Logira: eBPF Runtime Auditing for AI Agent Runs
Logira is an eBPF-based runtime auditing tool for Linux that tracks what AI agents and automation actually do at the OS level. It records process execution, file activity, and network activity using cgroup v2 run-scoped tracking, attributing events to single audited runs.
Key Features
The tool provides per-run local storage in both JSONL and SQLite formats for timeline review and querying. It includes default detection rules focused on AI agent auditing, with optional custom YAML rules. Logira is observe-only by design—it records and detects but never blocks or enforces.
Default Detections
- Credential and secrets writes:
~/.ssh,~/.aws, kube/gcloud/docker config,.netrc,.git-credentials, registry creds - Sensitive credential reads: SSH private keys, AWS credentials/config, kubeconfig, docker config,
.netrc,.git-credentials - Persistence and config changes: writes under
/etc, systemd units, cron, user autostart entries, shell startup files - Temp droppers: executable files created under
/tmp,/dev/shm,/var/tmp - Suspicious exec patterns:
curl|sh,wget|sh, tunneling/reverse shell tools and flags, base64 decode with shell hints - Agent safety destructive patterns:
rm -rf,git clean -fdx,find -delete,mkfs,terraform destroy, and similar commands - Network egress: suspicious destination ports and cloud metadata endpoint access
Installation
Recommended installation via script:
curl -fsSL https://raw.githubusercontent.com/melonattacker/logira/main/install.sh | sudo bashOr manual install from release tarball:
tar -xzf logira_vX.Y.Z_linux-<arch>.tar.gz
cd logira_vX.Y.Z_linux-<arch>
sudo ./install-local.shAfter installation or upgrade, restart the daemon:
sudo systemctl daemon-reload
sudo systemctl restart logirad.service
sudo systemctl status logirad.service --no-pagerHow to Run
The root daemon logirad runs via systemd. Installation steps include:
# 1) Generate eBPF objects (only needed if missing)
make generate
2) Install the systemd unit
sudo install -D -m 0644 packaging/systemd/logirad.service /etc/systemd/system/logirad.service
3) Install the daemon binary (unit defaults to /usr/local/bin/logirad)
sudo install -m 0755 ./logirad /usr/local/bin/logirad
4) (Recommended) Point systemd at the eBPF .o files via an environment file
sudo mkdir -p /etc/logira
sudo tee /etc/logira/logirad.env > /dev/null << 'EOF'
LOGIRA_EXEC_BPF_OBJ=/absolute/path/to/collector/linux
Custom rules can be appended per-run with logira run --rules <file>.
📖 Read the full source: HN AI Agents
👀 See Also
Claude Code Workflow Visual Details Memory Hierarchy and Skills System
A Reddit user shared a visual diagram showing how Claude Code organizes memory through layered CLAUDE.md files and implements reusable skills via SKILL.md files. The workflow loop suggests using Plan mode with auto-accept and frequent commits.
Open-Source Benchmark Runner for Testing OpenClaw Agents on Real Workflows
A new open-source project lets you benchmark OpenClaw agents against your own private, real-world tasks defined in YAML, with support for importing actual agent workspaces.
Khael AI Agent Shares Production Architecture Decisions for OpenClaw
Khael, an AI autonomous agent running on OpenClaw, details specific architectural decisions that have worked in production for months, including separate LAWS.md files, mode files, self-audit cron jobs, and specialized bot types.
Agent Browser Protocol: Open-source Chrome fork for AI agents achieves 90% on Mind2Web benchmark
Agent Browser Protocol (ABP) is an open-source Chrome fork that freezes JavaScript and time after each action to convert web browsing into multimodal chat for AI agents. It achieved 90.53% on the Online Mind2Web Benchmark and can be added to Claude Code with a single command.