Security Audit Schedule
SPEC_SECURITY_AUDIT_SCHEDULE.md
CGNT-1 Specification — Security Audit Schedule
Status: SPECIFIED
Version: v1.0
Author: VELA (Thread #13)
Conceived by: NOUS (α.13)
Date: 2026-04-20
Born from: 4 security incidents in 5 months, port 8891 auto-restart discovery, unauthorized daemon incidents
PURPOSE
Security incidents on the ship have been reactive — something breaks, we find it, we fix it, we write a protocol. This spec makes security PROACTIVE. Scheduled audits on a fixed cadence so vulnerabilities are found before they're exploited.
AUDIT CADENCE
| Frequency | Audit | Owner | Output |
|---|---|---|---|
| Daily (04:30 ET) | GAPX automated scan | GAPX/CRONX | ~/gap_reports/daily/ |
| Daily (04:30 ET) | Vacuum scan (open ports) | MEDX via "health" | Part of GAPX report |
| Weekly (Sunday 04:00 ET) | Full port + process audit | Lobster | ~/audits/weekly/ |
| Monthly (1st, 04:00 ET) | Credential review + rotation check | Lobster | ~/audits/monthly/ |
| Quarterly (Jan/Apr/Jul/Oct 1st) | Full security review | Captain + Lobster | ~/audits/quarterly/ |
DAILY AUDIT (automated, no human needed)
GAPX runs at 04:30 ET and checks:
- Vacuum scan: `ss -tlnp` → any unexpected listening ports? Compare against whitelist.
- Handshake freshness: any handshake older than 24 hours?
- Backup freshness: last `backup.log` entry within 24 hours?
- Key rotation: any credential past its rotation date?
- Rogue processes: any unknown systemd user services? Any unexpected node/python processes?
- Spec integrity: spec count matches MANIFEST?
- Output: health score 0-100. Written to `~/gap_reports/daily/[date].md`
Port Whitelist (expected listeners)
| Port | Service | Binding | Status |
|---|---|---|---|
| 443 | Caddy (42sisters.ai HTTPS) | 0.0.0.0 | Intentional |
| 9191 | ROUTX | 0.0.0.0 | Intentional |
| 8888 | RAG server | 0.0.0.0 | Intentional |
| 8001 | Heartbeat daemon | 0.0.0.0 | Intentional |
| 8006 | Email Graph API | 0.0.0.0 | Intentional |
| 11434 | Ollama | localhost only | Intentional |
Any port NOT on this list → MEDIUM alert. Any port on 0.0.0.0 NOT on the whitelist → HIGH alert.
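One way to implement the whitelist comparison, as an added example (not GAPX code or anything from the ship's code base). The `ss -tlnp` sample is constructed, the function names are hypothetical, and two assumptions go beyond the rule above: IPv6 and `*` wildcard binds are treated the same as 0.0.0.0, and a localhost-only entry (Ollama) found on all interfaces is raised as HIGH.

```python
import re

# Whitelist from the table above: port -> True when a 0.0.0.0 binding is expected.
WHITELIST = {443: True, 9191: True, 8888: True, 8001: True, 8006: True, 11434: False}
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}  # assumption: all-interface forms ss may print

# Constructed `ss -tlnp` output for illustration, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:443        0.0.0.0:*         users:(("caddy",pid=812,fd=7))
LISTEN 0      4096   *:9191             *:*               users:(("python3",pid=640,fd=5))
LISTEN 0      128    127.0.0.1:11434    0.0.0.0:*         users:(("ollama",pid=901,fd=3))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=700,fd=6))
LISTEN 0      511    [::]:8891          [::]:*            users:(("node",pid=4411,fd=19))
"""

def parse_listeners(ss_output):
    """Yield (address, port, process) for every LISTEN row of `ss -tlnp`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        proc = re.search(r'\(\("([^"]+)"', line)  # absent when ss lacks privileges
        yield addr, int(port), proc.group(1) if proc else "unknown"

def audit_ports(ss_output, whitelist=WHITELIST):
    """Return sorted (severity, port, address, process, reason) findings."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        exposed = addr in WILDCARD
        if port not in whitelist:
            severity = "HIGH" if exposed else "MEDIUM"
            findings.append((severity, port, addr, proc, "port not on whitelist"))
        elif exposed and not whitelist[port]:
            # Assumption: a localhost-only entry bound to all interfaces is HIGH.
            findings.append(("HIGH", port, addr, proc, "expected localhost only"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_SS):
        print(*finding, sep=" | ")
```

Run without root, `ss -p` omits the process column for sockets owned by other users, so those rows are reported with process "unknown" rather than skipped.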
WEEKLY AUDIT (Lobster runs, Captain reviews Monday)
Every Sunday at 04:00 ET:
1. Full port scan
ss -tlnp # compare to whitelist above — any new listeners since last week?
2. Process audit
ps aux --sort=-%mem | head -20 # unexpected processes?
systemctl --user list-units --type=service # unknown services?
3. File permission check
ls -la ~/.env ~/gcs-service-account.json ~/.google_token.json
# All must be chmod 600. Any change → HIGH alert.
4. UFW status
sudo ufw status verbose # rules match expected config? Any deny rules removed?
5. Login audit
last -20 # unexpected SSH sessions?
grep "Failed password" /var/log/auth.log | tail -20 # brute force attempts?
6. Disk usage
df -h # any filesystem above 85%?
Output: ~/audits/weekly/[date].md — Captain reviews Monday as part of CAPTAIN_BRIEF.
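Steps 3 and 5 of the weekly audit in a form that yields a finding instead of output to eyeball, as an added example (not part of the ship's tooling). The function names and the auth.log lines are constructed for illustration; the 600 mode and the >100 threshold come from this spec.

```python
import os
import re
import stat
from collections import Counter

# Matches sshd "Failed password" lines, including the "invalid user" variant.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")

# Constructed auth.log lines using documentation-range IPs, not real log data.
SAMPLE_AUTH = """\
Apr 19 03:12:01 ship sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2
Apr 19 03:12:04 ship sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Apr 19 03:15:40 ship sshd[2290]: Accepted publickey for lobster from 198.51.100.4 port 41000 ssh2
Apr 19 04:01:09 ship sshd[2302]: Failed password for invalid user test from 192.0.2.55 port 33210 ssh2
"""

def failed_logins(log_text, threshold=100):
    """Return (severity, total, per-IP counts); MEDIUM when total exceeds threshold."""
    per_ip = Counter(m.group(1) for m in FAILED_RE.finditer(log_text))
    total = sum(per_ip.values())
    severity = "MEDIUM" if total > threshold else None
    return severity, total, per_ip.most_common()

def check_modes(paths, required=0o600):
    """Return (path, problem) for every file whose mode is not exactly `required`."""
    problems = []
    for path in paths:
        full = os.path.expanduser(path)
        try:
            mode = stat.S_IMODE(os.stat(full).st_mode)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if mode != required:
            problems.append((path, f"mode {mode:03o}, expected {required:03o}"))
    return problems

if __name__ == "__main__":
    print(failed_logins(SAMPLE_AUTH))
    # File list from step 3 of the weekly audit.
    print(check_modes(["~/.env", "~/gcs-service-account.json", "~/.google_token.json"]))
```

Unlike `tail -20`, the counter reads the whole log text it is given, which is what the >100 threshold in the severity table needs.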
MONTHLY AUDIT (Lobster runs, Captain reviews)
First of every month at 04:00 ET — everything from weekly audit PLUS:
2. Credential rotation check
cat ~/key_rotation.log # compare dates against SPEC_KEY_ROTATION schedule
# Any credential overdue? → HIGH alert
3. Dependencies check
pip list --outdated 2>/dev/null | head -20
npm outdated 2>/dev/null
# Any known vulnerabilities in installed packages?
4. Backup restore test
- Pick one random spec from GCS backup
- Download it. Compare to local copy. Must be identical.
- If different → CRITICAL alert (backup integrity compromised)
5. Sisters shell filter review
- Review `sisters_gemini_api.py` whitelist
- Any commands that should be added or removed?
- Have the Sisters attempted any blocked commands? Check logs.
6. HACKX honeypot review (when implemented)
- Any probes detected? What patterns? New attack vectors?
Output: ~/audits/monthly/[month].md
QUARTERLY AUDIT (Captain + Lobster, comprehensive)
January 1, April 1, July 1, October 1 — everything from monthly audit PLUS:
2. Full incident review
ls ~/incidents/ # review all incidents this quarter
# Patterns? Recurring root causes? Systemic issues?
3. Spec audit against reality
python3 ~/routx_engine.py "spec audit"
# Any drift between specs and implementation?
4. Agency Walls review
- Are PERMITTED/APPROVAL/NEVER tiers still correct?
- Any actions that should move between tiers?
- Have the Sisters hit any Agency Wall violations?
5. Governance review
- Review Sister protocols (Grey Rock, Sentinel, Social, Feminine)
- Any incidents that tested them? Did they hold?
6. External surface review
- Check 42sisters.ai: SSL valid? DNS correct? Content current?
- Check all public-facing endpoints
- Run a basic vulnerability scan from outside the network
7. Threat model update
- What new threats exist that didn't exist last quarter?
- New AI attack vectors? New social engineering patterns?
- Does HACKX need new knowledge domains?
Output: ~/audits/quarterly/[quarter].md — Captain and Lobster review together. Decisions logged.
ALERT SEVERITY FROM AUDITS
| Finding | Severity | Action |
|---|---|---|
| Unknown port listening on 0.0.0.0 | HIGH | Investigate immediately. Kill if unauthorized. |
| Unknown systemd user service | HIGH | Investigate. Disable if unauthorized. |
| Credential past rotation date | MEDIUM | Schedule rotation within 48 hours. |
| File permission wrong on ~/.env | HIGH | Fix immediately: chmod 600 |
| Backup older than 48 hours | HIGH | Run backup manually. Fix CRONX job. |
| Failed SSH login attempts >100 | MEDIUM | Review IPs. Consider fail2ban. |
| Disk usage >85% | MEDIUM | Clean logs, old models, temp files. |
| Backup restore mismatch | CRITICAL | Backup integrity compromised. Full re-sync. |
| Spec drift from implementation | LOW | Update spec or fix implementation. |
AUTOMATION PATH
- Phase 1 (now): daily GAPX scan automated. Weekly/monthly/quarterly are Lobster-driven with manual review.
- Phase 2 (when GAPX module is coded): weekly audit automated. Lobster reviews output.
- Phase 3 (mature): monthly audit automated except backup restore test and dependency review. Quarterly always has human review — security decisions need Captain.
INVARIANTS
INV-01: Daily scans are automated and run without human intervention. If the daily scan stops running, that IS the security incident.
INV-02: Weekly audits happen every Sunday. Skipping a week requires Captain approval and is logged.
INV-03: Monthly credential rotation checks are non-negotiable. Overdue credentials are HIGH alerts.
INV-04: Quarterly reviews always involve the Captain. Security posture decisions are not delegated.
INV-05: The port whitelist is the source of truth. Any port not on the list is suspicious until proven otherwise.
INV-06: Audit outputs are stored in ~/audits/ and never deleted. They're the security timeline.
INV-07: Findings from audits generate incident postmortems (SPEC_INCIDENT_POSTMORTEM.md) if severity is HIGH or above.
INV-08: The audit schedule itself is audited quarterly — is the cadence right? Adjust based on incident rate.
INTEGRATION
| System | Relationship |
|---|---|
| SPEC_INCIDENT_POSTMORTEM.md | HIGH/CRITICAL findings from audits trigger postmortems. INV-07. |
| SPEC_KEY_ROTATION.md | Monthly audit includes credential rotation check. Overdue = HIGH. |
| SPEC_BACKUP_RECOVERY.md | Monthly audit includes backup restore test. Mismatch = CRITICAL. |
| GAPX | Daily scan is the GAPX security layer. Port whitelist lives in this spec; GAPX enforces it. |
| SPEC_CRONX_JOB_REGISTRY.md | Weekly/monthly audits are Lobster-run; need CRONX entries when automated. |
| HACKX | Quarterly threat model update feeds new patterns to HACKX detection corpus. |
Jeremy Zlabis
Chronogeometer · Visionary · Disruptor · Chief
42 Sisters AI · East York, Toronto
🍁 Φ 0.042