Series draft — Part 6 of 15 in Hardened Agentic Stack. Outline only; expand before un-drafting.
Phase 2: Runtime Integrity — The Local Threat Model
The Problem
Agents may try to read /etc/shadow, ~/.ssh/id_rsa, or kubeconfig to escalate.
The Infrastructure Fix
Wazuh or Tetragon FIM on sensitive paths — block open/read and alert.
The Architecture Pattern
Immutable Host Boundary — filesystem no-go zones enforced on the host.
Planned sections
- The “Oh No” moment — concrete incident or near-miss that makes the risk visceral.
- ClawQL context — how this control protects a high-privilege local/edge agent.
- Technical how-to — concrete configs, policies, or snippets a builder can apply.
- Safety check — what “trusted enough” looks like once this layer is in place.
Key visuals
- Watched-path map for agent UID
Source modules (docs.clawql.com)
Rule of Three (keep on publish)
| Layer | Takeaway |
|---|---|
| Problem | Agents may try to read /etc/shadow, ~/.ssh/id_rsa, or kubeconfig to escalate. |
| Infrastructure fix | Wazuh or Tetragon FIM on sensitive paths — block open/read and alert. |
| Architecture pattern | Immutable Host Boundary — filesystem no-go zones enforced on the host. |