DaemonEye is a security-focused, high-performance process monitoring system built for cybersecurity professionals, threat hunters, and security operations centers. This is a complete Rust rewrite of the proven Python prototype, delivering enterprise-grade performance with audit-grade integrity.
DaemonEye is a three-component security package designed for robust, secure, and auditable system monitoring:
DaemonEye/
βββ procmond/ # :lock: Privileged Process Collector
βββ daemoneye-cli/ # :computer: Command-Line Interface
βββ daemoneye-agent/ # :satellite: User-Space Orchestrator
βββ daemoneye-lib/ # :gear: Shared Library Components
- π ProcMonD (Collector): Runs with elevated privileges, focused solely on process monitoring with minimal attack surface. Writes to Certificate Transparency-style audit ledger and communicates via protobuf IPC with daemoneye-agent.
- π‘ DaemonEye Agent (Orchestrator): Operates in user space with minimal privileges. Manages procmond lifecycle, executes SQL detection rules, and handles alert delivery. Translates complex SQL rules into simple protobuf tasks for procmond.
- π» DaemonEye CLI: Local command-line interface for data queries, result exports, and service configuration. Communicates with daemoneye-agent for all operations.
This separation ensures robust security: ProcMonD remains isolated and hardened, while orchestration/network tasks are delegated to low-privilege processes.
| Feature | Description |
|---|---|
| π¦ Rust Performance | Memory-safe, high-performance rewrite with <5% CPU overhead |
| π Cross-Platform | Linux, macOS, and Windows support with native OS integration |
| π SQL Detection Engine | Flexible anomaly detection using standard SQL queries |
| ποΈ Audit-Grade Integrity | Certificate Transparency-style Merkle tree with inclusion proofs |
| π‘ Multi-Channel Alerting | stdout, syslog, webhooks, email with delivery guarantees |
| β‘ High-Performance | Handle 10k+ processes with bounded queues and backpressure |
| π Security-First Design | Principle of least privilege, sandboxed rule execution |
| π Offline-Capable | No external dependencies for core functionality |
The Free Tier of DaemonEye is completely free forever with no time limits or feature restrictions. This includes:
- Full process monitoring and detection capabilities
- All built-in detection rules and SQL-based custom rules
- Complete alerting system (stdout, syslog, webhooks, email)
- Local data storage and querying
- Cross-platform support (Linux, macOS, Windows)
- Offline operation with no external dependencies
Future Business and Enterprise tiers will add centralized management, advanced integrations, and kernel-level monitoring for organizations that need these capabilities, but the core functionality will always remain free.
- Rust 1.85+ (2024 Edition support)
- Just task runner
# Build all components
just build
# Run linting and tests
just lint && just test
# Start orchestrator agent (manages procmond automatically)
just run-daemoneye-agent
# Launch CLI interface
just run-daemoneye-cli --help
# Run single-shot collection (for testing)
just run-daemoneye-agent --once# Start the orchestrator (manages procmond automatically)
daemoneye-agent --config /etc/daemoneye/config.yaml
# Query historical process data through orchestrator
daemoneye-cli query --sql "SELECT * FROM processes WHERE name = 'suspicious_proc'"
# Test alert delivery
daemoneye-cli alerts send-test
# Check system health
daemoneye-cli health-check --verbose
# Export data for analysis
daemoneye-cli export --format json --output /tmp/process_data.jsonBuilt-in Detection Rules:
- Process hollowing detection (processes without executables)
- Executable integrity violations (file modifications during runtime)
- Suspicious process name duplications
- Unusual parent-child process relationships
- Anomalous resource consumption patterns
Custom Rule Support:
- SQL-based detection logic with sandboxed execution
- Hot-reloadable rules with metadata and versioning
- Performance monitoring and optimization hints
| Channel | Format | Use Case |
|---|---|---|
| stdout/stderr | JSON, Plain Text | Development, debugging |
| Syslog | RFC5424, JSON | SIEM integration |
| Webhooks | JSON POST | Security orchestration |
| HTML, Plain Text | Incident notifications | |
| File Output | JSON, CEF | Log aggregation, archival |
- Language: Rust 2024 Edition (MSRV: 1.70+)
- Async Runtime: Tokio for I/O and task management
- Database: redb pure Rust embedded database for optimal performance and security
- CLI Framework: clap v4 with derive macros and shell completions
- Process Enumeration: sysinfo crate with platform-specific optimizations
- Logging: tracing ecosystem with structured JSON output
This project follows strict Rust coding standards:
- Linting:
cargo clippy -- -D warnings(zero warnings policy) - Formatting:
rustfmtwith consistent code style - Testing: Comprehensive unit and integration test coverage
- Safety:
unsafe_code = "forbid"in workspace lints - Performance: <100MB memory, <5% CPU, <5s for 10k+ processes
# Development workflow
just fmt # Format code
just lint # Run clippy with strict warnings
just test # Run all tests
just build # Build workspace
# Component execution
just run-procmond --once --verbose # Run process monitor with flags
just run-daemoneye-cli --help # Run CLI interface
just run-daemoneye-agent --config /path # Run orchestrator agent- SOC Analysts monitoring fleet infrastructure for process anomalies
- Incident Responders investigating compromised systems
- Red Team Operators detecting defensive monitoring
- Security Engineers integrating with SIEM platforms
- System Administrators maintaining security visibility
- DevSecOps Teams embedding security monitoring in deployments
For comprehensive documentation, see:
- Project Overview - High-level overview and getting started
- System Architecture - Three-component architecture details
- User Guides - Configuration and operator guides
- API Reference - Core API documentation
- Deployment Guide - Installation and deployment options
Licensed under the Apache License, Version 2.0. See LICENSE for details.
DaemonEye β When your process monitoring actually matters. π‘οΈ