author doc <doc@filenotfound.org> 2025-06-30 20:06:28 +0000
committer doc <doc@filenotfound.org> 2025-06-30 20:06:28 +0000
commit 717fcb9c81d2bc3cc7a84a3ebea6572d7ff0f5cf (patch)
tree 7cbd6a8d5046409a82b22d34b01aac93b3e24818 /genesishosting/master_compliance_checklist.md
parent 8368ff389ec596dee6212ebeb85e01c638364fb3 (diff)
uploading documentation (HEAD, master)
Diffstat (limited to 'genesishosting/master_compliance_checklist.md')
-rw-r--r-- genesishosting/master_compliance_checklist.md 63
1 files changed, 63 insertions, 0 deletions
diff --git a/genesishosting/master_compliance_checklist.md b/genesishosting/master_compliance_checklist.md
new file mode 100644
index 0000000..10485bc
--- /dev/null
+++ b/genesishosting/master_compliance_checklist.md
@@ -0,0 +1,63 @@
+# ✅ Master Compliance Checklist
+*(Status: ☐ = Not Started | 🟨 = In Progress | ✅ = Complete)*
+
+## 🧑‍💼 Access & User Management
+- [ ] Role-Based Access Control (RBAC) in place (Customer, Admin, etc.)
+- [ ] Account creation follows secure onboarding workflows
+- [ ] Admin access restricted to SSH keys only
+- [ ] Inactive accounts locked or removed quarterly
+- [ ] Least privilege enforced across all services
+
+## 💾 Backups & Disaster Recovery
+- [ ] Daily backups enabled for all key services (DirectAdmin, WHMCS, AzuraCast, TeamTalk)
+- [ ] Weekly offsite backups with verification
+- [ ] ZFS snapshots scheduled (hourly/daily/weekly)
+- [ ] Backup integrity validated with checksums or scrubs
+- [ ] Quarterly disaster recovery drill completed
+- [ ] Restore instructions documented and tested
+
+## 🔐 Security
+- [ ] 2FA enabled on all admin interfaces (WHMCS, SSH, DirectAdmin)
+- [ ] SSH password auth disabled, key-only enforced
+- [ ] Weekly patching or updates scheduled (Sunday 7–9 PM)
+- [ ] Centralized logging active and stored 30–90 days
+- [ ] Fail2Ban + Genesis Shield integrated and alerting
+- [ ] TLS 1.2+ enforced for all public services
+- [ ] AES-256 encryption at rest on backups and sensitive volumes
+
+## 🖥️ Provisioning & Automation
+- [ ] WHMCS integrated with DirectAdmin, AzuraCast, TeamTalk
+- [ ] All provisioning scripts tested and logged
+- [ ] Post-deploy verification checklist followed
+- [ ] DNS + SSL automation in place (Let's Encrypt)
+- [ ] Monitoring added after provisioning (Prometheus/Grafana)
+
+## 📋 Client Policies
+- [ ] Acceptable Use Policy posted and enforced
+- [ ] Abuse response process defined and working
+- [ ] DMCA policy publicly available and followed
+- [ ] Suspension and refund rules defined in WHMCS
+- [ ] Privacy Policy and Terms of Service available on client portal
+
+## 🌐 Services Configuration
+- [ ] DirectAdmin quotas enforced (disk, bandwidth, email)
+- [ ] AzuraCast listener/storage/bitrate limits respected
+- [ ] TeamTalk server abuse protection and user limits enforced
+- [ ] Domain registration/renewal workflows tested
+- [ ] SSL auto-renew working correctly (Let's Encrypt + certbot)
+
+## ⚙️ Infrastructure
+- [ ] ZFS pools configured for redundancy (RAIDZ1, mirrors)
+- [ ] rclone mount points with caching working and monitored
+- [ ] Genesis Shield actively alerting via Telegram/Mastodon
+- [ ] All VMs named per convention (e.g., `krang`, `shredderv2`)
+- [ ] Sunday maintenance window consistently followed
+- [ ] Ansible playbooks used for provisioning/config consistency
+
+## 🛠️ Tools & Scripts
+- [ ] All scripts version-controlled and documented
+- [ ] Backups and restore tools tested and working
+- [ ] Mastodon alert bot operating with secure tokens
+- [ ] Rclone VFS stats monitored regularly
+- [ ] Admin tools accessible only by authorized users
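Review bot: the status legend on the second line defines three states (☐, 🟨, ✅), but every item below uses the `- [ ]` task-list syntax, which renders as a binary checkbox and has no way to show "In Progress"; either drop 🟨 from the legend or write the items with the legend's own symbols, e.g. `- ☐ Role-Based Access Control (RBAC) in place (Customer, Admin, etc.)`. Two controls are also listed twice under different headings: `Admin access restricted to SSH keys only` (Access & User Management) and `SSH password auth disabled, key-only enforced` (Security) track the same setting, as do `Restore instructions documented and tested` (Backups & Disaster Recovery) and `Backups and restore tools tested and working` (Tools & Scripts); one line per control avoids the two copies drifting to different statuses. Finally, `Centralized logging active and stored 30–90 days` states a range rather than a target, so it cannot be marked complete unambiguously; pick the retention period the team actually commits to and write that number.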
+"""