openclaw-sentinel 0.1.0 → 0.2.0

package/README.md

@@ -67,7 +67,7 @@ sudo yum install osquery
 ## Installation
 
 ```bash
-openclaw plugins install /path/to/openclaw-sentinel
+openclaw plugins install openclaw-sentinel
 openclaw gateway restart
 ```
 

package/dist/__tests__/alerts.test.js

@@ -18,20 +18,19 @@ describe("shouldAlert", () => {
         const state = createAlertState();
         assert.equal(shouldAlert(makeEvent("Test"), state), true);
     });
-    it("deduplicates same title within 5 minutes", () => {
+    it("deduplicates same title within 1 minute", () => {
         const state = createAlertState();
         const now = Date.now();
         assert.equal(shouldAlert(makeEvent("Same Event"), state, now), true);
         assert.equal(shouldAlert(makeEvent("Same Event"), state, now + 1000), false);
-        assert.equal(shouldAlert(makeEvent("Same Event"), state, now + 60_000), false);
-        assert.equal(shouldAlert(makeEvent("Same Event"), state, now + 299_000), false);
+        assert.equal(shouldAlert(makeEvent("Same Event"), state, now + 30_000), false);
+        assert.equal(shouldAlert(makeEvent("Same Event"), state, now + 59_000), false);
     });
-    it("allows same title after 5 minute window (entries expire from rate limit window)", () => {
+    it("allows same title after 1 minute window", () => {
         const state = createAlertState();
         const now = Date.now();
         shouldAlert(makeEvent("Recurring"), state, now);
-        // After 5+ minutes AND after the 1-min rate limit window cleans up
-        assert.equal(shouldAlert(makeEvent("Recurring"), state, now + 301_000), true);
+        assert.equal(shouldAlert(makeEvent("Recurring"), state, now + 61_000), true);
     });
     it("allows different titles", () => {
         const state = createAlertState();

package/dist/__tests__/analyzer.test.js

@@ -120,30 +120,34 @@ describe("analyzeProcessEvents", () => {
 });
 describe("analyzeLoginEvents", () => {
     const knownHosts = new Set(["192.168.1.100", "100.64.0.1"]);
-    it("detects unknown remote host", () => {
+    it("detects unknown remote host as high severity", () => {
         const rows = [
             { user: "root", host: "203.0.113.42", type: "user" },
         ];
         const events = analyzeLoginEvents(rows, knownHosts);
         assert.equal(events.length, 1);
         assert.equal(events[0].severity, "high");
-        assert.equal(events[0].category, "auth");
+        assert.equal(events[0].category, "ssh_login");
     });
-    it("skips known hosts", () => {
+    it("emits info event for known hosts", () => {
         const rows = [
             { user: "sunil", host: "192.168.1.100", type: "user" },
         ];
         const events = analyzeLoginEvents(rows, knownHosts);
-        assert.equal(events.length, 0);
+        assert.equal(events.length, 1);
+        assert.equal(events[0].severity, "info");
+        assert.equal(events[0].category, "ssh_login");
     });
-    it("skips Tailscale CGNAT range (100.64-127.x.x)", () => {
+    it("emits info event for Tailscale CGNAT range (100.64-127.x.x)", () => {
         const rows = [
             { user: "sunil", host: "100.79.207.74", type: "user" },
             { user: "sunil", host: "100.94.48.17", type: "user" },
             { user: "sunil", host: "100.127.255.255", type: "user" },
         ];
         const events = analyzeLoginEvents(rows, new Set());
-        assert.equal(events.length, 0);
+        assert.equal(events.length, 3);
+        assert.equal(events[0].severity, "info");
+        assert.ok(events[0].description.includes("Tailscale"));
     });
     it("does NOT skip non-Tailscale 100.x IPs", () => {
         const rows = [

package/dist/__tests__/log-stream.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/log-stream.test.js

@@ -0,0 +1,165 @@
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+// We can't easily test the spawned process, but we can test the parsing logic
+// by importing and testing the module's parse functions.
+// Since parse functions are not exported, we test via the public class behavior.
+// Instead, test the SSH event patterns that the parser handles:
+describe("SSH log line patterns", () => {
+    // These patterns match what sshd outputs and our parser expects
+    it("matches 'Accepted publickey' pattern", () => {
+        const line = '2026-02-22 16:30:00.123456-0500  0x1234  Default  0x0  0  sshd: Accepted publickey for sunil from 100.79.207.74 port 52341 ssh2';
+        const match = line.match(/sshd.*?:\s+Accepted\s+(\S+)\s+for\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+        assert.ok(match);
+        assert.equal(match[1], "publickey");
+        assert.equal(match[2], "sunil");
+        assert.equal(match[3], "100.79.207.74");
+        assert.equal(match[4], "52341");
+    });
+    it("matches 'Accepted password' pattern", () => {
+        const line = '2026-02-22 16:30:00.123456-0500  0x1234  Default  0x0  0  sshd: Accepted password for root from 203.0.113.42 port 22 ssh2';
+        const match = line.match(/sshd.*?:\s+Accepted\s+(\S+)\s+for\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+        assert.ok(match);
+        assert.equal(match[1], "password");
+        assert.equal(match[2], "root");
+        assert.equal(match[3], "203.0.113.42");
+    });
+    it("matches 'Failed password' pattern", () => {
+        const line = '2026-02-22 16:30:00.123456-0500  0x1234  Default  0x0  0  sshd: Failed password for sunil from 203.0.113.42 port 22 ssh2';
+        const match = line.match(/sshd.*?:\s+Failed\s+password\s+for\s+(?:invalid\s+user\s+)?(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+        assert.ok(match);
+        assert.equal(match[1], "sunil");
+        assert.equal(match[2], "203.0.113.42");
+    });
+    it("matches 'Failed password for invalid user' pattern", () => {
+        const line = '2026-02-22 16:30:00.123456-0500  0x1234  Default  0x0  0  sshd: Failed password for invalid user admin from 203.0.113.42 port 22 ssh2';
+        const match = line.match(/sshd.*?:\s+Failed\s+password\s+for\s+(?:invalid\s+user\s+)?(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+        assert.ok(match);
+        assert.equal(match[1], "admin");
+        assert.equal(match[2], "203.0.113.42");
+    });
+    it("matches 'Invalid user' pattern", () => {
+        const line = '2026-02-22 16:30:00.123456-0500  0x1234  Default  0x0  0  sshd: Invalid user admin from 203.0.113.42 port 22';
+        const match = line.match(/sshd.*?:\s+Invalid\s+user\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+        assert.ok(match);
+        assert.equal(match[1], "admin");
+        assert.equal(match[2], "203.0.113.42");
+    });
+    it("matches macOS sshd-session USER_PROCESS pattern", () => {
+        const line = "Feb 22 16:39:32 sunils-mac-mini sshd-session: sunil [priv][58912]: USER_PROCESS: 58916 ttys001";
+        const match = line.match(/sshd-session:\s+(\S+)\s+\[priv\]\[(\d+)\]:\s+USER_PROCESS:\s+(\d+)\s+(\S+)/);
+        assert.ok(match);
+        assert.equal(match[1], "sunil");
+        assert.equal(match[2], "58912");
+        assert.equal(match[3], "58916");
+        assert.equal(match[4], "ttys001");
+    });
+    it("does not match sshd-session DEAD_PROCESS", () => {
+        const line = "Feb 22 16:38:12 sunils-mac-mini sshd-session: sunil [priv][53930]: DEAD_PROCESS: 53934 ttys012";
+        const match = line.match(/sshd-session:\s+(\S+)\s+\[priv\]\[(\d+)\]:\s+USER_PROCESS:\s+(\d+)\s+(\S+)/);
+        assert.equal(match, null);
+    });
+    it("does not match unrelated sshd lines", () => {
+        const line = '2026-02-22 16:30:00.123456-0500  0x1234  Default  0x0  0  sshd: Connection closed by 100.79.207.74 port 52341';
+        const accepted = line.match(/sshd.*?:\s+Accepted/);
+        const failed = line.match(/sshd.*?:\s+Failed\s+password/);
+        const invalid = line.match(/sshd.*?:\s+Invalid\s+user/);
+        assert.equal(accepted, null);
+        assert.equal(failed, null);
+        assert.equal(invalid, null);
+    });
+});
+describe("Tailscale IP detection", () => {
+    function isTailscaleIP(host) {
+        const octets = host.split(".").map(Number);
+        return octets[0] === 100 && octets[1] >= 64 && octets[1] <= 127;
+    }
+    it("identifies Tailscale IPs", () => {
+        assert.equal(isTailscaleIP("100.79.207.74"), true);
+        assert.equal(isTailscaleIP("100.94.48.17"), true);
+        assert.equal(isTailscaleIP("100.64.0.1"), true);
+        assert.equal(isTailscaleIP("100.127.255.255"), true);
+    });
+    it("rejects non-Tailscale IPs", () => {
+        assert.equal(isTailscaleIP("100.63.255.255"), false);
+        assert.equal(isTailscaleIP("100.128.0.1"), false);
+        assert.equal(isTailscaleIP("192.168.1.1"), false);
+        assert.equal(isTailscaleIP("203.0.113.42"), false);
+    });
+});
+describe("Linux sudo log patterns", () => {
+    it("matches sudo command execution", () => {
+        const line = "Feb 22 16:30:00 myhost sudo[1234]:   sunil : TTY=pts/0 ; PWD=/home/sunil ; USER=root ; COMMAND=/usr/bin/apt update";
+        const match = line.match(/sudo\[\d+\]:\s+(\S+)\s*:\s*(?:.*?;\s*)?TTY=(\S+)\s*;\s*PWD=(\S+)\s*;\s*USER=(\S+)\s*;\s*COMMAND=(.*)/);
+        assert.ok(match);
+        assert.equal(match[1], "sunil");
+        assert.equal(match[2], "pts/0");
+        assert.equal(match[4], "root");
+        assert.equal(match[5].trim(), "/usr/bin/apt update");
+    });
+    it("matches sudo with incorrect password attempts", () => {
+        const line = "Feb 22 16:30:00 myhost sudo[1234]:   sunil : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/sunil ; USER=root ; COMMAND=/usr/bin/rm -rf /";
+        const match = line.match(/sudo\[\d+\]:\s+(\S+)\s*:\s*(?:.*?;\s*)?TTY=(\S+)\s*;\s*PWD=(\S+)\s*;\s*USER=(\S+)\s*;\s*COMMAND=(.*)/);
+        assert.ok(match);
+        assert.equal(match[1], "sunil");
+        assert.ok(line.includes("incorrect password"));
+    });
+    it("matches sudo PAM session opened", () => {
+        const line = "Feb 22 16:30:00 myhost sudo[1234]: pam_unix(sudo:session): session opened for user root(uid=0) by sunil(uid=1000)";
+        const match = line.match(/sudo\[\d+\]:\s+pam_unix\(sudo:session\):\s+session\s+opened\s+for\s+user\s+(\S+).*?by\s+(\S+)/);
+        assert.ok(match);
+        assert.equal(match[1], "root(uid=0)");
+        assert.equal(match[2], "sunil(uid=1000)");
+    });
+});
+describe("Linux user account log patterns", () => {
+    it("matches useradd new user (strips trailing comma)", () => {
+        const line = "Feb 22 16:30:00 myhost useradd[1234]: new user: name=backdoor, UID=1001, GID=1001, home=/home/backdoor, shell=/bin/bash";
+        const match = line.match(/useradd\[\d+\]:\s+new\s+user:\s+name=([^,\s]+)/);
+        assert.ok(match);
+        assert.equal(match[1], "backdoor");
+    });
+    it("matches userdel delete user", () => {
+        const line = "Feb 22 16:30:00 myhost userdel[1234]: delete user 'olduser'";
+        const match = line.match(/userdel\[\d+\]:\s+delete\s+user\s+'(\S+)'/);
+        assert.ok(match);
+        assert.equal(match[1], "olduser");
+    });
+    it("matches passwd password changed", () => {
+        const line = "Feb 22 16:30:00 myhost passwd[1234]: pam_unix(passwd:chauthtok): password changed for sunil";
+        const match = line.match(/passwd\[\d+\]:\s+pam_unix\(passwd:chauthtok\):\s+password\s+changed\s+for\s+(\S+)/);
+        assert.ok(match);
+        assert.equal(match[1], "sunil");
+    });
+    it("matches usermod change user", () => {
+        const line = "Feb 22 16:30:00 myhost usermod[1234]: change user 'sunil' shell";
+        const match = line.match(/usermod\[\d+\]:\s+change\s+user\s+'(\S+)'/);
+        assert.ok(match);
+        assert.equal(match[1], "sunil");
+    });
+    it("matches groupadd new group (strips trailing comma)", () => {
+        const line = "Feb 22 16:30:00 myhost groupadd[1234]: new group: name=newgroup, GID=1002";
+        const match = line.match(/groupadd\[\d+\]:\s+new\s+group:\s+name=([^,\s]+)/);
+        assert.ok(match);
+        assert.equal(match[1], "newgroup");
+    });
+});
+describe("Linux remote desktop log patterns", () => {
+    it("matches xrdp client connection", () => {
+        const line = "Feb 22 16:30:00 myhost xrdp[1234]: connected client: 203.0.113.42";
+        const match = line.match(/xrdp\[\d+\]:\s+.*?(?:connected|connection).*?(\d+\.\d+\.\d+\.\d+)/i);
+        assert.ok(match);
+        assert.equal(match[1], "203.0.113.42");
+    });
+    it("matches xrdp session started", () => {
+        const line = "Feb 22 16:30:00 myhost xrdp-sesman[1234]: session started for user sunil";
+        const match = line.match(/xrdp-sesman\[\d+\]:\s+.*?session\s+started.*?user\s+(\S+)/i);
+        assert.ok(match);
+        assert.equal(match[1], "sunil");
+    });
+    it("matches VNC connection", () => {
+        const line = "Feb 22 16:30:00 myhost x11vnc[1234]: Got connection from client 203.0.113.42";
+        const match = line.match(/(?:x11vnc|vnc|Xvnc)\[\d+\]:\s+.*?(?:connection|connect).*?(\d+\.\d+\.\d+\.\d+)/i);
+        assert.ok(match);
+        assert.equal(match[1], "203.0.113.42");
+    });
+});

package/dist/alerts.js

@@ -3,7 +3,7 @@
  */
 import { SEVERITY_ORDER } from "./config.js";
 const MAX_ALERTS_PER_MINUTE = 10;
-const ALERT_DEDUP_WINDOW_MS = 5 * 60 * 1000; // 5 minutes
+const ALERT_DEDUP_WINDOW_MS = 60 * 1000; // 1 minute
 export function createAlertState() {
     return { recentAlerts: [] };
 }
@@ -11,17 +11,22 @@ export function createAlertState() {
  * Check if an alert should be sent (rate limit + dedup).
  */
 export function shouldAlert(evt, alertState, now = Date.now()) {
-    // Clean entries older than the dedup window (5 min)
+    // Clean entries older than the dedup window (1 min)
     alertState.recentAlerts = alertState.recentAlerts.filter((a) => now - a.time < ALERT_DEDUP_WINDOW_MS);
     // Rate limit: max alerts per minute (count only last 60s)
     const recentCount = alertState.recentAlerts.filter((a) => now - a.time < 60_000).length;
     if (recentCount >= MAX_ALERTS_PER_MINUTE) {
         return false;
     }
-    // Dedup: same title within window
-    const isDupe = alertState.recentAlerts.some((a) => a.title === evt.title && now - a.time < ALERT_DEDUP_WINDOW_MS);
-    if (isDupe)
-        return false;
+    // Skip dedup for failed auth — every attempt matters
+    const skipDedup = evt.category === "ssh_login" &&
+        (evt.title.includes("failed") || evt.title.includes("Failed") || evt.title.includes("invalid") || evt.title.includes("Invalid"));
+    if (!skipDedup) {
+        // Dedup: same title within window
+        const isDupe = alertState.recentAlerts.some((a) => a.title === evt.title && now - a.time < ALERT_DEDUP_WINDOW_MS);
+        if (isDupe)
+            return false;
+    }
     alertState.recentAlerts.push({ time: now, title: evt.title });
     return true;
 }

package/dist/analyzer.js

@@ -78,13 +78,16 @@ export function analyzeLoginEvents(rows, knownHosts) {
         // Skip local logins
         if (!host || host === "localhost" || host === "::1" || host === "127.0.0.1")
             continue;
-        // Skip Tailscale CGNAT range (100.64.0.0/10)
+        // Check if Tailscale CGNAT range (100.64.0.0/10)
         const octets = host.split(".").map(Number);
-        if (octets[0] === 100 && octets[1] >= 64 && octets[1] <= 127)
-            continue;
-        // New remote login from unknown host
-        if (!knownHosts.has(host)) {
-            events.push(event("high", "auth", "SSH login from unknown host", `User "${user}" logged in from unknown host: ${host}\nLogin type: ${type}`, { user, host, type }));
+        const isTailscale = octets[0] === 100 && octets[1] >= 64 && octets[1] <= 127;
+        if (isTailscale || knownHosts.has(host)) {
+            // Known host / Tailscale login — info-level awareness
+            events.push(event("info", "ssh_login", "SSH login detected", `User "${user}" logged in from ${isTailscale ? "Tailscale" : "known"} host: ${host}\nLogin type: ${type}`, { user, host, type, tailscale: isTailscale }));
+        }
+        else {
+            // Unknown host — high severity
+            events.push(event("high", "ssh_login", "SSH login from unknown host", `User "${user}" logged in from unknown host: ${host}\nLogin type: ${type}`, { user, host, type }));
         }
     }
     return events;

package/dist/config.d.ts

@@ -25,9 +25,9 @@ export interface SecurityEvent {
     id: string;
     timestamp: number;
     severity: Severity;
-    category: "process" | "network" | "file" | "auth" | "privilege";
+    category: "process" | "network" | "file" | "auth" | "privilege" | "ssh_login";
     title: string;
     description: string;
-    details: Record<string, unknown>;
+    details: string | Record<string, unknown>;
     hostname: string;
 }

package/dist/index.js

@@ -13,7 +13,7 @@
  * Note: osqueryd requires root/sudo — it must be started separately
  * (e.g., via launchd). This plugin only watches the result logs.
  */
-import { existsSync } from "node:fs";
+import { existsSync, readFileSync } from "node:fs";
 import { readFile } from "node:fs/promises";
 import { join } from "node:path";
 import { homedir } from "node:os";
@@ -22,6 +22,10 @@ import { findOsquery, query } from "./osquery.js";
 import { shouldAlert, meetsThreshold, createAlertState } from "./alerts.js";
 import { EventStore } from "./persistence.js";
 import { ResultLogWatcher } from "./watcher.js";
+import { LogStreamWatcher } from "./log-stream.js";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
 import { analyzeProcessEvents, analyzeLoginEvents, analyzeFailedAuth, analyzeListeningPorts, analyzeFileEvents, formatAlert, } from "./analyzer.js";
 // ── State ──
 const state = {
@@ -129,19 +133,35 @@ function handleResult(result, config, sendAlert) {
  * OpenClaw plugin entry point.
  */
 export default function sentinel(api) {
-    const pluginConfig = api.getConfig?.() ?? {};
+    // api.getConfig() may not return all fields — merge with config file as fallback
+    const apiConfig = api.getConfig?.() ?? {};
+    let fileConfig = {};
+    try {
+        const cfgPath = join(homedir(), ".openclaw", "openclaw.json");
+        const raw = JSON.parse(readFileSync(cfgPath, "utf8"));
+        fileConfig = raw?.plugins?.entries?.sentinel?.config ?? {};
+    }
+    catch { /* ignore */ }
+    const pluginConfig = { ...fileConfig, ...apiConfig };
+    console.log(`[sentinel] Config: alertSeverity=${pluginConfig.alertSeverity}, alertChannel=${pluginConfig.alertChannel}`);
     let watcher = null;
+    let logStreamWatcher = null;
     const sentinelDir = pluginConfig.logPath ?? SENTINEL_DIR_DEFAULT;
     const sendAlert = async (text) => {
+        const channel = pluginConfig.alertChannel;
+        const to = pluginConfig.alertTo;
+        if (!channel || !to) {
+            console.error("[sentinel] Alert skipped: no alertChannel/alertTo configured");
+            return;
+        }
         try {
-            await api.sendMessage?.({
-                channel: pluginConfig.alertChannel,
-                to: pluginConfig.alertTo,
-                message: text,
-            });
+            // Use openclaw CLI for reliable message delivery
+            const args = ["message", "send", "--channel", channel, "--target", to, "--message", text];
+            await execFileAsync("openclaw", args, { timeout: 15_000 });
+            console.log(`[sentinel] Alert sent via ${channel} to ${to}`);
         }
-        catch {
-            console.error("[sentinel] Alert delivery failed:", text);
+        catch (err) {
+            console.error("[sentinel] Alert delivery failed:", err?.message ?? err, text.slice(0, 200));
         }
     };
     // ── Agent tool: sentinel_status ──
@@ -269,6 +289,10 @@ export default function sentinel(api) {
             watcher = null;
             state.watching = false;
         }
+        if (logStreamWatcher) {
+            logStreamWatcher.stop();
+            logStreamWatcher = null;
+        }
     };
     process.on("exit", cleanup);
     process.on("SIGTERM", cleanup);
@@ -326,6 +350,18 @@ export default function sentinel(api) {
                 console.log("[sentinel] Event-driven monitoring active ⚡");
             });
             await watcher.start();
+            // Start real-time log stream watcher for SSH events
+            logStreamWatcher = new LogStreamWatcher((evt) => {
+                logEvent(evt);
+                if (meetsThreshold(evt.severity, pluginConfig.alertSeverity) &&
+                    shouldAlert(evt, alertRateState)) {
+                    sendAlert(formatAlert(evt)).catch((err) => {
+                        console.error("[sentinel] alert failed:", err);
+                    });
+                }
+                console.log(`[sentinel] [real-time] ${evt.severity}/${evt.category}: ${evt.title}`);
+            }, state.knownHosts);
+            logStreamWatcher.start();
         }
         catch (err) {
             console.error("[sentinel] Failed to start:", err);

package/dist/log-stream.d.ts

@@ -0,0 +1,26 @@
+/**
+ * LogStreamWatcher — Real-time event monitoring via macOS `log stream` or Linux `journalctl`.
+ *
+ * Spawns a long-running subprocess that tails system logs for specific events
+ * (SSH login, failed password, sudo) and emits SecurityEvents in real-time.
+ */
+import type { SecurityEvent } from "./config.js";
+type EventCallback = (event: SecurityEvent) => void;
+export declare class LogStreamWatcher {
+    private process;
+    private callback;
+    private knownHosts;
+    private platform;
+    private running;
+    constructor(callback: EventCallback, knownHosts: Set<string>, platform?: string);
+    start(): void;
+    private syslogProcess;
+    private startMacOS;
+    private startMacOSUnifiedLog;
+    private startLinux;
+    private wireUp;
+    stop(): void;
+    /** Update known hosts (e.g. after baseline refresh) */
+    updateKnownHosts(hosts: Set<string>): void;
+}
+export {};

package/dist/log-stream.js

@@ -0,0 +1,414 @@
+/**
+ * LogStreamWatcher — Real-time event monitoring via macOS `log stream` or Linux `journalctl`.
+ *
+ * Spawns a long-running subprocess that tails system logs for specific events
+ * (SSH login, failed password, sudo) and emits SecurityEvents in real-time.
+ */
+import { spawn } from "node:child_process";
+import { createInterface } from "node:readline";
+function event(severity, category, title, description, details) {
+    return {
+        id: `ls-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+        timestamp: Date.now(),
+        severity,
+        category,
+        title,
+        description,
+        details: details ?? {},
+        hostname: "",
+    };
+}
+/**
+ * Parse a macOS `log stream` line for SSH events.
+ * Lines look like:
+ *   2026-02-22 16:30:00.123456-0500  0x1234  Default  0x0  0  sshd: Accepted publickey for sunil from 100.79.207.74 port 52341 ssh2
+ *   2026-02-22 16:30:00.123456-0500  0x1234  Default  0x0  0  sshd: Failed password for sunil from 203.0.113.42 port 22 ssh2
+ *   2026-02-22 16:30:00.123456-0500  0x1234  Default  0x0  0  sshd: Invalid user admin from 203.0.113.42 port 22
+ */
+function parseMacOSLogLine(line, knownHosts) {
+    // Match "Accepted" logins
+    const acceptedMatch = line.match(/sshd.*?:\s+Accepted\s+(\S+)\s+for\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+    if (acceptedMatch) {
+        const [, method, user, host, port] = acceptedMatch;
+        const isTailscale = isTailscaleIP(host);
+        const isKnown = knownHosts.has(host) || isTailscale;
+        return event(isKnown ? "info" : "high", "ssh_login", isKnown ? "SSH login detected" : "SSH login from unknown host", `User "${user}" logged in via ${method} from ${isTailscale ? "Tailscale" : isKnown ? "known" : "UNKNOWN"} host: ${host}:${port}`, { user, host, port, method, tailscale: isTailscale, known: isKnown });
+    }
+    // Match "Failed password"
+    const failedMatch = line.match(/sshd.*?:\s+Failed\s+password\s+for\s+(?:invalid\s+user\s+)?(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+    if (failedMatch) {
+        const [, user, host, port] = failedMatch;
+        return event("high", "ssh_login", "SSH failed password attempt", `Failed password for "${user}" from ${host}:${port}`, { user, host, port, type: "failed_password" });
+    }
+    // Match "Invalid user"
+    const invalidMatch = line.match(/sshd.*?:\s+Invalid\s+user\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+    if (invalidMatch) {
+        const [, user, host, port] = invalidMatch;
+        return event("high", "ssh_login", "SSH invalid user attempt", `Invalid user "${user}" from ${host}:${port}`, { user, host, port, type: "invalid_user" });
+    }
+    return null;
+}
+/**
+ * Parse a Linux journalctl line for SSH events.
+ * Lines look like:
+ *   Feb 22 16:30:00 hostname sshd[1234]: Accepted publickey for sunil from 100.79.207.74 port 52341 ssh2
+ */
+function parseLinuxLogLine(line, knownHosts) {
+    // Same patterns work for both — sshd output is consistent
+    return parseMacOSLogLine(line, knownHosts);
+}
+/**
+ * Parse Linux sudo events from journalctl / auth.log.
+ * Lines look like:
+ *   Feb 22 16:30:00 hostname sudo[1234]:   sunil : TTY=pts/0 ; PWD=/home/sunil ; USER=root ; COMMAND=/usr/bin/apt update
+ *   Feb 22 16:30:00 hostname sudo[1234]: pam_unix(sudo:session): session opened for user root(uid=0) by sunil(uid=1000)
+ *   Feb 22 16:30:00 hostname sudo[1234]:   sunil : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/sunil ; USER=root ; COMMAND=/usr/bin/rm -rf /
+ */
+function parseLinuxSudo(line) {
+    // Standard sudo command log
+    const cmdMatch = line.match(/sudo\[\d+\]:\s+(\S+)\s*:\s*(?:.*?;\s*)?TTY=(\S+)\s*;\s*PWD=(\S+)\s*;\s*USER=(\S+)\s*;\s*COMMAND=(.*)/);
+    if (cmdMatch) {
+        const [, user, tty, pwd, targetUser, command] = cmdMatch;
+        const hasFailure = line.includes("incorrect password");
+        return event(hasFailure ? "high" : "medium", "privilege", hasFailure ? "sudo authentication failure" : "sudo command executed", `${user} → ${targetUser}: ${command.trim()} (TTY ${tty})`, { user, targetUser, command: command.trim(), tty, pwd, failed: hasFailure });
+    }
+    // PAM session opened for sudo
+    const sessionMatch = line.match(/sudo\[\d+\]:\s+pam_unix\(sudo:session\):\s+session\s+opened\s+for\s+user\s+(\S+).*?by\s+(\S+)/);
+    if (sessionMatch) {
+        const [, targetUser, user] = sessionMatch;
+        return event("info", "privilege", "sudo session started", `sudo session opened: ${user} → ${targetUser}`, { user: user.replace(/\(.*\)/, ""), targetUser: targetUser.replace(/\(.*\)/, ""), source: "pam" });
+    }
+    return null;
+}
+/**
+ * Parse Linux user account change events.
+ * Lines from useradd/userdel/usermod/passwd via journalctl or auth.log:
+ *   Feb 22 16:30:00 hostname useradd[1234]: new user: name=backdoor, UID=1001, GID=1001, home=/home/backdoor, shell=/bin/bash
+ *   Feb 22 16:30:00 hostname userdel[1234]: delete user 'olduser'
+ *   Feb 22 16:30:00 hostname usermod[1234]: change user 'sunil' password
+ *   Feb 22 16:30:00 hostname passwd[1234]: pam_unix(passwd:chauthtok): password changed for sunil
+ *   Feb 22 16:30:00 hostname groupadd[1234]: new group: name=newgroup, GID=1002
+ */
+function parseLinuxUserAccount(line) {
+    // New user created (name field ends with comma in useradd output)
+    const useraddMatch = line.match(/useradd\[\d+\]:\s+new\s+user:\s+name=([^,\s]+)/);
+    if (useraddMatch) {
+        return event("critical", "auth", "User account created", `New user account created: ${useraddMatch[1]}`, { user: useraddMatch[1], type: "user_created" });
+    }
+    // User deleted
+    const userdelMatch = line.match(/userdel\[\d+\]:\s+delete\s+user\s+'(\S+)'/);
+    if (userdelMatch) {
+        return event("high", "auth", "User account deleted", `User account deleted: ${userdelMatch[1]}`, { user: userdelMatch[1], type: "user_deleted" });
+    }
+    // Password changed via passwd command
+    const passwdMatch = line.match(/passwd\[\d+\]:\s+pam_unix\(passwd:chauthtok\):\s+password\s+changed\s+for\s+(\S+)/);
+    if (passwdMatch) {
+        return event("high", "auth", "User password changed", `Password changed for user: ${passwdMatch[1]}`, { user: passwdMatch[1], type: "password_changed" });
+    }
+    // User modified (usermod)
+    const usermodMatch = line.match(/usermod\[\d+\]:\s+change\s+user\s+'(\S+)'/);
+    if (usermodMatch) {
+        return event("high", "auth", "User account modified", `User account modified: ${usermodMatch[1]}`, { user: usermodMatch[1], type: "user_modified" });
+    }
+    // New group (often accompanies user creation)
+    const groupaddMatch = line.match(/groupadd\[\d+\]:\s+new\s+group:\s+name=([^,\s]+)/);
+    if (groupaddMatch) {
+        return event("medium", "auth", "Group created", `New group created: ${groupaddMatch[1]}`, { group: groupaddMatch[1], type: "group_created" });
+    }
+    return null;
+}
+/**
+ * Parse Linux remote desktop / VNC events.
+ * Lines from xrdp, vncserver, x11vnc:
+ *   Feb 22 16:30:00 hostname xrdp[1234]: connected client: 203.0.113.42
+ *   Feb 22 16:30:00 hostname xrdp-sesman[1234]: session started for user sunil
+ *   Feb 22 16:30:00 hostname x11vnc[1234]: Got connection from client 203.0.113.42
+ */
+function parseLinuxRemoteDesktop(line) {
+    // xrdp client connection
+    const xrdpMatch = line.match(/xrdp\[\d+\]:\s+.*?(?:connected|connection).*?(\d+\.\d+\.\d+\.\d+)/i);
+    if (xrdpMatch) {
+        return event("high", "auth", "RDP connection detected", `RDP connection from ${xrdpMatch[1]}`, { type: "rdp", host: xrdpMatch[1] });
+    }
+    // xrdp session started
+    const xrdpSessionMatch = line.match(/xrdp-sesman\[\d+\]:\s+.*?session\s+started.*?user\s+(\S+)/i);
+    if (xrdpSessionMatch) {
+        return event("high", "auth", "RDP session started", `RDP session started for user: ${xrdpSessionMatch[1]}`, { type: "rdp_session", user: xrdpSessionMatch[1] });
+    }
+    // VNC connection (x11vnc, tigervnc, etc.)
+    const vncMatch = line.match(/(?:x11vnc|vnc|Xvnc)\[\d+\]:\s+.*?(?:connection|connect).*?(\d+\.\d+\.\d+\.\d+)/i);
+    if (vncMatch) {
+        return event("high", "auth", "VNC connection detected", `VNC connection from ${vncMatch[1]}`, { type: "vnc", host: vncMatch[1] });
+    }
+    return null;
+}
+/**
+ * Parse macOS /var/log/system.log lines for SSH events.
+ * Lines look like:
+ *   Feb 22 16:39:32 sunils-mac-mini sshd-session: sunil [priv][58912]: USER_PROCESS: 58916 ttys001
+ *   Feb 22 16:38:12 sunils-mac-mini sshd-session: sunil [priv][53930]: DEAD_PROCESS: 53934 ttys012
+ *   Feb 22 16:51:16 sunils-mac-mini sshd[60738]: Failed password for sunil from 100.79.207.74 port 52341 ssh2
+ *   Feb 22 16:51:16 sunils-mac-mini sshd[60738]: Invalid user admin from 100.79.207.74 port 52341
+ */
+function parseMacOSSyslog(line, knownHosts) {
+    // Match sshd-session USER_PROCESS (successful login)
+    const sessionMatch = line.match(/sshd-session:\s+(\S+)\s+\[priv\]\[(\d+)\]:\s+USER_PROCESS:\s+(\d+)\s+(\S+)/);
+    if (sessionMatch) {
+        const [, user, parentPid, pid, tty] = sessionMatch;
+        // We don't have the source IP from syslog — query utmpx for it
+        return event("info", "ssh_login", "SSH session started", `User "${user}" started SSH session (PID ${pid}, TTY ${tty})`, { user, pid, parentPid, tty, source: "syslog" });
+    }
+    // Match Failed password (if sshd logs this to system.log)
+    const failedMatch = line.match(/sshd\[\d+\]:\s+Failed\s+password\s+for\s+(?:invalid\s+user\s+)?(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+    if (failedMatch) {
+        const [, user, host, port] = failedMatch;
+        return event("high", "ssh_login", "SSH failed password attempt", `Failed password for "${user}" from ${host}:${port}`, { user, host, port, type: "failed_password" });
+    }
+    // Match Invalid user
+    const invalidMatch = line.match(/sshd\[\d+\]:\s+Invalid\s+user\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+    if (invalidMatch) {
+        const [, user, host, port] = invalidMatch;
+        return event("high", "ssh_login", "SSH invalid user attempt", `Invalid user "${user}" from ${host}:${port}`, { user, host, port, type: "invalid_user" });
+    }
+    // Match sudo from system.log
+    const sudoMatch = line.match(/sudo\[(\d+)\]:\s+(\S+)\s*:\s*TTY=(\S+)\s*;\s*PWD=(\S+)\s*;\s*USER=(\S+)\s*;\s*COMMAND=(.*)/);
+    if (sudoMatch) {
+        const [, pid, user, tty, pwd, targetUser, command] = sudoMatch;
+        return event("medium", "privilege", "sudo command executed", `${user} → ${targetUser}: ${command.trim()} (TTY ${tty}, PID ${pid})`, { user, targetUser, command: command.trim(), tty, pwd, pid });
+    }
+    // Match sudo USER_PROCESS from system.log (macOS Sequoia format)
+    const sudoSessionMatch = line.match(/sudo\[(\d+)\]:\s+USER_PROCESS/);
+    if (sudoSessionMatch) {
+        return event("info", "privilege", "sudo session started", `sudo session started (PID ${sudoSessionMatch[1]})`, { pid: sudoSessionMatch[1], source: "syslog" });
+    }
+    return null;
+}
+/**
+ * Parse macOS unified log lines for PAM authentication errors.
+ * Line format:
+ *   2026-02-22 16:56:51.705020-0500  0x14e5ecb  Default  0x0  62761  0  sshd-session: error: PAM: authentication error for sunil from 100.79.207.74
+ */
+function parseMacOSAuthError(line, _knownHosts) {
+    // PAM authentication error (valid user, wrong password)
+    const authMatch = line.match(/sshd-session.*?PAM:\s+authentication\s+error\s+for\s+(\S+)\s+from\s+(\S+)/);
+    if (authMatch) {
+        const [, user, host] = authMatch;
+        return event("high", "ssh_login", "SSH failed authentication", `Failed authentication (PAM) for "${user}" from ${host}`, { user, host, type: "pam_auth_error" });
+    }
+    // PAM unknown user (invalid username)
+    const unknownMatch = line.match(/sshd-session.*?PAM:\s+unknown\s+user\s+for\s+illegal\s+user\s+(\S+)\s+from\s+(\S+)/);
+    if (unknownMatch) {
+        const [, user, host] = unknownMatch;
+        return event("high", "ssh_login", "SSH invalid user attempt", `Unknown user "${user}" attempted login from ${host}`, { user, host, type: "unknown_user" });
+    }
+    // Invalid user line
+    const invalidMatch = line.match(/sshd-session.*?Invalid\s+user\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+    if (invalidMatch) {
+        const [, user, host, port] = invalidMatch;
+        return event("high", "ssh_login", "SSH invalid user attempt", `Invalid user "${user}" from ${host}:${port}`, { user, host, port, type: "invalid_user" });
+    }
+    // Failed keyboard-interactive/pam
+    const failedMatch = line.match(/sshd-session.*?Failed\s+\S+\s+for\s+(?:invalid\s+user\s+)?(\S+)\s+from\s+(\S+)\s+port\s+(\d+)/);
+    if (failedMatch) {
+        const [, user, host, port] = failedMatch;
+        return event("high", "ssh_login", "SSH failed authentication", `Failed login for "${user}" from ${host}:${port}`, { user, host, port, type: "failed_auth" });
+    }
+    return null;
+}
+/**
+ * Parse screen sharing / VNC connection events.
+ */
+function parseScreenSharing(line) {
+    // Authentication attempt
+    const authMatch = line.match(/screensharingd.*?Authentication:\s+(.*)/);
+    if (authMatch) {
+        return event("high", "auth", "Screen sharing authentication", `Screen sharing auth attempt: ${authMatch[1]}`, { type: "screen_sharing", detail: authMatch[1] });
+    }
+    // VNC connection
+    const vncMatch = line.match(/screensharingd.*?VNC.*?(\d+\.\d+\.\d+\.\d+)/);
+    if (vncMatch) {
+        return event("high", "auth", "VNC connection detected", `VNC connection from ${vncMatch[1]}`, { type: "vnc", host: vncMatch[1] });
+    }
+    // Client connection
+    const clientMatch = line.match(/screensharingd.*?client\s+(\S+)\s+connected/i);
+    if (clientMatch) {
+        return event("high", "auth", "Screen sharing client connected", `Screen sharing client connected: ${clientMatch[1]}`, { type: "screen_sharing_client", client: clientMatch[1] });
+    }
+    return null;
+}
+/**
+ * Parse user account change events from opendirectoryd.
+ */
+function parseUserAccountChange(line) {
+    const createdMatch = line.match(/opendirectoryd.*?(?:user|record)\s+(\S+).*?created/i);
+    if (createdMatch) {
+        return event("critical", "auth", "User account created", `New user account created: ${createdMatch[1]}`, { user: createdMatch[1], type: "user_created" });
+    }
+    const deletedMatch = line.match(/opendirectoryd.*?(?:user|record)\s+(\S+).*?deleted/i);
+    if (deletedMatch) {
+        return event("high", "auth", "User account deleted", `User account deleted: ${deletedMatch[1]}`, { user: deletedMatch[1], type: "user_deleted" });
+    }
+    const passwordMatch = line.match(/opendirectoryd.*?(?:user|record)\s+(\S+).*?password\s+changed/i);
+    if (passwordMatch) {
+        return event("high", "auth", "User password changed", `Password changed for user: ${passwordMatch[1]}`, { user: passwordMatch[1], type: "password_changed" });
+    }
+    return null;
+}
+function isTailscaleIP(host) {
+    const octets = host.split(".").map(Number);
+    return octets[0] === 100 && octets[1] >= 64 && octets[1] <= 127;
+}
+export class LogStreamWatcher {
+    process = null;
+    callback;
+    knownHosts;
+    platform;
+    running = false;
+    constructor(callback, knownHosts, platform) {
+        this.callback = callback;
+        this.knownHosts = knownHosts;
+        this.platform = platform ?? process.platform;
+    }
+    start() {
+        if (this.running)
+            return;
+        this.running = true;
+        if (this.platform === "darwin") {
+            this.startMacOS();
+        }
+        else {
+            this.startLinux();
+        }
+    }
+    syslogProcess = null;
+    startMacOS() {
+        // Two sources on modern macOS:
+        // 1. /var/log/system.log — successful SSH sessions (sshd-session USER_PROCESS)
+        // 2. unified log stream — failed auth (PAM errors from sshd-session)
+        // Source 1: tail system.log for successful logins
+        this.process = spawn("tail", ["-F", "-n", "0", "/var/log/system.log"], {
+            stdio: ["ignore", "pipe", "ignore"],
+        });
+        console.log("[sentinel] LogStreamWatcher started (macOS system.log tail, SSH sessions)");
+        this.wireUp((line) => parseMacOSSyslog(line, this.knownHosts));
+        // Source 2: log stream for failed SSH auth + sudo + screen sharing + user account changes
+        const predicate = [
+            // SSH failed auth
+            '(process == "sshd-session" AND (eventMessage CONTAINS "authentication error" OR eventMessage CONTAINS "unknown user" OR eventMessage CONTAINS "Invalid user" OR eventMessage CONTAINS "Failed"))',
+            // Screen sharing connections
+            '(process == "screensharingd" AND (eventMessage CONTAINS "Authentication" OR eventMessage CONTAINS "client" OR eventMessage CONTAINS "VNC"))',
+            // User account changes (creation, deletion, modification)
+            '(process == "opendirectoryd" AND (eventMessage CONTAINS "created" OR eventMessage CONTAINS "deleted" OR eventMessage CONTAINS "password changed"))',
+        ].join(" OR ");
+        this.syslogProcess = spawn("log", ["stream", "--predicate", predicate, "--style", "default", "--info"], {
+            stdio: ["ignore", "pipe", "ignore"],
+        });
+        if (this.syslogProcess.stdout) {
+            const rl = createInterface({ input: this.syslogProcess.stdout });
+            rl.on("line", (line) => {
+                const evt = parseMacOSAuthError(line, this.knownHosts)
+                    ?? parseScreenSharing(line)
+                    ?? parseUserAccountChange(line);
+                if (evt)
+                    this.callback(evt);
+            });
+        }
+        console.log("[sentinel] LogStreamWatcher started (macOS log stream, auth + screen sharing + user accounts)");
+        this.syslogProcess.on("exit", (code) => {
+            console.log(`[sentinel] LogStream (unified log) exited (code ${code})`);
+            if (this.running) {
+                setTimeout(() => this.startMacOSUnifiedLog(), 5000);
+            }
+        });
+    }
+    startMacOSUnifiedLog() {
+        const predicate = [
+            '(process == "sshd-session" AND (eventMessage CONTAINS "authentication error" OR eventMessage CONTAINS "unknown user" OR eventMessage CONTAINS "Invalid user" OR eventMessage CONTAINS "Failed"))',
+            '(process == "screensharingd" AND (eventMessage CONTAINS "Authentication" OR eventMessage CONTAINS "client" OR eventMessage CONTAINS "VNC"))',
+            '(process == "opendirectoryd" AND (eventMessage CONTAINS "created" OR eventMessage CONTAINS "deleted" OR eventMessage CONTAINS "password changed"))',
+        ].join(" OR ");
+        this.syslogProcess = spawn("log", ["stream", "--predicate", predicate, "--style", "default", "--info"], {
+            stdio: ["ignore", "pipe", "ignore"],
+        });
+        if (this.syslogProcess.stdout) {
+            const rl = createInterface({ input: this.syslogProcess.stdout });
+            rl.on("line", (line) => {
+                const evt = parseMacOSAuthError(line, this.knownHosts)
+                    ?? parseScreenSharing(line)
+                    ?? parseUserAccountChange(line);
+                if (evt)
+                    this.callback(evt);
+            });
+        }
+    }
+    startLinux() {
+        // Watch multiple systemd units for comprehensive monitoring:
+        // - sshd/ssh: SSH login/failure events
+        // - sudo: privilege escalation
+        // - systemd-logind: session events
+        // - xrdp/vnc: remote desktop access
+        // Also use SYSLOG_IDENTIFIER for useradd/userdel/usermod/passwd/groupadd
+        this.process = spawn("journalctl", [
+            "-f", "--no-pager", "-o", "short",
+            "-u", "sshd", "-u", "ssh",
+            "-u", "sudo",
+            "-u", "systemd-logind",
+            "-u", "xrdp", "-u", "xrdp-sesman",
+            // Catch useradd/userdel/passwd via syslog identifiers
+            "-t", "useradd", "-t", "userdel", "-t", "usermod", "-t", "passwd", "-t", "groupadd",
+            // VNC servers
+            "-t", "x11vnc", "-t", "Xvnc",
+        ], {
+            stdio: ["ignore", "pipe", "ignore"],
+        });
+        console.log("[sentinel] LogStreamWatcher started (Linux journalctl, SSH + sudo + user accounts + remote desktop)");
+        this.wireUp((line) => {
+            return parseLinuxLogLine(line, this.knownHosts)
+                ?? parseLinuxSudo(line)
+                ?? parseLinuxUserAccount(line)
+                ?? parseLinuxRemoteDesktop(line);
+        });
+    }
+    wireUp(parser) {
+        if (!this.process?.stdout)
+            return;
+        const rl = createInterface({ input: this.process.stdout });
+        rl.on("line", (line) => {
+            const evt = parser(line);
+            if (evt) {
+                this.callback(evt);
+            }
+        });
+        this.process.on("exit", (code) => {
+            console.log(`[sentinel] LogStreamWatcher exited (code ${code})`);
+            if (this.running) {
+                // Auto-restart after 5 seconds
+                setTimeout(() => {
+                    console.log("[sentinel] LogStreamWatcher restarting...");
+                    if (this.platform === "darwin")
+                        this.startMacOS();
+                    else
+                        this.startLinux();
+                }, 5000);
+            }
+        });
+        this.process.on("error", (err) => {
+            console.error("[sentinel] LogStreamWatcher error:", err.message);
+        });
+    }
+    stop() {
+        this.running = false;
+        if (this.process) {
+            this.process.kill("SIGTERM");
+            this.process = null;
+        }
+        if (this.syslogProcess) {
+            this.syslogProcess.kill("SIGTERM");
+            this.syslogProcess = null;
+        }
+    }
+    /** Update known hosts (e.g. after baseline refresh) */
+    updateKnownHosts(hosts) {
+        this.knownHosts = hosts;
+    }
+}

package/dist/osquery.js

@@ -64,7 +64,7 @@ export function generateOsqueryConfig(config, platform) {
     const schedule = {
         logged_in_users: {
             query: "SELECT type, user, host, time, pid FROM logged_in_users;",
-            interval: 60,
+            interval: 10,
             removed: false,
             description: "Currently logged-in users",
         },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-sentinel",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Real-time endpoint security monitoring plugin for OpenClaw",
   "type": "module",
   "main": "dist/index.js",