Security + Network Hardening
Audit first, then harden with explicit approval. Keep this file short; read the references when needed.
Core rules
- Start read-only unless the user explicitly asks for fixes.
- Require confirmation before any state-changing action.
- Preserve current management access; do not break SSH/RDP/VNC.
- Prefer exact findings over generic advice.
- After workspace edits, commit them.
Read-only baseline
Run:
uname -a
cat /etc/os-release
id
ss -ltnup 2>/dev/null || ss -ltnp 2>/dev/null
openclaw security audit --deep
openclaw update status
openclaw status --deep
If firewall state matters, also run:
ufw status verbose || true
firewall-cmd --state 2>/dev/null || true
nft list ruleset 2>/dev/null || true
Priorities
Check for these first:
- elevated wildcard access in `tools.elevated.allowFrom.*`
- writable credentials directories
- missing gateway auth rate limiting
- broad or unclear listening ports
- metrics endpoints exposed too widely
- ineffective custom `gateway.nodes.denyCommands`
- workspace skill symlink escapes
Fix patterns
Read these only when relevant:
- UFW/firewall workflow: `references/ufw-playbook.md`
- OpenClaw config fixes: `references/openclaw-fix-patterns.md`
Artifact generation
When the user wants generated files, create:
- firewall-rules.md
- apply-firewall.sh
- scripts/rollback-firewall.sh
- scripts/verify-firewall.sh
Safe firewall order
- Confirm allowed source subnet/IPs.
- If SSH is in use, add the SSH allow rule from the confirmed sources before any deny rule, default change, or enable.
- Apply LAN-only and single-host rules.
- Verify from expected clients.
- Re-check `ufw status verbose` and `ss -ltnp`.
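Added example of an `apply-firewall.sh` that follows the order above. This is illustrative code, not OpenClaw project code: the admin subnet, SSH port, extra rule specs (`PORT/PROTO:SOURCE`) and the `DRY_RUN` switch are assumed inputs supplied by the operator. Everything is validated before a single `ufw` command runs, and the SSH allow is emitted first so that `default deny incoming` on an already-enabled firewall can never cut off management access.

```shell
#!/bin/sh
# apply-firewall.sh (added example, not part of the OpenClaw project): emits and
# optionally runs UFW commands in the lockout-safe order from the playbook.
# Assumed inputs: ADMIN_NET (confirmed admin subnet), SSH_PORT, DRY_RUN and
# extra rule specs of the form PORT/PROTO:SOURCE; nothing is read from OpenClaw.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# valid_cidr ADDR[/PREFIX]: accept a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_cidr() {
  local ip pfx o old_ifs
  ip=${1%/*}; pfx=${1#*/}
  [ "$pfx" = "$1" ] && pfx=32                          # bare host address, no prefix
  case "$pfx" in ''|*[!0-9]*) return 1;; esac
  [ "$pfx" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac  # digits and dots only, no empty octet
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# build_rules ADMIN_NET SSH_PORT [PORT/PROTO:SOURCE ...]: print the ufw commands.
# The SSH allow comes first; defaults and enable come last. Any bad input aborts
# before anything is printed for that rule, so callers can validate-then-apply.
build_rules() {
  local net="$1" ssh="$2" spec port proto src
  shift 2
  valid_cidr "$net" || { echo "build_rules: bad admin subnet '$net'" >&2; return 1; }
  case "$ssh" in ''|*[!0-9]*) echo "build_rules: bad SSH port '$ssh'" >&2; return 1;; esac
  echo "ufw allow from $net to any port $ssh proto tcp comment 'ssh admin'"
  for spec in "$@"; do                                  # e.g. 9100/tcp:192.168.1.10
    port=${spec%%/*}; proto=${spec#*/}; proto=${proto%%:*}; src=${spec#*:}
    valid_cidr "$src" || { echo "build_rules: bad source '$src' in '$spec'" >&2; return 1; }
    echo "ufw allow from $src to any port $port proto $proto"
  done
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw --force enable"
}

# run_rules: read one command per line from stdin; print in dry-run mode, else execute.
run_rules() {
  local cmd
  while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $cmd"; else eval "$cmd"; fi
  done
}

# Usage: ADMIN_NET=192.168.1.0/24 SSH_PORT=22 DRY_RUN=1 sh apply-firewall.sh apply 9100/tcp:192.168.1.10
if [ "${1:-}" = "apply" ]; then
  shift
  # Build the full list first: a validation failure here runs zero ufw commands.
  rules=$(build_rules "${ADMIN_NET:?confirm the admin subnet first}" "${SSH_PORT:-22}" "$@")
  printf '%s\n' "$rules" | run_rules
fi
```

Run it with `DRY_RUN=1` first and compare the printed commands against the confirmed subnet list; only then re-run with `DRY_RUN=0` from a session that is not the one you are protecting, and verify from an expected client before closing that session.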
Verification
After fixes, verify with:
openclaw security audit --deep
openclaw gateway status
python3 -m json.tool ~/.openclaw/openclaw.json >/dev/null
sudo ufw status verbose
ss -ltnp
Success means:
- no critical audit findings
- no warning audit findings when practical
- gateway reachable
- required ports reachable only from approved sources
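Added example of the checks behind two of the items above: the "broad or unclear listening ports" and "writable credentials directories" priorities, and the "required ports reachable only from approved sources" success criterion (something like `scripts/verify-firewall.sh`). This is illustrative code, not OpenClaw project code. It assumes iproute2 `ss -ltnp` output and takes the credentials directory from an operator-supplied `CREDS_DIR` (defaulting to `~/.openclaw`, an assumption); the embedded `ss` sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# verify-listeners.sh (added example, not OpenClaw project code).
# Assumptions: iproute2 `ss -ltnp` output format; CREDS_DIR names the directory
# holding credentials. UDP sockets (state UNCONN) are deliberately not examined.
set -eu

# Constructed sample of `ss -ltnp` output for offline use; not from a real host.
# The 9100 line has no Process column, as happens when ss runs without root.
sample_ss_output() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:8080      0.0.0.0:*          users:(("gateway",pid=1201,fd=9))
LISTEN  0       4096    *:9090              *:*                users:(("node",pid=1201,fd=12))
LISTEN  0       4096    0.0.0.0:9100        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
EOF
}

# wide_listeners: from `ss -ltnp` on stdin, print "PORT ADDR PROCESS" for every
# TCP socket bound to all interfaces (0.0.0.0, [::] or *). Loopback binds are skipped.
wide_listeners() {
  awk '$1 == "LISTEN" {
    addr = $4; port = $4
    sub(/.*:/, "", port); sub(/:[^:]*$/, "", addr)
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
      print port, addr, (NF >= 6 ? $6 : "-")
  }'
}

# unexpected_listeners PORT...: wide listeners whose port is not in the approved list.
unexpected_listeners() {
  wide_listeners | awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($1 in ok)'
}

# creds_dir_ok DIR: 0 when DIR exists and is neither group- nor world-writable.
creds_dir_ok() {
  [ -d "$1" ] || return 1
  [ -z "$(find "$1" -prune \( -perm -0002 -o -perm -0020 \) -print)" ]
}

# check_host APPROVED_PORT...: run the live checks on this host; returns 1 on any finding.
check_host() {
  local rc=0 found dir
  found=$(ss -ltnp 2>/dev/null | unexpected_listeners "$@")
  if [ -n "$found" ]; then
    echo "FAIL: listening on all interfaces outside the approved port set:"
    echo "$found"
    rc=1
  fi
  dir="${CREDS_DIR:-$HOME/.openclaw}"            # assumed location, override with CREDS_DIR
  if ! creds_dir_ok "$dir"; then
    echo "FAIL: $dir missing or group/world-writable"
    rc=1
  fi
  return $rc
}

# Usage: CREDS_DIR=~/.openclaw sh verify-listeners.sh check 22
if [ "${1:-}" = "check" ]; then
  shift
  check_host "$@"
fi
```

A port that shows up from `unexpected_listeners` is not automatically a finding: a wide bind that the firewall restricts to the approved subnet is acceptable, which is why the success criterion pairs this with `ufw status verbose`. A service bound to `127.0.0.1`, by contrast, is reachable only locally and never appears here.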