infra-automation/docs/security-compliance.md

Security Compliance Documentation

Overview

This document maps infrastructure security controls to industry-standard frameworks and provides evidence of compliance implementation.

Last Updated: 2025-11-11 Review Cycle: Quarterly Document Owner: Security & Infrastructure Team

---

Compliance Frameworks

This infrastructure implements controls aligned with:

• CIS Benchmarks (Center for Internet Security)
• NIST Cybersecurity Framework
• NIST SP 800-53 (Security and Privacy Controls)
• PCI-DSS (if applicable for payment processing)
• HIPAA (if applicable for healthcare data)

---

CIS Benchmarks Compliance

CIS Linux Benchmark

CIS ID	Control	Implementation	Status	Evidence
1.6.1	Ensure SELinux is installed	SELinux package installed on RHEL family	✓	deploy_linux_vm role
1.6.2	Ensure SELinux is not disabled	SELinux set to enforcing mode	✓	/etc/selinux/config, getenforce
1.6.3	Ensure AppArmor is installed	AppArmor installed on Debian family	✓	deploy_linux_vm role
3.5.1	Ensure firewall is installed	UFW/firewalld installed	✓	Automated by role
3.5.2	Ensure firewall is enabled	Firewall active at boot	✓	ufw status, firewall-cmd --state
4.1.1	Ensure auditd is installed	auditd package present	✓	Essential packages list
4.1.2	Ensure auditd is enabled	auditd service running	✓	systemctl status auditd
5.2.1	Ensure SSH Protocol 2	Protocol 2 in sshd_config	✓	SSH hardening config
5.2.9	Ensure PermitRootLogin is disabled	PermitRootLogin no	✓	/etc/ssh/sshd_config.d/99-security.conf
5.2.10	Ensure PasswordAuthentication is disabled	PasswordAuthentication no	✓	SSH hardening config
5.2.11	Ensure GSSAPI authentication is disabled	GSSAPIAuthentication no	✓	CLAUDE.md requirement
5.2.16	Ensure SSH MaxAuthTries is set to 3 or less	MaxAuthTries 3	✓	SSH hardening config
5.3.1	Ensure sudo is installed	sudo package present	✓	All systems
5.3.2	Ensure sudo commands use pty	Defaults use_pty	✓	sudoers config
5.3.3	Ensure sudo log file exists	Defaults logfile	✓	sudoers config

CIS Distribution Support Benchmark

Distribution	Benchmark Version	Compliance Level	Testing
Debian 12	CIS Debian Linux 12 v1.0.0	Level 1	Manual
Ubuntu 22.04	CIS Ubuntu 22.04 LTS v1.0.0	Level 1	Manual
AlmaLinux 9	CIS AlmaLinux OS 9 v1.0.0	Level 1	Manual
Rocky Linux 9	CIS Rocky Linux 9 v1.0.0	Level 1	Manual

---

NIST Cybersecurity Framework

Framework Core Functions

1. Identify (ID)

Category	Control	Implementation	Status
ID.AM-1	Physical devices and systems	system_info role collects inventory	✓
ID.AM-2	Software platforms and applications	system_info detects installed software	✓
ID.AM-3	Organizational communication	Documentation in docs/	✓
ID.AM-4	External information systems	Network topology documented	✓
ID.GV-1	Organizational cybersecurity policy	CLAUDE.md guidelines	✓

2. Protect (PR)

Category	Control	Implementation	Status
PR.AC-1	Identities and credentials are managed	Ansible user with SSH keys	✓
PR.AC-3	Remote access is managed	SSH key-only, no password auth	✓
PR.AC-4	Access permissions managed	Least privilege, sudo logging	✓
PR.DS-1	Data at rest is protected	LVM encryption (planned)	Planned
PR.DS-2	Data in transit is protected	SSH encryption for all comms	✓
PR.IP-1	Baseline configuration	Ansible roles define baseline	✓
PR.IP-3	Configuration change control	Git version control	✓
PR.IP-12	Vulnerability management plan	Automatic security updates	✓
PR.MA-1	Maintenance is performed	Ansible playbooks for maintenance	✓
PR.PT-1	Audit logs are determined and documented	auditd configured	✓
PR.PT-3	Principle of least functionality	Minimal services enabled	✓

3. Detect (DE)

Category	Control	Implementation	Status
DE.AE-3	Event data are aggregated	auditd, journald	✓
DE.CM-1	Network monitored	Firewall logs (basic)	Partial
DE.CM-7	Unauthorized activity detected	Audit rules for privileged ops	✓
DE.DP-4	Event detection communicated	Planned SIEM integration	Planned

4. Respond (RS)

Category	Control	Implementation	Status
RS.AN-1	Notifications investigated	Manual process	Manual
RS.CO-2	Incidents reported	Incident response runbook	Planned
RS.MI-2	Incidents contained	Firewall rules for isolation	✓

5. Recover (RC)

Category	Control	Implementation	Status
RC.RP-1	Recovery plan executed	DR playbook available	✓
RC.RP-2	Recovery plan updated	Playbook versioned in git	✓

---

NIST SP 800-53 Controls

Access Control (AC)

Control	Title	Implementation	Evidence
AC-2	Account Management	ansible service account	Automated provisioning
AC-3	Access Enforcement	SELinux/AppArmor MAC	getenforce, aa-status
AC-6	Least Privilege	sudo with logging	sudoers configuration
AC-7	Unsuccessful Login Attempts	SSH MaxAuthTries = 3	sshd_config
AC-17	Remote Access	SSH key-only authentication	SSH hardening

Audit and Accountability (AU)

Control	Title	Implementation	Evidence
AU-2	Auditable Events	auditd rules configured	/etc/audit/rules.d/
AU-3	Content of Audit Records	auditd log format	/var/log/audit/audit.log
AU-6	Audit Review	Manual review process	Quarterly reviews
AU-8	Time Stamps	chrony time sync	NTP configuration
AU-9	Protection of Audit Information	Restrictive permissions	600 on audit logs
AU-12	Audit Generation	auditd enabled system-wide	systemctl status auditd

Configuration Management (CM)

Control	Title	Implementation	Evidence
CM-2	Baseline Configuration	Ansible roles define baseline	Git repository
CM-3	Configuration Change Control	Pull request workflow	Git history
CM-6	Configuration Settings	CIS Benchmark compliance	Automated hardening
CM-7	Least Functionality	Minimal packages installed	Package lists

Identification and Authentication (IA)

Control	Title	Implementation	Evidence
IA-2	Identification and Authentication	SSH key-based	sshd_config
IA-2(1)	Multi-Factor to Privileged Accounts	Planned (not implemented)	Planned
IA-5	Authenticator Management	SSH key rotation policy	90-day policy
IA-5(1)	Password-Based Authentication	Passwords disabled for SSH	sshd_config

System and Communications Protection (SC)

Control	Title	Implementation	Evidence
SC-7	Boundary Protection	Firewall at each host	UFW/firewalld
SC-8	Transmission Confidentiality	SSH encryption	All Ansible comms via SSH
SC-13	Cryptographic Protection	SSH keys, TLS	SSH v2, strong ciphers

System and Information Integrity (SI)

Control	Title	Implementation	Evidence
SI-2	Flaw Remediation	Automatic security updates	unattended-upgrades/dnf-automatic
SI-3	Malicious Code Protection	ClamAV (planned)	Planned
SI-4	Information System Monitoring	auditd, logs	Log files
SI-7	Software Integrity Checks	AIDE file integrity	AIDE configuration

---

PCI-DSS Compliance (If Applicable)

Requirement Mapping

Req	Title	Implementation	Status
2.2	Configuration Standards	Ansible roles enforce standards	✓
2.3	Encrypt Non-Console Access	SSH only, encrypted	✓
8.1	Unique User IDs	ansible service account per system	✓
8.2	Strong Authentication	SSH keys (4096-bit RSA)	✓
8.3	Multi-Factor Auth	Planned	Planned
10.1	Audit Trails	auditd enabled	✓
10.2	Automated Audit Trails	auditd automatic logging	✓

---

Compliance Evidence Collection

Automated Compliance Checks

Use OpenSCAP for automated compliance scanning:

# Install OpenSCAP
apt-get install libopenscap8 # Debian/Ubuntu
dnf install openscap-scanner # RHEL/AlmaLinux

# Run CIS benchmark scan
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results results.xml \
  --report report.html \
  /usr/share/xml/scap/ssg/content/ssg-*.xml

Manual Compliance Verification

# SELinux status
getenforce

# AppArmor status
aa-status

# Firewall status
ufw status verbose  # Debian/Ubuntu
firewall-cmd --list-all  # RHEL

# SSH configuration
sshd -T | grep -E "(PermitRootLogin|PasswordAuthentication|GSSAPIAuthentication)"

# Audit daemon status
systemctl status auditd
auditctl -l

# Automatic updates
systemctl status unattended-upgrades  # Debian/Ubuntu
systemctl status dnf-automatic.timer  # RHEL

---

Compliance Gaps and Remediation Plan

Known Gaps

Gap	Framework	Target Date	Owner
Multi-Factor Authentication	NIST IA-2(1)	Q2 2025	Security Team
Centralized Logging	NIST DE.AE-3	Q1 2025	Ops Team
SIEM Integration	NIST DE.DP-4	Q2 2025	Security Team
Full Disk Encryption	NIST PR.DS-1	Q3 2025	Ops Team
Automated Vulnerability Scanning	PCI 11.2	Q2 2025	Security Team

Remediation Roadmap

Q1 2025:

• Implement centralized logging (ELK or Graylog)
• Enhance audit rules for PCI compliance

Q2 2025:

• Add multi-factor authentication for privileged access
• Deploy SIEM solution
• Implement automated vulnerability scanning

Q3 2025:

• Full disk encryption for sensitive systems
• Implement intrusion detection (IDS/IPS)

---

Audit and Review Schedule

Activity	Frequency	Responsible	Last Completed
CIS Benchmark Scan	Monthly	Ops Team	2025-11-11
Access Review	Quarterly	Security Team	2025-11-11
Configuration Audit	Quarterly	Ops Team	2025-11-11
Vulnerability Scan	Monthly	Security Team	2025-11-11
Penetration Test	Annually	External Auditor	N/A
Compliance Documentation Review	Quarterly	Security Team	2025-11-11

---

Related Documentation

• Security Model
• Architecture Overview
• CLAUDE.md Guidelines
• Runbook: Incident Response

---

Document Version: 1.0.0 Last Updated: 2025-11-11 Next Review: 2026-02-11 Document Owner: Security & Infrastructure Team