
[LOW][All Projects] Add Audit Logging for Security-Critical Operations #51

@filthyrake

Description


None of the MCP servers implement audit logging for security-critical operations like power management, VM deletion, firewall rule changes, etc.

Security-Critical Operations Needing Audit Logs

pfSense MCP

  • Creating/modifying/deleting firewall rules
  • Changing system configuration
  • User authentication attempts
  • API key usage

TrueNAS MCP

  • Dataset creation/deletion
  • Snapshot operations
  • User permission changes
  • Storage configuration changes

iDRAC MCP

  • Power on/off operations
  • Force power off (especially critical)
  • Configuration changes
  • Multi-server operations

Proxmox MCP

  • VM creation/deletion
  • Snapshot operations
  • Power state changes
  • Container operations

Impact

  • Severity: LOW
  • No audit trail for security investigations
  • Cannot track who performed what operation
  • Compliance issues (SOC 2, ISO 27001, HIPAA)
  • Difficult to troubleshoot security incidents

Recommendation

1. Structured Audit Logging

```python
import structlog
from datetime import datetime, timezone
from typing import Optional

audit_logger = structlog.get_logger("audit")


def log_audit_event(
    event_type: str,
    resource: str,
    action: str,
    user: str,
    success: bool,
    details: Optional[dict] = None,
) -> None:
    """Emit one structured audit record; details carries operation-specific context."""
    audit_logger.info(
        "audit_event",
        # Timezone-aware UTC timestamp (datetime.utcnow() is deprecated)
        timestamp=datetime.now(timezone.utc).isoformat(),
        event_type=event_type,
        resource=resource,
        action=action,
        user=user,
        success=success,
        details=details or {},
    )
```

2. Audit Log Format

```json
{
  "timestamp": "2024-01-15T10:30:45.123Z",
  "event_type": "power_management",
  "resource": "idrac_server_1",
  "action": "force_power_off",
  "user": "admin@mcp",
  "success": true,
  "details": {
    "server_id": "server_1",
    "reason": "maintenance",
    "source_ip": "10.0.1.50"
  }
}
```

3. Audit Log Destinations

  • File: Append-only audit log file
  • Syslog: Send to central syslog server
  • SIEM: Integration with Splunk, ELK, etc.
  • Database: Store in separate audit database

4. Implementation Pattern

```python
from functools import wraps


def audit_operation(operation_type: str):
    """Decorate an async MCP operation so every call, successful or failed, is audited."""
    def decorator(func):
        @wraps(func)
        async def wrapper(*args, **kwargs):
            # user and resource are only captured when passed as keyword arguments;
            # fall back to server_id so operations such as force_power_off are attributed
            user = kwargs.get('user', 'unknown')
            resource = kwargs.get('resource') or kwargs.get('server_id', 'unknown')

            try:
                result = await func(*args, **kwargs)
                log_audit_event(
                    event_type=operation_type,
                    resource=resource,
                    action=func.__name__,
                    user=user,
                    success=True
                )
                return result
            except Exception as e:
                # Record the failure before re-raising so failed attempts are also audited
                log_audit_event(
                    event_type=operation_type,
                    resource=resource,
                    action=func.__name__,
                    user=user,
                    success=False,
                    details={"error": str(e)}
                )
                raise
        return wrapper
    return decorator


# Usage
@audit_operation("power_management")
async def force_power_off(server_id: str, user: str):
    # Implementation
    pass
```
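The append-only file destination from section 3 is only useful for investigations if tampering with past records is detectable. As an added example (not code from the issue or from the MCP servers), this writes records in the section 2 schema as JSON lines, chaining each record to the previous one by hash, and verifies the chain; the `prev_hash`/`hash` fields and the all-zero genesis value are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash for the first record in a file


def _record_hash(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_audit_event(path: Path, event_type: str, resource: str, action: str,
                       user: str, success: bool, details: Optional[dict] = None) -> dict:
    """Append one record in the issue's audit schema, chained to the previous record."""
    prev_hash = GENESIS
    if path.exists():
        lines = path.read_text().splitlines()
        if lines:
            prev_hash = json.loads(lines[-1])["hash"]
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event_type": event_type,
        "resource": resource,
        "action": action,
        "user": user,
        "success": success,
        "details": details or {},
        "prev_hash": prev_hash,
    }
    record["hash"] = _record_hash(record)  # hash covers everything except itself
    with path.open("a") as fh:  # append mode only; the file is never truncated or rewritten
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_audit_log(path: Path) -> Optional[int]:
    """Return None if the chain is intact, else the 0-based index of the first bad record."""
    prev_hash = GENESIS
    for index, line in enumerate(path.read_text().splitlines()):
        record = json.loads(line)
        stored = record.pop("hash", None)
        # A modified, removed or reordered record breaks either its own hash or the link
        if record.get("prev_hash") != prev_hash or _record_hash(record) != stored:
            return index
        prev_hash = stored
    return None
```

Run `verify_audit_log` from a separate host or job that only has read access to the file, since a process that can append can also rewrite the chain from the point of tampering onward.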

Configuration

config.json:

```json
{
  "audit": {
    "enabled": true,
    "log_file": "/var/log/mcp/audit.log",
    "syslog_server": "syslog.example.com:514",
    "log_level": "INFO",
    "retention_days": 90
  }
}
```

Compliance Benefits

  • SOC 2: Demonstrates access controls and monitoring
  • ISO 27001: Audit trail for security events
  • HIPAA: Required for healthcare data systems
  • PCI DSS: Required for payment systems
  • GDPR: Track data access and modifications

Tasks

  • Design audit log schema
  • Implement audit logging framework
  • Add audit decorators to critical operations
  • Configure syslog integration
  • Add log rotation and retention policies
  • Document audit log format
  • Create audit log parsing/analysis tools
  • Test audit logging in all scenarios

Labels

  • category: security (Security-related issue)
  • enhancement (New feature or request)
  • idrac-mcp (Issues specific to iDRAC MCP server)
  • pfsense-mcp (Issues specific to pfSense MCP server)
  • proxmox-mcp (Issues specific to Proxmox MCP server)
  • severity: low (Low priority issue)
  • truenas-mcp (Issues specific to TrueNAS MCP server)