Security Audit Checklist

Use this checklist as a quick-reference audit for your SmallBlock CMS production instance. Each section lists key items you should confirm regularly—ideally during quarterly maintenance or after system updates.

Note

This list is intentionally concise and focuses on the most important, verifiable controls. Customize it for your organization’s compliance or change management requirements.

Operating System & Environment

[ ] All packages are up to date (dnf update or apt upgrade)
[ ] Kernel updates applied and host rebooted if required
[ ] SELinux or AppArmor is enforcing
[ ] Firewall allows only ports 22, 80, 443
[ ] Root login disabled or key-only SSH access
[ ] smallblock service user exists and runs the app
[ ] System clock synchronized via NTP
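The SSH items above are easy to mis-verify with a plain grep, because sshd honours the first occurrence of a directive and silently ignores later ones. The following shell functions are an added example (not part of the SmallBlock project) that read the effective value of a directive the way sshd does and then check the two checklist items. They ignore Match blocks; on a live host, feed them the output of sshd -T, which prints the fully resolved configuration with lowercase keys.

```shell
#!/bin/sh
# Added example, not part of the SmallBlock documentation.

# Print the effective value of an sshd_config directive ($1) from file $2.
# sshd keeps the FIRST occurrence of a directive, so later overrides are
# ignored; the comparison is case-insensitive because `sshd -T` prints
# keys in lowercase.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$2"
}

# Return 0 when root login is disabled (or key-only) and password
# authentication is off; print one FAIL line per violated item otherwise.
audit_sshd() {
    root_login=$(sshd_effective PermitRootLogin "$1")
    pw_auth=$(sshd_effective PasswordAuthentication "$1")
    # Upstream OpenSSH defaults apply when a directive is absent
    root_login=${root_login:-prohibit-password}
    pw_auth=${pw_auth:-yes}
    status=0
    case "$root_login" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin=$root_login (want no or prohibit-password)"; status=1 ;;
    esac
    if [ "$pw_auth" != "no" ]; then
        echo "FAIL PasswordAuthentication=$pw_auth (want no for key-only access)"
        status=1
    fi
    return "$status"
}

# Usage on a host:  audit_sshd /etc/ssh/sshd_config
# or, to include Match blocks:  sshd -T > /tmp/sshd.effective; audit_sshd /tmp/sshd.effective
```

A file that contains "PermitRootLogin yes" followed by "PermitRootLogin no" fails the audit, which is the behaviour sshd actually applies; a file with no directive at all also fails on PasswordAuthentication, because the OpenSSH default is yes.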

Application & Configuration

[ ] DEBUG mode is disabled in production
[ ] SECRET_KEY is unique and stored securely
[ ] .env file has permissions 600 and owned by smallblock
[ ] Environment variables loaded from a protected source
[ ] HTTPS enforced via Nginx configuration
[ ] ALLOWED_HOSTS correctly defined
[ ] Access and error logs enabled and rotated

Database Security

[ ] Database user has least-privilege access
[ ] Remote DB connections disabled unless required
[ ] Database passwords stored securely (not in code)
[ ] Backups encrypted and tested for restore
[ ] Database version supported and patched

File System & Permissions

[ ] /srv/smallblock/ owned by smallblock:smallblock
[ ] No world-readable or writable files
[ ] Static and media paths served by Nginx only
[ ] Directory listing disabled in Nginx
[ ] Sensitive files (.env, .py, .db) inaccessible via HTTP
[ ] Log files rotated and protected

Network & TLS

[ ] Valid TLS certificate (Let’s Encrypt or custom)
[ ] Auto-renewal tested (certbot renew --dry-run)
[ ] Strong cipher suites configured
[ ] Redirect HTTP → HTTPS
[ ] Security headers present: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy

Monitoring & Logging

[ ] Nginx and application logs centralized or monitored
[ ] Error rates and latency tracked
[ ] Health endpoint monitored (/health or /status)
[ ] Disk usage and DB growth monitored
[ ] Security events audited (failed logins, privilege changes)
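"Security events audited" is only meaningful if someone actually reads the log. The two functions below are an added example, not SmallBlock code, showing the minimum that an audit of the host's auth log should produce: failed SSH logins aggregated per source address above a threshold, and sudo invocations of account-changing commands. They parse the standard OpenSSH and sudo line formats found in /var/log/auth.log or journalctl output; the threshold and the command list are assumptions to tune for your environment.

```shell
#!/bin/sh
# Added example, not part of the SmallBlock documentation. Parses the
# standard OpenSSH "Failed password ... from IP" and sudo "COMMAND=" lines.

# Count sshd "Failed password" events per source IP in log file $1 and
# print "IP COUNT" for every address with at least $2 failures, highest first.
failed_login_report() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            # the source address is the token that follows "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= min) print ip, count[ip] }
    ' "$1" | sort -k2,2nr
}

# Print sudo invocations of account- or privilege-changing commands from $1.
# The command list is an assumption; extend it for your own change policy.
privilege_changes() {
    grep -E 'sudo:.*COMMAND=.*/(usermod|useradd|userdel|gpasswd|visudo|passwd)( |$)' "$1"
}

# Usage:  failed_login_report /var/log/auth.log 10; privilege_changes /var/log/auth.log
```

Addresses that appear in the first report with high counts are candidates for a fail2ban or firewall rule review; every line from the second report should correspond to an approved change ticket, which is exactly what the quarterly user-account review in this checklist is meant to reconcile.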

User & Access Management

[ ] Admin passwords use strong complexity rules
[ ] Two-factor authentication enforced where possible
[ ] User accounts reviewed quarterly
[ ] Inactive or former users removed
[ ] API tokens and webhook keys rotated annually

Incident Response & Documentation

[ ] Contact list for escalation current
[ ] Incident response plan documented
[ ] Backup restoration procedure tested
[ ] Disaster recovery drill conducted in last 6 months

Review Schedule

Frequency   Activity
Weekly      Review system logs and disk usage
Monthly     Test backup restoration
Quarterly   Run full checklist review
Annually    Renew TLS certificate, rotate secrets, test disaster recovery

Next Steps