bluefly/secure_drupal

Enterprise security baseline extending security_review, key, encrypt, and compliance modules with FedRAMP, PCI, HIPAA, SOC2 automation and AI-powered security monitoring.

0.1.2 2025-07-11 19:21 UTC

Last update: 2025-07-11 23:00:17 UTC


README

Enterprise security baseline with comprehensive security modules, encryption, compliance tools, and audit logging for government and healthcare requirements.

Features

🔒 Enterprise Security Controls

  • AES-256-GCM field-level encryption
  • Multi-factor authentication (TOTP, recovery codes)
  • Advanced password policies (16+ chars, complexity)
  • Session management with auto-logout
  • Username enumeration prevention

🛡️ Comprehensive Protection

  • Content Security Policy (CSP) implementation
  • HTTP Strict Transport Security (HSTS)
  • Anti-bot and honeypot protection
  • CAPTCHA integration
  • Security headers enforcement

📋 Multi-Framework Compliance

  • FedRAMP Moderate: Federal cloud compliance
  • HIPAA/HITECH: Healthcare data protection
  • PCI DSS Level 1: Payment card security
  • SOC 2 Type II: Service organization controls
  • GDPR: European data privacy
  • ISO 27001: Information security management

🔍 Audit & Monitoring

  • Comprehensive audit logging
  • Real-time security monitoring
  • Automated compliance reporting
  • Security review automation
  • Admin activity tracking

⚙️ Advanced Configuration

  • Service discovery and failover
  • Alternative service providers
  • Performance optimization
  • API security with OAuth2
  • Encrypted key management

Requirements

  • Drupal: 10.3+ or 11.0+
  • PHP: 8.1+
  • Composer: 2.0+
  • Database: MySQL 8.0+ / PostgreSQL 13+ / MariaDB 10.6+

Recommended Infrastructure

  • Redis: For secure session storage and caching
  • Solr: For secure search indexing
  • SSL Certificate: For HTTPS enforcement
  • WAF: Web Application Firewall (recommended)

Installation

Method 1: Using the Recipe (Recommended)

# Install the recipe and its dependencies
composer require bluefly/secure_drupal_recipe

# Apply the recipe to your Drupal site
php core/scripts/drupal recipe path/to/secure_drupal

Method 2: With Security Configuration

# Install with specific compliance framework
php core/scripts/drupal recipe path/to/secure_drupal \
  --security_level="maximum" \
  --compliance_framework="fedramp" \
  --admin_email="security@mycompany.com"

Method 3: Development Installation

# Clone the repository
git clone https://github.com/bluefly/secure-drupal-recipe.git

# Install dependencies
cd secure-drupal-recipe
composer install

# Apply the recipe
php core/scripts/drupal recipe .

Post-Installation Setup

1. Security Configuration Review

Critical First Steps:

  1. Review Security Settings: /admin/config/security
  2. Configure Encryption: /admin/config/system/encrypt
  3. Set Up Key Management: /admin/config/system/keys
  4. Run Security Review: /admin/reports/security-review

2. Compliance Framework Selection

Navigate to /admin/config/security/compliance to:

  • Select primary compliance framework
  • Configure framework-specific settings
  • Enable required audit logging
  • Set up compliance reporting

3. User Access Management

  1. Enable Two-Factor Authentication:

    • Visit /admin/config/people/tfa
    • Configure TOTP providers
    • Set required roles for 2FA
  2. Configure Password Policies:

    • Navigate to /admin/config/security/password-policy
    • Review 16-character minimum requirement
    • Enable complexity and history constraints
  3. Session Security:

    • Configure auto-logout timeouts
    • Set maximum session duration
    • Enable admin session enforcement

4. API Security Setup

  1. OAuth2 Configuration:

    • Navigate to /admin/config/services/consumer
    • Create API consumers
    • Configure token expiration
  2. Key Management:

    • Add encryption keys
    • Configure key rotation
    • Set up backup procedures

Configuration

Input Variables

The recipe accepts these security-focused input variables:

Variable              Type    Default           Description
security_level        string  "high"            Security level (standard, high, maximum)
compliance_framework  string  "fedramp"         Primary compliance framework
admin_email           email   system.site.mail  Security administrator email

Security Modules Included

Core Security:

  • key: Secure key management
  • encrypt: Field-level encryption
  • password_policy: Advanced password requirements
  • tfa: Two-factor authentication
  • seckit: Security headers and CSP

Access Control:

  • autologout: Automatic session termination
  • username_enumeration_prevention: User enumeration protection
  • masquerade: Secure user impersonation

Content Protection:

  • captcha: CAPTCHA integration
  • honeypot: Bot detection and blocking
  • antibot: Advanced bot protection
  • security_review: Automated security scanning

Compliance & Audit:

  • gov_compliance: Government compliance framework
  • admin_audit_trail: Administrative action logging
  • gdpr_compliance: GDPR privacy compliance

Compliance Frameworks

FedRAMP (Federal Risk and Authorization Management Program)

Implemented Controls:

  • 325+ security controls from NIST 800-53
  • Continuous monitoring requirements
  • Incident response procedures
  • Risk assessment automation

Configuration:

compliance_framework: 'fedramp'
security_level: 'high'
controls:
  access_control: true
  audit_accountability: true
  system_communications: true
  identification_authentication: true

HIPAA/HITECH (Healthcare)

Safeguards Implemented:

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Breach notification procedures

PHI Protection:

  • Field-level encryption for sensitive data
  • Access logging for all PHI access
  • Automatic session timeouts
  • Audit trail requirements

PCI DSS (Payment Card Industry)

Requirements Covered:

  • Secure network architecture
  • Cardholder data protection
  • Vulnerability management
  • Strong access controls
  • Network monitoring
  • Information security policy

SOC 2 (Service Organization Control)

Trust Principles:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

GDPR (General Data Protection Regulation)

Privacy Controls:

  • Data subject rights management
  • Consent tracking and management
  • Data breach notification
  • Privacy by design implementation

Security Architecture

Defense in Depth Strategy

Layer 1: Network Security

  • HTTPS enforcement with HSTS
  • Content Security Policy (CSP)
  • Referrer policy controls
  • Feature policy restrictions
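A quick way to confirm that the Layer 1 headers listed above actually reach the browser is to inspect a response head. The script below is an added example, not part of the bluefly/secure_drupal recipe: it takes a header block (as produced by `curl -sI` against a placeholder host), checks for HSTS, CSP, Referrer-Policy and Permissions-Policy, flags an HSTS policy with a short max-age or no includeSubDomains, and uses two constructed sample responses so it runs offline.

```shell
# Added example, not part of the bluefly/secure_drupal recipe: check that a
# response carries the Layer 1 headers the recipe enforces (HSTS, CSP,
# Referrer-Policy, Permissions-Policy) and that HSTS is not trivially weak.
# Feed it `curl -sI https://<your-site>/` output (placeholder host); the two
# header blocks below are constructed samples so the script runs offline.

GOOD_HEADERS="HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), geolocation=()
content-type: text/html; charset=UTF-8"
WEAK_HEADERS="HTTP/1.1 200 OK
strict-transport-security: max-age=300
content-type: text/html; charset=UTF-8"

# Print the value of header $1 from the block on stdin (name matched
# case-insensitively, CRLF tolerated); prints nothing if absent.
header_value() {
  tr -d '\r' | awk -v name="$1" -F': *' \
    'tolower($1) == tolower(name) { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Read a header block from stdin, print one line per finding and return the
# number of findings (0 means every Layer 1 control is present).
check_headers() {
  hdrs=$(cat); failures=0
  hsts=$(printf '%s\n' "$hdrs" | header_value strict-transport-security)
  if [ -z "$hsts" ]; then
    echo "MISSING strict-transport-security"; failures=$((failures + 1))
  else
    max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ "${max_age:-0}" -lt 31536000 ]; then  # below the usual one-year floor
      echo "WEAK strict-transport-security: max-age=${max_age:-absent}"
      failures=$((failures + 1))
    fi
    case "$hsts" in *includeSubDomains*) ;; *)
      echo "WEAK strict-transport-security: no includeSubDomains"
      failures=$((failures + 1)) ;; esac
  fi
  for name in content-security-policy referrer-policy permissions-policy; do
    if [ -z "$(printf '%s\n' "$hdrs" | header_value "$name")" ]; then
      echo "MISSING $name"; failures=$((failures + 1))
    fi
  done
  return "$failures"
}

printf '%s\n' "$GOOD_HEADERS" | check_headers && echo "hardened sample: OK"
printf '%s\n' "$WEAK_HEADERS" | check_headers || echo "weak sample: $? findings"
```

Run it against a real site with `curl -sI https://<your-site>/ | check_headers` after sourcing the file; a non-zero exit status means at least one Layer 1 control is missing or weak.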

Layer 2: Application Security

  • Input validation and sanitization
  • Output encoding
  • CSRF protection
  • XSS prevention

Layer 3: Data Security

  • Field-level encryption (AES-256-GCM)
  • Secure key management
  • Data retention policies
  • Secure deletion procedures

Layer 4: Access Security

  • Multi-factor authentication
  • Role-based access control
  • Session management
  • Password policy enforcement

Layer 5: Monitoring & Response

  • Real-time security monitoring
  • Audit logging
  • Incident response automation
  • Compliance reporting

Encryption Implementation

Data at Rest:

  • Database field encryption
  • File system encryption support
  • Key rotation capabilities
  • Backup encryption

Data in Transit:

  • TLS 1.3 enforcement
  • Certificate validation
  • Perfect forward secrecy
  • HSTS implementation

Key Management:

  • Hardware Security Module (HSM) support
  • Key derivation functions
  • Secure key storage
  • Automated key rotation

Monitoring & Compliance

Security Dashboard

Visit /admin/reports/security-dashboard for:

  • Real-time threat monitoring
  • Compliance status overview
  • Security metrics and KPIs
  • Incident response tracking

Audit Logging

Logged Events:

  • User authentication attempts
  • Administrative actions
  • Data access events
  • Configuration changes
  • Security policy violations

Log Retention:

  • Critical events: 7 years
  • Administrative actions: 3 years
  • Access logs: 1 year
  • Debug logs: 30 days

Compliance Reporting

Automated Reports:

  • Weekly security posture reports
  • Monthly compliance assessments
  • Quarterly risk assessments
  • Annual certification reports

Export Formats:

  • PDF compliance reports
  • CSV audit data
  • JSON security metrics
  • XML configuration exports

API Security

OAuth2 Implementation

Grant Types Supported:

  • Authorization Code
  • Client Credentials
  • Refresh Token

Security Features:

  • Token rotation
  • Scope restrictions
  • Rate limiting
  • Request signing

API Endpoints Security

Authentication Required:

  • Bearer token validation
  • Scope verification
  • Rate limit enforcement
  • IP restriction support

Performance Optimization

Security-Optimized Caching

Redis Integration:

  • Secure session storage
  • Encrypted cache data
  • TTL-based expiration
  • Cluster support

Performance Features:

  • CSS/JS aggregation and compression
  • Image optimization
  • Database query optimization
  • CDN integration support

Troubleshooting

Common Security Issues

Two-Factor Authentication Setup

# Check TFA module status
drush pm:list | grep tfa

# Reset user TFA settings
drush tfa:user-disable username

# Generate backup codes
drush tfa:user-backup-codes username

Encryption Key Issues

# Check key configuration
drush config:get key.key.encryption_key

# Regenerate encryption keys
drush key:generate encryption_key

# Test encryption/decryption
drush encrypt:test

Session Problems

# Clear all sessions
drush sql:query "TRUNCATE sessions"

# Check session configuration
drush config:get system.session

# Verify Redis connection
redis-cli ping

Security Alerts

High Priority Issues:

  • Failed encryption key validation
  • Multiple failed authentication attempts
  • Unusual administrative activity
  • Potential data exfiltration

Response Procedures:

  1. Immediate incident isolation
  2. Evidence preservation
  3. Stakeholder notification
  4. Remediation implementation
  5. Post-incident review

Development & Testing

Security Testing

Automated Scans:

# Run security review
drush security:review

# Check for vulnerabilities
composer audit

# Validate encryption
drush encrypt:validate

Manual Testing:

  • Penetration testing procedures
  • Vulnerability assessment
  • Compliance validation
  • Performance testing

Development Guidelines

Secure Coding Practices:

  • Input validation requirements
  • Output encoding standards
  • Error handling procedures
  • Logging requirements

Code Review Checklist:

  • Security control implementation
  • Compliance requirement coverage
  • Performance impact assessment
  • Documentation completeness

Support & Maintenance

Security Updates

Update Schedule:

  • Critical patches: Within 24 hours
  • High priority: Within 1 week
  • Medium priority: Within 1 month
  • Low priority: Next maintenance window

Update Process:

  1. Security advisory review
  2. Risk assessment
  3. Testing in staging environment
  4. Production deployment
  5. Validation and monitoring

Professional Support

License

GPL-2.0-or-later - see LICENSE file.

Changelog

Version 1.0.0 (2025-01-09)

  • Initial release with Drupal 11 support
  • Multi-framework compliance implementation
  • Advanced encryption and key management
  • Comprehensive audit logging
  • Real-time security monitoring
  • Automated compliance reporting

🔒 Built for enterprise security and compliance