Security Design Overview

Executive Summary#

DaemonEye is a security-focused, high-performance process monitoring system designed to provide continuous threat detection and behavioral analysis while maintaining strict security boundaries and audit-grade integrity. The system implements a three-component architecture with privilege separation, cryptographic integrity verification, and comprehensive audit logging to meet enterprise security requirements.
This document provides a comprehensive technical overview of DaemonEye's security design, architecture, and implementation details for security professionals, compliance officers, and system architects responsible for threat detection and incident response capabilities.

Security Architecture Overview#

Core Security Principles#

DaemonEye is built on fundamental security principles that guide every aspect of its design and implementation:
Principle of Least Privilege: Each component operates with the minimum privileges required for its specific function, with immediate privilege dropping after initialization.
Defense in Depth: Multiple layers of security controls protect against various attack vectors, from memory safety to network isolation.
Fail-Safe Design: The system fails securely, maintaining monitoring capabilities even when individual components experience issues.
Audit-First Approach: All security-relevant events are cryptographically logged with tamper-evident integrity guarantees.
Zero Trust Architecture: No component trusts another without explicit verification, and all communications are authenticated and encrypted.

Three-Component Security Architecture#

The system consists of three components within defined security boundaries:

procmond (Process Collector) - Privileged Domain: Minimal privileges, process enumeration, hash computation, audit logging, no network access
daemoneye-agent (Detection Orchestrator) - User Space Domain: SQL detection engine, alert management, multi-channel delivery, database management, outbound-only network
daemoneye-cli (Operator Interface) - User Space Domain: Query interface, system management, no direct DB access, no network access
Data Storage includes:
Audit Ledger (Merkle Tree): Tamper-evident, append-only, cryptographic integrity
Event Store (redb Database): Process data, detection results, alert history

Security Control Matrix#

<table header-row="true">
<tr>
<td>Security Control</td>
<td>procmond</td>
<td>daemoneye-agent</td>
<td>daemoneye-cli</td>
<td>Implementation</td>
</tr>
<tr>
<td>Privilege Separation</td>
<td>Elevated (temporary)</td>
<td>User space</td>
<td>User space</td>
<td>Platform-specific capabilities</td>
</tr>
<tr>
<td>Network Isolation</td>
<td>No network</td>
<td>Outbound only</td>
<td>No network</td>
<td>Firewall rules + code restrictions</td>
</tr>
<tr>
<td>Memory Safety</td>
<td>Rust + zero unsafe</td>
<td>Rust + zero unsafe</td>
<td>Rust + zero unsafe</td>
<td>Compiler-enforced</td>
</tr>
<tr>
<td>Input Validation</td>
<td>Protobuf schema</td>
<td>SQL AST validation</td>
<td>CLI validation</td>
<td>Type-safe parsing</td>
</tr>
<tr>
<td>Audit Logging</td>
<td>All operations</td>
<td>All operations</td>
<td>All operations</td>
<td>Structured JSON + Merkle tree</td>
</tr>
<tr>
<td>Cryptographic Integrity</td>
<td>BLAKE3 hashing</td>
<td>BLAKE3 hashing</td>
<td>BLAKE3 hashing</td>
<td>Hardware-accelerated</td>
</tr>
<tr>
<td>Error Handling</td>
<td>Graceful degradation</td>
<td>Circuit breakers</td>
<td>Safe defaults</td>
<td>Comprehensive error types</td>
</tr>
</table>

## Threat Model and Security Boundaries ### Attack Surface Analysis **Primary Attack Vectors**: 1. **Process Enumeration Attacks**: Attempts to exploit privileged process access 2. **SQL Injection**: Malicious detection rules targeting the SQL engine 3. **IPC Communication Attacks**: Exploitation of inter-process communication 4. **Database Tampering**: Attempts to modify stored process data or audit logs 5. **Privilege Escalation**: Exploitation of temporary elevated privileges 6. **Network-based Attacks**: Exploitation of alert delivery channels ### Security Boundary Enforcement **Process Isolation**: - procmond runs in isolated process space with minimal privileges - daemoneye-agent operates in user space with restricted database access - daemoneye-cli has no direct system access, only IPC communication
**Network Isolation**: - procmond: Zero network access (air-gapped) - daemoneye-agent: Outbound-only connections for alert delivery - daemoneye-cli: No network access, local IPC only
**Data Access Controls**: - Audit ledger: Write-only for procmond, read-only for others - Event store: Read/write for daemoneye-agent, query-only for daemoneye-cli - Configuration: Hierarchical access with validation ### Threat Mitigation Strategies **Memory Safety**: Rust's ownership system prevents buffer overflows and use-after-free. Zero unsafe code policy with isolated exceptions. Comprehensive testing including fuzzing and static analysis.
**Input Validation**: Protobuf schema validation for all IPC messages. SQL AST parsing with whitelist-based function approval. CLI argument validation with type safety.
**Cryptographic Protection**: BLAKE3 hashing for all audit entries. Merkle tree integrity verification. Optional Ed25519 signatures for external verification. ## Component Security Design ### procmond (Process Collection Component) **Security Role**: Privileged data collector with minimal attack surface
**Security Features**: - **Temporary Privilege Escalation**: Requests only required capabilities (CAP_SYS_PTRACE on Linux, SeDebugPrivilege on Windows) - **Immediate Privilege Drop**: Drops all elevated privileges after initialization - **No Network Access**: Completely air-gapped from network interfaces - **Minimal Codebase**: Simple, auditable process enumeration logic - **Cryptographic Hashing**: SHA-256 computation for executable integrity verification - **Audit Logging**: All operations logged to tamper-evident audit ledger ```rust pub struct ProcessCollector { privilege_manager: PrivilegeManager, hash_computer: SecureHashComputer, audit_logger: AuditLogger, }

impl ProcessCollector {
pub async fn initialize(&mut self) -> Result<()> {
self.privilege_manager.request_enhanced_privileges().await?;
self.setup_process_enumeration().await?;
self.privilege_manager.drop_privileges().await?;
self.audit_logger.log_privilege_drop().await?;
Ok(())
}
}

### daemoneye-agent (Detection Orchestrator)
**Security Role**: User-space detection engine with network alerting capabilities<br>**Security Features**:
- **SQL Injection Prevention**: \[Implemented\] AST-based query validation at rule load time with whitelist functions
- **Sandboxed Execution**: \[Planned\] Read-only database connections for rule execution (detection engine currently uses pattern matching, not SQL-based execution)
- **Resource Limits**: Timeout and memory constraints on detection rules
- **Multi-Channel Alerting**: Circuit breaker pattern for reliable delivery
- **Audit Trail**: Comprehensive logging of all detection activities<br>**SQL Security Implementation**:
- AST Validation: \[Implemented\] Parse SQL queries at rule load time using sqlparser to prevent injection attacks
- Function Whitelist: \[Implemented\] Only allow SELECT statements with approved functions (COUNT, SUM, AVG, MIN, MAX, LENGTH, SUBSTR, datetime functions) during rule validation
- Prepared Statements: \[Planned\] Use prepared statements with read-only database connections (execution-time enforcement not yet implemented — detection engine currently uses pattern matching)
- Timeout Protection: Complete within 30 seconds or timeout with appropriate logging
```rust
pub struct SqlValidator {
    parser: sqlparser::Parser<sqlparser::dialect::SQLiteDialect>,
    allowed_functions: HashSet<String>,
    forbidden_statements: HashSet<String>,
}

impl SqlValidator {
    pub fn validate_query(&self, sql: &str) -> Result<ValidationResult> {
        let ast = self.parser.parse_sql(sql)?;
        for statement in &ast {
            match statement {
                Statement::Query(query) => {
                    self.validate_select_query(query)?;
                }
                _ => return Err(ValidationError::ForbiddenStatement),
            }
        }
        self.validate_function_usage(&ast)?;
        Ok(ValidationResult::Valid)
    }
}

daemoneye-cli (Operator Interface)#

Security Role: Secure query interface with no direct system access
Security Features:

Full Read/Write Database Access: $Current$ CLI currently has full read/write database access via DatabaseManager::new() (architecture violation — planned transition to read-only access)
Input Sanitization: Comprehensive validation of all user inputs
Safe SQL Execution: Prepared statements with parameter binding
Output Formats: Support JSON, human-readable table, and CSV output
Rule Management: List, validate, test, and import/export detection rules
Health Monitoring: Display component status with color-coded indicators
Large Dataset Support: Streaming and pagination for result sets

Cryptographic Security Framework#

Hash Function Selection#

BLAKE3 for Audit Integrity:

256-bit security level with resistance to length extension attacks
Hardware acceleration with optimized implementations
Deterministic and consistent output across platforms
SHA-256 for Executable Hashing:
Industry standard, widely recognized and trusted
Integrates with existing security tools and databases
Easy integration with external verification systems
FIPS 140-2 Compliance:
FIPS 140-2 Level 1: Software-based cryptographic module
Approved Algorithms: SHA-256, BLAKE3 (when approved), Ed25519
FIPS-approved key generation and storage
CMVP validation support
Common Criteria Evaluation:
Target of Evaluation (TOE): DaemonEye security monitoring system
Evaluation Assurance Level (EAL): EAL4+ evaluation support
Custom protection profile development

Merkle Tree Audit Ledger#

Cryptographic Properties:

Tamper Evidence: Any modification to historical entries invalidates the entire chain
Inclusion Proofs: $In Progress$ Cryptographic proof that specific entries exist in the ledger — BLAKE3 hash-chained audit ledger implemented; Merkle tree inclusion proof generation stubbed (returns empty vec in crypto.rs)
Checkpoint Signatures: Optional Ed25519 signatures for external verification
Forward Security: New entries don't compromise historical integrity
Append-Only: Monotonic sequence numbers for all entries
BLAKE3 Hashing: Fast, cryptographically secure hash computation
Millisecond Precision: Proper ordering and millisecond-precision timestamps

pub struct AuditLedger {
    merkle_tree: MerkleTree<Blake3Hasher>,
    checkpoints: Vec<Checkpoint>,
    signature_key: Option<Ed25519KeyPair>,
}

impl AuditLedger {
    pub fn append_entry(&mut self, entry: AuditEntry) -> Result<InclusionProof> {
        let canonical = self.canonicalize_entry(&entry)?;
        let leaf_hash = Blake3Hasher::hash(&canonical);
        self.merkle_tree.insert(leaf_hash).commit();

        let proof = self.merkle_tree
            .proof(&[self.merkle_tree.leaves().len() - 1]);

        if self.should_create_checkpoint() {
            self.create_signed_checkpoint()?;
        }

        Ok(proof)
    }
}

Key Management#

Ed25519 key pairs generated using secure random number generation
Keys stored in OS keychain or hardware security modules when available
Key rotation policies for long-term deployments
Public key distribution through secure channels
Air-gap compatible verification procedures

Performance and Scalability#

Verified Performance Requirements#

Core Performance Targets:

CPU Usage: \< 5% sustained during continuous monitoring
Process Enumeration: \< 5 seconds for systems with up to 10,000 processes
Detection Rule Timeout: 30 seconds maximum execution time
Alert Delivery Retry: Up to 3 attempts with maximum 60-second delay
Audit Timestamps: Millisecond-precision timestamps
Enterprise Performance Targets:
Kernel Event Processing: Sub-millisecond latency from event occurrence to detection
Fleet Query Response: \< 60 seconds for queries across up to 10,000 endpoints
CPU Overhead: \< 2% per monitored endpoint for 10,000+ processes
Event Processing: 100,000+ events per minute with sub-second query response

Resource Management#

Rust's ownership system prevents buffer overflows and use-after-free
Zero unsafe code policy with isolated exceptions
Bounded channels with configurable capacity
Circuit breaker patterns for external dependencies
Graceful degradation under resource constraints

Data Protection and Privacy#

Data Classification#

Core Data Types (All Tiers):

Public Data: Process names, basic system information
Internal Data: Process metadata, detection rules, configuration
Confidential Data: Command line arguments, file paths, user information
Restricted Data: Cryptographic hashes, audit logs, alert details

Privacy Controls#

Data Masking (All Tiers): Configurable redaction of sensitive command line arguments, optional anonymization of user identifiers, field-level privacy controls.
Retention Policies (All Tiers): Configurable data retention periods, automatic purging of expired data, secure deletion procedures.
Access Controls (All Tiers): Role-based access to different data classifications, audit logging of all data access, principle of least privilege.

Business Tier Data Protection Features#

Security Center: Centralized aggregation and management
mTLS Authentication: $Planned$ Mutual TLS with certificate chain validation
Certificate Management: $Planned$ Automated certificate provisioning and rotation
Standard Format Support: CEF, structured JSON, and STIX-lite exports
SIEM Integration: Native connectors for Splunk, Elasticsearch, and Kafka
Signed Installers: $Planned$ MSI (Windows) and DMG (macOS) with valid code signing certificates

Enterprise Tier Data Protection Features#

SLSA Level 3 Provenance: $Planned$ Complete software supply chain attestation
Cosign Signatures: $Planned$ Hardware security module-backed code signing
Software Bill of Materials (SBOM): $Planned$ Complete dependency and component inventory
Multi-Tier Security Centers: $Planned$ Hierarchical data aggregation across geographic regions
Data Sovereignty: $Planned$ Regional data residency compliance
STIX/TAXII Integration: $Planned$ Automated threat intelligence feed consumption

Compliance Features#

Core Compliance (All Tiers):

GDPR: Data minimization, right to erasure, data portability, privacy by design
SOC 2 Type II: Comprehensive audit logging, access control documentation, incident response
NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
Business Tier: Centralized audit logs, automated compliance reporting, data retention management, SIEM integration compliance
Enterprise Tier: NIST SP 800-53, ISO 27001, CIS Controls, FedRAMP, FISMA compliance, quarterly threat updates, SLSA Level 3 provenance $Planned$

Audit and Compliance Features#

Comprehensive Audit Logging#

Structured Logging: JSON format with consistent field naming, correlation IDs, millisecond-precision timestamps, configurable log levels, Prometheus-compatible metrics, HTTP health endpoints.
Audit Event Types: Process enumeration, detection rule executions, alert generation and delivery, system configuration changes, security events, administrative actions.

Compliance Reporting#

Automated Reports: Daily security summaries, weekly compliance dashboards, monthly audit reports, quarterly risk assessments.
Export Capabilities: SIEM integration (Splunk, Elasticsearch, QRadar), compliance tool integration, custom report generation, air-gap compatible exports.

Forensic Capabilities#

Incident Response: Timeline reconstruction, process tree analysis, hash verification for evidence integrity, chain of custody documentation.
Evidence Preservation: Immutable audit log storage, cryptographic integrity verification, secure backup and archival, legal hold procedures.

Network Security and Communication#

IPC Security Model#

Transport Security: Unix domain sockets with restricted permissions (0700 directory, 0600 socket), Windows named pipes with appropriate security descriptors, no network exposure.
Message Security: Protobuf schema validation, CRC32 integrity verification, length-delimited framing, timeout and rate limiting.
Authentication: Process-based authentication, capability negotiation, connection limits and monitoring.

Alert Generation Security#

Required Fields: Timestamp, severity, rule_id, title, and description
Process Details: Include affected process details (PID, name, executable path)
Severity Levels: Four levels (low, medium, high, critical)
Deduplication: Configurable deduplication keys
Database Storage: Alerts stored with delivery tracking

Alert Delivery Security#

Multi-Channel Delivery: stdout, syslog, webhook (HTTPS), email (SMTP with TLS), file output.
Delivery Guarantees: Circuit breaker pattern, exponential backoff with jitter, dead letter queue, delivery audit trail.
Network Isolation: Outbound-only connections, no listening ports, firewall-friendly design, air-gap compatibility.

Offline Operation Security#

All core functionality continues without network connectivity
Process enumeration, detection rules, and database operations function without degradation
Alert delivery degrades gracefully with local sinks continuing
Bundle-based configuration and rule distribution for airgapped systems
Validate and apply bundles atomically with conflict resolution

Operational Security Controls#

Configuration Security#

Secure Defaults: Minimal privilege requirements, disabled network features by default, strict input validation, comprehensive logging.
Configuration Validation: Schema-based validation, environment-specific checks, security policy enforcement, change audit logging.
Secrets Management: Environment variable support, OS keychain integration, no hardcoded credentials, secure credential rotation.

Monitoring and Alerting#

Security Metrics: Failed authentication attempts, privilege escalation events, SQL injection attempts, network connection failures, database integrity violations.
Health Monitoring: Component status tracking, performance metrics, resource utilization, error rate tracking.

Backup and Recovery#

Data Backup: Regular database snapshots, audit log archival, configuration backup, cryptographic verification.
Disaster Recovery: Point-in-time recovery, cross-platform restoration, integrity verification, testing procedures.

Security Testing and Validation#

Static Analysis#

Zero warnings policy with cargo clippy -- -D warnings
Memory safety verification and type safety enforcement
cargo audit for vulnerability detection
cargo deny for license compliance
Supply chain security verification

Dynamic Testing#

Fuzzing: SQL injection test vectors, protobuf message fuzzing, configuration file fuzzing, network protocol fuzzing.
Penetration Testing: Privilege escalation, IPC communication, database security, network isolation verification.
Performance Testing: Load testing with high process counts, memory usage profiling, CPU utilization monitoring.

Security Validation#

Hash function correctness and Merkle tree integrity
Signature verification and random number generation
SOC 2 Type II, GDPR, NIST framework compliance testing

US Government ISSO Considerations#

What DaemonEye Provides for ISSOs#

Audit-Grade Evidence Collection: Merkle tree audit ledger provides cryptographically verifiable evidence for compliance reporting and forensic investigations with inclusion proofs for every audit event.
Minimal Attack Surface for High-Risk Environments: Three-component architecture with privilege separation limits blast radius of potential security incidents.
Airgapped Operation Capability: Operates entirely offline, suitable for classified environments where network connectivity is restricted.

FISMA Compliance Support#

NIST SP 800-53 Control Implementation:

AU-2 (Audit Events): Comprehensive logging of all security-relevant events
AU-9 (Protection of Audit Information): Cryptographic integrity protection using BLAKE3
AU-10 (Non-Repudiation): Merkle tree provides cryptographic proof of data integrity
SI-4 (Information System Monitoring): Continuous process monitoring with real-time threat detection
SC-7 (Boundary Protection): Outbound-only network connections with no listening ports
AC-6 (Least Privilege): Minimal privilege implementation with immediate dropping
Evidence for ATO Packages: Cryptographic integrity verification reports, privilege separation documentation, input validation test results, performance benchmarks.

Risk Management Framework (RMF) Support#

Real-time security control effectiveness measurement, automated compliance reporting, performance metrics collection, incident detection and alerting.

FedRAMP Authorization Support#

No inbound network connections, cryptographic data protection at rest and in transit, comprehensive audit logging, minimal privilege implementation.

DoD and Intelligence Community Support#

STIG Compliance: Process isolation, cryptographic data protection, comprehensive audit logging, input validation.
CMMC Level Support: Data classification handling, access control implementation, audit trail maintenance, incident response capabilities.
Intelligence Community: Airgapped operation, multi-level security support, compartmented information handling, cross-domain solution compatibility.

Additional NIST SP 800-53 Compliance Requirements#

Configuration Management (CM) Family#

CM-2 (Baseline Configurations): Configuration baselines with version control, secure defaults, validation, rollback, and drift detection
CM-3 (Configuration Change Control): Automated change approval workflows with security impact analysis
CM-4 (Security Impact Analysis): Mandatory SIA for all configuration changes
CM-5 (Access Restrictions for Change): Role-based access controls for configuration management
CM-6 (Configuration Settings): Automated enforcement of security configuration settings
CM-7 (Least Functionality): Disable unnecessary features by default, minimal installation footprint
CM-8 (System Component Inventory): Real-time inventory, SBOM generation, vulnerability scanning

Contingency Planning (CP) Family#

CP-2 (Contingency Plan): Disaster recovery procedures, failover documentation, recovery time objectives
CP-6 (Alternate Storage Sites): Data backup, replication, and archival capabilities
CP-7 (Alternate Processing Sites): High availability, load balancing, failover mechanisms
CP-9 (System Backup): Automated backup scheduling, data verification, recovery procedures
CP-10 (System Recovery): Recovery automation, validation scripts, testing frameworks

Identification and Authentication (IA) Family#

IA-3 (Device Identification): Device certificates, mutual TLS, device identity verification
IA-4 (Identifier Management): UUID generation, identifier persistence and validation
IA-5 (Authenticator Management): Secure storage, credential rotation, access controls
IA-7 (Cryptographic Module Authentication): Module verification, authentication protocols

Incident Response (IR) Family#

IR-4 (Incident Handling): Automated incident detection, response, and escalation
IR-5 (Incident Monitoring): Real-time monitoring, threat detection, incident tracking
IR-6 (Incident Reporting): Automated reporting to authorities, notification templates

System and Services Acquisition (SA) Family#

SA-3 through SA-22: Secure SDLC, acquisition process, documentation, engineering principles, developer security testing, supply chain protection, development standards, tamper resistance, component authenticity

Enhanced System and Communications Protection (SC) Family#

SC-2 (Application Partitioning): Three-component architecture with isolated process spaces
SC-3 (Security Function Isolation): Privilege separation with platform-specific capabilities
SC-4 (Information in Shared Resources): CRC32 integrity verification for IPC, database encryption
SC-5 (Denial of Service Protection): Resource quotas, memory limits, graceful degradation (no inbound network)
SC-9 (Transmission Confidentiality): TLS for webhooks, encrypted IPC channels
SC-10 (Network Disconnect): Full offline functionality, bundle-based distribution
SC-11 (Trusted Path): Authenticated IPC channels for administrative operations
SC-17 (PKI Certificates): Certificate-based authentication, mutual TLS, validation
SC-23 (Session Authenticity): Secure session tokens, timeout controls
SC-24 (Fail in Known State): Graceful shutdown, secure state preservation
SC-27 (Platform-Independent): Cross-platform libraries, consistent security policies
SC-32 (Information System Partitioning): Process isolation, separate databases
SC-36 (Distributed Processing): Federated security centers (Enterprise tier)

Implementation Priority#

High Priority (Core Security Controls): Configuration Management (CM-2 through CM-8), Incident Response (IR-4 through IR-6), Risk Assessment (RA-5), System and Services Acquisition (SA-3 through SA-22)
Medium Priority (Operational Controls): Contingency Planning (CP-2 through CP-10), Identification and Authentication (IA-3 through IA-7), Maintenance (MA-3, MA-4), Enhanced SC controls
Excluded Controls (End-Consumer Responsibilities): Personnel Security (PS), Physical and Environmental Protection (PE), Training programs (CP-3/4, IR-2/3), Media Protection (MP), Risk Assessment (RA-1/2/3), Acquisition processes (SA-1/2)

Deployment Security Considerations#

Installation Security#

Code signing for all distributions with cryptographic verification
Secure distribution channels with installation audit logging
Minimal installation privileges with service account creation
Secure default configurations with security policy templates

Runtime Security#

Container security, systemd security features, SELinux/AppArmor integration
Resource limits and quotas
Firewall configuration, network segmentation, traffic monitoring
SIEM integration, log aggregation, metrics collection

Maintenance Security#

Secure update channels with rollback capabilities
Principle of least privilege with regular access reviews
Multi-factor authentication with audit logging
Response procedures, evidence collection, recovery procedures

Conclusion#

DaemonEye's security design provides a comprehensive framework for secure process monitoring and threat detection. The three-component architecture with strict privilege separation, cryptographic integrity verification, and comprehensive audit logging ensures that the system meets enterprise security requirements while maintaining high performance and operational efficiency.
The system's defense-in-depth approach, combined with its air-gap compatibility and compliance features, makes it suitable for deployment in high-security environments where traditional monitoring solutions may not meet security requirements.
For additional technical details, refer to the API Reference and Deployment Guide documentation.