Clauditor
Security watchdog that monitors filesystem activity and creates tamper-evident logs. Even if Clawdbot is compromised, it cannot stop the watchdog, forge entries, or delete evidence.
Installation (Guided)
Use the CLI wizard to guide users through installation:
cd /path/to/clauditor
cargo build --release
Agent Workflow
-
Check status:
./target/release/clauditor wizard status- Returns JSON with
current_step(1-6) andcomplete(true/false)
- Returns JSON with
-
Get next step:
./target/release/clauditor wizard next- Shows WHAT it does, WHY it matters, and the exact COMMAND to run
-
User runs the sudo command
-
Verify:
./target/release/clauditor wizard verify- Confirms step completed
-
Repeat until
complete: true
Example Interaction
User: "Install clauditor"
Agent: [runs wizard status → current_step: 1]
Agent: "Step 1 of 6: Create system user
This creates a 'sysaudit' user that runs the watchdog. Even if you're
compromised, you can't kill a process owned by another user.
Run this:
sudo useradd --system --shell /usr/sbin/nologin --no-create-home sysaudit
Let me know when done."
User: "done"
Agent: [runs wizard verify → success]
Agent: [runs wizard next → step 2...]
After Installation
Check status
systemctl status systemd-journaldd
Generate digest
./target/release/clauditor digest \
--log /var/lib/.sysd/.audit/events.log \
--key /etc/sysaudit/key \
--format markdown
Quick Install (Power Users)
sudo bash wizard/wizard.sh
Configuration
- Config:
/etc/sysaudit/config.toml - Key:
/etc/sysaudit/key - Logs:
/var/lib/.sysd/.audit/events.log
Edit config to customize watch_paths and target_uid.