Overview
The EyeLog Capability System implements centralized policy with local enforcement. This means:
- Centralized Policy - IT/Security teams create and sign all manifests
- Local Enforcement - Agents enforce manifests even if collector is compromised
- Local Consent - Agents can reject manifests (but cannot create custom ones)
- Full Visibility - Collector sees exactly what each agent is running
Trust Model
┌─────────────────────────────────────────────────────────────────────────────┐ │ EYELOG CAPABILITY MODEL (V2) │ ├─────────────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────────────────────────────────────────────────────────────┐ │ │ │ COLLECTOR (Central IT) │ │ │ │ ═════════════════════════════════════════════════════════════════ │ │ │ │ • Creates and signs ALL capability manifests │ │ │ │ • Assigns manifests to enrollment tokens │ │ │ │ • Has full visibility into agent manifest status │ │ │ │ • Can disconnect non-compliant agents │ │ │ └──────────────────────────────────────────────────────────────────────┘ │ │ │ │ │ │ Signed Manifests │ │ ▼ │ │ ┌──────────────────────────────────────────────────────────────────────┐ │ │ │ AGENT (Local Enforcement) │ │ │ │ ═════════════════════════════════════════════════════════════════ │ │ │ │ │ │ │ │ CAN: CANNOT: │ │ │ │ ✓ Choose from allowed manifests ✗ Create custom manifests │ │ │ │ ✓ Reject and stay dormant ✗ Modify collector manifests │ │ │ │ ✓ Enforce chosen manifest ✗ Enable unlisted capabilities │ │ │ │ ✓ Request different manifest ✗ Bypass signature verification │ │ │ │ │ │ │ └──────────────────────────────────────────────────────────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────────────┘
Why This Model?
| Problem | Solution |
|---|---|
| Collector compromise = all agents compromised | Agents enforce manifests locally, reject unauthorized commands |
| 1000 agents with 1000 custom configs | Only IT-approved manifests exist (centralized policy) |
| Rogue local admin enables shell access | Cannot create manifests, only choose from allowed list |
| IT can't audit what's actually allowed | Full visibility—collector knows each agent's manifest |
What "Agent Authority" Means
Agent authority is about refusing, not creating:
Agent CAN
- Choose which manifest to accept (from allowed list)
- Reject all manifests and stay dormant
- Enforce the manifest against collector commands
- Request a different manifest from collector
Agent CANNOT
- Create new manifests from scratch
- Modify collector-signed manifests
- Enable capabilities not in any manifest
- Bypass signature verification
Capability Manifest
The Capability Manifest is a signed YAML document that defines exactly what the agent will do:
- INFO: What data the agent will collect and send
- CONTROL: What commands the agent will accept
- META: System-level settings
Manifest Structure
manifest:
id: "standard"
version: "1.0.0"
name: "Standard Monitoring"
# What the agent will SEND
info:
metrics:
enabled: true
categories: [cpu, memory, disk, network]
inventory:
enabled: true
exclude: [user_accounts]
security_monitoring:
enabled: false
# What the agent will ACCEPT
control:
agent_control:
restart: true
upgrade: true
execution:
shell: false # No remote shell!
system_control:
lock_screen: true
reboot: false
# Required signature
signature:
algorithm: "ed25519"
value: "base64-signature..."Predefined Templates
EyeLog ships with 10 predefined templates for common use cases:
| Template | Data Collection | Remote Control | Use Case |
|---|---|---|---|
minimal |
None | Log level only | Presence detection |
monitor-only |
Full | None | Read-only visibility |
standard |
Full | Safe operations | General endpoints |
managed |
Full | Service + system | IT-managed devices |
full |
Full | All | IT/Security teams |
lockdown |
Basic | None | High-security |
compliance |
Full + audit | Forensics only | Regulated industries |
server |
Full | Services | Production servers |
development |
Full | Most | Dev/test |
incident-response |
Maximum | Full IR | Security operations |
Defense in Depth
To compromise an agent, an attacker must bypass ALL THREE layers:
┌─────────────────────────────────────────────────────────────────────────────┐ │ DEFENSE IN DEPTH │ ├─────────────────────────────────────────────────────────────────────────────┤ │ │ │ LAYER 1: mTLS (Transport) │ │ ═════════════════════════════════════════════════════════════════════════ │ │ Agent ↔ Collector connection encrypted and mutually authenticated. │ │ Attacker cannot inject commands into the channel. │ │ │ │ LAYER 2: Manifest Signing (Content) │ │ ═════════════════════════════════════════════════════════════════════════ │ │ All manifests cryptographically signed. Even if attacker compromises │ │ collector, they cannot create valid manifests without signing key. │ │ │ │ LAYER 3: Local Enforcement (Runtime) │ │ ═════════════════════════════════════════════════════════════════════════ │ │ Agent enforces manifest locally. Even with valid signed manifest, │ │ commands outside manifest are rejected. Collector cannot bypass. │ │ │ └─────────────────────────────────────────────────────────────────────────────┘
Attack Scenarios
| Scenario | Outcome |
|---|---|
| Attacker compromises collector | Cannot create valid manifests (no signing key) |
| Attacker has signing key | Must still get agent to accept new manifest |
| Attacker sends unauthorized command | Agent rejects, alerts local admin |
| Rogue collector admin | Agents enforce their approved manifests |
Enrollment Flow
Manifests are assigned during enrollment:
# 1. Admin creates token with manifest
$ eyelog-collector token create \
--name "prod-server-01" \
--manifest "standard" \
--allowed "standard,monitor-only"
Token: ENROLL-7842
# 2. Agent enrolls
$ eyelog-agent enroll --token ENROLL-7842 --collector collector:9443
Status: PENDING_MANIFEST
# 3. Local admin approves
$ sudo eyelog-agent manifests review
Suggested: standard v1.0.0
[A] Accept [L] List others [R] Reject
Choice: A
✓ Agent is now ACTIVEManifest Signing
All manifests must be signed. mTLS protects transport; signing protects content:
| Attack | mTLS | Signing |
|---|---|---|
| Network MITM | ✓ Protected | ✓ Protected |
| Compromised collector | ✗ Vulnerable | ✓ Protected |
| Rogue DB access | ✗ Vulnerable | ✓ Protected |
| Supply chain attack | ✗ Vulnerable | ✓ Protected |
# Initialize signing key (one-time)
$ eyelog-collector manifests init-key
Enter password: ••••••••••••
✓ Ed25519 key pair generated
✓ Private key encrypted (AES-256-GCM)
# Sign a manifest
$ eyelog-collector manifests sign standard
Enter password: ••••••••••••
✓ Manifest signedEnterprise: For maximum security, the signing key can be stored in a Hardware Security Module (HSM). The key never leaves tamper-proof hardware.
CLI Commands
Agent Commands
| Command | Description |
|---|---|
manifests list |
Show allowed manifests (from collector) |
manifests review |
Interactive approval flow |
manifests apply <id> |
Apply specific manifest |
manifests reject |
Reject and stay dormant |
capabilities info |
Show current INFO capabilities |
capabilities control |
Show current CONTROL capabilities |
Collector Commands
| Command | Description |
|---|---|
manifests list |
List all manifests |
manifests sign <id> |
Sign a manifest |
manifests init-key |
Initialize signing key |
token create --manifest |
Create token with manifest |