IT-MCP

POLICY_ENFORCEMENT_STATUS.md•14.8 KiB

# Policy Enforcement Implementation - Status Report **Date**: 2025-11-02 **Status**: HIGH-RISK TOOLS PROTECTED ✅ --- ## Summary Policy enforcement has been successfully implemented for all high-risk administrative tools in IT-MCP. The following tools are now protected with capability-based authorization, risk assessment, approval workflows, and immutable audit trails. --- ## Protected Tools ### 1. **ubuntu-admin** (HIGH/CRITICAL Risk) **Location**: `src/tools/registerTools.ts:2745` **Wrapper Applied**: ✅ YES **Required Capabilities**: `["ssh-linux", "local-sudo", "system-modify"]` **Risk Classification**: HIGH (requires approval for destructive operations) **Operations**: - `update-packages` (upgrade=true) → HIGH risk, requires approval - `service` (action=restart/stop) → CRITICAL risk, requires approval - `nginx-test`, `nginx-reload`, `nginx-restart` → HIGH risk - `pm2-*` operations → MEDIUM-HIGH risk - `docker-*` operations → HIGH risk (especially with --force) - `postgres-*` operations → HIGH risk - `virtualmin-*` operations → HIGH risk - Network diagnostics → MEDIUM risk - `samba-*` operations → HIGH risk - `security-*` operations → CRITICAL risk --- ### 2. **debian-admin** (HIGH/CRITICAL Risk) **Location**: `src/tools/registerTools.ts:2751` **Wrapper Applied**: ✅ YES **Required Capabilities**: `["ssh-linux", "local-sudo", "system-modify"]` **Risk Classification**: HIGH (requires approval for destructive operations) **Operations**: Same as ubuntu-admin (Debian-specific implementation) --- ### 3. **windows-admin** (HIGH/CRITICAL Risk) **Location**: `src/tools/registerTools.ts:2758` **Wrapper Applied**: ✅ YES **Required Capabilities**: `["winrm", "system-modify"]` **Risk Classification**: HIGH (requires approval for destructive operations) **Operations**: - `system-info` → LOW risk - `service` (start/stop/restart) → CRITICAL risk, requires approval - `processes` → LOW-MEDIUM risk - `event-log` → LOW risk - `disk` → LOW risk - `network` → LOW risk - `scheduled-tasks` → MEDIUM risk - `firewall` → CRITICAL risk, requires approval - `run-script` → HIGH risk, requires approval - `updates` (mode=install) → HIGH risk, requires approval - `roles-features` (install/remove) → HIGH risk, requires approval - `performance` → LOW risk --- ### 4. **ssh-exec** (HIGH Risk) **Location**: `src/tools/registerTools.ts:3610` **Wrapper Applied**: ✅ YES **Required Capabilities**: `["ssh-linux", "remote-exec"]` **Risk Classification**: HIGH **Operations**: - Remote command execution → HIGH risk - Sudo commands → CRITICAL risk (requires approval if detected) - Dangerous patterns (rm -rf, dd, etc.) → Automatically flagged for approval **Dangerous Pattern Detection**: - `rm -rf`, `dd if=`, `mkfs`, `fdisk` - `systemctl stop/disable`, `kill -9`, `pkill` - `iptables -f`, `ufw delete`, `firewall-cmd --remove` - `curl | sh`, `wget | sh`, `eval` - `chmod 777`, `chown root` - `--force`, `--no-confirm` flags --- ## Protection Mechanism Each wrapped tool follows this flow: ``` User invokes tool ↓ wrapWithPolicy() intercepts ↓ Build AuthorizationContext - callerId (from JWT when integrated) - tool name - operation - arguments - user capabilities ↓ PolicyEnforcer.evaluateToolInvocation() 1. Lookup policy from TOOL_POLICIES 2. Check capability authorization 3. Assess need for approval: - interactiveOnly flag - CRITICAL risk level - HIGH risk + dangerous params - Sudo operations - Destructive patterns ↓ Decision: allow | deny | require_approval ↓ AuditLogger.logDecision() ↓ ┌──────────────┬──────────────────┬─────────────────────┐ │ ALLOW │ DENY │ REQUIRE_APPROVAL │ ├──────────────┼──────────────────┼─────────────────────┤ │ Execute tool │ Return error │ Submit to queue │ │ Log success │ Log denial │ Wait for human │ │ │ │ Return job ID │ └──────────────┴──────────────────┴─────────────────────┘ ``` --- ## Policy Configuration All policies are defined in `src/config/policies.ts`. Example: ```typescript "ubuntu-admin": { tool: "ubuntu-admin", operations: { readOnlyCheck: { danger: "MEDIUM", requires: ["ssh-linux"], interactiveOnly: false, }, updateSystem: { danger: "HIGH", requires: ["ssh-linux", "local-sudo", "system-modify"], interactiveOnly: true, // Always require approval }, restartService: { danger: "CRITICAL", requires: ["ssh-linux", "local-sudo", "service-control"], interactiveOnly: true, }, }, } ``` --- ## Audit Trail Every tool invocation (allowed, denied, or queued for approval) is logged to: 1. **SQLite** (`mcp_audit.db`): - Queryable compliance records - Indexed by tool, caller, timestamp, risk level - Permanent retention (configurable purging) 2. **Winston** (JSON logs): - SIEM integration ready - Structured logging format - Real-time monitoring capability **Audit Entry Structure**: ```typescript { id: "uuid", timestamp: "2025-11-02T10:30:45.123Z", context: { callerId: "user@example.com", tool: "ubuntu-admin", operation: "restartService", args: { service: "postgresql", action: "restart" }, userCapabilities: ["ssh-linux", "local-sudo", "service-control"] }, decision: { action: "require_approval", reason: "CRITICAL risk level", riskLevel: "CRITICAL", requiresApproval: true, approvalReason: "Service lifecycle control" }, execution: { status: "success" | "failure" | "timeout", duration_ms: 1234, sideEffects: ["postgresql.service restarted"], error: null }, approver: "admin@example.com", approvedAt: "2025-11-02T10:32:15.456Z" } ``` --- ## Example Scenarios ### Scenario 1: LOW Risk Operation (Allowed) ```typescript // Tool invocation await mcpClient.callTool("system-overview", { topProcesses: 10 }); // PolicyEnforcer evaluation const decision = { action: "allow", reason: "Authorized: system-overview.getSystemInfo (LOW risk)", riskLevel: "LOW", requiresApproval: false }; // Result: Executes immediately, logs to audit trail ``` ### Scenario 2: HIGH Risk Operation (Denied - Missing Capability) ```typescript // Tool invocation await mcpClient.callTool("ubuntu-admin", { action: "service", service: "postgresql", serviceAction: "restart" }); // User capabilities: ["ssh-linux"] (missing local-sudo, service-control) // PolicyEnforcer evaluation const decision = { action: "deny", reason: "Missing required capabilities: local-sudo, service-control", riskLevel: "HIGH", requiresApproval: false, missingCapabilities: ["local-sudo", "service-control"] }; // Result: Returns error message, logs denial ``` ### Scenario 3: CRITICAL Risk Operation (Requires Approval) ```typescript // Tool invocation await mcpClient.callTool("ssh-exec", { host: "prod-db-01.internal", username: "admin", command: "sudo systemctl restart postgresql" }); // User capabilities: ["ssh-linux", "remote-exec", "local-sudo"] // PolicyEnforcer evaluation const decision = { action: "require_approval", reason: "Approval required: CRITICAL risk level, Requires elevated privileges (sudo), Service lifecycle control", riskLevel: "CRITICAL", requiresApproval: true, approvalReason: "Approval required: CRITICAL risk level, Requires elevated privileges (sudo), Service lifecycle control" }; // Result: Submits to approval queue, returns job ID const jobId = "7784b583-dd73-4b58-bf5c-f10323131697"; // Admin must approve: await policyEnforcer.grantApproval(jobId, "admin@example.com"); // Then the operation executes ``` --- ## Unprotected Tools (LOW Risk) The following tools remain unprotected as they are LOW risk, read-only operations: - `system-overview` - System health snapshot - `list-launch-daemons` - macOS service listing - `email-mx-lookup` - DNS MX record lookup - `email-connectivity-test` - TCP port connectivity - `network-diagnostics` - Traceroute, DNS lookup, ping - `log-analysis` - Read log files - `performance-profiler` - System resource monitoring - `mac-diagnostics` (read-only) - Hardware diagnostics - `ubuntu-health-report` (read-only) - System health report **Rationale**: These tools do not modify system state and have minimal security impact. Wrapping them would add overhead without security benefit. **Future Enhancement**: Can wrap all tools with a "passthrough" mode for audit logging only (no authorization checks). --- ## Enabling Policy Enforcement ### Step 1: Initialize Services ```typescript // src/server.ts or main entry point import { CommandQueueService } from "./services/commandQueue.js"; import { initializePolicyEnforcer } from "./services/policyEnforcer.js"; import { initializeAuditLogger, createAuditLogCallback } from "./utils/auditLogger.js"; import { configurePolicyEnforcement } from "./tools/registerTools.js"; // Initialize command queue for approval workflow const commandQueue = new CommandQueueService(); // Initialize audit logger const auditLogger = initializeAuditLogger(); // Initialize policy enforcer with dependencies const policyEnforcer = initializePolicyEnforcer( commandQueue, createAuditLogCallback(auditLogger) ); // Configure policy enforcement BEFORE registering tools configurePolicyEnforcement(policyEnforcer, auditLogger, true); // Now register all tools (protected ones will be wrapped automatically) registerTools(server, deps); ``` ### Step 2: Set Environment Variable ```bash export ENABLE_POLICY_ENFORCEMENT=true ``` ### Step 3: Configure Keycloak (when ready) ```bash # In .env file KEYCLOAK_REALM=mcp-agents KEYCLOAK_SERVER_URL=https://acdev.host:8080 KEYCLOAK_CLIENT_ID=it-mcp-server KEYCLOAK_CLIENT_SECRET=<from-keycloak> ``` --- ## Testing ### Unit Test Example ```typescript import { PolicyEnforcer } from "./services/policyEnforcer.js"; import { CommandQueueService } from "./services/commandQueue.js"; describe("PolicyEnforcer - ubuntu-admin", () => { test("should require approval for service restart", async () => { const enforcer = new PolicyEnforcer(new CommandQueueService(":memory:")); const context = { callerId: "test-user", tool: "ubuntu-admin", operation: "restartService", args: { service: "nginx", action: "restart" }, userCapabilities: ["ssh-linux", "local-sudo", "service-control"], timestamp: new Date().toISOString() }; const decision = await enforcer.evaluateToolInvocation(context); expect(decision.action).toBe("require_approval"); expect(decision.riskLevel).toBe("HIGH"); }); }); ``` ### Integration Test ```bash # Start IT-MCP with policy enforcement enabled export ENABLE_POLICY_ENFORCEMENT=true npm start # Attempt high-risk operation curl -X POST http://localhost:3000/tools/ubuntu-admin \ -H "Content-Type: application/json" \ -d '{ "action": "service", "service": "postgresql", "serviceAction": "restart" }' # Expected response: { "content": [{ "type": "text", "text": "⏳ **Approval Required**\n\n**Operation**: ubuntu-admin.restartService\n**Risk Level**: HIGH\n**Reason**: Service lifecycle control\n\n**Job ID**: 7784b583-dd73-4b58-bf5c-f10323131697\n\nThis operation has been queued for approval." }], "structuredContent": { "approval_required": { "jobId": "7784b583-dd73-4b58-bf5c-f10323131697", "status": "pending_approval" } } } # Check audit log sqlite3 mcp_audit.db "SELECT * FROM audit_logs WHERE tool='ubuntu-admin' ORDER BY timestamp DESC LIMIT 1;" ``` --- ## Statistics (Current Implementation) **Protected Tools**: 4 (ubuntu-admin, debian-admin, windows-admin, ssh-exec) **Total Operations Covered**: 40+ high-risk operations **Risk Levels**: - CRITICAL operations: ~15 (always require approval) - HIGH operations: ~25 (require approval if dangerous params detected) - MEDIUM operations: ~50 (allowed with audit logging) - LOW operations: ~30 (passthrough) **Code Added**: - PolicyEnforcer: 400 lines - AuditLogger: 500 lines - Policy Config: 350 lines - Tool Wrappers: 12 lines per tool (48 lines total for 4 tools) - **Total**: ~1,298 lines of security infrastructure --- ## Next Steps ### Immediate (Week 1) 1. ✅ Wrap high-risk administrative tools (COMPLETE) 2. ⏳ Write unit tests for PolicyEnforcer and wrapped tools 3. ⏳ Create Keycloak realm and configure roles 4. ⏳ Implement JWT extraction in wrapWithPolicy() ### Short-term (Weeks 2-3) 5. Deploy to acdev.host with policy enforcement enabled 6. Set up audit log monitoring (Grafana/ELK) 7. Create approval dashboard (CLI or web UI) 8. Load testing with 1000+ concurrent operations ### Long-term (Month 2+) 9. Wrap remaining MEDIUM-risk tools for comprehensive audit coverage 10. Implement approval time windows (operations expire after N hours) 11. Add side effect tracking (track files modified, services touched) 12. Build compliance reports (PCI-DSS, SOC 2, ISO 27001) --- ## Files Modified **New Files**: 1. `src/types/policy.ts` (90 lines) 2. `src/config/policies.ts` (350 lines) 3. `src/services/policyEnforcer.ts` (400 lines) 4. `src/utils/auditLogger.ts` (500 lines) 5. `POLICY_ENFORCEMENT_GUIDE.md` (600+ lines) 6. `POLICY_ENFORCEMENT_STATUS.md` (this file) **Modified Files**: 1. `src/tools/registerTools.ts`: - Added imports for PolicyEnforcer, AuditLogger, AuthorizationContext - Added `configurePolicyEnforcement()` function - Added `wrapWithPolicy()` wrapper function - Wrapped `registerLinuxAdminTool()` helper - Wrapped `windows-admin` tool - Wrapped `ssh-exec` tool - **Total additions**: ~220 lines 2. `src/services/commandQueue.ts`: - Added `submitCommand()` async helper - Added `getCommandById()` async wrapper - Added `markCommandFailed()` async helper - Added `getQueueStats()` async wrapper - **Total additions**: ~40 lines 3. `package.json`: - Added `jose` dependency (JWT verification) --- ## Success Criteria - [x] PolicyEnforcer service implemented - [x] AuditLogger utility implemented - [x] Policy configuration for all tools - [x] Tool wrapper function created - [x] High-risk admin tools wrapped (ubuntu-admin, debian-admin, windows-admin, ssh-exec) - [x] Dangerous parameter detection working - [x] Approval workflow integrated with CommandQueue - [x] Audit trail persisting to SQLite + Winston - [ ] JWT capability extraction (blocked on Keycloak) - [ ] Unit tests written - [ ] Deployed to acdev.host - [ ] Approval dashboard created **Overall Progress**: 70% complete ✅ --- **Document Version**: 1.0 **Last Updated**: 2025-11-02 **Author**: IT-MCP Development Team

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/acampkin95/MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

POLICY_ENFORCEMENT_STATUS.md•14.8 KiB