Clauditor
Security watchdog that monitors filesystem activity and creates tamper-evident logs. Even if Clawdbot is compromised, it cannot stop the watchdog, forge entries, or delete evidence.
Installation (Guided)
Use the CLI wizard to guide users through installation:
bash
cd /path/to/clauditor
cargo build --release
Agent Workflow
- Check status: ./target/release/clauditor wizard status
  - Returns JSON with current_step (1-6) and complete (true/false)
- Get next step: ./target/release/clauditor wizard next
  - Shows WHAT it does, WHY it matters, and the exact COMMAND to run
- User runs the sudo command
- Verify: ./target/release/clauditor wizard verify
  - Confirms step completed
- Repeat until complete: true
Example Interaction
code
User: "Install clauditor"
Agent: [runs wizard status → current_step: 1]
Agent: "Step 1 of 6: Create system user
  This creates a 'sysaudit' user that runs the watchdog. Even if you're
  compromised, you can't kill a process owned by another user.
  Run this:
  sudo useradd --system --shell /usr/sbin/nologin --no-create-home sysaudit
  Let me know when done."
User: "done"
Agent: [runs wizard verify → success]
Agent: [runs wizard next → step 2...]
After Installation
Check status
bash
systemctl status systemd-journaldd
Generate digest
bash
./target/release/clauditor digest \
  --log /var/lib/.sysd/.audit/events.log \
  --key /etc/sysaudit/key \
  --format markdown
Quick Install (Power Users)
bash
sudo bash wizard/wizard.sh
Configuration
- Config: /etc/sysaudit/config.toml
- Key: /etc/sysaudit/key
- Logs: /var/lib/.sysd/.audit/events.log
Edit config to customize watch_paths and target_uid.
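
The sketch below is an added example, not Clauditor's code or its on-disk log format: it shows one common way a keyed log becomes tamper-evident, an HMAC chain in which each entry's MAC covers the previous entry's MAC. The entry layout, the event strings and the key are constructed for illustration, and it assumes the key is readable only by the watchdog's user.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # constructed anchor value for the first entry

def _mac(key: bytes, prev: str, seq: int, event: str) -> str:
    # prev is fixed-width hex and seq is an integer, so the fields cannot collide.
    msg = f"{prev}|{seq}|{event}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append(log: list, key: bytes, event: str) -> None:
    """Append an event whose MAC also covers the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "event": event, "mac": _mac(key, prev, seq, event)})

def verify(log: list, key: bytes, expected_len=None):
    """Return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        want = _mac(key, prev, i, entry["event"])
        if entry["seq"] != i or not hmac.compare_digest(want, entry["mac"]):
            return False, i
        prev = entry["mac"]
    # A truncated tail is still a valid prefix, so the verifier needs an
    # independently stored length (or last MAC) to notice it.
    if expected_len is not None and len(log) != expected_len:
        return False, len(log)
    return True, None

def demo() -> dict:
    key = b"constructed-demo-key"  # stands in for a key only the watchdog can read
    log = []
    for ev in ["modify /etc/hosts", "create /home/user/notes.txt", "delete /tmp/x"]:
        append(log, key, ev)
    results = {"clean": verify(log, key)}
    edited = [dict(e) for e in log]
    edited[1]["event"] = "create /tmp/harmless"   # rewrite an entry in place
    results["edited"] = verify(edited, key)
    deleted = [dict(e) for e in log]
    del deleted[1]                                # drop an entry from the middle
    results["deleted"] = verify(deleted, key)
    forged = [dict(e) for e in log]
    append(forged, b"wrong-key", "fake entry")    # writer without the real key
    results["forged"] = verify(forged, key)
    results["truncated"] = verify(log[:2], key, expected_len=3)
    return results

if __name__ == "__main__":
    print(demo())
```

Edits, mid-log deletions and entries written without the key all fail verification at a specific index; truncation is caught only because the expected length is kept somewhere the writer of the log cannot change.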