Defendguard
Enterprise security orchestration plugin for OpenClaw - file integrity monitoring, threat detection, incident response
# DefendGuard Plugin
Enterprise-grade security orchestration plugin for OpenClaw - continuous monitoring, threat detection, and automated incident response.
## Overview
DefendGuard provides comprehensive security capabilities through a unified plugin interface. It monitors file integrity, analyzes process behavior, tracks network traffic, correlates threat intelligence, and executes incident response playbooks.
## Features
| Category | Capabilities |
|----------|--------------|
| **File Integrity** | Real-time monitoring via inotify, baseline comparison, change detection |
| **Process Analysis** | Anomaly detection, ransomware indicators, cryptominer detection |
| **Network Security** | Traffic monitoring, beaconing detection, suspicious connection alerts |
| **Threat Intelligence** | CISA KEV, Feodo Tracker, URLhaus integration |
| **Incident Response** | Automated containment, process isolation, evidence preservation |
| **Compliance** | CIS benchmark checks, NIST/PCI support |
| **Backup** | Integrity verification, restoration testing |
## Requirements
- OpenClaw 2026.1+
- Node.js 18+ (for building)
## Installation
```bash
# Install dependencies and build
npm install
npm run build
# Install from local directory
openclaw plugins install ./defendguard-plugin
# Or link for development
openclaw plugins install -l ./defendguard-plugin
```
## Configuration
Configure in `~/.openclaw/openclaw.json`:
```json5
{
plugins: {
entries: {
"defendguard": {
enabled: true,
config: {
monitorPaths: ["/etc", "/var", "/opt", "~/.openclaw"],
alertWebhook: "https://hooks.slack.com/services/xxx",
autoResponse: false,
threatIntel: {
cisaKev: true,
feodoTracker: true,
urlhaus: true
},
heartbeatInterval: "15m"
}
}
}
}
}
```
### Configuration Options
| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `monitorPaths` | array | `["/etc", "/var", "/opt"]` | Paths for file integrity monitoring |
| `alertWebhook` | string | - | Webhook URL for alert notifications |
| `autoResponse` | boolean | `false` | Enable automatic threat containment |
| `threatIntel.cisaKev` | boolean | `true` | Fetch CISA Known Exploited Vulnerabilities |
| `threatIntel.feodoTracker` | boolean | `true` | Fetch Feodo Tracker C2 IP blocklist |
| `threatIntel.urlhaus` | boolean | `true` | Fetch URLhaus malware URLs |
| `heartbeatInterval` | string | `"15m"` | Security check interval |
## Tools Reference
| Tool | Description |
|------|-------------|
| `defendguard_file_integrity_check` | Check files against baseline for unauthorized changes |
| `defendguard_file_monitor_start` | Start real-time inotify monitoring on directories |
| `defendguard_process_analyze` | Analyze running processes for anomalous behavior |
| `defendguard_process_kill` | Terminate a suspicious process (use with caution) |
| `defendguard_threat_intel_update` | Refresh IOC feeds from threat intelligence sources |
| `defendguard_threat_intel_lookup` | Look up IP, domain, hash, or CVE against threat DB |
| `defendguard_network_check` | Scan network connections for suspicious activity |
| `defendguard_incident_list` | List recent security incidents with status |
| `defendguard_incident_contain` | Execute containment action (isolate, block, kill) |
| `defendguard_compliance_check` | Run CIS/NIST/PCI benchmark compliance checks |
| `defendguard_backup_verify` | Verify backup integrity and test restoration |
| `defendguard_security_status` | Get overall security posture summary |
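One way to implement the beaconing check listed for `defendguard_network_check`, added here as an example and not taken from the plugin: group connections by destination and score the regularity of the gaps between successive connections. The `Conn` record, the thresholds and the sample traffic are all constructed for the example.

```typescript
// Added example, not DefendGuard's own code: interval-regularity beaconing
// detection over connection records. The record shape, the thresholds
// (minCount, maxCv) and the sample traffic below are assumptions.

export interface Conn {
  ts: number;   // seconds since capture start
  dst: string;  // destination IP
  port: number; // destination port
}

export interface BeaconVerdict {
  key: string;          // "dst:port"
  count: number;        // connections observed
  meanInterval: number; // mean seconds between connections
  cv: number;           // std-dev / mean of the gaps; near 0 means metronomic
}

export interface BeaconOpts {
  minCount: number; // below this the statistic is meaningless
  maxCv: number;    // loose enough to survive moderate jitter
}

// Malware beacons repeat on a fixed period with a little jitter, so the
// coefficient of variation of their inter-connection gaps is small; human
// browsing is bursty and scores high. A single long-lived connection produces
// no gaps at all and is not caught by this test.
export function detectBeacons(
  conns: Conn[],
  opts: BeaconOpts = { minCount: 6, maxCv: 0.25 },
): BeaconVerdict[] {
  const byDest = new Map<string, number[]>();
  for (const c of conns) {
    const key = `${c.dst}:${c.port}`;
    let times = byDest.get(key);
    if (!times) {
      times = [];
      byDest.set(key, times);
    }
    times.push(c.ts);
  }

  const verdicts: BeaconVerdict[] = [];
  Array.from(byDest.entries()).forEach(([key, times]) => {
    if (times.length < opts.minCount) return;
    const sorted = times.slice().sort((a, b) => a - b);
    const gaps: number[] = [];
    for (let i = 1; i < sorted.length; i++) gaps.push(sorted[i] - sorted[i - 1]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    if (mean <= 0) return; // identical timestamps: a burst, not a beacon
    const variance = gaps.reduce((a, g) => a + (g - mean) * (g - mean), 0) / gaps.length;
    const cv = Math.sqrt(variance) / mean;
    if (cv <= opts.maxCv) verdicts.push({ key, count: sorted.length, meanInterval: mean, cv });
  });
  return verdicts.sort((a, b) => a.cv - b.cv);
}

// Constructed sample traffic: a ~60s beacon with a few seconds of jitter to
// 203.0.113.7:443, bursty browsing to 198.51.100.20:443, and three evenly
// spaced hits to 192.0.2.9:8080 (too few to judge at the default minCount).
export function sampleConns(): Conn[] {
  const beacon = [0, 61, 118, 182, 240, 303, 357, 420, 482, 540]
    .map((ts) => ({ ts, dst: "203.0.113.7", port: 443 }));
  const browsing = [5, 6, 7, 9, 130, 131, 400, 401, 402, 900]
    .map((ts) => ({ ts, dst: "198.51.100.20", port: 443 }));
  const sparse = [10, 70, 130].map((ts) => ({ ts, dst: "192.0.2.9", port: 8080 }));
  return beacon.concat(browsing, sparse);
}
```

Feed it the connection table you already collect (conntrack, Zeek `conn.log`, or polled `ss -tn` snapshots) and tune `maxCv` against your own traffic: heavily jittered implants score above 0.25 and need a longer window or a different test, such as counting how many gaps land in one narrow bucket.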
## Usage Examples
### File Integrity Monitoring
```
Check file integrity in /etc and /var
Start monitoring /home and /opt
```
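The baseline comparison behind `defendguard_file_integrity_check`, as an added TypeScript example that is not DefendGuard's own code. It hashes a directory tree, diffs two snapshots into added, removed, modified and permission-changed sets, and runs against a constructed tree in a temp directory; the record layout, the tampering steps in `demo()` and the choice to record symlinks by their target are assumptions of this example.

```typescript
// Added example, not DefendGuard's own code: baseline-and-compare file
// integrity checking. The record layout and the demo tree are constructed.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
import { createHash } from "node:crypto";

export interface FileRecord {
  sha256: string;
  size: number;
  mode: number; // permission plus setuid/setgid/sticky bits only
}
export type Baseline = Record<string, FileRecord>; // key: POSIX-style path relative to root

export interface Drift {
  added: string[];
  removed: string[];
  modified: string[];          // content changed
  permissionChanged: string[]; // same content, different mode bits (setuid added, world-writable, ...)
}

const posix = (rel: string): string => rel.split(path.sep).join("/");

function sha256Of(data: Buffer): string {
  return createHash("sha256").update(data).digest("hex");
}

// Hash every regular file under root. Symlinks are recorded by their target
// string and never followed, so a link pointing at /dev/zero or at a file
// outside the monitored tree cannot stall or mislead the scan.
export function buildBaseline(root: string): Baseline {
  const out: Baseline = {};
  const walk = (dir: string): void => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      const rel = posix(path.relative(root, full));
      if (entry.isSymbolicLink()) {
        const target = fs.readlinkSync(full);
        out[rel] = {
          sha256: sha256Of(Buffer.from("symlink:" + target)),
          size: 0,
          mode: fs.lstatSync(full).mode & 0o7777,
        };
      } else if (entry.isDirectory()) {
        walk(full);
      } else if (entry.isFile()) {
        const st = fs.statSync(full);
        out[rel] = { sha256: sha256Of(fs.readFileSync(full)), size: st.size, mode: st.mode & 0o7777 };
      }
      // sockets, fifos and device nodes are skipped
    }
  };
  walk(root);
  return out;
}

export function compareBaseline(before: Baseline, after: Baseline): Drift {
  const drift: Drift = { added: [], removed: [], modified: [], permissionChanged: [] };
  for (const p of Object.keys(after)) {
    const b = before[p];
    const a = after[p];
    if (!b) drift.added.push(p);
    else if (b.sha256 !== a.sha256 || b.size !== a.size) drift.modified.push(p);
    else if (b.mode !== a.mode) drift.permissionChanged.push(p);
  }
  for (const p of Object.keys(before)) if (!after[p]) drift.removed.push(p);
  drift.added.sort();
  drift.removed.sort();
  drift.modified.sort();
  drift.permissionChanged.sort();
  return drift;
}

// Demo on a constructed tree in a temp dir; returns the drift so it can be checked.
export function demo(): Drift {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "dg-fim-"));
  try {
    fs.mkdirSync(path.join(root, "etc"));
    fs.writeFileSync(path.join(root, "etc", "passwd"), "root:x:0:0::/root:/bin/sh\n");
    fs.writeFileSync(path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n");
    fs.writeFileSync(path.join(root, "etc", "motd"), "welcome\n");
    const baseline = buildBaseline(root);

    // Simulated tampering, one instance of each drift class.
    fs.appendFileSync(path.join(root, "etc", "passwd"), "eve:x:0:0::/root:/bin/sh\n"); // extra uid-0 account
    fs.chmodSync(path.join(root, "etc", "hosts"), 0o4755);                               // setuid bit set, content unchanged
    fs.unlinkSync(path.join(root, "etc", "motd"));
    fs.writeFileSync(path.join(root, "etc", "ld.so.preload"), "/tmp/evil.so\n");      // classic preload hook

    return compareBaseline(baseline, buildBaseline(root));
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}
```

Keep the baseline somewhere the monitored host cannot rewrite, or sign it: a baseline stored in a path the attacker can write is simply re-baselined along with the files it was meant to protect. The mode comparison is what catches a setuid bit added to an otherwise unchanged binary, which a content-only hash check misses; the real-time inotify path covers changes between scheduled checks.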
### Process Analysis
```
Analyze running processes for anomalies
Check process 12345 for suspicious behavior
```
### Threat Intelligence
```
Update threat intelligence feeds
Look up CVE-2024-1234 in threat database
Check if IP 1.2.3.4 is a known C2
```
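A minimal in-memory IOC index of the kind `defendguard_threat_intel_update` would build and `defendguard_threat_intel_lookup` would query, added here as an example and not the plugin's own code. It refangs pasted indicators, classifies them, and matches them against parsed feeds. The feed snippets are constructed; the formats assumed are a comment-prefixed one-indicator-per-line list for the Feodo Tracker IP blocklist and the URLhaus URL dump, and a JSON document with a `vulnerabilities[].cveID` array for CISA KEV. Check those assumptions against the current downloads before wiring in real fetches.

```typescript
// Added example, not DefendGuard's own code: IOC feed parsing and lookup.
// Feed snippets are constructed; the feed formats are assumptions.

export type IocType = "ip" | "cve" | "sha256" | "md5" | "url" | "domain" | "unknown";

export interface Lookup {
  type: IocType;
  value: string;     // normalised indicator actually searched
  matches: string[]; // names of feeds that contain it
}

// Analysts paste defanged indicators; normalise before matching, or every
// lookup for "hxxp://evil[.]com" silently misses.
export function refang(raw: string): string {
  return raw
    .trim()
    .replace(/\[\.\]|\(\.\)|\{\.\}/g, ".")
    .replace(/\[:\]/g, ":")
    .replace(/^hxxps?:\/\//i, (m) => m.toLowerCase().replace("hxxp", "http"));
}

// Order matters: the 64- and 32-hex tests run before the domain test, and the
// IPv4 test before it too, so each indicator gets exactly one type.
export function classify(raw: string): { type: IocType; value: string } {
  const v = refang(raw);
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(v)) return { type: "ip", value: v };
  if (/^cve-\d{4}-\d{4,}$/i.test(v)) return { type: "cve", value: v.toUpperCase() };
  if (/^[0-9a-f]{64}$/i.test(v)) return { type: "sha256", value: v.toLowerCase() };
  if (/^[0-9a-f]{32}$/i.test(v)) return { type: "md5", value: v.toLowerCase() };
  if (/^https?:\/\//i.test(v)) return { type: "url", value: v };
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(v)) return { type: "domain", value: v.toLowerCase() };
  return { type: "unknown", value: v };
}

// One indicator per line, '#' comments (assumed Feodo Tracker / URLhaus text shape).
export function parseLineFeed(text: string): Set<string> {
  const out = new Set<string>();
  for (const line of text.split(/\r?\n/)) {
    const t = line.trim();
    if (!t || t.startsWith("#")) continue;
    out.add(t);
  }
  return out;
}

// Assumed CISA KEV shape: {"vulnerabilities":[{"cveID":"CVE-..."}, ...]}.
export function parseKev(json: string): Set<string> {
  const doc = JSON.parse(json) as { vulnerabilities?: { cveID?: string }[] };
  const out = new Set<string>();
  for (const v of doc.vulnerabilities ?? []) {
    if (typeof v.cveID === "string") out.add(v.cveID.toUpperCase());
  }
  return out;
}

export class IocIndex {
  readonly feeds = new Map<string, Set<string>>();

  add(name: string, entries: Set<string>): void {
    this.feeds.set(name, entries);
  }

  lookup(raw: string): Lookup {
    const { type, value } = classify(raw);
    const matches: string[] = [];
    this.feeds.forEach((entries, name) => {
      if (entries.has(value)) matches.push(name);
    });
    return { type, value, matches: matches.sort() };
  }
}

// Constructed feed snippets standing in for the fetched files.
export const SAMPLE_FEODO = `# Feodo Tracker botnet C2 IP blocklist (constructed sample)
203.0.113.7
198.51.100.44
`;
export const SAMPLE_URLHAUS = `# URLhaus malware URLs (constructed sample)
http://198.51.100.20/a.exe
`;
export const SAMPLE_KEV = JSON.stringify({
  vulnerabilities: [{ cveID: "CVE-2024-1234", vulnerabilityName: "constructed sample entry" }],
});

export function buildSampleIndex(): IocIndex {
  const idx = new IocIndex();
  idx.add("feodo_tracker", parseLineFeed(SAMPLE_FEODO));
  idx.add("urlhaus", parseLineFeed(SAMPLE_URLHAUS));
  idx.add("cisa_kev", parseKev(SAMPLE_KEV));
  return idx;
}
```

URL matches here are exact strings, so normalise trailing slashes and scheme case the same way on both the feed and the query before loading a real dump. The feeds change daily: refresh them on the heartbeat and store the fetch time with each feed so a stale index is visible in lookup results rather than silently returning clean verdicts.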
### Incident Response
```
List recent security incidents
Contain incident INC-001 by isolating the host
Block malicious IP 10.0.0.50
```
### Compliance
```
Run CIS benchmark compliance check
Check PCI-DSS compliance status
```
### Backup Verification
```
Verify backups in /backup
Test backup restoration
```
## Heartbeat Integration
Enable continuous security monitoring via heartbeat:
```json5
{
agents: {
defaults: {
heartbeat: {
every: "15m",
target: "last",
prompt: "Check for security anomalies. Report HEARTBEAT_OK if all clear."
}
}
}
}
```
## Incident Response Workflow
1. **Detect** - Tool identifies anomalous behavior
2. **Alert** - Severity-rated notification sent
3. **Contain** - Isolate affected systems immediately
4. **Analyze** - Understand attack vector and scope
5. **Eradicate** - Remove threat completely
6. **Recover** - Restore from verified clean backups
7. **Harden** - Apply security controls to prevent recurrence
## Architecture
```
defendguard-plugin/
├── openclaw.plugin.json    # Plugin manifest
├── package.json            # NPM package
├── src/
│   └── index.ts            # Plugin entry point (TypeScript)
├── skills/
│   └── SKILL.md            # Agent instructions
└── scripts/
    ├── file-monitor/       # File integrity monitoring
    ├── process-analyzer/   # Process behavior analysis
    ├── network-sentinel/   # Network monitoring
    ├── threat-intel/       # IOC management
    └── incident-response/  # Containment playbooks
```
## Security Considerations
- **Principle of Least Privilege**: Grant only the permissions each tool needs. The monitoring tools need read access to `monitorPaths`; the containment tools (`defendguard_process_kill`, `defendguard_incident_contain`) need the rights to signal processes and change network rules, so grant those only where automated response is actually wanted.
- **Audit Everything**: All actions are logged for forensic analysis.
- **Trust but Verify**: Confirm before executing destructive actions. Keep `autoResponse` at its default of `false` until the containment playbooks have been exercised on a test host.
- **Contain First**: Isolate before analyzing when appropriate.
- **Document**: Record all findings and actions taken.
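A policy gate in front of containment actions, added as an example of the "confirm before destructive actions" and "audit everything" rules above; it is not DefendGuard's own code. It honours `autoResponse`, refuses to kill protected PIDs, validates block targets before they could reach a firewall command, and appends an audit record for every decision. The request shape, the rule that `kill` always needs confirmation even with `autoResponse` on, and the audit format are this example's own choices.

```typescript
// Added example, not DefendGuard's own code: a decision gate for containment
// actions. Request shape, protected-target list and audit format are assumptions.

export type Action = "isolate" | "block" | "kill";

export interface ContainRequest {
  incidentId: string;
  action: Action;
  target: string;     // host, IP or PID depending on action
  actor: string;      // who asked: "agent" or a named human operator
  confirmed: boolean; // explicit human go-ahead for this exact request
}

export interface Decision {
  allowed: boolean;
  reason: string;
}

export interface AuditRecord extends ContainRequest, Decision {
  at: string; // ISO timestamp of the decision
}

// Processes that must never be killed whatever the caller says: PID 1 and the
// plugin's own process (killing it would also kill the audit trail).
export function protectedPids(selfPid: number = process.pid): Set<number> {
  return new Set([1, selfPid]);
}

// Targets for "block" are interpolated into firewall commands downstream, so
// accept nothing but a literal dotted-quad IPv4 address here.
export function isIpv4(s: string): boolean {
  const parts = s.split(".");
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

export class ContainmentGate {
  readonly audit: AuditRecord[] = [];
  readonly autoResponse: boolean;
  readonly protectedTargets: Set<number>;

  constructor(autoResponse: boolean, protectedTargets: Set<number> = protectedPids()) {
    this.autoResponse = autoResponse;
    this.protectedTargets = protectedTargets;
  }

  // Checks run from most to least absolute: protected targets and malformed
  // block targets are refused regardless of confirmation or autoResponse.
  decide(req: ContainRequest): Decision {
    let d: Decision;
    if (req.action === "kill" && this.protectedTargets.has(Number(req.target))) {
      d = { allowed: false, reason: "target is a protected process" };
    } else if (req.action === "block" && !isIpv4(req.target)) {
      d = { allowed: false, reason: "block target must be a literal IPv4 address" };
    } else if (!req.confirmed && !this.autoResponse) {
      d = { allowed: false, reason: "autoResponse is off; destructive action needs explicit confirmation" };
    } else if (req.action === "kill" && !req.confirmed) {
      d = { allowed: false, reason: "kill is never run unconfirmed, even with autoResponse on" };
    } else {
      d = { allowed: true, reason: req.confirmed ? "confirmed by " + req.actor : "autoResponse" };
    }
    // Every decision, allowed or not, lands in the audit trail.
    this.audit.push({ ...req, ...d, at: new Date().toISOString() });
    return d;
  }
}
```

Write the audit array to append-only storage (or ship it to the same webhook as alerts) rather than keeping it in process memory; the denied entries are as valuable as the allowed ones when reconstructing what an agent tried to do during an incident.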
## Troubleshooting
| Issue | Solution |
|-------|----------|
| File events not detected | Increase inotify limits: `sysctl -w fs.inotify.max_user_watches=524288`. This does not survive a reboot; put the setting in a file under `/etc/sysctl.d/` to make it permanent |
| High CPU during monitoring | Increase heartbeat interval or reduce monitored paths |
| Threat intel lookup fails | Check network connectivity, verify API endpoints |
## License
MIT License
---
*DefendGuard - Your security never sleeps.*