tyrd (agent)

tyrd is the eBPF-powered agent. It runs on every host you want to govern.

Usage

tyrd --server <URL> --name <NAME> [FLAGS]

Flags

| Flag | Env | Default | Description |
|---|---|---|---|
| --server <URL> | TYR_SERVER | required | gRPC URL of tyr-server (http://…:7700 or https://…:7700) |
| --name <NAME> | TYR_AGENT_NAME | hostname | Human label for this daemon |
| --enforce | | off | Turn on deny enforcement (audit-only otherwise) |
| --tls-capture | | off | Attach uprobes to TLS libraries for SNI extraction |
| --config <PATH> | | /etc/tyr/tyrd.yaml | Path to YAML config |
| --data-dir <DIR> | | /var/lib/tyr | Where to store identity, cert, event buffer |

Additional env vars:

| Env | Description |
|---|---|
| TYR_ENROLLMENT_TOKEN | Bootstrap token for first-boot enrollment |
| RUST_LOG | Log level: error, warn, info, debug, trace |

Config file

/etc/tyr/tyrd.yaml:

unregistered_agents: audit # audit | quarantine | deny
heartbeat_interval_s: 30
buffer_size_mb: 500
debug_mode: false
enrollment_token: "tyr_et_..."
ca_cert_path: /etc/tyr/ca.pem
data_dir: /var/lib/tyr

| Key | Default | Description |
|---|---|---|
| unregistered_agents | audit | Behavior for processes that don’t match a known agent_type |
| heartbeat_interval_s | 30 | gRPC heartbeat interval |
| buffer_size_mb | 500 | On-disk event buffer for offline periods |
| debug_mode | false | Verbose logging (equivalent to RUST_LOG=debug) |
| enrollment_token | | Bootstrap token, consumed once |
| ca_cert_path | | Server CA certificate path |
| data_dir | /var/lib/tyr | Agent state dir (cert, key, buffered events) |

CLI flags override config file values. Config file values override defaults.

Required capabilities

On Linux:

  • CAP_BPF + CAP_SYS_ADMIN — attach eBPF programs.
  • CAP_NET_ADMIN — socket hooks.
  • CAP_PERFMON — perf ring buffer.
  • CAP_SYS_PTRACE — read /proc/<pid> for process enrichment.
  • CAP_SYS_RESOURCE — RLIMIT_MEMLOCK for BPF maps.

Running as root is simplest; AmbientCapabilities in the systemd unit is the cleanest alternative.
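
An added check, not part of tyrd or its documentation: it compares the CapEff mask from /proc/<pid>/status with the capability list above and reports what is missing and what is set beyond it. The function names and the sample status text are this example's own (the samples are constructed); the bit numbers are those in linux/capability.h.

```python
import re
import sys

# Capabilities this page lists for tyrd, with bit numbers from linux/capability.h.
REQUIRED = {
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
    "CAP_SYS_RESOURCE": 24,
    "CAP_PERFMON": 38,
    "CAP_BPF": 39,
}

def parse_cap_eff(status_text):
    """Return the effective-capability bitmask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def audit(status_text):
    """List required capabilities that are absent and bits set beyond the list."""
    eff = parse_cap_eff(status_text)
    missing = sorted(n for n, b in REQUIRED.items() if not (eff >> b) & 1)
    required_mask = sum(1 << b for b in REQUIRED.values())
    extra = eff & ~required_mask
    extra_bits = [b for b in range(extra.bit_length()) if (extra >> b) & 1]
    return {"missing": missing, "extra_bits": extra_bits}

# Constructed samples: root with a full set, a unit limited to the six
# capabilities above, and the same unit with CAP_BPF left out.
SAMPLE_ROOT = "Name:\ttyrd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_AMBIENT = "Name:\ttyrd\nUid:\t991\t991\t991\t991\nCapEff:\t000000c001281000\n"
SAMPLE_NO_BPF = "Name:\ttyrd\nUid:\t991\t991\t991\t991\nCapEff:\t0000004001281000\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a live process: python3 capcheck.py <pid>
        with open(f"/proc/{sys.argv[1]}/status") as f:
            print(audit(f.read()))
    else:
        for label, text in [("root", SAMPLE_ROOT), ("ambient", SAMPLE_AMBIENT),
                            ("no-bpf", SAMPLE_NO_BPF)]:
            print(label, audit(text))
```

A non-empty extra_bits list on a host running tyrd with AmbientCapabilities means the unit grants more than the list above.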

State on disk

/var/lib/tyr/:

├── identity.json # agent_id, registered_at
├── client.key # private key (0600)
├── client.crt # client certificate
├── ca.pem # server CA (also in /etc/tyr/)
└── events/ # on-disk buffer (offline storage)

Deleting this directory forces re-enrollment on next start.

Logs

Logs go to stderr. Under systemd: journalctl -u tyr-agent.

Key log events:

  • enrollment succeeded, agent_id=...
  • policy loaded, version=..., rules=...
  • lost connection to server, buffering events
  • reconnected, replayed N events
  • drift hit: kind=..., agent_verdict=..., server_verdict=... (only logged client-side if debug_mode)

Exit codes

| Code | Meaning |
|---|---|
| 0 | Clean shutdown (SIGTERM) |
| 1 | Fatal startup error (can’t load BPF, bad config) |
| 2 | Enrollment failed |
| 3 | Kernel incompatible (missing LSM BPF) |
