Ryujin Agent is the endpoint component of the Ryujin security platform. It collects host telemetry, watches important files, and communicates with Ryujin Manager for enrollment, identity, and centralized monitoring.
- Monitors file creation, modification, deletion, permissions, ownership, hashes, and optional diffs.
- Collects system inventory including hardware, operating system, network interfaces, packages, ports, and processes.
- Reads file-based logs and systemd journal entries.
- Supports Linux audit-based command execution monitoring.
- Enrolls with Ryujin Manager using password-protected registration and certificate-based identity.
- Runs active response scripts for actions such as quarantine, firewall blocking, account disablement, and webshell analysis.
cmd/ Application entrypoint
configs/ Example agent configurations
docs/ Feature documentation
init/ systemd unit
internal/agent/ Enrollment, identity, and manager communication
internal/fim/ File integrity monitoring
internal/system_inventory/ Host inventory collectors
internal/log_collector/ File and journald log readers
internal/command/ Command execution monitoring
internal/active_response/ Active response execution
scripts/ Active response helper scripts
go build -o ryujin-agent ./cmd
sudo ./ryujin-agent

For service-based deployments, review init/ryujin-agent.service and adjust paths for your environment.
Start from configs/ryujin.yml.
Important fields:
- auth.server_manager: Ryujin Manager address.
- auth.password: enrollment password. Replace CHANGE_ME.
- fim.monitor: paths and options for file monitoring.
- system_inventory: inventory collectors and interval.
- log_collector: file and journal log sources.
- command.enabled: command monitoring toggle.
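A pre-start check for the auth fields listed above, added here as an example and not part of the Ryujin project. It assumes the YAML keeps server_manager: and password: each on its own line (a layout inferred from the field names auth.server_manager and auth.password); the function name check_agent_config and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not project code. Assumes the config keeps
# "server_manager:" and "password:" each on its own line.

# Prints one finding per line; returns 0 when the file is ready to deploy.
check_agent_config() {
    cfg=$1
    rc=0
    [ -f "$cfg" ] || { echo "missing: $cfg"; return 1; }

    # Skip comment lines, then look for the placeholder from the example config.
    if grep -v '^[[:space:]]*#' "$cfg" | grep -q 'CHANGE_ME'; then
        echo "placeholder: enrollment password is still CHANGE_ME"
        rc=1
    fi

    # The manager address must have a value.
    if ! grep -Eq '^[[:space:]]*server_manager:[[:space:]]*[^[:space:]#]' "$cfg"; then
        echo "unset: auth.server_manager has no value"
        rc=1
    fi

    # The file holds the enrollment password: characters 5-10 of the ls
    # mode string are the group and other permission bits.
    perms=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions: group/other can access $cfg ($perms)"
        rc=1
    fi
    return "$rc"
}

# Demo on a constructed config (hostname and layout are made up).
demo=$(mktemp -d)
printf 'auth:\n  server_manager: manager.example.internal\n  password: CHANGE_ME\n' > "$demo/ryujin.yml"
chmod 644 "$demo/ryujin.yml"
check_agent_config "$demo/ryujin.yml" || echo "not ready to deploy"
rm -rf "$demo"
```

Run it against the edited copy of configs/ryujin.yml before starting the agent or enabling the systemd unit, and treat a non-zero exit status as a failed deployment step.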
- ryujin-manager: control plane, API, WAF, alerting, and agent enrollment.
- ryujin-dashboard: web interface for agents, WAF, rules, credentials, and security events.
