MCP Cybersec Watchdog

---

🎯 What is Chihuaudit?

A portable, single-binary system auditing tool for Linux. Like Lynis but faster and smarter.

No configuration needed. No dependencies. Just run.

sudo ./chihuaudit audit

✨ Features

• 🔒 Security: Firewall, SSH hardening, SSL/TLS, fail2ban, SUID binaries, open ports
• 🚀 Services: Systemd services, web servers, databases, Docker
• 💻 Resources: CPU, RAM, disk usage, top processes
• 💾 Storage: SMART health, inode usage, filesystem errors
• 🗄️ Databases: PostgreSQL, MySQL, Redis health checks
• 🐳 Docker: Container status, resource usage, volumes
• 🌐 Network: DNS resolution, latency, interfaces, connections
• 📦 Backups: Backup detection and freshness checks
• 📝 Logs: Error analysis, SSH attempts, service restarts
• ⏰ Monitoring: Continuous mode with Discord webhook notifications

🤖 Claude Skill Alternative

Don't want to install anything? Use the Claude Skill version instead!

Execute the same comprehensive system audit directly through Claude (Sonnet, Opus, or Haiku) using native shell commands - no binary installation required.

Key Benefits:

• 🚀 Zero Installation - Works immediately with sudo access
• 🔄 Consistent Results - 1+ year of production use with extremely reliable output
• 📊 Same Coverage - All 87 checks, 10 categories, identical methodology
• ⚡ Fast - 30-90 second execution time

Requirements: Linux with systemd, sudo NOPASSWD configured, Claude with shell access

Documentation: docs/skill/chihuaudit-skill.md

---

🚀 Quick Start

Build

make build
# or
./build.sh

Run

# Single audit
sudo ./bin/chihuaudit audit

# JSON output
sudo ./bin/chihuaudit audit --json

# Continuous monitoring
sudo ./bin/chihuaudit monitor --interval=5m

# Generate config
./bin/chihuaudit init-config

📊 Example Output

Terminal Output

=== CHIHUAUDIT REPORT ===
Timestamp: 2026-02-05 12:38:27
Hostname: server.example.com
OS: Ubuntu 24.04.3 LTS

--- 1. SECURITY ---
Firewall: active (ufw) ✓
SSH: active
SSH Port: 2244
SSH Password Auth: disabled ✓
SSH Root Login: no ✓
External Ports: [443, 80, 2244]
Localhost-Only Ports: [5432, 6379]
SSL Certificates: 5 (all valid)

--- 2. SERVICES ---
Total Running: 31
Failed: 0 ✓
Web: caddy (active)
Database: postgresql (active)

[... 8 more categories ...]

Total Checks: 87

🔧 Webhook Notifications

Chihuaudit supports webhook notifications for real-time monitoring alerts. While optimized for Discord, it works with any webhook-compatible service (Slack, Microsoft Teams, Mattermost, custom endpoints, etc.).

Color-coded alerts: 🟢 Green (healthy), 🟡 Yellow (warnings), 🔴 Red (critical)

Setup

# Generate default config
./bin/chihuaudit init-config

# Edit configuration
nano ~/.chihuaudit/config.json

Configuration

{
  "discord_webhook": "https://discord.com/api/webhooks/YOUR_WEBHOOK_ID/YOUR_WEBHOOK_TOKEN",
  "notification_whitelist": {
    "cpu_threshold": 70,
    "memory_threshold": 70,
    "disk_threshold": 85,
    "ignore_changes": ["uptime", "active_connections"]
  }
}

Webhook Compatibility

Discord (native support):

• Rich embeds with color-coded alerts
• Custom avatar and username
• Timestamp and structured fields

Slack (works with minor format differences):

• Use discord_webhook field with your Slack webhook URL
• Embeds translate to Slack attachments
• Colors and formatting preserved

Other services:

• Any service accepting JSON POST with embeds field
• Microsoft Teams incoming webhooks
• Mattermost webhooks
• Custom webhook handlers

Alert Thresholds

CPU Load: Trigger when load average exceeds threshold
Memory Usage: Alert on RAM usage percentage
Disk Space: Warning when disk usage crosses limit
Ignore List: Skip notifications for frequently changing metrics

Monitoring Mode

# Monitor every 5 minutes with webhook alerts
sudo ./bin/chihuaudit monitor --interval=5m

Changes are detected and only significant events trigger notifications, reducing alert fatigue.

🎯 Design Philosophy

• Universal: Works on any Linux distro without configuration
• Portable: Single static binary, zero dependencies
• Safe: Read-only checks, no system modifications
• Fast: Parallel execution, ~1 second for full audit
• Simple: Minimal code, maximum clarity
• Automated: Perfect for CI/CD and monitoring

📖 Documentation

• Installation Guide
• Development Log
• Contributing Guidelines

🏗️ Architecture

chihuaudit/
├── main.go           # CLI entry point
├── checks/           # 10 audit categories
│   ├── security.go   # Firewall, SSH, SSL, ports
│   ├── services.go   # Systemd, web, DB servers
│   ├── resources.go  # CPU, RAM, disk
│   └── ...
├── detect/           # OS/tool detection
├── notify/           # Discord webhooks
├── report/           # Text/JSON formatters
└── state/            # Change tracking

🤝 Contributing

Contributions welcome! See CONTRIBUTING.md for guidelines.

Keep code:

• Simple: Minimal, readable, maintainable
• Portable: Detection-based, no hardcoded paths
• Safe: No shell injection, no user input in commands
• Consistent: Follow existing patterns

📜 License

MIT License - see LICENSE for details

---

Made with ❤️ for sysadmins everywhere