← Back to Skills Marketplace
55
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install linux-security-guardian
Description
Autonomous Linux server security management. Runs full audit at 1 AM IST nightly via cron. Covers system hardening, CVE scanning, user auditing, SSH config,...
README (SKILL.md)
Linux Security Guardian
⚡ SSH MCP — REQUIRED DEPENDENCY
SSH MCP is a hard dependency. The agent MUST have SSH MCP tools available to operate. No local/legacy fallback. All operations go through SSH MCP.
Prerequisite
# SSH MCP server must be running and accessible
# Tools required: ssh_conn, ssh_exec
# Config reference: /save_data/projects/ssh_mcp/
dependency: ssh_mcp
status: required # if unavailable → ABORT, alert owner
Server Profile Config
Each target server needs a saved connection in SSH MCP database. Configure in SERVER_PROFILE.md:
ssh_mcp:
connection_id: "\x3Cid-name-or-alias-from-ssh-conn-list>" # Saved connection ID, Name, or Alias
# OR inline config:
# host: "\x3Cserver-ip>"
# port: 22
# username: "\x3Cuser>"
# key_path: "\x3C/path/to/key>"
Connection Lifecycle
1. ssh_conn(op="list") → find target server connection_id
→ If not found → log error, ABORT audit (no fallback)
2. ssh_exec(op="open", connectionId) → returns sessionId
→ If fails → log error, ABORT audit
→ sessionId used for ALL subsequent commands
3. Run commands in audit modules:
→ Prefer passing multiple commands in a module as a sequential array to reduce overhead: `ssh_exec(op="run", sessionId, command=["cmd1", "cmd2", ...])` → returns a single commandId.
→ Alternatively, run individually: `ssh_exec(op="run", sessionId, command="\x3Ccommand>")`.
→ If multiple command runs are triggered concurrently, the SSH MCP server's self-healing queue handles concurrency. If the target server rejects channel opens (due to low `MaxSessions`), the MCP server dynamically drops the concurrency limit, unshifts the task, and retries with backoff.
→ Retrieve output: `ssh_exec(op="logs", commandId=commandId, stream="stdout")`.
4. ssh_exec(op="close", sessionId) after audit complete
SSH MCP Tool Usage
| Operation | SSH MCP Tool | Notes |
|---|---|---|
| List/Manage connections | ssh_conn(op="list") |
Find target server by name/IP |
| Connect to server | ssh_exec(op="open", connectionId) |
Returns sessionId |
| Execute command | ssh_exec(op="run", sessionId, command) |
Returns commandId (non-blocking) |
| Get command output | ssh_exec(op="logs", commandId) |
Can filter: grep, head, tail, fromLine, toLine |
| Get command status | ssh_exec(op="status", commandId) |
Check if still running |
| Disconnect | ssh_exec(op="close", sessionId) |
Always disconnect after audit |
| List active sessions | ssh_exec(op="list") |
Monitor active connections |
| Bulk execution | ssh_bulk_exec(commands, connectionIds) |
Run command(s) in bulk across servers |
| Bulk audit checks | ssh_bulk_audit(op, client) |
Run health/sysinfo/security checks in bulk |
| Client CRUD management | ssh_client(op="list") |
Manage client groups and servers ownership |
Audit Modules
All 18 modules execute commands via SSH MCP. Each module file lists commands that get wrapped with ssh_exec(op="run", sessionId, command):
module command → ssh_exec(op="run", sessionId, command="module command")
→ ssh_exec(op="logs", commandId=cmdId)
→ parse output
CVE Scan
The external CVE scan also goes through SSH MCP:
# 1. ssh_exec(op="run", sessionId, command="dpkg-query -W -f='${Package} ${Version}\
'") → installed packages
# 2. ssh_exec(op="run", sessionId, command="cat /etc/os-release") → OS info
# 3. ssh_exec(op="run", sessionId, command="curl -s 'https://www.cisa.gov/...'") → CISA KEV fetch from remote
# 4. ssh_exec(op="run", sessionId, command="curl -s -X POST 'https://api.osv.dev/...'") → OSV.dev query from remote
# 5. ssh_exec(op="run", sessionId, command="curl -s 'https://services.nvd.nist.gov/...'") → NVD query from remote
# Parse results locally, write advisories to cve/advisories/
Purpose
Agent manages complete Linux server security autonomously via SSH MCP. Every night at 1 AM IST:
- Full security audit runs via SSH MCP
- CVEs scanned against installed packages
- Auto-fixes applied for safe issues
- Critical issues queued for owner confirmation
- Email report delivered
Action Decision Matrix
The most important thing — what agent does vs what it asks first:
| Finding Type | CVSS / Severity | Action |
|---|---|---|
| CVE — Critical | ≥ 9.0 | EMAIL ALERT immediately + queue for confirm |
| CVE — High | 7.0–8.9 | Queue for confirm + include in report |
| CVE — Medium | 4.0–6.9 | Include in report + advisory |
| CVE — Low | \x3C 4.0 | Info in report only |
| CVE — KEV (CISA) | any | Treated as CRITICAL — immediate alert + confirm within due date |
| CVE — KEV + Ransomware | any | 🔥 HIGHEST PRIORITY — immediate alert, confirm ASAP |
| Kernel update available | any | Confirm required before patch |
| Security-only pkg update | any | Confirm required |
| SSH: PermitRootLogin yes | critical | Alert + confirm to fix |
| SSH: PasswordAuth yes | high | Alert + confirm to fix |
| SSH: Port 22 | medium | Advisory only |
| Empty password account | critical | AUTO-LOCK immediately |
| Unknown root-uid account | critical | Alert + confirm to lock |
| Inactive account > 90d | medium | Alert + confirm to lock |
| World-writable /tmp | medium | AUTO-FIX chmod |
| World-writable system dir | high | Alert + confirm to fix |
| Unexpected SUID binary | high | Alert only (owner decides) |
| Failed login spike > 20/hr | high | Alert immediately |
| New unknown cron job | high | Alert immediately |
| Firewall rule change needed | any | CONFIRM REQUIRED always |
| Open unexpected port | high | Alert + confirm to close |
| Service: unnecessary running | medium | Alert + confirm to stop |
| SSL cert expiring \x3C 30d | warning | Alert |
| SSL cert expired | critical | Alert immediately |
| Disk > 85% full | warning | Alert |
| Disk > 95% full | critical | Alert immediately |
| Auditd not running | high | AUTO-START + alert |
| fail2ban not running | high | AUTO-START + alert |
| Log file suspicious entry | high | Alert with extract |
Audit Modules
| Module | What it checks | SSH MCP Command |
|---|---|---|
01-system |
OS, kernel, uptime, last reboot, hardware | ssh_exec(op="run", sessionId, command="uname -a; cat /etc/*release") |
02-users |
Accounts, root access, sudo, empty passwords, inactive | ssh_exec(op="run", sessionId, command="cat /etc/passwd; cat /etc/shadow; ...") |
03-ssh |
sshd_config full audit — 20+ checks | ssh_exec(op="run", sessionId, command="cat /etc/ssh/sshd_config") |
04-auth |
Login history, failed logins, PAM config | ssh_exec(op="run", sessionId, command="last; cat /var/log/auth.log") |
05-services |
Running services, unnecessary ones, failed units | ssh_exec(op="run", sessionId, command="systemctl list-units ...") |
06-packages |
Pending updates, security updates count | ssh_exec(op="run", sessionId, command="apt list --upgradable 2>/dev/null") |
07-cve |
CVE scan — remote via SSH MCP + API-based | ssh_exec(op="run", sessionId, command="dpkg-query -W ...; curl ...") |
08-network |
Open ports, listening services, active connections | ssh_exec(op="run", sessionId, command="ss -tulpn; netstat -tulpn") |
09-firewall |
iptables/nftables/ufw rules audit | ssh_exec(op="run", sessionId, command="iptables-save 2>/dev/null") |
10-filesystem |
SUID/SGID, world-writable, /tmp, sticky bits | ssh_exec(op="run", sessionId, command="find / -perm -4000 ...") |
11-kernel |
sysctl security params — 15+ checks | ssh_exec(op="run", sessionId, command="sysctl -a 2>/dev/null") |
12-logs |
auth.log, syslog, kern.log — anomaly scan | ssh_exec(op="run", sessionId, command="tail -100 /var/log/syslog") |
13-crons |
System + user cron jobs — unknown jobs flagged | ssh_exec(op="run", sessionId, command="cat /etc/crontab; ls -la /var/spool/cron/") |
14-ssl |
Cert expiry check for all domains/services | ssh_exec(op="run", sessionId, command="openssl x509 -in ... -noout -dates") |
15-docker |
If running — image vulns, container config | ssh_exec(op="run", sessionId, command="docker ps; docker images") |
16-disk |
Disk usage, inode usage | ssh_exec(op="run", sessionId, command="df -h; df -i") |
17-integrity |
AIDE/tripwire check if installed | ssh_exec(op="run", sessionId, command="aide --check") |
18-rootkit |
rkhunter/chkrootkit if installed | ssh_exec(op="run", sessionId, command="rkhunter --check --skip-keypress") |
Execution rule: All commands go through ssh_exec(op="run", sessionId, command="\x3Ccommand>") → ssh_exec(op="logs", commandId=cmdId). No local execution.
Finding Severity Levels
| Level | Color | Meaning |
|---|---|---|
CRITICAL |
🔴 | Immediate risk, action required now |
HIGH |
🟠 | Significant risk, fix this week |
MEDIUM |
🟡 | Moderate risk, fix this month |
LOW |
🔵 | Minor issue, fix when possible |
INFO |
⚪ | Informational, no action needed |
PASS |
🟢 | Check passed, all good |
Confirmation Flow
When owner confirmation is needed:
Finding detected (requires confirm)
↓
Write to actions/pending-confirm/\x3Cslug>.md
↓
Include in email report under "NEEDS YOUR DECISION"
↓
Owner replies with: APPROVE \x3Cslug> / DENY \x3Cslug> / SKIP \x3Cslug>
↓
APPROVE → agent executes action → logs to actions/history/
DENY → action skipped, noted
SKIP → deferred to next audit
Email Report Structure
Report is sent via email plugin/skill (not implemented inline — use available email skill).
Subject: [Linux Guardian] Server Audit — YYYY-MM-DD | CRITICAL:N HIGH:N
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
LINUX SECURITY GUARDIAN — NIGHTLY REPORT
Server: \x3Chostname> | \x3CIP> | YYYY-MM-DD 01:00 IST
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
EXECUTIVE SUMMARY
Security Score: N/100
Critical: N | High: N | Medium: N | Low: N
Auto-fixed: N | Pending confirm: N | Passed: N
━━ 🔴 CRITICAL (immediate action needed)
[Finding details]
━━ 🟠 HIGH
[Finding details]
━━ ⚡ AUTO-ACTIONS TAKEN (safe, non-breaking)
[What was auto-fixed]
━━ 🔑 NEEDS YOUR DECISION (reply APPROVE/DENY/SKIP \x3Cid>)
[Pending confirmations with IDs]
━━ 📦 CVE REPORT
[CVEs found by severity]
━━ 🌐 NETWORK & FIREWALL
[Port/firewall status]
━━ 🟡 MEDIUM / LOW
[Less urgent findings]
━━ 🟢 ALL PASSING
[Checks that passed]
━━ NEXT AUDIT: Tomorrow 01:00 IST
Security Score Formula
score = 100
score -= (critical_count × 20)
score -= (high_count × 10)
score -= (medium_count × 3)
score -= (low_count × 1)
score = max(0, score)
Grade: 90-100 = A | 75-89 = B | 60-74 = C | \x3C 60 = F
Folder Structure
linux-security-guardian/
audit/
modules/
01-system.md ... 18-rootkit.md ← audit module definitions
results/
critical/ high/ warning/ info/ pass/
YYYY-MM-DD-\x3Ccheck>.md ← finding entries
actions/
auto-done/ ← auto-fixed actions (logged)
YYYY-MM-DD-\x3Cslug>.md
pending-confirm/ ← waiting for owner
\x3Cid>-\x3Cslug>.md
history/ ← all approved/denied actions
cve/
cve-scan.sh ← external CVE scanner (CISA KEV + OSV.dev + NVD API)
external-sources.md ← all API URLs, query params, working examples
.cache/ ← cached API responses (avoids re-fetch)
scan-results/
YYYY-MM-DD.md ← full CVE scan output
advisories/
\x3Ccve-id>.md ← notable CVE details w/ source attribution
reports/
daily/YYYY-MM-DD.md
weekly/YYYY-WNN.md
archive/
network/
firewall-snapshots/
YYYY-MM-DD-rules.txt ← iptables/nft snapshot
port-scans/
YYYY-MM-DD.md
proposed-changes/
\x3Cid>-\x3Cchange>.md ← firewall changes awaiting confirm
hooks/
audit-runner.md ← main 1 AM audit orchestrator
on-critical.md ← fires on any critical finding
on-confirm-reply.md ← processes owner APPROVE/DENY/SKIP
pre-action.md ← safety check before any action
post-action.md ← verify action succeeded
mail-sender.md ← uses email plugin/skill to send report
crons/
active/
nightly-audit.md ← 1 AM IST permanent
completed/
memory/
schema.json
index.json
SOUL.md
AGENT.md
SERVER_PROFILE.md ← server details, owner config
AUDIT_LOG.md ← append-only master log
BASELINE.md ← expected state snapshot
STATS.md
Capability Tags
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install linux-security-guardian - After installation, invoke the skill by name or use
/linux-security-guardian - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.0
v1.3.0: SSH MCP API restructured — consolidated to 2 tools (ssh_conn + ssh_exec). ssh_conn: list/test/save connections. ssh_exec: open/run/logs/status/close/list. Array commands support for reduced channel overhead. Self-healing concurrency queue handles MaxSessions limits. audit-runner.md, SKILL.md, 07-cve.md, SERVER_PROFILE.md all updated to new op-based API.
v1.2.0
v1.2.0: Removed inline email implementation (Python smtplib, Himalaya CLI, sendmail). Replaced with email plugin/skill redirect — mail-sender.md now delegates to available email skill. Removed mail/ directory with templates. SERVER_PROFILE.md email config simplified. Critical alerts also go through email plugin. SKILL.md, AGENT.md, audit-runner.md updated to reflect no bundled email.
v1.1.0
v1.1.0: SSH MCP hard dependency integration — all 18 audit modules now execute via ssh_execute/ssh_get_logs. SERVER_PROFILE.md updated with REQUIRED ssh_mcp connection fields. audit-runner.md: SSH MCP connect/disconnect lifecycle, ABORT on failure (no local fallback). CVE module: API calls routed through SSH MCP. SKILL.md: full SSH MCP usage patterns, tools mapping, connection lifecycle documented.
v1.0.0
Initial release: full 18-module Linux security audit — CVE scanning, auto-fix safe issues, confirm-required for critical/firewall/patches, 1AM IST cron, email report via Himalaya/SMTP, action decision matrix, security scoring, baseline tracking
Metadata
Frequently Asked Questions
What is Linux Security Guardian?
Autonomous Linux server security management. Runs full audit at 1 AM IST nightly via cron. Covers system hardening, CVE scanning, user auditing, SSH config,... It is an AI Agent Skill for Claude Code / OpenClaw, with 55 downloads so far.
How do I install Linux Security Guardian?
Run "/install linux-security-guardian" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Linux Security Guardian free?
Yes, Linux Security Guardian is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Linux Security Guardian support?
Linux Security Guardian is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Linux Security Guardian?
It is built and maintained by cyber-bye (@cyber-bye); the current version is v1.3.0.
More Skills