doctator/bin-there-done-that
doctator/bin-there-done-that
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
bin-there-done-that/genesishostingmd/master_compliance_checklist.md

64 lines
2.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ✅ Master Compliance Checklist
*(Status: ☐ = Not Started | 🟨 = In Progress | ✅ = Complete)*
## 🧑‍💼 Access & User Management
- [ ] Role-Based Access Control (RBAC) in place (Customer, Admin, etc.)
- [ ] Account creation follows secure onboarding workflows
- [ ] Admin access restricted to SSH keys only
- [ ] Inactive accounts locked or removed quarterly
- [ ] Least privilege enforced across all services
## 💾 Backups & Disaster Recovery
- [ ] Daily backups enabled for all key services (DirectAdmin, WHMCS, AzuraCast, TeamTalk)
- [ ] Weekly offsite backups with verification
- [ ] ZFS snapshots scheduled (hourly/daily/weekly)
- [ ] Backup integrity validated with checksums or scrubs
- [ ] Quarterly disaster recovery drill completed
- [ ] Restore instructions documented and tested
## 🔐 Security
- [ ] 2FA enabled on all admin interfaces (WHMCS, SSH, DirectAdmin)
- [ ] SSH password auth disabled, key-only enforced
- [ ] Weekly patching or updates scheduled (Sunday 79 PM)
- [ ] Centralized logging active and stored 3090 days
- [ ] Fail2Ban + Genesis Shield integrated and alerting
- [ ] TLS 1.2+ enforced for all public services
- [ ] AES-256 encryption at rest on backups and sensitive volumes
## 🖥️ Provisioning & Automation
- [ ] WHMCS integrated with DirectAdmin, AzuraCast, TeamTalk
- [ ] All provisioning scripts tested and logged
- [ ] Post-deploy verification checklist followed
- [ ] DNS + SSL automation in place (Let's Encrypt)
- [ ] Monitoring added after provisioning (Prometheus/Grafana)
## 📋 Client Policies
- [ ] Acceptable Use Policy posted and enforced
- [ ] Abuse response process defined and working
- [ ] DMCA policy publicly available and followed
- [ ] Suspension and refund rules defined in WHMCS
- [ ] Privacy Policy and Terms of Service available on client portal
## 🌐 Services Configuration
- [ ] DirectAdmin quotas enforced (disk, bandwidth, email)
- [ ] AzuraCast listener/storage/bitrate limits respected
- [ ] TeamTalk server abuse protection and user limits enforced
- [ ] Domain registration/renewal workflows tested
- [ ] SSL auto-renew working correctly (Let's Encrypt + certbot)
## ⚙️ Infrastructure
- [ ] ZFS pools configured for redundancy (RAIDZ1, mirrors)
- [ ] rclone mount points with caching working and monitored
- [ ] Genesis Shield actively alerting via Telegram/Mastodon
- [ ] All VMs named per convention (e.g., `krang`, `shredderv2`)
- [ ] Sunday maintenance window consistently followed
- [ ] Ansible playbooks used for provisioning/config consistency
## 🛠️ Tools & Scripts
- [ ] All scripts version-controlled and documented
- [ ] Backups and restore tools tested and working
- [ ] Mastodon alert bot operating with secure tokens
- [ ] Rclone VFS stats monitored regularly
- [ ] Admin tools accessible only by authorized users
"""
Reference in New Issue View Git Blame Copy Permalink