{
  "schemaVersion": "1.0",
  "item": {
    "slug": "sys-guard-linux-remediator",
    "name": "Linux Incident Remediator",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/kiaraho/sys-guard-linux-remediator",
    "canonicalUrl": "https://clawhub.ai/kiaraho/sys-guard-linux-remediator",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/sys-guard-linux-remediator",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sys-guard-linux-remediator",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/sys-guard-linux-remediator"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate that the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/sys-guard-linux-remediator",
    "agentPageUrl": "https://openagent3.xyz/skills/sys-guard-linux-remediator/agent",
    "manifestUrl": "https://openagent3.xyz/skills/sys-guard-linux-remediator/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/sys-guard-linux-remediator/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Linux Threat Mitigation and Incident Remediation (Hardened Edition)",
        "body": "This skill provides a structured, forensically-aware framework for analyzing and securing a Linux host during or after a security event.\n\nIt emphasizes:\n\nNon-destructive evidence collection\nAccurate threat detection\nFirewall-aware containment\nIntegrity verification\nControlled, reversible remediation\nDistribution-aware command usage"
      },
      {
        "title": "Supported Systems",
        "body": "Debian / Ubuntu\nRHEL / CentOS / Rocky / Alma\nFedora\nArch Linux (limited package guidance)"
      },
      {
        "title": "Execution Assumptions",
        "body": "Shell: bash or POSIX sh\nPrivilege: Root or sudo\nHost-level access (NOT container-restricted environments)\nsystemd-based systems preferred\n\n⚠️ If running inside Docker, Kubernetes, LXC, or other containers, firewall, audit, and service commands may not reflect the host system."
      },
      {
        "title": "Firewall Architecture Awareness",
        "body": "Modern Linux systems may use:\n\niptables-legacy\niptables-nft (compatibility wrapper)\nNative nftables\nfirewalld (RHEL-family default)"
      },
      {
        "title": "Identify Firewall Backend",
        "body": "iptables --version\nwhich nft\nsystemctl status firewalld\n\nIf nftables is active:\n\nnft list ruleset\n\nDo NOT assume iptables -L represents the full firewall state."
      },
      {
        "title": "Logging Differences by Distribution",
        "body": "Distribution\tPrimary Log File\nUbuntu/Debian\t/var/log/syslog\nRHEL/CentOS/Fedora\t/var/log/messages\nAll modern systemd\tjournalctl\n\nAlways prefer:\n\njournalctl -xe"
      },
      {
        "title": "Listening Services",
        "body": "ss -tulpn"
      },
      {
        "title": "Active Connections",
        "body": "ss -antp | grep ESTABLISHED"
      },
      {
        "title": "Firewall State",
        "body": "iptables\n\niptables -L -n -v --line-numbers\niptables -S\n\nnftables\n\nnft list ruleset"
      },
      {
        "title": "Local Service Enumeration (Low Noise)",
        "body": "ss -lntup\n\nAvoid unnecessary full scans of localhost unless required."
      },
      {
        "title": "Conservative Network Scan",
        "body": "nmap -sV -T3 -p- localhost"
      },
      {
        "title": "Packet Capture (Short Snapshot)",
        "body": "tcpdump -i any -nn -c 100"
      },
      {
        "title": "Process Tree",
        "body": "ps auxww --forest"
      },
      {
        "title": "High CPU / Memory",
        "body": "top"
      },
      {
        "title": "Open File Handles",
        "body": "lsof -p <PID>"
      },
      {
        "title": "System Call Trace (Caution: Alters Timing)",
        "body": "strace -p <PID>\n\n⚠️ strace may change process behavior. Use carefully during live compromise."
      },
      {
        "title": "Kernel Modules",
        "body": "lsmod"
      },
      {
        "title": "Kernel Messages",
        "body": "dmesg | tail -50"
      },
      {
        "title": "Rootkit Scanners",
        "body": "rkhunter --check\nchkrootkit\n\nMay produce false positives. Validate findings manually."
      },
      {
        "title": "Antivirus Scan (Targeted)",
        "body": "clamscan -r /home\n\nUse selectively; large scans increase I/O and may alter access timestamps."
      },
      {
        "title": "Lynis System Audit",
        "body": "lynis audit system"
      },
      {
        "title": "AIDE (After Initialization)",
        "body": "Install:\n\napt install aide\n# or\ndnf install aide\n\nInitialize:\n\naideinit\nmv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\nRun Check:\n\naide --check"
      },
      {
        "title": "RHEL Package Verification",
        "body": "rpm -Va"
      },
      {
        "title": "Debian Package Verification",
        "body": "apt install debsums\ndebsums -s"
      },
      {
        "title": "5. Forensic Analysis (Didier Stevens Suite)",
        "body": "Install:\n\nsudo mkdir -p /opt/forensics\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/base64dump.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/re-search.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/zipdump.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/1768.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/pdf-parser.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/oledump.py\nsudo chmod +x /opt/forensics/*.py"
      },
      {
        "title": "Decode Base64",
        "body": "python3 /opt/forensics/base64dump.py file.txt"
      },
      {
        "title": "IOC Search",
        "body": "python3 /opt/forensics/re-search.py -n ipv4 logfile"
      },
      {
        "title": "Inspect ZIP (No Extraction)",
        "body": "python3 /opt/forensics/zipdump.py suspicious.zip"
      },
      {
        "title": "Extract Cobalt Strike Beacon Config",
        "body": "python3 /opt/forensics/1768.py payload.bin"
      },
      {
        "title": "Inspect Office/PDF Documents",
        "body": "python3 /opt/forensics/pdf-parser.py file.pdf\npython3 /opt/forensics/oledump.py file.doc\n\nStatic inspection only. Never execute suspicious files."
      },
      {
        "title": "Current Sessions",
        "body": "who -a"
      },
      {
        "title": "Login History",
        "body": "last -a"
      },
      {
        "title": "Failed SSH Logins",
        "body": "Ubuntu/Debian:\n\njournalctl -u ssh.service | grep \"Failed password\"\n\nRHEL/Fedora:\n\njournalctl -u sshd.service | grep \"Failed password\""
      },
      {
        "title": "Sudo Activity",
        "body": "journalctl _COMM=sudo"
      },
      {
        "title": "Audit Logs",
        "body": "ausearch -m USER_AUTH,USER_LOGIN,USER_CHAUTHTOK"
      },
      {
        "title": "iptables (Immediate)",
        "body": "iptables -I INPUT 1 -s <IP> -j DROP"
      },
      {
        "title": "nftables",
        "body": "nft add rule inet filter input ip saddr <IP> drop\n\nIf firewalld is active:\n\nfirewall-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"<IP>\" drop'"
      },
      {
        "title": "Persisting Firewall Rules",
        "body": "iptables (Debian):\n\nnetfilter-persistent save\n\niptables (manual save):\n\niptables-save > /etc/iptables/rules.v4\n\nfirewalld:\n\nfirewall-cmd --runtime-to-permanent\n\nnftables:\n\nnft list ruleset > /etc/nftables.conf"
      },
      {
        "title": "Process Containment Strategy",
        "body": "Preferred escalation:\n\nObserve\nkill -TERM <PID>\nIf required: kill -STOP <PID> for analysis\nUse kill -KILL <PID> only if necessary\n\nAvoid killall or broad pkill."
      },
      {
        "title": "Service Isolation",
        "body": "systemctl stop <service>\nsystemctl disable <service>\nsystemctl mask <service>"
      },
      {
        "title": "Cron Jobs",
        "body": "crontab -l\nls -lah /etc/cron*"
      },
      {
        "title": "Systemd Persistence",
        "body": "ls -lah /etc/systemd/system/"
      },
      {
        "title": "Startup Scripts",
        "body": "cat /etc/rc.local"
      },
      {
        "title": "SELinux Awareness (RHEL/Fedora)",
        "body": "Check status:\n\ngetenforce\n\nReview denials:\n\nausearch -m AVC"
      },
      {
        "title": "Forensic Hygiene",
        "body": "Never execute suspicious binaries.\nPreserve evidence before deletion:\n\nsha256sum file\nmkdir -p /root/quarantine\nmv file /root/quarantine/file.vir\n\nLog every remediation step:\n\ndate -u\n\nDocument:\n\nTimestamp\nCommand executed\nObserved outcome"
      },
      {
        "title": "Routine Audit",
        "body": "Run lynis audit system\nVerify no unknown listening services\nCheck for modified system binaries"
      },
      {
        "title": "Active Threat",
        "body": "Identify high CPU process\nCapture short tcpdump\nExtract file hash\nContain IP via firewall\nPreserve malicious artifact"
      },
      {
        "title": "Suspicious File",
        "body": "Use zipdump\nExtract hash\nMove to quarantine\nSearch logs for execution attempts"
      },
      {
        "title": "Safety Guardrails",
        "body": "These guardrails are mandatory and apply to all remediation activity. Their purpose is to prevent self-inflicted outages, preserve forensic integrity, and ensure reversible, controlled incident response."
      },
      {
        "title": "1. State Verification (Pre- and Post-Change Validation)",
        "body": "Before executing any remediation command:\n\nRecord timestamp (UTC):\ndate -u\n\n\n\nRun a discovery command to capture current state:\n\nNetwork: ss -tulpn\nActive connections: ss -antp\nFirewall (iptables): iptables -L -n -v\nFirewall (nftables): nft list ruleset\nfirewalld: firewall-cmd --list-all\n\nAfter remediation:\n\nRe-run the same discovery command.\nCompare state change and confirm:\n\nIntended effect achieved\nNo unintended service disruption\nNo management lockout (e.g., SSH access intact)\n\nNever assume a command succeeded without verifying its effect."
      },
      {
        "title": "2. No Wildcards or Broad Termination",
        "body": "To prevent catastrophic system damage:\n\nNEVER use:\n\nrm -rf *\nrm -rf /\nkillall\nBroad pkill patterns\nUnbounded globbing in sensitive directories\n\n\n\nAlways:\n\nUse absolute file paths (e.g., /tmp/malware.bin)\nTarget explicit PIDs (kill -TERM <PID>)\nConfirm file existence with ls -lah <file>\nHash suspicious files before modification:\nsha256sum <file>\n\nWildcard deletions and pattern-based termination are prohibited during incident response."
      },
      {
        "title": "3. Persistence & Re-Spawn Inspection",
        "body": "After containment of a malicious process or service, immediately inspect for persistence mechanisms."
      },
      {
        "title": "Check:",
        "body": "Cron Jobs\n\ncrontab -l\nls -lah /etc/cron*\n\nsystemd Services & Timers\n\nsystemctl list-unit-files --type=service\nsystemctl list-timers --all\nls -lah /etc/systemd/system/\n\nInit Scripts\n\nls -lah /etc/init.d/\ncat /etc/rc.local\n\nUser-Level Persistence\n\nls -lah ~/.config/systemd/user/\n\nSSH Backdoors\n\ncat ~/.ssh/authorized_keys\n\nAfter removal of malicious artifacts:\n\nRun integrity verification:\naide --check\n\n\nOn RHEL-based systems:\nrpm -Va\n\n\nOn Debian-based systems:\ndebsums -s\n\nDo not consider a threat eradicated until persistence mechanisms are eliminated."
      },
      {
        "title": "A. Anti-Lockout Requirement",
        "body": "Before modifying firewall rules:\n\nConfirm SSH listening port:\nss -tulpn | grep ssh\n\n\n\nConfirm an explicit ACCEPT rule exists for:\n\nCurrent management IP\nSSH port\n\nNEVER:\n\niptables -F\n\nNEVER set a default DROP policy without verifying that an SSH access rule exists."
      },
      {
        "title": "B. Immediate vs Persistent Rules",
        "body": "Firewall rule changes are runtime by default and may not survive reboot.\n\niptables (Debian/Ubuntu)\n\nRuntime only until saved:\n\niptables-save > /etc/iptables/rules.v4\n\nIf using netfilter-persistent:\n\nnetfilter-persistent save\n\nRHEL (legacy iptables service)\n\nservice iptables save\n\nfirewalld\n\nRuntime-to-permanent:\n\nfirewall-cmd --runtime-to-permanent\n\nnftables\n\nPersist ruleset:\n\nnft list ruleset > /etc/nftables.conf\n\nDocument:\n\nWhether rule is temporary or permanent\nLocation of saved configuration\nVerification after reboot (if applicable)"
      },
      {
        "title": "5. Forensic Preservation Before Destruction",
        "body": "Before deleting or killing:\n\nHash the artifact:\nsha256sum <file>\n\n\n\nMove to quarantine:\nmkdir -p /root/quarantine\nmv <file> /root/quarantine/<file>.vir\n\n\n\nRecord:\n\nTimestamp (UTC)\nOriginal path\nHash value\nReason for containment\n\nAvoid kill -9 unless absolutely required. Prefer:\n\nkill -TERM <PID>\nkill -STOP <PID> (if forensic inspection needed)\nkill -KILL <PID> only as last resort"
      },
      {
        "title": "6. Change Logging Requirement",
        "body": "Every remediation action must include:\n\ndate -u\nCommand executed\nJustification\nObserved outcome\nUpdated risk level (if applicable)\n\nRemediation without documentation is non-compliant."
      },
      {
        "title": "7. Minimal-Impact Principle",
        "body": "All actions must follow:\n\nSmallest necessary change\nReversible where possible\nNo broad configuration resets\nNo service restarts without justification\nNo system-wide scans during active compromise unless scoped\n\nContain first. Eradicate methodically. Recover cautiously."
      }
    ],
    "body": "Linux Threat Mitigation and Incident Remediation (Hardened Edition)\n\nThis skill provides a structured, forensically-aware framework for analyzing and securing a Linux host during or after a security event.\n\nIt emphasizes:\n\nNon-destructive evidence collection\nAccurate threat detection\nFirewall-aware containment\nIntegrity verification\nControlled, reversible remediation\nDistribution-aware command usage\nEnvironment Context\nSupported Systems\nDebian / Ubuntu\nRHEL / CentOS / Rocky / Alma\nFedora\nArch Linux (limited package guidance)\nExecution Assumptions\nShell: bash or POSIX sh\nPrivilege: Root or sudo\nHost-level access (NOT container-restricted environments)\nsystemd-based systems preferred\n\n⚠️ If running inside Docker, Kubernetes, LXC, or other containers, firewall, audit, and service commands may not reflect the host system.\n\nFirewall Architecture Awareness\n\nModern Linux systems may use:\n\niptables-legacy\niptables-nft (compatibility wrapper)\nNative nftables\nfirewalld (RHEL-family default)\nIdentify Firewall Backend\niptables --version\nwhich nft\nsystemctl status firewalld\n\n\nIf nftables is active:\n\nnft list ruleset\n\n\nDo NOT assume iptables -L represents the full firewall state.\n\nLogging Differences by Distribution\nDistribution\tPrimary Log File\nUbuntu/Debian\t/var/log/syslog\nRHEL/CentOS/Fedora\t/var/log/messages\nAll modern systemd\tjournalctl\n\nAlways prefer:\n\njournalctl -xe\n\nOperational Toolkit (Hardened)\n1. Network Inspection\nListening Services\nss -tulpn\n\nActive Connections\nss -antp | grep ESTABLISHED\n\nFirewall State\niptables\niptables -L -n -v --line-numbers\niptables -S\n\nnftables\nnft list ruleset\n\nLocal Service Enumeration (Low Noise)\nss -lntup\n\n\nAvoid unnecessary full scans of localhost unless required.\n\nConservative Network Scan\nnmap -sV -T3 -p- localhost\n\nPacket Capture (Short Snapshot)\ntcpdump -i any -nn -c 100\n\n2. 
Process & Runtime Analysis\nProcess Tree\nps auxww --forest\n\nHigh CPU / Memory\ntop\n\nOpen File Handles\nlsof -p <PID>\n\nSystem Call Trace (Caution: Alters Timing)\nstrace -p <PID>\n\n\n⚠️ strace may change process behavior. Use carefully during live compromise.\n\nKernel Modules\nlsmod\n\nKernel Messages\ndmesg | tail -50\n\n3. Rootkit & Malware Scanning\nRootkit Scanners\nrkhunter --check\nchkrootkit\n\n\nMay produce false positives. Validate findings manually.\n\nAntivirus Scan (Targeted)\nclamscan -r /home\n\n\nUse selectively; large scans increase I/O and may alter access timestamps.\n\nLynis System Audit\nlynis audit system\n\n4. File Integrity & Package Verification\nAIDE (After Initialization)\n\nInstall:\n\napt install aide\n# or\ndnf install aide\n\n\nInitialize:\n\naideinit\nmv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz\n\n\nRun Check:\n\naide --check\n\nRHEL Package Verification\nrpm -Va\n\nDebian Package Verification\napt install debsums\ndebsums -s\n\n5. Forensic Analysis (Didier Stevens Suite)\n\nInstall:\n\nsudo mkdir -p /opt/forensics\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/base64dump.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/re-search.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/zipdump.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/1768.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/pdf-parser.py\nsudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/oledump.py\nsudo chmod +x /opt/forensics/*.py\n\nDecode Base64\npython3 /opt/forensics/base64dump.py file.txt\n\nIOC Search\npython3 /opt/forensics/re-search.py -n ipv4 logfile\n\nInspect ZIP (No Extraction)\npython3 
/opt/forensics/zipdump.py suspicious.zip\n\nExtract Cobalt Strike Beacon Config\npython3 /opt/forensics/1768.py payload.bin\n\nInspect Office/PDF Documents\npython3 /opt/forensics/pdf-parser.py file.pdf\npython3 /opt/forensics/oledump.py file.doc\n\n\nStatic inspection only. Never execute suspicious files.\n\n6. Authentication & User Activity\nCurrent Sessions\nwho -a\n\nLogin History\nlast -a\n\nFailed SSH Logins\n\nUbuntu/Debian:\n\njournalctl -u ssh.service | grep \"Failed password\"\n\n\nRHEL/Fedora:\n\njournalctl -u sshd.service | grep \"Failed password\"\n\nSudo Activity\njournalctl _COMM=sudo\n\nAudit Logs\nausearch -m USER_AUTH,USER_LOGIN,USER_CHAUTHTOK\n\nControlled Remediation\nBlocking an IP\niptables (Immediate)\niptables -I INPUT 1 -s <IP> -j DROP\n\nnftables\nnft add rule inet filter input ip saddr <IP> drop\n\n\nIf firewalld is active:\n\nfirewall-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"<IP>\" drop'\n\nPersisting Firewall Rules\n\niptables (Debian):\n\nnetfilter-persistent save\n\n\niptables (manual save):\n\niptables-save > /etc/iptables/rules.v4\n\n\nfirewalld:\n\nfirewall-cmd --runtime-to-permanent\n\n\nnftables:\n\nnft list ruleset > /etc/nftables.conf\n\nProcess Containment Strategy\n\nPreferred escalation:\n\nObserve\nkill -TERM <PID>\nIf required: kill -STOP <PID> for analysis\nUse kill -KILL <PID> only if necessary\n\nAvoid killall or broad pkill.\n\nService Isolation\nsystemctl stop <service>\nsystemctl disable <service>\nsystemctl mask <service>\n\nPersistence & Backdoor Checks\nCron Jobs\ncrontab -l\nls -lah /etc/cron*\n\nSystemd Persistence\nls -lah /etc/systemd/system/\n\nStartup Scripts\ncat /etc/rc.local\n\nSELinux Awareness (RHEL/Fedora)\n\nCheck status:\n\ngetenforce\n\n\nReview denials:\n\nausearch -m AVC\n\nForensic Hygiene\nNever execute suspicious binaries.\nPreserve evidence before deletion:\nsha256sum file\nmkdir -p /root/quarantine\nmv file /root/quarantine/file.vir\n\nLog every remediation step:\ndate 
-u\n\n\nDocument:\n\nTimestamp\nCommand executed\nObserved outcome\nUsage Examples\nRoutine Audit\nRun lynis audit system\nVerify no unknown listening services\nCheck for modified system binaries\nActive Threat\nIdentify high CPU process\nCapture short tcpdump\nExtract file hash\nContain IP via firewall\nPreserve malicious artifact\nSuspicious File\nUse zipdump\nExtract hash\nMove to quarantine\nSearch logs for execution attempts\nSafety Guardrails\n\nThese guardrails are mandatory and apply to all remediation activity. Their purpose is to prevent self-inflicted outages, preserve forensic integrity, and ensure reversible, controlled incident response.\n\n1. State Verification (Pre- and Post-Change Validation)\n\nBefore executing any remediation command:\n\nRecord timestamp (UTC):\n\ndate -u\n\n\nRun a discovery command to capture current state:\n\nNetwork: ss -tulpn\nActive connections: ss -antp\nFirewall (iptables): iptables -L -n -v\nFirewall (nftables): nft list ruleset\nfirewalld: firewall-cmd --list-all\n\nAfter remediation:\n\nRe-run the same discovery command.\nCompare state change and confirm:\nIntended effect achieved\nNo unintended service disruption\nNo management lockout (e.g., SSH access intact)\n\nNever assume a command succeeded without verifying its effect.\n\n2. No Wildcards or Broad Termination\n\nTo prevent catastrophic system damage:\n\nNEVER use:\n\nrm -rf *\nrm -rf /\nkillall\nBroad pkill patterns\nUnbounded globbing in sensitive directories\n\nAlways:\n\nUse absolute file paths (e.g., /tmp/malware.bin)\nTarget explicit PIDs (kill -TERM <PID>)\nConfirm file existence with ls -lah <file>\nHash suspicious files before modification:\nsha256sum <file>\n\n\nWildcard deletions and pattern-based termination are prohibited during incident response.\n\n3. 
Persistence & Re-Spawn Inspection\n\nAfter containment of a malicious process or service, immediately inspect for persistence mechanisms.\n\nCheck:\nCron Jobs\ncrontab -l\nls -lah /etc/cron*\n\nsystemd Services & Timers\nsystemctl list-unit-files --type=service\nsystemctl list-timers --all\nls -lah /etc/systemd/system/\n\nInit Scripts\nls -lah /etc/init.d/\ncat /etc/rc.local\n\nUser-Level Persistence\nls -lah ~/.config/systemd/user/\n\nSSH Backdoors\ncat ~/.ssh/authorized_keys\n\n\nAfter removal of malicious artifacts:\n\nRun integrity verification:\naide --check\n\nOn RHEL-based systems:\nrpm -Va\n\nOn Debian-based systems:\ndebsums -s\n\n\nDo not consider a threat eradicated until persistence mechanisms are eliminated.\n\n4. Firewall Rule Safety & Persistence\nA. Anti-Lockout Requirement\n\nBefore modifying firewall rules:\n\nConfirm SSH listening port:\n\nss -tulpn | grep ssh\n\n\nConfirm an explicit ACCEPT rule exists for:\n\nCurrent management IP\nSSH port\n\nNEVER:\n\niptables -F\n\n\nNEVER set a default DROP policy without verifying SSH access rule exists.\n\nB. Immediate vs Persistent Rules\n\nFirewall rule changes are runtime by default and may not survive reboot.\n\niptables (Debian/Ubuntu)\n\nRuntime only until saved:\n\niptables-save > /etc/iptables/rules.v4\n\n\nIf using netfilter-persistent:\n\nnetfilter-persistent save\n\nRHEL (legacy iptables service)\nservice iptables save\n\nfirewalld\n\nRuntime-to-permanent:\n\nfirewall-cmd --runtime-to-permanent\n\nnftables\n\nPersist ruleset:\n\nnft list ruleset > /etc/nftables.conf\n\n\nDocument:\n\nWhether rule is temporary or permanent\nLocation of saved configuration\nVerification after reboot (if applicable)\n5. 
Forensic Preservation Before Destruction\n\nBefore deleting or killing:\n\nHash the artifact:\n\nsha256sum <file>\n\n\nMove to quarantine:\n\nmkdir -p /root/quarantine\nmv <file> /root/quarantine/<file>.vir\n\n\nRecord:\n\nTimestamp (UTC)\nOriginal path\nHash value\nReason for containment\n\nAvoid kill -9 unless absolutely required. Prefer:\n\nkill -TERM <PID>\nkill -STOP <PID> (if forensic inspection needed)\nkill -KILL <PID> only as last resort\n6. Change Logging Requirement\n\nEvery remediation action must include:\n\ndate -u\nCommand executed\nJustification\nObserved outcome\nUpdated risk level (if applicable)\n\nRemediation without documentation is non-compliant.\n\n7. Minimal-Impact Principle\n\nAll actions must follow:\n\nSmallest necessary change\nReversible where possible\nNo broad configuration resets\nNo service restarts without justification\nNo system-wide scans during active compromise unless scoped\n\nContain first. Eradicate methodically. Recover cautiously."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/kiaraho/sys-guard-linux-remediator",
    "publisherUrl": "https://clawhub.ai/kiaraho/sys-guard-linux-remediator",
    "owner": "kiaraho",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/sys-guard-linux-remediator",
    "downloadUrl": "https://openagent3.xyz/downloads/sys-guard-linux-remediator",
    "agentUrl": "https://openagent3.xyz/skills/sys-guard-linux-remediator/agent",
    "manifestUrl": "https://openagent3.xyz/skills/sys-guard-linux-remediator/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/sys-guard-linux-remediator/agent.md"
  }
}