KafkaGuard

Compliance & Security Assessment Report · unknown-cluster-id

Executive Summary

Cluster: unknown-cluster-id
Brokers: 2
Topics: 1
ZK Nodes: 3
Mode: zookeeper
Compliance Score: 88.4% (88 / 100 points)
Controls: 48 passed, 7 failed, 0 N/A
Policy: finance-iso v1.0
Scan ID: 7ec019f4-b980-47ba-b045-87e3227a4c05
Timestamp: Apr 27, 2026 7:37 PM
Duration: 0ms

Controls Evaluation

Control | Title | Severity | Category | Message
KG-001 | SASL authentication enabled | HIGH | security | Control passed
KG-002 | SSL/TLS encryption enabled | HIGH | security | Control passed
KG-003 | ACL authorization enabled | HIGH | security | Control passed
KG-005 | TLS certificate expiry >30 days | HIGH | security | Control passed
KG-006 | TLS protocol ≥1.2 | HIGH | security | Control passed
KG-007 | Inter-broker encryption enabled | HIGH | security | Control passed
KG-010 | No default passwords | CRITICAL | security | Control passed
KG-011 | SASL mechanism secure | HIGH | security | Control passed
KG-012 | Client authentication required | HIGH | security | Control passed
KG-014 | Security protocol valid | HIGH | security | Control passed
KG-016 | Replication factor ≥3 | HIGH | reliability | Control passed
KG-017 | Min ISR ≥2 | HIGH | reliability | Control passed
KG-018 | No under-replicated partitions | HIGH | reliability | Control passed
KG-019 | No offline partitions | CRITICAL | reliability | Control passed
KG-022 | ZK quorum healthy (≥3 nodes) | HIGH | reliability | Control failed
    Remediation: Add ZooKeeper nodes to reach a quorum of 3 or more.
KG-024 | Disk usage <90% | HIGH | reliability | Control passed
KG-025 | Heap usage <85% | HIGH | reliability | Control passed
KG-029 | Log directories not in /tmp | HIGH | operational | Control passed
KG-041 | Audit logging enabled | HIGH | security | Control passed
KG-043 | Encryption at rest configured | HIGH | security | Control passed
KG-044 | Broker-to-broker mutual TLS | HIGH | security | Control passed
KG-045 | No deprecated TLS protocols | HIGH | security | Control passed
KG-046 | Strong cipher suites only | HIGH | security | Control passed
KG-048 | Admin access restricted | HIGH | security | Control passed
KG-053 | All KRaft controller voters healthy | HIGH | reliability | Control passed
KG-054 | Metadata log replication not lagging | HIGH | reliability | Control passed
KG-056 | KRaft authorizer compatible with controller listener | HIGH | security | Control passed
KG-004 | No wildcard ACLs | MEDIUM | security | Control passed
KG-008 | ZooKeeper authentication enabled | MEDIUM | security | Control failed
    Remediation: Enable ZooKeeper authentication.
KG-009 | ZooKeeper ACLs enabled | MEDIUM | security | Control failed
    Remediation: Enable ZooKeeper ACLs.
KG-013 | SSL endpoint identification enabled | MEDIUM | security | Control failed
    Remediation: Enable SSL endpoint identification.
KG-015 | Monitoring endpoint security | MEDIUM | security | Control failed
    Remediation:
      For Prometheus JMX Exporter: bind to localhost (127.0.0.1:PORT) or add authentication via a reverse proxy.
      For traditional JMX: enable authentication and SSL.
      For Jolokia: enable authentication.
      Example fix (Prometheus): Environment="KAFKA_OPTS=-javaagent:/opt/jmx_exporter/jmx_prometheus_javaagent.jar=127.0.0.1:9999:/opt/jmx_exporter/config/kafka.yml"
KG-020 | Unclean leader election disabled | MEDIUM | reliability | Control passed
KG-021 | Log retention configured | MEDIUM | reliability | Control passed
KG-023 | Broker version consistent | MEDIUM | reliability | Control passed
KG-027 | Leader election timeout configured | MEDIUM | reliability | Control passed
KG-028 | Auto-create topics disabled | MEDIUM | operational | Control passed
KG-030 | Delete topic disabled | MEDIUM | operational | Control passed
KG-033 | Log retention hours configured | MEDIUM | operational | Control passed
KG-042 | Log retention ≥90 days | MEDIUM | security | Control failed
    Remediation: Set log.retention.hours=2160 (90 days) or higher in server.properties.
KG-047 | ACL deny rules configured | MEDIUM | security | Control passed
KG-049 | Data retention policies enforced | MEDIUM | security | Control passed
KG-052 | KRaft controller quorum size >= 3 | MEDIUM | reliability | Control passed
KG-026 | Network threads configured | LOW | reliability | Control passed
KG-031 | Compression configured | LOW | operational | Control passed
KG-032 | Log segment bytes appropriate | LOW | operational | Control passed
KG-034 | Network threads appropriate | LOW | operational | Control passed
KG-035 | IO threads appropriate | LOW | operational | Control passed
KG-036 | Send buffer bytes configured | LOW | operational | Control passed
KG-037 | Receive buffer bytes configured | LOW | operational | Control passed
KG-038 | Replica fetch max bytes configured | LOW | operational | Control passed
KG-039 | Message max bytes configured | LOW | operational | Control passed
KG-040 | GC logging enabled | LOW | operational | Control failed
    Remediation: Enable GC logging in the JVM startup parameters.
KG-050 | Compliance metadata configured | LOW | security | Control passed
KG-055 | Confluent version matches Kafka version | LOW | reliability | Control passed

Compliance Mapping

Mapping set 1 (numeric requirement references):

  • KG-001 — SASL authentication enabled: 8.1, 8.2
  • KG-002 — SSL/TLS encryption enabled: 4.1
  • KG-003 — ACL authorization enabled: 7.1, 7.2
  • KG-005 — TLS certificate expiry >30 days: 4.1
  • KG-006 — TLS protocol ≥1.2: 4.1
  • KG-007 — Inter-broker encryption enabled: 4.1
  • KG-010 — No default passwords: 8.2
  • KG-011 — SASL mechanism secure: 8.2
  • KG-012 — Client authentication required: 8.1, 8.2
  • KG-014 — Security protocol valid: 4.1
  • KG-041 — Audit logging enabled: 10.1, 10.2
  • KG-043 — Encryption at rest configured: 3.4, 3.5
  • KG-044 — Broker-to-broker mutual TLS: 4.1
  • KG-045 — No deprecated TLS protocols: 4.1
  • KG-046 — Strong cipher suites only: 4.1
  • KG-056 — KRaft authorizer compatible with controller listener: 2.2, 10.1
  • KG-004 — No wildcard ACLs: 7.1
  • KG-008 — ZooKeeper authentication enabled: 8.1
  • KG-009 — ZooKeeper ACLs enabled: 7.1
  • KG-013 — SSL endpoint identification enabled: 4.1
  • KG-015 — Monitoring endpoint security: 8.1, 8.2
  • KG-028 — Auto-create topics disabled: 2.2
  • KG-033 — Log retention hours configured: 10.7
  • KG-042 — Log retention ≥90 days: 10.7
  • KG-049 — Data retention policies enforced: 3.1
  • KG-040 — GC logging enabled: 10.1

Mapping set 2 (CC-series criteria references):

  • KG-001 — SASL authentication enabled: CC6.1, CC6.2, CC9.2, CC10.6
  • KG-002 — SSL/TLS encryption enabled: CC6.5, CC6.6, CC9.1, CC10.6
  • KG-003 — ACL authorization enabled: CC6.1, CC6.2, CC6.3, CC6.4, CC9.2
  • KG-005 — TLS certificate expiry >30 days: CC6.5, CC6.6
  • KG-006 — TLS protocol ≥1.2: CC6.5, CC6.6
  • KG-007 — Inter-broker encryption enabled: CC6.5, CC6.6
  • KG-010 — No default passwords: CC6.2
  • KG-011 — SASL mechanism secure: CC6.2
  • KG-012 — Client authentication required: CC6.1, CC6.2
  • KG-014 — Security protocol valid: CC6.5, CC6.6
  • KG-016 — Replication factor ≥3: CC7.1
  • KG-017 — Min ISR ≥2: CC7.1
  • KG-018 — No under-replicated partitions: CC7.1
  • KG-019 — No offline partitions: CC7.1
  • KG-022 — ZK quorum healthy (≥3 nodes): CC7.1
  • KG-024 — Disk usage <90%: CC7.1
  • KG-025 — Heap usage <85%: CC7.1
  • KG-029 — Log directories not in /tmp: CC7.1
  • KG-041 — Audit logging enabled: CC7.2, CC7.3
  • KG-043 — Encryption at rest configured: CC6.1
  • KG-048 — Admin access restricted: CC6.2, CC6.3
  • KG-053 — All KRaft controller voters healthy: CC7.1
  • KG-054 — Metadata log replication not lagging: CC7.1
  • KG-056 — KRaft authorizer compatible with controller listener: CC6.1, CC6.6
  • KG-004 — No wildcard ACLs: CC6.2, CC6.4
  • KG-008 — ZooKeeper authentication enabled: CC6.1, CC6.2
  • KG-009 — ZooKeeper ACLs enabled: CC6.1, CC6.2, CC6.4
  • KG-013 — SSL endpoint identification enabled: CC6.5, CC6.6
  • KG-015 — Monitoring endpoint security: CC6.1, CC6.2, CC6.6
  • KG-020 — Unclean leader election disabled: CC8.1
  • KG-021 — Log retention configured: CC7.2
  • KG-023 — Broker version consistent: CC7.1
  • KG-027 — Leader election timeout configured: CC7.1
  • KG-028 — Auto-create topics disabled: CC6.6
  • KG-030 — Delete topic disabled: CC7.1
  • KG-033 — Log retention hours configured: CC7.2
  • KG-042 — Log retention ≥90 days: CC7.3
  • KG-047 — ACL deny rules configured: CC6.1
  • KG-052 — KRaft controller quorum size >= 3: CC7.1
  • KG-026 — Network threads configured: CC7.1
  • KG-031 — Compression configured: CC7.1
  • KG-032 — Log segment bytes appropriate: CC7.1
  • KG-034 — Network threads appropriate: CC7.1
  • KG-035 — IO threads appropriate: CC7.1
  • KG-036 — Send buffer bytes configured: CC7.1
  • KG-037 — Receive buffer bytes configured: CC7.1
  • KG-038 — Replica fetch max bytes configured: CC7.1
  • KG-039 — Message max bytes configured: CC7.1
  • KG-040 — GC logging enabled: CC7.2
  • KG-050 — Compliance metadata configured: CC7.1
  • KG-055 — Confluent version matches Kafka version: CC8.1

Mapping set 3 (Annex A control references):

  • KG-001 — SASL authentication enabled: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.4.2, A.9.4.3
  • KG-002 — SSL/TLS encryption enabled: A.10.1.1, A.10.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4
  • KG-003 — ACL authorization enabled: A.9.1.1, A.9.1.2, A.9.2.5, A.9.2.6, A.9.4.1, A.9.4.4, A.9.4.5
  • KG-005 — TLS certificate expiry >30 days: A.10.1.1, A.10.1.2
  • KG-006 — TLS protocol ≥1.2: A.10.1.1, A.13.1.1
  • KG-007 — Inter-broker encryption enabled: A.10.1.1, A.13.1.1
  • KG-010 — No default passwords: A.9.2.4
  • KG-011 — SASL mechanism secure: A.9.2.4, A.9.4.2
  • KG-012 — Client authentication required: A.9.2.1, A.9.2.2
  • KG-014 — Security protocol valid: A.10.1.1, A.13.1.1
  • KG-016 — Replication factor ≥3: A.12.3.1, A.12.3.2, A.17.1.1, A.17.1.2, A.17.2.1
  • KG-017 — Min ISR ≥2: A.12.3.1, A.17.1.1, A.17.2.1
  • KG-018 — No under-replicated partitions: A.12.3.1, A.17.1.1
  • KG-019 — No offline partitions: A.12.3.1, A.17.1.1
  • KG-022 — ZK quorum healthy (≥3 nodes): A.12.3.1, A.17.1.1, A.17.2.1
  • KG-024 — Disk usage <90%: A.12.3.1, A.17.1.1
  • KG-025 — Heap usage <85%: A.12.3.1, A.17.1.1
  • KG-029 — Log directories not in /tmp: A.12.3.1, A.12.4.2
  • KG-041 — Audit logging enabled: A.12.4.1, A.12.4.2
  • KG-043 — Encryption at rest configured: A.10.1.1, A.10.1.2
  • KG-044 — Broker-to-broker mutual TLS: A.13.1.1, A.13.1.2
  • KG-045 — No deprecated TLS protocols: A.13.1.1
  • KG-046 — Strong cipher suites only: A.10.1.1
  • KG-048 — Admin access restricted: A.9.2.3, A.9.4.1
  • KG-053 — All KRaft controller voters healthy: A.12.3.1, A.17.1.1
  • KG-054 — Metadata log replication not lagging: A.12.3.1, A.17.1.1
  • KG-056 — KRaft authorizer compatible with controller listener: A.9.4.1, A.13.1.1
  • KG-004 — No wildcard ACLs: A.9.1.1, A.9.4.1
  • KG-008 — ZooKeeper authentication enabled: A.9.2.1, A.9.2.2
  • KG-009 — ZooKeeper ACLs enabled: A.9.1.1, A.9.2.5
  • KG-013 — SSL endpoint identification enabled: A.10.1.1, A.13.1.1
  • KG-015 — Monitoring endpoint security: A.9.2.1, A.9.2.2, A.9.4.1
  • KG-020 — Unclean leader election disabled: A.12.3.1, A.12.3.2
  • KG-021 — Log retention configured: A.12.4.1, A.12.4.2, A.12.4.3
  • KG-023 — Broker version consistent: A.12.5.1, A.12.6.1
  • KG-027 — Leader election timeout configured: A.12.3.1, A.17.1.1
  • KG-028 — Auto-create topics disabled: A.12.1.1, A.12.1.2, A.12.1.4
  • KG-030 — Delete topic disabled: A.12.3.1, A.12.4.2
  • KG-033 — Log retention hours configured: A.12.4.1, A.12.4.2, A.12.4.3
  • KG-042 — Log retention ≥90 days: A.12.4.1
  • KG-047 — ACL deny rules configured: A.9.4.1
  • KG-052 — KRaft controller quorum size >= 3: A.12.3.1, A.17.1.1, A.17.2.1
  • KG-026 — Network threads configured: A.12.4.1, A.12.6.1
  • KG-031 — Compression configured: A.12.3.1
  • KG-032 — Log segment bytes appropriate: A.12.3.1
  • KG-034 — Network threads appropriate: A.12.6.1
  • KG-035 — IO threads appropriate: A.12.6.1
  • KG-036 — Send buffer bytes configured: A.12.6.1
  • KG-037 — Receive buffer bytes configured: A.12.6.1
  • KG-038 — Replica fetch max bytes configured: A.12.3.1
  • KG-039 — Message max bytes configured: A.12.3.1
  • KG-040 — GC logging enabled: A.12.4.1, A.12.4.2, A.12.4.3
  • KG-055 — Confluent version matches Kafka version: A.12.5.1, A.12.6.1

Generated by KafkaGuard vdev · Scan 7ec019f4-b980-47ba-b045-87e3227a4c05 · Apr 27, 2026 7:37 PM