Dosu Logo
Home
Documents
Security
Security
Type
External
Status
Published
Created
Mar 8, 2026
Updated
Apr 3, 2026
Updated by
Dosu Bot

This document provides comprehensive security information for DaemonEye, including threat model, security considerations, and best practices.

Threat Model#

Attack Vectors#

DaemonEye is designed to protect against various attack vectors:

  1. Process Injection: Monitoring for code injection techniques
  2. Privilege Escalation: Detecting unauthorized privilege changes
  3. Persistence Mechanisms: Identifying malicious persistence techniques
  4. Lateral Movement: Monitoring for lateral movement indicators
  5. Data Exfiltration: Detecting suspicious data access patterns

Security Boundaries#

DaemonEye implements strict security boundaries:

  • Process Isolation: Components run in separate processes
  • Privilege Separation: Minimal required privileges per component
  • Network Isolation: No listening ports by default
  • Data Encryption: Sensitive data encrypted at rest and in transit
  • Audit Logging: Comprehensive audit trail for all operations

Security Architecture#

Three-Component Security Model#

The three-component architecture provides defense in depth:

Privilege Management#

ProcMonD (Privileged):

  • Requires CAP_SYS_PTRACE capability
  • Runs with minimal required privileges
  • Drops privileges after initialization
  • Isolated from network operations
    daemoneye-agent (User Space):
  • Runs as non-privileged user
  • Handles network operations
  • No direct system access
  • Communicates via IPC only
    daemoneye-cli (Management):
  • Runs as regular user
  • Read-only access to data
  • No system modification capabilities
  • Audit all operations

Security Features#

Memory Safety#

DaemonEye is built in Rust with memory safety guarantees:

// No unsafe code allowed
#![forbid(unsafe_code)]

// Safe memory management
fn create_process_info(process: &Process) -> ProcessInfo {
    ProcessInfo {
        pid: process.pid().as_u32(),
        name: process.name().to_string(),
        executable_path: process.exe().map(|p| p.to_string_lossy().to_string()),
        // ... other fields
    }
}

Input Validation#

Comprehensive input validation prevents injection attacks:

use validator::{Validate, ValidationError};

#[derive(Validate)]
pub struct DetectionRule {
    #[validate(length(min = 1, max = 1000))]
    pub name: String,
    #[validate(custom = "validate_sql")]
    pub sql_query: String,
    #[validate(range(min = 1, max = 1000))]
    pub priority: u32,
}

fn validate_sql(sql: &str) -> Result<(), ValidationError> {
    let ast = sqlparser::parse(sql)?;
    validate_ast(&ast)?;
    Ok(())
}

Cryptographic Integrity#

BLAKE3 hashing and Ed25519 signatures ensure data integrity:

use blake3::Hasher;
use ed25519_dalek::{Keypair, Signature};

pub struct IntegrityChecker {
    hasher: Hasher,
    keypair: Keypair,
}

impl IntegrityChecker {
    pub fn hash_data(&self, data: &[u8]) -> [u8; 32] {
        self.hasher.update(data).finalize().into()
    }
    pub fn sign_data(&self, data: &[u8]) -> Signature {
        self.keypair.sign(data)
    }
    pub fn verify_signature(&self, data: &[u8], signature: &Signature) -> bool {
        self.keypair.verify(data, signature).is_ok()
    }
}

SQL Injection Prevention#

Multiple layers of SQL injection prevention:

  1. AST Validation: Parse and validate SQL queries
  2. Prepared Statements: Use parameterized queries
  3. Sandboxed Execution: Isolated query execution
  4. Input Sanitization: Clean and validate all inputs

Security Configuration#

Authentication and Authorization#

security:
  authentication:
    enable_auth: true
    auth_method: jwt
    jwt_secret: ${JWT_SECRET}
    token_expiry: 3600
  authorization:
    enable_rbac: true
    roles:
      - name: admin
        permissions: [read, write, delete, configure]
      - name: operator
        permissions: [read, write]
      - name: viewer
        permissions: [read]

Network Security#

security:
  network:
    enable_tls: true
    cert_file: /etc/daemoneye/cert.pem
    key_file: /etc/daemoneye/key.pem
    ca_file: /etc/daemoneye/ca.pem
    verify_peer: true
    cipher_suites: [TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256]
  firewall:
    enable_firewall: true
    allowed_ports: [8080, 9090]
    allowed_ips: [10.0.0.0/8, 192.168.0.0/16]
    block_unknown: true

Data Protection#

security:
  encryption:
    enable_encryption: true
    algorithm: AES-256-GCM
    key_rotation_days: 30
  data_protection:
    enable_field_masking: true
    masked_fields: [command_line, environment_variables]
    enable_data_retention: true
    retention_days: 30
  audit:
    enable_audit_logging: true
    audit_log_path: /var/log/daemoneye/audit.log
    log_level: info
    include_sensitive_data: false

Security Best Practices#

Deployment Security#

  • Principle of Least Privilege: Run components with minimal required privileges, use dedicated users and groups, drop privileges after initialization
  • Network Security: Use TLS for all network communications, implement firewall rules, monitor network traffic
  • Data Protection: Encrypt sensitive data at rest, use secure key management, implement data retention policies
  • Access Control: Implement role-based access control, use strong authentication, monitor access patterns

Configuration Security#

  • Secure Defaults: Disable unnecessary features, use secure default settings, require explicit configuration for sensitive features
  • Secret Management: Use environment variables for secrets, implement secret rotation, never hardcode credentials
  • Input Validation: Validate all inputs, sanitize user data, use parameterized queries

Operational Security#

  • Monitoring: Monitor system health, track security events, implement alerting
  • Logging: Enable comprehensive logging, use structured logging, implement log rotation
  • Updates: Keep software updated, monitor security advisories, test updates in staging

Compliance#

Security Standards#

DaemonEye helps meet various security standards:

  • NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
  • ISO 27001: Information security management, risk assessment, continuous improvement
  • SOC 2: Security controls, availability monitoring, processing integrity, confidentiality protection

Audit Requirements#

  • Audit Logging: Comprehensive event logging, Certificate Transparency-style audit ledger, long-term retention
  • Access Controls: User authentication, role-based authorization, access monitoring
  • Data Protection: Encryption at rest and in transit, data classification, retention policies

Security Testing#

Vulnerability Assessment#

  • Static Analysis: Code review, dependency scanning, configuration validation
  • Dynamic Analysis: Penetration testing, fuzzing, runtime monitoring
  • Security Scanning: Container image scanning, network vulnerability scanning, application security testing

Security Updates#

Update Process#

  • Security Advisories: Monitor security mailing lists, track CVE databases, subscribe to vendor notifications
  • Patch Management: Test patches in staging, deploy during maintenance windows, verify patch effectiveness
  • Vulnerability Response: Assess vulnerability impact, implement temporary mitigations, deploy permanent fixes
    This security documentation provides comprehensive guidance for securing DaemonEye deployments. For additional security information, consult the specific security guides or contact the security team.