# CMMC ColdFront Audit Plugin

The CMMC Audit plugin provides a single audit trail for governance actions in ColdFront.

CMMC stands for **Cybersecurity Maturity Model Certification**, the cybersecurity framework used by the U.S. Department of Defense to assess and validate security practices. This plugin was developed with CMMC Level 2 evidence collection and review in mind. The event categories, terminology, and presentation were intentionally aligned with common CMMC evidence areas such as Access Control (AC), Audit and Accountability (AU), and Configuration Management (CM).

The plugin is not intended to make a ColdFront deployment "CMMC compliant." Instead, it helps produce operational evidence that can support audits, reviews, and internal governance processes.

ColdFront already stores a significant amount of information in Django admin logs, workflow records, and historical tables. The problem is that the information is spread across multiple places and is often difficult to interpret. Determining who approved an allocation, who renewed access, who changed a project's PI, or who added a user to a project can require tracing multiple records and workflow states.

This plugin creates a single append-only audit trail that records these actions in a form that is easier for administrators, project reviewers, and auditors to understand.

## Why Use It?

The plugin helps answer questions such as:

- Who approved this allocation?
- Who renewed this allocation?
- Who added this user to the project?
- When was a project archived?
- When was a user upgraded to PI status?
- What changes were made to a resource?
- What evidence exists to support a CMMC review?

It also provides a historical reconstruction capability that can populate the audit log from existing ColdFront records.

## Evidence Categories

The plugin groups events into CMMC-oriented evidence categories.
### Access Control (AC)

Examples:

- User added to project
- User removed from project
- User role changes
- PI status changes
- Allocation approvals
- Allocation renewals
- Allocation revocations

### Audit and Accountability (AU)

Examples:

- Administrative actions
- Project review activity
- Allocation workflow history
- Historical reconstruction records

### Configuration Management (CM)

Examples:

- Resource creation
- Resource modification
- Resource deletion

## What the Plugin Records

### Project Events

- Project creation
- Project archival
- Project deletion
- Project status changes
- Project PI changes

### Project Membership Events

- User added to project
- User removed from project
- User role changes

### Allocation Events

- Allocation requests
- Allocation approvals
- Allocation denials and revocations
- Allocation renewals
- Allocation renewal requests
- Allocation expiration

### Project Review Events

- Review forced
- Review submitted
- Review completed
- Review status changes

### User and Permission Events

- PI status changes
- Administrator privilege changes

### Resource Events

- Resource creation
- Resource modification
- Resource deletion

### Administrative Events

- Django admin additions
- Django admin modifications
- Django admin deletions

## Historical Reconstruction

The plugin can reconstruct historical audit records from:

- Django admin logs
- ColdFront historical tables

Historical reconstruction is best effort. It does not invent information that was never recorded. For example, it cannot reconstruct IP addresses, user intent, comments, request paths, or actions that do not exist in the source records. Reconstructed records are clearly marked and retain references to their original source.

Historical reconstruction is implemented as an explicit management command and is never run automatically during application startup.
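The following stand-alone Python is an added illustration of the backfill contract described here (dry-run versus commit, a run marker that makes repeated runs a no-op unless forced, reconstructed rows flagged and carrying a source reference, and fields such as the IP address left empty because the source never recorded them). It is not the plugin's own code; the `AuditStore` class, the `ADMIN_LOG` sample rows and the `backfill`/`reset_reconstructed` functions are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass(frozen=True)
class AuditEvent:
    category: str               # CMMC evidence area: "AC", "AU" or "CM"
    action: str                 # e.g. "addition", "change", "deletion"
    actor: str
    target: str
    is_reconstructed: bool      # True for rows produced by backfill
    source_ref: Optional[str]   # provenance of a reconstructed row (constructed format)
    ip_address: Optional[str]   # not recoverable from admin logs, so None when reconstructed

@dataclass
class AuditStore:
    events: List[AuditEvent] = field(default_factory=list)
    backfill_runs: Set[str] = field(default_factory=set)

    def append(self, event: AuditEvent) -> None:
        """Append-only: the store exposes no update or in-place edit."""
        self.events.append(event)

# Constructed stand-in for Django admin LogEntry rows: (id, user, action, object_repr).
ADMIN_LOG = [
    (17, "alice", "change", "Allocation 42"),
    (18, "bob", "addition", "ProjectUser carol on project-x"),
]

def backfill(store: AuditStore, run_name: str = "initial_historical_backfill",
             *, commit: bool = False, force: bool = False) -> int:
    """Reconstruct admin-log rows as audit events.

    Returns the number of events reconstructed (or that would be, in dry-run).
    A completed run records a marker; later runs are no-ops unless force=True.
    """
    if run_name in store.backfill_runs and not force:
        return 0
    new = [AuditEvent("AU", action, user, obj, True, f"admin_log:{log_id}", None)
           for log_id, user, action, obj in ADMIN_LOG]
    if commit:
        for event in new:
            store.append(event)
        store.backfill_runs.add(run_name)
    return len(new)

def reset_reconstructed(store: AuditStore, run_name: str = "initial_historical_backfill") -> int:
    """Development-only reset: drop reconstructed rows and the run marker so backfill can be redone."""
    before = len(store.events)
    store.events = [e for e in store.events if not e.is_reconstructed]
    store.backfill_runs.discard(run_name)
    return before - len(store.events)
```

Running `backfill` twice with `commit=True` shows the marker doing its job (the second call returns 0), while `force=True` recreates the rows, which is why a reset precedes a forced regeneration during development.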
Recommended sequence:

```bash
coldfront backfill_cmmc_audit --dry-run
coldfront backfill_cmmc_audit --commit
```

The command records a `BackfillRun` marker after successful completion. Subsequent executions will not recreate events unless explicitly forced.

Reconstructed records are marked as reconstructed and retain source provenance information, including the originating Django admin log entry or ColdFront historical record.

## Installation

The plugin is designed to be installed into an existing ColdFront deployment without modifying ColdFront core code.

### 1. Install the Plugin

Copy the plugin into the ColdFront plugins directory:

```bash
cp -a cmmc_audit /srv/coldfront/venv/lib/python3.11/site-packages/coldfront/plugins/
```

Verify the files are present:

```bash
ls /srv/coldfront/venv/lib/python3.11/site-packages/coldfront/plugins/cmmc_audit
```

### 2. Enable the Plugin

Add the plugin to the ColdFront configuration:

```python
INSTALLED_APPS += [
    "coldfront.plugins.cmmc_audit",
]
```

### 3. Review Database Changes

Before applying migrations:

```bash
coldfront showmigrations cmmc_audit
```

All migrations should belong to the `cmmc_audit` application. The plugin does not intentionally modify ColdFront core database tables.

### 4. Apply Migrations

```bash
coldfront migrate cmmc_audit
```

Validate the installation:

```bash
coldfront check
```

### 5. Restart ColdFront

Restart the ColdFront application service using your site's normal deployment procedure.

### 6. Verify Operation

Log into Django Admin and confirm that a new section named **CMMC Audit** appears.

Verify that events are being recorded when:

- Projects are modified
- Allocations are approved or renewed
- Users are added to projects
- Resources are created or modified

### 7. Optional Historical Reconstruction

Review the proposed changes:

```bash
coldfront backfill_cmmc_audit --dry-run
```

Populate historical records:

```bash
coldfront backfill_cmmc_audit --commit
```

### Rollback

To disable the plugin:
1. Remove `coldfront.plugins.cmmc_audit` from `INSTALLED_APPS`.
2. Restart ColdFront.

Existing audit data will remain in the database unless the plugin tables are explicitly removed.

## Project Review Workflow Coverage

ColdFront project reviews are based on the `Project.force_review` and `Project.requires_review` fields.

The plugin records:

- Review forced
- Review submitted
- Review completed
- Review status changes

The plugin captures review workflow events without modifying ColdFront core source code.

## Limitations

- Historical reconstruction is best effort.
- The plugin cannot reconstruct information that was never recorded.
- Annual review due state is computed by ColdFront and does not generate a database event when a project merely becomes due for review.
- Request-for-updates emails do not currently change review state and therefore are not recorded as review status events.
- Slurm partition restrictions, FreeIPA administration, operating system account changes, and other external systems are only captured when they are represented by ColdFront records.
- Some functionality relies on wrapping existing ColdFront workflow views because suitable extension hooks are not available in all cases.

## Development Notes

Smoke tests should use Django's test database or an explicit rollback strategy. Test users, projects, resources, allocations, and audit records should not be left in a shared development database because they become indistinguishable from real operational evidence.

During development, reconstructed rows can be reset and then regenerated by re-running the backfill command:

```python
from coldfront.plugins.cmmc_audit.models import AuditEvent, BackfillRun

# Remove only the rows produced by historical reconstruction; live events are untouched.
AuditEvent.objects.filter(is_reconstructed=True).delete()
# Remove the run marker so that `coldfront backfill_cmmc_audit --commit` will regenerate them.
BackfillRun.objects.filter(name="initial_historical_backfill").delete()
```

## Disclaimer

This software is distributed in the hope that it may be useful to other ColdFront administrators and HPC centres. It is provided as-is, without warranty of any kind, express or implied.
The author and contributors make no guarantees regarding correctness, fitness for a particular purpose, security, reliability, or suitability for any specific environment.

ColdFront deployments vary significantly between institutions. Authentication methods, plugins, workflow customisations, database contents, and local operational practices may differ substantially from the environments in which this plugin was developed and tested. As a result, behaviour may differ from site to site.

This plugin is intended to create and populate its own database tables and does not intentionally modify ColdFront core tables or source code. However, as with any software, unknown defects may exist. Bugs, configuration errors, unexpected interactions with local customisations, or future ColdFront changes could result in unintended behaviour, including data corruption or data loss.

Before deploying this plugin:

- Review the source code and database migrations.
- Follow your organisation's normal backup and recovery procedures.
- Ensure that recent database backups are available and tested.
- Validate the plugin in a development or staging environment that closely resembles production.
- Perform representative workflow testing before enabling the plugin in production.
- Review the output of any historical reconstruction or backfill operations before committing changes.

The responsibility for evaluating, testing, deploying, and operating this software rests entirely with the local site administrators.

## Open Source Work Product

This plugin was developed by G. Matthew Fricke at the University of New Mexico Center for Advanced Research Computing (CARC) and is being released as open source software in the hope that it may be useful to other ColdFront administrators and HPC centres.

The software was developed to address operational auditing and evidence collection requirements observed during CARC's own governance, compliance, and security review activities.
Other organisations may have different policies, workflows, compliance requirements, and interpretations of evidence collection standards.

Contributions, bug reports, improvements, and independent review are encouraged. Users are encouraged to inspect the source code, validate the plugin in their own environments, and adapt it as necessary for local requirements.