Install: claude install-skill hlsitechio/claude-skills-security
# Redis Security Audit
Audit the Redis deployment and the application's use of it. Redis's historical defaults were weak (no authentication, plaintext TCP); current versions ship safer defaults, but a hardened deployment still requires explicit configuration.
## When this skill applies
- Reviewing Redis server configuration (`redis.conf`)
- Auditing client library usage and connection handling
- Reviewing key naming/namespacing for tenant isolation
- Checking Lua scripts (EVAL) for safety
- Reviewing pub/sub channel scoping
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
# Client libraries (Node: package.json; Python: requirements.txt / pyproject.toml)
grep -E '"(ioredis|redis|@redis/client|@upstash/redis)":' package.json 2>/dev/null
grep -iE '^(redis|hiredis|aioredis)([^a-zA-Z0-9_-]|$)' requirements.txt pyproject.toml 2>/dev/null
# Connection strings (redis:// is plaintext, rediss:// is TLS); '.' already covers src/
grep -rnE 'rediss?://' . --include='*.js' --include='*.ts' --include='*.py' 2>/dev/null
```
### Phase 2: Inventory
```bash
# Key patterns: quoted "prefix:..." strings next to Redis calls
grep -rnE '"[a-zA-Z]+:[^"]*"' src/ | grep -iE 'set\(|get\(|hset|hget|lpush|rpush' | head -20
# Lua scripts ('eval\(' also matches language-level eval, so review the hits)
grep -rnE 'EVAL|eval\(|evalsha' src/ | head
# Pub/sub
grep -rnE 'p?subscribe|publish' src/
# redis.conf if present (find avoids relying on bash globstar for **)
find . -name 'redis.conf' -not -path '*/node_modules/*' 2>/dev/null
```
### Phase 3: Detection — the checks
#### Network exposure
- **RDS-NET-1** Redis bound to localhost or VPN-only interface; `bind 0.0.0.0` only with firewall enforcing isolation.
- **RDS-NET-2** `protected-mode yes` (default in modern versions). When no `bind` and no password are configured, refuses connections from non-loopback addresses.
- **RDS-NET-3** Port not exposed to p
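As an added example (not part of the skill or its shared workflow), the script below automates RDS-NET-1 and RDS-NET-2 as a static check of a `redis.conf`: it takes the last occurrence of each directive as the effective value, as Redis does, flags a missing or non-loopback `bind` and an explicit `protected-mode no`, and warns where protected mode is inert because `bind` is set explicitly. The function names, the `FAIL`/`WARN` output format and the sample configs used in testing are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example for RDS-NET-1 / RDS-NET-2 (not part of the skill): a static
# check of redis.conf. Redis takes the last occurrence of a directive as the
# effective value, so the parser does the same and ignores comment lines.

# conf_value FILE DIRECTIVE: print the effective value of DIRECTIVE, or nothing.
conf_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }                      # comment line
    NF >= 2 && tolower($1) == key {
      $1 = ""; sub(/^[[:space:]]+/, ""); val = $0  # everything after the keyword
    }
    END { if (val != "") print val }
  ' "$1"
}

# audit_redis_conf FILE: print one "FAIL <check> <reason>" line per finding
# (plus uncounted WARN lines); return the number of FAIL findings.
audit_redis_conf() {
  local conf="$1" bind protected addr exposed="" findings=0 had_f=0

  bind=$(conf_value "$conf" bind)
  protected=$(conf_value "$conf" protected-mode)

  # RDS-NET-1: anything other than loopback addresses needs a firewall review.
  # Redis accepts an optional leading '-' ("ignore if the address is
  # unavailable"), so both forms are recognised as loopback.
  if [ -z "$bind" ]; then
    echo "FAIL RDS-NET-1 no bind directive: Redis listens on all interfaces"
    findings=$((findings + 1))
  else
    case $- in *f*) had_f=1 ;; esac
    set -f                                  # keep "bind *" from globbing filenames
    for addr in $bind; do
      case "$addr" in
        127.*|-127.*|::1|-::1|localhost|-localhost) ;;   # loopback
        *) exposed="$exposed $addr" ;;
      esac
    done
    [ "$had_f" -eq 1 ] || set +f
    if [ -n "$exposed" ]; then
      echo "FAIL RDS-NET-1 bind reaches non-loopback address(es):$exposed (verify firewall isolation)"
      findings=$((findings + 1))
    fi
  fi

  # RDS-NET-2: protected-mode defaults to yes, so only an explicit "no" fails.
  if [ "$protected" = "no" ]; then
    echo "FAIL RDS-NET-2 protected-mode is disabled"
    findings=$((findings + 1))
  elif [ -n "$exposed" ]; then
    # Protected mode only engages when no bind directive (and no password) is
    # configured, so with an explicit non-loopback bind it adds no protection.
    echo "WARN RDS-NET-2 protected-mode is inert once bind is set explicitly; rely on auth and firewalling"
  fi

  return "$findings"
}

# Stand-alone use: audit_redis_conf.sh /path/to/redis.conf
if [ -n "${1:-}" ]; then
  audit_redis_conf "$1"
fi
```

The exit status equals the number of failed checks, so the script drops into a CI step or the Phase 2 inventory loop without extra parsing; a `bind` listing only `127.0.0.1` and `-::1` with protected mode left at its default passes cleanly.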