Core API Reference

Table of Contents#

Core Data Models
Configuration API
Storage API
Detection API
Alerting API
Crypto API
Telemetry API
Error Types

Core Data Models#

ProcessRecord#

Represents a single process snapshot with comprehensive metadata.

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct ProcessRecord {
    /// Unique identifier for this process record
    pub id: Uuid,
    /// Scan identifier this record belongs to
    pub scan_id: i64,
    /// Collection timestamp in milliseconds since Unix epoch
    pub collection_time: i64,
    /// Process ID
    pub pid: u32,
    /// Parent process ID
    pub ppid: Option<u32>,
    /// Process name
    pub name: String,
    /// Path to executable file
    pub executable_path: Option<PathBuf>,
    /// Command line arguments
    pub command_line: Vec<String>,
    /// Process start time in milliseconds since Unix epoch
    pub start_time: Option<i64>,
    /// CPU usage percentage
    pub cpu_usage: Option<f64>,
    /// Memory usage in bytes
    pub memory_usage: Option<u64>,
    /// SHA-256 hash of executable file
    pub executable_hash: Option<String>,
    /// Hash algorithm used (always "sha256")
    pub hash_algorithm: Option<String>,
    /// User ID running the process
    pub user_id: Option<String>,
    /// Whether process data was accessible
    pub accessible: bool,
    /// Whether executable file exists
    pub file_exists: bool,
    /// Platform-specific data
    pub platform_data: Option<serde_json::Value>,
}

Alert#

Represents a detection result with full context and metadata.

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct Alert {
    pub id: Uuid,
    pub alert_time: i64,
    pub rule_id: String,
    pub title: String,
    pub description: String,
    pub severity: AlertSeverity,
    pub scan_id: Option<i64>,
    pub affected_processes: Vec<u32>,
    pub process_count: i32,
    pub alert_data: serde_json::Value,
    pub rule_execution_time_ms: Option<i64>,
    pub dedupe_key: String,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub enum AlertSeverity {
    Low,
    Medium,
    High,
    Critical,
}

DetectionRule#

Represents a SQL-based detection rule with metadata and versioning.

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct DetectionRule {
    pub id: String,
    pub name: String,
    pub description: Option<String>,
    pub version: i32,
    pub sql_query: String,
    pub enabled: bool,
    pub severity: AlertSeverity,
    pub category: Option<String>,
    pub tags: Vec<String>,
    pub author: Option<String>,
    pub created_at: i64,
    pub updated_at: i64,
    pub source_type: RuleSourceType,
    pub source_path: Option<PathBuf>,
}

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub enum RuleSourceType {
    Builtin,
    File,
    User,
}

Configuration API#

Hierarchical Configuration#

use daemoneye_lib::config::{Config, ConfigBuilder, ConfigError};

let mut builder = ConfigBuilder::new();
builder
    .add_embedded_defaults()?
    .add_file("/etc/daemoneye/config.yaml")?
    .add_file("~/.config/daemoneye/config.yaml")?
    .add_environment("DaemonEye_")?
    .add_cli_args(args)?;

let config: Config = builder.build()?;
let scan_interval = config.get::<u64>("app.scan_interval_ms")?;

Storage API#

Event Store (redb)#

use daemoneye_lib::storage::{EventStore, EventStoreConfig, ProcessQuery};

let config = EventStoreConfig {
    path: "/var/lib/daemoneye/events.redb".into(),
    max_size_mb: 10240,
    wal_mode: true,
    max_connections: 10,
};

let event_store = EventStore::new(config)?;
event_store.store_processes(&processes).await?;

let query = ProcessQuery::new()
    .with_pid(1234)
    .with_name("chrome")
    .with_time_range(start_time, end_time);
let results = event_store.query_processes(&query).await?;

Audit Ledger (SQLite)#

use daemoneye_lib::storage::{AuditLedger, AuditEntry};

let audit_ledger = AuditLedger::new("/var/lib/daemoneye/audit.sqlite")?;
let entry = AuditEntry {
    actor: "procmond".to_string(),
    action: "process_collection".to_string(),
    payload: serde_json::json!({"process_count": 150, "scan_id": 12345}),
};
let record = audit_ledger.append_entry(&entry).await?;

Detection API#

SQL Validator#

use daemoneye_lib::detection::{SqlValidator, ValidationResult};

let validator = SqlValidator::new()
    .with_allowed_functions(vec!["count", "sum", "avg", "min", "max"])
    .with_read_only_mode(true)
    .with_timeout(Duration::from_secs(30));

let sql = "SELECT pid, name, cpu_usage FROM processes WHERE cpu_usage > 50.0";
let result = validator.validate_query(sql)?;

Detection Engine#

use daemoneye_lib::detection::{DetectionEngine, RuleExecutionConfig};

let detection_engine = DetectionEngine::new(config)?;
let results = detection_engine.execute_rules(&execution_config).await?;

Alerting API#

Alert Manager#

use daemoneye_lib::alerting::{AlertManager, AlertManagerConfig, DeduplicationConfig};

let config = AlertManagerConfig {
    deduplication: DeduplicationConfig {
        enabled: true,
        window_minutes: 60,
        key_fields: vec!["rule_id".to_string(), "process_name".to_string()],
    },
    max_queue_size: 10000,
    delivery_timeout: Duration::from_secs(30),
};
let alert_manager = AlertManager::new(config)?;

Alert Sinks#

Pluggable alert delivery channels: stdout, syslog, webhooks, and more.

Crypto API#

Hash Chain (BLAKE3 + Ed25519)#

use daemoneye_lib::crypto::{HashChain, HashChainConfig};

let config = HashChainConfig {
    algorithm: HashAlgorithm::Blake3,
    enable_signatures: true,
    private_key_path: Some("/etc/daemoneye/private.key".into()),
};
let mut hash_chain = HashChain::new(config)?;
let record = hash_chain.append_entry(&entry).await?;
let verification_result = hash_chain.verify_chain().await?;

Telemetry API#

Prometheus-compatible metrics collection and health monitoring.

Error Types#

Categories: ConfigurationError, DatabaseError, DetectionError, AlertingError, CryptoError, ValidationError, IoError