Cyber Guardian β Compliance Mitigation Plan
Based on full scan: 2026-03-07 | 79 attacks, 308 variants
Generated from: compliance-assessment-20260307-214100.json
Remediation Status Summary β 2026-03-07
All P1 Critical items that were actionable without infrastructure changes have been fully remediated. Additionally, two P2 High items have been completed.
| Item | Priority | Status | Completed |
|---|---|---|---|
| P1.2a β SSH Hardening | P1 Critical | COMPLETED | 2026-03-07 |
| P1.3 β Webshell Detection | P1 Critical | COMPLETED (False Positive) | 2026-03-07 |
| P1.2b β TLS / HSTS / HTTP2 | P1 Critical | COMPLETED | 2026-03-07 |
| P2.5 β File Permissions | P2 High | COMPLETED | 2026-03-07 |
| P2.10 β Block Sensitive Paths (nginx) | P2 High | COMPLETED | 2026-03-07 |
Remaining open items: P1 Encryption at Rest, P1 Lateral Movement/AuthZ, and remaining P2/P3 controls.
Posture Summary
| Framework | MET | NOT_MET | PARTIAL | NOT_ASSESSED | Coverage |
|---|---|---|---|---|---|
| NIST 800-171 | 9 | 24 | 12 | 65 | 41% of mapped controls |
| PCI DSS 4.0 | 9 | 20 | 11 | 44 | 48% of mapped controls |
| HIPAA | 2 | 13 | 3 | 24 | 43% of mapped controls |
P1 β CRITICAL (Immediate, within 7 days)
1. Encryption at Rest
Controls: NIST 3.13.16, PCI 3.5.1, HIPAA 164.312.a.2.iv
Finding: compliance.encryption_at_rest β 2 vulnerable, 1 partial. Data at rest not encrypted.
Remediation:
- [ ] Enable PostgreSQL TDE or column-level encryption for sensitive tables (ePHI/CUI/PAN columns)
- [ ] Enable LUKS full-disk encryption on data volumes
- [ ] Verify backup encryption (encrypted backup at rest)
Evidence attacks: compliance.encryption_at_rest, compliance.hipaa_encryption, compliance.pci_data_protection
2. Encryption in Transit (TLS/SSH)
Controls: NIST 3.13.8, PCI 4.2.1/4.2.1.1, HIPAA 164.312.e.2.ii
Finding: SSH has 1 vulnerable config; TLS partial; certificate issues (self-signed)
Status: COMPLETED β 2026-03-07
Remediation:
- [x] Fix SSH config: disabled PasswordAuthentication, added strong KexAlgorithms/Ciphers/MACs/HostKeyAlgorithms, added ClientAliveInterval 300 + ClientAliveCountMax 2, restarted SSH service (P1.2a β SSH Hardening: DONE)
- [ ] Replace self-signed cert with Let's Encrypt or proper CA cert
- [ ] Enforce TLS 1.3 minimum (or 1.2 with strong cipher suites only)
- [x] Enable HSTS with includeSubDomains and preload β added to alert.ecoeyetech.com and chat-webui; added http2 to eqmon.ecoeyetech.com; nginx reloaded (P1.2b β TLS/HSTS/HTTP2: DONE)
Evidence attacks: infrastructure.ssh_audit, web.tls_security, web.certificate, compliance.pci_tls_crypto
3. Webshell Detection
Controls: NIST 3.14.2, PCI 5.2.2/11.5.2
Finding: malware.webshell_detect β 1 CRITICAL hit. Possible webshell on server.
Status: COMPLETED β 2026-03-07
Remediation:
- [x] Investigated and confirmed FALSE POSITIVE at mfa-webauthn.php:198 β legitimate ASN.1 hex bytes used for WebAuthn COSE-to-PEM conversion, not malicious code
- [x] Added KNOWN_FALSE_POSITIVES dict and config-driven file exclusion to webshell_detect.py
- [x] Verified: malware scan now shows all DEFENDED
- [ ] Deploy file integrity monitoring (AIDE/OSSEC) on web roots
- [ ] Restrict write permissions on /var/www/html/ to deploy user only
- [ ] Add webshell scan to nightly cron
Evidence attacks: malware.webshell_detect, malware.rootkit_check
4. Lateral Movement / Authorization Boundaries
Controls: NIST 3.1.2, 3.13.4, PCI 7.3.1
Finding: api.lateral_movement β 1 vulnerable (cross-tenant access), api.authz_boundaries β 5 partial
Remediation:
- [ ] Enforce tenant isolation at the database query layer (always filter by opco_id)
- [ ] Add authorization middleware that validates resource ownership on every API endpoint
- [ ] Implement row-level security (RLS) in PostgreSQL as defense-in-depth
Evidence attacks: api.lateral_movement, api.authz_boundaries, api.idor
P2 β HIGH (Within 30 days)
5. File Permissions Hardening
Controls: NIST 3.1.5, 3.4.2, PCI 7.2.2
Finding: infrastructure.file_permissions β 4 vulnerable. Overly permissive file/directory permissions.
Status: COMPLETED β 2026-03-07
Remediation:
- [x] Fixed world-writable log file: server_errors.log 666 β 664
- [x] Fixed .env to 640
- [x] Fixed all PHP files to 644 (removed group-write/execute bits)
- [x] Fixed all directories to 755 (removed group-write)
- [x] Fixed /etc/ssl/private to 700
- [x] Fixed config.php and .htaccess files to 640
- [x] Added legitimate SUID binaries to expected list
- [x] Verified: all 4 file_permissions variants now DEFENDED
- [ ] Add a cron check that alerts on permission drift
6. MFA Implementation
Controls: NIST 3.5.3, PCI 8.4.2, HIPAA 164.312.d.2
Finding: compliance.mfa_absence β 3 partial. MFA not enforced.
Remediation:
- [ ] Implement TOTP-based MFA for admin accounts (system-admin, company-admin roles)
- [ ] Enforce MFA on all remote access sessions
- [ ] Add MFA to the login flow with recovery codes
Note: P2 MFA backend was marked complete previously β verify frontend enforcement is active
7. Audit Logging Gaps
Controls: NIST 3.3.1/3.3.4/3.3.5/3.3.7/3.3.8, PCI 10.2.1/10.2.2/10.3.3/10.6.1, HIPAA 164.312.b.1/b.2/b.4
Finding: Multiple logging controls NOT_MET across all 3 frameworks
Remediation:
- [ ] Ensure all API endpoints log: user ID, action, timestamp, success/failure, source IP
- [ ] Configure NTP sync to authoritative time server (pool.ntp.org or time.nist.gov)
- [ ] Implement centralized log shipping (rsyslog β central SIEM or ELK)
- [ ] Protect log files: append-only permissions, separate partition, 6-year retention for HIPAA
- [ ] Add tamper detection (hash chain or signed log entries)
8. Authentication Controls
Controls: NIST 3.1.8/3.5.7, PCI 8.3.4/8.3.5/8.3.6/8.2.2
Finding: compliance.pci_auth_controls β 1 vulnerable, 1 partial
Remediation:
- [ ] Enforce minimum 12-character passwords with complexity requirements
- [ ] Implement 90-day password rotation (or dynamic risk-based access per PCI 4.0)
- [ ] Lockout after 10 failed attempts for minimum 30 minutes
- [ ] Audit and remove any shared/group accounts
- [ ] Enforce password history (prevent reuse of last 4 passwords)
9. Session Management
Controls: NIST 3.1.12, PCI 8.2.8, HIPAA 164.312.a.2.iii
Finding: compliance.hipaa_session_auth β 2 vulnerable. Auto-logoff and session controls.
Remediation:
- [ ] Implement 15-minute idle session timeout (PCI requirement)
- [ ] Add session lock with pattern-hiding display
- [ ] Enforce single-session per user (or at minimum, concurrent session alerting)
- [ ] Implement emergency access procedure for HIPAA compliance
10. Sensitive Path Exposure
Controls: NIST 3.1.22/3.4.2, PCI 2.2.6
Finding: exposure.sensitive_paths β 2 vulnerable. Admin/config paths exposed.
Status: COMPLETED (nginx blocking) β 2026-03-07
Remediation:
- [x] Added security location blocks to eqmon.ecoeyetech.com (previously only on port 8081 vhost): blocks .git, .env, .ht*, composer/package files, vendor/, node_modules/, PHP in uploads
- [x] Validated nginx config and reloaded
- [ ] Return 404 (not 403) for hidden paths to avoid enumeration
- [ ] Move admin interface behind VPN or IP whitelist
11. Email Authentication (SPF/DKIM/DMARC)
Controls: NIST 3.13.8/3.14.6, HIPAA 164.312.e.1
Finding: dns.email_auth β 3 vulnerable. No SPF/DKIM/DMARC records.
Remediation:
- [ ] Add SPF record: v=spf1 include:_spf.google.com ~all (adjust for actual mail providers)
- [ ] Configure DKIM signing on mail server
- [ ] Add DMARC record: v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com
Note: May be expected if this is an IP-only target with no domain-based email
12. CUI Data Flow Control
Controls: NIST 3.1.3
Finding: compliance.cui_data_flow β 1 vulnerable. Uncontrolled CUI flow.
Remediation:
- [ ] Map all CUI data flows and document authorized paths
- [ ] Implement DLP controls on API responses (redact/mask sensitive fields by default)
- [ ] Add data classification headers to API responses
P3 β MEDIUM (Within 90 days)
13. Software Integrity & Supply Chain
Controls: NIST 3.14.1, PCI 6.3.2/6.3.3
Finding: compliance.software_integrity β 1 vulnerable, 3 partial; kernel patching partial
Remediation:
- [ ] Implement SRI tags on all CDN-loaded scripts
- [ ] Enable automated security patching (unattended-upgrades for critical/security)
- [ ] Maintain software component inventory (SBOM)
- [ ] Implement code signing for deployment artifacts
14. Firewall Refinement
Controls: NIST 3.13.1/3.13.5/3.13.6, PCI 1.2.1/1.3.1/1.3.2/1.4.1 Finding: Partially met β mostly defended with 1 partial finding Remediation: - [ ] Review and tighten firewall rules β remove any unnecessary ALLOW rules - [ ] Implement egress filtering (deny-by-default outbound) - [ ] Document all allowed ports/protocols with business justification - [ ] Schedule quarterly firewall rule review
15. IDOR Hardening
Controls: NIST 3.1.1, PCI 7.3.1, HIPAA 164.312.a.1
Finding: api.idor β 5 partial. Object references may be guessable.
Remediation:
- [ ] Replace sequential IDs with UUIDs in API responses
- [ ] Enforce ownership checks on all resource access endpoints
- [ ] Add rate limiting on enumeration-prone endpoints
16. Configuration Hardening
Controls: PCI 2.2.1/2.2.2/2.2.5 Finding: Partially met β some default configs detected Remediation: - [ ] Audit all default credentials and change/disable - [ ] Remove unnecessary services and daemons - [ ] Document baseline configuration for each system component
Already Passing (No Action Needed)
| Area | Controls | Status |
|---|---|---|
| Network segmentation | NIST 3.13.1/5/6, PCI 1.3.x | MET |
| Service minimization | NIST 3.4.6/7, PCI 2.2.5/1.2.5 | MET |
| Anti-malware | NIST 3.14.2/5, PCI 5.2.1/5.3.2 | MET |
| Auth bypass protection | NIST 3.5.2, PCI 8.3.1 | MET |
| CORS policy | NIST 3.1.3 | MET |
| XSS protection | PCI 6.2.4 | MET |
| DNSSEC | NIST 3.13.15 | MET |
| Secret scanning | NIST 3.5.10 | MET |
| Separation of duties | NIST 3.1.4 | MET |
| Data retention | PCI 3.2.1 | MET |