1

Audit

Latte edited this page 2026-06-26 12:58:15 +02:00

Table of Contents

• Audit Logging
• Design
• Event Types
• Integrity Validation
• Operational Expectations
• Rotation

Audit Logging

Design

Audit logs are append-only JSON lines with hash chaining:

• prev_hash: previous entry hash.
• entry_hash: hash of current entry payload + previous hash.

This makes tampering detectable.

Event Types

• tool_invocation
• access_denied
• security_event

Each event includes timestamps and correlation context.

Integrity Validation

Use:

python3 scripts/validate_audit_log.py --path /var/log/aegis-mcp/audit.log

Exit code 0 indicates valid chain, non-zero indicates tamper/corruption.

Operational Expectations

• Persist audit logs to durable storage.
• Protect write permissions (service account only).
• Validate integrity during incident response and release checks.

Rotation

The server appends to a single audit file and does not rotate it in process — rotating mid-stream would break the prev_hash/entry_hash chain. Manage growth externally with logrotate using copytruncate so the open file handle keeps appending:

/var/log/aegis-mcp/audit.log {
    weekly
    rotate 12
    compress
    missingok
    notifempty
    copytruncate
}

Run scripts/validate_audit_log.py against each rotated segment to confirm the chain remains intact across rotations before archiving.

AegisGitea-MCP

Start

• Home
• Getting Started
• Configuration

Operating

• Write Mode
• Raw API
• Automation
• Deployment

Internals

• Architecture
• Policy
• Audit
• Observability

Security

• Security
• Hardening
• Governance

Reference

• API Reference
• Troubleshooting
• Roadmap

Generated from the docs/ directory. Edit the docs, not the wiki, then re-run the wiki sync.