# OpenClaw Security Monitors

Lightweight security monitoring suite for OpenClaw infrastructure.

## Quick Start

```bash
# Run all monitors once
./security-monitors.sh check-all

# Check status
./security-monitors.sh status

# View audit report
./security-monitors.sh report
```

## Monitors

### 1. SSH Monitor (`ssh-monitor.sh`)

Detects failed SSH login attempts by monitoring macOS unified logs.

- Runs: Every minute
- Threshold: Any failed attempt (with 5-min cooldown)

### 2. Disk Monitor (`disk-monitor.sh`)

Monitors disk usage and alerts when thresholds are exceeded.

- Runs: Every 5 minutes
- Warning: 80%
- Critical: 90%

### 3. Config Audit (`config-audit.sh`)

Tracks changes to critical configuration files.

- Runs: Daily at 6 AM
- Tracks: File hashes and metadata
- Baselines stored in: `state/baselines/`

## Installation

### 1. Install Cron Jobs

Add to crontab (`crontab -e`):

```
# OpenClaw Security Monitors
*/1 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/ssh-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/ssh-cron.log 2>&1
*/5 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/disk-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/disk-cron.log 2>&1
0 6 * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/config-audit.sh check >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/audit-cron.log 2>&1
```

### 2. Initialize Baselines

```bash
./security-monitors.sh init
```

### 3. Configure Telegram Alerts (Optional)

Alerts are queued to `state/alerts.queue`.

To enable Telegram delivery:

- Option A: Have your heartbeat process check the queue
- Option B: Add Telegram bot token to scripts

## File Structure

```
security-monitors/
├── ssh-monitor.sh          # SSH failed login detection
├── disk-monitor.sh         # Disk space monitoring
├── config-audit.sh         # Config file change tracking
├── security-monitors.sh    # Main controller script
├── alert-processor.sh      # Alert queue processor
├── logs/                   # Log files
│   ├── ssh-monitor.log
│   ├── disk-monitor.log
│   └── config-audit.log
└── state/                  # Runtime state
    ├── baselines/          # Config file baselines
    ├── alerts.queue        # Pending alerts
    └── *.cooldown          # Alert cooldown tracking
```

## Troubleshooting

### No alerts received

- Check `state/alerts.queue` for pending alerts
- Verify cron jobs are installed: `crontab -l`
- Check log files for errors

### Too many alerts

- Check cooldown files in `state/`
- Adjust thresholds in monitor scripts

### Baseline issues

- Reinitialize: `./security-monitors.sh init`
- Check file permissions

## Security Notes

- Scripts run as current user
- No credentials in repository
- Log rotation not implemented (monitor log sizes)
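
## Example: Baseline Check Logic

The Config Audit monitor above records file hashes and metadata at `init` time and reports drift on each `check`. The following is an added illustration of that init/check cycle, not the suite's own `config-audit.sh`; it assumes one baseline file per monitored path under `BASELINE_DIR` holding `<sha256> <size> <mode>`, and it reports NEW (no baseline), MISSING (file gone) and CHANGED (hash or metadata differs) findings.

```shell
#!/bin/sh
# Added example, not the OpenClaw suite's own config-audit.sh: a minimal
# baseline-and-compare routine of the same kind. Assumed layout: one file per
# monitored path under BASELINE_DIR holding "<sha256> <size> <mode>".
BASELINE_DIR="${BASELINE_DIR:-state/baselines}"
# sha256sum on Linux, shasum -a 256 on macOS
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}
# size and octal mode: GNU stat -c first, BSD/macOS stat -f as fallback
file_meta() {
    stat -c '%s %a' "$1" 2>/dev/null || stat -f '%z %Lp' "$1"
}
# baseline file name derived from the monitored path
baseline_name() { printf '%s' "$1" | tr '/' '_'; }

# Record digest + metadata for every path given (the "init" step).
baseline_init() {
    mkdir -p "$BASELINE_DIR"
    for f in "$@"; do
        printf '%s %s\n' "$(file_digest "$f")" "$(file_meta "$f")" \
            > "$BASELINE_DIR/$(baseline_name "$f")"
    done
}

# Compare every path with its baseline; one finding per line.
# Exit status 0 = no drift, 1 = at least one NEW/MISSING/CHANGED finding.
baseline_check() {
    rc=0
    for f in "$@"; do
        b="$BASELINE_DIR/$(baseline_name "$f")"
        if [ ! -f "$b" ]; then echo "NEW      $f (no baseline)"; rc=1; continue; fi
        if [ ! -f "$f" ]; then echo "MISSING  $f"; rc=1; continue; fi
        old=$(cat "$b")
        cur="$(file_digest "$f") $(file_meta "$f")"
        if [ "$cur" != "$old" ]; then
            echo "CHANGED  $f"
            echo "    was: $old"
            echo "    now: $cur"
            rc=1
        fi
    done
    return "$rc"
}

# usage: ./baseline-example.sh init FILE... | check FILE...
case "${1:-}" in
    init)  shift; baseline_init "$@" ;;
    check) shift; baseline_check "$@" ;;
esac
```

A non-zero exit from `check` is what a cron wrapper or the alert queue would key on; a permissions change alone (same content, different mode) is reported because the mode is part of the recorded metadata.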