# OpenClaw Security Monitors

Lightweight security monitoring suite for OpenClaw infrastructure.

## Quick Start

```bash
# Run all monitors once
./security-monitors.sh check-all

# Check status
./security-monitors.sh status

# View audit report
./security-monitors.sh report
```

## Monitors

### 1. SSH Monitor (`ssh-monitor.sh`)

Detects failed SSH login attempts by monitoring macOS unified logs.

- Runs: Every minute
- Threshold: Any failed attempt (with 5-min cooldown)

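The following is an added, self-contained illustration of the two ideas behind this monitor (count failed sshd logins in a batch of log lines, then alert once per cooldown window). It is not the project's `ssh-monitor.sh`; the log lines are a constructed syslog-style sample with TEST-NET addresses, `STATE_DIR` defaults to a scratch directory rather than the project's `state/`, and the alert format is an assumption. On macOS the real input would be the unified log, for example `log show --last 1m --predicate 'process == "sshd"'`, piped into `count_failures`.

```shell
#!/bin/sh
# Added example (not the project's ssh-monitor.sh): count failed SSH logins in a
# batch of log lines, then raise an alert that honours the README's 5-minute cooldown.
# On macOS the real input would come from the unified log, e.g.
#   log show --last 1m --predicate 'process == "sshd"' | count_failures
# The lines below are a constructed sample in syslog style with TEST-NET addresses.

COOLDOWN_SECS=300
STATE_DIR="${STATE_DIR:-$(mktemp -d)}"   # assumption: the real script uses ./state/

SAMPLE_LOG='Jan 15 10:23:45 host sshd[512]: Accepted publickey for matt from 192.0.2.10 port 50000 ssh2
Jan 15 10:23:50 host sshd[513]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 15 10:23:52 host sshd[514]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 15 10:24:01 host sshd[515]: Invalid user test from 198.51.100.7 port 40000
Jan 15 10:24:03 host sshd[516]: Connection closed by 192.0.2.10 port 50000'

# stdin: log lines. stdout: "source_ip count" per offending source, busiest first.
failed_by_source() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' |
        sed -E 's/.* from ([0-9.]+) port.*/\1/' |
        sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# stdin: log lines. stdout: total number of failed attempts (0 if none).
count_failures() {
    failed_by_source | awk '{ s += $2 } END { print s + 0 }'
}

# True (exit 0) if an alert with key $1 was raised less than COOLDOWN_SECS ago.
# The cooldown file holds the epoch time of the last alert, which sidesteps the
# GNU/BSD differences in reading file mtimes with stat.
cooldown_active() {
    f="$STATE_DIR/$1.cooldown"
    [ -f "$f" ] || return 1
    last=$(cat "$f")
    now=$(date +%s)
    [ $((now - last)) -lt "$COOLDOWN_SECS" ]
}

# Queue an alert (key $1, message $2) unless its cooldown is active.
# Appends to alerts.queue as the README describes; returns 1 when suppressed.
alert_once() {
    key=$1; msg=$2
    cooldown_active "$key" && return 1
    date +%s > "$STATE_DIR/$key.cooldown"
    echo "$(date +%s) [$key] $msg" >> "$STATE_DIR/alerts.queue"
    echo "ALERT [$key] $msg"
}

# Stand-alone run: summarise the sample and alert once on it.
n=$(printf '%s\n' "$SAMPLE_LOG" | count_failures)
if [ "$n" -gt 0 ]; then
    top=$(printf '%s\n' "$SAMPLE_LOG" | failed_by_source | head -n 1)
    alert_once ssh "$n failed SSH login(s); top source: $top" || echo "alert suppressed by cooldown"
fi
```

Running the script twice within five minutes against the same `STATE_DIR` shows the cooldown in action: the first run queues an alert, the second prints "alert suppressed by cooldown". Storing the last-alert time inside the `.cooldown` file, rather than relying on its mtime, keeps the check portable between macOS and Linux.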
### 2. Disk Monitor (`disk-monitor.sh`)

Monitors disk usage and alerts when thresholds are exceeded.

- Runs: Every 5 minutes
- Warning: 80%
- Critical: 90%

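As an added example (not the project's `disk-monitor.sh`), the script below parses portable `df -P` output and classifies each filesystem against the 80% / 90% thresholds above. The `df` output is a constructed sample; it deliberately includes a pseudo-filesystem and a mount point containing a space, two cases a naive `awk '{print $5}'` mishandles.

```shell
#!/bin/sh
# Added example (not the project's disk-monitor.sh): parse `df -P` output and
# classify each real filesystem against the README's warning/critical thresholds.

WARN_PCT=80
CRIT_PCT=90

# Constructed sample in `df -P` format: header, four block devices, one pseudo-fs.
SAMPLE_DF='Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/disk3s1s1   488245288 210000000 278245288      43% /
/dev/disk3s5     488245288 400000000  88245288      82% /System/Volumes/Data
/dev/disk4s1      97656250  90000000   7656250      93% /Volumes/Backup
/dev/disk5s1     976562500 488281250 488281250      50% /Volumes/Time Machine
devfs                  200       200         0     100% /dev'

# Map a usage percentage to OK / WARNING / CRITICAL.
classify_pct() {
    if [ "$1" -ge "$CRIT_PCT" ]; then
        echo CRITICAL
    elif [ "$1" -ge "$WARN_PCT" ]; then
        echo WARNING
    else
        echo OK
    fi
}

# stdin: df -P output. stdout: "LEVEL pct mountpoint" per block device.
# Skips the header and anything whose device does not start with "/" (devfs, map, tmpfs).
# Field 5 is "NN%"; the mount point is everything from field 6 onward so that
# mount points with spaces survive.
classify_df() {
    awk 'NR > 1 && $1 ~ /^\// {
        pct = $5; sub(/%/, "", pct)
        mount = $6
        for (i = 7; i <= NF; i++) mount = mount " " $i
        print pct, mount
    }' | while read -r pct mount; do
        echo "$(classify_pct "$pct") $pct $mount"
    done
}

# stdin: df -P output. stdout: the highest severity seen across all filesystems.
worst_level() {
    classify_df | awk '
        BEGIN { w = 0 }
        $1 == "CRITICAL" { w = 2 }
        $1 == "WARNING" && w < 1 { w = 1 }
        END { print (w == 2 ? "CRITICAL" : (w == 1 ? "WARNING" : "OK")) }'
}

# Stand-alone run on the sample (replace with `df -P | classify_df` on a live host).
printf '%s\n' "$SAMPLE_DF" | classify_df
echo "worst: $(printf '%s\n' "$SAMPLE_DF" | worst_level)"
```

`df -P` is specified by POSIX and prints one line per filesystem on both macOS and Linux, which is why the parser targets it rather than the platform-specific default layouts.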
### 3. Config Audit (`config-audit.sh`)

Tracks changes to critical configuration files.

- Runs: Daily at 6 AM
- Tracks: File hashes and metadata
- Baselines stored in: `state/baselines/`

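An added example of the baseline-and-compare technique this monitor relies on (not the project's `config-audit.sh`): each file is recorded as a content hash plus size and mode, a fresh baseline is diffed against the stored one, and the result is a list of `CHANGED`, `ADDED` and `REMOVED` paths. The hashing and `stat` helpers assume coreutils on Linux and `shasum`/BSD `stat` on macOS; the demo tree and its file names are constructed, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not the project's config-audit.sh): record a baseline of content
# hashes plus size and mode for a list of files, then diff a fresh baseline against
# it to report CHANGED / ADDED / REMOVED entries. Paths are assumed to contain no
# whitespace, which holds for typical system config files.

LC_ALL=C; export LC_ALL   # stable sort order regardless of the user's locale

# SHA-256 of one file; assumes coreutils sha256sum or, on macOS, shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# "size:mode" for one file; GNU stat (-c) first, BSD/macOS stat (-f) as fallback.
meta_file() {
    if stat -c '%s:%a' "$1" >/dev/null 2>&1; then
        stat -c '%s:%a' "$1"
    else
        stat -f '%z:%Lp' "$1"
    fi
}

# stdin: one path per line. Writes sorted "path hash:size:mode" lines to $1.
# Files that do not exist are left out, so a later run reports them as REMOVED.
make_baseline() {
    while read -r f; do
        if [ -f "$f" ]; then
            echo "$f $(hash_file "$f"):$(meta_file "$f")"
        fi
    done | sort > "$1"
}

# Compare stored baseline $1 with fresh baseline $2. Prints one line per difference;
# exit status 0 when identical, 1 when anything differs. (FNR == NR assumes the
# stored baseline is non-empty, which `init` guarantees in practice.)
compare_baseline() {
    awk '
        FNR == NR { old[$1] = $2; next }       # first file: stored baseline
        { new[$1] = $2 }                        # second file: fresh baseline
        END {
            for (f in new) if (!(f in old))                   { print "ADDED " f;   c++ }
            for (f in old) if (!(f in new))                   { print "REMOVED " f; c++ }
            for (f in new) if (f in old && old[f] != new[f])  { print "CHANGED " f; c++ }
            exit c > 0
        }' "$1" "$2"
}

# Demo on a scratch tree: returns the sorted change report for one simulated drift.
demo_run() {
    tmp=$(mktemp -d)
    printf 'PermitRootLogin no\n' > "$tmp/sshd_config"
    printf 'root ALL=(ALL) ALL\n' > "$tmp/sudoers"
    printf '%s\n' "$tmp/sshd_config" "$tmp/sudoers" | make_baseline "$tmp/baseline.old"
    printf 'PermitRootLogin yes\n' > "$tmp/sshd_config"    # edited
    printf '127.0.0.1 localhost\n' > "$tmp/hosts"           # new
    rm -f "$tmp/sudoers"                                      # removed
    printf '%s\n' "$tmp/sshd_config" "$tmp/sudoers" "$tmp/hosts" | make_baseline "$tmp/baseline.new"
    compare_baseline "$tmp/baseline.old" "$tmp/baseline.new" | sed "s|^\([A-Z]*\) $tmp/|\1 |" | sort
    rm -rf "$tmp"
}

demo_run
```

Hashing content and recording size and mode separately means a permission change on an otherwise identical file (for example a world-writable `sudoers`) still shows up as `CHANGED`, which a content-only check would miss.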
## Installation

### 1. Install Cron Jobs

Add to crontab (`crontab -e`):

```
# OpenClaw Security Monitors
*/1 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/ssh-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/ssh-cron.log 2>&1
*/5 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/disk-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/disk-cron.log 2>&1
0 6 * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/config-audit.sh check >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/audit-cron.log 2>&1
```

### 2. Initialize Baselines

```bash
./security-monitors.sh init
```

### 3. Configure Telegram Alerts (Optional)

Alerts are queued to `state/alerts.queue`. To enable Telegram delivery:

- Option A: Have your heartbeat process check the queue
- Option B: Add Telegram bot token to scripts

## File Structure

```
security-monitors/
├── ssh-monitor.sh         # SSH failed login detection
├── disk-monitor.sh        # Disk space monitoring
├── config-audit.sh        # Config file change tracking
├── security-monitors.sh   # Main controller script
├── alert-processor.sh     # Alert queue processor
├── logs/                  # Log files
│   ├── ssh-monitor.log
│   ├── disk-monitor.log
│   └── config-audit.log
└── state/                 # Runtime state
    ├── baselines/         # Config file baselines
    ├── alerts.queue       # Pending alerts
    └── *.cooldown         # Alert cooldown tracking
```

## Troubleshooting

### No alerts received

- Check `state/alerts.queue` for pending alerts
- Verify cron jobs are installed: `crontab -l`
- Check log files for errors

### Too many alerts

- Check cooldown files in `state/`
- Adjust thresholds in monitor scripts

### Baseline issues

- Reinitialize: `./security-monitors.sh init`
- Check file permissions

## Security Notes

- Scripts run as current user
- No credentials in repository
- Log rotation not implemented (monitor log sizes)