Implement Core Process Monitoring Daemon (procmond) #89
Description
Process Monitoring Daemon Implementation
Overview
This is the parent tracking issue for implementing the core procmond daemon - a critical component of the DaemonEye security monitoring platform responsible for process enumeration, monitoring, and analysis.
🏗️ Architecture Note: procmond, like other collectors based on collector-core, will have its lifecycle managed by daemoneye-agent, which runs as a daemon/service on the host platform. The service behavior will be handled using the proc-daemon crate.
🔄 Collector Type: procmond is implemented as a Monitor Collector - continuously running to detect process lifecycle events and trigger other collectors for deeper analysis when suspicious activity is detected.
Current Status
The procmond component has been scaffolded with basic CLI structure and testing framework, but requires full implementation of its core functionality and integration with the daemoneye-agent lifecycle management system.
Context
DaemonEye is a comprehensive security monitoring platform, and process monitoring forms one of its fundamental pillars. The procmond daemon will serve as a primary Monitor Collector for:
- Process Discovery: Enumerate all running processes on the system
- Continuous Monitoring: Track process lifecycle events (start, stop, modifications)
- Event Detection: Identify suspicious process behavior and emit trigger events
- Collector Orchestration: Trigger other collectors (binary analysis, memory scanning, etc.) based on detected events
Architecture & Deployment Model
Service Management
- Lifecycle Management: procmond instances are managed by daemoneye-agent
- Service Runtime: daemoneye-agent runs as a system daemon/service using proc-daemon crate
- Process Orchestration: daemoneye-agent handles starting, stopping, and monitoring collector processes
- Configuration Management: Central configuration through daemoneye-agent with collector-specific configs
Collector Architecture
- Collector Type: Monitor Collector (continuous operation)
- Event Generation: Emits trigger events for suspicious processes
- Integration: Uses collector-core framework with EventSource trait
- Triggering: Can trigger Binary Hasher (Implement cryptographic integrity verification for executables using SHA-256 hashing #40), Memory Analyzer, and other analysis collectors
Component Relationships
Host System
├── daemoneye-agent (system service/daemon - proc-daemon crate)
│ ├── procmond (Monitor Collector - collector-core based)
│ │ ├── Process Enumeration Engine
│ │ ├── Event Detection Logic
│ │ └── Trigger Event Emission
│ ├── binary_hasher (Triggered Collector - collector-core based)
│ ├── other collectors (netmond, filemond, etc.)
│ └── collector-core (shared foundation + event bus)
└── System APIs (procfs, WinAPI, etc.)
Technical Requirements
Core Functionality
-
Process Enumeration Engine
- Cross-platform process discovery (Linux, Windows, macOS)
- Efficient process tree traversal
- Process metadata collection (PID, PPID, command line, executable path, user context)
-
Real-time Monitoring (Monitor Collector Behavior)
- Process creation/termination event detection
- Process modification monitoring
- Suspicious behavior pattern recognition
- Resource usage tracking
-
Event Generation & Triggering
- Generate trigger events for suspicious processes
- Emit CollectionEvent::TriggerRequest for analysis collectors
- Support configurable trigger conditions
- Priority-based event emission (Critical, High, Normal, Low)
-
Lifecycle Integration
- Integration with daemoneye-agent management interface
- Graceful shutdown and restart handling
- Health monitoring and status reporting
- Configuration reload without restart
-
Data Integration
- Integration with collector-core for data aggregation
- Event bus communication with other collectors
- Structured logging for audit trails
- Performance optimization for minimal system impact
Architecture Considerations
- Performance: Minimal overhead on system resources
- Scalability: Handle high process churn environments
- Reliability: Robust error handling and recovery through daemoneye-agent
- Security: Run with appropriate privileges while maintaining security posture
- Event-Driven: Efficient triggering of analysis collectors only when needed
Proposed Implementation Approach
Phase 1: Foundation & Integration
-
Core Process Enumeration
- Implement cross-platform process discovery using system APIs
- Create process data structures and serialization
- Add comprehensive error handling
-
Monitor Collector Implementation
- Implement EventSource trait with CollectorType::Monitor
- Add event detection and suspicious process identification
- Implement trigger event generation logic
- Add daemoneye-agent integration with collector-core
Phase 2: Event-Driven Architecture
-
Trigger System Integration
- Implement CollectionEvent::TriggerRequest emission
- Add configurable trigger conditions
- Create event priority and filtering system
- Integrate with event bus for collector coordination
-
Service Reliability
- Error recovery and resilience patterns
- Resource management and cleanup
- Performance monitoring and optimization
Phase 3: Advanced Features
-
Security Enhancements
- Advanced behavioral analysis patterns
- Machine learning-based anomaly detection
- Threat intelligence integration
-
Operational Excellence
- Advanced logging and telemetry
- Performance tuning
- Scalability improvements
Dependencies
- collector-core: Base foundation with enhanced two-tier architecture
- daemoneye-agent: Lifecycle management and service orchestration
- proc-daemon: Service/daemon behavior handling (for daemoneye-agent)
- daemoneye-lib: Shared utilities and common functionality
- Event Bus System: Inter-collector communication (new dependency)
- Platform-specific process APIs (procfs on Linux, WinAPI on Windows, etc.)
Acceptance Criteria
Monitor Collector Requirements
-
Continuous Operation
- Runs continuously as Monitor Collector
- Detects process lifecycle events in real-time
- Maintains low resource footprint during monitoring
- Supports both polling and event-driven monitoring modes
-
Event Generation
- Successfully identifies suspicious processes
- Emits appropriate trigger events for analysis collectors
- Supports configurable trigger conditions
- Handles event prioritization correctly
Integration Requirements
-
daemoneye-agent Integration
- Successfully managed by daemoneye-agent lifecycle
- Proper configuration loading from daemoneye-agent
- Health check endpoints responding correctly
- Graceful shutdown on daemoneye-agent signals
-
Collector Coordination
- Successfully triggers binary hasher for suspicious executables
- Coordinates with other analysis collectors
- Handles trigger responses and results
- Maintains event correlation for analysis chains
Core Functionality
-
Cross-platform Compatibility
- Successfully enumerate processes on Linux, Windows, and macOS
- Handle platform-specific nuances gracefully
-
Performance Requirements
- Process enumeration completes within 100ms for systems with <1000 processes
- Memory usage stays under 50MB during normal operation
- CPU usage remains below 5% during continuous monitoring
- Trigger event latency under 10ms for critical events
-
Functional Requirements
- Accurately detect all running processes
- Capture essential process metadata (PID, PPID, name, path, user, etc.)
- Provide real-time process lifecycle event notifications
- Support configuration through daemoneye-agent management
-
Data Integration
- Successfully integrate with collector-core data pipeline
- Generate structured log output
- Support multiple output formats (JSON, structured logs)
- Coordinate with event bus for inter-collector communication
-
Testing Coverage
- Unit tests for core functionality (>90% coverage)
- Integration tests with collector-core and daemoneye-agent
- Cross-platform compatibility tests
- Service lifecycle tests
- Event generation and triggering tests
- Performance benchmarks
Related Issues & Dependencies
- Two-Tier Collector Framework: Core framework enhancement (to be created)
- Event Bus System: Inter-collector communication system (to be created)
- Issue Implement cryptographic integrity verification for executables using SHA-256 hashing #40: Binary hashing collector (Triggered Collector - will be triggered by procmond)
- Issue Epic: Cross-platform daemon/service mode for daemoneye-agent (Unix/macOS/Windows) with process supervision #103: daemoneye-agent service architecture (service context)
- Issue feat(procmond): Implement cross-platform process enumeration with enhanced metadata collection #39: Cross-platform process enumeration (core functionality)
Timeline
Target completion aligned with v0.2.0 milestone (Due: September 22, 2025)
This issue implements procmond as a Monitor Collector that continuously observes system processes and triggers analysis collectors for suspicious activity, forming the foundation of DaemonEye's event-driven security monitoring platform.