couchbase-security-hardeninglisted

# Couchbase Security Hardening A skill for *hardening* Couchbase deployments — TLS, RBAC, audit logging, encryption at rest, external authentication, network isolation, and compliance alignment. Distinct from: - `couchbase-mcp` — calling the security tools (`admin_user_*`, `admin_encryption_*`, etc.) - `couchbase-app-integration` — TLS/mTLS configuration in SDK client code ## When this skill applies - "How do I secure Couchbase for production?" - "How do I set up TLS / enforce TLS-only connections?" - "How do I integrate Couchbase with LDAP / Active Directory?" - "How do I design RBAC for my team?" - "What audit logging should I enable?" - "How do I enable encryption at rest (DARE)?" - "What's KMIP and when do I need it?" - "How do I harden Couchbase for SOC2 / HIPAA / PCI?" - "How do I configure password policy and account lockout?" ## Pick the right reference | Question | Read | |---|---| | "TLS — enabling, certificate rotation, enforcing TLS-only, mTLS" | `references/tls.md` | | "RBAC — role design, least-privilege, service accounts, group structure" | `references/rbac.md` | | "External auth — LDAP, Active Directory, SAML, PAM" | `references/external-auth.md` | | "Audit logging — what to enable, log rotation, SIEM integration" | `references/audit-logging.md` | | "Encryption at rest — DARE, KMIP, key rotation" | `references/encryption-at-rest.md` | | "Network hardening — ports, firewall rules, node-to-node TLS" | `references/network-hardening.md` | ## Security harden