finding-security-misconfigurations

# Finding Security Misconfigurations

## Overview

Scan infrastructure-as-code templates, application configuration files, and system settings to detect security misconfigurations mapped to OWASP A05:2021 (Security Misconfiguration) and CIS Benchmarks. Cover cloud resources (AWS, GCP, Azure), container orchestration (Kubernetes, Docker), web servers (Nginx, Apache), and application frameworks.

## Prerequisites

- Infrastructure-as-code files accessible in `${CLAUDE_SKILL_DIR}/` (Terraform `.tf`, CloudFormation `.yaml/.json`, Ansible playbooks, Kubernetes manifests)
- Application configuration files available (`application.yml`, `config.json`, `.env.example`, `web.config`)
- Container definitions (`Dockerfile`, `docker-compose.yml`, Helm charts)
- Web server configs (`nginx.conf`, `httpd.conf`, `.htaccess`) if applicable
- Write permissions for findings output in `${CLAUDE_SKILL_DIR}/security-findings/`
- Optional: `tfsec`, `checkov`, or `trivy config` installed for automated pre-scanning

## Instructions

1. Discover all configuration files by scanning `${CLAUDE_SKILL_DIR}/` for IaC templates (`.tf`, `.yaml`, `.json`, `.template`), application configs, container definitions, and web server configs.
2. **Cloud storage**: check for publicly accessible S3 buckets, unencrypted storage accounts, missing versioning, and overly permissive bucket policies (CIS AWS 2.1.1, 2.1.2).
3. **Network security**: flag security groups allowing `0.0.0.0/0` ingress on sensitive ports (22, 3389, 3306, 5432, 27017), missing VPC flow logs, and absent network segmentation.
4. **IAM and access**: detect wildcard (`*`) permissions in IAM policies, service accounts with admin privileges, missing MFA enforcement, and hardcoded credentials in source (CWE-798).
5. **Compute resources**: identify EC2/VM instances with unnecessary public IPs, unencrypted volumes, missing IMDSv2 enforcement, and outdated base images.
6. **Database security**: flag publicly accessible RDS/Cloud SQL instances, missing encryption at rest, disabled automated backups, default ports exposed without IP restrictions.
7. **Application config**: detect debug mode enabled in production, default credentials, CORS wildcard (`*`), missing CSRF protection, disabled authentication endpoints, and API keys in config files.
8. **Container security**: check for containers running as root, missing resource limits, `privileged: true`, writable root filesystems, and images without pinned digests.
9. Classify each finding: **Critical** (immediate exploitation risk), **High** (significant security impact), **Medium** (configuration weakness), **Low** (best practice violation).
10. Generate findings report at `${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.md` with per-finding severity, CIS/CWE mapping, affected file and line, remediation code, and verification command.

See `${CLAUDE_SKILL_DIR}/references/implementation.md` for the full six-section implementation guide covering IaC, application, and system checks.

## Output

- **Findings Report**: `${CLAUDE_SKILL_DIR}/security-findings/misconfig-YYYYMMDD.md` with all misconfigurations categorized by severity
- **Remediation Plan**: minimal-change fixes with before/after config snippets and verification commands
- **Compliance Mapping**: each finding linked to CIS Benchmark, OWASP, or CWE reference
- **Summary Dashboard**: finding counts by severity and category

## Error Handling

| Error | Cause | Solution |
|-------|-------|----------|
| Syntax error in `${CLAUDE_SKILL_DIR}/terraform/main.tf` | Malformed HCL, YAML, or JSON | Validate file syntax first; skip malformed files and note parse errors in report |
| Cannot determine cloud provider from configuration | Missing provider blocks or ambiguous file structure | Look for provider blocks and file naming conventions; fall back to generic security checks |
| Cannot read encrypted configuration | SOPS-encrypted or binary config files | Request decrypted version or exported config; document inability to audit |
| Too many config files (500+) | Large monorepo or multi-service project | Prioritize by file type: IaC first, then app configs, then system configs |
| Flagged configuration is intentional (dev environment) | False positive in non-production context | Support environment-specific exception rules; allow `.securityignore` overrides |

## Examples

- "Scan Terraform files in `${CLAUDE_SKILL_DIR}/` for overly permissive security groups and IAM wildcard policies."
- "Review Kubernetes manifests for insecure defaults: privileged containers, missing resource limits, and root execution."
- "Audit the Nginx and application configs for debug mode, information disclosure, and missing security headers."

## Resources

- CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/
- OWASP IaC Security Cheatsheet: https://cheatsheetseries.owasp.org/cheatsheets/Infrastructure_as_Code_Security_Cheatsheet.html
- OWASP A05:2021 Security Misconfiguration: https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- tfsec (Terraform scanner): https://github.com/aquasecurity/tfsec
- Checkov (multi-cloud IaC scanner): https://www.checkov.io/
- CWE-16 Configuration: https://cwe.mitre.org/data/definitions/16.html
- `${CLAUDE_SKILL_DIR}/references/errors.md` -- full error handling reference
- `${CLAUDE_SKILL_DIR}/references/examples.md` -- additional usage examples
- https://intentsolutions.io