creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/implementing-pam-for-database-access/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

77 lines
2.8 KiB
Markdown
Raw Blame History

# API Reference: Implementing PAM for Database Access
## HashiCorp Vault Database Secrets Engine
```bash
# Enable database secrets engine
vault secrets enable database
# Configure PostgreSQL connection
vault write database/config/postgresql \
plugin_name=postgresql-database-plugin \
connection_url="postgresql://{{username}}:{{password}}@db.example.com:5432/mydb" \
allowed_roles="readonly,readwrite" \
username="vault_admin" password="admin_pass"
# Create dynamic credential role
vault write database/roles/readonly \
db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
default_ttl="1h" max_ttl="24h"
# Generate dynamic credentials
vault read database/creds/readonly
```
## hvac Python Client
```python
import hvac
client = hvac.Client(url='http://127.0.0.1:8200', token='s.xxx')
creds = client.secrets.database.generate_credentials('readonly')
# creds['data']['username'], creds['data']['password']
```
## CyberArk Privileged Cloud API
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/api/Accounts?search=database` | GET | List database accounts |
| `/api/Accounts/{id}/Password/Retrieve` | POST | Check out password |
| `/api/Accounts/{id}/CheckIn` | POST | Check in password |
| `/api/LiveSessions` | GET | List active PSM sessions |
| `/api/Recordings` | GET | List session recordings |
## Privileged Database Roles
| Database | Privileged Roles | Risk |
|----------|-----------------|------|
| PostgreSQL | pg_read_all_data, rds_superuser | Critical |
| MySQL | SUPER, ALL PRIVILEGES, GRANT OPTION | Critical |
| Oracle | DBA, SYSDBA, SYSOPER | Critical |
| SQL Server | sysadmin, db_owner, securityadmin | Critical |
## Session Proxy Configuration
| Proxy | Protocol | Feature |
|-------|----------|---------|
| CyberArk PSM | RDP/SSH | Full session recording + keystroke logging |
| Teleport | PostgreSQL/MySQL wire | Query audit logging |
| StrongDM | All major DBs | Just-in-time access + approval workflow |
## NIST 800-53 PAM Controls
| Control | Description |
|---------|-------------|
| AC-2(4) | Automatic audit of account actions |
| AC-6(1) | Authorize access to security functions |
| AC-6(2) | Non-privileged access for non-security functions |
| AC-6(5) | Privileged accounts for privileged functions only |
| AU-9 | Protection of audit information |
### References
- Vault Database Secrets: https://developer.hashicorp.com/vault/docs/secrets/databases
- CyberArk REST API: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Implementing%20Privileged%20Account%20Security%20Web%20Services%20SDK.htm
- NIST SP 800-53 AC-6: https://csf.tools/reference/nist-sp-800-53/r5/ac/ac-6/
Reference in New Issue View Git Blame Copy Permalink