Auto-commit from giteapush.sh at 2025-05-01 06:36:22

2025-05-01 06:36:22 -04:00 · 2025-05-01 06:36:22 -04:00 · 16d9616b2f
commit 16d9616b2f
parent 07de704133
1 changed files with 63 additions and 0 deletions
--- a/genesishostingmd/master_compliance_checklist.md
+++ b/genesishostingmd/master_compliance_checklist.md
@ -0,0 +1,63 @@
 # ✅ Master Compliance Checklist  
 *(Status: ☐ = Not Started | 🟨 = In Progress | ✅ = Complete)*
 ## 🧑‍💼 Access & User Management
 - [ ] Role-Based Access Control (RBAC) in place (Customer, Admin, etc.)
 - [ ] Account creation follows secure onboarding workflows
 - [ ] Admin access restricted to SSH keys only
 - [ ] Inactive accounts locked or removed quarterly
 - [ ] Least privilege enforced across all services
 ## 💾 Backups & Disaster Recovery
 - [ ] Daily backups enabled for all key services (DirectAdmin, WHMCS, AzuraCast, TeamTalk)
 - [ ] Weekly offsite backups with verification
 - [ ] ZFS snapshots scheduled (hourly/daily/weekly)
 - [ ] Backup integrity validated with checksums or scrubs
 - [ ] Quarterly disaster recovery drill completed
 - [ ] Restore instructions documented and tested
 ## 🔐 Security
 - [ ] 2FA enabled on all admin interfaces (WHMCS, SSH, DirectAdmin)
 - [ ] SSH password auth disabled, key-only enforced
 - [ ] Weekly patching or updates scheduled (Sunday 7–9 PM)
 - [ ] Centralized logging active and stored 30–90 days
 - [ ] Fail2Ban + Genesis Shield integrated and alerting
 - [ ] TLS 1.2+ enforced for all public services
 - [ ] AES-256 encryption at rest on backups and sensitive volumes
 ## 🖥️ Provisioning & Automation
 - [ ] WHMCS integrated with DirectAdmin, AzuraCast, TeamTalk
 - [ ] All provisioning scripts tested and logged
 - [ ] Post-deploy verification checklist followed
 - [ ] DNS + SSL automation in place (Let's Encrypt)
 - [ ] Monitoring added after provisioning (Prometheus/Grafana)
 ## 📋 Client Policies
 - [ ] Acceptable Use Policy posted and enforced
 - [ ] Abuse response process defined and working
 - [ ] DMCA policy publicly available and followed
 - [ ] Suspension and refund rules defined in WHMCS
 - [ ] Privacy Policy and Terms of Service available on client portal
 ## 🌐 Services Configuration
 - [ ] DirectAdmin quotas enforced (disk, bandwidth, email)
 - [ ] AzuraCast listener/storage/bitrate limits respected
 - [ ] TeamTalk server abuse protection and user limits enforced
 - [ ] Domain registration/renewal workflows tested
 - [ ] SSL auto-renew working correctly (Let's Encrypt + certbot)
 ## ⚙️ Infrastructure
 - [ ] ZFS pools configured for redundancy (RAIDZ1, mirrors)
 - [ ] rclone mount points with caching working and monitored
 - [ ] Genesis Shield actively alerting via Telegram/Mastodon
 - [ ] All VMs named per convention (e.g., `krang`, `shredderv2`)
 - [ ] Sunday maintenance window consistently followed
 - [ ] Ansible playbooks used for provisioning/config consistency
 ## 🛠️ Tools & Scripts
 - [ ] All scripts version-controlled and documented
 - [ ] Backups and restore tools tested and working
 - [ ] Mastodon alert bot operating with secure tokens
 - [ ] Rclone VFS stats monitored regularly
 - [ ] Admin tools accessible only by authorized users
 """