
Install — Linux (Phase 2)

Prerequisites

  • Linux kernel ≥ 5.8 for eBPF mode (older kernels run the procfs fallback automatically — no install difference).
  • root / sudo on the target host.
  • A state-machine slug (Settings → "Spin up a state machine").
  • A zsm_* API key with write scope (Settings → API keys → "Create").

One-liner (interactive)

curl -fsSL https://zeq.dev/install/av | sudo bash

You'll be prompted for the machine and the zsm_* key.

One-liner (CI / non-interactive)

curl -fsSL https://zeq.dev/install/av | \
sudo ZEQ_SLUG=<your-slug> ZEQ_AV_KEY=zsm_... bash

What gets installed

Path                                  Purpose
/usr/local/bin/zeq-av                 The agent binary (Rust, ≈ 5 MB stripped).
/etc/zeq/av/credentials               slug=... + key=zsm_... (mode 0600).
/etc/systemd/system/zeq-av.service    systemd unit, auto-restart on failure.
/var/lib/zeq-av/                      Local queue spool (1000 claim max, drop-oldest).

What the agent does

  1. On boot, optionally registers the device (if ZEQ_AV_AUTO_REGISTER=1).
  2. Every Zeqond (0.777 s) drains the eBPF / procfs ring, classifies events into security CLAIMS (process_spawn, network_exfil, persistence_install, privesc_attempt, lateral_move, self_tamper).
  3. Runs the primary HF locally on each claim's features.
  4. POSTs /api/av/claim with {claim_type, claim_payload, device_id, captured_at_zeqond, hf_scores}.
  5. Server runs the composite + trigger gate, writes an audit row, fans out av.threat.detected if fired.

Capabilities (eBPF mode)

The systemd unit requests:

  • CAP_BPF
  • CAP_PERFMON
  • CAP_SYS_RESOURCE

Without these the agent silently falls back to procfs (still useful — catches new process spawns + tracks proc-count baseline, just less rich than eBPF).
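A post-install sanity check, added here as an example (it is not part of the installer or the zeq-framework repository): it confirms the kernel is new enough for eBPF mode, that the credentials file is mode 0600 and carries both a slug and a zsm_ key, and that the unit names all three capabilities, since a missing one means the silent procfs fallback. It assumes the unit file spells the capability names literally and that the credentials file holds one key=value pair per line.

```shell
#!/usr/bin/env bash
# Post-install checks for the zeq-av Linux agent (added example, not project code).
# Assumptions: capability names appear literally in the unit file (e.g. in an
# AmbientCapabilities= line); credentials are one key=value pair per line.
set -u

# Kernel >= 5.8 is required for eBPF mode; older kernels only get procfs.
kernel_supports_ebpf() {  # $1: kernel release string, e.g. "6.1.0-13-amd64"
  local major minor
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%[^0-9]*}
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }
}

# Credentials must be mode 0600 and contain a slug and a zsm_ key.
credentials_ok() {  # $1: path to the credentials file
  local mode
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || return 1
  grep -q '^slug=.' "$1" && grep -q '^key=zsm_' "$1"
}

# All three capabilities must be requested; otherwise the agent silently
# falls back to procfs and the richer eBPF claims never appear.
unit_requests_caps() {  # $1: path to zeq-av.service
  local cap
  for cap in CAP_BPF CAP_PERFMON CAP_SYS_RESOURCE; do
    grep -q "$cap" "$1" || return 1
  done
}

# Run every check against the real install paths; returns 0 when all pass.
post_install_check() {
  local rc=0
  kernel_supports_ebpf "$(uname -r)" || echo "kernel < 5.8: procfs fallback only"
  credentials_ok /etc/zeq/av/credentials || { echo "credentials missing or not 0600"; rc=1; }
  unit_requests_caps /etc/systemd/system/zeq-av.service || { echo "unit lacks eBPF caps"; rc=1; }
  [ -x /usr/local/bin/zeq-av ] || { echo "agent binary missing"; rc=1; }
  return "$rc"
}
```

Run `post_install_check` as root after the one-liner; a non-zero exit pinpoints which of the installed pieces is missing or mis-permissioned.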

Build from source

git clone https://github.com/zeqos/zeq-framework
cd zeq-framework/apps/packages/zeq-av-agent-linux
cargo build --release # procfs fallback path
cargo build --release --features ebpf # eBPF probes (requires aya toolchain)

The binary lands at target/release/zeq-av.

Uninstall

sudo systemctl disable --now zeq-av
sudo rm /etc/systemd/system/zeq-av.service /usr/local/bin/zeq-av
sudo rm -rf /etc/zeq/av /var/lib/zeq-av
sudo systemctl daemon-reload