[SECURITY] Audit logs writable by sandbox user — agent can modify its own audit trail

[h-network]

Problem Statement

NemoClaw sandbox logs are accessible via nemoclaw <name> logs. However, the log files reside within the sandbox's writable filesystem. The agent (or a compromised agent) can:

1. Modify log entries to hide malicious actions
2. Delete log files entirely
3. Inject false log entries to create misleading audit trails

Impact

For enterprise deployments requiring compliance (SOC 2, ISO 27001, HIPAA), audit logs must be:

• Append-only: entries cannot be modified after writing
• Agent-proof: the agent cannot access or modify the log store
• Tamper-evident: modifications are detectable

Current implementation satisfies none of these requirements.

Proposed Design

1. Separate log store: Write audit events to a location outside the sandbox's writable filesystem (e.g., OpenShell host-level log collector)
2. Append-only enforcement: Use chattr +a on log files or write to a dedicated append-only volume
3. Cryptographic chaining: Each log entry includes a hash of the previous entry, creating a tamper-evident chain:

import hashlib, json, time

def append_audit(log_file, event: dict, prev_hash: str) -> str:
    event["timestamp"] = time.time()
    event["prev_hash"] = prev_hash
    payload = json.dumps(event, sort_keys=True).encode()
    event["hash"] = hashlib.sha256(payload).hexdigest()
    with open(log_file, "a") as f:
        f.write(json.dumps(event) + "\n")
    return event["hash"]

4. Remote shipping: Forward audit events to an external SIEM (Splunk, Elastic) in real-time via syslog or webhook

References

• SOC 2 Type II CC7.2: "The entity monitors system components for anomalies"
• ISO 27001 A.12.4.2: "Logging facilities and log information shall be protected against tampering"

Alternatives Considered

No response

Category

enhancement: feature

Checklist

• I searched existing issues and this is not a duplicate
• This is a design proposal, not a "please build this" request

[wscurran]

✨ Thanks for submitting this issue with a detailed explanation, it addresses a security concern that could compromise the integrity of the audit trail, which could improve the security of NemoClaw.

---

Possibly related open PRs:
#871 security: enforce process limit to prevent fork bombs in sandbox,
#654 harden sandbox against agent config tampering (defense-in-depth),
#611 security: remove telegram and discord from baseline sandbox policy