# Security Policy
## Overview
WireMCP Secure v2.0.0 was built with security as the top priority. This document outlines our security practices, how to report vulnerabilities, and security considerations for deployment.
## Security Features
### ✅ Implemented Security Controls
1. **No Command Injection**
- Uses `spawn()` with array arguments (no shell interpretation)
- All user input is validated before use
- No string interpolation in command execution
2. **Path Traversal Protection**
- Whitelist-based directory access
- Path resolution and validation
- No `..` sequences allowed
- File extension validation
3. **Input Validation**
- Zod schema validation for all inputs
- Network interface validation against system interfaces
- IP address format and range validation
- Duration and size limits enforced
4. **Rate Limiting**
- Per-client request limits
- Configurable time windows
- Concurrent operation limits
- Automatic cleanup of expired entries
5. **Resource Protection**
- Maximum capture duration (60s default)
- Maximum file size (100MB default)
- Maximum output size (1MB default)
- Concurrent capture limits (3 default)
- Memory exhaustion protection
6. **Audit Logging**
- All operations logged
- Security events tracked
- JSON format for easy parsing
- Includes user, timestamp, and details
7. **Data Protection**
- Automatic sensitive data sanitization
- Configurable privacy controls
- Secure temporary file handling
- Automatic cleanup of old files
8. **Network Security**
- TLS certificate validation
- Request timeouts
- Response size limits
- Cached threat intelligence
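
How controls 1 and 2 fit together in Node.js, as an added example that is not WireMCP's own code. The function names and the extension list are hypothetical; the directory is the one this page later uses for `ALLOWED_PCAP_DIRS`.

```javascript
const path = require('node:path');
const { spawn } = require('node:child_process');

// Assumed values: directory as in ALLOWED_PCAP_DIRS, extension list illustrative.
const ALLOWED_DIRS = ['/var/wiremcp/pcaps'];
const ALLOWED_EXTS = new Set(['.pcap', '.pcapng']);

// Return the normalised absolute path if the request stays inside an allowed
// directory; throw otherwise. A deployment should also compare
// fs.realpathSync() output, since a symlink inside the directory can point out.
function validatePcapPath(userPath) {
  if (typeof userPath !== 'string' || userPath === '' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  // Reject ".." segments before normalisation can hide them.
  if (userPath.split(/[\\/]/).includes('..')) {
    throw new Error('".." not allowed');
  }
  // Relative names are resolved against the first allowed directory.
  const resolved = path.posix.resolve(ALLOWED_DIRS[0], userPath);
  // Compare with a trailing separator so "/var/wiremcp/pcaps-old" does not
  // pass as a prefix match of "/var/wiremcp/pcaps".
  const inside = ALLOWED_DIRS.some((dir) => resolved.startsWith(dir + '/'));
  if (!inside) throw new Error('outside allowed directories');
  if (!ALLOWED_EXTS.has(path.posix.extname(resolved).toLowerCase())) {
    throw new Error('extension not allowed');
  }
  return resolved;
}

// Build the argv array for tshark (-r reads a capture file). Each element
// reaches the process as one argument, so spaces or ";" in a file name are
// never interpreted, and the absolute path cannot be mistaken for an option.
function buildTsharkArgs(userPath) {
  return ['-r', validatePcapPath(userPath)];
}

// Not called here; shown to make the no-shell invocation explicit.
function readCapture(userPath) {
  return spawn('tshark', buildTsharkArgs(userPath), { shell: false });
}

// Helper for callers that want a boolean instead of an exception.
function isRejected(userPath) {
  try { validatePcapPath(userPath); return false; } catch { return true; }
}
```
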
## Security Assessment
| Vulnerability Type | Status | Details |
|-------------------|--------|---------|
| Command Injection | ✅ Fixed | Using spawn() without shell |
| Path Traversal | ✅ Fixed | Whitelist validation |
| Input Validation | ✅ Fixed | Comprehensive Zod schemas |
| Privilege Escalation | ⚠️ Mitigated | Requires capabilities, not root |
| Information Disclosure | ✅ Fixed | Data sanitization enabled |
| Resource Exhaustion | ✅ Fixed | Multiple limits enforced |
| CSRF | N/A | stdio transport only |
| XSS | N/A | No web interface |
| SQL Injection | N/A | No database |
**Overall Security Rating: 9/10**
## Reporting a Vulnerability
We take security vulnerabilities seriously. If you discover a security issue:
### DO:
1. **Email directly** to [security@yourproject.com] (replace with actual email)
2. **Include details**: Steps to reproduce, impact assessment, suggested fix
3. **Allow time**: Give us reasonable time to fix before public disclosure
4. **Coordinate**: Work with us on disclosure timing
### DO NOT:
1. **Open public issues** for security vulnerabilities
2. **Post on social media** before coordinated disclosure
3. **Exploit** the vulnerability beyond proof-of-concept
### Response Timeline
- **24 hours**: Initial acknowledgment
- **7 days**: Impact assessment and fix timeline
- **30 days**: Target for fix release
- **Coordinated disclosure**: After fix is available
## Security Considerations for Deployment
### Required Actions
1. **Review Configuration**
```bash
# Copy and customize .env
cp env.example.txt .env
# Review all security settings
vi .env
```
2. **Enable Audit Logging**
```bash
AUDIT_ENABLED=true
AUDIT_LOG_FILE=/var/log/wiremcp/audit.log
```
3. **Configure Rate Limits**
```bash
RATE_LIMIT_ENABLED=true
RATE_LIMIT_MAX=5
RATE_LIMIT_WINDOW_MS=60000
```
4. **Restrict File Access**
```bash
# Create dedicated directories
mkdir -p /var/wiremcp/pcaps
chmod 700 /var/wiremcp/pcaps
# Set in configuration
ALLOWED_PCAP_DIRS=/var/wiremcp/pcaps
```
5. **Disable Dangerous Features**
```bash
# Keep credential extraction disabled unless specifically needed
ENABLE_CREDENTIAL_EXTRACTION=false
```
### Privilege Management
#### Option 1: Linux Capabilities (Recommended)
```bash
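# Grant only necessary capabilities
# File capabilities attach to the binary itself, so any user who can execute
# it gets them; setcap also needs the real file, not a symlink
sudo setcap cap_net_raw,cap_net_admin=eip "$(readlink -f "$(which node)")"
sudo setcap cap_net_raw,cap_net_admin=eip "$(readlink -f "$(which tshark)")"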
# Run as unprivileged user
node index.js
```
#### Option 2: Dedicated User (Also Good)
```bash
# Create dedicated user
sudo useradd -r -s /bin/false wiremcp
# Grant capabilities to the node binary (file capabilities are per binary, not per user)
sudo setcap cap_net_raw,cap_net_admin=eip "$(readlink -f "$(which node)")"
# Run as dedicated user
sudo -u wiremcp node index.js
```
#### Option 3: Root (NOT Recommended)
```bash
# Only for testing in isolated environments
sudo node index.js
```
### Network Isolation
For production deployments:
```
┌───────────────────────────────────────┐
│            Trust Boundary             │
│  ┌─────────────┐    ┌──────────────┐  │
│  │ MCP Client  │    │   Monitor    │  │
│  │   (LLM)     │    │  Dashboard   │  │
│  └──────┬──────┘    └──────┬───────┘  │
│         │ stdio            │ API      │
│  ┌──────▼──────────────────▼───────┐  │
│  │         WireMCP Secure          │  │
│  │         (Unprivileged)          │  │
│  └──────────────┬──────────────────┘  │
└─────────────────┼─────────────────────┘
                  │ Monitored Interface
         ┌────────▼────────┐
         │  Isolated VLAN  │
         │ (Capture Only)  │
         └─────────────────┘
```
### Monitoring
#### 1. Audit Log Monitoring
```bash
# Real-time monitoring
tail -f /var/log/wiremcp/audit.log | jq .
# Alert on security events
tail -f /var/log/wiremcp/audit.log | \
jq 'select(.action=="SECURITY_EVENT" or .action=="RATE_LIMIT_VIOLATION")'
# Daily summary
cat /var/log/wiremcp/audit.log | \
jq -r '[.timestamp, .action, .userId] | @csv' | \
awk -F, '{print $2}' | sort | uniq -c
```
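
The same triage as the jq filters above, written for Node.js so it can run inside a monitoring job; this is an added example, not part of WireMCP. The function name, the threshold and every log value are constructed; only the field names and the `SECURITY_EVENT` / `RATE_LIMIT_VIOLATION` actions come from this page.

```javascript
// Constructed sample audit lines; the last one is deliberately truncated.
const SAMPLE_AUDIT_LOG = [
  '{"timestamp":"2025-12-13T10:00:01Z","action":"CAPTURE_START","userId":"alice","severity":"info"}',
  '{"timestamp":"2025-12-13T10:00:05Z","action":"RATE_LIMIT_VIOLATION","userId":"bob","severity":"warning"}',
  '{"timestamp":"2025-12-13T10:00:06Z","action":"RATE_LIMIT_VIOLATION","userId":"bob","severity":"warning"}',
  '{"timestamp":"2025-12-13T10:00:07Z","action":"RATE_LIMIT_VIOLATION","userId":"bob","severity":"warning"}',
  '{"timestamp":"2025-12-13T10:00:09Z","action":"RATE_LIMIT_VIOLATION","userId":"alice","severity":"warning"}',
  '{"timestamp":"2025-12-13T10:00:12Z","action":"SECURITY_EVENT","userId":"carol","severity":"error"}',
  '{"timestamp":"2025-12-13T10:00:13Z","action":"CAPT',
].join('\n');

// Summarise an audit log: events per action, SECURITY_EVENT / error entries,
// and users whose RATE_LIMIT_VIOLATION count reaches the threshold.
function triageAuditLog(text, violationThreshold = 3) {
  const byAction = new Map(); // Map, not {}, so keys such as "__proto__" are safe
  const violations = new Map();
  const alerts = [];
  let malformed = 0;
  for (const line of text.split('\n')) {
    if (line.trim() === '') continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      malformed += 1; // truncated or tampered line: count it and keep going
      continue;
    }
    if (entry === null || typeof entry !== 'object') { malformed += 1; continue; }
    byAction.set(entry.action, (byAction.get(entry.action) || 0) + 1);
    if (entry.action === 'SECURITY_EVENT' || entry.severity === 'error') alerts.push(entry);
    if (entry.action === 'RATE_LIMIT_VIOLATION') {
      violations.set(entry.userId, (violations.get(entry.userId) || 0) + 1);
    }
  }
  const repeatOffenders = [...violations]
    .filter(([, count]) => count >= violationThreshold)
    .map(([userId]) => userId)
    .sort();
  return { byAction, alerts, repeatOffenders, malformed };
}
```

A non-zero `malformed` count is worth alerting on in its own right, because it means the log was cut off or written to by something other than the logger.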
#### 2. System Monitoring
```bash
# Monitor process (the [w] keeps grep from matching itself)
ps aux | grep '[w]iremcp'
# Check resource usage (top expects a comma-separated PID list)
top -p "$(pgrep -d, -f wiremcp)"
# Monitor network
netstat -tulpn | grep tshark
```
#### 3. File System Monitoring
```bash
# Watch temp directory
watch -n 5 'ls -lh /tmp/wiremcp/'
# Monitor disk usage
df -h /tmp/wiremcp
```
### Incident Response
#### If Compromise Suspected:
1. **Immediate Actions**
```bash
# Stop the service
pkill -f wiremcp
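# Isolate the system (this also cuts remote sessions such as SSH; run from the console)
# -I inserts ahead of existing ACCEPT rules; -A would append after them
sudo iptables -I INPUT -j DROP
sudo iptables -I OUTPUT -j DROP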
```
2. **Preserve Evidence**
```bash
# Create the evidence directory, then copy audit logs
mkdir -p /tmp/evidence
cp -a /var/log/wiremcp /tmp/evidence/
# Capture process info
ps aux > /tmp/evidence/processes.txt
netstat -tulpn > /tmp/evidence/network.txt
```
3. **Investigate**
```bash
# Check audit log for anomalies
cat /var/log/wiremcp/audit.log | \
jq 'select(.severity=="error" or .severity=="warning")'
# Check for unauthorized file access
grep "Access denied" /var/log/wiremcp/audit.log
# Check rate limit violations
grep "RATE_LIMIT_VIOLATION" /var/log/wiremcp/audit.log
```
4. **Remediate**
- Update to latest version
- Review and strengthen configuration
- Rotate credentials if applicable
- Update access controls
5. **Document**
- Timeline of events
- Impact assessment
- Actions taken
- Lessons learned
## Compliance
### GDPR Compliance
- ✅ Data minimization: Only capture necessary data
- ✅ Purpose limitation: Clear purpose for each capture
- ✅ Storage limitation: Automatic cleanup of old files
- ✅ Accuracy: Validation of all inputs
- ✅ Integrity: Audit logging of all operations
- ⚠️ User consent: Implement if capturing user traffic
- ⚠️ Right to erasure: Implement if storing personal data
### PCI-DSS Considerations
- ✅ Install and maintain firewall configuration
- ✅ Do not use vendor-supplied defaults (configure settings)
- ✅ Protect stored data (sanitization enabled)
- ✅ Encrypt transmission of data (TLS for external APIs)
- ✅ Use and regularly update anti-virus software (host responsibility)
- ✅ Develop and maintain secure systems (this implementation)
- ✅ Restrict access by business need (role-based config)
- ✅ Identify and authenticate access (audit logging)
- ✅ Restrict physical access (deployment responsibility)
- ✅ Track and monitor all access (audit logs)
- ✅ Regularly test security (see Security Testing section)
- ✅ Maintain information security policy (this document)
### HIPAA Considerations
If capturing healthcare-related traffic:
- ⚠️ Ensure PHI is not captured or is properly sanitized
- ⚠️ Implement access controls (add authentication layer)
- ✅ Audit trails enabled
- ⚠️ Encryption at rest (implement if storing long-term)
- ✅ Encryption in transit (TLS enabled)
- ⚠️ Business associate agreements (if applicable)
## Security Testing
### Automated Testing
```bash
# Dependency vulnerabilities
npm audit
# Outdated packages
npm outdated
# Linting with security rules
npx eslint . --ext .js
```
### Manual Testing Checklist
- [ ] Command injection attempts fail
- [ ] Path traversal attempts fail
- [ ] Invalid input is rejected
- [ ] Rate limiting works correctly
- [ ] Concurrent limits enforced
- [ ] Audit logging captures events
- [ ] Sensitive data is sanitized
- [ ] Error messages don't leak info
- [ ] Temp files are cleaned up
- [ ] Graceful shutdown works
### Penetration Testing
Recommended annual penetration testing covering:
1. Input validation bypass attempts
2. Privilege escalation attempts
3. Information disclosure vulnerabilities
4. Denial of service resistance
5. Configuration security review
## Security Updates
### Staying Updated
```bash
# Check for updates weekly
npm outdated
# Update dependencies
npm update
# Check for security advisories
npm audit
```
### Update Policy
- **Critical vulnerabilities**: Patch within 24 hours
- **High vulnerabilities**: Patch within 7 days
- **Medium vulnerabilities**: Patch within 30 days
- **Low vulnerabilities**: Patch in next release
## Security Contact
For security-related questions or concerns:
- **Email**: security@yourproject.com (replace with actual)
- **PGP Key**: [Link to PGP key if available]
- **Security Advisory**: Check GitHub Security tab
## Attribution
This security policy is based on:
- OWASP Security Guidelines
- CWE/SANS Top 25
- NIST Cybersecurity Framework
- Industry best practices
---
**Last Updated**: December 13, 2025
**Version**: 2.0.0