Initialize ops repository
This commit is contained in:
vaultsovereign
9
70-audits/README.md
Normal file
9
70-audits/README.md
Normal file
@@ -0,0 +1,9 @@
|
||||
# Audits
|
||||
|
||||
Audits are how drift is prevented.
|
||||
|
||||
- Checklists live in `70-audits/checklists/`.
|
||||
- Evidence and outcomes live in `70-audits/reports/`.
|
||||
|
||||
If a checklist item cannot be verified, treat it as failed until proven otherwise.
|
||||
|
||||
1
70-audits/checklists/.gitkeep
Normal file
1
70-audits/checklists/.gitkeep
Normal file
@@ -0,0 +1 @@
|
||||
|
||||
12
70-audits/checklists/README.md
Normal file
12
70-audits/checklists/README.md
Normal file
@@ -0,0 +1,12 @@
|
||||
# Checklists
|
||||
|
||||
Use these to perform regular drift control.
|
||||
|
||||
When you run a checklist, file the result under `70-audits/reports/` with:
|
||||
|
||||
- date/time
|
||||
- operator role used
|
||||
- what changed
|
||||
- what was revoked/rotated
|
||||
- any failures and follow-ups
|
||||
|
||||
17
70-audits/checklists/quarterly.md
Normal file
17
70-audits/checklists/quarterly.md
Normal file
@@ -0,0 +1,17 @@
|
||||
# Quarterly Drift Control
|
||||
|
||||
## Identity
|
||||
|
||||
- Rotate high-value credentials and invalidate old material.
|
||||
- Re-evaluate role scopes; remove privileges that became “default”.
|
||||
|
||||
## Backup reality check
|
||||
|
||||
- Perform a full restore drill of at least one critical system.
|
||||
- Verify restore validation steps still match reality.
|
||||
|
||||
## Infra sanity
|
||||
|
||||
- Identify and remove orphaned resources (accounts, hosts, services).
|
||||
- Confirm all critical infrastructure is reproducible from `ops/`.
|
||||
|
||||
22
70-audits/checklists/weekly.md
Normal file
22
70-audits/checklists/weekly.md
Normal file
@@ -0,0 +1,22 @@
|
||||
# Weekly Drift Control
|
||||
|
||||
## Identity
|
||||
|
||||
- Review active leases; revoke anything unused or unclear.
|
||||
- Confirm least-privilege matches reality (roles/policies still correct).
|
||||
- Confirm no new long-lived credentials exist without rotation plan.
|
||||
|
||||
## Backups
|
||||
|
||||
- Verify latest backups completed for all critical sets.
|
||||
- Confirm at least one restore proof is recent (per backup cadence).
|
||||
|
||||
## Inventory / Naming
|
||||
|
||||
- Confirm new systems/services are inventoried and named `<role>-<scope>-<id>`.
|
||||
- Rename unclear entries before deleting anything.
|
||||
|
||||
## Core boundary
|
||||
|
||||
- Confirm critical changes still originate only from `op-core-vm`.
|
||||
|
||||
1
70-audits/reports/.gitkeep
Normal file
1
70-audits/reports/.gitkeep
Normal file
@@ -0,0 +1 @@
|
||||
|
||||
9
70-audits/reports/README.md
Normal file
9
70-audits/reports/README.md
Normal file
@@ -0,0 +1,9 @@
|
||||
# Reports
|
||||
|
||||
Store audit outcomes and evidence here.
|
||||
|
||||
Suggested format:
|
||||
|
||||
- `YYYY-MM-DD-weekly.md`
|
||||
- `YYYY-Q#-quarterly.md`
|
||||
|
||||
Reference in New Issue
Block a user