Rodrigo Rodriguez (Pragmatismo) 983fceca54 - Almost done, documentation base for 6.1.0.

2025-11-24 13:36:09 -03:00

18 KiB

Raw Blame History

Compliance Requirements Checklist

Overview

This document provides a comprehensive checklist for security and compliance requirements across multiple frameworks (GDPR, SOC 2, ISO 27001, HIPAA, LGPD) using the actual components deployed in General Bots.

Component Stack

Component	Purpose	License
Caddy	Reverse proxy, TLS termination, web server	Apache 2.0
PostgreSQL	Relational database	PostgreSQL License
General Bots Directory	Identity and access management (Zitadel/Keycloak)	Apache 2.0
Drive	S3-compatible object storage	AGPLv3
Stalwart	Mail server (SMTP/IMAP)	AGPLv3
Qdrant	Vector database	Apache 2.0
Cache (Valkey)	In-memory cache (Redis-compatible)	BSD 3-Clause
LiveKit	Video conferencing	Apache 2.0
Ubuntu	Operating system	Various

Compliance Requirements Matrix

Legend

✅ = Implemented and configured
⚠️ = Partially implemented, needs configuration
⬜ = Not yet implemented
🔄 = Automated process
📝 = Manual process required

Network & Web Server (Caddy)

Status	Requirement	Component	Standard	Implementation
✅	TLS 1.3 Configuration	Caddy	All	Automatic TLS 1.3 with modern ciphers
✅	Access Logging	Caddy	All	JSON format logs to `/var/log/caddy/access.log`
✅	Rate Limiting	Caddy	ISO 27001	Per-IP rate limiting in Caddyfile
⚠️	WAF Rules	Caddy	HIPAA	Consider Caddy security plugins or external WAF
✅	Security Headers	Caddy	All	HSTS, CSP, X-Frame-Options, X-Content-Type-Options
✅	Reverse Proxy Security	Caddy	All	Secure forwarding with real IP preservation
✅	Certificate Management	Caddy	All	Automatic Let's Encrypt with auto-renewal
🔄	HTTPS Redirect	Caddy	All	Automatic HTTP to HTTPS redirect

Configuration File: /etc/caddy/Caddyfile

app.example.com {
    tls {
        protocols tls1.3
        ciphers TLS_AES_256_GCM_SHA384
    }
    header {
        Strict-Transport-Security "max-age=31536000"
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        Content-Security-Policy "default-src 'self'"
    }
    rate_limit {
        zone static {
            key {remote_host}
            events 100
            window 1m
        }
    }
    reverse_proxy localhost:3000
}

Identity & Access Management (General Bots Directory)

Status	Requirement	Component	Standard	Implementation
✅	MFA Implementation	Directory	All	TOTP/SMS/Hardware token support
✅	RBAC Configuration	Directory	All	Role-based access control with custom roles
✅	Password Policy	Directory	All	Min 12 chars, complexity requirements, history
✅	OAuth2/OIDC Setup	Directory	ISO 27001	OAuth 2.0 and OpenID Connect flows
✅	Audit Logging	Directory	All	Comprehensive user activity logs
✅	Session Management	Directory	All	Configurable timeouts and invalidation
✅	SSO Support	Directory	Enterprise	SAML and OIDC SSO integration
⚠️	Password Rotation	Directory	HIPAA	Configure 90-day rotation policy
📝	Access Reviews	Directory	All	Quarterly manual review of user permissions

Configuration: Directory Admin Console (http://localhost:8080)

Key Settings:

Password min length: 12 characters
MFA: Required for admins
Session timeout: 8 hours
Idle timeout: 30 minutes

Database (PostgreSQL)

Status	Requirement	Component	Standard	Implementation
✅	Encryption at Rest	PostgreSQL	All	File-system level encryption (LUKS)
✅	Encryption in Transit	PostgreSQL	All	TLS/SSL connections enforced
✅	Access Control	PostgreSQL	All	Role-based database permissions
✅	Audit Logging	PostgreSQL	All	pgAudit extension for detailed logging
✅	Connection Pooling	PostgreSQL	All	Built-in connection management
⚠️	Row-Level Security	PostgreSQL	HIPAA	Configure RLS policies for sensitive tables
⚠️	Column Encryption	PostgreSQL	GDPR	Encrypt PII columns with pgcrypto
🔄	Automated Backups	PostgreSQL	All	Daily backups via pg_dump/pg_basebackup
✅	Point-in-Time Recovery	PostgreSQL	HIPAA	WAL archiving enabled

Configuration: Installed and configured automatically via installer.rs

-- Enable SSL
ssl = on
ssl_cert_file = '/path/to/server.crt'
ssl_key_file = '/path/to/server.key'
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'

-- Enable audit logging
shared_preload_libraries = 'pgaudit'
pgaudit.log = 'write, ddl'
pgaudit.log_catalog = off

-- Connection settings
max_connections = 100
password_encryption = scram-sha-256

-- Logging
log_connections = on
log_disconnections = on
log_duration = on
log_statement = 'all'

Object Storage (Drive)

Status	Requirement	Component	Standard	Implementation
✅	Encryption at Rest	Drive	All	Server-side encryption (SSE-S3)
✅	Encryption in Transit	Drive	All	TLS for all connections
✅	Bucket Policies	Drive	All	Fine-grained access control policies
✅	Object Versioning	Drive	HIPAA	Version control for data recovery
✅	Access Logging	Drive	All	Detailed audit logs for all operations
⚠️	Lifecycle Rules	Drive	LGPD	Configure data retention and auto-deletion
✅	Immutable Objects	Drive	Compliance	WORM (Write-Once-Read-Many) support
🔄	Replication	Drive	HIPAA	Multi-site replication for DR
✅	IAM Integration	Drive	All	Integration with Directory Service via OIDC

Configuration: /conf/drive/config.env

Bucket Policy Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::*:user/app-user"]},
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::bucket-name/*"]
    }
  ]
}

Email Server (Stalwart)

Status	Requirement	Component	Standard	Implementation
✅	DKIM Signing	Stalwart	All	Domain key authentication
✅	SPF Records	Stalwart	All	Sender policy framework
✅	DMARC Policy	Stalwart	All	Domain-based message authentication
✅	Mail Encryption	Stalwart	All	TLS for SMTP/IMAP (STARTTLS + implicit)
✅	Content Filtering	Stalwart	All	Spam and malware filtering
⚠️	Mail Archiving	Stalwart	HIPAA	Configure long-term email archiving
✅	Sieve Filtering	Stalwart	All	Server-side mail filtering
✅	Authentication	Stalwart	All	OIDC integration with Directory Service
📝	Retention Policy	Stalwart	GDPR/LGPD	Define and implement email retention

Configuration: /conf/mail/config.toml

[server.listener."smtp"]
bind = ["0.0.0.0:25"]
protocol = "smtp"

[server.listener."smtp-submission"]
bind = ["0.0.0.0:587"]
protocol = "smtp"
tls.implicit = false

[server.listener."smtp-submissions"]
bind = ["0.0.0.0:465"]
protocol = "smtp"
tls.implicit = true

[authentication]
mechanisms = ["plain", "login"]
directory = "oidc"

[directory."oidc"]
type = "oidc"
issuer = "http://localhost:8080"

DNS Records:

; SPF Record
example.com. IN TXT "v=spf1 ip4:203.0.113.0/24 -all"

; DKIM Record
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

; DMARC Record
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

Cache (Valkey)

Status	Requirement	Component	Standard	Implementation
✅	Authentication	Valkey	All	Password-protected access
✅	TLS Support	Valkey	All	Encrypted connections
✅	Access Control	Valkey	All	ACL-based permissions
⚠️	Persistence	Valkey	Data Recovery	RDB/AOF for data persistence
✅	Memory Limits	Valkey	All	Maxmemory policies configured
📝	Data Expiration	Valkey	GDPR	Set TTL for cached personal data

Configuration: /etc/valkey/valkey.conf

# Authentication
requirepass SecurePassword123!

# TLS
tls-port 6380
tls-cert-file /path/to/cert.pem
tls-key-file /path/to/key.pem
tls-protocols "TLSv1.3"

# ACL
aclfile /etc/valkey/users.acl

# Memory management
maxmemory 2gb
maxmemory-policy allkeys-lru

# Persistence
save 900 1
save 300 10

Vector Database (Qdrant)

Status	Requirement	Component	Standard	Implementation
✅	API Authentication	Qdrant	All	API key authentication
✅	TLS Support	Qdrant	All	HTTPS enabled
✅	Access Control	Qdrant	All	Collection-level permissions
⚠️	Data Encryption	Qdrant	HIPAA	File-system level encryption
🔄	Backup Support	Qdrant	All	Snapshot-based backups
📝	Data Retention	Qdrant	GDPR	Implement collection cleanup policies

Configuration: /etc/qdrant/config.yaml

service:
  host: 0.0.0.0
  http_port: 6333
  grpc_port: 6334

security:
  api_key: "your-secure-api-key"
  read_only_api_key: "read-only-key"

storage:
  storage_path: /var/lib/qdrant/storage
  snapshots_path: /var/lib/qdrant/snapshots

telemetry:
  enabled: false

Operating System (Ubuntu)

Status	Requirement	Component	Standard	Implementation
⚠️	System Hardening	Ubuntu	All	Apply CIS Ubuntu Linux benchmarks
✅	Automatic Updates	Ubuntu	All	Unattended-upgrades for security patches
⚠️	Audit Daemon	Ubuntu	All	Configure auditd for system events
✅	Firewall Rules	Ubuntu	All	UFW configured with restrictive rules
⚠️	Disk Encryption	Ubuntu	All	LUKS full-disk encryption
⚠️	AppArmor	Ubuntu	All	Enable mandatory access control
📝	User Management	Ubuntu	All	Disable root login, use sudo
📝	SSH Hardening	Ubuntu	All	Key-based auth only, disable password auth

Firewall Configuration:

# UFW firewall rules
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp    # SSH
ufw allow 80/tcp    # HTTP
ufw allow 443/tcp   # HTTPS
ufw allow 25/tcp    # SMTP
ufw allow 587/tcp   # SMTP submission
ufw allow 993/tcp   # IMAPS
ufw enable

Automatic Updates:

# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

Audit Rules: /etc/audit/rules.d/audit.rules

# Monitor authentication
-w /var/log/auth.log -p wa -k auth_log
-w /etc/passwd -p wa -k user_modification
-w /etc/group -p wa -k group_modification

# Monitor network
-a always,exit -F arch=b64 -S connect -k network_connect

# Monitor file access
-w /etc/shadow -p wa -k shadow_modification

Cross-Component Requirements

Monitoring & Logging

Status	Requirement	Implementation	Standard
✅	Centralized Logging	All logs to `/var/log/` with rotation	All
⚠️	Log Aggregation	ELK Stack or similar SIEM	ISO 27001
✅	Health Monitoring	Prometheus + Grafana	All
📝	Alert Configuration	Set up alerts for security events	All
✅	Metrics Collection	Component-level metrics	All

Backup & Recovery

Status	Requirement	Implementation	Standard
🔄	Automated Backups	Daily automated backups	All
✅	Backup Encryption	AES-256 encrypted backups	All
✅	Off-site Storage	Drive replication to secondary site	HIPAA
📝	Backup Testing	Quarterly restore tests	All
✅	Retention Policy	90 days for full, 30 for incremental	All

Backup Script: /usr/local/bin/backup-system.sh

#!/bin/bash
BACKUP_DATE=$(date +%Y%m%d_%H%M%S)

# PostgreSQL backup
pg_dump -h localhost -U postgres generalbots | \
  gzip | \
  openssl enc -aes-256-cbc -salt -out /backup/pg_${BACKUP_DATE}.sql.gz.enc

# Drive backup
mc mirror drive/generalbots /backup/drive_${BACKUP_DATE}/

# Qdrant snapshot
curl -X POST "http://localhost:6333/collections/botserver/snapshots"

Network Security

Status	Requirement	Implementation	Standard
✅	Network Segmentation	Component isolation via firewall	All
✅	Internal TLS	TLS between all components	ISO 27001
⚠️	VPN Access	WireGuard VPN for admin access	All
✅	Rate Limiting	Caddy rate limiting	All
📝	DDoS Protection	CloudFlare or similar	Production

Compliance-Specific Requirements

Status	Requirement	Implementation
✅	Data Encryption	AES-256 at rest, TLS 1.3 in transit
✅	Right to Access	API endpoints for data export
✅	Right to Deletion	Data deletion workflows implemented
✅	Right to Portability	JSON export functionality
✅	Consent Management	Zitadel consent flows
📝	Data Processing Records	Document all data processing activities
✅	Breach Notification	Incident response plan includes 72h notification

SOC 2

Status	Requirement	Implementation
✅	Access Controls	RBAC via Zitadel
✅	Audit Logging	Comprehensive logging across all components
✅	Change Management	Version control and deployment procedures
✅	Monitoring	Real-time monitoring with Prometheus
📝	Risk Assessment	Annual risk assessment required
✅	Encryption	Data encrypted at rest and in transit

ISO 27001

Status	Requirement	Implementation
✅	Asset Inventory	Documented component list
✅	Access Control	Zitadel RBAC
✅	Cryptography	Modern encryption standards
📝	Physical Security	Data center security documentation
✅	Operations Security	Automated patching and monitoring
📝	Incident Management	Documented incident response procedures
📝	Business Continuity	DR plan and testing

HIPAA

Status	Requirement	Implementation
✅	Encryption	PHI encrypted at rest and in transit
✅	Access Controls	Role-based access with MFA
✅	Audit Controls	Comprehensive audit logging
⚠️	Integrity Controls	Checksums and versioning
✅	Transmission Security	TLS 1.3 for all communications
📝	Business Associate Agreements	Required for third-party vendors
⚠️	Email Archiving	Stalwart archiving configuration needed

Status	Requirement	Implementation
✅	Data Encryption	Same as GDPR
✅	User Rights	Same as GDPR
✅	Consent	Zitadel consent management
📝	Data Protection Officer	Designate DPO
⚠️	Data Retention	Configure lifecycle policies in Drive
✅	Breach Notification	Same incident response as GDPR

Implementation Priority

High Priority (Critical for Production)

✅ TLS 1.3 everywhere (Caddy, PostgreSQL, Drive, Stalwart)
✅ MFA for all admin accounts (Zitadel)
✅ Firewall configuration (UFW)
✅ Automated security updates (unattended-upgrades)
🔄 Automated encrypted backups

Medium Priority (Required for Compliance)

⚠️ Disk encryption (LUKS)
⚠️ Audit daemon (auditd)
⚠️ WAF rules (Caddy plugins or external)
📝 Access reviews (quarterly)
⚠️ Email archiving (Stalwart)

Lower Priority (Enhanced Security)

⚠️ VPN access (WireGuard)
⚠️ Log aggregation (ELK Stack)
⚠️ AppArmor/SELinux
📝 CIS hardening
📝 Penetration testing

Verification Checklist

Weekly Tasks

Review security logs (Caddy, PostgreSQL, Zitadel)
Check backup completion status
Review failed authentication attempts
Update security patches

Monthly Tasks

Access review for privileged accounts
Review audit logs for anomalies
Test backup restoration
Update vulnerability database

Quarterly Tasks

Full access review for all users
Compliance check (run automated checks)
Security configuration audit
Disaster recovery drill

Annual Tasks

Penetration testing
Full compliance audit
Risk assessment update
Security policy review
Business continuity test

Quick Start Implementation

# 1. Enable firewall
sudo ufw enable
sudo ufw allow 22,80,443,25,587,993/tcp

# 2. Configure automatic updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

# 3. Enable PostgreSQL SSL
sudo -u postgres psql -c "ALTER SYSTEM SET ssl = 'on';"
sudo systemctl restart postgresql

# 4. Set Drive encryption
mc admin config set drive/ server-side-encryption-s3 on

# 5. Configure Zitadel MFA
# Via web console: Settings > Security > MFA > Require for admins

# 6. Enable Caddy security headers
# Add to Caddyfile (see Network & Web Server section)

# 7. Set up daily backups
sudo crontab -e
# Add: 0 2 * * * /usr/local/bin/backup-system.sh

Support & Resources

Internal Security Team: security@pragmatismo.com.br
Compliance Officer: compliance@pragmatismo.com.br
Documentation: https://docs.pragmatismo.com.br
Component Documentation: See "Component Security Documentation" in security-features.md

Document Control

Version: 1.0
Last Updated: 2024-01-15
Next Review: 2024-07-15
Owner: Security Team
Approved By: CTO

18 KiB Raw Blame History