Dosu Logo
Home
Documents
Epic Brief: Complete Procmond Implementation
Epic Brief: Complete Procmond Implementation
Type
External
Status
Published
Created
Apr 18, 2026
Updated
Apr 18, 2026
Source
View

Epic Brief: Complete Procmond Implementation#

Summary#

DaemonEye requires a production-ready process monitoring daemon (procmond) that serves as the foundation for security monitoring across Linux, macOS, Windows, and FreeBSD platforms. While core process enumeration functionality exists for primary platforms, the implementation needs architectural refinement, FreeBSD support, security hardening, performance validation, and integration with the daemoneye-agent service orchestrator. This Epic covers completing the procmond implementation as a Monitor Collector that continuously observes system processes, detects suspicious activity, and triggers analysis collectors through an event-driven architecture. The work includes finishing platform-specific features, implementing IPC communication with daemoneye-agent, hardening security boundaries, validating performance against targets, and achieving comprehensive test coverage to deliver a reliable, secure, and performant process monitoring foundation for the DaemonEye security platform.

Context & Problem#

Who's Affected#

Primary Users:

  • Security Operations Teams: Need reliable, real-time process monitoring to detect threats and investigate incidents across heterogeneous infrastructure
  • System Administrators: Require low-overhead monitoring that works consistently across Linux, macOS, Windows, and FreeBSD environments
  • Compliance Officers: Need tamper-evident audit trails and comprehensive process metadata for regulatory requirements
  • DevOps Engineers: Need monitoring that operates in air-gapped, containerized, and high-security environments
    Secondary Users:
  • Incident Response Teams: Depend on accurate process genealogy and metadata for forensic analysis
  • Threat Hunters: Need rich process context (network connections, file descriptors, security contexts) for proactive threat hunting

Current Pain Points#

Incomplete Platform Coverage

  • FreeBSD support is missing or incomplete, limiting deployment options for security-conscious organizations that standardize on BSD systems
  • Platform-specific metadata collection varies in depth, creating inconsistent detection capabilities across environments
  • Secondary platform support (Solaris, AIX) is undefined, blocking enterprise adoption in heterogeneous data centers
    Architectural Gaps
  • Process collectors exist but lack full integration with the daemoneye-agent service orchestrator, preventing complete lifecycle management and health monitoring
  • Event bus communication between procmond and daemoneye-agent needs refinement for the event-driven architecture
  • Monitor Collector behavior (continuous operation, event generation, triggering other collectors) requires completion
  • Privilege separation between privileged process enumeration and unprivileged detection logic needs validation
    Security Concerns
  • Privilege management is incomplete - unclear when elevated privileges are required and how to drop them safely
  • Data sanitization (command-line arguments, environment variables) is not consistently applied, risking exposure of secrets in logs
  • Security boundaries between procmond (privileged) and daemoneye-agent (unprivileged) are not enforced
  • No validation that the implementation meets least-privilege principles
    Performance Uncertainty
  • Performance benchmarks haven't been validated against targets (e.g., enumerate 1,000 processes in <100ms)
  • No load testing with 10,000+ processes to validate scalability claims
  • Memory usage and CPU overhead under sustained operation are unverified
  • No regression testing to prevent performance degradation
    Testing Gaps
  • Test coverage is below target thresholds (<80% unit, <90% critical paths)
  • Cross-platform integration tests are incomplete or missing
  • Security testing (privilege escalation, injection attacks, DoS) is insufficient
  • No chaos testing for resilience validation

Where in the Product#

This Epic affects the core monitoring foundation of DaemonEye:
Component Hierarchy:

DaemonEye Platform
├── daemoneye-agent (service orchestrator)
│ └── procmond (process monitor) ← THIS EPIC
│ ├── Process Enumeration Engine
│ ├── Platform-Specific Collectors (Linux, macOS, Windows, FreeBSD)
│ ├── Event Detection & Triggering
│ └── Event Bus Integration Layer
├── daemoneye-cli (management interface)
└── Detection Engine (consumes procmond data)

Integration Points:

  • Upstream: Operating system APIs (procfs, WinAPI, BSD sysctl)
  • Downstream: daemoneye-agent (lifecycle management, event bus), detection engine (SQL queries), alert system
  • Lateral: Other collectors (binary hasher, memory analyzer) triggered by procmond events via event bus

Root Cause Analysis#

The current state reflects incremental development without complete architectural integration:

  1. Phase 1 (Complete): Core process enumeration implemented using sysinfo crate with platform-specific enhancements
  2. Phase 2 (Incomplete): Integration with daemoneye-agent architecture and IPC communication
  3. Phase 3 (Not Started): Security hardening, performance validation, comprehensive testing
  4. Phase 4 (Not Started): Production readiness (observability, documentation, deployment)
    The gap exists because:
  • Initial focus was on proving cross-platform enumeration feasibility
  • Architectural decisions for service orchestration (daemoneye-agent) and event bus integration evolved during development
  • Security and performance requirements were deferred to avoid premature optimization
  • Testing infrastructure development lagged behind feature implementation

Business Impact#

Without completing this Epic:

  • ❌ DaemonEye cannot be deployed in production environments (no service lifecycle management)
  • ❌ FreeBSD users cannot adopt DaemonEye (platform gap)
  • ❌ Security-conscious organizations cannot trust the implementation (unvalidated security boundaries)
  • ❌ Performance claims are unverified (risk of production issues)
  • ❌ Detection capabilities are inconsistent across platforms (metadata gaps)
    With this Epic complete:
  • ✅ Production-ready process monitoring across all target platforms
  • ✅ Reliable service lifecycle management through daemoneye-agent
  • ✅ Validated security boundaries and privilege separation
  • ✅ Proven performance characteristics under load
  • ✅ Comprehensive test coverage for confidence in reliability
  • ✅ Foundation for event-driven security monitoring architecture

Scope#

In Scope#

Platform Completion

  • Complete FreeBSD support with basic process enumeration (best-effort, documented limitations)
  • Fill metadata gaps across primary platforms (Linux, macOS, Windows)
    CLI Features (Basic)
  • Health check commands for procmond status
  • Diagnostic commands for troubleshooting
  • Performance metrics display
  • Configuration update commands
  • Validate cross-platform consistency in data models and behavior
    Architectural Integration
  • Complete event bus integration between procmond and daemoneye-agent:
    • Implement missing RPC patterns for lifecycle management (start/stop/restart)
    • Add comprehensive error handling and reconnection logic for event bus failures
    • Implement missing topic subscriptions and publishing patterns
    • Performance optimization and load testing of event bus communication
  • Integrate procmond with daemoneye-agent service lifecycle management
  • Implement Monitor Collector behavior (continuous operation, event generation, triggering)
  • Define and enforce privilege boundaries between components
    Security Hardening
  • Implement privilege detection and management (capabilities, tokens)
  • Add data sanitization for command-line arguments and environment variables
  • Validate security boundaries and least-privilege principles
  • Create security test suite (privilege escalation, injection, DoS)
    Performance Validation
  • Benchmark process enumeration against targets (1,000 processes in <100ms)
  • Load test with 10,000+ processes
  • Validate memory usage (<100MB) and CPU overhead (<5%)
  • Implement performance regression testing
    Testing & Quality
  • Achieve >80% unit test coverage, >90% critical path coverage
  • Create cross-platform integration test suite
  • Implement chaos testing for resilience validation
  • Add property-based testing for edge cases
    Documentation
  • Architecture documentation (component interactions, privilege model)
  • Deployment guides (installation, configuration, troubleshooting)
  • API documentation (ProcessCollector trait, data models)
  • Security documentation (threat model, security controls)

Out of Scope#

Deferred to Future Epics

  • Advanced behavioral analysis and machine learning-based anomaly detection
  • Real-time process monitoring with sub-second event detection
  • Kernel-level monitoring (eBPF on Linux, ETW on Windows)
  • Integration with external threat intelligence feeds
  • Commercial features (Security Center, federated architecture)
  • Support for secondary platforms beyond FreeBSD (Solaris, AIX)
    Explicitly Not Included
  • Detection rule authoring and management (separate Epic)
  • Alert delivery and notification systems (separate Epic)
  • Advanced CLI features (query interface, rule management, advanced diagnostics) (separate Epic)
  • Database schema and storage layer (separate Epic)
  • Enhanced FreeBSD metadata collection (deferred to future work)

Success Criteria#

Functional Completeness

  • ✅ Process enumeration works on Linux, macOS, Windows (full support) and FreeBSD (basic support)
  • ✅ Platform-specific metadata collection is consistent on primary platforms (Linux, macOS, Windows)
  • ✅ Event bus communication with daemoneye-agent is reliable and performant
  • ✅ Service lifecycle (start, stop, restart, health checks) works correctly via RPC patterns
  • ✅ Monitor Collector behavior (event generation, triggering) is functional
  • ✅ Basic CLI commands for health checks and diagnostics are implemented
    Security Validation
  • ✅ Privilege boundaries are enforced and validated
  • ✅ Data sanitization prevents secret exposure
  • ✅ Security test suite passes with no critical vulnerabilities
  • ✅ Least-privilege principles are documented and verified
    Performance Targets
  • ✅ Enumerate 1,000 processes in <100ms (average, primary platforms)
  • ✅ Support 10,000+ processes without degradation
  • ✅ Memory usage <100MB during normal operation
  • ✅ CPU overhead <5% during continuous monitoring
    Quality Metrics
  • ✅ >80% unit test coverage across all modules
  • ✅ >90% critical path coverage:
    • Process enumeration on all platforms
    • Event bus communication (publish/subscribe/reconnection)
    • Core monitoring loop and lifecycle detection
    • All error handling and recovery paths
    • Security boundaries (privilege management, data sanitization)
  • ✅ Cross-platform integration tests pass on all target platforms
  • ✅ Zero regressions in performance benchmarks
    Operational Readiness
  • ✅ Architecture documentation complete and reviewed
  • ✅ Deployment guides tested on all platforms
  • ✅ API documentation generated and published
  • ✅ Security documentation reviewed by security team

Key Assumptions#

  1. Platform Support: FreeBSD 13+ is the only secondary platform in scope; other BSDs and Unix variants are deferred
  2. Performance Targets: Current targets (100ms for 1,000 processes) are based on typical deployment scenarios; extreme edge cases (100,000+ processes) are out of scope
  3. Security Model: Privilege separation between procmond (elevated) and daemoneye-agent (unprivileged) is the correct architectural approach
  4. IPC Technology: The daemoneye-eventbus, as the previous IPC and RPC technologies are not used within procmond.
  5. Testing Infrastructure: Existing CI/CD pipeline (GitHub Actions) is sufficient for cross-platform testing
  6. Timeline Flexibility: Milestone dates are flexible and will be updated based on actual progress

Constraints#

Technical Constraints

  • Must maintain backward compatibility with existing ProcessRecord data model
  • Must use Rust 2024 edition with MSRV 1.91+
  • Must follow workspace-level lints (unsafe_code = "forbid", warnings = "deny")
  • Must integrate with existing collector-core framework and daemoneye-eventbus
    Resource Constraints
  • Single developer (unclesp1d3r) as primary contributor
  • Limited access to FreeBSD testing infrastructure
  • No dedicated security audit team (self-review required)
    Operational Constraints
  • Must support air-gapped deployments (no external dependencies at runtime)
  • Must operate in containerized environments (Docker, Kubernetes)
  • Must respect platform security boundaries (SELinux, AppArmor, SIP)
  • GitHub Issue #39: Cross-platform process enumeration (foundation)
  • GitHub Issue #89: Complete procmond implementation (parent issue)
  • GitHub Issue #40: Binary hashing collector (triggered by procmond)
  • GitHub Issue #103: daemoneye-agent service architecture (integration point)
  • GitHub Issue #64: Core Tier Functionality Epic (broader context)

References#

  • Architecture: .kiro/steering/structure.md (repo)
  • Technical Stack: .kiro/steering/tech.md (repo)
  • Development Guide: AGENTS.md (repo)
  • Existing Implementation: procmond/src/ (repo)
  • Data Models: daemoneye-lib/src/models/process.rs (repo)

Source note: Migrated from the public repo (spec/procmond/specs/Epic_Brief__Complete_Procmond_Implementation.md) on 2026-04-17. The repo copy has been removed.