@@ -742,6 +742,142 @@ difficult for a compromised Velociraptor administrator account to
742742remove the lockdown and use Velociraptor as a lateral movement
743743vehicle.
744744
745+ # ## API client security
746+
747+ Because the API allows external programs to run powerful Velociraptor
748+ Query Language (VQL) queries directly on your server, a poorly
749+ configured or compromised API client is a major security risk.
750+
751+ # ### IP-based Access Control
752+
753+ By default the API server only listens on 127.0.0.1 - this allows
754+ scripts on the local machine to call into the API, but if you want to
755+ use an external caller you can change the server’s configuration file
756+ by setting the bind_address field under the API section to 0.0.0.0
757+ allowing the API to bind on all interfaces.
758+
759+ See
760+ [Protecting the API](/docs/server_automation/server_api/#protecting-the-api)
761+ for more information.
762+
763+ # ### Authentication
764+
765+ API clients authenticate using mTLS and their own key, which is issued
766+ to them by the built-in CA. This operates independently of the
767+ authentication methods you have set up for your users. The API
768+ client's authentication credentials are stored in a plain text file
769+ which needs to be tightly guarded, however the keys in such files can
770+ be passphrase-secured.
771+
772+ API client certificates are **valid for one year**, by default. You
773+ must reissue them before they expire to avoid breaking your automation
774+ pipelines.
775+
776+ **Encrypt Private Keys**: When generating an API config using
777+ ` velociraptor config api_client` it is possible to set a
778+ password/passphrase to encrypt the private key. This ensures that if
779+ the config file is stolen, it cannot be used without the passphrase.
780+ However, this is not useful for credentials used by automated API
781+ clients because unlocking the key is a user-interactive process. For
782+ interactive API access (for example when using the API client that's
783+ included in the Velociraptor binary) where the API config might reside
784+ on a laptop, we recommend that you secure the key this way.
785+
786+ **Offline CA**: For high-security environments, keep your CA private
787+ key offline, which usually means keeping an offline copy of the full
788+ config with the CA key included in it, while removing the CA key from
789+ the config on your production server. This prevents an attacker who
790+ gains root on the Velociraptor server from being able to mint their
791+ own valid API keys. You can issue new API keys if you have the full
792+ offline config - access to the production server is not required,
793+ although you will also need to provision the new user on the server
794+ and grant it access.
795+
796+ # #### Instant Revocation
797+
798+ If an API key is compromised, or suspected to be compromised, you
799+ don't need to struggle with complex certificate revocation lists
800+ (CRLs). Simply use the `acl grant` command to set an empty policy for
801+ that principal.
802+
803+ ` ` ` sh
804+ velociraptor acl grant --name "CompromisedKey" --role ""
805+ ` ` `
806+
807+ This immediately strips all permissions, thus denying that user the
808+ ability to make an API calls. Any applications using that API user
809+ will need to be configured to use a new account with a new key.
810+
811+ API client accounts can alternatively have their roles and permissions
812+ revoked via the User Management screen in the GUI.
813+
814+ Be aware that allowing the user account to exist with no roles
815+ assigned is still a risky situation as someone could accidentally
816+ grant permissions to it.
817+
818+ To permanently delete the user you can run the
819+ [user_delete()](/vql_reference/server/user_delete/)
820+ function in a notebook. There is currently no GUI option to delete a
821+ user.
822+
823+
824+ # ### Authorization
825+
826+ The "API Client" (`api`) role is mandatory for API access. Every
827+ programmatic connection requires the "API Client" role as a baseline .
828+ Without it, even a user with full administrator privileges will be met
829+ with a "permission denied" error when trying to connect via the API
830+ port. Think of it as the "passport" that gets you through the front
831+ door of the API .
832+
833+ In addition, the client also needs permissions (usually assigned via
834+ the predefined Roles) to do the things you need it to do.
835+
836+ # #### Apply the Principle of Least Privilege
837+
838+ It is tempting to grant your API clients the `administrator` role to
839+ " just make it work," but this is a dangerous shortcut. An API key
840+ with admin rights is effectively `root` on your entire server.
841+
842+ Instead, evaluate exactly what the script needs to do and choose the
843+ appropriate "least privilege" role or permissions set :
844+ - Need to read results for a dashboard? Use the `reader` role.
845+ - Need to perform data analysis or post-processing? Use the `analyst`
846+ role.
847+ - Need to trigger specific collections? Use the `investigator` role.
848+
849+ # #### Beware of "Admin-Equivalent" Permissions
850+
851+ Some permissions are more dangerous than they might appear because
852+ they provide a path to full server control :
853+ - `ARTIFACT_WRITER` : This role allows a user to edit artifact
854+ definitions. Since VQL runs unrestricted on endpoints, an artifact
855+ writer effectively has root access to every client on your network.
856+ - `EXECVE` : This permission allows the execution of arbitrary shell
857+ commands on clients or the server (subject to
858+ [additional restrictions](/docs/deployment/security/#accessing-files-from-vql)
859+ that are in place by default). It is typically reserved for
860+ administrators because it can be easily misused.
861+ - `FILESYSTEM_WRITE` : On the server side, this allows creating files,
862+ which can be used to overwrite ACL objects and escalate privileges.
863+
864+ # #### Use Wrapper Artifacts and Impersonation
865+
866+ One of the most elegant ways to manage security is to avoid giving
867+ raw, dangerous permissions to users or API clients. Instead, create a
868+ wrapper artifact. For example, instead of giving a an artifact
869+ ` EXECVE` access to run any command, write a custom artifact
870+ [that only runs a specific, safe command](/docs/artifacts/security/#controlling-access-to-client-artifacts)
871+ (like `ipconfig`) with hard-coded
872+ arguments. You can then
873+ [mark this artifact as "basic"](/docs/artifacts/security/#basic-artifacts)
874+ and allow a lower-privilege API client to run it.
875+
876+ You can use [the impersonation field](https://docs.velociraptor.app/docs/artifacts/security/#server-artifacts-and-impersonation).
877+ This allows an artifact to run with the privileges of a different user
878+ (like a "sudo" for VQL), letting a low-privilege API client perform a
879+ specific high-privilege task in a controlled, audited environment.
880+
745881# ## Preventing new client enrollments
746882
747883By default, new clients can enroll at any time if they have a valid
0 commit comments