OpenClaw Security Monitors
Lightweight security monitoring suite for OpenClaw infrastructure.
Quick Start
# Run all monitors once
./security-monitors.sh check-all
# Check status
./security-monitors.sh status
# View audit report
./security-monitors.sh report
Monitors
1. SSH Monitor (ssh-monitor.sh)
Detects failed SSH login attempts by monitoring macOS unified logs.
- Runs: Every minute
- Threshold: Any failed attempt (with 5-min cooldown)
2. Disk Monitor (disk-monitor.sh)
Monitors disk usage and alerts when thresholds are exceeded.
- Runs: Every 5 minutes
- Warning: 80%
- Critical: 90%
3. Config Audit (config-audit.sh)
Tracks changes to critical configuration files.
- Runs: Daily at 6 AM
- Tracks: File hashes and metadata
- Baselines stored in: state/baselines/
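The three monitors above share one mechanism: detect, classify against a threshold, then queue an alert unless the same alert fired within the cooldown. The script below is an added example of that logic, not the project's ssh-monitor.sh or disk-monitor.sh. Everything not stated on this page is an assumption: the STATE_DIR layout, the alert-queue line format, the cooldown file holding an epoch timestamp, and the constructed SAMPLE_SSH_LOG lines, which are shaped like `log show` output for sshd but may not match a given host exactly.

```shell
#!/bin/sh
# Added example, not the project's ssh-monitor.sh or disk-monitor.sh.
# Assumptions: STATE_DIR layout, the alert-queue line format, the
# log-line shape in SAMPLE_SSH_LOG and the cooldown file contents.
set -eu

STATE_DIR="${STATE_DIR:-$(mktemp -d)}"
COOLDOWN_SECS="${COOLDOWN_SECS:-300}"   # the documented 5-minute cooldown

# Constructed sample shaped like `log show --predicate 'process == "sshd"'`
# output; real lines on a given host may differ, so adjust the pattern.
SAMPLE_SSH_LOG='2024-05-01 10:00:01.000 sshd[512]: Accepted publickey for matt from 10.0.0.5 port 50123 ssh2
2024-05-01 10:00:07.000 sshd[514]: Failed password for invalid user admin from 203.0.113.9 port 41122 ssh2
2024-05-01 10:00:09.000 sshd[514]: Failed password for invalid user admin from 203.0.113.9 port 41122 ssh2
2024-05-01 10:00:15.000 sshd[516]: Failed password for root from 203.0.113.9 port 41130 ssh2'

# Number of failed-login lines in a log excerpt (prints 0 when none match).
ssh_failed_count() { printf '%s\n' "$1" | grep -c 'Failed password' || true; }

# Distinct source addresses behind the failures, one per line.
ssh_failed_sources() {
  printf '%s\n' "$1" | sed -n 's/.*Failed password .* from \([0-9.]*\) port .*/\1/p' | sort -u
}

# Classify usage against the documented 80% / 90% thresholds.
disk_level() {
  if [ "$1" -ge 90 ]; then echo CRITICAL
  elif [ "$1" -ge 80 ]; then echo WARNING
  else echo OK; fi
}

# Used percentage of one mount point from POSIX `df -P` (column 5, e.g. "42%").
disk_usage_pct() { df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'; }

# Append to the queue unless the same key fired within COOLDOWN_SECS.
# The cooldown file holds the epoch time of the last queued alert.
# Prints "queued" or "suppressed" so a caller can tell what happened.
queue_alert() {
  key=$1; msg=$2
  cooldown_file="$STATE_DIR/$key.cooldown"
  now=$(date +%s)
  if [ -f "$cooldown_file" ] && [ $((now - $(cat "$cooldown_file"))) -lt "$COOLDOWN_SECS" ]; then
    echo suppressed; return 0
  fi
  printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$key" "$msg" >> "$STATE_DIR/alerts.queue"
  echo "$now" > "$cooldown_file"
  echo queued
}

# One pass of both monitors over the sample log and the root filesystem.
run_once() {
  n=$(ssh_failed_count "$SAMPLE_SSH_LOG")
  if [ "$n" -gt 0 ]; then
    queue_alert ssh "$n failed SSH logins from $(ssh_failed_sources "$SAMPLE_SSH_LOG" | tr '\n' ' ')"
  fi
  pct=$(disk_usage_pct / 2>/dev/null || true); pct=${pct:-0}
  level=$(disk_level "$pct")
  [ "$level" = OK ] || queue_alert disk "$level: / at ${pct}% used"
  echo "--- $STATE_DIR/alerts.queue"; cat "$STATE_DIR/alerts.queue"
}
run_once
```

Running it twice within five minutes against the same STATE_DIR queues the SSH alert once and prints "suppressed" the second time, which is the behaviour the "5-min cooldown" entry above describes; lowering COOLDOWN_SECS or deleting state/ssh.cooldown re-arms it.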
Installation
1. Install Cron Jobs
Add to crontab (crontab -e), adjusting the absolute paths if the scripts live somewhere other than the example below:
# OpenClaw Security Monitors
*/1 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/ssh-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/ssh-cron.log 2>&1
*/5 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/disk-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/disk-cron.log 2>&1
0 6 * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/config-audit.sh check >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/audit-cron.log 2>&1
2. Initialize Baselines
./security-monitors.sh init
3. Configure Telegram Alerts (Optional)
Alerts are queued to state/alerts.queue. To enable Telegram delivery:
- Option A: Have your heartbeat process check the queue and send whatever is pending
- Option B: Add a Telegram bot token to the scripts. Keep the token out of the repository (read it from an environment variable or from a file outside the repository with mode 600) so the note below about no credentials in the repository stays true.
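Steps 2 and 3 above are the two halves of the audit pipeline: init records a baseline of hashes and metadata, a later check reports deviations, and a queue consumer (Option A) delivers what the monitors queued. The script below is an added example of both, not the project's config-audit.sh or alert-processor.sh. The baseline line format "<sha256> <mode> <size> <path>", the one-path-per-line watch list, and deliver_alert as a stand-in for the Telegram send are all assumptions; the two config files it checks are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not the project's config-audit.sh or alert-processor.sh.
# Assumptions: baseline line format "<sha256> <mode> <size> <path>", a
# one-path-per-line watch list, and deliver_alert as a stand-in for Telegram.
set -eu

STATE_DIR="${STATE_DIR:-$(mktemp -d)}"
BASELINE_DIR="$STATE_DIR/baselines"
mkdir -p "$BASELINE_DIR"

# Hash with whichever tool the host has (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Octal mode and size; GNU stat and BSD/macOS stat take different flags.
file_meta() {
  if stat -c '%a %s' "$1" >/dev/null 2>&1; then stat -c '%a %s' "$1"
  else stat -f '%Lp %z' "$1"; fi
}

# init: record hash + mode + size for every existing file in the watch list.
baseline_init() {
  watch_list=$1; out=$2
  : > "$out"
  while IFS= read -r f; do
    [ -f "$f" ] || continue
    printf '%s %s %s\n' "$(sha256_of "$f")" "$(file_meta "$f")" "$f" >> "$out"
  done < "$watch_list"
}

# check: print one MODIFIED/MISSING line per deviation; silent when clean.
# A mode change with identical content is still reported, because the
# metadata is part of the recorded line.
baseline_check() {
  while read -r hash mode size path; do
    if [ ! -f "$path" ]; then echo "MISSING $path"; continue; fi
    cur="$(sha256_of "$path") $(file_meta "$path")"
    [ "$cur" = "$hash $mode $size" ] || echo "MODIFIED $path"
  done < "$1"
}

# Stand-in for the Telegram send in Option A; a real one would POST the text.
deliver_alert() { printf 'DELIVER: %s\n' "$1"; }

# Drain the queue: rotate the file away first so alerts appended while
# delivering are not lost, then deliver and discard the rotated copy.
drain_queue() {
  q="$STATE_DIR/alerts.queue"
  [ -s "$q" ] || return 0
  tmp="$q.$$"
  mv "$q" "$tmp"
  while IFS= read -r line; do deliver_alert "$line"; done < "$tmp"
  rm -f "$tmp"
}

# Demo: two constructed config files, one tampered with and one deleted.
d=$(mktemp -d)
printf 'PermitRootLogin no\n' > "$d/sshd_config"
printf 'export PATH\n' > "$d/profile"
printf '%s\n' "$d/sshd_config" "$d/profile" > "$d/watch.list"
baseline_init "$d/watch.list" "$BASELINE_DIR/demo.baseline"
echo "after init: $(baseline_check "$BASELINE_DIR/demo.baseline" | wc -l | tr -d ' ') deviations"
printf 'PermitRootLogin yes\n' >> "$d/sshd_config"
rm "$d/profile"
baseline_check "$BASELINE_DIR/demo.baseline" | while read -r kind path; do
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "config $kind $path" >> "$STATE_DIR/alerts.queue"
done
drain_queue
```

The baseline file is itself a target: an attacker who can edit a config file can usually edit state/baselines/ too, so keep that directory owner-only and consider copying baselines somewhere the monitored user cannot write.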
File Structure
security-monitors/
├── ssh-monitor.sh # SSH failed login detection
├── disk-monitor.sh # Disk space monitoring
├── config-audit.sh # Config file change tracking
├── security-monitors.sh # Main controller script
├── alert-processor.sh # Alert queue processor
├── logs/ # Log files
│ ├── ssh-monitor.log
│ ├── disk-monitor.log
│ └── config-audit.log
└── state/ # Runtime state
├── baselines/ # Config file baselines
├── alerts.queue # Pending alerts
└── *.cooldown # Alert cooldown tracking
Troubleshooting
No alerts received
- Check state/alerts.queue for pending alerts
- Verify cron jobs are installed: crontab -l
- Check log files for errors
Too many alerts
- Check cooldown files in state/
- Adjust thresholds in monitor scripts
Baseline issues
- Reinitialize: ./security-monitors.sh init
- Check file permissions
Security Notes
- Scripts run as the current user; jobs installed with crontab -e run as that same user, so they can only read what that user can read
- No credentials in repository (keep it that way if you add a Telegram token)
- Log rotation is not implemented: the SSH job appends to logs/ssh-cron.log every minute, so monitor log sizes