test-repo/memory/2026-02-22-security-monitors.md

# Saturday, February 22, 2026
## Task Summary
Set up 3 custom security/monitoring alerts on the OpenClaw infrastructure as requested in Gantt Board sprint (Task ID: ad032eaf-58d5-4783-a5cc-63070774d4e9).
## What Was Requested
1. ✅ Failed SSH login detection - bot messages instantly when someone tries to break in
2. ✅ Disk space monitoring - warn when server hits 90% before it crashes
3. ✅ Daily config audit - check every morning if anything changed that shouldn't have
## What Was Implemented
### Scripts Location
`/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/`
### 1. SSH Failed Login Monitor (`ssh-monitor.sh`)
- **Purpose:** Detects failed SSH login attempts
- **Method:** Monitors macOS unified logs for SSH authentication failures
- **Schedule:** Every 1 minute via cron
- **Alert Cooldown:** 5 minutes between alerts for same pattern
- **Log:** `logs/ssh-monitor.log`
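The detection and cooldown logic behind this monitor, as an added example that is not the page's `ssh-monitor.sh`: it runs over constructed log lines embedded in the script, counts failed-authentication events, keys the 5-minute cooldown on the source address, and keeps the last-alert timestamps as small stamp files. The line format and the `log show` predicate in the comments are assumptions for the example; the real script's input would be the unified log on the host.

```bash
#!/usr/bin/env bash
# Added example (not the page's ssh-monitor.sh): failed-SSH-login detection
# with a per-source cooldown, run here over constructed log lines. On a real
# host the input would come from the unified log, for example
#   log show --predicate 'process == "sshd"' --last 1m
# (the exact line format below is an assumption for the example).
set -u

COOLDOWN_SECS=300   # the page's 5-minute cooldown between alerts for one pattern

# Constructed sample lines (not captured from any real machine).
SAMPLE_LOG='2026-02-22 06:01:10 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 50222 ssh2
2026-02-22 06:01:12 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 50223 ssh2
2026-02-22 06:01:15 sshd[4130]: Accepted publickey for mattbruce from 192.0.2.10 port 51000 ssh2
2026-02-22 06:01:20 sshd[4140]: Failed password for root from 198.51.100.9 port 40000 ssh2'

# count_failures <log-text>: number of failed-authentication lines.
count_failures() {
  printf '%s\n' "$1" | grep -c 'Failed password'
}

# failed_sources <log-text>: unique source addresses behind the failures,
# one per line; this is the "pattern" the cooldown is keyed on.
failed_sources() {
  printf '%s\n' "$1" | grep 'Failed password' \
    | sed -E 's/.* from ([0-9.]+) port .*/\1/' | sort -u
}

# should_alert <state-dir> <key> <now-epoch>: succeeds (and records the time)
# when no alert for <key> was sent in the last COOLDOWN_SECS, otherwise fails.
should_alert() {
  local dir=$1 key=$2 now=$3 stamp last
  stamp="$dir/$key.last"
  if [ -f "$stamp" ]; then
    last=$(cat "$stamp")
    [ $((now - last)) -ge "$COOLDOWN_SECS" ] || return 1
  fi
  printf '%s\n' "$now" > "$stamp"
}

# scan <log-text> <state-dir> <now-epoch>: one alert line per source that is
# not inside its cooldown window.
scan() {
  local src
  for src in $(failed_sources "$1"); do
    if should_alert "$2" "$src" "$3"; then
      echo "ALERT failed SSH logins from $src"
    fi
  done
}
```

Running `scan "$SAMPLE_LOG" state "$(date +%s)"` once a minute from cron reproduces the page's behaviour: the first run alerts on both sources, a run within five minutes stays silent, and the alert fires again once the window has passed.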
### 2. Disk Space Monitor (`disk-monitor.sh`)
- **Purpose:** Warns when disk usage exceeds thresholds
- **Thresholds:**
  - WARNING at 80%
  - CRITICAL at 90%
- **Schedule:** Every 5 minutes via cron
- **Exclusions:** CoreSimulator volumes (iOS simulators), devfs, map volumes
- **Log:** `logs/disk-monitor.log`
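The threshold and exclusion logic of this monitor, as an added example that is not the page's `disk-monitor.sh`: it classifies each volume in constructed `df -P` output against the 80% and 90% thresholds and skips the CoreSimulator, devfs and map volumes the page excludes. Device names, sizes and mount points in the sample are made up; on a real host the input would be `df -P -k`.

```bash
#!/usr/bin/env bash
# Added example (not the page's disk-monitor.sh): threshold classification
# over constructed `df -P` output, honouring the page's exclusions
# (CoreSimulator volumes, devfs, map volumes). Real input: df -P -k.
set -u

WARN_THRESHOLD=80
CRITICAL_THRESHOLD=90

# Constructed df -P output; device names, sizes and mount points are made up.
SAMPLE_DF='Filesystem      1024-blocks      Used Available Capacity Mounted on
/dev/disk3s1s1    976490576 888606424  87884152      91% /
devfs                   200       200         0     100% /dev
/dev/disk3s5      976490576 800722273 175768303      82% /System/Volumes/Data
map auto_home             0         0         0     100% /System/Volumes/Data/home
/dev/disk5s1      500000000  10000000 490000000       2% /Users/example/Library/Developer/CoreSimulator/Volumes/iOS_17'

# is_excluded <filesystem> <mountpoint>: succeeds for volumes the page skips.
is_excluded() {
  case "$1" in devfs|map) return 0 ;; esac
  case "$2" in *CoreSimulator*) return 0 ;; esac
  return 1
}

# classify <percent>: OK, WARNING or CRITICAL against the two thresholds.
classify() {
  if   [ "$1" -ge "$CRITICAL_THRESHOLD" ]; then echo CRITICAL
  elif [ "$1" -ge "$WARN_THRESHOLD" ];     then echo WARNING
  else echo OK
  fi
}

# evaluate_df <df-output>: one "LEVEL percent mountpoint" line per volume that
# is not excluded; the header line is skipped. "map auto_home" splits into two
# fields, which is why the exclusion check runs before the percentage is read.
evaluate_df() {
  printf '%s\n' "$1" | tail -n +2 \
    | while read -r fs _blocks _used _avail cap mount; do
        is_excluded "$fs" "$mount" && continue
        pct=${cap%\%}
        echo "$(classify "$pct") $pct $mount"
      done
}

evaluate_df "$SAMPLE_DF"
```

On the sample this prints `CRITICAL 91 /` and `WARNING 82 /System/Volumes/Data`; the simulator volume at 2% and the pseudo-filesystems at 100% never reach the threshold check, which is the point of the exclusion list.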
### 3. Config Audit (`config-audit.sh`)
- **Purpose:** Detects unauthorized changes to critical configuration files
- **Files Monitored:**
  - `~/.openclaw/openclaw.json`
  - `~/.openclaw/workspace/AGENTS.md`
  - `~/.openclaw/workspace/TOOLS.md`
  - `~/.openclaw/workspace/BRAIN.md`
  - `~/.openclaw/workspace/SOUL.md`
  - `~/.openclaw/workspace/HEARTBEAT.md`
  - `~/.openclaw/workspace/.openclaw/workspace-state.json`
  - `/etc/ssh/sshd_config`
  - `/etc/hosts`
  - `~/.ssh/authorized_keys`
  - `~/.zshrc`
  - `~/.bash_profile`
- **Schedule:** Daily at 6:00 AM via cron
- **Baseline Storage:** `state/baselines/`
- **Log:** `logs/config-audit.log`
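The baseline-and-compare mechanism behind this audit, as an added example that is not the page's `config-audit.sh`: `build_baseline` records a SHA-256 per monitored path (a path that does not exist yet is recorded as `MISSING`, so its later appearance is reported too), and `check_baseline` reports files that changed, disappeared or appeared. The hash command is picked at run time (`sha256sum` on Linux, `shasum -a 256` on macOS); the demo works on constructed files in a temporary directory, not on the real monitored set.

```bash
#!/usr/bin/env bash
# Added example (not the page's config-audit.sh): hash a list of files into a
# baseline and later report CHANGED / REMOVED / APPEARED files against it.
# Assumes sha256sum (Linux) or shasum -a 256 (macOS) is available.

# file_hash <path>: SHA-256 hex digest, portable across Linux and macOS.
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# build_baseline <baseline-file> <path>...: writes "<hash> <path>" per file;
# a path that is absent is recorded as MISSING so that its appearance later is
# itself a finding.
build_baseline() {
  local out=$1 f; shift
  : > "$out"
  for f in "$@"; do
    if [ -f "$f" ]; then
      printf '%s %s\n' "$(file_hash "$f")" "$f" >> "$out"
    else
      printf 'MISSING %s\n' "$f" >> "$out"
    fi
  done
}

# check_baseline <baseline-file>: prints one line per deviation and returns 0
# when nothing deviates, 1 otherwise (so cron can act on the exit status).
check_baseline() {
  local findings=0 old path
  while read -r old path; do
    if [ -f "$path" ]; then
      if [ "$old" = MISSING ]; then
        echo "APPEARED $path"; findings=1
      elif [ "$(file_hash "$path")" != "$old" ]; then
        echo "CHANGED $path"; findings=1
      fi
    elif [ "$old" != MISSING ]; then
      echo "REMOVED $path"; findings=1
    fi
  done < "$1"
  return $findings
}

# demo: constructed files in a temporary directory showing all three findings.
demo() {
  local d; d=$(mktemp -d)
  printf 'MaxAuthTries 3\n' > "$d/sshd_config"
  printf 'ssh-ed25519 AAAA...example\n' > "$d/authorized_keys"
  build_baseline "$d/baseline.txt" "$d/sshd_config" "$d/authorized_keys" "$d/hosts"
  printf 'MaxAuthTries 6\n' > "$d/sshd_config"      # an edited file
  printf '127.0.0.1 localhost\n' > "$d/hosts"        # a file that was absent at init
  rm -f "$d/authorized_keys"                         # a file that disappeared
  check_baseline "$d/baseline.txt"
}

demo || true
```

The `init` and `check` verbs of the page's controller map onto `build_baseline` and `check_baseline` here. Keeping the baseline outside the monitored user's write reach (or at least copying it somewhere the scripts cannot alter) is what turns this from drift detection into tamper detection; with the baseline in `state/baselines/` under the same account, a change made with that account's privileges can be followed by a baseline refresh.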
## Manual Steps Required
### 1. Install Cron Jobs
The crontab command had issues during setup. Please run this manually:
```bash
# Add these lines to your crontab via: crontab -e
# OpenClaw Security Monitors - 2026-02-22
*/1 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/ssh-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/ssh-cron.log 2>&1
*/5 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/disk-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/disk-cron.log 2>&1
0 6 * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/config-audit.sh check >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/audit-cron.log 2>&1
```
### 2. Telegram Integration
Alerts are written to `state/alerts.queue`. To deliver via Telegram, the alert processor needs to be wired up. Options:
- Have heartbeat check and process the queue
- Create a small daemon to process alerts
- Wire directly into the scripts using a Telegram bot token
Current alert queue location: `/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/state/alerts.queue`
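One way to wire up the alert processor for any of the three options above, as an added example that is not part of the page's scripts: `drain_queue` moves `alerts.queue` aside before reading it, so a monitor that appends an alert at the same moment writes to a fresh file rather than into the batch being delivered, and any alert the handler fails to deliver is re-queued for the next run. `send_telegram` is the Bot API `sendMessage` call; the environment variable names `TELEGRAM_BOT_TOKEN` and `TELEGRAM_CHAT_ID` are assumptions (not from the page), chosen so the token lives in the environment and not in the script.

```bash
#!/usr/bin/env bash
# Added example (not the page's scripts): drain state/alerts.queue atomically
# and hand each alert to a delivery function. TELEGRAM_BOT_TOKEN and
# TELEGRAM_CHAT_ID are assumed environment variable names, not from the page.
set -u

# drain_queue <queue-file> <handler>: renames the queue so concurrent appends
# start a new file, calls <handler> once per non-empty line, re-queues lines
# the handler could not deliver, and prints the number delivered (0 if the
# queue was empty or absent).
drain_queue() {
  local queue=$1 handler=$2 batch line n=0
  if [ ! -s "$queue" ]; then
    echo 0
    return 0
  fi
  batch="$queue.$$.processing"
  mv "$queue" "$batch"
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    if "$handler" "$line"; then
      n=$((n + 1))
    else
      printf '%s\n' "$line" >> "$queue"   # keep it for the next run
    fi
  done < "$batch"
  rm -f "$batch"
  echo "$n"
}

# send_telegram <text>: deliver one alert via the Bot API sendMessage method;
# quiet on success, non-zero (with curl's own message) on an HTTP error.
send_telegram() {
  curl -sS --fail -o /dev/null \
    --data-urlencode "chat_id=${TELEGRAM_CHAT_ID:?}" \
    --data-urlencode "text=$1" \
    "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN:?}/sendMessage"
}

# Entry point for a cron or heartbeat run, using the page's queue location:
#   drain_queue "$HOME/.openclaw/workspace/scripts/security-monitors/state/alerts.queue" send_telegram
```

Because the batch file is removed only after every line has been handled, a crash mid-run leaves a `*.processing` file behind rather than silently dropping alerts; a startup sweep that re-appends any stale `*.processing` content to the queue would close that gap.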
## Controller Script
A convenience controller is available:
```bash
/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/security-monitors.sh [command]
Commands:
  check-all  Run all monitors once
  ssh        Run SSH monitor only
  disk       Run disk monitor only
  audit      Run config audit only
  init       Initialize config audit baselines
  report     Show config audit report
  status     Show monitor status
```
## Current Status
- ✅ All 3 monitoring scripts created and tested
- ✅ Config audit baselines initialized (12 files)
- ⚠️ Cron jobs need manual installation (see above)
- ⚠️ Alert queue has 135 pending alerts from testing
- ✅ Logs created for all monitors
## Log Locations
- SSH Monitor: `~/.openclaw/workspace/scripts/security-monitors/logs/ssh-monitor.log`
- Disk Monitor: `~/.openclaw/workspace/scripts/security-monitors/logs/disk-monitor.log`
- Config Audit: `~/.openclaw/workspace/scripts/security-monitors/logs/config-audit.log`
## Maintenance Notes
### Adding New Monitored Files
Edit `config-audit.sh` and add files to the `get_critical_files()` function.
### Adjusting Thresholds
Edit `disk-monitor.sh` and modify `WARN_THRESHOLD` and `CRITICAL_THRESHOLD` variables.
### Clearing Alert Queue
```bash
> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/state/alerts.queue
```
### Reinitializing Baselines
```bash
/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/security-monitors.sh init
```
## Security Considerations
- Scripts run as user `mattbruce`
- No credentials stored in scripts
- Baseline files stored with user permissions (the audit therefore detects drift; a change made with `mattbruce`'s own privileges could also rewrite the baseline)
- Log files contain file paths but not sensitive content
## Blockers/Notes
- Crontab command had hanging issues during automated setup - requires manual installation
- Telegram delivery requires wiring up the alert processor (currently queues to file)