Package: bigbrain-client
Version: 1776616433-1
Architecture: all
Maintainer: Adam
Installed-Size: 43
Depends: python3-click, python3-cryptography (>= 43), python3-httpx, python3:any
Priority: optional
Section: admin
Filename: pool/main/b/bigbrain-client/bigbrain-client_1776616433-1_all.deb
Size: 6952
SHA256: 9c1fec7ff32c40435fecbd6ef8109804035b31b14e502b58578747e318d3805e
SHA1: 4dfa07d4e4202869a35de8bbd9e665d6dd694740
MD5sum: fa13436a06c27169f1f2867b53a2e690
Description: Shared client library and CLI for bigbrain service registration
 Provides the bigbrain-register CLI tool and bigbrain_client Python library for
 enrolling MCP services with the bigbrain port assignment service. Handles
 Ed25519 keypair management, HMAC enrollment signing, and optional ferm
 firewall rule creation.

Package: castmasta-local
Source: castmasta
Version: 1777272828-1
Architecture: all
Maintainer: Adam
Installed-Size: 57
Depends: castmasta (>= 1777272828-1), mpv, python3, cec-utils
Priority: optional
Section: net
Filename: pool/main/c/castmasta/castmasta-local_1777272828-1_all.deb
Size: 13744
SHA256: 762c6e7d8d7d33f365521dfe8490b0afdd808ccbda1bcce3126297a1ab2b05a9
SHA1: c5a80ed873a2227efaaa06118c5eda04f6ea3400
MD5sum: 19edfbba9da06dff41c2227c1c6af26b
Description: Local HDMI backend for castmasta
 Enables direct video playback via mpv on the local display. Requires
 CASTMASTA_LOCAL_DEVICE_NAME to be set in /etc/default/castmasta.

Package: debrepo
Version: 0.1.1774891657
Architecture: all
Maintainer: Adam
Depends: reprepro, gnupg, nginx, certbot, python3-certbot-nginx, rsync, curl, jq
Priority: optional
Section: admin
Filename: pool/main/d/debrepo/debrepo_0.1.1774891657_all.deb
Size: 5322
SHA256: 0d585981a74e6d99f0d58141974f4b3943c29cb066e8d159aa09f6b70d37abac
SHA1: 786e6ccc4961562fc2bdc70b1b6110a810dd4ecb
MD5sum: abf62ce2de4bb6ed62fb5a371ae45107
Description: Debian APT repository managed by reprepro
 Configuration and scripts for the mysticflounder APT repository at
 debrepo.mysticflounder.com.
 Installs reprepro config, nginx site config, and package management scripts.

Package: demacia
Version: 0.1.1776223512-1
Architecture: amd64
Homepage: https://github.com/flound1129/demacia
Maintainer: Adam
Installed-Size: 8073
Depends: libc6, libssl3t64, libsystemd0
Priority: optional
Section: admin
Filename: pool/main/d/demacia/demacia_0.1.1776223512-1_amd64.deb
Size: 2660036
SHA256: fffe8034510123c6e605c0ca3d33009a92a5614245236ae3f072dbe58b339087
SHA1: 7c0fb3ce1cae1e8efcdf3153addc0e4009cde4dc
MD5sum: a1ffa786afb6a2590a8177bbf1bb08e9
Description: Lightweight Linux security monitoring daemon
 # Demacia
 .
 Lightweight Linux security monitoring daemon. Uses eBPF for real-time kernel
 instrumentation with /proc polling fallback. Detection only -- no blocking or
 prevention.
 .
 Built for Debian 12 / kernel 6.1+.
 .
 ## Architecture
 .
 ```
 eBPF (kprobes/tracepoints)
         |             /proc polling ──┐
    ring buffer        fanotify ───────┤
         |             journald ───────┤
         v                             |
         └─────────────────────────────┴──> Subsystems ──> Detection Engine ──> Dispatcher ──> Outputs
                                                               |         |         |
                                                            Tier 1    Tier 2    Tier 3
                                                            Rules    Anomaly  Correlation
 ```
 .
 Single-process, single-threaded async event loop (tokio). All subsystems feed
 SecurityEvents through an mpsc channel to the detection engine, which produces
 Alerts routed to output backends.
 .
 ## What It Monitors
 .
 ### Process Monitoring
 - Process execution, fork, and exit via eBPF tracepoints (sched_process_exec,
   sched_process_fork, sched_process_exit)
 - Credential changes via kprobe on commit_creds
 - /proc deep scan for deleted executables, name/exe mismatches, environment
   variables, memory maps, namespaces
 .
 ### Network Monitoring
 - TCP connect/accept via kprobes (tcp_v4_connect, inet_csk_accept)
 - /proc/net/tcp polling for listening ports and established connections
 - Raw socket detection
 .
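The /proc/net/tcp polling path described above, as an added example written for this page rather than taken from the demacia source: it decodes the kernel's hex address columns (little-endian in_addr, hex port) and then applies the NET-001 (listener outside the baseline) and NET-002 (established connection to a suspicious remote port) checks from the rules table. The table rows in SAMPLE are constructed; the baseline and suspicious-port lists copy the README's defaults; the type and function names are this example's own, not the daemon's.

```rust
// Added example, not demacia's code: parse /proc/net/tcp as a polling network
// monitor would, then apply the NET-001 and NET-002 checks from the rules table.
// The rows in SAMPLE are constructed; port lists mirror the README defaults.
use std::collections::HashSet;
use std::net::Ipv4Addr;

const TCP_ESTABLISHED: u8 = 0x01;
const TCP_LISTEN: u8 = 0x0A;

#[derive(Debug, Clone, PartialEq)]
pub struct TcpSocket {
    pub local: (Ipv4Addr, u16),
    pub remote: (Ipv4Addr, u16),
    pub state: u8,
    pub uid: u32,
    pub inode: u64,
}

/// Decode an "AABBCCDD:PPPP" column. The address is the in_addr dumped in host
/// (little-endian) byte order, so the bytes have to be reversed.
fn parse_addr(field: &str) -> Option<(Ipv4Addr, u16)> {
    let (hex_ip, hex_port) = field.split_once(':')?;
    let raw = u32::from_str_radix(hex_ip, 16).ok()?;
    let port = u16::from_str_radix(hex_port, 16).ok()?;
    Some((Ipv4Addr::from(raw.swap_bytes()), port))
}

/// Parse the table body; the header row and malformed rows are skipped.
pub fn parse_proc_net_tcp(table: &str) -> Vec<TcpSocket> {
    table
        .lines()
        .skip(1)
        .filter_map(|line| {
            let f: Vec<&str> = line.split_whitespace().collect();
            if f.len() < 10 {
                return None;
            }
            Some(TcpSocket {
                local: parse_addr(f[1])?,
                remote: parse_addr(f[2])?,
                state: u8::from_str_radix(f[3], 16).ok()?,
                uid: f[7].parse().ok()?,
                inode: f[9].parse().ok()?,
            })
        })
        .collect()
}

#[derive(Debug, PartialEq)]
pub enum NetFinding {
    NewListeningPort(u16),             // NET-001
    SuspiciousOutbound(Ipv4Addr, u16), // NET-002
}

/// One polling pass: listeners outside the baseline and established
/// connections whose remote port is on the suspicious list.
pub fn evaluate(sockets: &[TcpSocket], baseline: &[u16], suspicious: &[u16]) -> Vec<NetFinding> {
    let baseline: HashSet<u16> = baseline.iter().copied().collect();
    let suspicious: HashSet<u16> = suspicious.iter().copied().collect();
    let mut findings = Vec::new();
    for s in sockets {
        match s.state {
            TCP_LISTEN if !baseline.contains(&s.local.1) => {
                findings.push(NetFinding::NewListeningPort(s.local.1))
            }
            TCP_ESTABLISHED if suspicious.contains(&s.remote.1) => {
                findings.push(NetFinding::SuspiciousOutbound(s.remote.0, s.remote.1))
            }
            _ => {}
        }
    }
    findings
}

// Constructed sample: sshd on 22 (baseline), an unexpected listener on 8080,
// and a uid-1000 process on 10.0.2.15 connected out to 203.0.113.7:4444.
pub const SAMPLE: &str = concat!(
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n",
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n",
    "   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0\n",
    "   2: 0F02000A:A1B2 077100CB:115C 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1\n"
);

pub fn sample_findings() -> Vec<NetFinding> {
    let sockets = parse_proc_net_tcp(SAMPLE);
    evaluate(&sockets, &[22], &[4444, 5555, 8888, 1337, 31337, 9001])
}

fn main() {
    // On a real host, read std::fs::read_to_string("/proc/net/tcp") instead of SAMPLE.
    for finding in sample_findings() {
        println!("{:?}", finding);
    }
}
```

Running it on the sample yields one NET-001 finding for port 8080 and one NET-002 finding for 203.0.113.7:4444; the sshd listener is in the baseline and produces nothing. A real poller would also need to read /proc/net/tcp6 and keep the previous pass's listener set so that NET-001 fires once per new port rather than on every scan.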
 ### File Integrity Monitoring
 - Real-time file change notifications via fanotify (FAN_REPORT_DFID_NAME)
 - SHA-256 integrity verification of critical binaries (sudo, su, ssh, sshd,
   passwd, login, crontab, at)
 - Watches 13 critical system files and 12 directories (/etc/passwd,
   /etc/shadow, /etc/sudoers, /etc/pam.d/, etc.)
 .
 ### Authentication Monitoring
 - SSH login attempts (success/failure, user, source IP, method) from the
   systemd journal
 - sudo and su invocations
 - User/group creation, deletion, password changes
 - Brute force detection (configurable threshold and window)
 .
 ### Kernel Module Monitoring
 - Module load detection via kprobes (__do_sys_init_module,
   __do_sys_finit_module)
 - /proc/modules polling as fallback
 - Optional allowlist enforcement
 .
 ### Scheduled Task Monitoring
 - Hash-based change detection for cron, at, and systemd timer files
 - Watches /etc/crontab, /etc/cron.d/, /var/spool/cron/crontabs/,
   /var/spool/at/, systemd timer units
 - Detects creation, modification, and deletion
 .
 ### Advanced Indicators
 - LD_PRELOAD injection (process environments + /etc/ld.so.preload)
 - memfd_create usage (fileless malware)
 - Linux namespace inode changes (container escape indicator)
 - Suspicious shared libraries loaded from /tmp, /dev/shm, /var/tmp
 - SSH authorized_keys modifications
 - Docker socket access by non-Docker processes
 .
 ## Detection Engine
 .
 Three-tier pipeline. Every event passes through all tiers sequentially.
 .
 ### Tier 1: Static Rules
 .
 Fast pattern matching with immediate alerting.
 .
 | Rule      | Severity | Description |
 |-----------|----------|-------------|
 | PROC-001  | High     | Executable running from /tmp, /dev/shm, /var/tmp |
 | PROC-002  | High     | Process with deleted executable |
 | PROC-003  | Medium   | Process comm/exe name mismatch |
 | PROC-004  | High     | Process being ptraced |
 | PROC-005  | Critical | Privilege escalation to root (UID 0) |
 | PROC-006  | Critical | Known attack tool by name (ncat, socat, meterpreter, chisel, ligolo, mimipenguin, linpeas, pspy, dirtycow) |
 | NET-001   | Medium   | New TCP/UDP listening port |
 | NET-002   | High     | Outbound connection on suspicious port (4444, 5555, 8888, 1337, 31337, 9001) |
 | NET-003   | High     | Raw socket created |
 | FILE-001  | Medium   | Watched system file modified |
 | FILE-002  | Critical | File integrity hash mismatch |
 | FILE-003  | High     | SUID/SGID bit change |
 | AUTH-001  | High     | SSH root login |
 | AUTH-003  | High     | User/group creation or deletion |
 | MOD-001   | Critical | Unauthorized kernel module loaded |
 | MOD-002   | Medium   | Kernel module loaded (no allowlist) |
 | SCHED-001 | High     | Scheduled task created or deleted |
 | ADV-001   | Critical | LD_PRELOAD detected |
 | ADV-002   | High     | memfd file descriptor detected |
 | ADV-003   | High     | SSH authorized_keys modified |
 | ADV-004   | High     | Namespace inode change |
 | ADV-005   | High     | Linux capability change |
 | ADV-006   | High     | Library loaded from suspicious path |
 .
 ### Tier 2: Anomaly Detection
 .
 Baseline learning with deviation alerting. Events are recorded to a SQLite
 database during a configurable learning period (default 168 hours). After the
 learning period, deviations generate alerts. Anything observed during the
 learning period is treated as normal, so start the daemon on a host you trust
 to be clean.
 .
 | Rule        | Severity | Description |
 |-------------|----------|-------------|
 | ANOMALY-001 | Medium   | Previously unseen executable |
 | ANOMALY-002 | High     | SSH login from previously unseen IP |
 .
 ### Tier 3: Cross-Domain Correlation
 .
 Sliding window correlation (default 60 seconds) detects multi-stage attacks
 spanning multiple subsystems.
 .
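A minimal correlator of this kind, added here as an illustration and not the daemon's own correlator.rs: each rule is "event A, then event B carrying the same key inside the window", where the key is whatever ties the two domains together (user name, source IP, or PID). The Kind names, the Event shape and the replayed timeline are this example's assumptions; the rule IDs and the 60-second default come from this section.

```rust
// Added example, not demacia's code: a sliding-window, cross-domain correlator
// in the style of Tier 3. Events and keys are this example's own shapes; the
// rule IDs and the 60 s window follow the README. The timeline is constructed.
use std::collections::VecDeque;

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Kind {
    UserCreated,
    SshKeyModified,
    BruteForce,
    SshLoginSuccess,
    TmpExec,
    OutboundConnect,
}

#[derive(Debug, Clone)]
pub struct Event {
    pub ts: u64,     // seconds since epoch
    pub kind: Kind,
    pub key: String, // user, source IP, or PID, depending on the domain
}

pub struct CorrRule {
    pub id: &'static str,
    pub first: Kind,
    pub then: Kind,
}

pub const RULES: &[CorrRule] = &[
    CorrRule { id: "CORR-001", first: Kind::UserCreated, then: Kind::SshKeyModified },
    CorrRule { id: "CORR-002", first: Kind::BruteForce, then: Kind::SshLoginSuccess },
    CorrRule { id: "CORR-003", first: Kind::TmpExec, then: Kind::OutboundConnect },
];

pub struct Correlator {
    window_secs: u64,
    recent: VecDeque<Event>, // events still inside the window, oldest first
}

impl Correlator {
    pub fn new(window_secs: u64) -> Self {
        Correlator { window_secs, recent: VecDeque::new() }
    }

    /// Feed one event in arrival order; returns the IDs of the rules that fire.
    pub fn push(&mut self, ev: Event) -> Vec<&'static str> {
        // Evict everything older than the window before matching, so a
        // precursor seen too long ago can no longer complete a rule.
        while let Some(old) = self.recent.front() {
            if ev.ts.saturating_sub(old.ts) > self.window_secs {
                self.recent.pop_front();
            } else {
                break;
            }
        }
        let fired: Vec<&'static str> = RULES
            .iter()
            .filter(|r| r.then == ev.kind)
            .filter(|r| self.recent.iter().any(|e| e.kind == r.first && e.key == ev.key))
            .map(|r| r.id)
            .collect();
        self.recent.push_back(ev);
        fired
    }
}

/// Replay a constructed timeline: brute force then a login from the same IP,
/// a /tmp binary calling out, and two decoys that must not fire.
pub fn replay_sample() -> Vec<(u64, &'static str)> {
    let ev = |ts, kind, key: &str| Event { ts, kind, key: key.to_string() };
    let timeline = vec![
        ev(100, Kind::BruteForce, "203.0.113.7"),
        ev(130, Kind::SshLoginSuccess, "203.0.113.7"), // CORR-002
        ev(140, Kind::UserCreated, "svc"),
        ev(150, Kind::TmpExec, "4242"),
        ev(155, Kind::OutboundConnect, "4242"),         // CORR-003
        ev(300, Kind::SshKeyModified, "svc"),           // 160 s after creation: outside the window
        ev(310, Kind::SshLoginSuccess, "198.51.100.2"), // no brute force from this IP
    ];
    let mut corr = Correlator::new(60);
    let mut alerts = Vec::new();
    for e in timeline {
        let ts = e.ts;
        for id in corr.push(e) {
            alerts.push((ts, id));
        }
    }
    alerts
}

fn main() {
    for (ts, id) in replay_sample() {
        println!("t={} {}", ts, id);
    }
}
```

The replay produces CORR-002 at t=130 and CORR-003 at t=155 and nothing for the two decoys. Keying on a shared attribute is what keeps the window from pairing unrelated events; a correlator that only checks "A then B anywhere on the host" would fire CORR-002 for the second login as well.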
 | Rule     | Severity | Description |
 |----------|----------|-------------|
 | CORR-001 | Critical | SSH key modified shortly after user creation |
 | CORR-002 | Critical | Successful SSH login after brute force attempts |
 | CORR-003 | Critical | /tmp process makes outbound network connection |
 | CORR-004 | Critical | Privilege escalation after kernel module load |
 | CORR-005 | Critical | Scheduled task modified after user creation |
 .
 ### Advanced Detection Heuristics
 .
 The advanced monitoring subsystem tracks all LD_PRELOAD usage, memfd file
 descriptors, loaded libraries, namespace changes, and container indicators --
 but only generates alerts for genuinely suspicious activity. Benign detections
 are logged at debug level for forensic visibility.
 .
 Detection behavior adapts to the `environment` setting in `[daemon]`:
 .
 | Setting            | Suspicious directories                      | Use case |
 |--------------------|---------------------------------------------|----------|
 | `server` (default) | `/tmp/`, `/dev/shm/`, `/var/tmp/`, `/home/` | Production servers where no libraries should load from user directories |
 | `workstation`      | `/tmp/`, `/dev/shm/`, `/var/tmp/`           | Developer machines where conda, virtualenvs, cargo, npm, AI frameworks, etc. routinely load libraries from `/home/` |
 .
 #### LD_PRELOAD Evaluation
 .
 Each LD_PRELOAD value (colon or space separated) is evaluated individually:
 .
 1. **Full path from a suspicious directory** -- always suspicious (see the
    table above for which directories apply per environment).
 2. **Full path from a system directory** (`/usr/lib/`, `/lib/`, `/opt/`,
    `/snap/`, etc.) -- not suspicious.
 3. **Full path elsewhere** -- suspicious only if the file does not exist on
    disk (deleted after injection).
 4. **Bare filename** (no path, resolved by the dynamic linker) -- checked
    against a built-in list of known legitimate libraries:
    - Browser sandboxes: `libmozsandbox.so`, `libsandbox.so`
    - Memory allocators: `libjemalloc.so`, `libtcmalloc.so`
    - Sanitizers: `libasan.so`, `libtsan.so`, `libmsan.so`, `libubsan.so`
    - Debug/diagnostic: `libSegFault.so`
    - Build tools: `libfakeroot*`
    - Gaming/desktop: `libgamemodeauto.so`, `libgtk3-nocsd.so`, `libsteam*`
    - GPU/graphics: `libGL.so`, `libnvidia*`, `libvulkan*`
 5. **Unknown bare filename** -- searched for in standard library paths
    (including `x86_64-linux-gnu/` arch subdirs). If found on disk, not
    suspicious. If not found anywhere, suspicious.
 .
 The `/etc/ld.so.preload` file is tracked separately via SHA-256 hash. Any
 modification to this system-wide injection point always generates an alert.
 .
 #### memfd Evaluation
 .
 The memfd name is extracted from the fd symlink path (e.g.,
 `/memfd:pulseaudio (deleted)` yields `pulseaudio`):
 .
 1. **Empty name** -- always suspicious. A common evasion technique to avoid
    identification.
 2. **Known pattern match** -- not suspicious. Recognized names include:
    - Audio: `pulseaudio`, `pipewire`, `jack`
    - Graphics/display: `wayland`, `xshmfence`, `mesa`, `gdk-pixbuf`, `vk` (Vulkan)
    - GPU drivers: `i915`, `amdgpu`
    - IPC/system: `dbus`, `gdbus`, `glib-`, `shm-`, `wl-buffer`, `mozilla-ipc`
    - Generic: `memfd_create`
 3. **Unknown name** -- suspicious. Fileless malware commonly uses memfd_create
    to execute code entirely from memory without touching disk.
 .
 #### Suspicious Library Loading
 .
 Every process's memory maps (`/proc/[pid]/maps`) are scanned for shared
 libraries loaded from suspicious directories (see the environment table
 above). Libraries from standard system paths are ignored. This check runs
 unconditionally -- there is no legitimate reason to load shared libraries
 from temporary directories.
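The three heuristics above (the five-step LD_PRELOAD evaluation, the memfd name check and the /proc/[pid]/maps scan), re-implemented as an added example for this page; this is not demacia's advanced.rs. Disk lookups go through a caller-supplied `exists` function so the logic runs offline against a constructed fake filesystem, and the library and memfd name lists are abbreviated from the text and matched as prefixes (LD_PRELOAD) or substrings (memfd), which is an assumption about how the daemon matches them. The maps excerpt and every path in `fake_fs` are constructed.

```rust
// Added example, not demacia's code: LD_PRELOAD, memfd and mapped-library
// heuristics as described in the README. Prefix/substring matching of the name
// lists is an assumption; `exists` is injected so the logic runs offline.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Environment {
    Server,
    Workstation,
}

impl Environment {
    /// Directories a library should never be loaded from in this environment.
    pub fn suspicious_dirs(self) -> &'static [&'static str] {
        match self {
            Environment::Server => &["/tmp/", "/dev/shm/", "/var/tmp/", "/home/"],
            Environment::Workstation => &["/tmp/", "/dev/shm/", "/var/tmp/"],
        }
    }
}

const SYSTEM_DIRS: &[&str] = &["/usr/lib/", "/lib/", "/opt/", "/snap/"];
const LIB_SEARCH: &[&str] = &["/usr/lib/", "/usr/lib/x86_64-linux-gnu/", "/lib/", "/lib/x86_64-linux-gnu/"];
const KNOWN_PRELOADS: &[&str] = &[
    "libmozsandbox.so", "libsandbox.so", "libjemalloc.so", "libtcmalloc.so", "libasan.so",
    "libtsan.so", "libmsan.so", "libubsan.so", "libSegFault.so", "libfakeroot",
    "libgamemodeauto.so", "libgtk3-nocsd.so", "libsteam", "libGL.so", "libnvidia", "libvulkan",
];
const KNOWN_MEMFD: &[&str] = &[
    "pulseaudio", "pipewire", "jack", "wayland", "xshmfence", "mesa", "gdk-pixbuf", "vk",
    "i915", "amdgpu", "dbus", "gdbus", "glib-", "shm-", "wl-buffer", "mozilla-ipc", "memfd_create",
];

/// Five-step LD_PRELOAD evaluation; returns the entries judged suspicious.
pub fn ld_preload_suspicious(value: &str, env: Environment, exists: &dyn Fn(&str) -> bool) -> Vec<String> {
    let mut hits = Vec::new();
    for entry in value.split(|c: char| c == ':' || c == ' ').filter(|e| !e.is_empty()) {
        let suspicious = if entry.starts_with('/') {
            if env.suspicious_dirs().iter().any(|d| entry.starts_with(*d)) {
                true // 1. full path under a suspicious directory
            } else if SYSTEM_DIRS.iter().any(|d| entry.starts_with(*d)) {
                false // 2. full path under a system directory
            } else {
                !exists(entry) // 3. elsewhere: suspicious only if already deleted
            }
        } else if KNOWN_PRELOADS.iter().any(|k| entry.starts_with(*k)) {
            false // 4. bare filename on the known-legitimate list
        } else {
            // 5. unknown bare filename: suspicious unless the linker could find it
            !LIB_SEARCH.iter().any(|d| exists(&format!("{}{}", d, entry)))
        };
        if suspicious {
            hits.push(entry.to_string());
        }
    }
    hits
}

/// Classify an fd link target such as "/memfd:pulseaudio (deleted)".
/// Returns None when the target is not a memfd at all.
pub fn memfd_suspicious(link_target: &str) -> Option<bool> {
    let rest = link_target.strip_prefix("/memfd:")?;
    let name = rest.strip_suffix(" (deleted)").unwrap_or(rest);
    if name.is_empty() {
        return Some(true); // 1. anonymous memfd: always suspicious
    }
    Some(!KNOWN_MEMFD.iter().any(|k| name.contains(*k))) // 2/3. known vs unknown name
}

/// Scan a /proc/[pid]/maps dump for shared objects mapped from directories that
/// are suspicious in `env`; the pathname is the sixth column when present.
pub fn suspicious_mapped_libs(maps: &str, env: Environment) -> Vec<String> {
    let mut out: Vec<String> = Vec::new();
    for line in maps.lines() {
        let path = match line.split_whitespace().nth(5) {
            Some(p) if p.contains(".so") => p,
            _ => continue,
        };
        let bad = env.suspicious_dirs().iter().any(|d| path.starts_with(*d));
        if bad && !out.iter().any(|seen| seen == path) {
            out.push(path.to_string());
        }
    }
    out
}

/// Constructed stand-in for the filesystem: only these paths "exist".
pub fn fake_fs(path: &str) -> bool {
    matches!(
        path,
        "/srv/app/lib/libreal.so" | "/usr/lib/x86_64-linux-gnu/libfoo.so" | "/home/dev/.venv/lib/libpython3.11.so"
    )
}

// Constructed maps excerpt: libc (fine), a hook dropped in /dev/shm, a venv
// libpython (fine on a workstation, not on a server) and an anonymous mapping.
pub const SAMPLE_MAPS: &str = concat!(
    "7f3a1c000000-7f3a1c021000 r-xp 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n",
    "7f3a1c100000-7f3a1c102000 r-xp 00000000 00:1b 5678 /dev/shm/.x/libhook.so\n",
    "7f3a1c200000-7f3a1c240000 r-xp 00000000 fd:01 9999 /home/dev/.venv/lib/libpython3.11.so\n",
    "7f3a1c300000-7f3a1c321000 rw-p 00000000 00:00 0\n"
);

fn main() {
    let env = Environment::Server;
    println!("{:?}", ld_preload_suspicious("/tmp/x.so:libjemalloc.so.2 libevil.so", env, &fake_fs));
    println!("{:?}", memfd_suspicious("/memfd: (deleted)"));
    println!("{:?}", suspicious_mapped_libs(SAMPLE_MAPS, env));
}
```

Step 3 is the one worth noticing: a full path outside both the suspicious and the system directories is only flagged when the file is gone, which is exactly the "inject, then unlink" pattern, while a present file there (say an application's own lib directory) stays quiet. Swapping `Environment::Server` for `Environment::Workstation` is what turns the venv libpython from a finding into a permitted load.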
 In workstation mode, libraries under `/home/` are permitted since developer
 toolchains commonly install there.
 .
 #### Namespace Change Detection
 .
 Each process's Linux namespace inodes (`mnt`, `pid`, `net`, `user`, `ipc`,
 `uts`) are tracked across scan cycles. If a namespace inode changes between
 scans, the process has moved between namespaces -- a strong indicator of
 container escape or namespace manipulation. Stale entries for exited processes
 are automatically cleaned up.
 .
 #### Container Escape Indicators
 .
 Processes with open file descriptors to `docker.sock` are flagged unless they
 are known Docker components (`dockerd`, `containerd`, `docker`). Any other
 process that can talk to the Docker socket can start arbitrary containers,
 including privileged ones with the host filesystem mounted, which is
 equivalent to root on the host.
 .
 ## Output Backends
 .
 Alerts are JSON objects with timestamp, severity, domain, rule ID, summary,
 and detail fields. The dispatcher deduplicates alerts (60-second window) and
 rate-limits per rule (100/minute default).
 .
 - **File** -- JSON Lines to /var/log/demacia/alerts.jsonl. Supports SIGUSR1
   log rotation.
 - **Journald** -- Structured log entries via tracing. Native systemd
   integration.
 - **Syslog** -- RFC 5424 over UDP or TCP. Configurable facility and severity
   mapping.
 - **Unix Socket** -- JSON Lines broadcast to connected clients. Real-time
   streaming.
 - **Webhook** -- Batched JSON array POST to an HTTPS endpoint. Configurable
   severity filter and batch interval.
 .
 ## Security Model
 .
 ### How It Runs
 .
 The daemon runs as root. eBPF program loading, fanotify, and /proc access all
 require elevated privileges that cannot be dropped.
 .
 ### Seccomp-BPF Filter
 .
 After initialization, a seccomp-BPF filter blocks 23 syscalls the daemon
 should never need:
 .
 - **Filesystem**: mount, umount2, pivot_root, chroot
 - **Kernel**: reboot, kexec_load, init_module, finit_module, delete_module
 - **Debugging**: ptrace, userfaultfd
 - **Key management**: request_key, keyctl, add_key
 - **System config**: acct, swapon, swapoff, sethostname, setdomainname,
   settimeofday, clock_settime, adjtimex, personality
 .
 Blocked syscalls return EPERM. The filter validates the x86_64 architecture
 to prevent x32 ABI bypass.
 .
 ### Systemd Hardening
 .
 The systemd unit applies defense-in-depth restrictions:
 .
 - `ProtectSystem=strict` -- read-only filesystem except explicit write paths
 - `ProtectHome=read-only` -- home directories read-only
 - `PrivateTmp=true` -- isolated /tmp
 - `ProtectKernelTunables=true` -- /proc/sys read-only
 - `ProtectKernelModules=true` -- deny module loading from within the service
 - `ProtectControlGroups=true` -- cgroup filesystem read-only
 - `RestrictNamespaces=true` -- deny namespace creation
 - `MemoryDenyWriteExecute=true` -- deny W+X memory mappings
 - `LockPersonality=true` -- lock execution domain
 - `RestrictSUIDSGID=true` -- deny SUID/SGID file creation
 - `MemoryMax=100M` -- hard memory limit
 - `CPUQuota=5%` -- CPU usage cap
 - `LimitMEMLOCK=64M` -- locked memory limit for eBPF maps
 .
 ### Self-Protection Watchdog
 .
 Every 10 seconds, the watchdog verifies:
 .
 1. **Binary integrity** -- SHA-256 of the running executable against the
    startup baseline
 2. **Ptrace detection** -- checks TracerPid in /proc/self/status
 3. **Capability verification** -- detects changes to effective capabilities
 4. **FD injection** -- alerts if the open file descriptor count grows
    unexpectedly (threshold: +50)
 5. **Memory usage** -- warns if RSS exceeds the configured limit
 .
 ### eBPF Graceful Degradation
 .
 If eBPF programs fail to load (missing kernel support, insufficient
 capabilities), the daemon falls back to polling-only mode. All /proc-based and
 journal-based monitoring continues.
 Individual kprobe attachment failures are logged as warnings without stopping
 the daemon.
 .
 ## Configuration
 .
 TOML file at `/etc/demacia/config.toml`. Live reload via SIGHUP (lock-free
 swap with ArcSwap).
 .
 ```toml
 [daemon]
 environment = "server"  # or "workstation" for dev machines
 log_dir = "/var/log/demacia"
 state_dir = "/var/lib/demacia"
 log_level = "info"
 max_memory_mb = 50
 .
 [scanning]
 proc_scan_interval_secs = 10
 network_scan_interval_secs = 15
 integrity_check_interval_secs = 3600
 baseline_learning_hours = 168
 .
 [process]
 enabled = true
 watch_tmp_exec = true
 watch_deleted_exe = true
 watch_ptrace = true
 watch_privilege_escalation = true
 known_bad_names = ["ncat", "socat", "meterpreter", "chisel", "ligolo"]
 .
 [network]
 enabled = true
 baseline_listening_ports = [22]
 suspicious_outbound_ports = [4444, 5555, 8888, 1337, 31337, 9001]
 .
 [files]
 enabled = true
 integrity_check_enabled = true
 watch_suid_changes = true
 extra_watch_paths = []
 .
 [auth]
 enabled = true
 brute_force_threshold = 5
 brute_force_window_secs = 300
 .
 [modules]
 enabled = true
 allowed_modules = []  # empty = alert on all, populated = allowlist
 .
 [scheduled]
 enabled = true
 .
 [alerting]
 outputs = ["file", "journald"]
 dedup_window_secs = 60
 rate_limit_per_minute = 100
 .
 # [alerting.syslog]
 # address = "127.0.0.1:514"
 # protocol = "udp"
 # facility = "authpriv"
 .
 # socket_path = "/var/run/demacia/alerts.sock"
 .
 # [alerting.webhook]
 # url = "https://example.com/webhook"
 # batch_interval_secs = 30
 # min_severity = "high"
 .
 [advanced]
 enable_container_monitoring = true
 enable_namespace_monitoring = true
 enable_ld_preload_monitoring = true
 enable_memfd_monitoring = true
 enable_ssh_key_monitoring = true
 ```
 .
 ## Installation
 .
 ### From .deb package
 .
 ```bash
 sudo dpkg -i demacia_0.1.0-1_amd64.deb
 sudo systemctl enable --now demacia
 ```
 .
 ### Usage
 .
 ```bash
 # Service management
 sudo systemctl status demacia
 sudo systemctl reload demacia   # live config reload
 sudo systemctl stop demacia
 .
 # View alerts
 sudo tail -f /var/log/demacia/alerts.jsonl
 sudo journalctl -u demacia -f
 .
 # Stream via Unix socket (if configured)
 # Note: socat is in the default known_bad_names list, so this client itself
 # raises PROC-006; remove it from the list or expect the alert.
 socat UNIX-CONNECT:/var/run/demacia/alerts.sock -
 .
 # Validate config
 demacia --check -c /etc/demacia/config.toml
 .
 # Log rotation
 sudo kill -USR1 $(cat /var/run/demacia/demacia.pid)
 ```
 .
 ## Building
 .
 All builds run inside Docker. No local Rust toolchain required.
 .
 ```bash
 # First time: build the Docker image
 docker build --network=host -t demacia-builder .
 .
 # Build everything
 ./build-all.sh
 .
 # Build .deb package
 ./build-deb.sh
 .
 # Run tests
 docker run --rm --network=host -v $(pwd):/workspace demacia-builder cargo test --workspace
 ```
 .
 ## Project Structure
 .
 ```
 src/                     Main daemon
   main.rs                Entry point, signal handling, tokio runtime
   config.rs              TOML config with serde defaults
   ebpf.rs                eBPF program loading and kprobe attachment
   privilege.rs           Seccomp-BPF filter
   watchdog.rs            Self-protection checks
   procfs.rs              /proc parsing utilities
   daemon.rs              PID file, systemd notify
   detection/
     engine.rs            3-tier detection pipeline
     rules.rs             Tier 1: 23 static rules
     anomaly.rs           Tier 2: baseline deviation
     correlator.rs        Tier 3: cross-domain correlation
     types.rs             SecurityEvent, Alert, Severity, Domain
   output/
     dispatcher.rs        Dedup, rate limiting, output routing
     file.rs              JSON Lines file output
     syslog.rs            RFC 5424 syslog
     socket.rs            Unix domain socket broadcast
     webhook.rs           HTTPS webhook with batching
   subsystems/
     process.rs           eBPF ring buffer + /proc deep scan
     network.rs           /proc/net/tcp polling
     files.rs             fanotify + integrity checking
     auth.rs              systemd journal reader
     modules.rs           /proc/modules polling
     scheduled.rs         Cron/at/timer change detection
     advanced.rs          LD_PRELOAD, memfd, namespaces, libraries
   baseline/
     store.rs             SQLite baseline with in-memory fallback
 demacia-common/          Shared repr(C) types (no_std)
 demacia-ebpf/            eBPF programs (bpfel-unknown-none target)
 config/                  Default TOML configuration
 deploy/                  systemd unit, logrotate, maintainer scripts
 ```
 .
 ## License
 .
MIT Package: demacia-api Version: 0.1.1777253037 Architecture: all Maintainer: Adam Depends: python3 (>= 3.11), python3-venv, nginx Recommends: demacia Priority: optional Section: admin Filename: pool/main/d/demacia-api/demacia-api_0.1.1777253037_all.deb Size: 20600 SHA256: 1e25903194b4744bb5c091f7ab1339a599ce268d273457d365bf1e515cac33c0 SHA1: dbfc073186b0389d25aae4eaa1f4fbe213be3338 MD5sum: b6f5240ff55cf09ed6600f037dc91c3e Description: Demacia Security Monitoring REST API REST API server for the demacia security monitoring daemon. Indexes alerts from the daemon's JSONL output into SQLite, provides filtering/search/pagination, baseline management, config editing, and SSE streaming. Includes an MCP server for AI assistant connectivity. Package: demacia-deb13 Version: 0.1.1771826949-1 Architecture: amd64 Homepage: https://github.com/flound1129/demacia Maintainer: Adam Installed-Size: 7982 Depends: libc6, libssl3t64, libsystemd0 Priority: optional Section: admin Filename: pool/main/d/demacia-deb13/demacia-deb13_0.1.1771826949-1_amd64.deb Size: 2632688 SHA256: 22ca5eb153f18f83ae7d3d98a29e29a3bcf020170ee326bc7874e44b7ba12b04 SHA1: ee6e1c9e55130fc9ddab0bf5489310108bd935d6 MD5sum: 8222a5082f1e056fa7e93abf576314ac Description: Lightweight Linux security monitoring daemon # Demacia . Lightweight Linux security monitoring daemon. Uses eBPF for real-time kernel instrumentation with /proc polling fallback. Detection only -- no blocking or prevention. . Built for Debian 12 / kernel 6.1+. . ## Architecture . ``` eBPF (kprobes/tracepoints) | /proc polling ──┐ ring buffer fanotify ───────┤ | journald ───────┤ v └──> Subsystems ──> Detection Engine ──> Dispatcher ──> Outputs | | | Tier 1 Tier 2 Tier 3 Rules Anomaly Correlation ``` . Single-process, single-threaded async event loop (tokio). All subsystems feed SecurityEvents through an mpsc channel to the detection engine, which produces Alerts routed to output backends. . ## What It Monitors . 
### Process Monitoring - Process execution, fork, and exit via eBPF tracepoints (sched_process_exec, sched_process_fork, sched_process_exit) - Credential changes via kprobe on commit_creds - /proc deep scan for deleted executables, name/exe mismatches, environment variables, memory maps, namespaces . ### Network Monitoring - TCP connect/accept via kprobes (tcp_v4_connect, inet_csk_accept) - /proc/net/tcp polling for listening ports and established connections - Raw socket detection . ### File Integrity Monitoring - Real-time file change notifications via fanotify (FAN_REPORT_DFID_NAME) - SHA-256 integrity verification of critical binaries (sudo, su, ssh, sshd, passwd, login, crontab, at) - Watches 13 critical system files and 12 directories (/etc/passwd, /etc/shadow, /etc/sudoers, /etc/pam.d/, etc.) . ### Authentication Monitoring - SSH login attempts (success/failure, user, source IP, method) from systemd journal - sudo and su invocations - User/group creation, deletion, password changes - Brute force detection (configurable threshold and window) . ### Kernel Module Monitoring - Module load detection via kprobes (__do_sys_init_module, __do_sys_finit_module) - /proc/modules polling as fallback - Optional allowlist enforcement . ### Scheduled Task Monitoring - Hash-based change detection for cron, at, and systemd timer files - Watches /etc/crontab, /etc/cron.d/, /var/spool/cron/crontabs/, /var/spool/at/, systemd timer units - Detects creation, modification, and deletion . ### Advanced Indicators - LD_PRELOAD injection (process environments + /etc/ld.so.preload) - memfd_create usage (fileless malware) - Linux namespace inode changes (container escape indicator) - Suspicious shared libraries loaded from /tmp, /dev/shm, /var/tmp - SSH authorized_keys modifications - Docker socket access by non-Docker processes . ## Detection Engine . Three-tier pipeline. Every event passes through all tiers sequentially. . ### Tier 1: Static Rules . 
Fast pattern matching with immediate alerting. . | Rule | Severity | Description | |------|----------|-------------| | PROC-001 | High | Executable running from /tmp, /dev/shm, /var/tmp | | PROC-002 | High | Process with deleted executable | | PROC-003 | Medium | Process comm/exe name mismatch | | PROC-004 | High | Process being ptraced | | PROC-005 | Critical | Privilege escalation to root (UID 0) | | PROC-006 | Critical | Known attack tool by name (ncat, socat, meterpreter, chisel, ligolo, mimipenguin, linpeas, pspy, dirtycow) | | NET-001 | Medium | New TCP/UDP listening port | | NET-002 | High | Outbound connection on suspicious port (4444, 5555, 8888, 1337, 31337, 9001) | | NET-003 | High | Raw socket created | | FILE-001 | Medium | Watched system file modified | | FILE-002 | Critical | File integrity hash mismatch | | FILE-003 | High | SUID/SGID bit change | | AUTH-001 | High | SSH root login | | AUTH-003 | High | User/group creation or deletion | | MOD-001 | Critical | Unauthorized kernel module loaded | | MOD-002 | Medium | Kernel module loaded (no allowlist) | | SCHED-001 | High | Scheduled task created or deleted | | ADV-001 | Critical | LD_PRELOAD detected | | ADV-002 | High | memfd file descriptor detected | | ADV-003 | High | SSH authorized_keys modified | | ADV-004 | High | Namespace inode change | | ADV-005 | High | Linux capability change | | ADV-006 | High | Library loaded from suspicious path | . ### Tier 2: Anomaly Detection . Baseline learning with deviation alerting. Events are recorded to a SQLite database during a configurable learning period (default 168 hours). After the learning period, deviations generate alerts. . | Rule | Severity | Description | |------|----------|-------------| | ANOMALY-001 | Medium | Previously unseen executable | | ANOMALY-002 | High | SSH login from previously unseen IP | . ### Tier 3: Cross-Domain Correlation . 
Sliding window correlation (default 60 seconds) detects multi-stage attacks spanning multiple subsystems. . | Rule | Severity | Description | |------|----------|-------------| | CORR-001 | Critical | SSH key modified shortly after user creation | | CORR-002 | Critical | Successful SSH login after brute force attempts | | CORR-003 | Critical | /tmp process makes outbound network connection | | CORR-004 | Critical | Privilege escalation after kernel module load | | CORR-005 | Critical | Scheduled task modified after user creation | . ### Advanced Detection Heuristics . The advanced monitoring subsystem tracks all LD_PRELOAD usage, memfd file descriptors, loaded libraries, namespace changes, and container indicators -- but only generates alerts for genuinely suspicious activity. Benign detections are logged at debug level for forensic visibility. . Detection behavior adapts to the `environment` setting in `[daemon]`: . | Setting | Suspicious directories | Use case | |---------|----------------------|----------| | `server` (default) | `/tmp/`, `/dev/shm/`, `/var/tmp/`, `/home/` | Production servers where no libraries should load from user directories | | `workstation` | `/tmp/`, `/dev/shm/`, `/var/tmp/` | Developer machines where conda, virtualenvs, cargo, npm, AI frameworks, etc. routinely load libraries from `/home/` | . #### LD_PRELOAD Evaluation . Each LD_PRELOAD value (colon or space separated) is evaluated individually: . 1. **Full path from a suspicious directory** -- always suspicious (see table above for which directories apply per environment). 2. **Full path from a system directory** (`/usr/lib/`, `/lib/`, `/opt/`, `/snap/`, etc.) -- not suspicious. 3. **Full path elsewhere** -- suspicious only if the file does not exist on disk (deleted after injection). 4. 
**Bare filename** (no path, resolved by the dynamic linker) -- checked against a built-in list of known legitimate libraries: - Browser sandboxes: `libmozsandbox.so`, `libsandbox.so` - Memory allocators: `libjemalloc.so`, `libtcmalloc.so` - Sanitizers: `libasan.so`, `libtsan.so`, `libmsan.so`, `libubsan.so` - Debug/diagnostic: `libSegFault.so` - Build tools: `libfakeroot*` - Gaming/desktop: `libgamemodeauto.so`, `libgtk3-nocsd.so`, `libsteam*` - GPU/graphics: `libGL.so`, `libnvidia*`, `libvulkan*` 5. **Unknown bare filename** -- searched for in standard library paths (including `x86_64-linux-gnu/` arch subdirs). If found on disk, not suspicious. If not found anywhere, suspicious. . The `/etc/ld.so.preload` file is tracked separately via SHA-256 hash. Any modification to this system-wide injection point always generates an alert. . #### memfd Evaluation . The memfd name is extracted from the fd symlink path (e.g., `/memfd:pulseaudio (deleted)` yields `pulseaudio`): . 1. **Empty name** -- always suspicious. A common evasion technique to avoid identification. 2. **Known pattern match** -- not suspicious. Recognized names include: - Audio: `pulseaudio`, `pipewire`, `jack` - Graphics/display: `wayland`, `xshmfence`, `mesa`, `gdk-pixbuf`, `vk` (Vulkan) - GPU drivers: `i915`, `amdgpu` - IPC/system: `dbus`, `gdbus`, `glib-`, `shm-`, `wl-buffer`, `mozilla-ipc` - Generic: `memfd_create` 3. **Unknown name** -- suspicious. Fileless malware commonly uses memfd_create to execute code entirely from memory without touching disk. . #### Suspicious Library Loading . Every process's memory maps (`/proc/[pid]/maps`) are scanned for shared libraries loaded from suspicious directories (see environment table above). Libraries from standard system paths are ignored. This check runs unconditionally -- there is no legitimate reason to load shared libraries from temporary directories. 
On workstation mode, libraries from `/home/` are permitted since developer toolchains commonly install there. . #### Namespace Change Detection . Each process's Linux namespace inodes (`mnt`, `pid`, `net`, `user`, `ipc`, `uts`) are tracked across scan cycles. If a namespace inode changes between scans, the process has moved between namespaces -- a strong indicator of container escape or namespace manipulation. Stale entries for exited processes are automatically cleaned up. . #### Container Escape Indicators . Processes with open file descriptors to `docker.sock` are flagged unless they are known Docker components (`dockerd`, `containerd`, `docker`). Non-Docker processes accessing the Docker socket can execute arbitrary containers, effectively providing root access to the host. . ## Output Backends . Alerts are JSON objects with timestamp, severity, domain, rule ID, summary, and detail fields. The dispatcher deduplicates alerts (60-second window) and rate-limits per rule (100/minute default). . - **File** -- JSON Lines to /var/log/demacia/alerts.jsonl. Supports SIGUSR1 log rotation. - **Journald** -- Structured log entries via tracing. Native systemd integration. - **Syslog** -- RFC 5424 over UDP or TCP. Configurable facility and severity mapping. - **Unix Socket** -- JSON Lines broadcast to connected clients. Real-time streaming. - **Webhook** -- Batched JSON array POST to an HTTPS endpoint. Configurable severity filter and batch interval. . ## Security Model . ### How It Runs . The daemon runs as root. eBPF program loading, fanotify, and /proc access all require elevated privileges that cannot be dropped. . ### Seccomp-BPF Filter . After initialization, a seccomp-BPF filter blocks 23 syscalls the daemon should never need: . 
 - **Filesystem**: mount, umount2, pivot_root, chroot
 - **Kernel**: reboot, kexec_load, init_module, finit_module, delete_module
 - **Debugging**: ptrace, userfaultfd
 - **Key management**: request_key, keyctl, add_key
 - **System config**: acct, swapon, swapoff, sethostname, setdomainname, settimeofday, clock_settime, adjtimex, personality
 .
 Blocked syscalls return EPERM. The filter validates the x86_64 architecture to prevent an x32 ABI bypass.
 .
 ### Systemd Hardening
 .
 The systemd unit applies defense-in-depth restrictions:
 .
 - `ProtectSystem=strict` -- read-only filesystem except explicit write paths
 - `ProtectHome=read-only` -- home directories read-only
 - `PrivateTmp=true` -- isolated /tmp
 - `ProtectKernelTunables=true` -- /proc/sys read-only
 - `ProtectKernelModules=true` -- deny module loading from within the service
 - `ProtectControlGroups=true` -- cgroup filesystem read-only
 - `RestrictNamespaces=true` -- deny namespace creation
 - `MemoryDenyWriteExecute=true` -- deny W+X memory mappings
 - `LockPersonality=true` -- lock execution domain
 - `RestrictSUIDSGID=true` -- deny SUID/SGID file creation
 - `MemoryMax=100M` -- hard memory limit
 - `CPUQuota=5%` -- CPU usage cap
 - `LimitMEMLOCK=64M` -- locked memory limit for eBPF maps
 .
 ### Self-Protection Watchdog
 .
 Every 10 seconds, the watchdog verifies:
 .
 1. **Binary integrity** -- SHA-256 of the running executable against the startup baseline
 2. **Ptrace detection** -- checks TracerPid in /proc/self/status
 3. **Capability verification** -- detects changes to effective capabilities
 4. **FD injection** -- alerts if the open file descriptor count grows unexpectedly (threshold: +50)
 5. **Memory usage** -- warns if RSS exceeds the configured limit
 .
 ### eBPF Graceful Degradation
 .
 If eBPF programs fail to load (missing kernel support, insufficient capabilities), the daemon falls back to polling-only mode. All /proc-based and journal-based monitoring continues.
 Individual kprobe attachment failures are logged as warnings without stopping the daemon.
 .
 ## Configuration
 .
 TOML file at `/etc/demacia/config.toml`. Live reload via SIGHUP (lock-free swap with ArcSwap).
 .
 ```toml
 [daemon]
 environment = "server"  # or "workstation" for dev machines
 log_dir = "/var/log/demacia"
 state_dir = "/var/lib/demacia"
 log_level = "info"
 max_memory_mb = 50
 .
 [scanning]
 proc_scan_interval_secs = 10
 network_scan_interval_secs = 15
 integrity_check_interval_secs = 3600
 baseline_learning_hours = 168
 .
 [process]
 enabled = true
 watch_tmp_exec = true
 watch_deleted_exe = true
 watch_ptrace = true
 watch_privilege_escalation = true
 known_bad_names = ["ncat", "socat", "meterpreter", "chisel", "ligolo"]
 .
 [network]
 enabled = true
 baseline_listening_ports = [22]
 suspicious_outbound_ports = [4444, 5555, 8888, 1337, 31337, 9001]
 .
 [files]
 enabled = true
 integrity_check_enabled = true
 watch_suid_changes = true
 extra_watch_paths = []
 .
 [auth]
 enabled = true
 brute_force_threshold = 5
 brute_force_window_secs = 300
 .
 [modules]
 enabled = true
 allowed_modules = []  # empty = alert on all, populated = allowlist
 .
 [scheduled]
 enabled = true
 .
 [alerting]
 outputs = ["file", "journald"]
 dedup_window_secs = 60
 rate_limit_per_minute = 100
 .
 # [alerting.syslog]
 # address = "127.0.0.1:514"
 # protocol = "udp"
 # facility = "authpriv"
 .
 # socket_path = "/var/run/demacia/alerts.sock"
 .
 # [alerting.webhook]
 # url = "https://example.com/webhook"
 # batch_interval_secs = 30
 # min_severity = "high"
 .
 [advanced]
 enable_container_monitoring = true
 enable_namespace_monitoring = true
 enable_ld_preload_monitoring = true
 enable_memfd_monitoring = true
 enable_ssh_key_monitoring = true
 ```
 .
 ## Installation
 .
 ### From .deb package
 .
 ```bash
 sudo dpkg -i demacia_0.1.0-1_amd64.deb
 sudo systemctl enable --now demacia
 ```
 .
 ### Usage
 .
 ```bash
 # Service management
 sudo systemctl status demacia
 sudo systemctl reload demacia   # live config reload
 sudo systemctl stop demacia
 .
 # View alerts
 sudo tail -f /var/log/demacia/alerts.jsonl
 sudo journalctl -u demacia -f
 .
 # Stream via Unix socket (if configured)
 socat UNIX-CONNECT:/var/run/demacia/alerts.sock -
 .
 # Validate config
 demacia --check -c /etc/demacia/config.toml
 .
 # Log rotation
 sudo kill -USR1 $(cat /var/run/demacia/demacia.pid)
 ```
 .
 ## Building
 .
 All builds run inside Docker. No local Rust toolchain required.
 .
 ```bash
 # First time: build the Docker image
 docker build --network=host -t demacia-builder .
 .
 # Build everything
 ./build-all.sh
 .
 # Build .deb package
 ./build-deb.sh
 .
 # Run tests
 docker run --rm --network=host -v $(pwd):/workspace demacia-builder cargo test --workspace
 ```
 .
 ## Project Structure
 .
 ```
 src/                      Main daemon
   main.rs                 Entry point, signal handling, tokio runtime
   config.rs               TOML config with serde defaults
   ebpf.rs                 eBPF program loading and kprobe attachment
   privilege.rs            Seccomp-BPF filter
   watchdog.rs             Self-protection checks
   procfs.rs               /proc parsing utilities
   daemon.rs               PID file, systemd notify
   detection/
     engine.rs             3-tier detection pipeline
     rules.rs              Tier 1: 23 static rules
     anomaly.rs            Tier 2: baseline deviation
     correlator.rs         Tier 3: cross-domain correlation
     types.rs              SecurityEvent, Alert, Severity, Domain
   output/
     dispatcher.rs         Dedup, rate limiting, output routing
     file.rs               JSON Lines file output
     syslog.rs             RFC 5424 syslog
     socket.rs             Unix domain socket broadcast
     webhook.rs            HTTPS webhook with batching
   subsystems/
     process.rs            eBPF ring buffer + /proc deep scan
     network.rs            /proc/net/tcp polling
     files.rs              fanotify + integrity checking
     auth.rs               systemd journal reader
     modules.rs            /proc/modules polling
     scheduled.rs          Cron/at/timer change detection
     advanced.rs           LD_PRELOAD, memfd, namespaces, libraries
   baseline/
     store.rs              SQLite baseline with in-memory fallback
 demacia-common/           Shared repr(C) types (no_std)
 demacia-ebpf/             eBPF programs (bpfel-unknown-none target)
 config/                   Default TOML configuration
 deploy/                   systemd unit, logrotate, maintainer scripts
 ```
 .
 ## License
 .
 MIT

Package: demacia-web
Version: 0.1.1776223550
Architecture: all
Maintainer: Adam
Depends: python3 (>= 3.11), python3-venv, nginx
Recommends: demacia-api
Priority: optional
Section: admin
Filename: pool/main/d/demacia-web/demacia-web_0.1.1776223550_all.deb
Size: 46360
SHA256: 5e6b6b618caf2751de8a2f2e3d55f22bc6839079f3162e68b5de75ad7e089ace
SHA1: 1fe5d6f583cef63f9a20a4168721b27e86f551bc
MD5sum: db526f0d9afa18dc3cd3c61c33635aa0
Description: Demacia Security Monitoring Web UI
 Web interface for the demacia security monitoring daemon. Provides a dark-themed dashboard with charts, alert triage, baseline management, config editing, and user management. Connects to the demacia-api REST API.

Package: ferm-nftables
Version: 2.9~1778049152
Architecture: all
Depends: python3, nftables
Conflicts: ferm
Replaces: ferm
Maintainer: Adam McKenna
Priority: optional
Section: admin
Filename: pool/main/f/ferm-nftables/ferm-nftables_2.9~1778049152_all.deb
Size: 15604
SHA256: 500a9331028593c13cedd34371f25cd4c79f5cbf91f83f6078a9aa202b65589c
SHA1: 4ef89dfd54e5eb1f89356395ffc2c8a83b01fbc3
MD5sum: f09dd051e3dffab8b814fb54eb00c273
Description: ferm syntax parser for nftables
 ferm-nftables is a Python implementation that parses firewall rules in ferm syntax and generates native nftables rules. It provides the same configuration syntax as the original ferm tool but targets nftables directly.

Package: gitrepo
Version: 0.1.1774891656
Architecture: all
Maintainer: Adam
Depends: git, python3, python3-yaml, python3-click
Priority: optional
Section: admin
Filename: pool/main/g/gitrepo/gitrepo_0.1.1774891656_all.deb
Size: 5948
SHA256: 1536e16ef7cb5f286529bfa737aa4deadb4a7d1982f4f4ce023e15f9495e9fd2
SHA1: d59c741728d50409ae1734c6652bae39a011ea32
MD5sum: e9ef4862a72e063285b48578dde5dcae
Description: Private git repository management
 CLI tool for managing private git repos with SSH access control. Manages bare repos, SSH keys, and per-repo read/write permissions. Hosted at git.mysticflounder.com.
Package: mitnick
Version: 1772426936.0.0
Architecture: amd64
License: MIT
Maintainer: Adam
Installed-Size: 17560
Depends: docker.io
Homepage: https://github.com/flound1129/hackmasta
Priority: optional
Section: utils
Filename: pool/main/m/mitnick/mitnick_1772426936.0.0_amd64.deb
Size: 7278660
SHA256: 053899e482f99ac4acff143dc90f68701e41e1ba6a637828f64470944400c068
SHA1: 281a834a2e33d01fcb8af360a3b4d88c84385d37
MD5sum: 96eb7d30555968df2ced63b41d504187
Description: Pentest engagement management tool with AI agent

Package: shover
Version: 1774891657-1
Architecture: amd64
Maintainer: Adam McKenna
Installed-Size: 151078
Depends: python3
Priority: optional
Section: net
Filename: pool/main/s/shover/shover_1774891657-1_amd64.deb
Size: 32628400
SHA256: c3948e21e8dfa2a2418d2edc91e404ea9661724c9c5747a77d7f4c11d206c125
SHA1: 6633cba86dcea936baa39b2c38bda8ae6db44f4c
MD5sum: 736d1b1321fa6150df79125f86ea6979
Description: NaCl-encrypted push notification service
 Shover sends NaCl-encrypted push notifications to iOS and Android devices via Firebase Cloud Messaging. Google never sees plaintext.
 .
 Provides a FastAPI REST API for device registration and notification delivery, plus an MCP stdio server for LLM integration.

Package: squall
Version: 0.1.0+trixie.1776837671-1
Architecture: all
Maintainer: Adam McKenna
Installed-Size: 49
Depends: squall-gtk (= 0.1.0+trixie.1776837671-1)
Conflicts: deluge
Replaces: deluge
Homepage: https://deluge-torrent.org
Priority: optional
Section: net
Filename: pool/main/s/squall/squall_0.1.0+trixie.1776837671-1_all.deb
Size: 17152
SHA256: 71e5d7be86ff3e4323076f5b66a5da2c6991f67338ec26589211cb666006e90e
SHA1: 72e94324075b6db5deecd1c958c4b014c292fe51
MD5sum: ffe0322b5ca02711eb4f5a1d4af8c627
Description: lightweight, lean BitTorrent client (metapackage)
 Squall is a lightweight, lean BitTorrent client written in Python. It uses a client-server model supporting multiple user-interfaces that can connect to a (headless) daemon running on a server:
 .
  * squall-gtk: graphical UI using GTK
  * squall-console: text UI using ncurses
  * squall-web: web frontend
 .
 This package is a metapackage depending on the graphical UI and the daemon for running Squall on a single machine.

Package: squall-common
Source: squall
Version: 0.1.0+trixie.1776837671-1
Architecture: all
Maintainer: Adam McKenna
Installed-Size: 74669
Depends: python3-gi, python3-gi-cairo
Conflicts: deluge-common
Replaces: deluge-common
Homepage: https://deluge-torrent.org
Priority: optional
Section: net
Filename: pool/main/s/squall/squall-common_0.1.0+trixie.1776837671-1_all.deb
Size: 16817524
SHA256: 6b5976e08868ce7d7db19c52d1f13fe7833e32b9586bb80abf7afa23e62c9990
SHA1: 08769127e13f7d19753514753309b4234a0acbc0
MD5sum: 4695af94248f32f97178c785b39ffc30
Description: lightweight, lean BitTorrent client (common)
 Squall is a lightweight, lean BitTorrent client written in Python. It uses a client-server model supporting multiple user-interfaces that can connect to a (headless) squall-daemon running on a server.
 .
 This package contains the shared virtualenv and files between the clients and the server.

Package: squall-console
Source: squall
Version: 0.1.0+trixie.1776837671-1
Architecture: all
Maintainer: Adam McKenna
Installed-Size: 51
Depends: squall-common (= 0.1.0+trixie.1776837671-1), python3-libtorrent
Conflicts: deluge-console
Replaces: deluge-console
Homepage: https://deluge-torrent.org
Priority: optional
Section: net
Filename: pool/main/s/squall/squall-console_0.1.0+trixie.1776837671-1_all.deb
Size: 17152
SHA256: 81f0860e8ed56ad14aec95d27ae5ec830c865e73665c9fc4cc0bb24b78f7b26f
SHA1: 0dab5bd9af5728da289390f3c8b87a3e3ec7fca2
MD5sum: a15fb8ef124cf9a779ebaac9eff52e78
Description: lightweight, lean BitTorrent client (text UI)
 Squall is a lightweight, lean BitTorrent client written in Python. It uses a client-server model supporting multiple user-interfaces that can connect to a (headless) squall-daemon running on a server.
 .
 This package contains the text user-interface (ncurses).

Package: squall-daemon
Source: squall
Version: 0.1.0+trixie.1776837671-1
Architecture: all
Maintainer: Adam McKenna
Installed-Size: 78
Depends: squall-common (= 0.1.0+trixie.1776837671-1), passwd, python3-libtorrent, init-system-helpers (>= 1.52)
Conflicts: deluged
Replaces: deluged
Homepage: https://deluge-torrent.org
Priority: optional
Section: net
Filename: pool/main/s/squall/squall-daemon_0.1.0+trixie.1776837671-1_all.deb
Size: 19484
SHA256: ecf5aae3d19be0533d3b336b09cc6a1c85ba6fc5c9d7ec64af899ae090f8e05b
SHA1: fb84119c58849b382889380c68e4c714c7cd8568
MD5sum: 284d0c18762e7fdb48047103a442e6ed
Description: lightweight, lean BitTorrent client (server)
 Squall is a lightweight, lean BitTorrent client written in Python. It uses a client-server model supporting multiple user-interfaces that can connect to a (headless) squall-daemon running on a server.
 .
 This package contains the server.

Package: squall-gtk
Source: squall
Version: 0.1.0+trixie.1776837671-1
Architecture: all
Maintainer: Adam McKenna
Installed-Size: 864
Depends: squall-common (= 0.1.0+trixie.1776837671-1), gir1.2-gtk-3.0, libnotify4, librsvg2-common, python3-gi, python3-gi-cairo, xdg-utils
Conflicts: deluge-gtk
Replaces: deluge-gtk
Homepage: https://deluge-torrent.org
Priority: optional
Section: net
Filename: pool/main/s/squall/squall-gtk_0.1.0+trixie.1776837671-1_all.deb
Size: 686108
SHA256: b90eda054243c59ee4cdc7db53458017e23a89d048bb6ea3b2b508487d953d59
SHA1: 61f068c314db6158821534bcd1ff2b59c41e0482
MD5sum: 82ae1c00ef72e3ae82e64df720e058f4
Description: lightweight, lean BitTorrent client (graphical UI)
 Squall is a lightweight, lean BitTorrent client written in Python. It uses a client-server model supporting multiple user-interfaces that can connect to a (headless) squall-daemon running on a server.
 .
 This package contains the graphical user-interface (GTK).
Package: squall-spectravr
Source: squall
Version: 0.1.0+trixie.1776837671-1
Architecture: all
Maintainer: Adam McKenna
Installed-Size: 51
Depends: squall-common (= 0.1.0+trixie.1776837671-1), squall-daemon (= 0.1.0+trixie.1776837671-1), squall-web (= 0.1.0+trixie.1776837671-1)
Homepage: https://deluge-torrent.org
Priority: optional
Section: net
Filename: pool/main/s/squall/squall-spectravr_0.1.0+trixie.1776837671-1_all.deb
Size: 17576
SHA256: 9cbd1f50983a4038cb55fe6dc6d255101ec94becd10f169bad766af086cd5999
SHA1: e04abb0dde17b23df9aeda3c176cdab38d0d153d
MD5sum: b5eac70cfb8ade98ffcedb108dbefcb7
Description: SpectraVR plugin for Squall
 Adds a REST API to the Squall daemon for torrent management and video streaming, used by the SpectraVR VR media player app.
 .
 Provides endpoints for adding/removing torrents, file management, VR projection tagging, and byte-range HTTP streaming. Includes a token reveal button in the Squall web preferences.

Package: squall-web
Source: squall
Version: 0.1.0+trixie.1776837671-1
Architecture: all
Maintainer: Adam McKenna
Installed-Size: 75
Depends: squall-common (= 0.1.0+trixie.1776837671-1), passwd, init-system-helpers (>= 1.52)
Conflicts: deluge-web
Replaces: deluge-web
Homepage: https://deluge-torrent.org
Priority: optional
Section: net
Filename: pool/main/s/squall/squall-web_0.1.0+trixie.1776837671-1_all.deb
Size: 19104
SHA256: 8c812368372c28c5d6d64cb9787b9e9194b1b9f74b729a2a72e9bec4953b0e4b
SHA1: 22c1d8a7c70efef716c08479ddff9e1204c8aedf
MD5sum: 692b0e9effbb399815e8aae89fd82f79
Description: lightweight, lean BitTorrent client (web frontend)
 Squall is a lightweight, lean BitTorrent client written in Python. It uses a client-server model supporting multiple user-interfaces that can connect to a (headless) squall-daemon running on a server.
 .
 This package contains the web frontend.

Package: windex
Version: 1775018547-1
Architecture: amd64
Maintainer: Adam
Installed-Size: 59124
Depends: init-system-helpers (>= 1.52), python3
Priority: optional
Section: web
Filename: pool/main/w/windex/windex_1775018547-1_amd64.deb
Size: 12728432
SHA256: 634b28d23a01999fd857a6a59822c7133774e16be78b040ad7a273c2f9e0a524
SHA1: 2e4863cdef6da17b4906b2e9e7c3d9ee9fe5ee85
MD5sum: 7b258529299a5dbd4d3d8632be1deff9
Description: Self-hosted file server with auth
 Windex is a self-hosted file browser and media server with password authentication, CSRF protection, file metadata, favorites, and Range-based streaming.