什么是 sys-guard-linux-remediator？

sys-guard-linux-remediator 是为 Openclaw Skills 设计的专业技能，提供了一种结构化的 Linux 安全方法。它专注于非破坏性证据收集、准确的威胁检测，以及在 Ubuntu、RHEL 和 Fedora 等主要发行版上的受控修复。该技能使 AI 代理能够执行复杂的取证任务、管理防火墙（iptables/nftables）并验证系统完整性，同时严格遵守防止系统不稳定或管理锁定的安全护栏。

通过在 Openclaw Skills 中利用此技能，开发人员和安全工程师可以自动检测恶意进程、审计系统日志并实施持久性检查。它集成了强大的取证工具和事件响应最佳实践，确保在生产主机上采取的每项操作都是有记录的、可逆的且在取证上是可靠的。

下载入口:https://github.com/openclaw/skills/tree/main/skills/kiaraho/sys-guard-linux-remediator

安装与下载

1. ClawHub CLI

从源直接安装技能的最快方式。

2. 手动安装

将技能文件夹复制到以下位置之一

优先级：工作区 > 本地 > 内置

3. 提示词安装

将此提示词复制到 OpenClaw 即可自动安装。

sys-guard-linux-remediator 应用场景

• 通过识别可疑的服务或已建立的连接，检测并遏制活动网络威胁。
• 使用系统调用跟踪和打开的文件句柄检查执行深入的进程分析，以发现隐藏的恶意软件。
• 自动化全系统安全审计和 rootkit 扫描，以保持强化的安全态势。
• 验证文件完整性和软件包真实性，以检测对系统二进制文件的未经授权修改。
• 执行受控修复，如 IP 封锁或服务隔离，而不会冒失去管理访问权限的风险。

1. 环境发现：该技能识别 Linux 发行版、防火墙后端（iptables 与 nftables）以及日志机制（syslog 与 journalctl）。
2. 证据收集：它捕获系统的当前状态，包括网络套接字、进程树和用户活动，并为取证追踪记录 UTC 时间戳。
3. 威胁分析：它利用 Lynis、rkhunter 和 Didier Stevens Suite 等工具来分析可疑文件、日志和内核模块。
4. 修复规划：根据发现结果，它提出具体的、非破坏性的操作，如进程终止（TERM 与 KILL）或 IP 丢弃。
5. 执行与验证：在严格的护栏下应用更改，随后进行更改后状态验证，以确保预期的效果和系统稳定性。

sys-guard-linux-remediator 配置指南

要初始化取证工具包和完整性检查以配合 Openclaw Skills 使用，请在 Linux 主机上运行以下命令：

# 安装完整性工具
sudo apt install aide debsums # Debian/Ubuntu
sudo dnf install aide # RHEL/Fedora

# 设置取证套件
sudo mkdir -p /opt/forensics
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/base64dump.py
sudo chmod +x /opt/forensics/*.py

确保您具有 root 或 sudo 权限以及基于 systemd 的环境以获得完整功能。

sys-guard-linux-remediator 数据架构与分类体系

该技能系统地组织取证数据和修复日志，以确保可追溯性：

name: sys-guard-linux-remediator
description: Host-based Linux incident response and remediation skill focused on precise threat detection, forensic-safe data collection, firewall control (iptables/nftables), integrity validation, and controlled remediation while preserving system stability.
metadata:
  author: Edwin Kairu (ekairu@cmu.edu)

Linux Threat Mitigation and Incident Remediation (Hardened Edition)

This skill provides a structured, forensically-aware framework for analyzing and securing a Linux host during or after a security event.

It emphasizes:

• Non-destructive evidence collection
• Accurate threat detection
• Firewall-aware containment
• Integrity verification
• Controlled, reversible remediation
• Distribution-aware command usage

Environment Context

Supported Systems

• Debian / Ubuntu
• RHEL / CentOS / Rocky / Alma
• Fedora
• Arch Linux (limited package guidance)

Execution Assumptions

• Shell: bash or POSIX sh
• Privilege: Root or sudo
• Host-level access (NOT container-restricted environments)
• systemd-based systems preferred

?? If running inside Docker, Kubernetes, LXC, or other containers, firewall, audit, and service commands may not reflect the host system.

Firewall Architecture Awareness

Modern Linux systems may use:

• iptables-legacy
• iptables-nft (compatibility wrapper)
• Native nftables
• firewalld (RHEL-family default)

Identify Firewall Backend

iptables --version
which nft
systemctl status firewalld

If nftables is active:

nft list ruleset

Do NOT assume iptables -L represents the full firewall state.

Logging Differences by Distribution

Always prefer:

journalctl -xe

Operational Toolkit (Hardened)

1. Network Inspection

Listening Services

ss -tulpn

Active Connections

ss -antp | grep ESTABLISHED

Firewall State

iptables

iptables -L -n -v --line-numbers
iptables -S

nftables

nft list ruleset

Local Service Enumeration (Low Noise)

ss -lntup

Avoid unnecessary full scans of localhost unless required.

Conservative Network Scan

nmap -sV -T3 -p- localhost

Packet Capture (Short Snapshot)

tcpdump -i any -nn -c 100

2. Process & Runtime Analysis

Process Tree

ps auxww --forest

High CPU / Memory

top

Open File Handles

lsof -p 

System Call Trace (Caution: Alters Timing)

strace -p 

?? strace may change process behavior. Use carefully during live compromise.

Kernel Modules

lsmod

Kernel Messages

dmesg | tail -50

3. Rootkit & Malware Scanning

Rootkit Scanners

rkhunter --check
chkrootkit

May produce false positives. Validate findings manually.

Antivirus Scan (Targeted)

clamscan -r /home

Use selectively; large scans increase I/O and may alter access timestamps.

Lynis System Audit

lynis audit system

4. File Integrity & Package Verification

AIDE (After Initialization)

Install:

apt install aide
# or
dnf install aide

Initialize:

aideinit
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run Check:

aide --check

RHEL Package Verification

rpm -Va

Debian Package Verification

apt install debsums
debsums -s

5. Forensic Analysis (Didier Stevens Suite)

Install:

sudo mkdir -p /opt/forensics
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/base64dump.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/re-search.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/zipdump.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/1768.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/pdf-parser.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/oledump.py
sudo chmod +x /opt/forensics/*.py

Decode Base64

python3 /opt/forensics/base64dump.py file.txt

IOC Search

python3 /opt/forensics/re-search.py -n ipv4 logfile

Inspect ZIP (No Extraction)

python3 /opt/forensics/zipdump.py suspicious.zip

Extract Cobalt Strike Beacon Config

python3 /opt/forensics/1768.py payload.bin

Inspect Office/PDF Documents

python3 /opt/forensics/pdf-parser.py file.pdf
python3 /opt/forensics/oledump.py file.doc

Static inspection only. Never execute suspicious files.

6. Authentication & User Activity

Current Sessions

who -a

Login History

last -a

Failed SSH Logins

Ubuntu/Debian:

journalctl -u ssh.service | grep "Failed password"

RHEL/Fedora:

journalctl -u sshd.service | grep "Failed password"

Sudo Activity

journalctl _COMM=sudo

Audit Logs

ausearch -m USER_AUTH,USER_LOGIN,USER_CHAUTHTOK

Controlled Remediation

Blocking an IP

iptables (Immediate)

iptables -I INPUT 1 -s  -j DROP

nftables

nft add rule inet filter input ip saddr  drop

If firewalld is active:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="" drop'

Persisting Firewall Rules

iptables (Debian):

netfilter-persistent save

iptables (manual save):

iptables-save > /etc/iptables/rules.v4

firewalld:

firewall-cmd --runtime-to-permanent

nftables:

nft list ruleset > /etc/nftables.conf

Process Containment Strategy

Preferred escalation:

1. Observe
2. kill -TERM
3. If required: kill -STOP for analysis
4. Use kill -KILL only if necessary

Avoid killall or broad pkill.

Service Isolation

systemctl stop 
systemctl disable 
systemctl mask 

Persistence & Backdoor Checks

Cron Jobs

crontab -l
ls -lah /etc/cron*

Systemd Persistence

ls -lah /etc/systemd/system/

Startup Scripts

cat /etc/rc.local

SELinux Awareness (RHEL/Fedora)

Check status:

getenforce

Review denials:

ausearch -m AVC

Forensic Hygiene

1. Never execute suspicious binaries.
2. Preserve evidence before deletion:

sha256sum file
mkdir -p /root/quarantine
mv file /root/quarantine/file.vir

3. Log every remediation step:

date -u

Document:

• Timestamp
• Command executed
• Observed outcome

Usage Examples

Routine Audit

• Run lynis audit system
• Verify no unknown listening services
• Check for modified system binaries

Active Threat

• Identify high CPU process
• Capture short tcpdump
• Extract file hash
• Contain IP via firewall
• Preserve malicious artifact

Suspicious File

• Use zipdump
• Extract hash
• Move to quarantine
• Search logs for execution attempts

Safety Guardrails

These guardrails are mandatory and apply to all remediation activity. Their purpose is to prevent self-inflicted outages, preserve forensic integrity, and ensure reversible, controlled incident response.

1. State Verification (Pre- and Post-Change Validation)

Before executing any remediation command:

1. Record timestamp (UTC):

   date -u
   

2. Run a discovery command to capture current state:

   • Network: ss -tulpn
   • Active connections: ss -antp
   • Firewall (iptables): iptables -L -n -v
   • Firewall (nftables): nft list ruleset
   • firewalld: firewall-cmd --list-all

After remediation:

3. Re-run the same discovery command.
4. Compare state change and confirm:
   • Intended effect achieved
   • No unintended service disruption
   • No management lockout (e.g., SSH access intact)

Never assume a command succeeded without verifying its effect.

2. No Wildcards or Broad Termination

To prevent catastrophic system damage:

• NEVER use:

  • rm -rf *
  • rm -rf /
  • killall
  • Broad pkill patterns
  • Unbounded globbing in sensitive directories

• Always:

  • Use absolute file paths (e.g., /tmp/malware.bin)
  • Target explicit PIDs (kill -TERM )
  • Confirm file existence with ls -lah
  • Hash suspicious files before modification:

    sha256sum 
    

Wildcard deletions and pattern-based termination are prohibited during incident response.

3. Persistence & Re-Spawn Inspection

After containment of a malicious process or service, immediately inspect for persistence mechanisms.

Check:

Cron Jobs

crontab -l
ls -lah /etc/cron*

systemd Services & Timers

systemctl list-unit-files --type=service
systemctl list-timers --all
ls -lah /etc/systemd/system/

Init Scripts

ls -lah /etc/init.d/
cat /etc/rc.local

User-Level Persistence

ls -lah ~/.config/systemd/user/

SSH Backdoors

cat ~/.ssh/authorized_keys

After removal of malicious artifacts:

• Run integrity verification:

  aide --check
  

• On RHEL-based systems:

  rpm -Va
  

• On Debian-based systems:

  debsums -s
  

Do not consider a threat eradicated until persistence mechanisms are eliminated.

4. Firewall Rule Safety & Persistence

A. Anti-Lockout Requirement

Before modifying firewall rules:

1. Confirm SSH listening port:

   ss -tulpn | grep ssh
   

2. Confirm an explicit ACCEPT rule exists for:

   • Current management IP
   • SSH port

NEVER:

iptables -F

NEVER set a default DROP policy without verifying SSH access rule exists.

B. Immediate vs Persistent Rules

Firewall rule changes are runtime by default and may not survive reboot.

iptables (Debian/Ubuntu)

Runtime only until saved:

iptables-save > /etc/iptables/rules.v4

If using netfilter-persistent:

netfilter-persistent save

RHEL (legacy iptables service)

service iptables save

firewalld

Runtime-to-permanent:

firewall-cmd --runtime-to-permanent

nftables

Persist ruleset:

nft list ruleset > /etc/nftables.conf

Document:

• Whether rule is temporary or permanent
• Location of saved configuration
• Verification after reboot (if applicable)

5. Forensic Preservation Before Destruction

Before deleting or killing:

1. Hash the artifact:

   sha256sum 
   

2. Move to quarantine:

   mkdir -p /root/quarantine
   mv  /root/quarantine/.vir
   

3. Record:

   • Timestamp (UTC)
   • Original path
   • Hash value
   • Reason for containment

Avoid kill -9 unless absolutely required. Prefer:

1. kill -TERM
2. kill -STOP (if forensic inspection needed)
3. kill -KILL only as last resort

6. Change Logging Requirement

Every remediation action must include:

• date -u
• Command executed
• Justification
• Observed outcome
• Updated risk level (if applicable)

Remediation without documentation is non-compliant.

7. Minimal-Impact Principle

All actions must follow:

• Smallest necessary change
• Reversible where possible
• No broad configuration resets
• No service restarts without justification
• No system-wide scans during active compromise unless scoped

Contain first. Eradicate methodically. Recover cautiously.