security-monitor

# Security Monitor Skill

## When to use

Run continuous security monitoring to detect breaches, intrusions, and unusual activity on your Clawdbot deployment.

## Setup

No external dependencies required. Runs as a background process.

## How to

### Start real-time monitoring

```bash
node skills/security-monitor/scripts/monitor.cjs --interval 60
```

### Run in daemon mode (background)

```bash
node skills/security-monitor/scripts/monitor.cjs --daemon --interval 60
```

### Monitor for specific threats

```bash
node skills/security-monitor/scripts/monitor.cjs --threats=credentials,ports,api-calls
```

## What It Monitors

| Threat | Detection | Response |
|--------|-----------|----------|
| **Brute force attacks** | Failed login detection | Alert + IP tracking |
| **Port scanning** | Rapid connection attempts | Alert |
| **Process anomalies** | Unexpected processes | Alert |
| **File changes** | Unauthorized modifications | Alert |
| **Container health** | Docker issues | Alert |

## Output

- Console output (stdout)
- JSON logs at `/root/clawd/clawdbot-security/logs/alerts.log`
- Telegram alerts (configurable)

## Daemon Mode

Use systemd or PM2 to keep monitoring active:

```bash
# With PM2
pm2 start monitor.cjs --name "clawdbot-security" -- --daemon --interval 60
```

## Combined with Security Audit

Run audit first, then monitor continuously:

```bash
# One-time audit
node skills/security-audit/scripts/audit.cjs --full

# Continuous monitoring
node skills/security-monitor/scripts/monitor.cjs --daemon
```

## Related skills

- `security-audit` - One-time security scan (install separately)