OpenClaw Security Hardening: The Complete Checklist for Enterprise Deployments

Why Does a Default OpenClaw Install Fail Every Enterprise Security Audit?

Answer capsule. A stock OpenClaw installation binds its gateway to all network interfaces (0.0.0.0), ships with AUTH_ENABLED=false, mounts the Docker socket into the agent container, runs processes without capability restrictions, and writes zero structured audit logs. It fails NIST 800-53 access controls, CIS Docker Benchmark v1.7.0, and OWASP’s Top 10 for AI Applications before you even connect it to a single tool. That’s not a criticism of OpenClaw — it’s a criticism of shipping developer defaults to production without a hardening pass.

Jensen Huang compared OpenClaw to Linux, HTML, and Kubernetes at CES 2025, and the comparison is apt for a specific reason: nobody ships a fresh Linux install to production either. You run through a hardening pass — disable unused services, configure the firewall, set up log forwarding, pin package versions, enable SELinux or AppArmor — and then you ship. OpenClaw needs the same treatment. The framework itself is excellent. NVIDIA contributes engineers directly to OpenClaw security advisories. The Apache Software Foundation governance keeps the core project accountable. The community is active and the CVE response time is measured in hours. None of that protects a deployment that ships with developer defaults.

We’ve hardened 40+ OpenClaw deployments at beeeowl, and every single one needed the same seven layers. According to the Verizon 2025 Data Breach Investigations Report, 68% of breaches involved a human element — misconfigurations, skipped steps, “we’ll fix it later” shortcuts that never got fixed later. This checklist eliminates those gaps by making every layer explicit, standardized, and testable. See our one-day deployment walkthrough for the full end-to-end sequence that includes this hardening.

What follows is the exact playbook — commands, configuration, standard references, and the specific mistakes we see DIY deployments make. If you’re a CTO deciding whether to harden in-house or outsource, this post tells you exactly what’s involved. If you’re already hardening in-house, you can use it as a checklist to verify you haven’t missed a layer.

How Do You Lock Down the OpenClaw Gateway to Localhost Only?

Answer capsule. Bind the OpenClaw gateway to 127.0.0.1 so it only accepts connections from the local machine, then place a reverse proxy (Caddy, Nginx, or Traefik) in front of it to handle TLS termination, external routing, and a second layer of authentication if needed. This is CIS Docker Benchmark section 5.13 and NIST 800-53 SC-8 compliance, and it is the single most overlooked step in DIY OpenClaw deployments. Default OpenClaw binds to 0.0.0.0, which means any device that can route packets to the machine can reach the gateway directly — on a VPS, that’s the entire public internet.

The scale of the problem. Censys completed an internet-wide scan in March 2026 and found 30,247 OpenClaw instances discoverable on the public internet, most running without authentication because the operators never changed the default 0.0.0.0 binding. Shodan’s 2025 Exposure Report tracked a similar pattern for AI agent frameworks as a category — the median exposure timeline from “first deployed” to “first unauthenticated scan attempt” was 47 minutes. On a fresh VPS, the clock is running the moment the service comes up.

Here’s how to fix it:

# Set the gateway to listen on localhost only
export OPENCLAW_GATEWAY_HOST=127.0.0.1
export OPENCLAW_GATEWAY_PORT=8080

# Or in docker-compose.yml:
services:
  gateway:
    image: openclaw/gateway@sha256:a1b2c3d4e5f6...
    ports:
      - "127.0.0.1:8080:8080"   # IP prefix binds to localhost only
    environment:
      - OPENCLAW_GATEWAY_HOST=127.0.0.1

Then configure a reverse proxy. We prefer Caddy for our Mac Mini deployments because it handles automatic HTTPS certificate provisioning via Let’s Encrypt without any manual renewal management — one less thing for the client to forget about six months later. Caddy config is one file:

# /etc/caddy/Caddyfile
openclaw.internal.yourcompany.com {
    reverse_proxy 127.0.0.1:8080 {
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
    }

    tls {
        protocols tls1.3
    }

    # Rate limit per source IP
    rate_limit {
        zone dynamic 60r/m
    }

    # Log every request for audit trail
    log {
        output file /var/log/caddy/openclaw-access.log
        format json
    }
}

For Hosted Setup deployments or clients already running Nginx, the equivalent config is:

# /etc/nginx/sites-available/openclaw
server {
    listen 443 ssl http2;
    server_name openclaw.internal.yourcompany.com;

    ssl_certificate /etc/ssl/certs/openclaw.pem;
    ssl_certificate_key /etc/ssl/private/openclaw.key;

    # TLS 1.3 only — disable older protocols explicitly
    ssl_protocols TLSv1.3;
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    ssl_prefer_server_ciphers off;

    # HSTS to prevent protocol downgrade
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The most common DIY mistake we see. Setting OPENCLAW_GATEWAY_HOST=127.0.0.1 in a .env file but forgetting to change the Docker port mapping from 8080:8080 to 127.0.0.1:8080:8080. Docker’s port forwarding takes precedence, so the gateway is still reachable externally even though the environment variable says localhost. Always verify with curl http://YOUR_PUBLIC_IP:8080/api/v1/health from a device on a different network — your phone on cellular works. If you get a response, you’re still exposed.

How Should You Configure Token Authentication for OpenClaw?

Answer capsule. Generate a 256-bit token with openssl rand -hex 32, store it in a file with 600 permissions owned by root in a directory the agent process cannot read, and configure OpenClaw to load it via a file path rather than an environment variable (which leaks through docker inspect and process listings). Add rate limiting at 60 requests per minute per client to slow down brute force and anomaly patterns. OWASP ranks broken authentication as the #2 risk in their 2025 AI Application Security Top 10, and NIST Cybersecurity Framework 2.0 (February 2024) lists authentication as Protect function control PR.AA-01 — your auditor will ask about this specifically.

Generate a token and configure OpenClaw to require it:

# Generate a 256-bit random token
openssl rand -hex 32 > /etc/openclaw/auth_token

# Lock down permissions — root only
chown root:root /etc/openclaw/auth_token
chmod 600 /etc/openclaw/auth_token

# Verify
ls -la /etc/openclaw/auth_token
# -rw------- 1 root root 65 Apr 10 14:32 /etc/openclaw/auth_token

Then configure OpenClaw to read the token from the file:

# /etc/openclaw/openclaw-config.yaml
gateway:
  host: 127.0.0.1
  port: 8080
  auth:
    enabled: true
    token_file: /etc/openclaw/auth_token
    algorithm: hmac-sha256
    rate_limit: 60         # requests per minute per client IP
    lockout_threshold: 5   # lock out after 5 failed attempts
    lockout_duration: 900  # 15 minutes
  cors:
    allowed_origins:
      - https://openclaw.internal.yourcompany.com
    allow_credentials: true

Never store the auth token in an environment variable. Environment variables leak through docker inspect, /proc/[pid]/environ, the output of docker-compose config, and anywhere Docker serializes container state. They also show up in ps auxe output on the host. Use Docker secrets (mounted as files inside the container) or a file path on the host filesystem — but not an environment variable.

The DIY mistake that makes auth worthless. We’ve audited deployments where the auth token was stored in the same YAML file the agent loads at startup, meaning the agent process could read its own credentials. If an attacker compromises the agent through prompt injection or a malicious skill, they now have the auth token and can issue new requests as the gateway’s own authenticated client. The agent should never have read access to its own credentials. The correct pattern is: the gateway reads the token and validates incoming requests against it; the agent never touches the token at all.

What Docker Sandboxing Configuration Does a Production OpenClaw Need?

Answer capsule. Run the agent container with --read-only for an immutable root filesystem, --no-new-privileges to block privilege escalation, --cap-drop=ALL to strip all Linux capabilities, --pids-limit=100 to prevent fork bombs, memory and CPU caps with --memory and --cpus, and an ephemeral tmpfs mount at /tmp with noexec,nosuid so the agent cannot write and execute arbitrary binaries. Mount only the specific directories the agent needs — never the Docker socket, never the host root filesystem. This is your blast radius control: if the agent gets prompt-injected or a skill misbehaves, the damage stays inside the container and the attacker cannot escape to the host.

According to NIST SP 800-190 (Application Container Security Guide), properly configured container isolation reduces the application attack surface by 73% compared to running directly on the host. The CIS Docker Benchmark v1.7.0 specifies 89 configuration checks — here are the nine that matter most for OpenClaw, consolidated into a single docker run command:

docker run -d \
  --name openclaw-agent \
  --read-only \
  --no-new-privileges \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --security-opt=no-new-privileges:true \
  --security-opt=seccomp=/etc/openclaw/seccomp-profile.json \
  --memory=4g \
  --memory-swap=4g \
  --cpus=2.0 \
  --pids-limit=100 \
  --ulimit nofile=1024:2048 \
  --tmpfs /tmp:rw,noexec,nosuid,size=256m \
  --tmpfs /var/run:rw,noexec,nosuid,size=32m \
  -v /var/log/openclaw:/var/log/openclaw:rw \
  -v /etc/openclaw/config:/config:ro \
  --network=openclaw-isolated \
  --restart=unless-stopped \
  openclaw/agent@sha256:e5f6a7b8c9d0...

Here’s what each flag does and why it matters — this is the walkthrough we give every client during handoff:

• --read-only makes the root filesystem immutable. The agent cannot modify its own code, install packages at runtime, write to /etc, or drop files anywhere on disk except the explicitly declared tmpfs mounts. This blocks a whole class of prompt injection attacks where the attacker tries to rewrite the agent’s system prompt or install a backdoor for persistence.

• --no-new-privileges and --cap-drop=ALL prevent privilege escalation inside the container. Even if an attacker finds a container escape vulnerability or a setuid binary, they cannot gain root on the host because the kernel refuses to grant any new privileges to the process.

• --cap-add=NET_BIND_SERVICE adds back only the single capability the agent actually needs — binding to network sockets. Everything else stays dropped. This is the “default deny, explicit allow” pattern at the Linux kernel level.

• --security-opt=seccomp loads a custom seccomp profile that restricts which system calls the agent process is allowed to make. The OpenClaw-specific profile we ship blocks ptrace, mount, reboot, kexec, and about 40 other syscalls that no legitimate agent workload needs but every exploit chain relies on.

• --memory=4g and --cpus=2.0 cap resource consumption. A runaway or compromised agent cannot starve the host of CPU or memory. Without these limits, a single misbehaving skill can consume an entire server — and cryptomining malware specifically targets AI containers because they typically have abundant unconstrained resources.

• --pids-limit=100 prevents fork bombs. A misbehaving skill cannot spawn unlimited subprocesses. 100 is generous for a single-agent deployment; we sometimes drop it to 50 for clients who want stricter controls.

• --tmpfs /tmp:rw,noexec,nosuid gives the agent a writable scratch space that is wiped on container restart and, crucially, cannot execute binaries (noexec) or use setuid (nosuid). Classic privilege escalation moves rely on writing a binary to /tmp and then executing it — this flag closes that path.

• The only persistent writable volume is the log directory, and it’s mounted from a separate host directory the agent user has append-only access to. The read-only config mount ensures the agent can read its configuration but cannot modify it.

Sysdig’s 2025 Cloud-Native Security Report found that 76% of containers in production run with excessive privileges, usually because somebody added a capability or a volume mount during debugging and never removed it. Don’t be in that 76%. See our deeper walkthrough of why the agent should never run on the host directly.

How Do You Set Up Firewall Allowlists for OpenClaw Outbound Traffic?

Answer capsule. Configure an explicit outbound allowlist so the agent can only reach the specific API endpoints it actually needs — Google Workspace APIs, Slack, Salesforce, Composio’s OAuth proxy, whatever tools the deployment uses. Default-deny everything else. No wildcard rules, no “allow all on port 443.” Palo Alto Networks Unit 42’s 2025 Cloud Threat Report found that misconfigured outbound rules were the number-one cause of unauthorized data exfiltration in AI deployments — 82% of self-managed AI installations had at least one overly permissive firewall rule, usually added during debugging and never removed.

Use Docker’s internal network with iptables rules on Linux hosts:

# Create an isolated Docker network that has no external connectivity by default
docker network create --internal openclaw-isolated
docker network create openclaw-egress

# Allow only specific outbound CIDRs through the DOCKER-USER chain
# Google Workspace APIs (Gmail, Drive, Calendar, Docs)
iptables -A DOCKER-USER -d 142.250.0.0/15 -p tcp --dport 443 -j ACCEPT
iptables -A DOCKER-USER -d 172.217.0.0/16 -p tcp --dport 443 -j ACCEPT
iptables -A DOCKER-USER -d 216.58.192.0/19 -p tcp --dport 443 -j ACCEPT

# Slack API (AWS-hosted Slack infrastructure)
iptables -A DOCKER-USER -d 54.192.0.0/12 -p tcp --dport 443 -j ACCEPT

# Salesforce API (per client — these ranges vary by Salesforce org)
iptables -A DOCKER-USER -d 13.108.0.0/14 -p tcp --dport 443 -j ACCEPT

# Composio OAuth middleware (our credential proxy)
iptables -A DOCKER-USER -d 100.20.0.0/16 -p tcp --dport 443 -j ACCEPT

# Explicit drop for everything else from the agent container
iptables -A DOCKER-USER -i docker0 -j DROP

# Log dropped packets at a low rate for monitoring
iptables -A DOCKER-USER -m limit --limit 5/min -j LOG \
    --log-prefix "openclaw-egress-drop: " --log-level 7

# Save rules to survive reboots
netfilter-persistent save

For macOS deployments (our Mac Mini and MacBook Air setups), we use the built-in pf firewall instead of iptables:

# /etc/pf.anchors/openclaw
# Default deny outbound
block out all

# Allow only approved API endpoints
pass out proto tcp to 142.250.0.0/15 port 443   # Google
pass out proto tcp to 54.192.0.0/12 port 443    # Slack
pass out proto tcp to 13.108.0.0/14 port 443    # Salesforce
pass out proto tcp to 100.20.0.0/16 port 443    # Composio

# Allow DNS only to the local resolver, which has its own allowlist
pass out proto udp to 127.0.0.1 port 53

# Log drops for monitoring
block drop log out all

Enable the anchor and load it:

echo 'anchor "openclaw"' | sudo tee -a /etc/pf.conf
echo 'load anchor "openclaw" from "/etc/pf.anchors/openclaw"' | sudo tee -a /etc/pf.conf
sudo pfctl -f /etc/pf.conf -e

At beeeowl, we build a custom allowlist for each client based on their specific Composio integrations and the tools they actually use. A CEO running Gmail, Google Calendar, Slack, and Notion gets a different firewall profile than a VC running HubSpot, Airtable, LinkedIn, and PitchBook. We maintain a lookup table of CIDR blocks for each major SaaS API endpoint and regenerate the firewall rules whenever a client’s integration list changes.

The DIY mistake we see most. Someone adds iptables -A OUTPUT -j ACCEPT at the top of the rules to debug a connection issue, then forgets to remove it. The rule stays in place for months, the default-deny is effectively disabled, and the first anyone notices is when a compromised skill starts exfiltrating data to a destination that isn’t on the allowlist. Always verify your firewall state with iptables -L -n -v and compare against the expected policy before deploying to production.

What File Permissions Should You Set on an OpenClaw Deployment?

Answer capsule. Agent code and configuration files should be read-only to the agent process (chmod 444, owned by root). The auth token should be chmod 600 owned by root and never readable by the agent user. Log directories should be append-only via chattr +a so even root cannot delete or modify existing log entries without first removing the attribute. The agent’s runtime user should have zero write access to anything except designated output paths. NIST SP 800-123 and CIS Benchmark Level 2 both require least-privilege file access as a baseline.

Here’s the permission structure we use on every deployment:

# Agent code — read-only, owned by root
chown -R root:root /opt/openclaw/
chmod -R 444 /opt/openclaw/
find /opt/openclaw/ -type d -exec chmod 555 {} \;

# Configuration — read-only, restricted group
chown root:openclaw /etc/openclaw/config/*.yaml
chmod 440 /etc/openclaw/config/*.yaml

# Auth token — root only
chown root:root /etc/openclaw/auth_token
chmod 600 /etc/openclaw/auth_token

# Log directory — writable by agent user
chown openclaw:openclaw /var/log/openclaw/
chmod 750 /var/log/openclaw/

# Individual log files — append-only via chattr
for logfile in /var/log/openclaw/*.log; do
  touch "$logfile"
  chown openclaw:openclaw "$logfile"
  chmod 640 "$logfile"
  chattr +a "$logfile"   # append-only at filesystem level
done

# Verify
lsattr /var/log/openclaw/*.log
# ----a-------- /var/log/openclaw/agent-audit.log

The chattr +a flag is the critical bit. It makes log files append-only at the filesystem level. Even root cannot delete or modify existing entries without first removing the attribute — and removing the attribute is itself a logged operation that anomaly detection can alert on. This is your tamper-evident audit trail: if an attacker compromises the host and tries to clean up their tracks by deleting the audit log, the attempt fails and leaves a signature.

The DIY mistake that defeats the whole model. We’ve audited deployments where the agent process ran as the root user inside the container (a common mistake when copy-pasting from development tutorials). The agent could read its own auth token, modify its configuration, rewrite its system prompt at runtime, and delete its own logs. That’s not an AI agent — that’s an unmonitored superuser with internet access. The agent should run as a dedicated non-root user with the minimum set of permissions needed to do its job, and nothing more. See our audit logging and monitoring walkthrough for the full logging and alerting pipeline.

How Should You Vet Skills from ClawHub Before Installing Them?

Answer capsule. Treat every ClawHub skill like a third-party npm package or a Docker Hub image from an unknown publisher. Clone the source. Grep for dangerous system access patterns. Check the publisher’s GitHub history and other contributions. Run the skill in a sandboxed test environment with network disabled, filesystem restricted, and environment variables blocked before approving it for any production deployment. OWASP lists “Insecure Plugin/Skill Design” as risk #7 in their 2025 AI Top 10, and Snyk’s 2025 Open Source Security Report found that 41% of open-source packages contain at least one known vulnerability. ClawHub skills are community-contributed code running inside your agent process — they deserve the same scrutiny.

Here’s our skill vetting checklist, in the order we run it:

# 1. Clone the skill repo — do NOT install directly
git clone https://github.com/clawhub/skill-name.git /tmp/skill-review
cd /tmp/skill-review

# 2. Grep for dangerous system access
grep -rn "os\." . --include="*.py"
grep -rn "subprocess" . --include="*.py"
grep -rn "Popen\|system\|exec" . --include="*.py"
grep -rn "urllib\|requests\." . --include="*.py"
grep -rn "eval\|compile\|__import__" . --include="*.py"

# 3. Look for hardcoded endpoints or suspicious URLs
grep -rEn "https?://[^\"' ]+" . --include="*.py" | \
  grep -v "https://api.composio" | \
  grep -v "https://docs.openclaw"

# 4. Check if it reads environment variables (credential exfil vector)
grep -rn "os.environ" . --include="*.py"
grep -rn "os.getenv" . --include="*.py"

# 5. Check the manifest for requested permissions
cat skill.yaml | grep -A 20 "permissions:"

# 6. Verify the publisher
gh api users/PUBLISHER_NAME
gh api users/PUBLISHER_NAME/repos
# Look at: account age, contribution count, other projects,
# whether they've published skills that have been audited before

# 7. Check for open issues mentioning security concerns
gh issue list --repo clawhub/skill-name --search "security OR vulnerability OR CVE"

# 8. Look up any existing CVEs
curl -s "https://nvd.nist.gov/rest/json/cves/2.0?keywordSearch=skill-name"

Beyond code review, run the skill in a sandboxed test environment before approving it for any client deployment:

# /etc/openclaw/skill-review-config.yaml
skills:
  - name: skill-under-review
    source: /tmp/skill-review
    sandbox: strict        # no network, no filesystem outside /tmp, no env vars
    test_mode: true
    max_execution_time: 30s
    max_memory: 256MB
    allowed_tools: []      # no tool access during review
    capture_syscalls: true # log every syscall for post-hoc analysis

At beeeowl, we maintain an internal allowlist of vetted ClawHub skills. If a client needs a skill that isn’t on our list, we run the full review before deploying it — no exceptions, no exceptions requested by clients ever granted. The review adds roughly 2 to 4 hours per new skill, which is a meaningful cost but still dramatically lower than the cost of a compromised agent. NVIDIA’s own guidance on the OpenClaw GitHub repository recommends reviewing skills before installation; we’ve just formalized that recommendation into a repeatable process with a documented checklist. For the full story on what can go wrong, see our walkthrough of malicious ClawHub skills and how to vet agent runs and our audit guide for avoiding malicious code.

How Do You Configure Audit Logging That Satisfies Compliance Requirements?

Answer capsule. Log every action the agent takes in structured JSON: what tool it accessed, what data it read or modified, the timestamp in UTC, the user who initiated the session, the session ID, and the result. Store logs locally on hardware the agent cannot access, make them append-only with chattr +a, rotate on a 90-day retention cycle, and configure export paths for the client’s SIEM (Splunk, Datadog, Elastic) and regulatory reporting. Gartner’s 2025 AI Governance Report found that only 14% of organizations deploying AI agents have implemented audit logging that meets regulatory standards — which means if you do this right, you are already ahead of 86% of the market.

The EU AI Act (effective August 2025) requires audit trails for AI systems processing business data under Article 12 transparency requirements. The SEC’s 2024 cybersecurity disclosure rules require public companies to disclose material cybersecurity incidents within four business days — and “material” is determined in part by whether you can produce evidence of what happened. In the US, California’s CCPA amendments and Colorado’s AI Act (effective 2026) are moving in the same direction. NIST AI RMF specifically calls out audit logging under the Measure and Manage functions.

Here’s the logging configuration:

# /etc/openclaw/openclaw-logging.yaml
logging:
  level: INFO
  format: json
  timezone: UTC

  output:
    - type: file
      path: /var/log/openclaw/agent-audit.log
      rotation:
        max_size: 100MB
        max_files: 90        # 90 days retention
        compress: true
        compress_algorithm: gzip

    - type: syslog
      facility: local0
      tag: openclaw-agent
      host: logs.internal.yourcompany.com
      port: 6514
      protocol: tls          # encrypted syslog

  capture:
    - agent_actions          # every tool call with full request context
    - data_access            # every read/write with object identifiers
    - auth_events            # login/logout/failures with source IP
    - skill_execution        # which skill ran, inputs, outputs, duration
    - error_events           # all errors and exceptions with stack traces
    - config_changes         # any change to agent config
    - credential_use         # every OAuth token use (through Composio)

  schema:
    version: "1.0"
    required_fields:
      - timestamp_utc
      - event_type
      - actor
      - session_id
      - tool_name
      - result
      - duration_ms

Set up anomaly detection as a cron job that runs every 15 minutes:

# /etc/cron.d/openclaw-audit
*/15 * * * * root /opt/openclaw/scripts/audit-check.sh

#!/bin/bash
# /opt/openclaw/scripts/audit-check.sh
# Flags unusual patterns that warrant investigation

TODAY=$(date -u +%Y-%m-%d)
LOG=/var/log/openclaw/agent-audit.log
ALERTS=/var/log/openclaw/alerts.log

# 1. Activity outside business hours
grep "$TODAY" "$LOG" | \
  jq -r 'select(.timestamp_utc | strptime("%Y-%m-%dT%H:%M:%SZ") | .hours < 6 or .hours > 22)' \
  >> "$ALERTS"

# 2. High action volume (possible exfiltration)
ACTION_COUNT=$(grep "$TODAY" "$LOG" | wc -l)
if [ "$ACTION_COUNT" -gt 1000 ]; then
  echo "$(date -u): HIGH volume - $ACTION_COUNT actions today" >> "$ALERTS"
fi

# 3. New tool seen for the first time
TODAY_TOOLS=$(grep "$TODAY" "$LOG" | jq -r '.tool_name' | sort -u)
KNOWN_TOOLS=$(cat /etc/openclaw/known-tools.txt)
for tool in $TODAY_TOOLS; do
  if ! grep -q "^$tool$" /etc/openclaw/known-tools.txt; then
    echo "$(date -u): NEW tool detected - $tool" >> "$ALERTS"
  fi
done

# 4. Failed auth attempts
FAILED_AUTH=$(grep "$TODAY" "$LOG" | jq -r 'select(.event_type=="auth_failed")' | wc -l)
if [ "$FAILED_AUTH" -gt 5 ]; then
  echo "$(date -u): AUTH failures - $FAILED_AUTH attempts" >> "$ALERTS"
fi

# 5. Log file size anomaly (tamper signal)
CURRENT_SIZE=$(stat -c%s "$LOG")
LAST_SIZE=$(cat /var/log/openclaw/.last-size 2>/dev/null || echo 0)
if [ "$CURRENT_SIZE" -lt "$LAST_SIZE" ]; then
  echo "$(date -u): LOG size DECREASED - possible tamper" >> "$ALERTS"
fi
echo "$CURRENT_SIZE" > /var/log/openclaw/.last-size

Logs stay on the physical hardware, never in any cloud service by default. On our Mac Mini deployments, the audit log lives on the local SSD, writable only by the agent user (append-only via chattr +a), and readable only by root. The agent process runs as a restricted user that can append but cannot read, modify, or delete the log. For clients in regulated industries — finance, healthcare, legal — we configure log forwarding to their existing SIEM (Splunk, Datadog, Elastic, Sumo Logic) using encrypted syslog over TLS. That way the client’s existing incident response tooling sees the agent’s activity the same way it sees every other production system.

What Does the Complete Hardening Checklist Look Like?

Answer capsule. Here’s every step in one table. We use this exact checklist on every beeeowl deployment, whether it’s a $2,000 Hosted Setup, a $5,000 Mac Mini with hardware included, or a $6,000 MacBook Air for traveling executives. Skip any one and you have a gap an auditor or an attacker will find.

That’s just the build time. Add 25 to 35 more hours for testing against actual exploit code (we run the published CVE-2026-25253 PoC against every Mac Mini before it ships), documentation for the client, handoff training, and the post-deployment audit. Realistic total: 80 to 120 hours for an engineer who already knows this stack. For an engineer learning it on the job, double that.

In our experience hardening 40+ deployments, the two most commonly skipped layers in DIY setups are gateway binding (step 1) and skill vetting (step 6). Gateway binding because developers assume the internal network is trusted, which is true until the day it isn’t. Skill vetting because ClawHub feels like an app store, and nobody expects the apps in an app store to be audited one line at a time — but ClawHub is not curated the way the Apple App Store or Google Play is.

How Long Does This Take to Do In-House vs Through beeeowl?

Answer capsule. A senior DevOps engineer who already knows Docker, iptables, Nginx, seccomp, and container security can implement this checklist in 80 to 120 hours spread over 2 to 3 weeks. At Glassdoor’s 2025 US average loaded cost of $150/hour for senior DevOps, that’s $12,000 to $18,000 in labor — before you factor in the engineer’s opportunity cost being pulled off product work. A beeeowl Mac Mini deployment is $5,000 one-time, shipped within a week, with all seven layers pre-configured, tested against published CVE exploit code, and documented before the hardware leaves our office. Hosted is $2,000 one-time if you already have a VPS.

The real risk of in-house hardening isn’t cost. It’s the gaps your team doesn’t know about yet. We’ve seen Docker containers running as root, agents with write access to their own config files, iptables rules that allow all outbound on port 443 because somebody added it during debugging and forgot, auth tokens stored in environment variables that leaked through docker inspect, and ClawHub skills installed in production without reading a single line of source code. Every one of those is a serious finding that would have been caught in a week of hardening work — but none of them were caught because the deployment was shipped by someone who was simultaneously managing three other projects.

Every beeeowl deployment includes all seven layers — configured, tested, and documented — before the hardware ships. The Mac Mini package ($5,000) includes a current-generation Mac Mini, the full security stack, one configured agent with Composio OAuth integration to the tools of your choice, and one year of monthly mastermind access for ongoing Q&A and best-practice updates. The Hosted option starts at $2,000 if you already run a VPS and want us to deploy on your existing infrastructure. The MacBook Air tier ($6,000) is the same hardening on a portable machine, built for executives who travel. The In-Person Setup add-on is an additional $2,000 — we come to your office and set it up on-site, walk your team through the audit log dashboards, and answer questions for as long as it takes. The Private On-Device LLM add-on is $1,000 and configures a local language model so your data never leaves the machine — not even to the OpenAI or Anthropic APIs.

We don’t offer an unhardened option. There is no “lite” tier that skips security. If you’re deploying OpenClaw for executives handling board decks, investor updates, M&A discussions, and financial decisions, the security stack is the product. Request your deployment at beeeowl.com.

Related reading — if you want the broader context, see the story of 30,000 exposed OpenClaw instances and how to avoid being one of them, the six-layer security hardening walkthrough from a different angle, why AI agents need to be treated as privileged service accounts, and the case for private AI in 2026.