test-repo/memory/2026-02-22-security-monitors.md

Security Monitoring Setup - 2026-02-22

Task Summary

Set up 3 custom security/monitoring alerts on the OpenClaw infrastructure as requested in Gantt Board sprint (Task ID: ad032eaf-58d5-4783-a5cc-63070774d4e9).

What Was Requested

  1. Failed SSH login detection: the bot messages instantly when someone tries to break in
  2. Disk space monitoring: warn when the server hits 90%, before it crashes
  3. Daily config audit: check every morning whether anything changed that shouldn't have

What Was Implemented

Scripts Location

/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/

1. SSH Failed Login Monitor (ssh-monitor.sh)

  • Purpose: Detects failed SSH login attempts
  • Method: Monitors macOS unified logs for SSH authentication failures
  • Schedule: Every 1 minute via cron
  • Alert Cooldown: 5 minutes between alerts for the same pattern
  • Log: logs/ssh-monitor.log
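
As an added illustration of the detection and cooldown logic described above (example code written for this note, not the contents of ssh-monitor.sh), the following POSIX shell pulls user/source pairs out of sshd failure messages and suppresses repeat alerts for the same pair inside the cooldown window. The log lines are a constructed sample in syslog layout; on the host they would come from the unified log, e.g. `log show --predicate 'process == "sshd"' --last 1m`, whose line prefix differs but whose sshd message text is the same. Keying the cooldown on user plus source IP is an assumption about what "same pattern" means.

```sh
#!/bin/sh
# Added example: failed-SSH-login detection with a per-pattern cooldown.
# Not the page's ssh-monitor.sh. In production the lines come from
#   log show --predicate 'process == "sshd"' --last 1m
# Here a constructed sample (syslog layout, OpenSSH message text) is embedded.

COOLDOWN=300   # seconds between alerts for the same user/source pair (assumed key)

SAMPLE_LOG='Feb 22 06:00:01 mac sshd[501]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 22 06:00:03 mac sshd[501]: Failed password for root from 203.0.113.5 port 51240 ssh2
Feb 22 06:00:05 mac sshd[502]: Accepted publickey for mattbruce from 192.0.2.10 port 40000 ssh2
Feb 22 06:00:07 mac sshd[503]: Failed password for root from 203.0.113.5 port 51250 ssh2
Feb 22 06:00:09 mac sshd[504]: Invalid user oracle from 198.51.100.7 port 60000'

# extract_failures < loglines: one "user ip" pair per failed or invalid attempt.
# The "invalid user" form must be tried first, or the generic pattern would
# capture the literal word "invalid" as the user name.
extract_failures() {
  sed -n \
    -e 's/.*Failed password for invalid user \([^ ]*\) from \([^ ]*\).*/\1 \2/p' \
    -e 's/.*Failed password for \([^ ]*\) from \([^ ]*\).*/\1 \2/p' \
    -e 's/.*Invalid user \([^ ]*\) from \([^ ]*\).*/\1 \2/p'
}

# should_alert PATTERN NOW STATEFILE: succeeds when PATTERN has not alerted in
# the last COOLDOWN seconds, and records NOW as its latest alert time.
# State file format: "user ip epoch", one line per alert, latest wins.
should_alert() {
  pattern=$1; now=$2; state=$3
  [ -f "$state" ] || : > "$state"
  last=$(awk -v p="$pattern" '($1 " " $2) == p { t = $3 } END { print t + 0 }' "$state")
  if [ "$last" -ne 0 ] && [ $((now - last)) -lt "$COOLDOWN" ]; then
    return 1
  fi
  printf '%s %s\n' "$pattern" "$now" >> "$state"
  return 0
}

# process_log NOW STATEFILE < loglines: print one ALERT line per user/source
# pair that passes the cooldown, with the attempt count seen in this window.
process_log() {
  now=$1; state=$2
  extract_failures | sort | uniq -c | while read -r count user ip; do
    if should_alert "$user $ip" "$now" "$state"; then
      printf 'ALERT failed SSH login: user=%s src=%s attempts=%s\n' "$user" "$ip" "$count"
    fi
  done
}

# Demo against the constructed sample; the state file is a throwaway here.
STATE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" | process_log "$(date +%s)" "$STATE_FILE"
rm -f "$STATE_FILE"
```

On the sample this emits three alerts (admin and root from 203.0.113.5, oracle from 198.51.100.7) and, if run again within five minutes against the same state file, none; the successful publickey login is ignored. A cron invocation would pass a persistent state file path instead of the temp file.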

2. Disk Space Monitor (disk-monitor.sh)

  • Purpose: Warns when disk usage exceeds thresholds
  • Thresholds:
    • WARNING at 80%
    • CRITICAL at 90%
  • Schedule: Every 5 minutes via cron
  • Exclusions: CoreSimulator volumes (iOS simulator disk images), devfs, and map (autofs) volumes, all of which report near-100% without meaning anything
  • Log: logs/disk-monitor.log
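
The threshold and exclusion logic as an added example (not the page's disk-monitor.sh), run over a constructed `df -P` listing so it works offline; on the host the same function would be fed by `df -P | check_disk`. It reads the Capacity column, skips devfs and autofs map entries by filesystem name and CoreSimulator images by mount path, and handles mount points that contain spaces.

```sh
#!/bin/sh
# Added example: disk usage classification with the page's thresholds and
# exclusions. Not the page's disk-monitor.sh. Reads `df -P` output on stdin.

WARN_THRESHOLD=80
CRITICAL_THRESHOLD=90

# Constructed `df -P` listing in macOS layout (512-byte blocks); not captured
# from a real host. Includes the three kinds of volume the monitor ignores.
SAMPLE_DF='Filesystem     512-blocks      Used Available Capacity  Mounted on
/dev/disk3s1s1  976490576 450000000 500000000    48%    /
devfs                 400       400         0   100%    /dev
/dev/disk3s5    976490576 890000000  80000000    92%    /System/Volumes/Data
map auto_home           0         0         0   100%    /System/Volumes/Data/home
/dev/disk5s1     20000000  16500000   3500000    83%    /Users/mattbruce/Library/Developer/CoreSimulator/Volumes/iOS_21A328
/dev/disk6s1    100000000  85000000  15000000    85%    /Volumes/Backup'

# check_disk < df-output: print "LEVEL percent mountpoint" for each real volume
# at or above a threshold; prints nothing when everything is below WARNING.
check_disk() {
  awk -v warn="$WARN_THRESHOLD" -v crit="$CRITICAL_THRESHOLD" '
    NR == 1 { next }                        # column header
    $1 == "devfs" || $1 == "map" { next }   # device tree and autofs map mounts
    {
      pct = $5; sub(/%/, "", pct)           # "92%" -> 92
      mount = $6                            # mount point may contain spaces
      for (i = 7; i <= NF; i++) mount = mount " " $i
      if (mount ~ /CoreSimulator/) next     # iOS simulator disk images
      if (pct + 0 >= crit)      print "CRITICAL " pct " " mount
      else if (pct + 0 >= warn) print "WARNING " pct " " mount
    }'
}

# Demo on the constructed listing; on the host this would be: df -P | check_disk
printf '%s\n' "$SAMPLE_DF" | check_disk
```

On the sample this reports `CRITICAL 92 /System/Volumes/Data` and `WARNING 85 /Volumes/Backup`; the 83% simulator image and the 100% pseudo-filesystems produce nothing.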

3. Config Audit (config-audit.sh)

  • Purpose: Detects unauthorized changes to critical configuration files
  • Files Monitored:
    • ~/.openclaw/openclaw.json
    • ~/.openclaw/workspace/AGENTS.md
    • ~/.openclaw/workspace/TOOLS.md
    • ~/.openclaw/workspace/BRAIN.md
    • ~/.openclaw/workspace/SOUL.md
    • ~/.openclaw/workspace/HEARTBEAT.md
    • ~/.openclaw/workspace/.openclaw/workspace-state.json
    • /etc/ssh/sshd_config
    • /etc/hosts
    • ~/.ssh/authorized_keys
    • ~/.zshrc
    • ~/.bash_profile
  • Schedule: Daily at 6:00 AM via cron
  • Baseline Storage: state/baselines/
  • Log: logs/config-audit.log
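
Baseline-then-check logic as an added example (not the page's config-audit.sh): record a SHA-256 digest per monitored file, then report each file as OK, MODIFIED, MISSING or NEW and return non-zero on any drift so a cron wrapper can alert. Files absent at init time are recorded as MISSING on purpose, so that one appearing later (a freshly created authorized_keys, say) is flagged rather than silently accepted. The demo at the end uses constructed files in a temp directory, not the real paths listed above.

```sh
#!/bin/sh
# Added example: hash-based config audit (baseline, then check). Not the page's
# config-audit.sh. Baseline format: one "<sha256|MISSING> <path>" line per file.

# sha256 FILE: portable digest (sha256sum on Linux, shasum on macOS).
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
  else shasum -a 256 "$1" | awk '{ print $1 }'; fi
}

# audit_init BASELINE FILE...: record the current digest of every listed file.
# Files that do not exist yet are recorded as MISSING so their later creation
# is flagged as NEW instead of being ignored.
audit_init() {
  baseline=$1; shift
  : > "$baseline"
  for f in "$@"; do
    if [ -f "$f" ]; then printf '%s %s\n' "$(sha256 "$f")" "$f"
    else printf 'MISSING %s\n' "$f"; fi
  done >> "$baseline"
}

# audit_check BASELINE: print "STATUS path" per entry (OK, MODIFIED, MISSING,
# NEW) and return 1 if anything drifted, so a cron wrapper can alert on it.
audit_check() {
  baseline=$1; drift=0
  while read -r recorded path; do
    if [ ! -f "$path" ]; then
      if [ "$recorded" = MISSING ]; then status=OK; else status=MISSING; fi
    elif [ "$recorded" = MISSING ]; then status=NEW
    elif [ "$(sha256 "$path")" = "$recorded" ]; then status=OK
    else status=MODIFIED; fi
    [ "$status" = OK ] || drift=1
    printf '%s %s\n' "$status" "$path"
  done < "$baseline"
  return $drift
}

# Demo with constructed files in a temp directory, not the real paths above.
DEMO=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3...example matt\n' > "$DEMO/authorized_keys"
audit_init "$DEMO/baseline" "$DEMO/authorized_keys" "$DEMO/sshd_config"
printf 'ssh-ed25519 AAAAC3...example intruder\n' >> "$DEMO/authorized_keys"
audit_check "$DEMO/baseline" || echo "drift detected"
rm -rf "$DEMO"
```

The baseline file is only as trustworthy as the place it is stored: if it sits next to the scripts with the same owner as the files being audited, whoever can tamper with those files can also rewrite the baseline, so a copy kept somewhere that user cannot write is worth considering.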

Manual Steps Required

1. Install Cron Jobs

The crontab command had issues during setup. Please run this manually:

# Add these lines to your crontab via: crontab -e

# OpenClaw Security Monitors - 2026-02-22
*/1 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/ssh-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/ssh-cron.log 2>&1
*/5 * * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/disk-monitor.sh >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/disk-cron.log 2>&1
0 6 * * * /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/config-audit.sh check >> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/logs/audit-cron.log 2>&1

2. Telegram Integration

Alerts are written to state/alerts.queue; nothing delivers them yet. To deliver via Telegram, an alert processor needs to be wired up. Options:

  • Have the heartbeat check and process the queue
  • Create a small daemon that processes the queue
  • Wire delivery directly into the scripts using a Telegram bot token

Whichever option is chosen, keep the bot token out of the scripts and out of the crontab (read it at send time from a file with mode 0600 or from the Keychain), so the "no credentials stored in scripts" property under Security Considerations still holds; anyone holding the token can read and send as the bot.

Current alert queue location: /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/state/alerts.queue
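
One way to build the second option, as an added example that is not part of the workspace: a queue processor that renames the queue aside (an atomic rename, so monitors appending concurrently simply start a fresh file), hands each line to a sender, re-queues the lines the sender fails on, and reports how many went out. The token file path and the chat id come from assumed locations; the sender uses the Telegram Bot API `sendMessage` method via curl and so needs network access, which is why the demo below drives the processor with a stand-in sender.

```sh
#!/bin/sh
# Added example: drain state/alerts.queue and deliver each line to Telegram.
# Not part of the workspace. Paths and the chat id are assumptions.

QUEUE="${HOME}/.openclaw/workspace/scripts/security-monitors/state/alerts.queue"
TOKEN_FILE="${HOME}/.openclaw/telegram.token"   # assumed: bot token alone, mode 0600
CHAT_ID="${TELEGRAM_CHAT_ID:-}"                 # assumed: target chat id from the environment

# telegram_send MESSAGE: Bot API sendMessage. The token is read at send time
# from a 0600 file so it never lives in a script or a crontab line.
telegram_send() {
  token=$(cat "$TOKEN_FILE") || return 1
  curl -fsS -X POST "https://api.telegram.org/bot${token}/sendMessage" \
    --data-urlencode "chat_id=${CHAT_ID}" \
    --data-urlencode "text=$1" > /dev/null
}

# process_queue QUEUE [SENDER]: rename the queue aside (atomic, so monitors
# appending concurrently start a fresh file and nothing is lost), hand every
# line to SENDER, re-queue the ones it fails on, and print how many were sent.
process_queue() {
  queue=$1; sender=${2:-telegram_send}
  if [ ! -s "$queue" ]; then echo 0; return 0; fi
  batch="${queue}.processing.$$"
  mv "$queue" "$batch"
  sent=0
  while read -r line; do
    [ -n "$line" ] || continue
    if "$sender" "$line"; then sent=$((sent + 1))
    else printf '%s\n' "$line" >> "$queue"; fi
  done < "$batch"
  rm -f "$batch"
  echo "$sent"
}

# Usage from cron or the heartbeat (needs network and the token file):
#   process_queue "$QUEUE"
# For an offline dry run, pass a stand-in sender that just records the line:
#   record_only() { printf 'would send: %s\n' "$1"; }
#   process_queue /tmp/alerts.queue record_only
```

Because delivery failures are re-queued rather than dropped, a Telegram outage leaves the alerts waiting for the next run instead of losing them; the trade-off is that a permanently undeliverable line will be retried every run until someone clears it.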

Controller Script

A convenience controller is available:

/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/security-monitors.sh [command]

Commands:
  check-all    Run all monitors once
  ssh          Run SSH monitor only
  disk         Run disk monitor only
  audit        Run config audit only
  init         Initialize config audit baselines
  report       Show config audit report
  status       Show monitor status

Current Status

  • All 3 monitoring scripts created and tested
  • Config audit baselines initialized (12 files)
  • ⚠️ Cron jobs need manual installation (see above)
  • ⚠️ Alert queue has 135 pending alerts from testing; clear it (see Maintenance Notes) before wiring up delivery, or all 135 test alerts will be sent
  • Logs created for all monitors

Log Locations

  • SSH Monitor: ~/.openclaw/workspace/scripts/security-monitors/logs/ssh-monitor.log
  • Disk Monitor: ~/.openclaw/workspace/scripts/security-monitors/logs/disk-monitor.log
  • Config Audit: ~/.openclaw/workspace/scripts/security-monitors/logs/config-audit.log

Maintenance Notes

Adding New Monitored Files

Edit config-audit.sh and add the files to the get_critical_files() function, then run security-monitors.sh init so the new files get a baseline.

Adjusting Thresholds

Edit disk-monitor.sh and modify WARN_THRESHOLD and CRITICAL_THRESHOLD variables.

Clearing Alert Queue

> /Users/mattbruce/.openclaw/workspace/scripts/security-monitors/state/alerts.queue

Reinitializing Baselines

/Users/mattbruce/.openclaw/workspace/scripts/security-monitors/security-monitors.sh init

Security Considerations

  • Scripts run as user mattbruce; no root is needed, since the system files in the audit list (/etc/ssh/sshd_config, /etc/hosts) are readable without it
  • No credentials stored in scripts
  • Baseline files stored with user permissions
  • Log files contain file paths but not sensitive content
  • The scripts, baselines and alert queue are all writable by the same user whose ~/.ssh/authorized_keys, ~/.zshrc and ~/.bash_profile are being audited, so the audit catches accidental or careless drift but is not tamper-evident against someone who already has that account: they could change a file and re-run init, or edit the monitor scripts themselves. Keeping a copy of the baselines (and of the scripts' own hashes) somewhere that user cannot write would close that gap.

Blockers/Notes

  • Crontab command had hanging issues during automated setup - requires manual installation
  • Telegram delivery requires wiring up the alert processor (currently queues to file)