From 246a4dc1072da4f55950e4c1935f5ee3119d39b9 Mon Sep 17 00:00:00 2001 From: viragtripathi <15679776+viragtripathi@users.noreply.github.com> Date: Mon, 6 Jul 2026 10:37:51 +0000 Subject: [PATCH] chore: update cockroachdb-skills submodule --- .cursor-plugin/plugin.json | 1 + .../auditing-cis-benchmark/SKILL.md | 213 +++++ .../references/cis-controls.md | 806 ++++++++++++++++++ .../references/sample-report.md | 127 +++ .../references/sql-queries.md | 163 ++++ submodules/cockroachdb-skills | 2 +- 6 files changed, 1311 insertions(+), 1 deletion(-) create mode 100644 skills/cockroachdb-security-and-governance/auditing-cis-benchmark/SKILL.md create mode 100644 skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/cis-controls.md create mode 100644 skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/sample-report.md create mode 100644 skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/sql-queries.md diff --git a/.cursor-plugin/plugin.json b/.cursor-plugin/plugin.json index edfc187..27b62f2 100644 --- a/.cursor-plugin/plugin.json +++ b/.cursor-plugin/plugin.json @@ -44,6 +44,7 @@ "./skills/cockroachdb-operations-and-lifecycle/reviewing-cluster-health", "./skills/cockroachdb-operations-and-lifecycle/upgrading-cluster-version", "./skills/cockroachdb-query-and-schema-design/cockroachdb-sql", + "./skills/cockroachdb-security-and-governance/auditing-cis-benchmark", "./skills/cockroachdb-security-and-governance/auditing-cloud-cluster-security", "./skills/cockroachdb-security-and-governance/configuring-audit-logging", "./skills/cockroachdb-security-and-governance/configuring-ip-allowlists", diff --git a/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/SKILL.md b/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/SKILL.md new file mode 100644 index 0000000..cd9e89e --- /dev/null +++ b/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/SKILL.md @@ -0,0 +1,213 @@ +--- +name: auditing-cis-benchmark +description: Audits a self-hosted CockroachDB cluster against the CIS CockroachDB Benchmark v1.0.0 Level 1 controls. Supports two audit depths — quick automated scans and full CIS audit procedures. Produces a structured PASS/FAIL/MANUAL report covering installation, system hardening, logging, user access, data protection, and CockroachDB settings. Use when preparing for CIS compliance assessments, hardening self-hosted deployments, or validating security posture against industry benchmarks. +compatibility: "CockroachDB self-hosted (all versions). Requires shell access to cluster nodes and SQL admin or VIEWACTIVITY privilege." +metadata: + author: cockroachdb + version: "1.0" +--- + +# Auditing CIS Benchmark Compliance + +Assesses a self-hosted CockroachDB cluster against the CIS CockroachDB Benchmark v1.0.0 Level 1 profile. Evaluates 30 controls across six domains: installation and patches, system hardening and topology, logging and monitoring, user access and authorization, data protection, and CockroachDB settings. Produces a structured report with PASS, FAIL, and MANUAL REVIEW findings, including CIS Controls v7/v8 mappings with Implementation Group coverage. + +**Scope:** Self-hosted CockroachDB deployments only. For CockroachDB Cloud clusters, use [auditing-cloud-cluster-security](../auditing-cloud-cluster-security/SKILL.md) instead — Cloud clusters have managed controls that supersede many CIS self-hosted checks. + +**Authoritative source:** This skill implements the benchmark defined at https://github.com/cockroachlabs/CIS-benchmarks-crdb + +**Read-only audit:** All operations are read-only. No cluster state, OS configuration, or files are modified during the assessment. + +## When to Use This Skill + +- Preparing for a CIS benchmark compliance assessment or external audit +- Hardening a new self-hosted CockroachDB production deployment +- Validating security posture against industry-standard benchmarks +- Performing periodic compliance checks as part of security operations +- Mapping CockroachDB security controls to CIS Controls frameworks +- Responding to auditor requests for CIS benchmark evidence + +## Prerequisites + +**Access requirements:** + +| Requirement | Purpose | +|-------------|---------| +| SSH/shell access to cluster nodes | OS-level checks (systemd, swap, THP, file descriptors, certs) | +| SQL access (admin or VIEWACTIVITY) | Cluster settings, user/role audit, logging config | +| Access to systemd service files | Service configuration verification | +| Access to certificate directory | Certificate permission and validity checks | + +**Tools:** + +| Tool | Required | Purpose | +|------|----------|---------| +| `cockroach` CLI | Yes | Version check, cert inspection, SQL access | +| `systemctl` | Yes | Service status, NTP verification | +| `openssl` | Recommended | Certificate validation and expiry checks | +| Standard Unix tools | Yes | `ps`, `ls`, `cat`, `grep`, `swapon`, `ulimit` | + +## Audit Depth + +This skill supports two audit depths. Choose based on your needs: + +| Depth | When to Use | What It Does | +|-------|-------------|--------------| +| **Quick Scan** | Periodic checks, CI/CD gates, rapid triage | Runs one-liner shell/SQL commands per control, returns pass/fail | +| **Full Audit** | Compliance evidence, external auditor requests, thorough assessments | Multi-step procedures per control from the official CIS benchmark | + +At Step 0, confirm which depth the user wants. Both depths can be combined — run the quick scan first to identify failures, then run the full audit on those failures for evidence collection. + +## CIS Benchmark Structure + +The CIS CockroachDB Benchmark v1.0.0 Level 1 profile contains 30 controls organized into six sections: + +| Section | Domain | Controls | Automated | Manual | +|---------|--------|----------|-----------|--------| +| 1 | Installation and Patches | 1.1–1.7 (7) | 3 | 4 | +| 2 | System Hardening and Topology | 2.1–2.7 (7) | 5 | 2 | +| 3 | Logging and Monitoring | 3.1–3.4 (4) | 1 | 3 | +| 4 | User Access and Authorization | 4.1–4.4 (4) | 0 | 4 | +| 5 | Data Protection | 5.1–5.3 (3) | 0 | 3 | +| 6 | CockroachDB Settings | 6.1–6.5 (5) | 1 | 4 | + +See [CIS controls reference](references/cis-controls.md) for full control definitions with both quick scan commands and full audit procedures. + +## Assessment Workflow + +### Step 0: Confirm Audit Scope + +Before starting, confirm with the user: + +1. **Audit depth** — Quick scan, full audit, or both +2. **Target nodes** — Which nodes to audit (all nodes recommended) +3. **CockroachDB service account** — Username running CockroachDB (default: `cockroach`) +4. **Certificate directory** — Path to TLS certificates (default: `/var/lib/cockroach/certs`) +5. **Data directory** — Path to CockroachDB data store (default: `/var/lib/cockroach`) +6. **Log directory** — Path to logs (default: `/var/lib/cockroach/logs` or `/logs`) +7. **Enterprise license** — Whether Enterprise features (EAR) are available + +Record these values — they parameterize the checks below. + +### Step 1: Installation and Patches (Controls 1.1–1.7) + +These controls verify binary integrity, systemd service management, TLS initialization, version uniformity, upgrade processes, and encryption at rest. + +**Key checks:** +- 1.1: Binary downloaded from official source, SHA-256 verified (Manual) +- 1.2: `systemctl is-enabled cockroach.service` → `enabled` (Automated) +- 1.3: No `--insecure` flag; certs directory exists with valid CA-signed certs (Automated) +- 1.4: `ps aux | grep -c insecure` → `0` (Automated) +- 1.5: All nodes run same version — quick scan via `cockroach version`, full audit via DB Console Node List and `crdb_internal.gossip_nodes` (Automated) +- 1.6: Rolling upgrade runbook exists and has been tested (Manual) +- 1.7: `--enterprise-encryption` configured with external KMS, keys not on disk (Manual) + +### Step 2: System Hardening and Topology (Controls 2.1–2.7) + +These controls verify OS-level configuration: time synchronization, process isolation, network segmentation, memory settings, file descriptors, and privilege restrictions. + +**Key checks (run on each node):** +- 2.1: NTP/chrony active, offsets below `--max-offset` (Automated) +- 2.2: One CockroachDB process per host (Automated) +- 2.3: Dedicated subnet with restricted ingress on ports 26257/8080 (Manual) +- 2.4: `swapon --show | wc -l` → `0` (Automated) +- 2.5: THP set to `madvise` or `never` (Automated) +- 2.6: File descriptor limit ≥ 15,000 for cockroach user (Automated) +- 2.7: cockroach user has no sudo privileges (Automated) + +### Step 3: Logging and Monitoring (Controls 3.1–3.4) + +These controls verify logging configuration, rotation, authentication event capture, and monitoring/alerting. + +**Key checks:** +- 3.1: Log directory exists, owned by cockroach, permissions 700 (Manual) +- 3.2: Log rotation configured via CockroachDB config or logrotate (Manual) +- 3.3: Both `server.auth_log.sql_connections.enabled` AND `server.auth_log.sql_sessions.enabled` = `true` (Automated) +- 3.4: Monitoring system scraping metrics, alerts configured (Manual) + +### Step 4: User Access and Authorization (Controls 4.1–4.4) + +These controls verify host-based authentication, password security, root user hardening, and centralized identity management. + +> ⚠️ **Control 4.2 (Full Audit only):** Inspecting stored password hashes requires `SET allow_unsafe_internals = true`. This is a break-glass, audit-only operation — run only in a dedicated admin session by authorized operators, and reset immediately after with `SET allow_unsafe_internals = false`. Do not expose this to application workloads. + +**Key checks (all SQL):** +- 4.1: HBA has specific IP ranges, strong auth methods, reject catch-all (Manual) +- 4.2: `password_encryption` = `scram-sha-256`, stored hashes are SCRAM format (Manual) +- 4.3: Root restricted to specific hosts via HBA with cert method, activity audited (Manual) +- 4.4: OIDC/LDAP enabled, identity mapping configured, local accounts minimized (Manual) + +### Step 5: Data Protection (Controls 5.1–5.3) + +These controls verify backup encryption, recovery testing, and multi-region data localization. + +**Key checks:** +- 5.1: Backups use `kms` or `encryption_passphrase`, or storage-layer encryption enforced (Manual) +- 5.2: Recovery procedures tested quarterly with documented results (Manual) +- 5.3: Multi-region tables use `REGIONAL BY ROW` or zone constraints for data residency (Manual) + +### Step 6: CockroachDB Settings (Controls 6.1–6.5) + +These controls verify certificate security, setting redaction, audit logging, session timeouts, and OCSP. + +**Key checks:** +- 6.1: Private key permissions `0600`, certs valid 90+ days (Automated) +- 6.2: Debug bundles use `--redact`, no secrets in logs (Manual) +- 6.3: `sql.log.user_audit` non-empty, `sql.log.admin_audit.enabled` = `true`, security channels configured (Manual) +- 6.4: `sql.defaults.idle_in_session_timeout` set (e.g., `15m`) (Manual) +- 6.5: `security.ocsp.mode` = `strict` or `lax` (Manual) + +## Report Format + +Generate a markdown report following the structure in [sample report](references/sample-report.md). + +**Status markers:** +- `[PASS]` — Control is satisfied +- `[FAIL]` — Control is not satisfied, remediation required +- `[MANUAL]` — Requires human review; automated check cannot determine compliance +- `[N/A]` — Control does not apply (e.g., EAR without Enterprise license) + +## Relationship to Other Security Skills + +| CIS Section | Related Remediation Skills | +|-------------|---------------------------| +| 1 Installation | [managing-tls-certificates](../managing-tls-certificates/SKILL.md), [enabling-cmek-encryption](../enabling-cmek-encryption/SKILL.md) | +| 3 Logging | [configuring-audit-logging](../configuring-audit-logging/SKILL.md), [configuring-log-export](../configuring-log-export/SKILL.md) | +| 4 User Access | [hardening-user-privileges](../hardening-user-privileges/SKILL.md), [enforcing-password-policies](../enforcing-password-policies/SKILL.md), [configuring-sso-and-scim](../configuring-sso-and-scim/SKILL.md) | +| 5 Data Protection | [preparing-compliance-documentation](../preparing-compliance-documentation/SKILL.md) | +| 6 Settings | [managing-tls-certificates](../managing-tls-certificates/SKILL.md), [configuring-audit-logging](../configuring-audit-logging/SKILL.md) | + +For a broader security posture assessment (covering Cloud and self-hosted), use [auditing-cloud-cluster-security](../auditing-cloud-cluster-security/SKILL.md). + +## Safety Considerations + +- **All operations are read-only.** No cluster settings, OS configuration, or files are modified. +- **Shell commands use read-only tools:** `ps`, `ls`, `cat`, `grep`, `systemctl is-enabled/is-active`, `swapon --show`, `ulimit`, `openssl x509`, `openssl verify`. +- **SQL queries use SHOW and SELECT only.** No DDL or DML statements. +- **One exception (4.2):** The full audit procedure for password hash inspection requires `SET allow_unsafe_internals = true` — this is a read-only break-glass operation that must be reset immediately after (`SET allow_unsafe_internals = false`). Only authorized operators should run this step. +- **No secrets are logged.** Certificate private keys and passwords are not included in report output. +- **Privilege check:** Some SQL queries require admin or VIEWACTIVITY privilege. The report notes any permission gaps. + +## References + +**Skill references:** +- [CIS controls reference](references/cis-controls.md) — All 30 controls with quick scan commands and full audit procedures +- [SQL queries for CIS audit](references/sql-queries.md) — All SQL queries used in the assessment +- [Sample audit report](references/sample-report.md) — Example report with findings + +**Authoritative source:** +- [CIS CockroachDB Benchmark (official repo)](https://github.com/cockroachlabs/CIS-benchmarks-crdb) + +**Related skills:** +- [auditing-cloud-cluster-security](../auditing-cloud-cluster-security/SKILL.md) — Broader security posture assessment +- [configuring-audit-logging](../configuring-audit-logging/SKILL.md) — SQL audit logging setup +- [hardening-user-privileges](../hardening-user-privileges/SKILL.md) — RBAC tightening +- [enforcing-password-policies](../enforcing-password-policies/SKILL.md) — Password policy enforcement +- [managing-tls-certificates](../managing-tls-certificates/SKILL.md) — TLS certificate management +- [enabling-cmek-encryption](../enabling-cmek-encryption/SKILL.md) — Encryption at rest +- [configuring-sso-and-scim](../configuring-sso-and-scim/SKILL.md) — SSO and SCIM provisioning + +**Official CockroachDB documentation:** +- [Security Overview](https://www.cockroachlabs.com/docs/stable/security-reference/security-overview.html) +- [Recommended Production Settings](https://www.cockroachlabs.com/docs/stable/recommended-production-settings.html) +- [Releases](https://www.cockroachlabs.com/docs/releases/) +- [Security Advisories](https://www.cockroachlabs.com/docs/advisories/) \ No newline at end of file diff --git a/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/cis-controls.md b/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/cis-controls.md new file mode 100644 index 0000000..2f0f1ea --- /dev/null +++ b/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/cis-controls.md @@ -0,0 +1,806 @@ +# CIS CockroachDB Benchmark v1.0.0 — Level 1 Controls Reference + +All 30 controls with both **Quick Scan** (one-liner automated checks) and **Full Audit** (multi-step CIS procedures). Sourced from https://github.com/cockroachlabs/CIS-benchmarks-crdb + +--- + +## 1. Installation and Patches + +### 1.1 Verify Binary Integrity (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 16.5 Use Up-to-Date and Trusted Third-Party Software Components (IG1/2/3) | +| **CIS v7** | 18.4 Only Use Up-to-date And Trusted Third-Party Components (IG1/2/3) | +| **Default** | N/A — operational process control external to CockroachDB | + +**Quick Scan:** +```bash +cockroach version +# Manual review: compare installed version against https://binaries.cockroachdb.com/ +``` + +**Full Audit:** +1. Inspect CI/CD pipelines and automation scripts — confirm they download only from `https://binaries.cockroachdb.com/` or a vetted internal mirror +2. Verify checksum for installed binary: +```bash +VERSION="v25.3.4" +FILE_NAME="cockroach-${VERSION}.linux-amd64.tgz" +SHA_URL="https://binaries.cockroachdb.com/${FILE_NAME}.sha256sum" +if [ "$(wget -qO- "$SHA_URL" | awk '{print $1}')" == "$(sha256sum "$FILE_NAME" | awk '{print $1}')" ]; then + echo "OK: SHA-256 matches" +else + echo "FAIL: SHA-256 mismatch" +fi +``` + +--- + +### 1.2 Ensure Systemd Service Files Are Enabled (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 4.1 Establish and Maintain a Secure Configuration Process (IG1/2/3) | +| **CIS v7** | 5.1 Establish Secure Configurations (IG1/2/3) | +| **Default** | Not configured — must be created manually | + +**Quick Scan:** +```bash +systemctl is-enabled cockroach.service 2>/dev/null || echo 'not enabled' +# Expected: enabled +``` + +**Full Audit:** +1. Verify service is enabled: `systemctl is-enabled cockroach.service` +2. Verify service is running: `systemctl is-active cockroach.service` +3. Inspect service file for security settings: +```bash +sudo systemctl cat cockroach.service | grep -E 'User=|ExecStart=|Restart=|Type=' +# Expected: User=cockroach, Type=notify, Restart=always +``` + +--- + +### 1.3 Ensure Cluster is Initialized Securely with TLS (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | High | +| **CIS v8** | 3.10 Encrypt Sensitive Data in Transit (IG1/2/3); 4.1 Secure Configuration (IG1/2/3) | +| **CIS v7** | 14.4 Encrypt All Sensitive Information in Transit (IG1/2/3) | +| **Default** | Secure when `--insecure` is not set and valid certs present in `--certs-dir` | + +**Quick Scan:** +```bash +ps aux | grep '[c]ockroach start' | grep -o 'insecure' || echo 'secure mode' +# Expected: must NOT contain "insecure" +``` + +**Full Audit:** +1. Confirm no `--insecure` flag: +```bash +ps -ef | grep cockroach +# Check for --insecure or --accept-sql-without-tls +``` +2. Verify certificate directory ownership: +```bash +ls -ld /var/lib/cockroach/certs +ls -l /var/lib/cockroach/certs +# Expected: owned by cockroach:cockroach, contains ca.crt, node.crt, node.key +``` +3. Validate node certificate against CA: +```bash +openssl verify -CAfile /var/lib/cockroach/certs/ca.crt /var/lib/cockroach/certs/node.crt +# Expected: OK +``` +4. Confirm cluster identity via secure CLI: +```bash +cockroach node status --certs-dir=/var/lib/cockroach/certs --host= +# All nodes report same Cluster ID +cockroach sql --certs-dir=/var/lib/cockroach/certs --host= -e "SHOW DATABASES;" +# Successful connection confirms secure SQL connectivity +``` + +--- + +### 1.4 Do Not Use --insecure Flag in Production (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | High | +| **CIS v8** | 3.10 Encrypt Sensitive Data in Transit (IG1/2/3); 4.1 Secure Configuration (IG1/2/3) | +| **CIS v7** | 14.4 Encrypt All Sensitive Information in Transit (IG1/2/3) | +| **Default** | Not set (secure by default when certs provided) | + +**Quick Scan:** +```bash +ps aux | grep '[c]ockroach start' | grep -c 'insecure' +# Expected: 0 +``` + +**Full Audit:** +1. Check running processes: `ps -ef | grep cockroach` — no `--insecure` +2. Check systemd service file: `sudo systemctl cat cockroach.service | grep insecure` — no matches +3. Check any wrapper scripts: `grep -ri insecure /etc/cockroach/ /usr/lib/systemd/system/` + +--- + +### 1.5 Ensure All Nodes Are Running the Same Version (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 2.2 Ensure Authorized Software is Currently Supported (IG1/2/3); 4.1 Secure Configuration (IG1/2/3) | +| **CIS v7** | 2.2 Ensure Software is Supported by Vendor (IG1/2/3) | +| **Default** | Temporary version skew tolerated during rolling upgrades | + +**Quick Scan:** +```bash +cockroach version | grep 'Build Tag' +``` + +**Full Audit:** +1. Check version on each node: `cockroach version` +2. Check via DB Console: Cluster Overview → Node List — all versions match +3. Check upgrade status: +```sql +SHOW CLUSTER SETTING version; +-- After major upgrade, should show new major version (e.g., 25.4) +``` +4. Check node status: +```bash +cockroach node status --certs-dir=/var/lib/cockroach/certs --host= --format=table +# Review build/version fields for mismatches +``` + +--- + +### 1.6 Establish Rolling Upgrade Process (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 7.3 Perform Automated Operating System Patch Management (IG1/2/3) | +| **CIS v7** | 3.4 Deploy Automated Operating System Patch Management Tools (IG1/2/3) | +| **Default** | No process exists by default — must be documented by organization | + +**Quick Scan:** +```bash +echo 'Manual: Verify rolling upgrade runbook exists and has been tested' +``` + +**Full Audit:** +1. Request operational runbook — must cover: pre-upgrade backup, sequential node drain/stop/upgrade/start, version finalization, rollback +2. Verify last test date in non-production environment +3. Confirm security advisory monitoring at https://www.cockroachlabs.com/docs/advisories/ + +--- + +### 1.7 Encryption at Rest Keys Managed by External KMS (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 3.11 Encrypt Sensitive Data at Rest (IG1/2/3); 4.1 Secure Configuration (IG1/2/3) | +| **CIS v7** | 13.5 Manage Access Control for Remote Assets (IG1/2/3) | +| **Default** | EAR disabled — no encryption at rest unless configured with `--enterprise-encryption` | + +**Quick Scan:** +```bash +ps aux | grep '[c]ockroach start' | grep 'enterprise-encryption' || echo 'EAR not configured' +``` + +**Full Audit:** +1. Check for enterprise encryption flag: +```bash +ps -ef | grep cockroach | grep -- '--enterprise-encryption' +# Expected: --enterprise-encryption=path=...,key=...,old-key=...,rotation-period=... +``` +2. Inspect configuration for external key source: +```bash +grep -Ri "vault" /etc/cockroach /usr/lib/systemd/system +grep -Ri "encryption-key" /etc/cockroach /usr/lib/systemd/system +# Look for Vault, Transit, or other secret loader references +``` +3. Verify key files are NOT on same volume as data: +```bash +find /etc/cockroach /var/lib/cockroach -type f -name "*.key" -ls +# Key files must not be in data directory; must be on separate volume with 400 permissions +``` +4. Verify encryption is active: +```bash +cockroach debug encryption-active-key /var/lib/cockroach +``` + +--- + +## 2. System Hardening and Topology + +### 2.1 NTP Service Configured for Clock Synchronization (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | High | +| **CIS v8** | 8.7 Ensure Time Synchronization Across Enterprise Assets (IG1/2/3) | +| **CIS v7** | 6.1 Maintain an Accurate Time Source (IG1/2/3) | +| **Default** | `--max-offset` defaults to 500ms; NTP must be configured at OS level | + +**Quick Scan:** +```bash +systemctl is-active chronyd 2>/dev/null || systemctl is-active ntpd 2>/dev/null || echo 'no time sync' +# Expected: active +``` + +**Full Audit:** +1. Confirm NTP/chrony is active: `systemctl status chronyd` or `timedatectl` +2. Verify time source selection — all nodes use compatible leap-smearing sources: + - AWS: Amazon Time Sync (`169.254.169.123`) via `chronyc sources -v` + - GCE: Google internal NTP (`metadata.google.internal`) + - Other: Google Public NTP (`time.google.com`) +3. Check CockroachDB clock offsets via Prometheus metric `clock_offset_meannanos` or DB Console — offsets below `--max-offset` (500ms) +4. Check logs for clock skew errors: +```bash +grep -i "clock" /var/lib/cockroach/logs/cockroach.log +# Expected: no offset error entries +``` + +--- + +### 2.2 One CockroachDB Process Per Host (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 4.1 Establish and Maintain a Secure Configuration Process (IG1/2/3) | +| **CIS v7** | 14.1 Segment the Network Based on Sensitivity (IG1/2/3) | +| **Default** | Not enforced — operator responsibility | + +**Quick Scan:** +```bash +ps aux | grep '[c]ockroach start' | wc -l +# Expected: 1 +``` + +**Full Audit:** +1. Count CockroachDB processes per host: `ps aux | grep '[c]ockroach start' | wc -l` → must be 1 +2. For Kubernetes: verify pod anti-affinity rules prevent co-scheduling + +--- + +### 2.3 Database Servers in Dedicated Subnet (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 12.1 Ensure Network Infrastructure is Up-to-Date (IG1/2/3) | +| **CIS v7** | 9.2 Ensure Only Approved Ports, Protocols and Services Are Running (IG1/2/3) | +| **Default** | Not enforced — operator responsibility | + +**Quick Scan:** +```bash +echo 'Manual: Review network topology and firewall rules' +``` + +**Full Audit:** +1. Verify CockroachDB nodes are in a dedicated subnet/VPC +2. Verify firewall/security group rules: + - Ingress 26257 allowed from app tier and cluster nodes only + - Ingress 8080 allowed from admin/bastion hosts only + - All other inbound denied + - Outbound restricted to necessary services +3. Document network topology for evidence + +--- + +### 2.4 Disable Linux Memory Swapping (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 4.1 Secure Configuration (IG1/2/3) | +| **CIS v7** | 5.1 Establish Secure Configurations (IG1/2/3) | +| **Default** | Swap typically enabled in default Linux installations | + +**Quick Scan:** +```bash +swapon --show | wc -l +# Expected: 0 +``` + +**Full Audit:** +1. Check swap: `swapon --show` and `free -h` — no swap space active +2. Check `/etc/fstab` for swap entries: `grep swap /etc/fstab` — all should be commented out + +--- + +### 2.5 Configure THP to madvise (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | Low | +| **CIS v8** | 4.1 Secure Configuration (IG1/2/3) | +| **CIS v7** | 5.1 Establish Secure Configurations (IG1/2/3) | +| **Default** | `always` on most Linux distributions | + +**Quick Scan:** +```bash +cat /sys/kernel/mm/transparent_hugepage/enabled 2>/dev/null | grep -o '\[.*\]' | tr -d '[]' +# Expected: madvise or never +``` + +**Full Audit:** +1. Check THP enabled mode: `cat /sys/kernel/mm/transparent_hugepage/enabled` +2. Check THP defrag mode: `cat /sys/kernel/mm/transparent_hugepage/defrag` +3. Verify persistence — check for systemd unit or rc.local entry + +--- + +### 2.6 File Descriptor Limit >= 15,000 (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 4.1 Secure Configuration (IG1/2/3) | +| **CIS v7** | 5.1 Establish Secure Configurations (IG1/2/3) | +| **Default** | 1024 or 4096 on most Linux distributions — insufficient | + +**Quick Scan:** +```bash +su - cockroach -c 'ulimit -n' 2>/dev/null || echo 'not configured' +# Expected: >= 15000 (recommended: 35000) +``` + +**Full Audit:** +1. Check limits for cockroach user: `su - cockroach -c 'ulimit -n'` +2. Check running process limits: `cat /proc/$(pgrep cockroach)/limits | grep 'open files'` +3. Check `/etc/security/limits.conf` and systemd `LimitNOFILE` + +--- + +### 2.7 No Sudo Privileges for CockroachDB User (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 5.4 Restrict Administrator Privileges to Dedicated Accounts (IG1/2/3) | +| **CIS v7** | 4.3 Ensure the Use of Dedicated Administrative Accounts (IG1/2/3) | +| **Default** | Depends on how cockroach user was created | + +**Quick Scan:** +```bash +sudo -l -U cockroach 2>&1 | grep -c 'not allowed' +# Expected: >= 1 +``` + +**Full Audit:** +1. Check sudo access: `sudo -l -U cockroach` — should show "not allowed to run sudo" +2. Check `/etc/sudoers` and `/etc/sudoers.d/` for cockroach entries + +--- + +## 3. Logging and Monitoring + +### 3.1 Logging Enabled with Secure Storage (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 8.2 Collect Audit Logs (IG1/2/3); 8.5 Collect Detailed Audit Logs (IG2/3) | +| **CIS v7** | 6.2 Activate Audit Logging (IG1/2/3) | +| **Default** | Logging enabled; file sinks write to `/logs`; permissions 0644; `server.eventlog.enabled` = true | + +**Quick Scan:** +```bash +ls -ld /var/lib/cockroach/logs 2>/dev/null || echo 'logs directory not found' +``` + +**Full Audit:** +1. Check logging configuration: +```bash +cockroach debug check-log-config +sudo systemctl cat cockroach.service | grep ExecStart +# Look for --log-dir, --log-config-file, or --log={yaml} +``` +2. Verify log files exist with recent timestamps: +```bash +ls -lh /var/lib/cockroach/logs/ +tail -n 10 /var/lib/cockroach/logs/cockroach.log +# Expect: cockroach.log, cockroach-security.log, cockroach-sql-audit.log, cockroach-sql-auth.log +``` +3. Verify directory ownership and permissions: +```bash +ls -ld /var/lib/cockroach/logs +# Expected: cockroach:cockroach, drwx------ (700) +``` + +--- + +### 3.2 Log Rotation and Retention Configured (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Low | +| **CIS v8** | 8.3 Ensure Adequate Audit Log Storage (IG1/2/3) | +| **CIS v7** | 6.3 Enable Detailed Logging (IG1/2/3) | +| **Default** | max-file-size: 10 MiB, max-group-size: 100 MiB per group | + +**Quick Scan:** +```bash +echo 'Manual: Review log rotation configuration' +``` + +**Full Audit:** +1. Check CockroachDB log config: `cockroach debug check-log-config` — review `max-file-size`, `max-group-size` +2. Check OS logrotate: `cat /etc/logrotate.d/cockroach` if present +3. Verify retention meets compliance requirements (typically 90+ days) + +--- + +### 3.3 Connection and Authentication Logging Enabled (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 8.5 Collect Detailed Audit Logs (IG1/2/3); 8.2 Collect Audit Logs (IG1/2/3) | +| **CIS v7** | 6.3 Enable Detailed Logging (IG1/2/3) | +| **Default** | Both `sql_connections.enabled` and `sql_sessions.enabled` are `false` | + +**Quick Scan:** +```sql +SHOW CLUSTER SETTING server.auth_log.sql_connections.enabled; +-- Expected: true +SHOW CLUSTER SETTING server.auth_log.sql_sessions.enabled; +-- Expected: true +``` + +**Full Audit:** +1. Verify both cluster settings are `true` +2. Verify SESSIONS log file is present with recent events: +```bash +ls -lh /var/lib/cockroach/logs/cockroach-sql-auth.log +tail -n 10 /var/lib/cockroach/logs/cockroach-sql-auth.log +# Expect JSON entries: client_connection_start, client_authentication_ok/failed, client_session_end +``` +3. Verify events via system.eventlog: +```sql +SELECT timestamp, (info::JSONB)->>'EventType' AS eventtype +FROM system.eventlog +WHERE (info::JSONB)->>'EventType' IN ('client_connection_start','client_authentication_failed') +ORDER BY timestamp DESC LIMIT 20; +``` +4. Verify integration with SIEM/log aggregator if applicable + +--- + +### 3.4 Monitoring and Alerting in Place (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 8.2 Collect Audit Logs (IG1/2/3) | +| **CIS v7** | 6.2 Activate Audit Logging (IG1/2/3) | +| **Default** | Not configured — Prometheus endpoint available at `/_status/vars` on port 8080 | + +**Quick Scan:** +```bash +echo 'Manual: Verify monitoring system is configured and alerting is active' +``` + +**Full Audit:** +1. Verify Prometheus/Datadog/equivalent is scraping CockroachDB metrics endpoint +2. Verify alerts for: node unavailability, under-replicated ranges, cert expiration (<30 days), disk usage >80%, clock offset >100ms, version mismatch +3. Verify DB Console is accessible and shows cluster health + +--- + +## 4. User Access and Authorization + +### 4.1 Restrict Access Using Host-Based Authentication (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | High | +| **CIS v8** | 3.3 Configure Data Access Control Lists (IG1/2/3); 4.4 Implement Firewall at App Layer (IG1/2/3); 6.6 Inventory and Control Auth Systems (IG2/3) | +| **CIS v7** | 14.6 Protect Information Through Access Control Lists (IG1/2/3) | +| **Default** | `host all root all cert-password` / `host all all all cert-password` / `local all all password` | + +**Quick Scan:** +```sql +SHOW CLUSTER SETTING server.host_based_authentication.configuration; +-- FAIL if empty or equivalent to default (no IP restrictions) +``` + +**Full Audit:** +1. Review HBA for allowed network origins — rules should list specific IP/CIDR ranges +2. Final rule should be `host all all all reject` (default-deny) +3. FAIL if empty, `host all all all password`, or `trust` method present +4. Verify strong auth methods (cert, cert-password, cert-scram-sha-256, scram-sha-256) + +--- + +### 4.2 Restrict and Secure Password Authentication (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | High | +| **CIS v8** | 5.2 Use Strong Authentication (IG1/2/3); 3.3 Implement Access Control (IG1/2/3); 6.6 Manage Authorization Systems (IG2/3) | +| **CIS v7** | 16.4 Encrypt or Hash Authentication Credentials (IG1/2/3) | +| **Default** | `password_encryption` defaults vary by version; HBA defaults to cert-password | + +**Quick Scan:** +```sql +SHOW CLUSTER SETTING server.user_login.password_encryption; +-- Expected: scram-sha-256 +``` + +**Full Audit:** +1. Inspect stored password hashes (⚠️ break-glass, authorized operators only): +```sql +SET allow_unsafe_internals = true; +SET bytea_output = 'escape'; +SELECT username, "hashedPassword" FROM system.users WHERE "hashedPassword" IS NOT NULL; +SET allow_unsafe_internals = false; +-- SCRAM hashes show SCRAM-SHA-256$... prefix +``` +2. Verify SCRAM-SHA-256 enforcement: +```sql +SHOW CLUSTER SETTING server.user_login.password_encryption; +SHOW CLUSTER SETTING server.user_login.upgrade_bcrypt_stored_passwords_to_scram.enabled; +``` +3. Review HBA for password method entries — FAIL if broad rules allow password from unbounded origins + +--- + +### 4.3 Secure the root User and Administrative Roles (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | High | +| **CIS v8** | 5.4 Restrict Administrator Privileges (IG1/2/3); 6.6 Manage Authorization Systems (IG2/3) | +| **CIS v7** | 4.3 Ensure Use of Dedicated Administrative Accounts (IG1/2/3) | +| **Default** | root has full cluster access with cert-password auth from any IP | + +**Quick Scan:** +```sql +SHOW CLUSTER SETTING sql.log.user_audit; +-- Expected: includes 'root ALL' +``` + +**Full Audit:** +1. Verify root restricted in HBA to specific admin hosts with cert-only auth +2. Verify root activity audited via `sql.log.user_audit` +3. Verify limited admin roles exist for routine tasks +4. Count admin members: +```sql +SELECT member FROM [SHOW GRANTS ON ROLE admin] WHERE is_admin = true; +-- Should be minimal (1-2 accounts) +``` + +--- + +### 4.4 Centralize and Standardize User Management (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 5.1 Establish and Maintain an Inventory of Accounts (IG1/2/3); 6.6 Manage Authorization Systems (IG2/3) | +| **CIS v7** | 16.8 Disable Any Unassociated Accounts (IG1/2/3) | +| **Default** | Local database accounts only; OIDC/LDAP disabled | + +**Quick Scan:** +```sql +SHOW CLUSTER SETTING server.oidc_authentication.enabled; +-- Expected: true +``` + +**Full Audit:** +1. Check OIDC enabled and provider URL configured +2. Check identity mapping: `SHOW CLUSTER SETTING server.identity_map.configuration;` +3. Check HBA for LDAP entries +4. Review local accounts — minimize to emergency access (root with cert) +5. Verify provisioning/deprovisioning process exists + +--- + +## 5. Data Protection + +### 5.1 Backups Are Encrypted (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | High | +| **CIS v8** | 3.11 Encrypt Sensitive Data at Rest (IG1/2/3); 4.1 Secure Configuration (IG1/2/3); 6.2 Establish Access Revoking Process (IG2/3) | +| **CIS v7** | 10.4 Ensure Protection of Backups (IG1/2/3); 13.10 Encrypt Sensitive Information at Rest (IG1/2/3) | +| **Default** | Backups NOT encrypted by default; EAR does NOT encrypt backups | + +**Quick Scan:** +```sql +SELECT id, label, schedule_status, next_run FROM [SHOW SCHEDULES] WHERE label ILIKE '%backup%'; +``` + +**Full Audit:** +1. Identify recent backups: `SHOW BACKUPS IN 's3://bucket/path?AUTH=...';` +2. Inspect backup options — verify `encryption_passphrase` or `kms` present +3. Validate storage-layer encryption (S3 SSE, GCS CMEK, Azure SSE) +4. Verify passphrases/keys NOT in plaintext scripts, service files, logs, or source code + +--- + +### 5.2 Periodically Test Backup Recovery (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 11.3 Perform Automated Backup (IG1/2/3) | +| **CIS v7** | 10.4 Ensure Protection of Backups (IG1/2/3) | +| **Default** | No recovery testing by default | + +**Quick Scan:** +```bash +echo 'Manual: Review backup testing logs and documentation' +``` + +**Full Audit:** +1. Request documentation of most recent recovery test — date, duration, results +2. Verify testing covers: full restore, PITR, RTO validation +3. Verify quarterly minimum frequency +4. Verify test environment separate from production + +--- + +### 5.3 Multi-Region Data Localization (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 3.3 Configure Data Access Control Lists (IG1/2/3) | +| **CIS v7** | 14.4 Encrypt All Sensitive Information in Transit (IG1/2/3) | +| **Default** | No data localization by default | + +**Quick Scan:** +```sql +SHOW REGIONS FROM DATABASE ; +-- N/A if single-region or no data residency requirements +``` + +**Full Audit:** +1. Check database regions, table locality (`REGIONAL BY ROW`), data placement (`SHOW RANGES`) +2. Verify zone constraints match regulatory requirements +3. Mark N/A if single-region with no data residency requirements + +--- + +## 6. CockroachDB Settings + +### 6.1 Certificate File Permissions and Validity (Automated) + +| Field | Value | +|-------|-------| +| **Severity** | High | +| **CIS v8** | 3.3 Configure Data Access Control Lists (IG1/2/3) | +| **CIS v7** | 14.4 Encrypt All Sensitive Information in Transit (IG1/2/3) | +| **Default** | Depends on how certificates were deployed | + +**Quick Scan:** +```bash +ls -l /var/lib/cockroach/certs/*.key | awk '{print $1}' | grep -v '^-rw-------' | wc -l +# Expected: 0 +``` + +**Full Audit:** +1. Check key permissions: `ls -l /var/lib/cockroach/certs/*.key` — expected 0600, owned by cockroach +2. Check certificate expiry: +```bash +for cert in /var/lib/cockroach/certs/*.crt; do + echo "Certificate: $cert" + openssl x509 -in "$cert" -noout -dates +done +# Expected: > 90 days remaining +``` +3. Verify cert chain: `openssl verify -CAfile ca.crt node.crt` + +--- + +### 6.2 Sensitive Cluster Settings Are Redacted (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 3.11 Encrypt Sensitive Data at Rest (IG1/2/3) | +| **CIS v7** | 13.5 Manage Access Control for Remote Assets (IG1/2/3) | +| **Default** | Some settings auto-redacted; debug bundles not redacted by default | + +**Quick Scan:** +```bash +echo 'Manual: Verify --redact flag used for debug bundles' +``` + +**Full Audit:** +1. Verify `cockroach debug zip --redact` is used for support bundles +2. Check logs for sensitive values: `grep -i 'password\|secret\|key\|token' logs/*.log` +3. Review `SHOW ALL CLUSTER SETTINGS;` for redacted values + +--- + +### 6.3 Security Audit Logging Enabled (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | High | +| **CIS v8** | 8.2 Collect Audit Logs (IG1/2/3); 8.3 Ensure Adequate Audit Log Storage (IG1/2/3); 8.4 Ensure Logging Policies Are Enforced (IG2/3) | +| **CIS v7** | 6.2 Activate Audit Logging (IG1/2/3); 6.3 Ensure Audit Logs Are Reviewed Regularly (IG2/3) | +| **Default** | `sql.log.user_audit` empty; table-level audit disabled | + +**Quick Scan:** +```sql +SHOW CLUSTER SETTING sql.log.user_audit; +SHOW CLUSTER SETTING sql.log.admin_audit.enabled; +-- FAIL if both empty/false +``` + +**Full Audit:** +1. Verify `sql.log.user_audit` non-empty (e.g., `ALL ALL` or role-specific) +2. Verify security sink includes SESSIONS, USER_ADMIN, PRIVILEGES, SENSITIVE_ACCESS with `auditable: true` +3. Verify `server.auth_log.sql_connections.enabled` = true +4. Test: execute statement as audited user, verify entry in `cockroach-security.log` + +--- + +### 6.4 SQL Session Idle Timeouts Configured (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 4.3 Configure Automatic Session Locking (IG1/2/3) | +| **CIS v7** | 16.6 Maintain an Inventory of Accounts (IG1/2/3) | +| **Default** | `sql.defaults.idle_in_session_timeout` = `0s` (disabled) | + +**Quick Scan:** +```sql +SHOW CLUSTER SETTING sql.defaults.idle_in_session_timeout; +-- Expected: non-zero (e.g., 15m0s) +``` + +**Full Audit:** +1. Check cluster-wide timeout (PCI DSS requires 15 minutes) +2. Check role-level timeouts: +```sql +SELECT rolname, rolconfig FROM pg_catalog.pg_roles +WHERE rolconfig IS NOT NULL AND rolconfig::text LIKE '%idle_in_session_timeout%'; +``` + +--- + +### 6.5 OCSP Certificate Revocation Checking Enabled (Manual) + +| Field | Value | +|-------|-------| +| **Severity** | Medium | +| **CIS v8** | 3.10 Encrypt Sensitive Data in Transit (IG1/2/3); 5.2 Use Strong Authentication (IG1/2/3) | +| **CIS v7** | 16.7 Use Standard Hardening Configuration Templates (IG1/2/3); 14.4 Encrypt All Sensitive Information in Transit (IG1/2/3); 16.4 Encrypt or Hash Authentication Credentials (IG1/2/3) | +| **Default** | `security.ocsp.mode` = `off`; `security.ocsp.timeout` = `3s` | + +**Quick Scan:** +```sql +SHOW CLUSTER SETTING security.ocsp.mode; +-- Expected: strict or lax (not off) +``` + +**Full Audit:** +1. Verify OCSP mode (strict recommended, lax acceptable): +```sql +SHOW CLUSTER SETTING security.ocsp.mode; +SHOW CLUSTER SETTING security.ocsp.timeout; +``` +2. Verify certificates include OCSP responder URLs: +```bash +openssl x509 -in certs/client.crt -noout -ocsp_uri +``` +3. Test OCSP query: +```bash +openssl ocsp -issuer certs/ca.crt -cert certs/client.crt \ + -url $(openssl x509 -in certs/client.crt -noout -ocsp_uri) +``` +4. Check logs: `grep -i "ocsp" /var/lib/cockroach/logs/cockroach.log | tail -20` \ No newline at end of file diff --git a/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/sample-report.md b/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/sample-report.md new file mode 100644 index 0000000..f9cea48 --- /dev/null +++ b/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/sample-report.md @@ -0,0 +1,127 @@ +# CIS CockroachDB Benchmark Audit Report + +This is a sample report from an audit of a self-hosted CockroachDB production cluster. It demonstrates the expected output format with both quick scan and full audit findings. Use this as a template when producing audit reports — replace all values with actual findings from the target cluster. + +--- + +**Date:** 2026-06-09 +**Benchmark:** CIS CockroachDB 2.x v1.0.0 — Level 1 +**Audit Depth:** Quick Scan + Full Audit on failures +**Cluster:** prod-east-cluster +**CockroachDB Version:** v25.2.3 +**Nodes Assessed:** 3 (node1, node2, node3) +**Auditor:** +**Compliance Context:** SOC 2, PCI DSS +**Enterprise License:** Yes + +## Summary + +| Status | Count | +|--------|-------| +| PASS | 19 | +| FAIL | 5 | +| MANUAL | 5 | +| N/A | 1 | + +## Findings + +### 1. Installation and Patches + +| Control | Description | Status | Details | +|---------|-------------|--------|---------| +| 1.1 | Binary integrity | MANUAL | v25.2.3 confirmed. SHA-256 verification requires comparison against binaries.cockroachdb.com | +| 1.2 | Systemd service enabled | PASS | `systemctl is-enabled` → `enabled` on all 3 nodes. Service runs as User=cockroach with Type=notify, Restart=always | +| 1.3 | TLS enabled | PASS | No `--insecure` flag. Cert directory owned by cockroach:cockroach. `openssl verify` confirms node.crt signed by ca.crt. All nodes report same Cluster ID | +| 1.4 | No --insecure flag | PASS | `grep -c insecure` → `0` on all nodes. No insecure flags in service files or wrapper scripts | +| 1.5 | All nodes same version | PASS | All 3 nodes report `build_tag: v25.2.3`. `SHOW CLUSTER SETTING version` = `25.2` | +| 1.6 | Rolling upgrade process | MANUAL | Runbook exists. Last tested 2026-04-01. Security advisories monitored | +| 1.7 | EAR with external KMS | PASS | `--enterprise-encryption` present with Vault KMS URI. Key files on separate `/secure-keys` volume with 400 permissions | + +### 2. System Hardening and Topology + +| Control | Description | Status | Details | +|---------|-------------|--------|---------| +| 2.1 | NTP active | PASS | chronyd active on all 3 nodes, synced to Amazon Time Sync (169.254.169.123). Clock offsets < 5ms per DB Console | +| 2.2 | One process per host | PASS | 1 CockroachDB process per node | +| 2.3 | Dedicated subnet | MANUAL | VPC security groups reviewed — port 26257 restricted to app subnet, 8080 to bastion only | +| 2.4 | Swap disabled | PASS | `swapon --show` returns 0 lines, swap commented in /etc/fstab | +| 2.5 | THP madvise | PASS | `[madvise]` on all 3 nodes, persistent via systemd unit | +| 2.6 | File descriptors >= 15k | PASS | `ulimit -n` → 35000, confirmed via `/proc/$(pgrep cockroach)/limits` | +| 2.7 | No sudo for cockroach | PASS | "not allowed to run sudo" on all nodes. No entries in sudoers | + +### 3. Logging and Monitoring + +| Control | Description | Status | Details | +|---------|-------------|--------|---------| +| 3.1 | Logging enabled | PASS | `--log-dir=/var/lib/cockroach/logs` in service file. Log files present with recent timestamps. Directory owned by cockroach, permissions drwx------ | +| 3.2 | Log rotation | MANUAL | CockroachDB defaults: max-file-size 10MiB, max-group-size 100MiB. Logrotate also configured with 30-day retention | +| 3.3 | Auth logging | FAIL | `sql_connections.enabled` = `false`, `sql_sessions.enabled` = `false`. No SESSIONS events in cockroach-sql-auth.log | +| 3.4 | Monitoring/alerting | PASS | Prometheus scraping confirmed, Grafana dashboards active, PagerDuty alerts for node health, replication, disk, clock offset | + +### 4. User Access and Authorization + +| Control | Description | Status | Details | +|---------|-------------|--------|---------| +| 4.1 | HBA configured | FAIL | HBA configuration is empty (using defaults: `host all all all cert-password`). No IP restrictions, no reject catch-all | +| 4.2 | SCRAM-SHA-256 | PASS | `password_encryption` = `scram-sha-256`. Bcrypt migration enabled. All stored hashes show SCRAM-SHA-256 prefix | +| 4.3 | Root user secured | FAIL | `sql.log.user_audit` is empty — root activity not audited. HBA does not restrict root to specific hosts. 3 users have admin role | +| 4.4 | Centralized users | FAIL | `oidc_authentication.enabled` = `false`. All users are local database accounts. No identity mapping configured | + +### 5. Data Protection + +| Control | Description | Status | Details | +|---------|-------------|--------|---------| +| 5.1 | Backup encryption | PASS | Backup schedules use `WITH kms = 'aws:///...'`. S3 bucket also has SSE-KMS enforced. No plaintext passphrases in scripts | +| 5.2 | Recovery testing | PASS | Last test 2026-04-15. Full restore in 47 minutes. PITR also tested. Documented in Confluence | +| 5.3 | Data localization | N/A | Single-region deployment. No data residency requirements | + +### 6. CockroachDB Settings + +| Control | Description | Status | Details | +|---------|-------------|--------|---------| +| 6.1 | Cert permissions | PASS | All `.key` files have 0600. node.crt expires 2027-03-15 (279 days). ca.crt expires 2028-01-01 (571 days). `openssl verify` OK | +| 6.2 | Settings redacted | PASS | Support bundle procedures use `--redact` per runbook. No secrets found in log grep | +| 6.3 | Audit logging | FAIL | `sql.log.user_audit` is empty. `sql.log.admin_audit.enabled` = `false`. No security sink with auditable: true | +| 6.4 | Session timeouts | PASS | `idle_in_session_timeout` = `15m0s`. PCI DSS compliant | +| 6.5 | OCSP checking | MANUAL | `security.ocsp.mode` = `off`. Requires review — certs do not currently include OCSP responder URLs | + +## CIS Controls Mapping (Failures Only) + +| CIS Control | NIST Safeguards Affected | Status | +|-------------|-------------------------|--------| +| 3.3 | CIS v8 8.5, 8.2; CIS v7 6.3 | FAIL | +| 4.1 | CIS v8 3.3, 4.4, 6.6; CIS v7 14.6 | FAIL | +| 4.3 | CIS v8 5.4, 6.6; CIS v7 4.3 | FAIL | +| 4.4 | CIS v8 5.1, 6.6; CIS v7 16.8 | FAIL | +| 6.3 | CIS v8 8.2, 8.3, 8.4; CIS v7 6.2, 6.3 | FAIL | + +## Remediation Summary + +Ordered by severity: + +| # | Control | Finding | Severity | Remediation | +|---|---------|---------|----------|-------------| +| 1 | 4.1 | HBA not configured — all IPs allowed with cert-password | High | Configure HBA with specific IP ranges, strong auth, reject catch-all | +| 2 | 4.3 | Root user not secured — no audit, no IP restriction | High | Restrict root via HBA; set `sql.log.user_audit = 'root ALL'` | +| 3 | 6.3 | Audit logging disabled — no user or admin audit | High | `SET CLUSTER SETTING sql.log.user_audit = 'ALL ALL'; SET CLUSTER SETTING sql.log.admin_audit.enabled = true;` | +| 4 | 3.3 | Connection/auth logging disabled | Medium | `SET CLUSTER SETTING server.auth_log.sql_connections.enabled = true; SET CLUSTER SETTING server.auth_log.sql_sessions.enabled = true;` | +| 5 | 4.4 | No centralized identity — all local accounts | Medium | Enable OIDC authentication, configure identity mapping | + +## How to Use This Report + +For each FAIL finding: + +1. **"Explain how to fix this"** — Open the linked remediation skill for step-by-step guidance +2. **"Help me fix this now"** — Walk through remediation interactively + +After remediating, re-run the audit (quick scan first) to verify PASS. + +## Evidence Artifacts + +For compliance evidence, the following were collected during this audit: +- Quick scan output (all 30 control one-liners) +- Full security settings dump (comprehensive SQL query) +- Certificate expiry report +- HBA configuration export +- Screenshot of DB Console Node List (version uniformity) +- Prometheus/Grafana alerting configuration \ No newline at end of file diff --git a/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/sql-queries.md b/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/sql-queries.md new file mode 100644 index 0000000..c85b183 --- /dev/null +++ b/skills/cockroachdb-security-and-governance/auditing-cis-benchmark/references/sql-queries.md @@ -0,0 +1,163 @@ +# SQL Queries for CIS Benchmark Audit + +All SQL queries used during CIS CockroachDB Benchmark assessments. All queries are read-only (SELECT and SHOW statements only), except the break-glass `allow_unsafe_internals` step in 4.2 which is audit-only and must be reset immediately. + +## Installation and Patches + +### 1.5 — Verify All Nodes Same Version +```sql +SELECT version(); + +-- Compare versions across all cluster nodes +SELECT node_id, build_tag FROM crdb_internal.gossip_nodes ORDER BY node_id; + +-- Check cluster logical version (upgrade finalization status) +SHOW CLUSTER SETTING version; +``` + +## Logging and Monitoring + +### 3.3 — Connection and Authentication Logging +```sql +-- Both must be true for comprehensive SESSIONS logging +SHOW CLUSTER SETTING server.auth_log.sql_connections.enabled; +SHOW CLUSTER SETTING server.auth_log.sql_sessions.enabled; + +-- Verify events in system.eventlog +SELECT timestamp, (info::JSONB)->>'EventType' AS eventtype +FROM system.eventlog +WHERE (info::JSONB)->>'EventType' IN ('client_connection_start','client_authentication_failed') +ORDER BY timestamp DESC LIMIT 20; +``` + +## User Access and Authorization + +### 4.1 — Host-Based Authentication +```sql +SHOW CLUSTER SETTING server.host_based_authentication.configuration; +-- FAIL if empty (default allows all with cert-password) +-- FAIL if contains trust method +-- FAIL if no reject catch-all +``` + +### 4.2 — Password Authentication Security +```sql +-- Check password hashing algorithm +SHOW CLUSTER SETTING server.user_login.password_encryption; +-- Expected: scram-sha-256 + +-- Check bcrypt-to-SCRAM migration +SHOW CLUSTER SETTING server.user_login.upgrade_bcrypt_stored_passwords_to_scram.enabled; + +-- ⚠️ Break-glass: inspect stored password hashes (authorized operators only) +SET allow_unsafe_internals = true; +SET bytea_output = 'escape'; +SELECT username, "hashedPassword" FROM system.users WHERE "hashedPassword" IS NOT NULL; +SET allow_unsafe_internals = false; +-- SCRAM hashes show SCRAM-SHA-256$... prefix when decoded +``` + +### 4.3 — Root User and Admin Audit +```sql +-- Check user audit logging (should include root) +SHOW CLUSTER SETTING sql.log.user_audit; + +-- List admin role members +SELECT member AS admin_user FROM [SHOW GRANTS ON ROLE admin] WHERE is_admin = true ORDER BY member; + +-- List all users with roles +SELECT username, options, member_of FROM [SHOW USERS] ORDER BY username; + +-- Find users without role membership (potential orphaned accounts) +SELECT username FROM [SHOW USERS] +WHERE 'NOLOGIN' != ALL(options) AND array_length(member_of, 1) IS NULL +ORDER BY username; +``` + +### 4.4 — Centralized Identity Management +```sql +SHOW CLUSTER SETTING server.oidc_authentication.enabled; +SHOW CLUSTER SETTING server.oidc_authentication.provider_url; +SHOW CLUSTER SETTING server.oidc_authentication.client_id; +SHOW CLUSTER SETTING server.identity_map.configuration; + +-- Check HBA for LDAP entries +SHOW CLUSTER SETTING server.host_based_authentication.configuration; +-- Look for lines with ldap method +``` + +## Data Protection + +### 5.1 — Backup Encryption Verification +```sql +-- List backup schedules +SELECT id, label, schedule_status, next_run, created +FROM [SHOW SCHEDULES] +WHERE label ILIKE '%backup%'; + +-- Check recent backup jobs +SELECT job_id, job_type, status, created, finished +FROM [SHOW JOBS] +WHERE job_type = 'BACKUP' +ORDER BY created DESC LIMIT 10; + +-- View backups in a location +SHOW BACKUPS IN 's3://bucket/path?AUTH=...'; +``` + +### 5.3 — Multi-Region Data Placement +```sql +SHOW REGIONS FROM DATABASE ; +SHOW CREATE TABLE ; +SHOW RANGES FROM TABLE ; +``` + +## CockroachDB Settings + +### 6.3 — Security Audit Logging +```sql +SHOW CLUSTER SETTING sql.log.user_audit; +SHOW CLUSTER SETTING sql.log.admin_audit.enabled; +SHOW CLUSTER SETTING server.auth_log.sql_connections.enabled; +``` + +### 6.4 — Session Idle Timeout +```sql +SHOW CLUSTER SETTING sql.defaults.idle_in_session_timeout; + +-- Check role-level timeouts +SELECT rolname, rolconfig FROM pg_catalog.pg_roles +WHERE rolconfig IS NOT NULL AND rolconfig::text LIKE '%idle_in_session_timeout%'; +``` + +### 6.5 — OCSP Configuration +```sql +SHOW CLUSTER SETTING security.ocsp.mode; +SHOW CLUSTER SETTING security.ocsp.timeout; +``` + +## Comprehensive Security Settings Dump + +Capture all security-relevant cluster settings in a single pass for evidence collection: + +```sql +SELECT variable, value +FROM [SHOW ALL CLUSTER SETTINGS] +WHERE variable IN ( + 'server.auth_log.sql_connections.enabled', + 'server.auth_log.sql_sessions.enabled', + 'server.host_based_authentication.configuration', + 'server.user_login.password_encryption', + 'server.user_login.upgrade_bcrypt_stored_passwords_to_scram.enabled', + 'server.user_login.min_password_length', + 'server.oidc_authentication.enabled', + 'server.oidc_authentication.provider_url', + 'server.identity_map.configuration', + 'sql.log.user_audit', + 'sql.log.admin_audit.enabled', + 'sql.defaults.idle_in_session_timeout', + 'security.ocsp.mode', + 'security.ocsp.timeout' +) +ORDER BY variable; +``` \ No newline at end of file diff --git a/submodules/cockroachdb-skills b/submodules/cockroachdb-skills index 8716a65..9e73c9d 160000 --- a/submodules/cockroachdb-skills +++ b/submodules/cockroachdb-skills @@ -1 +1 @@ -Subproject commit 8716a6593b7ef577e17d87c4d196ba18d9349c52 +Subproject commit 9e73c9d45894449490c23ce90d18e6f233251dfa