MIT Network Audit docs
Getting started

Installation

Installing a trust tool raises a fair question right away: am I about to add yet another moving part to my Odoo, one I'll have to take on faith just like everything else? With MIT Network Audit the answer is no. This module is open source and never obfuscated — you can read every line before you install it, and after it is running you can open the Trust Report and watch it account for your instance's traffic in real time.

6 min read

Installing a trust tool raises a fair question right away: am I about to add yet another moving part to my Odoo, one I'll have to take on faith just like everything else? With MIT Network Audit the answer is no. This module is open source and never obfuscated — you can read every line before you install it, and after it is running you can open the Trust Report and watch it account for your instance's traffic in real time.

Installing it is ordinary Odoo. The only thing worth getting right is how the module is loaded, because that determines whether it sees all of your network traffic or only some of it. There are two paths below — pick the one that matches where your Odoo runs. Both end the same way: you open Network Audit → Trust Report and confirm capture is live.

Before you start

  • You need administrator access to Odoo — enough to open the Apps list, install a module, and edit a server configuration (for self-hosted deployments).
  • You need to know where your Odoo runs: on a server or container you control (self-hosted, Docker, Kubernetes), or on a managed platform such as Odoo.sh. This decides which of the two install paths below applies to you.
  • MIT Network Audit runs on Odoo 17, 18, and 19. The steps are the same on each.

Open source by design — verify before you trust

MIT ships its commercial modules (MailDesk, the license locker) obfuscated, so you cannot read their bytecode. This module is the deliberate exception: it is shipped in the clear and is never obfuscated, precisely so you can audit it yourself. Reading the source before installing is not just allowed — it is the point.

What installation does

When you install mit_network_audit, Odoo loads the module's models, views, the Trust Report dashboard, the two security groups, and the seeded catalogue of known destinations. The part that does the actual work is a small interceptor that wraps your instance's network calls so that every inbound and outbound operation is attributed to the Odoo module that made it and recorded — as metadata only — in an append-only, hash-chained log.

That interceptor has to be in place inside each Odoo worker process before any traffic flows. How it gets there is the one thing that differs between the two deployment styles below.

Load it server-wide on self-hosted and Kubernetes

On a server you control, the interceptor installs from the module's post_load step, which runs once per worker process at startup. For every worker to be patched before it serves a single request, the module must be in the server-wide load list. Add it with --load or server_wide_modules (see below). If you install it only as an ordinary app on a self-hosted server, some workers may start un-patched and traffic in those workers will not be captured. On managed platforms like Odoo.sh you cannot set the load list — and there you do not need to; see Managed platforms (Odoo.sh).

Self-hosted, Docker and Kubernetes (server-wide load)

This is the path for any deployment where you control how the Odoo server is started — a bare server, a Docker container, or a Kubernetes pod. Here you install the module and add it to the server-wide load list, so the interceptor is present in every worker.

1. Install the module

  1. Make sure the mit_network_audit module is on your Odoo addons path (drop it in alongside your other addons and restart so Odoo can see it).
  2. In Odoo, go to Apps, update the apps list if you just added the files, search for MIT Network Audit, and click Activate (Install).

2. Add it to the server-wide load list

Tell Odoo to load the module server-wide, before any database, so its post_load patches every worker at startup. Use either the command-line flag or the configuration file — not both is required, pick one.

On the command line:

--load=base,web,mit_network_audit

Or in your odoo.conf:

[options]
server_wide_modules = base,web,mit_network_audit

Keep base and web in the list — they are Odoo's own default server-wide modules, and mit_network_audit is simply added after them. Then restart Odoo so the new load list takes effect.

Docker / Kubernetes

If you start Odoo from a container, set the load list the same way you set any other Odoo argument — for example through your ODOO_EXTRA_ARGS environment variable or the command: in your compose / pod spec — so that mit_network_audit is in --load (or server_wide_modules) every time the container starts. The repository's own docker-compose.yaml wires this up as a reference.

3. Restart and confirm

Restart the Odoo service. Then jump to Confirm it is running below.

Managed platforms (Odoo.sh)

On a managed platform such as Odoo.sh, you do not control the Odoo start-up command, so you cannot set a server-wide load list — and you do not need to. The module is built to install cleanly here too.

  1. Add mit_network_audit to your Odoo.sh repository (your custom addons), let the platform build, and then install it from the Apps list exactly like any other module.
  2. That is all. On an ordinary Apps install the interceptor attaches itself through Odoo's own ir.http._register_hook, so it comes online without any server-wide configuration.

Both deployment styles funnel through a single, idempotent install step internally, so the end result is the same — a patched instance that records its own traffic.

One module, two install routes

Server-wide post_load (self-hosted / Kubernetes) and the ir.http._register_hook route (managed PaaS) are two doors into the same install logic. You do not choose between them in the UI; you simply install the way your hosting allows, and the module picks the right path.

Confirm it is running

Installation is only finished when capture is actually live. The dashboard tells you in one glance.

  1. Open the top menu Network Audit → Trust Report.
  2. Look at the forensic-capture status banner at the top of the dashboard — it reports whether capture is active.
  3. Within a short while of normal use you should see the summary cardsTotal events, MIT-bound events, Third-party events — begin to fill, and destinations appear in the MIT-bound destinations and Third-party destinations panels.

The Trust Report dashboard showing an all-clear verdict The Trust Report after install: the capture banner is active and the verdict card reads all-clear.

If the dashboard shows the capture banner as active and events start to accumulate, the interceptor is in place. If it does not, re-check that on a self-hosted server the module is in the server-wide load list and that you restarted Odoo after adding it.

Network auditing must be switched on

Capture is governed by the Network auditing enabled master switch in Configuration → Settings (Network Audit section). If the banner reports that auditing is off, turn this switch on — with it off, nothing is captured. See Configuration for every setting.

What to do next

  • Read the verdict. Learn what the hero verdict, the trust chips, and the destination panels are telling you on the Trust Report.
  • Understand the mechanism. See exactly which network channels are wrapped and how each call is attributed in How it works.
  • Tune capture. Adjust strict redaction, retention, and disabled channels in Configuration.
  • Prove it to a third party. Export a signed, independently verifiable record from Verification & signed export.