Commit

[pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
pre-commit-ci[bot] committed Oct 10, 2023
1 parent 27be555 commit c8814bd
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions practice-areas/engineering/security-compliance.md
Expand Up @@ -66,6 +66,7 @@ When creating test or exploratory accounts on staging or production systems, we,
Privileged access to applications, websites, source code, and servers (SSH/shell, file system, database) carries a high-level of responsibility and trust. We are familiar with and follow best practices and processes, engaging our professional development and developing our skills.

Privileged account holders (Drupal, Moodle, Ilias, GNU/Linux SSH, etc.) must:

- Respect the privacy of site users, avoiding accessing personal data such as private messages
- Employ [Multi-Factor Authentication (MFA)](../common-practices-tools/security/#use-multi-factor-authentication-mfa) to ensure access is granted only to authorized personnel.

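Review bot: the two bullets under "Privileged account holders (Drupal, Moodle, Ilias, GNU/Linux SSH, etc.) must:" are punctuated inconsistently (the privacy bullet has no terminal period, the MFA bullet does), and the privacy bullet leaves its scope open: "avoiding accessing personal data such as private messages" reads as a preference rather than a rule for a list headed "must". Suggest "Respect the privacy of site users: do not access personal data such as private messages unless the task requires it." and a terminal period on both bullets. In the paragraph above, "a high-level of responsibility" should be "a high level of responsibility" (no hyphen when "high level" is not used as a compound adjective).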
Expand All @@ -82,6 +83,7 @@ SSH public/private key pairs are used to access CivicActions and client servers
### IT Team specifics

IT team system administrators working on CivicActions servers must also:

- Take the utmost caution when working on server configuration - document and test each change.
- Non-urgent yet risky changes (those with significant risk of introducing undesired side-effects) should only be made when the person expects to remain online and available for at leat two hours after the change.
- Minimize the use of root or other group accounts
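Review bot: typo in the second bullet, "at leat two hours" should read "at least two hours". The list completes the sentence "IT team system administrators working on CivicActions servers must also:", but the second bullet is declarative ("Non-urgent yet risky changes ... should only be made ...") while the first and third are imperative; suggest "Make non-urgent yet risky changes (those with significant risk of introducing undesired side-effects) only when you expect to remain online and available for at least two hours afterwards." The third bullet, "Minimize the use of root or other group accounts", is also missing the terminal period the first two bullets have.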
Expand All @@ -91,18 +93,21 @@ IT team system administrators working on CivicActions servers must also:
### Sharing Service Accounts

Group accounts with shared passwords should be avoided.

- If a required service only allows a single account, LastPass password sharing or encrypted credential files can be used to share a password to a limited number of users on an "as needed" basis.
- Shared account passwords should rotate to ensure that only those users needing access continue to have access, revoking individual accounts particularly when people offboard from the project or company.

### External Developers

Ensure that external developers (client or 3rd party) working on the site codebase are either:

- A full part of our developer team, such that they been assessed/trained to have the appropriate skills and are subject to CivicActions code review, or
- the client confirms understanding that we have neither assessed their skills nor are we reviewing their code.

## Continuous Monitoring

We use tools to support continuous monitoring for performance and efficiency, and to ensure proper operation and security. These tools include (not an exhaustive list):

- Event and error log capture: auditd (SELinux), fail2ban and AIDE.
- Continuous monitoring dashboards: Cloudwatch, StatusCake, OpsGenie, Splunk and New Relic.
- Automated security scanning: OpenSCAP, OWASP ZAP, and Trivy.
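Review bot: the External Developers list does not parse as written. The lead sentence is "Ensure that external developers ... are either:", and the second bullet, "the client confirms understanding that we have neither assessed their skills nor are we reviewing their code.", is a full clause rather than a predicate of "are"; the first bullet is also missing "have" ("such that they been assessed/trained" should be "such that they have been assessed/trained"). Suggest making the bullets parallel, e.g. "- a full part of our developer team, assessed/trained to have the appropriate skills and subject to CivicActions code review, or" / "- working under a client confirmation that we have neither assessed their skills nor are reviewing their code." Two smaller points in the same hunk: "Shared account passwords should rotate" is better as "should be rotated", and the product name in the monitoring list is "CloudWatch", not "Cloudwatch".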