# Saturday, February 22, 2026

## Task Summary

Set up 3 custom security/monitoring alerts on the OpenClaw infrastructure as requested in Gantt Board sprint (Task ID: ad032eaf-58d5-4783-a5cc-63070774d4e9).

## What Was Requested

1. ✅ Failed SSH login detection - bot messages instantly when someone tries to break in
2. ✅ Disk space monitoring - warn when server hits 90% before it crashes
3. ✅ Daily config audit - check every morning if anything changed that shouldn't have

## What Was Implemented

### Scripts Location

`/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/`

### 1. SSH Failed Login Monitor (`ssh-monitor.sh`)

- **Purpose:** Detects failed SSH login attempts
- **Method:** Monitors macOS unified logs for SSH authentication failures
- **Schedule:** Every 1 minute via cron
- **Alert Cooldown:** 5 minutes between alerts for the same pattern
- **Log:** `logs/ssh-monitor.log`

### 2. Disk Space Monitor (`disk-monitor.sh`)

- **Purpose:** Warns when disk usage exceeds thresholds
- **Thresholds:**
  - WARNING at 80%
  - CRITICAL at 90%
- **Schedule:** Every 5 minutes via cron
- **Exclusions:** CoreSimulator volumes (iOS simulators), devfs, map volumes
- **Log:** `logs/disk-monitor.log`

### 3. Config Audit (`config-audit.sh`)

- **Purpose:** Detects unauthorized changes to critical configuration files
- **Files Monitored:**
  - `~/.openclaw/openclaw.json`
  - `~/.openclaw/workspace/AGENTS.md`
  - `~/.openclaw/workspace/TOOLS.md`
  - `~/.openclaw/workspace/BRAIN.md`
  - `~/.openclaw/workspace/SOUL.md`
  - `~/.openclaw/workspace/HEARTBEAT.md`
  - `~/.openclaw/workspace/.openclaw/workspace-state.json`
  - `/etc/ssh/sshd_config`
  - `/etc/hosts`
  - `~/.ssh/authorized_keys`
  - `~/.zshrc`
  - `~/.bash_profile`
- **Schedule:** Daily at 6:00 AM via cron
- **Baseline Storage:** `state/baselines/`
- **Log:** `logs/config-audit.log`

## Manual Steps Required

### 1. Install Cron Jobs

The crontab command had issues during setup. Please run this manually:

```bash
# Add these lines to your crontab via: crontab -e
# OpenClaw Security Monitors - 2026-02-22
*/1 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/ssh-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/ssh-cron.log 2>&1
*/5 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/disk-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/disk-cron.log 2>&1
0 6 * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/config-audit.sh check >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/audit-cron.log 2>&1
```

### 2. Telegram Integration

Alerts are written to `state/alerts.queue`. To deliver via Telegram, the alert processor needs to be wired up. Options:

- Have heartbeat check and process the queue
- Create a small daemon to process alerts
- Wire directly into the scripts using a Telegram bot token

Current alert queue location: `/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/state/alerts.queue`

## Controller Script

A convenience controller is available:

```bash
/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/security-monitors.sh [command]

Commands:
  check-all   Run all monitors once
  ssh         Run SSH monitor only
  disk        Run disk monitor only
  audit       Run config audit only
  init        Initialize config audit baselines
  report      Show config audit report
  status      Show monitor status
```

## Current Status

- ✅ All 3 monitoring scripts created and tested
- ✅ Config audit baselines initialized (12 files)
- ⚠️ Cron jobs need manual installation (see above)
- ⚠️ Alert queue has 135 pending alerts from testing
- ✅ Logs created for all monitors

## Log Locations

- SSH Monitor: `~/.openclaw/workspace/scripts/security-monitors/logs/ssh-monitor.log`
- Disk Monitor: `~/.openclaw/workspace/scripts/security-monitors/logs/disk-monitor.log`
- Config Audit: `~/.openclaw/workspace/scripts/security-monitors/logs/config-audit.log`

## Maintenance Notes

### Adding New Monitored Files

Edit `config-audit.sh` and add files to the `get_critical_files()` function.

### Adjusting Thresholds

Edit `disk-monitor.sh` and modify the `WARN_THRESHOLD` and `CRITICAL_THRESHOLD` variables.

### Clearing Alert Queue

```bash
> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/state/alerts.queue
```

### Reinitializing Baselines

```bash
/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/security-monitors.sh init
```

## Security Considerations

- Scripts run as user `mattbruce`
- No credentials stored in scripts
- Baseline files stored with user permissions
- Log files contain file paths but not sensitive content

## Blockers/Notes

- Crontab command had hanging issues during automated setup - requires manual installation
- Telegram delivery requires wiring up the alert processor (currently queues to file)
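## Appendix: Baseline-and-Compare Logic (Added Example)

As an added worked example, not the page's `config-audit.sh`, this is the hash-baseline logic a config audit of the kind described above relies on: `init_baseline` records a SHA-256 per monitored file and `check_baseline` reports files that changed or went missing since the baseline was taken. The single baseline file, the function names and the `hash_file` wrapper are assumptions of this example (the real script stores baselines under `state/baselines/`).

```bash
#!/usr/bin/env bash
# Added example, not the OpenClaw config-audit.sh script.
# Assumed layout: one baseline file holding "sha256 path" lines.
set -u

# Portable SHA-256: macOS ships shasum, most Linux hosts ship sha256sum.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# init_baseline BASELINE_FILE FILE... : record a hash for every file that
# exists right now (files that do not exist yet are simply skipped).
init_baseline() {
  local baseline="$1"; shift
  : > "$baseline"
  for f in "$@"; do
    [ -f "$f" ] || continue
    printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
  done
}

# check_baseline BASELINE_FILE : print one "CHANGED path" or "MISSING path"
# line per drifted file; return 1 if anything drifted, 0 if all match.
check_baseline() {
  local baseline="$1" drift=0 stored_hash path
  while read -r stored_hash path; do
    if [ ! -f "$path" ]; then
      echo "MISSING $path"; drift=1
    elif [ "$(hash_file "$path")" != "$stored_hash" ]; then
      echo "CHANGED $path"; drift=1
    fi
  done < "$baseline"
  return "$drift"
}
```

A cron job would call `check_baseline` and append its non-empty output to the alert queue; a deleted `authorized_keys` or `sshd_config` shows up as `MISSING`, which is why the missing case is reported rather than silently skipped.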