auditing-cloud-cluster-security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Auditing Cloud Cluster Security

云集群安全审计

Assesses the security posture of a CockroachDB Cloud cluster by examining network access controls, authentication and SSO configuration, user authorization, encryption, audit logging, and backup status. Produces a structured PASS/WARN/FAIL report with remediation links for each finding. Supports both CockroachDB Cloud and self-hosted clusters — checks that don't apply to the deployment model are marked N/A.

Read-only audit: All operations are read-only. No cluster state is modified during the assessment.

评估CockroachDB云集群的安全状况，检查内容包括网络访问控制、身份验证与SSO配置、用户授权、加密、审计日志以及备份状态。生成结构化的PASS/WARN/FAIL报告，每个检查结果附带修复链接。支持CockroachDB云托管和自托管集群——不适用于当前部署模式的检查项会标记为N/A。

只读审计： 所有操作均为只读。评估过程中不会修改集群状态。

When to Use This Skill

使用本技能的场景

Preparing for SOC 2, HIPAA, or other compliance reviews
Conducting periodic security posture assessments
Onboarding a new production cluster and validating security baseline
Investigating security configuration gaps after an incident
Reviewing cluster security before a major release or customer onboarding

准备SOC 2、HIPAA或其他合规审查
定期开展安全状况评估
上线新生产集群并验证安全基线
事件发生后排查安全配置漏洞
重大版本发布或客户上线前审查集群安全

Prerequisites

前置条件

Tools:

Tool	Cloud	Self-Hosted	Purpose
`ccloud` CLI	Required	N/A	Cluster metadata, network config, CMEK
`cockroach sql`	Required	Required	SQL security checks
`openssl` (v3+)	Recommended	Recommended	TLS/PQC cipher probing ( `-starttls postgres` )
`sslyze`	Optional	Optional	Comprehensive TLS enumeration ( `--starttls postgres` )

Credentials:

Credential	Cloud	Self-Hosted
`ccloud auth login` session	Required	N/A
SQL connection string	Required (from `ccloud cluster sql --url` )	Required (user provides)
DB username/password	Required (admin or VIEWACTIVITY)	Required (admin or VIEWACTIVITY)
TLS certificates directory	N/A (managed)	Required for cert expiry checks
CA certificate file	N/A	Required for `openssl` TLS probing

See permissions reference for detailed privilege requirements.

工具：

工具	云托管	自托管	用途
`ccloud` CLI	必填	N/A	集群元数据、网络配置、CMEK
`cockroach sql`	必填	必填	SQL安全检查
`openssl` (v3+)	推荐	推荐	TLS/PQC密码探测 ( `-starttls postgres` )
`sslyze`	可选	可选	全面TLS枚举 ( `--starttls postgres` )

凭据：

凭据	云托管	自托管
`ccloud auth login` 会话	必填	N/A
SQL连接字符串	必填（来自 `ccloud cluster sql --url` ）	必填（用户提供）
DB用户名/密码	必填（管理员或VIEWACTIVITY权限）	必填（管理员或VIEWACTIVITY权限）
TLS证书目录	N/A（托管）	必填（用于证书过期检查）
CA证书文件	N/A	必填（用于 `openssl` TLS探测）

详细权限要求请参见权限参考文档。

Security Audit Dimensions

安全审计维度

Dimension	Tool	Checks
Network Security	ccloud	IP allowlists, private endpoints
Authentication & SSO	ccloud + sql	Cloud Console SSO, Database SSO (Cluster SSO), SCIM 2.0 provisioning, auto user provisioning
Authorization	sql	Users, roles, admin grants, PUBLIC privileges
Encryption	ccloud + sql	CMEK status, TLS settings
Audit Logging	sql	Audit log config, session logging
Backup & Recovery	ccloud + sql	Managed backup status, self-managed backup schedules
Cryptographic Posture	sql + openssl + sslyze	TLS version, PQC hybrid cipher support, encryption key size
Cluster Context	ccloud + user input	Deployment model, environment, compliance, data sensitivity
Cluster Configuration	ccloud	Version, plan, regions

维度	工具	检查项
网络安全	ccloud	IP白名单、私有端点
身份验证与SSO	ccloud + sql	云控制台SSO、数据库SSO（集群SSO）、SCIM 2.0配置、自动用户配置
授权	sql	用户、角色、管理员权限授予、PUBLIC权限
加密	ccloud + sql	CMEK状态、TLS设置
审计日志	sql	审计日志配置、会话日志
备份与恢复	ccloud + sql	托管备份状态、自托管备份计划
加密态势	sql + openssl + sslyze	TLS版本、PQC混合密码支持、加密密钥长度
集群上下文	ccloud + 用户输入	部署模式、环境、合规要求、数据敏感度
集群配置	ccloud	版本、套餐、区域

Assessment Workflow

评估流程

Step 0: Verify Prerequisites

步骤0：验证前置条件

Run the following checks to determine which tools are available. The audit proceeds regardless — missing tools degrade specific checks rather than blocking the audit.

Cloud clusters:

bash

undefined

运行以下检查确定可用工具。无论工具是否齐全，审计都会继续——缺少工具只会影响特定检查项，不会阻止审计。

云托管集群：

bash

undefined

Verify ccloud authentication

验证ccloud身份验证

ccloud auth whoami

Verify cluster access

验证集群访问权限

ccloud cluster list -o json


**Both deployment models:**
```bash

ccloud cluster list -o json


**两种部署模式通用：**
```bash

Verify SQL connectivity

验证SQL连接性

cockroach sql --url "<connection-string>" -e "SELECT current_user();"

Check openssl version (v3+ recommended for PQC probes)

检查openssl版本（推荐v3+用于PQC探测）

openssl version

Check sslyze availability

检查sslyze是否可用

which sslyze && sslyze --version


**Report tool availability before proceeding:**

| Tool | Status | Impact if Missing |
|------|--------|-------------------|
| `ccloud` | Available / Missing | Network, CMEK, and managed backup checks skipped (Cloud only) |
| `cockroach sql` | Available / Missing | **All SQL-based checks skipped** — audit severely limited |
| `openssl` (v3+) | Available / Missing | TLS cipher and PQC probing degraded |
| `sslyze` | Available / Missing | Comprehensive TLS enumeration unavailable; falls back to `openssl` |

If `cockroach sql` is unavailable, warn the user that the audit will be limited to `ccloud`-only checks and recommend resolving connectivity before continuing. For missing optional tools (`openssl`, `sslyze`), note which checks will produce incomplete results and proceed.

which sslyze && sslyze --version


**继续前报告工具可用性：**

| 工具 | 状态 | 缺失影响 |
|------|--------|-------------------|
| `ccloud` | 可用/缺失 | 跳过网络、CMEK和托管备份检查（仅云托管） |
| `cockroach sql` | 可用/缺失 | **跳过所有基于SQL的检查**——审计范围严重受限 |
| `openssl` (v3+) | 可用/缺失 | TLS密码和PQC探测功能降级 |
| `sslyze` | 可用/缺失 | 无法进行全面TLS枚举；回退至`openssl` |

如果`cockroach sql`不可用，需警告用户审计将仅限于`ccloud`专属检查项，并建议解决连接问题后再继续。对于缺失的可选工具（`openssl`、`sslyze`），需注明哪些检查项会产生不完整结果，然后继续审计。

Step 1: Gather Cluster Metadata and Confirm Audit Context

步骤1：收集集群元数据并确认审计上下文

Cloud clusters:

bash

undefined

云托管集群：

bash

undefined

List clusters and identify target

列出集群并确定目标集群

ccloud cluster list -o json

Get cluster details (use cluster name or ID)

获取集群详情（使用集群名称或ID）

ccloud cluster info <cluster-name> -o json


**Self-hosted clusters:**
```bash

ccloud cluster info <cluster-name> -o json


**自托管集群：**
```bash

Gather metadata via SQL and cockroach CLI

通过SQL和cockroach CLI收集元数据

cockroach node status --certs-dir=<certs-dir> --host=<host> cockroach sql --url "<connection-string>" -e "SELECT version();"


Record: cluster ID, plan type (Basic/Standard/Advanced or self-hosted), cloud provider, regions, CockroachDB version. See [ccloud commands reference](references/ccloud-commands.md) for Cloud CLI syntax.

**Confirm audit context:** Present auto-detected metadata (cluster name, version, provider, regions, plan) and ask the user to confirm and provide:

1. **Deployment model:** CockroachDB Cloud / self-hosted
2. **Environment:** production / staging / development / sandbox
3. **Compliance frameworks:** SOC 2, HIPAA, PCI DSS, ISO 27001, GDPR, or none
4. **Data sensitivity:** PII/PHI, financial/payment, internal business, public/non-sensitive

**Defaults** (if user confirms without changes): Cloud, production, no compliance, internal business data. Deployment model determines check applicability (below). Environment and compliance calibrate severity (see Severity Adjustments).

cockroach node status --certs-dir=<certs-dir> --host=<host> cockroach sql --url "<connection-string>" -e "SELECT version();"


记录：集群ID、套餐类型（基础版/标准版/高级版或自托管）、云服务商、区域、CockroachDB版本。云托管CLI语法请参见[ccloud命令参考文档](references/ccloud-commands.md)。

**确认审计上下文：** 展示自动检测到的元数据（集群名称、版本、服务商、区域、套餐），并请用户确认及提供以下信息：

1. **部署模式：** CockroachDB云托管 / 自托管
2. **环境：** 生产 / 预发布 / 开发 / 沙箱
3. **合规框架：** SOC 2、HIPAA、PCI DSS、ISO 27001、GDPR或无
4. **数据敏感度：** PII/PHI、财务/支付、内部业务、公开/非敏感

**默认值**（若用户确认无修改）：云托管、生产环境、无合规要求、内部业务数据。部署模式决定检查项的适用性（见下文）。环境和合规要求会调整严重程度（参见严重程度调整）。

Check Applicability by Deployment Model

按部署模式确定检查项适用性

Check	Cloud	Self-Hosted
IP allowlists (ccloud)	Yes (all tiers)	N/A — managed externally via firewall/VPC
Ingress Private Endpoints (ccloud)	Yes (Standard+, Advanced)	N/A
Egress Private Endpoints (ccloud)	Yes (Advanced)	N/A
HBA configuration (SQL)	Yes	Yes — primary network-level auth control
Cloud Console SSO	Yes	N/A
SCIM 2.0	Yes	N/A
Database SSO (OIDC)	Yes	Yes
Database SSO (LDAP/AD)	Yes	Yes
Users & Roles (SQL)	Yes	Yes
Privileges (SQL)	Yes	Yes
CMEK (ccloud)	Yes	N/A — check Enterprise Encryption instead
Enterprise Encryption	N/A	Yes — verify encryption-at-rest via store config
TLS	Always PASS (enforced)	Check — verify certs, expiry, config
TLS 1.3 / PQC / Key Size	Yes (INFO)	Yes (INFO)
Audit Logging (SQL)	Yes	Yes
Managed Backups (ccloud)	Yes (automatic)	N/A
Self-Managed Backups (SQL)	Optional (if managed backups present)	Yes — verify backup schedules exist and are running

Skip N/A checks for the detected deployment model and mark them as

[N/A]

in the report rather than PASS/FAIL.

检查项	云托管	自托管
IP白名单（ccloud）	是（所有套餐）	N/A — 由外部防火墙/VPC管理
入站私有端点（ccloud）	是（标准版+、高级版）	N/A
出站私有端点（ccloud）	是（高级版）	N/A
HBA配置（SQL）	是	是 — 主要网络级身份验证控制
云控制台SSO	是	N/A
SCIM 2.0	是	N/A
数据库SSO（OIDC）	是	是
数据库SSO（LDAP/AD）	是	是
用户与角色（SQL）	是	是
权限（SQL）	是	是
CMEK（ccloud）	是	N/A — 改为检查企业级加密
企业级加密	N/A	是 — 通过存储配置验证静态加密
TLS	始终PASS（强制启用）	检查 — 验证证书、过期时间、配置
TLS 1.3 / PQC / 密钥长度	是（信息项）	是（信息项）
审计日志（SQL）	是	是
托管备份（ccloud）	是（自动）	N/A
自托管备份（SQL）	可选（若存在托管备份）	是 — 验证备份计划存在且运行正常

跳过不适用于当前部署模式的检查项，并在报告中标记为

[N/A]

，而非PASS/FAIL。

Step 2: Assess Network Security

步骤2：评估网络安全

Cloud clusters: Check all three layers based on cluster tier:

bash

undefined

云托管集群： 根据集群套餐检查所有三层：

bash

undefined

IP allowlists (all tiers)

IP白名单（所有套餐）

ccloud cluster networking allowlist list <cluster-id> -o json

Ingress private endpoints (Standard+, Advanced) — via Cloud Console or API

入站私有端点（标准版+、高级版）—— 通过云控制台或API

Cloud Console: Networking > Private endpoint tab

云控制台：网络 > 私有端点标签页

API: GET /api/v1/clusters/{cluster_id}/networking/private-endpoint-connections

API：GET /api/v1/clusters/{cluster_id}/networking/private-endpoint-connections

Egress private endpoints (Advanced only) — via Cloud Console or API

出站私有端点（仅高级版）—— 通过云控制台或API

Cloud Console: Networking > Egress tab

云控制台：网络 > 出站标签页

API: GET /api/v1/clusters/{cluster_id}/networking/egress-endpoints

API：GET /api/v1/clusters/{cluster_id}/networking/egress-endpoints


```sql
-- HBA configuration (all tiers)
SHOW CLUSTER SETTING server.host_based_authentication.configuration;

Evaluate (Cloud):

FAIL if
```
0.0.0.0/0
```
is in the IP allowlist (open to all traffic)
WARN if allowlist contains broad CIDR ranges (e.g.,
```
/8
```
or
```
/16
```
)
WARN if no private endpoints configured on Advanced plan
INFO if private endpoints not available on current tier
PASS if allowlist contains only specific, narrow CIDR ranges or private endpoints are configured

Self-hosted clusters: Check HBA configuration as the primary network-level auth control:

sql

SHOW CLUSTER SETTING server.host_based_authentication.configuration;

Evaluate (self-hosted):

WARN if HBA configuration is empty or default — network security may be managed externally (firewalls, security groups, VPCs), so this is WARN not FAIL
PASS if HBA rules restrict connections by IP, subnet, or auth method


```sql
-- HBA配置（所有套餐）
SHOW CLUSTER SETTING server.host_based_authentication.configuration;

评估（云托管）：

FAIL 若IP白名单中存在
```
0.0.0.0/0
```
（对所有流量开放）
WARN 若白名单包含宽泛的CIDR范围（如
```
/8
```
或
```
/16
```
）
WARN 若高级版套餐未配置私有端点
INFO 若当前套餐不支持私有端点
PASS 若白名单仅包含特定、狭窄的CIDR范围，或已配置私有端点

自托管集群： 将HBA配置作为主要网络级身份验证控制进行检查：

sql

SHOW CLUSTER SETTING server.host_based_authentication.configuration;

评估（自托管）：

WARN 若HBA配置为空或默认值——网络安全可能由外部管理（防火墙、安全组、VPC），因此标记为WARN而非FAIL
PASS 若HBA规则按IP、子网或身份验证方法限制连接

Step 3: Check SSO and SCIM Configuration

步骤3：检查SSO和SCIM配置

For self-hosted clusters, skip Cloud Console SSO and SCIM checks (N/A). Database SSO checks still apply — check OIDC and/or LDAP/AD configuration.

Cloud Console SSO (Cloud Console UI > Organization Settings > Authentication — not via ccloud CLI):

FAIL if SSO is not configured
PASS if SAML or OIDC SSO is enabled and enforced

Database SSO (Cluster SSO) — OIDC:

sql

-- Check if Cluster SSO is enabled for SQL authentication
SHOW CLUSTER SETTING server.oidc_authentication.enabled;
SHOW CLUSTER SETTING server.oidc_authentication.provider_url;

FAIL if
```
server.oidc_authentication.enabled
```
is
```
false
```
PASS if enabled with a valid provider URL

Database SSO — LDAP/AD (Cloud and self-hosted):

sql

-- Check if LDAP authentication is configured via HBA
SHOW CLUSTER SETTING server.host_based_authentication.configuration;
-- Look for ldap auth method entries in the HBA configuration

PASS if HBA contains entries with
```
ldap
```
auth method
INFO if LDAP is not configured (OIDC may be used instead)

SCIM 2.0 (Cloud Console UI > Organization Settings > Authentication > SCIM):

FAIL if SCIM endpoint is not enabled; PASS if enabled and connected to an IdP

Auto user provisioning on Database:

sql

-- Check if SQL users are automatically provisioned from SSO identities
SHOW CLUSTER SETTING server.identity_map.configuration;

FAIL if identity mapping is not configured
PASS if identity mapping routes IdP identities to SQL users

对于自托管集群，跳过云控制台SSO和SCIM检查项（N/A）。数据库SSO检查项仍适用——检查OIDC和/或LDAP/AD配置。

云控制台SSO（云控制台UI > 组织设置 > 身份验证——无法通过ccloud CLI操作）：

FAIL 若未配置SSO
PASS 若已启用并强制使用SAML或OIDC SSO

数据库SSO（集群SSO）—— OIDC：

sql

-- 检查是否为SQL身份验证启用了集群SSO
SHOW CLUSTER SETTING server.oidc_authentication.enabled;
SHOW CLUSTER SETTING server.oidc_authentication.provider_url;

FAIL 若
```
server.oidc_authentication.enabled
```
为
```
false
```
PASS 若已启用且提供了有效的提供商URL

数据库SSO—— LDAP/AD（云托管和自托管）：

sql

-- 通过HBA检查是否配置了LDAP身份验证
SHOW CLUSTER SETTING server.host_based_authentication.configuration;
-- 在HBA配置中查找ldap身份验证方法条目

PASS 若HBA包含带有
```
ldap
```
身份验证方法的条目
INFO 若未配置LDAP（可能使用OIDC替代）

SCIM 2.0（云控制台UI > 组织设置 > 身份验证 > SCIM）：

FAIL 若未启用SCIM端点；PASS 若已启用并连接到身份提供商（IdP）

数据库自动用户配置：

sql

-- 检查是否从SSO身份自动配置SQL用户
SHOW CLUSTER SETTING server.identity_map.configuration;

FAIL 若未配置身份映射
PASS 若身份映射将IdP身份路由到SQL用户

Step 4: Audit Users and Roles

步骤4：审计用户与角色

sql

-- List all users and their roles
SELECT
  username,
  options,
  member_of
FROM [SHOW USERS]
ORDER BY username;

See SQL queries reference for additional role audit queries.

sql

-- 列出所有用户及其角色
SELECT
  username,
  options,
  member_of
FROM [SHOW USERS]
ORDER BY username;

更多角色审计查询请参见SQL查询参考文档。

Step 5: Check Privileges

步骤5：检查权限

sql

-- Count admin role members
SELECT COUNT(*) AS admin_count
FROM [SHOW GRANTS ON ROLE admin];

-- Check PUBLIC role privileges on the current database
-- Note: SHOW GRANTS FOR public is scoped to the current database.
-- Run this query from each application database to get full coverage.
SELECT
  database_name,
  schema_name,
  object_name,
  object_type,
  privilege_type
FROM [SHOW GRANTS FOR public]
WHERE privilege_type NOT IN ('USAGE')
  AND schema_name = 'public'
ORDER BY database_name, object_name;

Important:

SHOW GRANTS FOR public

is scoped to the current database. Run

SHOW DATABASES;

and repeat the query from each database for full coverage.

Evaluate:

FAIL if more than 5 users have admin role
FAIL if PUBLIC has SELECT, INSERT, UPDATE, or DELETE on application tables
WARN if admin count is between 3 and 5
PASS if admin count is 1-2 and PUBLIC has minimal grants

sql

-- 统计管理员角色成员数量
SELECT COUNT(*) AS admin_count
FROM [SHOW GRANTS ON ROLE admin];

-- 检查当前数据库中PUBLIC角色的权限
-- 注意：SHOW GRANTS FOR public 仅作用于当前数据库。
-- 需从每个应用数据库运行此查询以获取完整覆盖范围。
SELECT
  database_name,
  schema_name,
  object_name,
  object_type,
  privilege_type
FROM [SHOW GRANTS FOR public]
WHERE privilege_type NOT IN ('USAGE')
  AND schema_name = 'public'
ORDER BY database_name, object_name;

重要提示：

SHOW GRANTS FOR public

仅作用于当前数据库。运行

SHOW DATABASES;

并从每个数据库重复执行此查询以获取完整覆盖范围。

评估：

FAIL 若超过5个用户拥有管理员角色
FAIL 若PUBLIC角色对应用表拥有SELECT、INSERT、UPDATE或DELETE权限
WARN 若管理员数量在3到5之间
PASS 若管理员数量为1-2且PUBLIC角色仅拥有最小权限

Step 6: Verify Encryption

步骤6：验证加密

CMEK status (Cloud clusters):

bash

undefined

CMEK状态（云托管集群）：

bash

undefined

Check CMEK configuration (Advanced plan with Advanced Security Add-on)

检查CMEK配置（高级版套餐+高级安全附加组件）

ccloud cluster info <cluster-name> -o json

Look for cmek_config in the output

在输出中查找cmek_config


**Evaluate by plan type (Cloud):**
- **Standard plan:** INFO — "Upgrade to Advanced plan with Advanced Security Add-on to enable CMEK"
- **Advanced plan without Advanced Security Add-on:** INFO — "Add Advanced Security Add-on to enable CMEK"
- **Advanced plan with Advanced Security Add-on, CMEK not enabled:** FAIL — CMEK not enabled despite plan supporting it
- **Advanced plan with Advanced Security Add-on, CMEK enabled:** PASS

**Enterprise Encryption (self-hosted — skip CMEK, check this instead):**
```bash


**按套餐类型评估（云托管）：**
- **标准版套餐：** INFO — "升级到高级版套餐并添加高级安全附加组件以启用CMEK"
- **高级版套餐（无高级安全附加组件）：** INFO — "添加高级安全附加组件以启用CMEK"
- **高级版套餐（含高级安全附加组件，未启用CMEK）：** FAIL — 套餐支持但未启用CMEK
- **高级版套餐（含高级安全附加组件，已启用CMEK）：** PASS

**企业级加密（自托管——跳过CMEK，检查此项）：**
```bash

Enterprise Encryption is configured via --enterprise-encryption flag at node startup

企业级加密通过节点启动时的--enterprise-encryption标志配置

cockroach node status --certs-dir=<certs-dir> --host=<host> --format=records

```sql
SHOW CLUSTER SETTING enterprise.encryption.type;

FAIL if not enabled and cluster stores sensitive data
WARN if encryption status cannot be determined
PASS if enabled with AES-256

TLS (Cloud): Always PASS — enforced on all connections.

TLS (self-hosted): Verify certificate validity and expiry (NOT auto-PASS):

bash

cockroach cert list --certs-dir=<certs-dir>
openssl x509 -in <certs-dir>/node.crt -noout -enddate

FAIL if any certificate expires within 30 days
WARN if any certificate expires within 90 days
PASS if all certificates valid with 90+ days remaining

Remediation (self-hosted): managing-tls-certificates

Cryptographic posture (both Cloud and self-hosted — informational only):

bash

undefined

cockroach node status --certs-dir=<certs-dir> --host=<host> --format=records

```sql
SHOW CLUSTER SETTING enterprise.encryption.type;

FAIL 若未启用且集群存储敏感数据
WARN 若无法确定加密状态
PASS 若已启用AES-256加密

TLS（云托管）： 始终PASS——所有连接强制启用TLS。

TLS（自托管）： 验证证书有效性和过期时间（不会自动标记为PASS）：

bash

cockroach cert list --certs-dir=<certs-dir>
openssl x509 -in <certs-dir>/node.crt -noout -enddate

FAIL 若任何证书在30天内过期
WARN 若任何证书在90天内过期
PASS 若所有证书有效且剩余有效期超过90天

修复方案（自托管）： 管理TLS证书

加密态势（云托管和自托管——仅信息项）：

bash

undefined

Primary: sslyze with STARTTLS postgres (if available)

首选：使用sslyze并启用STARTTLS postgres（若可用）

sslyze <host>:26257 --starttls postgres

Supplementary: openssl with STARTTLS postgres

补充：使用openssl并启用STARTTLS postgres

openssl s_client -connect <host>:26257 -starttls postgres -showcerts -tlsextdebug 2>&1

PQC probe: offer ML-KEM hybrid, check if server accepts

PQC探测：提供ML-KEM混合密码，检查服务器是否接受

openssl s_client -connect <host>:26257 -starttls postgres -groups X25519MLKEM768:x25519 2>&1

- **INFO** — TLS version (should be TLS 1.3; note if TLS 1.2 only)
- **INFO** — PQC hybrid cipher support (e.g., X25519MLKEM768) — emerging, not yet a FAIL condition
- **INFO** — Encryption key size (check for AES-256; note if AES-128)

> **Note:** CockroachDB uses PostgreSQL wire protocol, so `openssl s_client` requires `-starttls postgres` to negotiate TLS correctly. Without this flag, the connection will fail. `sslyze` similarly requires `--starttls postgres`.

openssl s_client -connect <host>:26257 -starttls postgres -groups X25519MLKEM768:x25519 2>&1

- **INFO** — TLS版本（应为TLS 1.3；若仅支持TLS 1.2需注明）
- **INFO** — PQC混合密码支持（如X25519MLKEM768）——新兴技术，暂不标记为FAIL
- **INFO** — 加密密钥长度（检查是否为AES-256；若为AES-128需注明）

> **注意：** CockroachDB使用PostgreSQL wire协议，因此`openssl s_client`需要`-starttls postgres`才能正确协商TLS。若无此标志，连接将失败。`sslyze`同样需要`--starttls postgres`。

Step 7: Check Audit Logging

步骤7：检查审计日志

sql

-- Check audit log configuration
SHOW CLUSTER SETTING sql.log.user_audit;

-- Check admin audit logging
SHOW CLUSTER SETTING sql.log.admin_audit.enabled;

Evaluate:

FAIL if

sql.log.user_audit

is empty and

sql.log.admin_audit.enabled

false

WARN if only admin audit is enabled but user audit is not configured
PASS if both user and admin audit logging are configured

sql

-- 检查审计日志配置
SHOW CLUSTER SETTING sql.log.user_audit;

-- 检查管理员审计日志
SHOW CLUSTER SETTING sql.log.admin_audit.enabled;

评估：

FAIL 若

sql.log.user_audit

为空且

sql.log.admin_audit.enabled

为

false

WARN 若仅启用管理员审计但未配置用户审计
PASS 若同时配置了用户和管理员审计日志

Step 8: Assess Backup Status

步骤8：评估备份状态

Cloud clusters: Managed backups are automatic — always PASS. Optionally check for self-managed schedules:

bash

ccloud cluster info <cluster-name> -o json  # Look for backup_config

sql

SHOW SCHEDULES;  -- Check for additional self-managed backup schedules

Self-hosted clusters: No managed backups — verify self-managed backup schedules:

sql

SHOW SCHEDULES;
SELECT id, label, schedule_status, next_run, created
FROM [SHOW SCHEDULES]
WHERE label ILIKE '%backup%' OR command @> '{"backup":{}}';

FAIL if no backup schedules exist
WARN if schedules exist but show errors or haven't run recently
PASS if schedules are active and running

Remediation (self-hosted):

sql

CREATE SCHEDULE 'nightly-full-backup'
  FOR BACKUP INTO 'gs://bucket/backups'
  RECURRING '@daily'
  WITH SCHEDULE OPTIONS first_run = 'now';

云托管集群： 托管备份为自动执行——始终PASS。可选择性检查自托管备份计划：

bash

ccloud cluster info <cluster-name> -o json  # 查找backup_config

sql

SHOW SCHEDULES;  # 检查额外的自托管备份计划

自托管集群： 无托管备份——验证自托管备份计划：

sql

SHOW SCHEDULES;
SELECT id, label, schedule_status, next_run, created
FROM [SHOW SCHEDULES]
WHERE label ILIKE '%backup%' OR command @> '{"backup":{}}';

FAIL 若不存在备份计划
WARN 若计划存在但显示错误或近期未运行
PASS 若计划处于活跃状态且运行正常

修复方案（自托管）：

sql

CREATE SCHEDULE 'nightly-full-backup'
  FOR BACKUP INTO 'gs://bucket/backups'
  RECURRING '@daily'
  WITH SCHEDULE OPTIONS first_run = 'now';

Pass/Warn/Fail Criteria

PASS/WARN/FAIL判定标准

Check	PASS	WARN	FAIL
IP Allowlist	Specific CIDRs only	Broad ranges (/8, /16)	`0.0.0.0/0` present
Cloud Console SSO	SSO enabled + enforced	SSO enabled, not enforced	Not configured
Database SSO	Cluster SSO enabled	—	Not configured
SCIM 2.0	SCIM enabled + connected	—	Not enabled
DB Auto User Provisioning	Identity mapping configured	—	Not configured
Admin Users	1-2 admins	3-5 admins	6+ admins
PUBLIC Privileges	No data grants	USAGE-only grants	SELECT/INSERT/UPDATE/DELETE
CMEK (Standard)	N/A	—	— (INFO: upgrade path)
CMEK (Advanced + Security Add-on)	CMEK enabled	—	Not enabled
Enterprise Encryption (self-hosted)	AES-256 enabled	Cannot determine	Not enabled (sensitive data)
TLS (self-hosted)	Certs valid 90+ days	Certs expire in 30-90 days	Certs expire within 30 days
TLS 1.3 / PQC / Key Size	—	—	— (INFO only)
HBA (self-hosted)	Restrictive rules	Empty/default	—
Audit Logging	User + admin audit on	Admin audit only	Disabled
Password Policy	min length >= 12	min length 8-11	min length < 8
Backups (Cloud)	N/A	—	— (INFO: managed)
Backups (self-hosted)	Schedules active	Schedules have errors	No schedules exist

检查项	PASS	WARN	FAIL
IP白名单	仅包含特定CIDR	宽泛范围（/8, /16）	存在 `0.0.0.0/0`
云控制台SSO	已启用并强制使用	已启用但未强制使用	未配置
数据库SSO	集群SSO已启用	—	未配置
SCIM 2.0	已启用并连接	—	未启用
DB自动用户配置	已配置身份映射	—	未配置
管理员用户	1-2名管理员	3-5名管理员	6名及以上管理员
PUBLIC权限	无数据访问权限	仅拥有USAGE权限	拥有SELECT/INSERT/UPDATE/DELETE权限
CMEK（标准版）	N/A	—	—（信息项：升级路径）
CMEK（高级版+安全附加组件）	已启用CMEK	—	未启用
企业级加密（自托管）	已启用AES-256	无法确定状态	未启用（存储敏感数据）
TLS（自托管）	证书有效期>90天	证书有效期30-90天	证书有效期<30天
TLS 1.3 / PQC / 密钥长度	—	—	—（仅信息项）
HBA（自托管）	规则具有限制性	为空或默认值	—
审计日志	用户+管理员审计已开启	仅开启管理员审计	已禁用
密码策略	最小长度≥12	最小长度8-11	最小长度<8
备份（云托管）	N/A	—	—（信息项：托管）
备份（自托管）	计划活跃运行	计划存在错误	无备份计划

Severity Adjustments by Environment

按环境调整严重程度

Severity is calibrated for production by default. Non-production environments downgrade some findings. Compliance requirements override downgrades.

Check	Production	Staging	Development	Sandbox
IP allowlist `0.0.0.0/0` (Cloud)	FAIL	FAIL	WARN	WARN
No private endpoints on Advanced (Cloud)	WARN	WARN	INFO	INFO
Empty HBA conf (self-hosted)	WARN	WARN	INFO	INFO
SSO not configured	FAIL	FAIL	INFO	INFO
SCIM not enabled	FAIL	FAIL	INFO	INFO
Database SSO disabled	FAIL	FAIL	INFO	INFO
Admin count 6+	FAIL	FAIL	WARN	WARN
CMEK not enabled (Cloud)	FAIL	FAIL	WARN	WARN
Enterprise Encryption not enabled (self-hosted)	FAIL	FAIL	WARN	WARN
Audit logging disabled	FAIL	FAIL	WARN	INFO
No backup schedules (self-hosted)	FAIL	FAIL	WARN	INFO

Compliance overrides — these checks cannot be downgraded when a compliance framework is specified (compliance takes precedence over environment):

Framework	Non-Downgradable Checks
SOC 2	SSO, audit logging, admin users, password policy
HIPAA	SSO, CMEK/Enterprise Encryption, audit logging, encryption, password policy, backups
PCI DSS	IP allowlist/HBA, CMEK/Enterprise Encryption, audit logging, admin users, password policy, backups
ISO 27001	SSO, audit logging, admin users
GDPR	Audit logging, encryption

Annotations:

*(downgraded from FAIL — development cluster)*

*(PCI DSS compliance — cannot downgrade)*

默认针对生产环境校准严重程度。非生产环境会降低部分检查结果的严重程度。合规要求会覆盖降级规则。

检查项	生产环境	预发布环境	开发环境	沙箱环境
IP白名单 `0.0.0.0/0` （云托管）	FAIL	FAIL	WARN	WARN
高级版未配置私有端点（云托管）	WARN	WARN	INFO	INFO
HBA配置为空（自托管）	WARN	WARN	INFO	INFO
未配置SSO	FAIL	FAIL	INFO	INFO
未启用SCIM	FAIL	FAIL	INFO	INFO
数据库SSO已禁用	FAIL	FAIL	INFO	INFO
管理员数量≥6	FAIL	FAIL	WARN	WARN
未启用CMEK（云托管）	FAIL	FAIL	WARN	WARN
未启用企业级加密（自托管）	FAIL	FAIL	WARN	WARN
审计日志已禁用	FAIL	FAIL	WARN	INFO
无备份计划（自托管）	FAIL	FAIL	WARN	INFO

合规覆盖——指定合规框架时，以下检查项无法降级（合规优先于环境）：

框架	不可降级检查项
SOC 2	SSO、审计日志、管理员用户、密码策略
HIPAA	SSO、CMEK/企业级加密、审计日志、加密、密码策略、备份
PCI DSS	IP白名单/HBA、CMEK/企业级加密、审计日志、管理员用户、密码策略、备份
ISO 27001	SSO、审计日志、管理员用户
GDPR	审计日志、加密

注释：

*(从FAIL降级——开发集群)*

或

*(PCI DSS合规——无法降级)*

Report Format

报告格式

Save each audit report to

reports/security-audit-<cluster-name>-<YYYY-MM-DD>-<sequence>.md

(gitignored, local-only). The

reports/

directory is not committed to version control — it serves as a local log for historical comparison and remediation tracking.

Generate a markdown report with the following structure:

undefined

将每份审计报告保存至

reports/security-audit-<cluster-name>-<YYYY-MM-DD>-<sequence>.md

（已加入git忽略，仅本地存储）。

reports/

目录不会提交到版本控制——仅作为本地日志用于历史对比和修复跟踪。

生成包含以下结构的Markdown报告：

undefined

Security Audit Report — <Cluster Name>

安全审计报告 — <集群名称>

日期： YYYY-MM-DD 集群ID： <cluster-id> 套餐： 标准版 | 高级版 | 自托管 CockroachDB版本： vXX.X.X 区域： us-east-1, us-west-2 部署模式： CockroachDB云托管 | 自托管 环境： 生产 | 预发布 | 开发 | 沙箱 合规要求： SOC 2, PCI DSS | （未指定） 数据敏感度： PII/PHI | 财务 | 内部 | 公开

Summary

摘要

Status	Count
PASS	X
WARN	X
FAIL	X
INFO	X
N/A	X

状态	数量
PASS	X
WARN	X
FAIL	X
INFO	X
N/A	X

Findings

检查结果

Network Security

网络安全

[PASS|WARN|FAIL|N/A] IP allowlist: <details>
[PASS|WARN|INFO|N/A] Private endpoints: <details>
[PASS|WARN|N/A] HBA configuration: <details>

[PASS|WARN|FAIL|N/A] IP白名单：<详情>
[PASS|WARN|INFO|N/A] 私有端点：<详情>
[PASS|WARN|N/A] HBA配置：<详情>

Authentication & SSO

身份验证与SSO

[PASS|FAIL|N/A] Cloud Console SSO: <details>
[PASS|FAIL] Database SSO (OIDC): <details>
[PASS|INFO] Database SSO (LDAP/AD): <details>
[PASS|FAIL|N/A] SCIM 2.0 provisioning: <details>
[PASS|FAIL] Auto user provisioning: <details>

[PASS|FAIL|N/A] 云控制台SSO：<详情>
[PASS|FAIL] 数据库SSO（OIDC）：<详情>
[PASS|INFO] 数据库SSO（LDAP/AD）：<详情>
[PASS|FAIL|N/A] SCIM 2.0配置：<详情>
[PASS|FAIL] 自动用户配置：<详情>

Authorization

授权

[PASS|WARN|FAIL] Admin user count: X users with admin role
[PASS|FAIL] PUBLIC role privileges: <details>

[PASS|WARN|FAIL] 管理员用户数量：X名用户拥有管理员角色
[PASS|FAIL] PUBLIC角色权限：<详情>

Encryption

加密

[PASS|FAIL|INFO|N/A] CMEK: <details>
[PASS|FAIL|WARN|N/A] Enterprise Encryption: <details>
[PASS|FAIL|N/A] TLS: <details>
[INFO] Cryptographic posture: TLS version, PQC support, key size

[PASS|FAIL|INFO|N/A] CMEK：<详情>
[PASS|FAIL|WARN|N/A] 企业级加密：<详情>
[PASS|FAIL|N/A] TLS：<详情>
[INFO] 加密态势：TLS版本、PQC支持、密钥长度

Audit Logging

审计日志

[PASS|WARN|FAIL] Audit log configuration: <details>

[PASS|WARN|FAIL] 审计日志配置：<详情>

Backup & Recovery

备份与恢复

[PASS|INFO|N/A] Managed backups: <details>
[PASS|WARN|FAIL|N/A] Self-managed backups: <details>

[PASS|INFO|N/A] 托管备份：<详情>
[PASS|WARN|FAIL|N/A] 自托管备份：<详情>

Cluster Configuration

集群配置

[INFO] Version: vXX.X.X
[INFO] Plan: Standard | Advanced | Self-hosted
[INFO] Regions: <list>


**Status markers:** `[PASS]`, `[WARN]`, `[FAIL]`, `[INFO]`, `[N/A]`. Use `[N/A]` for checks that don't apply to the deployment model. Append severity adjustment annotations when applicable (see Severity Adjustments).

[INFO] 版本：vXX.X.X
[INFO] 套餐：标准版 | 高级版 | 自托管
[INFO] 区域：<列表>


**状态标记：** `[PASS]`、`[WARN]`、`[FAIL]`、`[INFO]`、`[N/A]`。对不适用于当前部署模式的检查项使用`[N/A]`。适用时附加严重程度调整注释（参见严重程度调整）。

Remediation

修复方案

For each finding, the corresponding remediation skill can be used independently:

Finding	Remediation Skill
Open IP allowlist	configuring-ip-allowlists
SSO not configured / SCIM not enabled	configuring-sso-and-scim
CMEK not enabled	enabling-cmek-encryption
Audit logging disabled	configuring-audit-logging
Excessive admin privileges	hardening-user-privileges
Weak password policy	enforcing-password-policies
TLS/certificate issues	managing-tls-certificates
No private connectivity	configuring-private-connectivity
Log export not configured	configuring-log-export
Compliance gaps	preparing-compliance-documentation

For each FAIL finding, offer: "Explain how to fix this" (step-by-step guidance) or "Help me fix this now" (interactive remediation).

每个检查结果都对应独立的修复技能：

检查结果	修复技能
开放IP白名单	配置IP白名单
未配置SSO / 未启用SCIM	配置SSO和SCIM
未启用CMEK	启用CMEK加密
审计日志已禁用	配置审计日志
管理员权限过大	强化用户权限
密码策略薄弱	强制密码策略
TLS/证书问题	管理TLS证书
无私有连接	配置私有连接
未配置日志导出	配置日志导出
合规差距	准备合规文档

对于每个FAIL结果，提供："说明如何修复此问题"（分步指导）或**"帮我立即修复此问题"**（交互式修复）。

Safety Considerations

安全注意事项

All operations are read-only. No cluster settings, users, roles, or network configurations are modified during the audit.
SQL queries use SHOW and SELECT only. No DDL or DML statements are executed.
ccloud commands are read-only. Only
```
list
```
,
```
info
```
, and
```
auth
```
subcommands are used.
No secrets are logged. Connection strings and tokens are not included in the report output.
Privilege check: The audit may produce incomplete results if the executing user lacks admin or VIEWACTIVITY privilege. The report notes any permission gaps.

所有操作均为只读。 审计过程中不会修改集群设置、用户、角色或网络配置。
SQL查询仅使用SHOW和SELECT语句。 不会执行任何DDL或DML语句。
ccloud命令均为只读。 仅使用
```
list
```
、
```
info
```
和
```
auth
```
子命令。
不会记录机密信息。 连接字符串和令牌不会包含在报告输出中。
权限检查： 若执行用户缺少管理员或VIEWACTIVITY权限，审计可能产生不完整结果。报告会注明任何权限缺口。

References

参考文档

Skill references:

Sample audit report — Example report with findings and remediation links
SQL queries for security auditing
ccloud CLI commands
RBAC and privileges setup

Remediation skills:

configuring-ip-allowlists — Network access hardening
enabling-cmek-encryption — Customer-managed encryption keys
configuring-audit-logging — SQL audit logging
hardening-user-privileges — RBAC tightening
enforcing-password-policies — Password strength enforcement
configuring-sso-and-scim — SSO and SCIM provisioning
managing-tls-certificates — TLS certificate management
configuring-private-connectivity — Private endpoints and VPC peering
configuring-log-export — Log and metric export
preparing-compliance-documentation — Compliance readiness and documentation

Official CockroachDB Documentation:

技能参考：

示例审计报告 — 包含检查结果和修复链接的示例报告
安全审计SQL查询
ccloud CLI命令
RBAC和权限设置

修复技能：

配置IP白名单 — 网络访问强化
启用CMEK加密 — 客户管理加密密钥
配置审计日志 — SQL审计日志
强化用户权限 — RBAC收紧
强制密码策略 — 密码强度强制
配置SSO和SCIM — SSO和SCIM配置
管理TLS证书 — TLS证书管理
配置私有连接 — 私有端点和VPC对等连接
配置日志导出 — 日志和指标导出
准备合规文档 — 合规就绪和文档

官方CockroachDB文档：