security_audit_config

Instructions

Implementation Reference

• src/opensips_mcp/tools/security_tools.py:142-204 (handler)

  The main handler function for the 'security_audit_config' MCP tool. Decorated with @mcp.tool() and @require_permission('config.read'). Takes a config_content string, runs regex-based security checks against _SECURITY_CHECKS patterns, and checks for missing essential security modules (pike, permissions). Returns findings with severity levels and a summary.

  @mcp.tool()
  @require_permission("config.read")
  async def security_audit_config(
      ctx: Context,
      config_content: str,
  ) -> dict[str, Any]:
      """Perform a basic security audit on an OpenSIPS configuration snippet.
  
      Checks for common misconfigurations and security anti-patterns.
  
      Parameters
      ----------
      config_content:
          The OpenSIPS configuration text to analyse.
  
      Returns
      -------
      dict
          Contains ``findings`` (list of issues) and ``summary`` counts.
      """
      findings: list[dict[str, str]] = []
      warnings = 0
      info = 0
  
      for pattern, check_id, message in _SECURITY_CHECKS:
          if re.search(pattern, config_content):
              severity = "info" if check_id in ("pike_present", "force_send_socket") else "warning"
              findings.append(
                  {
                      "check": check_id,
                      "severity": severity,
                      "message": message,
                  }
              )
              if severity == "warning":
                  warnings += 1
              else:
                  info += 1
  
      # Check for missing security modules
      essential_modules = [
          ("pike", "Anti-flood protection (pike) module is not loaded."),
          ("permissions", "IP-based permissions module is not loaded."),
      ]
      for module, msg in essential_modules:
          if f'loadmodule "{module}.so"' not in config_content and f"loadmodule \"{module}\"" not in config_content:
              findings.append(
                  {
                      "check": f"missing_{module}",
                      "severity": "warning",
                      "message": msg,
                  }
              )
              warnings += 1
  
      return {
          "findings": findings,
          "summary": {
              "total": len(findings),
              "warnings": warnings,
              "info": info,
          },
      }

• src/opensips_mcp/tools/security_tools.py:87-139 (schema)

  The _SECURITY_CHECKS list defines the regex patterns, check IDs, and human-readable messages used by the security_audit_config tool to detect security issues in OpenSIPS configs. This serves as the rule definitions/schema for the audit.

  # Patterns that indicate potential security issues in OpenSIPS configs
  _SECURITY_CHECKS: list[tuple[str, str, str]] = [
      (
          r"(?i)\blisten\s*=\s*udp:\*:",
          "wildcard_listen",
          "Listening on all interfaces (0.0.0.0 / *) — consider binding to specific IPs.",
      ),
      (
          r"(?i)\blisten\s*=\s*udp:0\.0\.0\.0:",
          "wildcard_listen_v4",
          "Listening on all IPv4 interfaces — consider binding to specific IPs.",
      ),
      (
          r"(?i)modparam\s*\(\s*[\"']auth_db[\"']\s*,\s*[\"']calculate_ha1[\"']\s*,\s*1\s*\)",
          "plaintext_passwords",
          "calculate_ha1=1 means passwords are stored in plaintext — use pre-computed HA1 hashes instead.",
      ),
      (
          r"(?i)modparam\s*\(\s*[\"']tls_mgm[\"']\s*,\s*[\"']verify_cert[\"']\s*,\s*[\"']0[\"']\s*\)",
          "tls_no_verify",
          "TLS certificate verification is disabled — enable it in production.",
      ),
      (
          r"(?i)#!define\s+WITH_DEBUG",
          "debug_enabled",
          "Debug mode is enabled — disable in production to reduce log volume and improve performance.",
      ),
      (
          r"(?i)modparam\s*\(\s*[\"']permissions[\"']\s*,\s*[\"']default_allow_file[\"']",
          "permissions_allow",
          "Using file-based permissions — ensure allow/deny files are properly maintained.",
      ),
      (
          r"(?i)xlog\s*\(\s*[\"'].*\$ru.*[\"']\s*\)",
          "uri_logging",
          "Logging SIP URIs may expose PII — ensure log access is restricted.",
      ),
      (
          r"(?i)modparam\s*\(\s*[\"']httpd[\"']\s*,\s*[\"']ip[\"']\s*,\s*[\"']0\.0\.0\.0[\"']\s*\)",
          "httpd_wildcard",
          "MI HTTP interface bound to all interfaces — restrict to localhost or private network.",
      ),
      (
          r"(?i)force_send_socket",
          "force_send_socket",
          "force_send_socket is used — verify the bound socket is correct for your topology.",
      ),
      (
          r"(?i)modparam\s*\(\s*[\"']pike[\"']\s*,",
          "pike_present",
          "Pike module is loaded — good, anti-flood protection is configured.",
      ),
  ]

• src/opensips_mcp/tools/security_tools.py:142-142 (registration)

  The @mcp.tool() decorator on line 142 registers the security_audit_config function as an MCP tool. The @require_permission('config.read') decorator enforces RBAC access control.

  @mcp.tool()