Web Server Security Reviewer
Phase 1 web server (nginx / apache, Linux-centric) security configuration review. Validates the target with target_profile.yaml, verifies evidence integrity via MANIFEST.txt + manifest_attestation.txt, and performs read-only inspection across 9 axes either over SSH or against a pre-collected manifest. Windows / IIS hard-fails in v1.
No API Required
Download Skill Package (.skill) View Source on GitHub
Table of Contents
1. Overview
Performs a structured Phase 1 security configuration review of a Linux web server running nginx or apache. Two evidence-collection modes are supported:
- Direct SSH (read-only) — connect with witness approval and run only commands explicitly allowed by the 6-tier guardrail catalog.
- Pre-collected manifest — receive a
MANIFEST.txt(SHA256-listed evidence) and amanifest_attestation.txt(truthfulness attestation) and verify integrity before review.
Findings are scored across three axes (Exploitability × Blast Radius × Service Criticality). Items that cannot be confirmed from the available evidence are not silently dropped — they are managed through observation_status so reviewers and stakeholders can see exactly what is verified vs. unverified. The skill enforces a self-review pass before finalization. Windows / IIS targets hard-fail in v1.
2. Prerequisites
- Python 3.9+ with PyYAML
- For SSH mode: bastion / jump-host approval, witness availability, read-only credentials
- For manifest mode:
MANIFEST.txt,manifest_attestation.txt, and the referenced evidence files - Target: Linux (RHEL family primary; nginx or apache). Windows / IIS is out of scope in v1.
3. Quick Start
# Install the skill locally
make install SKILL=web-server-security-reviewer
# Or fetch the .skill package
curl -L -o web-server-security-reviewer.skill \
https://github.com/takusaotome/claude-skills-library/raw/main/skill-packages/web-server-security-reviewer.skill
# Internal verification (17 PASS expected)
cd skills/web-server-security-reviewer && python3 scripts/verify_skill.py
Then in Claude Code, describe the target (target profile, evidence mode) and the skill will guide you through the workflow.
4. How It Works
- Scope & target_profile — fix the target via
assets/target_profile_template.yaml(host role, OS family, web server, environment). - Integrity gate — for manifest mode, validate every file’s SHA256 against
MANIFEST.txt, and confirmmanifest_attestation.txttruthfulness level. - 9-axis scan — execute checks defined in
references/checklist_9axes.yaml: OS / Resources / Logs / Network / Services / Authentication / Monitoring / Backup / Certificates. - Guardrail enforcement — every command is filtered through 6 tiers:
allowed,conditional,conditional_sensitive,ask-first,exceptional_sensitive_read,forbidden. 21 forbidden commands are explicitly enumerated. - Severity scoring — each finding gets Exploitability + Blast Radius + Service Criticality; unverifiable items go to
observation_status. - Self-review — mandatory pass using
assets/self_review_template.mdbefore report finalization. - Output — populated report, action plan, and finding table; raw evidence kept separate from the report directory.
5. Usage Examples
- Pre-go-live hardening review of a public-facing nginx server
- Periodic posture audit of internal apache servers without direct SSH access (manifest mode)
- Reviewing third-party-provided evidence dumps with integrity proof
- Documenting unverified items via
observation_statusfor follow-up scope - Generating an action plan ready for ops handoff
6. Understanding the Output
- Report (
assets/report_template.md) — narrative review with findings, severity, and recommendations - Action plan (
assets/action_plan_template.md) — prioritized remediation work - Finding table (
assets/finding_table_template.md) — structured table for ticket import - Self-review (
assets/self_review_template.md) — completed before finalization - Evidence directory layout (
assets/evidence_directory_layout.md) — mandates separation ofevidence_dir/andraw_evidence_store/
Each finding is one of: confirmed (verified from evidence), observed-pending (managed unverified state), or out-of-scope (e.g. Windows/IIS hard-fail).
7. Tips & Best Practices
- Do not run any command outside the
command_reference.yamlcatalog without escalation; the catalog is the contract with the witness. - Treat
observation_statusas a feature, not a workaround — silent omission of unverifiable findings is a quality gap. - Keep raw evidence (full configs, key material) in
raw_evidence_store/and never embed it directly in the report. - For manifest mode, refuse to proceed if attestation level is below the documented threshold (
references/secret_masking.mdandverification_summary.md). - Re-run
scripts/verify_skill.pywhenever you change templates or command_reference.
8. Combining with Other Skills
- Pair with
incident-rca-specialistwhen the review uncovers an active incident or recent compromise indicator. - Hand findings to
compliance-advisorfor J-SOX / SOX mapping where applicable. - Browse the broader category for neighboring workflows: category index.
- See the full English skill catalog: skill catalog.
9. Troubleshooting
python3 scripts/verify_skill.pyreports a failure — the skill ships expecting all 22 checks to pass (including section H wizard pipeline smoke). Investigate before using the skill in a real engagement.- Manifest integrity fails — do not proceed. Either re-collect evidence or escalate per
references/guardrails.md. - Windows / IIS target detected — the skill hard-fails by design in v1. Use a different process for those targets.
- Find unresolved template / command IDs —
verify_skill.pywill surface them; fix the cross-reference before running a real review. - Sensitive output appears in the report draft — relocate to
raw_evidence_store/and apply the masking rules fromreferences/secret_masking.md.
10. Reference
References:
skills/web-server-security-reviewer/references/checklist_9axes.yamlskills/web-server-security-reviewer/references/command_reference.yamlskills/web-server-security-reviewer/references/finding_taxonomy.mdskills/web-server-security-reviewer/references/guardrails.mdskills/web-server-security-reviewer/references/input_contract.mdskills/web-server-security-reviewer/references/observation_status.mdskills/web-server-security-reviewer/references/schema_validation.mdskills/web-server-security-reviewer/references/secret_masking.mdskills/web-server-security-reviewer/references/severity_criteria.mdskills/web-server-security-reviewer/references/unsupported_matrix.mdskills/web-server-security-reviewer/references/verification_summary.mdskills/web-server-security-reviewer/references/role_extensions/_schema.yamlskills/web-server-security-reviewer/references/role_extensions/generic_edge.yamlskills/web-server-security-reviewer/references/role_extensions/generic_internal.yamlskills/web-server-security-reviewer/references/role_extensions/generic_public_facing.yamlskills/web-server-security-reviewer/references/interview_wizard.md— Phase 0 interactive wizard 7-stage declarative spec (v1.1+)
Scripts:
skills/web-server-security-reviewer/scripts/verify_skill.py— internal integrity verifier (22 checks)skills/web-server-security-reviewer/scripts/verification_run.pyskills/web-server-security-reviewer/scripts/build_target_profile.py— wizard answers JSON → target_profile.yaml builder (defaults / derivations / hard-fail gates)
Assets:
skills/web-server-security-reviewer/assets/target_profile_template.yamlskills/web-server-security-reviewer/assets/manifest_template.txtskills/web-server-security-reviewer/assets/manifest_attestation_template.txtskills/web-server-security-reviewer/assets/finding_table_template.mdskills/web-server-security-reviewer/assets/report_template.mdskills/web-server-security-reviewer/assets/action_plan_template.mdskills/web-server-security-reviewer/assets/wizard_answers_example.json— sample wizard answers forbuild_target_profile.pyskills/web-server-security-reviewer/assets/evidence_directory_layout.mdskills/web-server-security-reviewer/assets/self_review_template.md