A multi-platform EDR (Endpoint Detection & Response) agent that collects security events and streams them to the SecureExec server over gRPC/mTLS.
| Platform | Technology | Crate |
|---|---|---|
| Linux | eBPF (tracepoints + kprobes) | linux/agent |
| macOS | Endpoint Security + Network Extension | macos/agent |
| Windows | ETW / WMI | windows/agent |
Shared transport, pipeline, and event types live in `generic/`.
| Event | Linux | macOS | Windows |
|---|---|---|---|
| Process create / fork / exit | x | x | planned |
| File create / modify / delete | x | x | planned |
| File rename | x | x | |
| File permission change (chmod/chown) | x | | |
| File link / symlink | x | | |
| Network connect | x | x | planned |
| Network listen (accept / bind) | x | x | |
| DNS query | x | | |
| Registry write | | | planned |
| Privilege change (setuid/setgid) | x | | |
| Process access (ptrace) | x | | |
| Process VM read/write | x | | |
| Process signal (kill) | x | | |
| Memory map (exec/write) | x | | |
| memfd_create | x | | |
| Kernel module load | x | | |
| BPF program load | x | | |
| Capability change | x | | |
| Namespace change (unshare/setns) | x | | |
| Mount / unmount | x | | |
| keyctl | x | | |
| io_uring setup | x | | |
| Agent lifecycle / heartbeat | x | x | x |
```
agent/
├── generic/         # Shared: EventKind, gRPC transport, pipeline, filter
├── proto/           # secureexec.proto (gRPC schema)
├── linux/
│   ├── agent/       # Userspace eBPF consumer
│   ├── ebpf/        # Kernel eBPF programs (tracepoints / kprobes)
│   ├── ebpf-common/ # Shared kernel↔userspace types
│   └── kmod/        # Optional kernel module (firewall)
├── macos/
│   ├── agent/       # Endpoint Security sensor (Rust)
│   ├── app/         # Menu bar app (Swift/SwiftUI)
│   ├── activator/   # System extension activator (Swift)
│   └── network-ext/ # Network Extension (Swift)
└── windows/
    └── agent/       # ETW/WMI sensor (Rust)
```
- Rust 1.81+ (`rustup update stable`)
- For Linux eBPF: `bpf-linker`, LLVM 18+, nightly Rust toolchain
- For the macOS app: Xcode 15+
- Proto compiler: `protoc` (needed by `tonic-build` in `generic/build.rs`)
- Docker (for cross-compiling the Linux agent from macOS)
Build from any host (macOS / Linux) without installing LLVM or bpf-linker locally. The first run takes ~5–10 min (it builds the toolchain image); subsequent runs take ~30–60 s.

```sh
make linux-build-docker
```

The static musl binary is written to `./target/x86_64-unknown-linux-musl/release/secureexec-agent-linux`.

To wipe the Docker build cache and start fresh:

```sh
make linux-build-docker-clean
```

Building natively requires the musl toolchain, LLVM 18+, and bpf-linker on the host:

```sh
make linux-build
```

macOS:

```sh
make macos-build
```

The binary is written to `./target/release/secureexec-agent-macos`.

Windows:

```sh
make windows-build
```

The agent reads a JSON config file (default: `/opt/secureexec/var/secureexec-agent.json`):

```json
{
  "backend_url": "https://your-server:50051",
  "tls_ca": "/opt/secureexec/etc/certs/ca.crt",
  "tls_client_cert": "/opt/secureexec/etc/certs/agent.crt",
  "tls_client_key": "/opt/secureexec/etc/certs/agent.key",
  "auth_token": "your-org-token"
}
```

The Linux eBPF kernel programs (`linux/ebpf/`) embed a "Dual MIT/GPL" license tag in the compiled binary. This is a technical requirement of the Linux kernel's BPF verifier for access to GPL-only BPF helpers, and is distinct from the Apache 2.0 license that governs the source code of this repository. See NOTICE for details.
Apache 2.0 — see LICENSE.
This agent is part of the SecureExec platform.
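As an added pre-flight check for the JSON config shown above (example code written for this README, not part of the SecureExec agent or its repository): it parses one `secureexec-agent.json`, requires exactly the five keys the config defines, checks that `backend_url` is an explicit `https://host:port` endpoint (the transport is gRPC over mTLS), that the TLS material paths are absolute, and that the placeholder values from the sample (`your-server`, `your-org-token`) have actually been replaced. The sample document embedded in the block is the README's own, used here as constructed test input.

```python
import json
import os
from urllib.parse import urlsplit

# The five keys from the README's sample config; anything else is a typo or a stale setting.
REQUIRED_KEYS = frozenset({"backend_url", "tls_ca", "tls_client_cert", "tls_client_key", "auth_token"})
README_PLACEHOLDERS = {"your-server", "your-org-token"}
# The README's own sample config, embedded here as constructed test input.
README_SAMPLE = ('{"backend_url": "https://your-server:50051", "tls_ca": "/opt/secureexec/etc/certs/ca.crt",'
                 ' "tls_client_cert": "/opt/secureexec/etc/certs/agent.crt",'
                 ' "tls_client_key": "/opt/secureexec/etc/certs/agent.key", "auth_token": "your-org-token"}')


def validate_agent_config(text: str) -> list[str]:
    """Return findings for one secureexec-agent.json document; an empty list means it passes."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    findings = [f"missing key: {k}" for k in sorted(REQUIRED_KEYS - set(cfg))]
    findings += [f"unknown key: {k}" for k in sorted(set(cfg) - REQUIRED_KEYS)]
    for key in sorted(REQUIRED_KEYS & set(cfg)):
        if not isinstance(cfg[key], str) or not cfg[key].strip():
            findings.append(f"{key} must be a non-empty string")
    if findings:
        return findings  # the value checks below assume well-typed fields
    url = urlsplit(cfg["backend_url"])
    if url.scheme != "https":
        findings.append("backend_url must use https:// (the agent-server link is gRPC over mTLS)")
    if not url.hostname:
        findings.append("backend_url has no host")
    elif url.hostname in README_PLACEHOLDERS:
        findings.append("backend_url still contains the README placeholder host")
    try:
        if url.port is None:
            findings.append("backend_url must carry an explicit port")
    except ValueError:  # urlsplit defers port parsing; a non-numeric port raises here
        findings.append("backend_url port is not numeric")
    if url.path not in ("", "/") or url.query or url.fragment:
        findings.append("backend_url must be scheme://host:port only")
    for key in ("tls_ca", "tls_client_cert", "tls_client_key"):
        if not os.path.isabs(cfg[key]):
            findings.append(f"{key} must be an absolute path")
    if cfg["tls_client_key"] == cfg["tls_client_cert"]:
        findings.append("tls_client_key and tls_client_cert point to the same file")
    if cfg["auth_token"] in README_PLACEHOLDERS:
        findings.append("auth_token still contains the README placeholder token")
    return findings
```

Run against the unedited sample, the only findings are the two untouched placeholders; a config with a real host and token and no other changes passes cleanly.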