Security Documentation

This document is the operator-facing security guide for DaemonEye — threat model, security considerations, configuration, and best practices.

For the in-depth security architecture, formal threat model, and compliance-control mapping (NIST SP 800-53, FISMA/FedRAMP/CMMC, ISSO guidance), see Security Design Overview. This page stays at the operator/deployment level; that one is the deep reference.

Table of Contents

• Threat Model
  • Attack Vectors
  • Security Boundaries
• Security Architecture
  • Three-Component Security Model
  • Privilege Management
• Security Features
  • Memory Safety
  • Input Validation
  • Cryptographic Integrity
  • SQL Injection Prevention
• Security Configuration
  • Local IPC
  • Outbound Alert Delivery
  • Data Protection
• Security Best Practices
  • Deployment Security
  • Configuration Security
  • Operational Security
• Security Considerations
  • Threat Detection
  • Incident Response
• Compliance
  • Security Standards
  • Audit Requirements
• Security Testing
  • Vulnerability Assessment
  • Security Validation
• Security Updates
  • Update Process
  • Security Monitoring

Threat Model

Attack Vectors

DaemonEye is designed to protect against various attack vectors:

1. Process Injection: Monitoring for code injection techniques
2. Privilege Escalation: Detecting unauthorized privilege changes
3. Persistence Mechanisms: Identifying malicious persistence techniques
4. Lateral Movement: Monitoring for lateral movement indicators
5. Data Exfiltration: Detecting suspicious data access patterns

Security Boundaries

DaemonEye implements strict security boundaries:

• Process Isolation: Components run in separate processes
• Privilege Separation: Minimal required privileges per component
• Network Isolation: No listening ports by default
• Data Encryption: Sensitive data encrypted at rest and in transit
• Audit Logging: Comprehensive audit trail for all operations

Security Architecture

Three-Component Security Model

The three-component architecture provides defense in depth:

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│    ProcMonD     │    │ daemoneye-agent   │    │   daemoneye-cli   │
│  (Privileged)   │◄──►│  (User Space)   │◄──►│  (Management)   │
│                 │    │                 │    │                 │
│ • Process Enum  │    │ • Alerting      │    │ • Queries       │
│ • File Hashing  │    │ • Network Ops   │    │ • Configuration │
│ • Audit Logging │    │ • Rule Engine   │    │ • Monitoring    │
└─────────────────┘    └─────────────────┘    └─────────────────┘

Privilege Management

ProcMonD (Privileged):

• Requires CAP_SYS_PTRACE capability
• Runs with minimal required privileges
• Drops privileges after initialization
• Isolated from network operations

daemoneye-agent (User Space):

• Runs as non-privileged user
• Handles network operations
• No direct system access
• Communicates via IPC only

daemoneye-cli (Management):

• Runs as regular user
• Read-only access to data
• No system modification capabilities
• Audit all operations

Security Features

Memory Safety

DaemonEye is built in Rust with memory safety guarantees:

// No unsafe code allowed
#![forbid(unsafe_code)]

// Safe memory management
fn create_process_info(process: &Process) -> ProcessInfo {
    ProcessInfo {
        pid: process.pid().as_u32(),
        name: process.name().to_string(),
        executable_path: process.exe().map(|p| p.to_string_lossy().to_string()),
        // ... other fields
    }
}

Input Validation

Comprehensive input validation prevents injection attacks:

use validator::{Validate, ValidationError};

#[derive(Validate)]
pub struct DetectionRule {
    #[validate(length(min = 1, max = 1000))]
    pub name: String,

    #[validate(custom = "validate_sql")]
    pub sql_query: String,

    #[validate(range(min = 1, max = 1000))]
    pub priority: u32,
}

fn validate_sql(sql: &str) -> Result<(), ValidationError> {
    // Validate SQL syntax and prevent injection
    let ast = sqlparser::parse(sql)?;
    validate_ast(&ast)?;
    Ok(())
}

Cryptographic Integrity

BLAKE3 hashing and Ed25519 signatures ensure data integrity:

use blake3::Hasher;
use ed25519_dalek::{Keypair, Signature};

pub struct IntegrityChecker {
    hasher: Hasher,
    keypair: Keypair,
}

impl IntegrityChecker {
    pub fn hash_data(&self, data: &[u8]) -> [u8; 32] {
        self.hasher.update(data).finalize().into()
    }

    pub fn sign_data(&self, data: &[u8]) -> Signature {
        self.keypair.sign(data)
    }

    pub fn verify_signature(&self, data: &[u8], signature: &Signature) -> bool {
        self.keypair.verify(data, signature).is_ok()
    }
}

SQL Injection Prevention

Multiple layers of SQL injection prevention:

1. AST Validation: Parse and validate SQL queries [Implemented — sqlparser AST enforced at rule load time; SELECT-only with banned function list]
2. Prepared Statements: Use parameterized queries [Implemented]
3. Sandboxed Execution: Isolated query execution [Planned]
4. Input Sanitization: Clean and validate all inputs [Implemented]

Note

The detection rule execution engine (detection/mod.rs) currently uses category-based pattern matching rather than SQL evaluation. Full SQL-based execution against process data is [Planned].

use rusqlite::Connection;
use sqlparser::ast::Statement;

pub struct SafeQueryExecutor {
    conn: Connection,
    allowed_tables: HashSet<String>,
}

impl SafeQueryExecutor {
    pub fn execute_query(&self, query: &str) -> Result<QueryResult, QueryError> {
        // Parse and validate SQL
        let ast = sqlparser::parse(query)?;
        self.validate_ast(&ast)?;

        // Check table permissions
        self.check_table_access(&ast)?;

        // Execute with prepared statement
        let mut stmt = self.conn.prepare(query)?;
        let rows = stmt.query_map([], |row| {
            // Safe row processing
            Ok(ProcessRecord::from_row(row)?)
        })?;

        Ok(QueryResult::from_rows(rows))
    }
}

Security Configuration

Local IPC

DaemonEye components communicate over local IPC only — Unix domain sockets on Unix-like systems and named pipes on Windows. There is no inbound network surface and no listening TCP ports; access control is enforced by filesystem ownership and permissions on the socket path, not by network authentication.

ipc:
  # Unix domain socket path for procmond <-> daemoneye-agent IPC.
  # Owner-only permissions (0600) restrict access to the service account.
  socket_path: /run/daemoneye/agent.sock
  socket_permissions: '0600'
  # Protobuf frames are length-prefixed and CRC32-validated.
  framing: crc32

DaemonEye exposes no inbound network surface. It does not listen on any TCP port, and it requires no TLS, JWT, or RBAC server for component communication. Mutual TLS between host agents and upstream aggregators is a commercial-tier concern, sold separately, not in this repo.

Outbound Alert Delivery

Network use is outbound-only, for delivering alerts to configured sinks.

alerting:
  sinks:
    - type: stdout
    - type: syslog
    - type: file
      path: /var/log/daemoneye/alerts.log
    - type: webhook
      url: https://siem.example.com/ingest

Data Protection

security:
  encryption:
    enable_encryption: true
    algorithm: AES-256-GCM
    key_rotation_days: 30

  data_protection:
    enable_field_masking: true
    masked_fields: [command_line, environment_variables]
    enable_data_retention: true
    retention_days: 30

  audit:
    enable_audit_logging: true
    audit_log_path: /var/log/daemoneye/audit.log
    log_level: info
    include_sensitive_data: false

Security Best Practices

Deployment Security

1. Principle of Least Privilege:

   • Run components with minimal required privileges
   • Use dedicated users and groups
   • Drop privileges after initialization

2. Network Security:

   • Use TLS for all network communications
   • Implement firewall rules
   • Monitor network traffic

3. Data Protection:

   • Encrypt sensitive data at rest
   • Use secure key management
   • Implement data retention policies

4. Access Control:

   • Implement role-based access control
   • Use strong authentication
   • Monitor access patterns

Configuration Security

1. Secure Defaults:

   • Disable unnecessary features
   • Use secure default settings
   • Require explicit configuration for sensitive features

2. Secret Management:

   • Use environment variables for secrets
   • Implement secret rotation
   • Never hardcode credentials

3. Input Validation:

   • Validate all inputs
   • Sanitize user data
   • Use parameterized queries

Operational Security

1. Monitoring:

   • Monitor system health
   • Track security events
   • Implement alerting

2. Logging:

   • Enable comprehensive logging
   • Use structured logging
   • Implement log rotation

3. Updates:

   • Keep software updated
   • Monitor security advisories
   • Test updates in staging

Security Considerations

Threat Detection

DaemonEye can detect various security threats:

1. Malware Execution:

   • Suspicious process names
   • Unusual execution patterns
   • Code injection attempts

2. Privilege Escalation:

   • Unauthorized privilege changes
   • Setuid/setgid abuse
   • Capability escalation

3. Persistence Mechanisms:

   • Startup modifications
   • Service installations
   • Scheduled task creation

4. Lateral Movement:

   • Network scanning
   • Credential theft
   • Remote execution

Incident Response

1. Detection:

   • Real-time monitoring
   • Automated alerting
   • Threat intelligence integration

2. Analysis:

   • Forensic data collection
   • Timeline reconstruction
   • Root cause analysis

3. Containment:

   • Process isolation
   • Network segmentation
   • Access restrictions

4. Recovery:

   • System restoration
   • Security hardening
   • Monitoring enhancement

Compliance

Security Standards

DaemonEye helps meet various security standards:

1. NIST Cybersecurity Framework:

   • Identify: Asset discovery and classification
   • Protect: Access control and data protection
   • Detect: Continuous monitoring and threat detection
   • Respond: Incident response and automation
   • Recover: Business continuity and restoration

2. ISO 27001:

   • Information security management
   • Risk assessment and treatment
   • Security monitoring and incident management
   • Continuous improvement

3. SOC 2:

   • Security controls
   • Availability monitoring
   • Processing integrity
   • Confidentiality protection

Audit Requirements

1. Audit Logging:

   • Comprehensive event logging
   • BLAKE3 hash-chained audit ledger [Implemented]; Merkle tree inclusion proofs [In Progress — generate_inclusion_proof() is stubbed]
   • Long-term retention

2. Access Controls:

   • User authentication
   • Role-based authorization
   • Access monitoring

3. Data Protection:

   • Encryption at rest and in transit
   • Data classification
   • Retention policies

Security Testing

Vulnerability Assessment

1. Static Analysis:

   • Code review
   • Dependency scanning
   • Configuration validation

2. Dynamic Analysis:

   • Penetration testing
   • Fuzzing
   • Runtime monitoring

3. Security Scanning:

   • Container image scanning
   • Network vulnerability scanning
   • Application security testing

Security Validation

1. Unit Testing:

   • Security function testing
   • Input validation testing
   • Error handling testing

2. Integration Testing:

   • Component interaction testing
   • Security boundary testing
   • End-to-end security testing

3. Performance Testing:

   • Security overhead measurement
   • Load testing with security features
   • Stress testing under attack

Security Updates

Update Process

1. Security Advisories:

   • Monitor security mailing lists
   • Track CVE databases
   • Subscribe to vendor notifications

2. Patch Management:

   • Test patches in staging
   • Deploy during maintenance windows
   • Verify patch effectiveness

3. Vulnerability Response:

   • Assess vulnerability impact
   • Implement temporary mitigations
   • Deploy permanent fixes

Security Monitoring

1. Threat Intelligence:

   • Subscribe to threat feeds
   • Monitor security blogs
   • Participate in security communities

2. Continuous Monitoring:

   • Real-time security monitoring
   • Automated threat detection
   • Incident response automation

3. Security Metrics:

   • Track security KPIs
   • Monitor compliance metrics
   • Report security status

This security documentation provides comprehensive guidance for securing DaemonEye deployments. For additional security information, consult the specific security guides or contact the security team.