# Clauditor
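A security watchdog that monitors filesystem activity and creates tamper-evident logs. Even if Clawdbot is compromised, it cannot stop the watchdog, forge entries, or delete evidence.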
## Installation (wizard mode)
Use the CLI wizard to guide the user through installation:
```bash
cd /path/to/clauditor
cargo build --release
```
### Agent workflow
1. **Check status:** `./target/release/clauditor wizard status` - returns JSON with `current_step` (1-6) and `complete` (true/false)
2. **Get the next step:** `./target/release/clauditor wizard next` - shows **what** it does, **why** it matters, and the exact **command** to run
3. **User runs the sudo command**
4. **Verify:** `./target/release/clauditor wizard verify` - confirms the step completed
5. **Repeat until `complete: true`**
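The workflow above as a driver loop, added here as an example (not code from the Clauditor project). It assumes `wizard status` prints only the JSON object on stdout and that `wizard verify` exits non-zero when a step is incomplete; the function names are hypothetical.

```python
import json
import subprocess

WIZARD = ["./target/release/clauditor", "wizard"]  # path as shown on this page
MAX_STEPS = 6  # the page gives current_step as 1-6


def run_wizard(subcommand):
    """Run one wizard subcommand unprivileged; return (exit_code, stdout)."""
    proc = subprocess.run(WIZARD + [subcommand], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def read_status(run=run_wizard):
    """Parse `wizard status` and reject JSON without the documented fields."""
    code, out = run("status")
    if code != 0:
        raise RuntimeError("wizard status failed")
    status = json.loads(out)  # malformed JSON raises ValueError
    if not isinstance(status, dict) or not isinstance(status.get("complete"), bool):
        raise ValueError("status JSON has no boolean 'complete'")
    step = status.get("current_step")
    if not status["complete"] and (type(step) is not int or not 1 <= step <= MAX_STEPS):
        raise ValueError(f"unexpected current_step: {step!r}")
    return step, status["complete"]


def drive(run=run_wizard, wait_for_user=input, show=print):
    """Loop status -> next -> user runs sudo -> verify; return verified steps.

    The driver never invokes sudo: the privileged command is only displayed.
    """
    verified = []
    for _ in range(MAX_STEPS * 3):  # bounded, so a stuck step cannot loop forever
        step, complete = read_status(run)
        if complete:
            return verified
        show(run("next")[1])  # what, why, and the exact command
        wait_for_user("Run the command above, then press Enter: ")
        # Assumption: `wizard verify` exits non-zero when the step is not done.
        if run("verify")[0] != 0:
            show(f"Step {step} not verified; repeating it.")
            continue
        verified.append(step)
    raise RuntimeError("wizard did not reach complete: true")


if __name__ == "__main__":
    drive()
```

A step is recorded as done only after `wizard verify` succeeds, so a user's "done" is never taken on trust.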
### Example interaction
```
User: "Install clauditor"

Agent: [runs wizard status → current_step: 1]
Agent: "Step 1 of 6: Create system user

This creates a 'sysaudit' user that runs the watchdog. Even if you're compromised, you can't kill a process owned by another user.

Run this:
sudo useradd --system --shell /usr/sbin/nologin --no-create-home sysaudit

Let me know when done."

User: "done"

Agent: [runs wizard verify → success]
Agent: [runs wizard next → step 2...]
```
## After installation
### Check status
```bash
systemctl status systemd-journaldd
```
### Generate a digest
```bash
./target/release/clauditor digest \
  --log /var/lib/.sysd/.audit/events.log \
  --key /etc/sysaudit/key \
  --format markdown
```
## Quick install (advanced users)
```bash
sudo bash wizard/wizard.sh
```
## Configuration
- Config file: `/etc/sysaudit/config.toml`
- Key: `/etc/sysaudit/key`
- Logs: `/var/lib/.sysd/.audit/events.log`

Edit the config file to customize `watch_paths` and `target_uid`.