Skill/security and governance/expand security skills

.gitignore

@@ -78,3 +78,6 @@ coverage/
 # Backup Files
 *.bak
 *.backup
+
+# Audit report run logs (local-only, not committed)
+**/reports/

skills/security-and-governance/auditing-cloud-cluster-security/references/ccloud-commands.md

@@ -0,0 +1,167 @@
+# ccloud CLI Commands for Security Auditing
+
+This reference provides `ccloud` CLI commands used during security posture assessments. All commands are read-only operations.
+
+## Authentication
+
+### Verify Authentication
+
+```bash
+# Check current authentication status
+ccloud auth whoami
+```
+
+### Login (If Not Authenticated)
+
+```bash
+# Interactive login (opens browser)
+ccloud auth login
+```
+
+## Cluster Information
+
+### List All Clusters
+
+```bash
+# List clusters in the organization
+ccloud cluster list -o json
+```
+
+### Get Cluster Info
+
+```bash
+# Get detailed cluster info including plan type, regions, version
+# Accepts cluster name or ID
+ccloud cluster info <cluster-name> -o json
+```
+
+**Key fields to inspect:**
+- `plan` — Basic, Standard, or Advanced
+- `cockroach_version` — CockroachDB version
+- `regions` — Deployed regions
+- `state` — Cluster state (CREATED, READY, etc.)
+
+## Network Security
+
+### List IP Allowlist Entries
+
+```bash
+# List all IP allowlist entries
+ccloud cluster networking allowlist list <cluster-id> -o json
+```
+
+**Key fields to inspect:**
+- `cidr_ip` / `cidr_mask` — The allowed IP range
+- `name` — Description of the entry
+- `sql` — Whether SQL access is allowed
+- `ui` — Whether DB Console access is allowed
+
+**Red flags:**
+- `0.0.0.0/0` — Open to all IPv4 addresses
+- `/8` or `/16` ranges — Overly broad network access
+
+### List Private Endpoint Connections
+
+Private endpoint connections are managed via the **Cloud Console** or **Cloud API** (not the `ccloud` CLI).
+
+**Cloud Console:** Navigate to your cluster's **Networking > Private endpoint** tab.
+
+**Cloud API:**
+```bash
+curl "https://cockroachlabs.cloud/api/v1/clusters/<cluster-id>/networking/private-endpoint-connections" \
+  -H "Authorization: Bearer <api-key>"
+```
+
+## SSO and SCIM
+
+Cloud Console SSO and SCIM 2.0 are configured via the **Cloud Console UI** (Organization Settings > Authentication). The `ccloud` CLI does not currently expose SSO or SCIM configuration commands.
+
+**To check SSO status:**
+1. Log into the CockroachDB Cloud Console
+2. Navigate to Organization Settings > Authentication
+3. Check if SSO (SAML/OIDC) is enabled and whether it is enforced
+
+**To check SCIM status:**
+1. Log into the CockroachDB Cloud Console
+2. Navigate to Organization Settings > Authentication > SCIM
+3. Check if the SCIM endpoint is enabled and connected to an IdP
+
+**Database SSO (Cluster SSO)** is checked via SQL — see the SQL queries reference.
+
+## Encryption (CMEK)
+
+### Check CMEK Status
+
+```bash
+# CMEK configuration is part of cluster info output
+ccloud cluster info <cluster-name> -o json
+# Look for cmek_config section
+```
+
+**Key fields to inspect:**
+- `cmek_config.status` — CMEK status (enabled/disabled)
+- `cmek_config.key_spec` — KMS key details
+
+**Note:** CMEK requires Advanced plan with Advanced Security Add-on.
+
+## Backup Configuration
+
+### Check Managed Backup Status
+
+```bash
+# Backup configuration is part of cluster info output
+ccloud cluster info <cluster-name> -o json
+# Look for backup_config section
+```
+
+**Key fields to inspect:**
+- `backup_config.frequency` — Backup frequency
+- `backup_config.retention` — Backup retention period
+
+**Note:** CockroachDB Cloud automatically manages backups for all clusters. This is informational only.
+
+## SQL User Management
+
+### List SQL Users
+
+```bash
+# List SQL users for a cluster
+ccloud cluster user list <cluster-name>
+```
+
+### Create SQL User
+
+```bash
+# Create a SQL user with password
+ccloud cluster user create <cluster-name> <username> -p '<password>'
+```
+
+### Connect via SQL
+
+```bash
+# Open interactive SQL shell
+ccloud cluster sql <cluster-name> -u <username> -p '<password>'
+
+# Get connection URL (for use with cockroach sql)
+ccloud cluster sql <cluster-name> -u <username> -p '<password>' --connection-url
+```
+
+## Output Formatting
+
+All commands support `-o json` for machine-readable output:
+
+```bash
+# JSON output (recommended for automation)
+ccloud cluster list -o json
+
+# Table output (default, human-readable)
+ccloud cluster list
+```
+
+## Notes
+
+- All audit commands are read-only (`list`, `info`, `whoami`)
+- No commands modify cluster state, network configuration, or user access
+- JSON output (`-o json`) is recommended for structured parsing during audits
+- SSO and SCIM configuration must be checked via the Cloud Console UI
+- Cluster networking commands accept cluster ID; other commands accept cluster name or ID

skills/security-and-governance/auditing-cloud-cluster-security/references/permissions.md

@@ -0,0 +1,107 @@
+# RBAC and Privileges for Security Auditing
+
+This reference details the privileges required to run security audit queries and how to grant minimal access for audit operations.
+
+## Required Privileges
+
+### For Full Security Audit
+
+| Privilege | Purpose | Required? |
+|-----------|---------|-----------|
+| `admin` role | Full cluster visibility, all settings, all grants | Recommended |
+| `VIEWACTIVITY` | View all active sessions and queries | Alternative to admin |
+| `VIEWACTIVITYREDACTED` | View sessions with redacted constants | Minimum for session visibility |
+
+### For Specific Audit Checks
+
+| Audit Check | Minimum Privilege | Notes |
+|-------------|------------------|-------|
+| User/role listing | Any authenticated user | `SHOW USERS` is available to all |
+| Admin role membership | Any authenticated user | `SHOW GRANTS ON ROLE admin` is available to all |
+| PUBLIC grants | Any authenticated user | `SHOW GRANTS FOR public` is available to all |
+| Cluster settings | `admin` or `MODIFYCLUSTERSETTING` | `SHOW CLUSTER SETTING` requires elevated access |
+| System grants | `admin` | `SHOW SYSTEM GRANTS` requires admin |
+| Database grants | Database-level privilege | Can view grants on databases you have access to |
+
+### For ccloud CLI
+
+| Operation | Required Cloud Console Role |
+|-----------|---------------------------|
+| `ccloud cluster list` | Org Member (minimum) |
+| `ccloud cluster describe` | Cluster Reader (minimum) |
+| `ccloud cluster networking allowlist list` | Cluster Reader |
+| `ccloud auth describe-sso` | Org Admin |
+| `ccloud auth describe-scim` | Org Admin |
+
+## Granting Audit Privileges
+
+### Option 1: Create a Dedicated Audit Role (Recommended)
+
+```sql
+-- Create a security audit role with read-only access
+CREATE ROLE security_auditor;
+
+-- Grant the minimum privileges for a full audit
+GRANT SYSTEM VIEWACTIVITYREDACTED TO security_auditor;
+
+-- Assign the role to audit users
+GRANT security_auditor TO <audit_username>;
+```
+
+**Limitation:** Some cluster setting queries require admin. The auditor will get partial results for those checks, which the audit report will note.
+
+### Option 2: Use Admin Role (Full Visibility)
+
+```sql
+-- Grant admin for complete audit coverage
+GRANT admin TO <audit_username>;
+```
+
+**Warning:** Admin grants full cluster control. Only use for trusted audit operators and consider revoking after the audit.
+
+### Option 3: Temporary Admin Grant
+
+```sql
+-- Grant admin temporarily for the audit
+GRANT admin TO <audit_username>;
+
+-- After audit is complete, revoke
+REVOKE admin FROM <audit_username>;
+```
+
+## Checking Current Privileges
+
+```sql
+-- Check your own privileges
+SHOW GRANTS ON ROLE <your_username>;
+
+-- Check system-level privileges
+SHOW SYSTEM GRANTS;
+
+-- Check if you have admin
+SELECT member FROM [SHOW GRANTS ON ROLE admin] WHERE member = current_user();
+```
+
+## Security Best Practices for Audit Access
+
+1. **Use dedicated audit accounts** — Do not use personal admin accounts for audits
+2. **Time-bound access** — Grant admin temporarily and revoke after the audit
+3. **Use VIEWACTIVITYREDACTED** — Protects sensitive data in query constants
+4. **Audit the auditor** — Enable admin audit logging before granting audit access
+5. **Document access grants** — Track who has audit privileges and why
+
+```sql
+-- Enable admin audit logging before granting audit access
+SET CLUSTER SETTING sql.log.admin_audit.enabled = true;
+
+-- Then grant temporary audit access
+GRANT admin TO audit_user;
+```
+
+## References
+
+**Official CockroachDB Documentation:**
+- [Authorization Overview](https://www.cockroachlabs.com/docs/stable/security-reference/authorization.html)
+- [GRANT (System Privilege)](https://www.cockroachlabs.com/docs/stable/grant.html)
+- [SHOW GRANTS](https://www.cockroachlabs.com/docs/stable/show-grants.html)
+- [Cloud Console Roles](https://www.cockroachlabs.com/docs/cockroachcloud/authorization.html)