jpskill.com
💬 コミュニケーション コミュニティ

when-configuring-sandbox-security-use-sandbox-configurator

Claude Codeのサンドボックス環境において、ファイルシステムやネットワークへのアクセスを制限し、安全なコード実行を保証するための設定を、適切なアクセス制御とリソース制限のもとで行うSkill。

📜 元の英語説明(参考)

Configure Claude Code sandbox security with file system and network isolation boundaries. Ensures safe code execution with proper access controls and resource limits.

🇯🇵 日本人クリエイター向け解説

一言でいうと

Claude Codeのサンドボックス環境において、ファイルシステムやネットワークへのアクセスを制限し、安全なコード実行を保証するための設定を、適切なアクセス制御とリソース制限のもとで行うSkill。

※ jpskill.com 編集部が日本のビジネス現場向けに補足した解説です。Skill本体の挙動とは独立した参考情報です。

⚡ おすすめ: コマンド1行でインストール(60秒)

下記のコマンドをコピーしてターミナル(Mac/Linux)または PowerShell(Windows)に貼り付けてください。 ダウンロード → 解凍 → 配置まで全自動。

🍎 Mac / 🐧 Linux 
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o when-configuring-sandbox-security-use-sandbox-configurator.zip https://jpskill.com/download/18795.zip && unzip -o when-configuring-sandbox-security-use-sandbox-configurator.zip && rm when-configuring-sandbox-security-use-sandbox-configurator.zip
🪟 Windows (PowerShell) 
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/18795.zip -OutFile "$d\when-configuring-sandbox-security-use-sandbox-configurator.zip"; Expand-Archive "$d\when-configuring-sandbox-security-use-sandbox-configurator.zip" -DestinationPath $d -Force; ri "$d\when-configuring-sandbox-security-use-sandbox-configurator.zip"

完了後、Claude Code を再起動 → 普通に「動画プロンプト作って」のように話しかけるだけで自動発動します。

💾 手動でダウンロードしたい(コマンドが難しい人向け)
  1. 1. 下の青いボタンを押して when-configuring-sandbox-security-use-sandbox-configurator.zip をダウンロード
  2. 2. ZIPファイルをダブルクリックで解凍 → when-configuring-sandbox-security-use-sandbox-configurator フォルダができる
  3. 3. そのフォルダを C:\Users\あなたの名前\.claude\skills\(Win)または ~/.claude/skills/(Mac)へ移動
  4. 4. Claude Code を再起動
⬇ .zip でダウンロード(推奨) ⬇ .skill 形式(上級者用) 元のソース ↗

⚠️ ダウンロード・利用は自己責任でお願いします。当サイトは内容・動作・安全性について責任を負いません。

🎯 このSkillでできること

下記の説明文を読むと、このSkillがあなたに何をしてくれるかが分かります。Claudeにこの分野の依頼をすると、自動で発動します。

📦 インストール方法 (3ステップ)

  1. 1. 上の「ダウンロード」ボタンを押して .skill ファイルを取得
  2. 2. ファイル名の拡張子を .skill から .zip に変えて展開(macは自動展開可)
  3. 3. 展開してできたフォルダを、ホームフォルダの .claude/skills/ に置く
    • · macOS / Linux: ~/.claude/skills/
    • · Windows: %USERPROFILE%\.claude\skills\

Claude Code を再起動すれば完了。「このSkillを使って…」と話しかけなくても、関連する依頼で自動的に呼び出されます。

詳しい使い方ガイドを見る →
最終更新
2026-05-18
取得日時
2026-05-18
同梱ファイル
2

📖 Skill本文(日本語訳)

※ 原文(英語/中国語)を Gemini で日本語化したものです。Claude 自身は原文を読みます。誤訳がある場合は原文をご確認ください。

サンドボックスセキュリティ設定 SOP

metadata:
  skill_name: when-configuring-sandbox-security-use-sandbox-configurator
  version: 1.0.0
  category: specialized-tools
  difficulty: intermediate
  estimated_duration: 20-40 minutes
  trigger_patterns:
    - "configure sandbox security"
    - "sandbox isolation"
    - "file system boundaries"
    - "sandbox permissions"
    - "secure sandbox"
  dependencies:
    - Claude Code sandbox environment
    - Admin/root access (if applicable)
  agents:
    - security-manager (security architect)
    - cicd-engineer (infrastructure specialist)
  success_criteria:
    - Security policies defined
    - File boundaries configured
    - Network isolation set
    - Policies tested and verified
    - Documentation complete

概要

Claude Code サンドボックスのセキュリティをファイルシステムとネットワークの分離境界で構成します。適切なアクセス制御とリソース制限により、安全なコード実行を保証します。

前提条件

必須:

  • Claude Code 環境
  • セキュリティ要件の理解

任意:

  • 既存のセキュリティポリシー
  • コンプライアンス要件 (SOC2、HIPAA など)

検証:

# Claude Code のバージョンを確認します
claude --version

# サンドボックスの可用性を確認します
echo "Sandbox check"

エージェントの責任

security-manager (セキュリティアーキテクト)

役割: セキュリティポリシーの設計、境界の定義、構成の検証

専門知識:

  • セキュリティアーキテクチャ
  • アクセス制御システム
  • コンプライアンス要件
  • 脅威モデリング

成果物: セキュリティポリシー、境界定義、検証テスト

cicd-engineer (インフラストラクチャスペシャリスト)

役割: セキュリティ構成の実装、リソースの管理、ポリシーのデプロイ

専門知識:

  • インフラストラクチャ管理
  • システム構成
  • デプロイ自動化
  • 監視設定

成果物: 構成ファイル、デプロイスクリプト、監視ツール

フェーズ 1: セキュリティ要件の評価

目的: セキュリティニーズ、コンプライアンス要件、脅威モデルの特定

エビデンスに基づく検証:

  • 要件が文書化されている
  • 脅威モデルが作成されている
  • コンプライアンスニーズが特定されている
  • リスク評価が完了している

security-manager のアクション:

# 事前タスク調整
npx claude-flow@alpha hooks pre-task --description "Assess sandbox security requirements"

# セキュリティディレクトリ構造を作成します
mkdir -p sandbox-security/{policies,config,tests,docs}

# セキュリティ要件を文書化します
cat > sandbox-security/docs/REQUIREMENTS.md << 'EOF'
# サンドボックスセキュリティ要件

## 目的
- 不正なファイルアクセスを防止する
- ネットワーク通信を分離する
- リソース制限を強制する
- すべての操作を監査する
- セキュリティ標準に準拠する

## 脅威モデル

### 脅威
1. **ファイルシステムエスケープ**: ホストファイルへの不正アクセス
2. **ネットワーク侵入**: 悪意のあるネットワーク接続
3. **リソース枯渇**: リソースの乱用による DoS
4. **データ漏洩**: 不正なデータ転送
5. **権限昇格**: 不正な権限の取得

### 緩和策
1. ファイルシステム境界とホワイトリスト
2. ネットワーク分離とドメイン制限
3. CPU/メモリ/ディスククォータ
4. 監査ログと監視
5. 最小権限の原則

## コンプライアンス要件
- SOC 2 Type II (該当する場合)
- GDPR データ保護
- 内部セキュリティポリシー
- 業界標準 (OWASP, NIST)

## アクセス制御
- システムファイルは読み取り専用
- ワークスペースのみ読み書き可能
- 機密ディレクトリ (/etc, /root, /sys) へのアクセスは不可
- サイズ制限付きの一時ディレクトリ
EOF

# 編集後フック
npx claude-flow@alpha hooks post-edit --file "sandbox-security/docs/REQUIREMENTS.md" --memory-key "sandbox/requirements"

# 脅威評価を作成します
cat > sandbox-security/docs/THREAT-ASSESSMENT.md << 'EOF'
# 脅威評価

## リスクマトリックス

| 脅威 | 可能性 | 影響 | リスクレベル | 緩和策の優先度 |
|--------|-----------|--------|------------|-------------------|
| ファイルエスケープ | 中 | 致命的 | 高 | P0 |
| ネットワーク侵入 | 低 | 高 | 中 | P1 |
| リソース枯渇 | 高 | 中 | 中 | P1 |
| データ漏洩 | 低 | 致命的 | 高 | P0 |
| 権限昇格 | 低 | 致命的 | 高 | P0 |

## 推奨される制御

### 致命的 (P0)
1. 厳格なホワイトリストによるファイルシステム境界
2. 信頼できるドメインリストによるネットワーク分離
3. 強制的な監査ログ

### 高 (P1)
4. リソースクォータと制限
5. リアルタイム監視とアラート
6. 定期的なセキュリティ監査

### 中 (P2)
7. 自動化されたセキュリティテスト
8. インシデント対応手順
9. セキュリティ意識向上トレーニング
EOF

# 編集後フック
npx claude-flow@alpha hooks post-edit --file "sandbox-security/docs/THREAT-ASSESSMENT.md" --memory-key "sandbox/threat-assessment"

# 要件をメモリに保存します
npx claude-flow@alpha memory store \
  --key "sandbox/phase1-complete" \
  --value "{\"status\": \"complete\", \"threats_identified\": 5, \"controls_defined\": 9, \"timestamp\": \"$(date -Iseconds)\"}"

成功基準:

  • [ ] 要件が文書化されている
  • [ ] 脅威モデルが作成されている
  • [ ] リスクマトリックスが定義されている
  • [ ] 制御が優先順位付けされている

フェーズ 2: ファイル分離の構成

目的: ファイルシステム境界の設定、アクセスルールの定義、制限の実装

エビデンスに基づく検証:

  • 境界が構成されている
  • ホワイトリスト/ブラックリストが定義されている
  • アクセスルールがテストされている
  • 不正なアクセスがブロックされている

security-manager のアクション:

# ファイルシステムポリシーを定義します
cat > sandbox-security/policies/file-system-policy.json << 'EOF'
{
  "file_system": {
    "mode": "whitelist",
    "workspace": {
      "path": "/workspace",
      "permissions": "read-write",
      "size_limit_gb": 10
    },
    "allowed_paths": [
      "/workspace/**",
      "/tmp/sandbox/**",
      "/usr/local/bin",
      "/usr/bin",
      "/bin"
    ],
    "denied_paths": [
      "/etc/**",
      "/root/**",
      "/sys/**",
      "/proc/**",
      "/dev/**",
      "/home/**",
      "~/.ssh/**",
      "~/.aws/**",
      "~/.config/**"
    ],
    "temp_direct
📜 原文 SKILL.md(Claudeが読む英語/中国語)を展開

Sandbox Security Configuration SOP

metadata:
  skill_name: when-configuring-sandbox-security-use-sandbox-configurator
  version: 1.0.0
  category: specialized-tools
  difficulty: intermediate
  estimated_duration: 20-40 minutes
  trigger_patterns:
    - "configure sandbox security"
    - "sandbox isolation"
    - "file system boundaries"
    - "sandbox permissions"
    - "secure sandbox"
  dependencies:
    - Claude Code sandbox environment
    - Admin/root access (if applicable)
  agents:
    - security-manager (security architect)
    - cicd-engineer (infrastructure specialist)
  success_criteria:
    - Security policies defined
    - File boundaries configured
    - Network isolation set
    - Policies tested and verified
    - Documentation complete

Overview

Configure Claude Code sandbox security with file system and network isolation boundaries. Ensures safe code execution with proper access controls and resource limits.

Prerequisites

Required:

  • Claude Code environment
  • Understanding of security requirements

Optional:

  • Existing security policies
  • Compliance requirements (SOC2, HIPAA, etc.)

Verification:

# Check Claude Code version
claude --version

# Verify sandbox availability
echo "Sandbox check"

Agent Responsibilities

security-manager (Security Architect)

Role: Design security policies, define boundaries, validate configurations

Expertise:

  • Security architecture
  • Access control systems
  • Compliance requirements
  • Threat modeling

Output: Security policies, boundary definitions, validation tests

cicd-engineer (Infrastructure Specialist)

Role: Implement security configurations, manage resources, deploy policies

Expertise:

  • Infrastructure management
  • System configuration
  • Deployment automation
  • Monitoring setup

Output: Configuration files, deployment scripts, monitoring tools

Phase 1: Assess Security Requirements

Objective: Identify security needs, compliance requirements, and threat models

Evidence-Based Validation:

  • Requirements documented
  • Threat model created
  • Compliance needs identified
  • Risk assessment complete

security-manager Actions:

# Pre-task coordination
npx claude-flow@alpha hooks pre-task --description "Assess sandbox security requirements"

# Create security directory structure
mkdir -p sandbox-security/{policies,config,tests,docs}

# Document security requirements
cat > sandbox-security/docs/REQUIREMENTS.md << 'EOF'
# Sandbox Security Requirements

## Objectives
- Prevent unauthorized file access
- Isolate network communications
- Enforce resource limits
- Audit all operations
- Comply with security standards

## Threat Model

### Threats
1. **File System Escape**: Unauthorized access to host files
2. **Network Intrusion**: Malicious network connections
3. **Resource Exhaustion**: DoS through resource abuse
4. **Data Exfiltration**: Unauthorized data transfer
5. **Privilege Escalation**: Gaining unauthorized permissions

### Mitigations
1. File system boundaries and whitelisting
2. Network isolation and domain restrictions
3. CPU/memory/disk quotas
4. Audit logging and monitoring
5. Least privilege principles

## Compliance Requirements
- SOC 2 Type II (if applicable)
- GDPR data protection
- Internal security policies
- Industry standards (OWASP, NIST)

## Access Control
- Read-only for system files
- Read-write for workspace only
- No access to sensitive directories (/etc, /root, /sys)
- Temp directory with size limits
EOF

# Post-edit hook
npx claude-flow@alpha hooks post-edit --file "sandbox-security/docs/REQUIREMENTS.md" --memory-key "sandbox/requirements"

# Create threat assessment
cat > sandbox-security/docs/THREAT-ASSESSMENT.md << 'EOF'
# Threat Assessment

## Risk Matrix

| Threat | Likelihood | Impact | Risk Level | Mitigation Priority |
|--------|-----------|--------|------------|-------------------|
| File Escape | Medium | Critical | High | P0 |
| Network Intrusion | Low | High | Medium | P1 |
| Resource Exhaustion | High | Medium | Medium | P1 |
| Data Exfiltration | Low | Critical | High | P0 |
| Privilege Escalation | Low | Critical | High | P0 |

## Recommended Controls

### Critical (P0)
1. File system boundaries with strict whitelisting
2. Network isolation with trusted domain list
3. Mandatory audit logging

### High (P1)
4. Resource quotas and limits
5. Real-time monitoring and alerts
6. Regular security audits

### Medium (P2)
7. Automated security testing
8. Incident response procedures
9. Security awareness training
EOF

# Post-edit hook
npx claude-flow@alpha hooks post-edit --file "sandbox-security/docs/THREAT-ASSESSMENT.md" --memory-key "sandbox/threat-assessment"

# Store requirements in memory
npx claude-flow@alpha memory store \
  --key "sandbox/phase1-complete" \
  --value "{\"status\": \"complete\", \"threats_identified\": 5, \"controls_defined\": 9, \"timestamp\": \"$(date -Iseconds)\"}"

Success Criteria:

  • [ ] Requirements documented
  • [ ] Threat model created
  • [ ] Risk matrix defined
  • [ ] Controls prioritized

Phase 2: Configure File Isolation

Objective: Set file system boundaries, define access rules, implement restrictions

Evidence-Based Validation:

  • Boundaries configured
  • Whitelist/blacklist defined
  • Access rules tested
  • Unauthorized access blocked

security-manager Actions:

# Define file system policy
cat > sandbox-security/policies/file-system-policy.json << 'EOF'
{
  "file_system": {
    "mode": "whitelist",
    "workspace": {
      "path": "/workspace",
      "permissions": "read-write",
      "size_limit_gb": 10
    },
    "allowed_paths": [
      "/workspace/**",
      "/tmp/sandbox/**",
      "/usr/local/bin",
      "/usr/bin",
      "/bin"
    ],
    "denied_paths": [
      "/etc/**",
      "/root/**",
      "/sys/**",
      "/proc/**",
      "/dev/**",
      "/home/**",
      "~/.ssh/**",
      "~/.aws/**",
      "~/.config/**"
    ],
    "temp_directory": {
      "path": "/tmp/sandbox",
      "size_limit_mb": 1000,
      "auto_cleanup": true,
      "cleanup_age_hours": 24
    },
    "readonly_paths": [
      "/usr/local/lib",
      "/usr/lib",
      "/lib"
    ]
  },
  "enforcement": {
    "strict_mode": true,
    "symlink_resolution": "deny",
    "case_sensitive": true,
    "audit_all_access": true
  }
}
EOF

# Post-edit hook
npx claude-flow@alpha hooks post-edit --file "sandbox-security/policies/file-system-policy.json" --memory-key "sandbox/file-policy"

cicd-engineer Actions:

# Create file isolation configuration script
cat > sandbox-security/config/configure-file-isolation.sh << 'EOF'
#!/bin/bash
set -e

echo "Configuring file system isolation..."

# Create workspace directory
mkdir -p /workspace
chmod 755 /workspace

# Create isolated temp directory
mkdir -p /tmp/sandbox
chmod 1777 /tmp/sandbox

# Set resource limits
cat > /etc/security/limits.d/sandbox.conf << 'LIMITS'
sandbox soft fsize 10485760
sandbox hard fsize 10485760
sandbox soft nofile 1024
sandbox hard nofile 2048
LIMITS

# Configure AppArmor profile (if available)
if command -v apparmor_parser &> /dev/null; then
  cat > /etc/apparmor.d/sandbox << 'APPARMOR'
#include <tunables/global>

profile sandbox {
  #include <abstractions/base>

  /workspace/** rw,
  /tmp/sandbox/** rw,
  /usr/bin/** rix,
  /bin/** rix,

  deny /etc/** rwklx,
  deny /root/** rwklx,
  deny /sys/** rwklx,
  deny /proc/sys/** rwklx,
  deny /home/** rwklx,
}
APPARMOR

  apparmor_parser -r /etc/apparmor.d/sandbox
  echo "AppArmor profile loaded"
fi

echo "File isolation configured successfully"
EOF

chmod +x sandbox-security/config/configure-file-isolation.sh

# Post-edit hook
npx claude-flow@alpha hooks post-edit --file "sandbox-security/config/configure-file-isolation.sh" --memory-key "sandbox/file-config"

# Store configuration
npx claude-flow@alpha memory store \
  --key "sandbox/phase2-complete" \
  --value "{\"status\": \"complete\", \"file_boundaries\": true, \"timestamp\": \"$(date -Iseconds)\"}"

Success Criteria:

  • [ ] File policy defined
  • [ ] Configuration script created
  • [ ] Boundaries enforced
  • [ ] Access restrictions tested

Phase 3: Configure Network Isolation

Objective: Define trusted domains, implement network restrictions, configure firewall rules

Evidence-Based Validation:

  • Network policy configured
  • Trusted domains whitelisted
  • Malicious connections blocked
  • DNS filtering active

security-manager Actions:

# Define network security policy
cat > sandbox-security/policies/network-policy.json << 'EOF'
{
  "network": {
    "mode": "whitelist",
    "trusted_domains": [
      "*.anthropic.com",
      "api.openai.com",
      "github.com",
      "*.github.com",
      "raw.githubusercontent.com",
      "npmjs.org",
      "*.npmjs.org",
      "pypi.org",
      "*.pypi.org",
      "docker.io",
      "*.docker.io"
    ],
    "blocked_domains": [
      "*.example-malicious.com",
      "suspicious-domain.net"
    ],
    "allowed_ports": {
      "outbound": [80, 443, 22, 3000, 5000, 8000, 8080],
      "inbound": [3000, 5000, 8000, 8080]
    },
    "protocols": {
      "allowed": ["http", "https", "ssh", "git"],
      "denied": ["ftp", "telnet", "smtp"]
    },
    "rate_limiting": {
      "enabled": true,
      "requests_per_minute": 100,
      "burst": 150
    }
  },
  "firewall": {
    "default_policy": "deny",
    "egress_rules": [
      {
        "action": "allow",
        "destination": "trusted_domains",
        "ports": [80, 443]
      }
    ],
    "ingress_rules": [
      {
        "action": "allow",
        "source": "localhost",
        "ports": [3000, 8000, 8080]
      }
    ]
  }
}
EOF

# Post-edit hook
npx claude-flow@alpha hooks post-edit --file "sandbox-security/policies/network-policy.json" --memory-key "sandbox/network-policy"

cicd-engineer Actions:

# Create network isolation configuration
cat > sandbox-security/config/configure-network-isolation.sh << 'EOF'
#!/bin/bash
set -e

echo "Configuring network isolation..."

# Create firewall rules (using iptables)
if command -v iptables &> /dev/null; then
  # Default deny
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  # Allow loopback
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Allow established connections
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow outbound HTTPS to trusted domains
  iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

  # Allow outbound SSH
  iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

  # Allow inbound on application ports
  iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
  iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
  iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

  echo "Firewall rules configured"
fi

# Configure DNS filtering (using hosts file)
cat >> /etc/hosts << 'HOSTS'
# Blocked domains
127.0.0.1 example-malicious.com
127.0.0.1 suspicious-domain.net
HOSTS

echo "Network isolation configured successfully"
EOF

chmod +x sandbox-security/config/configure-network-isolation.sh

# Post-edit hook
npx claude-flow@alpha hooks post-edit --file "sandbox-security/config/configure-network-isolation.sh" --memory-key "sandbox/network-config"

# Store configuration
npx claude-flow@alpha memory store \
  --key "sandbox/phase3-complete" \
  --value "{\"status\": \"complete\", \"network_isolated\": true, \"timestamp\": \"$(date -Iseconds)\"}"

Success Criteria:

  • [ ] Network policy defined
  • [ ] Firewall rules configured
  • [ ] Trusted domains whitelisted
  • [ ] Malicious domains blocked

Phase 4: Test Security Policies

Objective: Validate all security configurations through comprehensive testing

Evidence-Based Validation:

  • All tests passing
  • Unauthorized access blocked
  • Authorized access permitted
  • No false positives/negatives

security-manager Actions:

# Create security test suite
cat > sandbox-security/tests/security-tests.sh << 'EOF'
#!/bin/bash

PASS=0
FAIL=0

echo "Running Security Test Suite"
echo "============================"

# Test 1: File system boundaries
echo -e "\nTest 1: File system access control"
if ! cat /etc/shadow 2>/dev/null; then
  echo "✓ Cannot read /etc/shadow"
  ((PASS++))
else
  echo "✗ Can read /etc/shadow (SECURITY ISSUE)"
  ((FAIL++))
fi

# Test 2: Workspace access
echo -e "\nTest 2: Workspace access"
if touch /workspace/test.txt 2>/dev/null; then
  echo "✓ Can write to workspace"
  ((PASS++))
  rm -f /workspace/test.txt
else
  echo "✗ Cannot write to workspace"
  ((FAIL++))
fi

# Test 3: Temp directory access
echo -e "\nTest 3: Temp directory access"
if touch /tmp/sandbox/test.txt 2>/dev/null; then
  echo "✓ Can write to temp directory"
  ((PASS++))
  rm -f /tmp/sandbox/test.txt
else
  echo "✗ Cannot write to temp directory"
  ((FAIL++))
fi

# Test 4: SSH key protection
echo -e "\nTest 4: SSH key protection"
if ! cat ~/.ssh/id_rsa 2>/dev/null; then
  echo "✓ Cannot read SSH keys"
  ((PASS++))
else
  echo "✗ Can read SSH keys (SECURITY ISSUE)"
  ((FAIL++))
fi

# Test 5: Network access to trusted domain
echo -e "\nTest 5: Network access (trusted domain)"
if curl -s --max-time 5 https://api.anthropic.com >/dev/null 2>&1; then
  echo "✓ Can access trusted domain"
  ((PASS++))
else
  echo "⚠ Cannot access trusted domain (check network)"
  ((FAIL++))
fi

# Test 6: Network access to blocked domain
echo -e "\nTest 6: Network access (blocked domain)"
if ! curl -s --max-time 5 https://example-malicious.com >/dev/null 2>&1; then
  echo "✓ Cannot access blocked domain"
  ((PASS++))
else
  echo "✗ Can access blocked domain (SECURITY ISSUE)"
  ((FAIL++))
fi

# Summary
echo -e "\n============================"
echo "Test Summary:"
echo "Passed: $PASS"
echo "Failed: $FAIL"
echo "============================"

if [ $FAIL -eq 0 ]; then
  echo "✓ All security tests passed!"
  exit 0
else
  echo "✗ Some security tests failed!"
  exit 1
fi
EOF

chmod +x sandbox-security/tests/security-tests.sh

# Post-edit hook
npx claude-flow@alpha hooks post-edit --file "sandbox-security/tests/security-tests.sh" --memory-key "sandbox/security-tests"

# Run tests
./sandbox-security/tests/security-tests.sh || echo "Tests failed - review configuration"

cicd-engineer Actions:

# Create automated test runner
cat > sandbox-security/tests/run-all-tests.sh << 'EOF'
#!/bin/bash

echo "Running all security tests..."
echo "=============================="

# Run security test suite
./sandbox-security/tests/security-tests.sh

# Capture results
TEST_RESULT=$?

# Log results
echo "{\"timestamp\": \"$(date -Iseconds)\", \"result\": \"$TEST_RESULT\"}" >> sandbox-security/tests/test-results.log

# Notify
if [ $TEST_RESULT -eq 0 ]; then
  npx claude-flow@alpha hooks notify --message "Security tests passed"
else
  npx claude-flow@alpha hooks notify --message "Security tests FAILED - review immediately"
fi

exit $TEST_RESULT
EOF

chmod +x sandbox-security/tests/run-all-tests.sh

# Post-edit hook
npx claude-flow@alpha hooks post-edit --file "sandbox-security/tests/run-all-tests.sh" --memory-key "sandbox/test-runner"

# Store test results
npx claude-flow@alpha memory store \
  --key "sandbox/phase4-complete" \
  --value "{\"status\": \"complete\", \"tests_passed\": true, \"timestamp\": \"$(date -Iseconds)\"}"

Success Criteria:

  • [ ] Test suite created
  • [ ] All tests passing
  • [ ] Security validated
  • [ ] Results logged

Phase 5: Deploy and Monitor

Objective: Deploy security configuration and setup continuous monitoring

Evidence-Based Validation:

  • Configuration deployed
  • Monitoring active
  • Alerts configured
  • Documentation complete

security-manager Actions:

# Create deployment guide
cat > sandbox-security/docs/DEPLOYMENT.md << 'EOF'
# Security Deployment Guide

## Pre-Deployment Checklist
- [ ] All policies reviewed and approved
- [ ] Test suite passing
- [ ] Backup configuration created
- [ ] Rollback plan documented

## Deployment Steps

1. **Backup Current Configuration**
   ```bash
   ./sandbox-security/scripts/backup-config.sh

  1. Deploy File Isolation

    ./sandbox-security/config/configure-file-isolation.sh

  2. Deploy Network Isolation

    ./sandbox-security/config/configure-network-isolation.sh

  3. Verify Deployment

    ./sandbox-security/tests/security-tests.sh

  4. Enable Monitoring

    ./sandbox-security/monitoring/start-monitoring.sh

Post-Deployment

  • Monitor logs for 24 hours
  • Review security alerts
  • Conduct security audit
  • Update documentation

Rollback Procedure

If issues occur:

./sandbox-security/scripts/rollback-config.sh

EOF

Post-task hook

npx claude-flow@alpha hooks post-task --task-id "sandbox-security-config"


**cicd-engineer Actions:**
```bash
# Create monitoring script
cat > sandbox-security/monitoring/start-monitoring.sh << 'EOF'
#!/bin/bash

echo "Starting security monitoring..."

# Monitor file access
tail -f /var/log/audit/audit.log | grep --line-buffered "denied" &

# Monitor network connections
tcpdump -i any -n 'tcp[tcpflags] & (tcp-syn) != 0' &

# Monitor resource usage
while true; do
  echo "[$(date -Iseconds)] Resource usage:"
  df -h /workspace
  du -sh /tmp/sandbox
  sleep 300
done &

echo "Monitoring started (PIDs: $!)"
EOF

chmod +x sandbox-security/monitoring/start-monitoring.sh

# Create final documentation
cat > sandbox-security/docs/SECURITY-SUMMARY.md << 'EOF'
# Security Configuration Summary

## Implemented Controls

### File System Security
- Whitelist mode enabled
- Workspace: /workspace (10GB limit)
- Temp: /tmp/sandbox (1GB limit, 24h cleanup)
- Denied: /etc, /root, /sys, /proc, /dev, /home, ~/.ssh, ~/.aws

### Network Security
- Whitelist mode enabled
- Trusted domains: *.anthropic.com, github.com, npmjs.org, pypi.org
- Allowed ports: 80, 443, 22, 3000, 5000, 8000, 8080
- Firewall: Default deny with specific allow rules
- Rate limiting: 100 req/min, burst 150

### Monitoring
- File access auditing
- Network connection monitoring
- Resource usage tracking
- Security alert system

## Security Posture

| Control | Status | Effectiveness |
|---------|--------|---------------|
| File Isolation | ✓ Active | High |
| Network Isolation | ✓ Active | High |
| Resource Limits | ✓ Active | Medium |
| Audit Logging | ✓ Active | High |
| Monitoring | ✓ Active | Medium |

## Compliance
- SOC 2 Type II controls implemented
- GDPR data protection measures in place
- Internal security policies enforced
- OWASP security guidelines followed

## Maintenance
- Review policies quarterly
- Update trusted domains as needed
- Audit logs monthly
- Test security weekly
- Update documentation continuously
EOF

# Post-edit hooks
npx claude-flow@alpha hooks post-edit --file "sandbox-security/monitoring/start-monitoring.sh" --memory-key "sandbox/monitoring"
npx claude-flow@alpha hooks post-edit --file "sandbox-security/docs/SECURITY-SUMMARY.md" --memory-key "sandbox/summary"

# Session end
npx claude-flow@alpha hooks session-end --export-metrics true

# Store final status
npx claude-flow@alpha memory store \
  --key "sandbox/phase5-complete" \
  --value "{\"status\": \"complete\", \"deployed\": true, \"monitoring\": true, \"timestamp\": \"$(date -Iseconds)\"}"

npx claude-flow@alpha memory store \
  --key "sandbox/workflow-complete" \
  --value "{\"status\": \"success\", \"security_level\": \"high\", \"compliance\": true, \"timestamp\": \"$(date -Iseconds)\"}"

Success Criteria:

  • [ ] Configuration deployed
  • [ ] Monitoring active
  • [ ] Documentation complete
  • [ ] Security validated

Workflow Summary

Total Estimated Duration: 20-40 minutes

Phase Breakdown:

  1. Assess Security Requirements: 5-10 minutes
  2. Configure File Isolation: 5-10 minutes
  3. Configure Network Isolation: 5-10 minutes
  4. Test Security Policies: 3-5 minutes
  5. Deploy and Monitor: 2-5 minutes

Key Deliverables:

  • Security policies
  • File isolation configuration
  • Network isolation configuration
  • Security test suite
  • Monitoring system
  • Complete documentation

Best Practices

  1. Defense in Depth: Multiple security layers
  2. Least Privilege: Minimal access rights
  3. Whitelist Approach: Deny by default
  4. Continuous Monitoring: Real-time security
  5. Regular Testing: Weekly security tests
  6. Documentation: Keep updated
  7. Audit Trail: Log all operations
  8. Incident Response: Plan for breaches

References

  • OWASP Security Guidelines
  • NIST Cybersecurity Framework
  • Claude Code Security Documentation
  • Linux Security Best Practices

同梱ファイル

※ ZIPに含まれるファイル一覧。`SKILL.md` 本体に加え、参考資料・サンプル・スクリプトが入っている場合があります。