Mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git (synced 2026-06-10 21:24:56 +03:00, commit c21af3347e)
# API Reference: Implementing PAM for Database Access

## HashiCorp Vault Database Secrets Engine

```bash
# Enable the database secrets engine
vault secrets enable database

# Configure the PostgreSQL connection. The username/password here are Vault's own
# bootstrap credentials (the role needs CREATEROLE to mint dynamic users). Passing
# them as CLI arguments leaves them in shell history; read them from a file or
# environment variable instead, and rotate them once Vault owns the account.
vault write database/config/postgresql \
    plugin_name=postgresql-database-plugin \
    connection_url="postgresql://{{username}}:{{password}}@db.example.com:5432/mydb" \
    allowed_roles="readonly,readwrite" \
    username="vault_admin" password="admin_pass"

# Create a dynamic-credential role. {{name}}, {{password}} and {{expiration}} are
# filled in by Vault per lease. VALID UNTIL is only a backstop: the plugin's default
# revocation statements drop the role as soon as the lease expires or is revoked.
vault write database/roles/readonly \
    db_name=postgresql \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" max_ttl="24h"

# Generate dynamic credentials (every read mints a new role and a new lease)
vault read database/creds/readonly
```
## hvac Python Client

```python
import os
import hvac

# Address and token come from the environment (VAULT_ADDR / VAULT_TOKEN), never from
# a hard-coded literal; use https for anything other than a local dev server.
client = hvac.Client(url=os.environ['VAULT_ADDR'], token=os.environ['VAULT_TOKEN'])
creds = client.secrets.database.generate_credentials('readonly')
# creds['data']['username'], creds['data']['password']
# creds['lease_id'] is what you renew or revoke; creds['lease_duration'] is the TTL in seconds
```
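The CLI and hvac snippets above stop at minting credentials. What a practitioner actually needs is the lifecycle: use the lease, then revoke it explicitly so the database role disappears when the job ends rather than an hour later. The block below is an added example, not code from the original page or the skill repository. `InMemoryVault` is a constructed stand-in that mimics the response shape of hvac's `client.secrets.database.generate_credentials()` and `client.sys.revoke_lease()` so the example runs offline; `lease_credentials()` works unchanged against a real `hvac.Client` because those are the only two calls it makes.

```python
"""Dynamic database credentials with explicit lease revocation (added example)."""
import contextlib
import secrets
from types import SimpleNamespace


class _InMemoryDatabase:
    """Constructed stand-in for client.secrets.database (not real hvac code)."""

    def __init__(self, vault):
        self._vault = vault

    def generate_credentials(self, name, mount_point="database"):
        # Same top-level keys a real Vault response carries.
        lease_id = f"{mount_point}/creds/{name}/{secrets.token_hex(8)}"
        creds = {
            "lease_id": lease_id,
            "lease_duration": 3600,  # matches default_ttl=1h in the CLI config above
            "renewable": True,
            "data": {
                "username": f"v-token-{name}-{secrets.token_hex(4)}",
                "password": secrets.token_urlsafe(24),
            },
        }
        self._vault.active[lease_id] = creds["data"]["username"]
        return creds


class _InMemorySys:
    """Constructed stand-in for client.sys; only revoke_lease() is modelled."""

    def __init__(self, vault):
        self._vault = vault

    def revoke_lease(self, lease_id):
        # A real Vault runs the role's revocation statements (DROP ROLE) here.
        self._vault.active.pop(lease_id)
        self._vault.revoked.append(lease_id)


class InMemoryVault:
    """Duck-typed like hvac.Client for the two calls lease_credentials() uses."""

    def __init__(self):
        self.active = {}   # lease_id -> username still valid in the database
        self.revoked = []  # lease_ids revoked so far
        self.secrets = SimpleNamespace(database=_InMemoryDatabase(self))
        self.sys = _InMemorySys(self)


@contextlib.contextmanager
def lease_credentials(client, role, mount_point="database"):
    """Yield (username, password) for `role`; revoke the lease on exit, even on error."""
    resp = client.secrets.database.generate_credentials(role, mount_point=mount_point)
    data = resp["data"]
    try:
        yield data["username"], data["password"]
    finally:
        # Revoking beats waiting for the TTL: the DB role is gone the moment the job ends.
        client.sys.revoke_lease(resp["lease_id"])


def run_report(client, role="readonly"):
    """Simulated job: returns the dynamic username it connected with."""
    with lease_credentials(client, role) as (user, _password):
        # Connect with psycopg2/asyncpg using user/_password here.
        used = user
    return used


def run_failing_job(client, role="readwrite"):
    """Returns True if the job's exception propagated; the lease is revoked regardless."""
    try:
        with lease_credentials(client, role):
            raise RuntimeError("simulated query failure")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    vault = InMemoryVault()
    print(run_report(vault), "active leases after job:", len(vault.active))
```

Against a real deployment, replace `InMemoryVault()` with `hvac.Client()` (which reads `VAULT_ADDR` and `VAULT_TOKEN` from the environment) and keep the rest as is; the `finally` clause is what turns a one-hour TTL into a credential that lives exactly as long as the job.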
## CyberArk Privileged Cloud API

| Endpoint | Method | Description |
|---|---|---|
| /api/Accounts?search=database | GET | List database accounts |
| /api/Accounts/{id}/Password/Retrieve | POST | Check out password |
| /api/Accounts/{id}/CheckIn | POST | Check in password |
| /api/LiveSessions | GET | List active PSM sessions |
| /api/Recordings | GET | List session recordings |
## Privileged Database Roles
| Database | Privileged Roles | Risk |
|---|---|---|
| PostgreSQL | pg_read_all_data, rds_superuser | Critical |
| MySQL | SUPER, ALL PRIVILEGES, GRANT OPTION | Critical |
| Oracle | DBA, SYSDBA, SYSOPER | Critical |
| SQL Server | sysadmin, db_owner, securityadmin | Critical |
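Knowing the role names is not enough: in PostgreSQL a login role usually reaches `pg_read_all_data` or `rds_superuser` through a chain of nested grants in `pg_auth_members`, so an audit has to walk the membership graph. The block below is an added example, not code from the original page or the skill repository. `ROLE_QUERY` and `MEMBERSHIP_QUERY` are the catalog queries you would run; `PG_ROLES` and `PG_AUTH_MEMBERS` are constructed rows in the shape those queries return, so the audit runs offline. It covers only PostgreSQL; the MySQL, Oracle and SQL Server rows in the table need their own catalog queries.

```python
"""Flag PostgreSQL login roles that are privileged directly or via nested grants (added example)."""
from collections import defaultdict

# Roles the table above treats as critical. rds_superuser exists only on Amazon RDS;
# on self-managed PostgreSQL the query simply never returns it.
PRIVILEGED_ROLES = {"pg_read_all_data", "rds_superuser"}

# Run these against the target database (psql or any driver) to get the rows below.
ROLE_QUERY = """
SELECT rolname, rolsuper, rolcreaterole, rolcanlogin
FROM pg_catalog.pg_roles;
"""
MEMBERSHIP_QUERY = """
SELECT m.rolname AS member, g.rolname AS granted_role
FROM pg_catalog.pg_auth_members am
JOIN pg_catalog.pg_roles m ON m.oid = am.member
JOIN pg_catalog.pg_roles g ON g.oid = am.roleid;
"""

# Constructed sample output of the two queries (not data from a real cluster).
PG_ROLES = [
    # rolname, rolsuper, rolcreaterole, rolcanlogin
    ("postgres", True, True, True),
    ("vault_admin", False, True, True),        # Vault's config user: CREATEROLE to mint dynamic roles
    ("analytics", False, False, False),        # NOLOGIN group role
    ("bi_reader", False, False, True),         # reaches pg_read_all_data through analytics
    ("v-token-readonly-1a2b", False, False, True),  # dynamic role with plain SELECT grants
    ("pg_read_all_data", False, False, False),
]
PG_AUTH_MEMBERS = [
    ("analytics", "pg_read_all_data"),
    ("bi_reader", "analytics"),
]


def effective_roles(member, memberships):
    """Transitive closure of role membership: pg_auth_members is a graph, not a flat list."""
    graph = defaultdict(set)
    for m, g in memberships:
        graph[m].add(g)
    seen, stack = set(), [member]
    while stack:
        current = stack.pop()
        for granted in graph[current]:
            if granted not in seen:
                seen.add(granted)
                stack.append(granted)
    return seen


def audit_privileged_logins(roles, memberships, privileged=PRIVILEGED_ROLES):
    """Return {login_role: [reasons]} for every LOGIN role that is privileged.

    A role is flagged for SUPERUSER, for CREATEROLE (an escalation path in its own
    right), or for inheriting one of `privileged` at any depth. NOLOGIN roles are
    skipped: nobody can connect as them, so their members are what gets audited.
    """
    findings = {}
    for name, rolsuper, rolcreaterole, rolcanlogin in roles:
        if not rolcanlogin:
            continue
        reasons = []
        if rolsuper:
            reasons.append("SUPERUSER")
        if rolcreaterole:
            reasons.append("CREATEROLE")
        for granted in sorted(effective_roles(name, memberships) & privileged):
            reasons.append(f"member of {granted}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for role, reasons in audit_privileged_logins(PG_ROLES, PG_AUTH_MEMBERS).items():
        print(f"{role}: {', '.join(reasons)}")
```

Feeding the real query output into `audit_privileged_logins()` gives the list of accounts that belong behind the vault or session proxy; the dynamic `v-token-*` role is correctly absent because it holds only object-level SELECT grants, which is the point of the `readonly` role definition above.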
## Session Proxy Configuration
| Proxy | Protocol | Feature |
|---|---|---|
| CyberArk PSM | RDP/SSH | Full session recording + keystroke logging |
| Teleport | PostgreSQL/MySQL wire | Query audit logging |
| StrongDM | All major DBs | Just-in-time access + approval workflow |
## NIST 800-53 PAM Controls
| Control | Description |
|---|---|
| AC-2(4) | Automatic audit of account actions |
| AC-6(1) | Authorize access to security functions |
| AC-6(2) | Non-privileged access for non-security functions |
| AC-6(5) | Privileged accounts for privileged functions only |
| AU-9 | Protection of audit information |
## References
- Vault Database Secrets: https://developer.hashicorp.com/vault/docs/secrets/databases
- CyberArk REST API: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Implementing%20Privileged%20Account%20Security%20Web%20Services%20SDK.htm
- NIST SP 800-53 AC-6: https://csf.tools/reference/nist-sp-800-53/r5/ac/ac-6/