
Clauditor

@apollostreetcompany

npx machina-cli add skill @apollostreetcompany/clauditor --openclaw

Security watchdog that monitors filesystem activity and creates tamper-evident logs. Even if Clawdbot is compromised, it cannot stop the watchdog, forge entries, or delete evidence.

Installation (Guided)

Use the CLI wizard to guide users through installation:

cd /path/to/clauditor
cargo build --release

Agent Workflow

  1. Check status: ./target/release/clauditor wizard status

    • Returns JSON with current_step (1-6) and complete (true/false)
  2. Get next step: ./target/release/clauditor wizard next

    • Shows WHAT it does, WHY it matters, and the exact COMMAND to run
  3. User runs the sudo command

  4. Verify: ./target/release/clauditor wizard verify

    • Confirms step completed
  5. Repeat until complete: true

Example Interaction

User: "Install clauditor"

Agent: [runs wizard status → current_step: 1]
Agent: "Step 1 of 6: Create system user

This creates a 'sysaudit' user that runs the watchdog. Even if you're 
compromised, you can't kill a process owned by another user.

Run this:
sudo useradd --system --shell /usr/sbin/nologin --no-create-home sysaudit

Let me know when done."

User: "done"

Agent: [runs wizard verify → success]
Agent: [runs wizard next → step 2...]

After Installation

Check status

systemctl status systemd-journaldd

Generate digest

./target/release/clauditor digest \
  --log /var/lib/.sysd/.audit/events.log \
  --key /etc/sysaudit/key \
  --format markdown

Quick Install (Power Users)

sudo bash wizard/wizard.sh

Configuration

  • Config: /etc/sysaudit/config.toml
  • Key: /etc/sysaudit/key
  • Logs: /var/lib/.sysd/.audit/events.log

Edit the config to customize watch_paths and target_uid.

Source

git clone https://clawhub.ai/apollostreetcompany/clauditor

Overview

Clauditor is a security watchdog that monitors filesystem activity and creates tamper-evident logs using an HMAC-chained evidence mechanism. It ensures that even if a Clawdbot is compromised, logs cannot be forged or deleted. Installation is guided by a CLI wizard on Linux and requires cargo and systemctl.

How This Skill Works

Clauditor continuously watches filesystem events and records them in a verifiable log stream. Each entry is linked via an HMAC chain to prevent tampering, so compromised agents cannot delete or alter evidence without breaking the chain. The installer guides you through setup, creating a dedicated audit user, configuring log paths, and validating progress step-by-step.
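An added illustration of the HMAC chaining described above (not Clauditor's own code): the record layout, the all-zero seed, and the names tag_for, append, head and verify are assumptions, since this page does not document the on-disk format. It also shows why a head value saved earlier is needed to notice that the newest entries were removed.

```python
import hashlib, hmac, json

GENESIS = b"\x00" * 32           # assumed seed for the first entry
KEY = b"constructed-demo-key"    # constructed; stands in for the key file

def tag_for(key, prev, payload):
    # Canonical JSON so the verifier recomputes over identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()

def append(log, key, payload):
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    log.append({"payload": payload, "tag": tag_for(key, prev, payload).hex()})

def head(log):
    """(entry count, last tag): keep this where the monitored agent cannot write."""
    return (len(log), log[-1]["tag"] if log else GENESIS.hex())

def verify(log, key, trusted_head=None):
    """Return (ok, reason). trusted_head is a head() value saved earlier."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = tag_for(key, prev, entry["payload"])
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return (False, f"chain broken at entry {i}")
        prev = expected
    if trusted_head is not None:
        count, tag = trusted_head
        if len(log) < count:
            return (False, "log truncated")   # tail removal leaves a valid chain
        if count and log[count - 1]["tag"] != tag:
            return (False, "history rewritten")
    return (True, "ok")

def sample_log():
    # Constructed filesystem events, for illustration only.
    log = []
    for path, op in [("/etc/passwd", "modify"),
                     ("/home/bot/.ssh/authorized_keys", "create"),
                     ("/tmp/x", "delete")]:
        append(log, KEY, {"path": path, "op": op})
    return log

if __name__ == "__main__":
    log = sample_log()
    saved = head(log)
    del log[-1]
    print(verify(log, KEY), verify(log, KEY, saved))
```

Editing or removing an entry in the middle fails verification on the chain alone; removing entries from the end is only caught by comparing against the saved head.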

When to Use It

  • To enforce tamper-resistant logging for a fleet of Clawdbot agents.
  • During suspected compromise or incident response to preserve evidence.
  • For compliance or forensic investigations requiring verifiable digests of events.
  • When deploying via the guided installer and needing stepwise status and next-step guidance.
  • When you need to customize watch_paths and target_uid in /etc/sysaudit/config.toml.

Quick Start

  1. Build the release binary that provides the guided installer: cd /path/to/clauditor; cargo build --release
  2. Run the wizard to check status and advance steps: ./target/release/clauditor wizard status; ./target/release/clauditor wizard next
  3. Verify installation and (optionally) generate a digest: systemctl status systemd-journaldd; ./target/release/clauditor digest --log /var/lib/.sysd/.audit/events.log --key /etc/sysaudit/key --format markdown

Best Practices

  • Ensure the host is Linux and that cargo and systemctl are available before installation.
  • Use the guided wizard rather than manual setup so that the user and paths are set up correctly.
  • Regularly run clauditor digest to generate a verifiable proof of the log state.
  • Store the key at /etc/sysaudit/key and protect the config at /etc/sysaudit/config.toml.
  • Compare digests against the logs to validate integrity and monitor configured watch_paths.

Example Use Cases

  • Deploy Clauditor across a fleet of Clawdbot agents to maintain tamper-evident filesystem logs.
  • During a suspected compromise, use Clauditor to provide verifiable evidence of activity.
  • Use Clauditor in a compliance audit to demonstrate tamper-evident logging for forensic trails.
  • Run digest generation to prove log integrity during incident response investigations.
  • Onboard new servers with the guided wizard to configure sysaudit user and log paths consistently.
