A production-grade, zero-trust Linux monitoring agent written in Go.
AgentInferno follows a zero-trust model:
- HTTPS Only: Agent refuses to start if `backend_url` is not `https://` (unless `dev_mode=true` for local testing).
- HMAC-Signed Actions: The backend must cryptographically sign all action commands (e.g., reboot) using HMAC-SHA256. The agent verifies the signature before executing anything.
- Nonce Replay Protection: Each action includes a unique nonce. The agent rejects any nonce it has seen before.
- Action Whitelist: Only explicitly whitelisted actions are accepted. Unknown action names are discarded.
- No os/exec in Metrics: Docker monitoring uses the Unix socket API directly. SSH audit reads `/var/log/auth.log` directly. Zero shell commands for data collection.
- Minimal Exec: The only `os/exec` call is a hardcoded `/sbin/reboot`, and only after passing HMAC + whitelist + nonce checks.
- Dedicated User: The systemd service runs as a restricted `agentinferno` user, not root.
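The three action checks above (whitelist, HMAC-SHA256 signature, nonce replay) and the HTTPS-only startup rule are easy to get subtly wrong, so here is an added, self-contained Go example of how they fit together. This is illustrative code written for this page, not AgentInferno's own implementation: the `Action` field names, the canonical `name + NUL + nonce` form that is MACed, the `Verifier` type and the sentinel errors are all assumptions, and the `backendURL`/`devMode` variables are placeholders standing in for the values the project bakes in through `ldflags`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"sync"
)

// Build-time settings (placeholders). The project injects these from .env via ldflags,
// e.g. go build -ldflags "-X main.backendURL=https://... -X main.devMode=false".
var (
	backendURL = "https://api.example.com"
	devMode    = "false"
)

// validateBackendURL enforces HTTPS-only: plain http:// is tolerated only when dev mode is on.
func validateBackendURL(raw string, dev bool) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid backend_url: %w", err)
	}
	if u.Scheme == "https" || (u.Scheme == "http" && dev) {
		return nil
	}
	return fmt.Errorf("backend_url must be https:// (got scheme %q); dev_mode=true is for local testing only", u.Scheme)
}

// Action is the command envelope (field layout assumed; the README only names the parts).
type Action struct {
	Name      string
	Nonce     string
	Signature string // hex-encoded HMAC-SHA256 over name + NUL + nonce
}

// mac tags the canonical bytes; binding the nonce into the MAC stops reuse under a fresh nonce.
func mac(key []byte, name, nonce string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(name + "\x00" + nonce))
	return h.Sum(nil)
}

// Sign is the backend side, included so the example runs stand-alone.
func Sign(key []byte, name, nonce string) string { return hex.EncodeToString(mac(key, name, nonce)) }

var (
	ErrNotWhitelisted = errors.New("action not whitelisted")
	ErrMissingNonce   = errors.New("action has no nonce")
	ErrBadSignature   = errors.New("invalid HMAC-SHA256 signature")
	ErrReplay         = errors.New("nonce already seen")
)

// Verifier: shared key, whitelist, accepted nonces (in memory only; persist for restart-safe replay protection).
type Verifier struct {
	key     []byte
	allowed map[string]bool
	mu      sync.Mutex
	seen    map[string]bool
}

func NewVerifier(key []byte, whitelist []string) *Verifier {
	v := &Verifier{key: key, allowed: map[string]bool{}, seen: map[string]bool{}}
	for _, name := range whitelist {
		v.allowed[name] = true
	}
	return v
}

// Verify checks whitelist, nonce presence, signature, then replay. The nonce is recorded
// only after the signature is valid, so unsigned junk cannot poison the seen-set.
func (v *Verifier) Verify(a Action) error {
	if !v.allowed[a.Name] {
		return ErrNotWhitelisted
	}
	if a.Nonce == "" {
		return ErrMissingNonce
	}
	sig, err := hex.DecodeString(a.Signature)
	if err != nil || !hmac.Equal(sig, mac(v.key, a.Name, a.Nonce)) { // constant-time compare
		return ErrBadSignature
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if v.seen[a.Nonce] {
		return ErrReplay
	}
	v.seen[a.Nonce] = true
	return nil
}

func main() {
	fmt.Println("startup check:", validateBackendURL(backendURL, devMode == "true")) // <nil>
	key := []byte("constructed-demo-key-not-a-real-secret")
	v := NewVerifier(key, []string{"reboot"})
	a := Action{Name: "reboot", Nonce: "7f3a", Signature: Sign(key, "reboot", "7f3a")}
	fmt.Println("first:", v.Verify(a), "| replay:", v.Verify(a)) // <nil> | nonce already seen
}
```

Two design points worth noting. The nonce is part of the signed bytes, so an attacker who captures a valid `reboot` message cannot re-send it with a different nonce; and the seen-set is only updated after a signature verifies, so an unauthenticated sender cannot burn nonces the backend is about to use. Because the HMAC key is compiled into the binary, anyone who can read the binary can recover it, so the installed file's permissions and a per-host key matter as much as the check itself.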
- Go 1.21+
- A `.env` file with your configuration (see below)
```env
BACKEND_URL=https://api.yourbackend.com
AGENT_TOKEN=your-registration-token
HMAC_KEY=your-64-char-random-secret
HEARTBEAT_INTERVAL=10
DEV_MODE=false
```

IMPORTANT: The `.env` values are baked into the binary at compile time via `ldflags`. The binary does NOT need a config file at runtime.
On Windows (PowerShell):

```powershell
.\scripts\build.ps1
```

On Linux/macOS:

```sh
make build
```

To install and run the agent on a Linux host:

```sh
# 1. Build
make build

# 2. Install binary + create service user + register systemd
sudo make install

# 3. Allow reboot (optional)
echo "agentinferno ALL=(root) NOPASSWD: /sbin/reboot" | sudo tee /etc/sudoers.d/agentinferno

# 4. Start
sudo systemctl enable --now agentinferno
```

| Metric | Description |
|---|---|
| CPU Usage | Current CPU utilization % |
| CPU Cores | Total logical processors |
| RAM Usage | Current memory utilization % |
| Total RAM | Total system memory |
| Disk Usage | Primary partition usage % |
| Total Disk | Primary partition capacity |
| Disk I/O | Read/Write bytes |
| Network RX/TX | Total bytes received/sent |
| Interfaces | Per-interface traffic breakdown |
| Connections | Active TCP connections (ESTABLISHED) |
| Docker | Container names, status, images |
| SSH Logins | Last 5 accepted SSH sessions |
| Processes | Top 10 resource-heavy processes |
| Public IP | Cached, refreshed every 5 minutes |
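The "SSH Logins" metric is collected by reading `/var/log/auth.log` rather than shelling out to `last` or `journalctl`. As an added illustration (not the project's own collector), the Go snippet below parses the traditional syslog-format `sshd` "Accepted" lines and keeps the most recent N sessions; the regular expression, the `SSHLogin` struct and the sample log lines are constructed for this example. The constructed input deliberately mixes in a failed login and a PAM session line to show that only accepted sessions are kept.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// SSHLogin is one accepted session recovered from auth.log.
type SSHLogin struct {
	Timestamp string // syslog timestamp as written, e.g. "Jan 12 10:15:32"
	Method    string // publickey, password, keyboard-interactive, ...
	User      string
	SourceIP  string
	Port      string
}

// acceptedRe matches sshd "Accepted" lines in classic syslog format (constructed pattern;
// hosts logging ISO timestamps or only to journald need a different prefix).
var acceptedRe = regexp.MustCompile(
	`^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)`)

// ParseAcceptedLogins scans auth.log-style lines and returns the last n accepted
// sessions in log order (oldest first). Failed attempts and other sshd noise are skipped.
func ParseAcceptedLogins(r io.Reader, n int) ([]SSHLogin, error) {
	var logins []SSHLogin
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		m := acceptedRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		logins = append(logins, SSHLogin{Timestamp: m[1], Method: m[2], User: m[3], SourceIP: m[4], Port: m[5]})
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if n >= 0 && len(logins) > n {
		logins = logins[len(logins)-n:]
	}
	return logins, nil
}

// sampleAuthLog is constructed test input, not a real capture (documentation IP ranges).
const sampleAuthLog = `Jan 12 10:15:32 web1 sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:placeholder
Jan 12 10:16:01 web1 sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jan 12 10:16:40 web1 sshd[1209]: Accepted password for bob from 192.0.2.11 port 51300 ssh2
Jan 12 10:17:02 web1 sshd[1212]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jan 12 10:20:15 web1 sshd[1220]: Accepted publickey for alice from 192.0.2.10 port 51400 ssh2: ED25519 SHA256:placeholder
`

func main() {
	// In the agent this reader would be the opened /var/log/auth.log; here it is the sample above.
	logins, err := ParseAcceptedLogins(strings.NewReader(sampleAuthLog), 5)
	if err != nil {
		fmt.Println("read error:", err)
		return
	}
	for _, l := range logins {
		fmt.Printf("%s %s via %s from %s:%s\n", l.Timestamp, l.User, l.Method, l.SourceIP, l.Port)
	}
}
```

On Debian-family systems `/var/log/auth.log` is typically owned by `root:adm` with mode 0640, so the dedicated `agentinferno` user needs membership in the `adm` group (or an equivalent read-only ACL) rather than root to collect this metric; reading a rotated file (`auth.log.1`) is not handled here.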
The agent does NOT:
- ❌ Execute arbitrary commands
- ❌ Open any listening ports
- ❌ Accept inbound connections
- ❌ Read SSH keys, passwords, or environment secrets
- ❌ Provide shell access of any kind
- ❌ Auto-update itself
- ❌ Load plugins or scripts
License: MIT