# Security Compliance Documentation

## Overview

This document maps infrastructure security controls to industry-standard frameworks and provides evidence of compliance implementation.

**Last Updated**: 2025-11-11
**Review Cycle**: Quarterly
**Document Owner**: Security & Infrastructure Team

---

## Compliance Frameworks

This infrastructure implements controls aligned with:

- **CIS Benchmarks** (Center for Internet Security)
- **NIST Cybersecurity Framework**
- **NIST SP 800-53** (Security and Privacy Controls)
- **PCI-DSS** (if applicable for payment processing)
- **HIPAA** (if applicable for healthcare data)

---

## CIS Benchmarks Compliance

### CIS Linux Benchmark

| CIS ID | Control | Implementation | Status | Evidence |
|--------|---------|----------------|--------|----------|
| **1.6.1** | Ensure SELinux is installed | SELinux package installed on RHEL family | ✓ | `deploy_linux_vm` role |
| **1.6.2** | Ensure SELinux is not disabled | SELinux set to enforcing mode | ✓ | `/etc/selinux/config`, `getenforce` |
| **1.6.3** | Ensure AppArmor is installed | AppArmor installed on Debian family | ✓ | `deploy_linux_vm` role |
| **3.5.1** | Ensure firewall is installed | UFW/firewalld installed | ✓ | Automated by role |
| **3.5.2** | Ensure firewall is enabled | Firewall active at boot | ✓ | `ufw status`, `firewall-cmd --state` |
| **4.1.1** | Ensure auditd is installed | auditd package present | ✓ | Essential packages list |
| **4.1.2** | Ensure auditd is enabled | auditd service running | ✓ | `systemctl status auditd` |
| **5.2.1** | Ensure SSH Protocol 2 | `Protocol 2` in sshd_config | ✓ | SSH hardening config |
| **5.2.9** | Ensure PermitRootLogin is disabled | `PermitRootLogin no` | ✓ | `/etc/ssh/sshd_config.d/99-security.conf` |
| **5.2.10** | Ensure PasswordAuthentication is disabled | `PasswordAuthentication no` | ✓ | SSH hardening config |
| **5.2.11** | Ensure GSSAPI authentication is disabled | `GSSAPIAuthentication no` | ✓ | **CLAUDE.md requirement** |
| **5.2.16** | Ensure SSH MaxAuthTries is set to 3 or less | `MaxAuthTries 3` | ✓ | SSH hardening config |
| **5.3.1** | Ensure sudo is installed | sudo package present | ✓ | All systems |
| **5.3.2** | Ensure sudo commands use pty | `Defaults use_pty` | ✓ | sudoers config |
| **5.3.3** | Ensure sudo log file exists | `Defaults logfile` | ✓ | sudoers config |

### CIS Distribution Support Benchmark

| Distribution | Benchmark Version | Compliance Level | Testing |
|--------------|-------------------|------------------|---------|
| Debian 12 | CIS Debian Linux 12 v1.0.0 | Level 1 | Manual |
| Ubuntu 22.04 | CIS Ubuntu 22.04 LTS v1.0.0 | Level 1 | Manual |
| AlmaLinux 9 | CIS AlmaLinux OS 9 v1.0.0 | Level 1 | Manual |
| Rocky Linux 9 | CIS Rocky Linux 9 v1.0.0 | Level 1 | Manual |

---

## NIST Cybersecurity Framework

### Framework Core Functions

#### 1. Identify (ID)

| Category | Control | Implementation | Status |
|----------|---------|----------------|--------|
| **ID.AM-1** | Physical devices and systems | system_info role collects inventory | ✓ |
| **ID.AM-2** | Software platforms and applications | system_info detects installed software | ✓ |
| **ID.AM-3** | Organizational communication | Documentation in `docs/` | ✓ |
| **ID.AM-4** | External information systems | Network topology documented | ✓ |
| **ID.GV-1** | Organizational cybersecurity policy | CLAUDE.md guidelines | ✓ |

#### 2. Protect (PR)

| Category | Control | Implementation | Status |
|----------|---------|----------------|--------|
| **PR.AC-1** | Identities and credentials are managed | Ansible user with SSH keys | ✓ |
| **PR.AC-3** | Remote access is managed | SSH key-only, no password auth | ✓ |
| **PR.AC-4** | Access permissions managed | Least privilege, sudo logging | ✓ |
| **PR.DS-1** | Data at rest is protected | LVM encryption (planned) | Planned |
| **PR.DS-2** | Data in transit is protected | SSH encryption for all comms | ✓ |
| **PR.IP-1** | Baseline configuration | Ansible roles define baseline | ✓ |
| **PR.IP-3** | Configuration change control | Git version control | ✓ |
| **PR.IP-12** | Vulnerability management plan | Automatic security updates | ✓ |
| **PR.MA-1** | Maintenance is performed | Ansible playbooks for maintenance | ✓ |
| **PR.PT-1** | Audit logs are determined and documented | auditd configured | ✓ |
| **PR.PT-3** | Principle of least functionality | Minimal services enabled | ✓ |

#### 3. Detect (DE)

| Category | Control | Implementation | Status |
|----------|---------|----------------|--------|
| **DE.AE-3** | Event data are aggregated | auditd, journald | ✓ |
| **DE.CM-1** | Network monitored | Firewall logs (basic) | Partial |
| **DE.CM-7** | Unauthorized activity detected | Audit rules for privileged ops | ✓ |
| **DE.DP-4** | Event detection communicated | Planned SIEM integration | Planned |

#### 4. Respond (RS)

| Category | Control | Implementation | Status |
|----------|---------|----------------|--------|
| **RS.AN-1** | Notifications investigated | Manual process | Manual |
| **RS.CO-2** | Incidents reported | Incident response runbook | Planned |
| **RS.MI-2** | Incidents contained | Firewall rules for isolation | ✓ |

#### 5. Recover (RC)

| Category | Control | Implementation | Status |
|----------|---------|----------------|--------|
| **RC.RP-1** | Recovery plan executed | DR playbook available | ✓ |
| **RC.RP-2** | Recovery plan updated | Playbook versioned in git | ✓ |

---

## NIST SP 800-53 Controls

### Access Control (AC)

| Control | Title | Implementation | Evidence |
|---------|-------|----------------|----------|
| **AC-2** | Account Management | ansible service account | Automated provisioning |
| **AC-3** | Access Enforcement | SELinux/AppArmor MAC | `getenforce`, `aa-status` |
| **AC-6** | Least Privilege | sudo with logging | sudoers configuration |
| **AC-7** | Unsuccessful Login Attempts | SSH MaxAuthTries = 3 | sshd_config |
| **AC-17** | Remote Access | SSH key-only authentication | SSH hardening |

### Audit and Accountability (AU)

| Control | Title | Implementation | Evidence |
|---------|-------|----------------|----------|
| **AU-2** | Auditable Events | auditd rules configured | `/etc/audit/rules.d/` |
| **AU-3** | Content of Audit Records | auditd log format | `/var/log/audit/audit.log` |
| **AU-6** | Audit Review | Manual review process | Quarterly reviews |
| **AU-8** | Time Stamps | chrony time sync | NTP configuration |
| **AU-9** | Protection of Audit Information | Restrictive permissions | `600` on audit logs |
| **AU-12** | Audit Generation | auditd enabled system-wide | `systemctl status auditd` |

### Configuration Management (CM)

| Control | Title | Implementation | Evidence |
|---------|-------|----------------|----------|
| **CM-2** | Baseline Configuration | Ansible roles define baseline | Git repository |
| **CM-3** | Configuration Change Control | Pull request workflow | Git history |
| **CM-6** | Configuration Settings | CIS Benchmark compliance | Automated hardening |
| **CM-7** | Least Functionality | Minimal packages installed | Package lists |

### Identification and Authentication (IA)

| Control | Title | Implementation | Evidence |
|---------|-------|----------------|----------|
| **IA-2** | Identification and Authentication | SSH key-based | sshd_config |
| **IA-2(1)** | Multi-Factor to Privileged Accounts | Planned (not implemented) | Planned |
| **IA-5** | Authenticator Management | SSH key rotation policy | 90-day policy |
| **IA-5(1)** | Password-Based Authentication | Passwords disabled for SSH | sshd_config |

### System and Communications Protection (SC)

| Control | Title | Implementation | Evidence |
|---------|-------|----------------|----------|
| **SC-7** | Boundary Protection | Firewall at each host | UFW/firewalld |
| **SC-8** | Transmission Confidentiality | SSH encryption | All Ansible comms via SSH |
| **SC-13** | Cryptographic Protection | SSH keys, TLS | SSH v2, strong ciphers |

### System and Information Integrity (SI)

| Control | Title | Implementation | Evidence |
|---------|-------|----------------|----------|
| **SI-2** | Flaw Remediation | Automatic security updates | unattended-upgrades/dnf-automatic |
| **SI-3** | Malicious Code Protection | ClamAV (planned) | Planned |
| **SI-4** | Information System Monitoring | auditd, logs | Log files |
| **SI-7** | Software Integrity Checks | AIDE file integrity | AIDE configuration |

---

## PCI-DSS Compliance (If Applicable)

### Requirement Mapping

| Req | Title | Implementation | Status |
|-----|-------|----------------|--------|
| **2.2** | Configuration Standards | Ansible roles enforce standards | ✓ |
| **2.3** | Encrypt Non-Console Access | SSH only, encrypted | ✓ |
| **8.1** | Unique User IDs | ansible service account per system | ✓ |
| **8.2** | Strong Authentication | SSH keys (4096-bit RSA) | ✓ |
| **8.3** | Multi-Factor Auth | Planned | Planned |
| **10.1** | Audit Trails | auditd enabled | ✓ |
| **10.2** | Automated Audit Trails | auditd automatic logging | ✓ |

---

## Compliance Evidence Collection

### Automated Compliance Checks

Use OpenSCAP for automated compliance scanning:

```bash
# Install OpenSCAP
apt-get install libopenscap8     # Debian/Ubuntu
dnf install openscap-scanner     # RHEL/AlmaLinux

# Run CIS benchmark scan
# The profile ID and content file must match the target distribution's
# SCAP Security Guide datastream (provided by the scap-security-guide package).
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results results.xml \
  --report report.html \
  /usr/share/xml/scap/ssg/content/ssg-*.xml
```

### Manual Compliance Verification

```bash
# SELinux status
getenforce

# AppArmor status
aa-status

# Firewall status
ufw status verbose          # Debian/Ubuntu
firewall-cmd --list-all     # RHEL

# SSH configuration (sshd -T prints keys in lowercase, so match case-insensitively)
sshd -T | grep -iE "(PermitRootLogin|PasswordAuthentication|GSSAPIAuthentication)"

# Audit daemon status
systemctl status auditd
auditctl -l

# Automatic updates
systemctl status unattended-upgrades    # Debian/Ubuntu
systemctl status dnf-automatic.timer    # RHEL
```

---

## Compliance Gaps and Remediation Plan

### Known Gaps

| Gap | Framework | Target Date | Owner |
|-----|-----------|-------------|-------|
| Multi-Factor Authentication | NIST IA-2(1) | Q2 2025 | Security Team |
| Centralized Logging | NIST DE.AE-3 | Q1 2025 | Ops Team |
| SIEM Integration | NIST DE.DP-4 | Q2 2025 | Security Team |
| Full Disk Encryption | NIST PR.DS-1 | Q3 2025 | Ops Team |
| Automated Vulnerability Scanning | PCI 11.2 | Q2 2025 | Security Team |

### Remediation Roadmap

**Q1 2025**:
- Implement centralized logging (ELK or Graylog)
- Enhance audit rules for PCI compliance

**Q2 2025**:
- Add multi-factor authentication for privileged access
- Deploy SIEM solution
- Implement automated vulnerability scanning

**Q3 2025**:
- Full disk encryption for sensitive systems
- Implement intrusion detection (IDS/IPS)

---

## Audit and Review Schedule

| Activity | Frequency | Responsible | Last Completed |
|----------|-----------|-------------|----------------|
| CIS Benchmark Scan | Monthly | Ops Team | 2025-11-11 |
| Access Review | Quarterly | Security Team | 2025-11-11 |
| Configuration Audit | Quarterly | Ops Team | 2025-11-11 |
| Vulnerability Scan | Monthly | Security Team | 2025-11-11 |
| Penetration Test | Annually | External Auditor | N/A |
| Compliance Documentation Review | Quarterly | Security Team | 2025-11-11 |

---

## Related Documentation

- [Security Model](./architecture/security-model.md)
- [Architecture Overview](./architecture/overview.md)
- [CLAUDE.md Guidelines](../CLAUDE.md)
- [Runbook: Incident Response](./runbooks/incident-response.md)

---

**Document Version**: 1.0.0
**Last Updated**: 2025-11-11
**Next Review**: 2026-02-11
**Document Owner**: Security & Infrastructure Team
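---

### Example: Scripted SSH Hardening Check

The manual verification commands above only print values; the script below, added here as an example and not one of the repository's roles, turns the SSH rows of the CIS table (5.2.9, 5.2.10, 5.2.11, 5.2.16) into pass/fail evidence by parsing `sshd -T` output. It assumes the dump is piped in or saved to a file; the two sample dumps are constructed, not captured from a real host.

```shell
# Added example, not one of the repository's roles: checks the effective sshd
# settings printed by `sshd -T` (run as root; keys come out lowercase, e.g.
# "permitrootlogin no") against the CIS SSH values in this document. Reads the
# dump from stdin, so it also works offline:  check_sshd_config < sshd-T.txt

# expect LABEL ACTUAL OP EXPECTED: OP is "eq" (exact string) or "le" (integer
# ceiling). Prints PASS/FAIL; returns 1 on mismatch or when ACTUAL is unset.
expect() {
    if { [ "$3" = eq ] && [ "$2" = "$4" ]; } ||
       { [ "$3" = le ] && [ "$2" -le "$4" ] 2>/dev/null; }; then
        printf 'PASS  %s = %s\n' "$1" "$2"
    else
        printf 'FAIL  %s = %s (expected %s %s)\n' "$1" "${2:-<unset>}" "$3" "$4"
        return 1
    fi
}

# check_sshd_config: reads `sshd -T` output from stdin, prints one line per
# control and returns 0 only if every control passes. A key the daemon does
# not report counts as a failure: an unknown value cannot be shown compliant.
check_sshd_config() {
    prl="" pwa="" gss="" mat=""
    while read -r key value; do
        case "$key" in
            permitrootlogin)        prl=$value ;;
            passwordauthentication) pwa=$value ;;
            gssapiauthentication)   gss=$value ;;
            maxauthtries)           mat=$value ;;
        esac
    done
    failures=0
    expect "CIS 5.2.9  PermitRootLogin"        "$prl" eq no || failures=$((failures + 1))
    expect "CIS 5.2.10 PasswordAuthentication" "$pwa" eq no || failures=$((failures + 1))
    expect "CIS 5.2.11 GSSAPIAuthentication"   "$gss" eq no || failures=$((failures + 1))
    expect "CIS 5.2.16 MaxAuthTries"           "$mat" le 3  || failures=$((failures + 1))
    [ "$failures" -eq 0 ]
}

# Constructed sample dumps (not captured from a real host): a hardened host and
# one still on upstream defaults, which fails three of the four controls.
HARDENED='permitrootlogin no
passwordauthentication no
gssapiauthentication no
maxauthtries 3'
DEFAULTS='permitrootlogin prohibit-password
passwordauthentication yes
gssapiauthentication no
maxauthtries 6'
printf '%s\n' "$HARDENED" | check_sshd_config || echo "hardened sample: NON-COMPLIANT"
printf '%s\n' "$DEFAULTS" | check_sshd_config || echo "default sample: NON-COMPLIANT"
```

On a live host, run `sshd -T | check_sshd_config` as root; a non-zero exit status marks the host as non-compliant, which makes the check usable from a cron job or an Ansible task.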