move to the start.
                   [number]

  --append <id>    Match target id to move to the end.
                   [number]

  [order]          The comma separated list of numeric match target ids in desired order.
                   [array:number]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Custom rule template

The custom rule needs to be fed as as json and this command prints the json template for creating a custom rule. You must add the required details in the json and remove the rest before creating a custom rule.

Usage: akamai appsec structured-rule-template

Create custom rule

Usage: akamai appsec create-custom-rule [options]

Options:
  --config <id>  Configuration id. Mandatory if you have more than one configuration.                 [number]
  --file <path>  File with JSON rules                                           [required] [file] [must exist]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Modify custom rule

Usage: akamai appsec modify-custom-rule [options]

Options:
  --config <id>       Configuration id. Mandatory if you have more than one configuration.            [number]
  --custom-rule <id>  Rule ID.                                                             [required] [number]
  --file <path>       File with JSON rules                                                 [file] [must exist]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Enable custom rule

Usage: akamai appsec enable-custom-rule [options]

Options:
  --custom-rule <id>  Rule ID.
                      [required] [number]

  --policy <id>       Policy ID.
                      [required] [string]

  --action <action>   Action to assign. If the action is "none", it is not associated with the policy
                      [required] [enum] [alert, deny, none]

  --config <id>       Configuration id. Mandatory if you have more than one configuration.
                      [number]

  --version <num>     The version number. It can also take the values 'PROD' or 'PRODUCTION' or 'STAGING'. If
                      not provided, latest version is assumed.
                      [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

List custom rules

Usage: akamai appsec custom-rules [options]

Options:
  --config <id>  Configuration id. Mandatory if you have more than one configuration.                 [number]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Retrieve custom rule

Usage: akamai appsec custom-rule [options]

Options:
  --config <id>       Configuration id. Mandatory if you have more than one configuration.            [number]
  --custom-rule <id>  Rule ID.                                                             [required] [number]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Activate Configuration version

Activates a configuration version and provides the activation id. This ID is required to monitor the activation status.

Usage: akamai appsec activate [options]

Options:
  --config <id>        Configuration id.
                       [number]

  --version <id>       The version number.
                       [string]

  --network <network>  The network in which the configuration must be activated.
                       [required] [enum] [PRODUCTION, STAGING]

  --note <note>        The activation notes.
                       [string]

  --notify <emails>    The comma separated email ids to get notification.
                       [required] [array:string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Copyright (C) Akamai Technologies, Inc
Visit http://github.com/akamai/cli-appsec for detailed documentation

Check Activation status

Prints the current state of the activation request. This command needs the activation id from the activation step.

Usage: akamai appsec activation [options]

Options:
  --activation-id <id>  Activation request id.                                             [required] [number]
  --verbose             Provides more details about the activation status.                           [boolean]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Copyright (C) Akamai Technologies, Inc
Visit http://github.com/akamai/cli-appsec for detailed documentation

Delete custom rule

Usage: akamai appsec delete-custom-rule [options]

Options:
  --config <id>       Configuration id. Mandatory if you have more than one configuration.            [number]
  --custom-rule <id>  Rule ID.                                                             [required] [number]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Export Configuration Version

Exports the complete details of a configuration version.

Usage: akamai appsec export [options]

Options:
  --config <id>    Configuration id. Mandatory if you have more than one configuration.               [number]
  --version <num>  The version number to Export                                                       [string]

Command options:
  --json     Print the raw json response. All commands respect this option.                          [boolean]
  --edgerc   The full path to the .edgerc file.                                                       [string]
  --section  The section of .edgerc to use.                                                           [string]
  --help     Prints help information.                                               [commands: help] [boolean]
  --version  Current version of the program.                                                         [boolean]

Caveats

The Akamai CLI is a new tool and as such we have made some design choices worth mentioning.

References

1A configuration version is editable if it is not active currently or in the past in any of the environments(staging or production).