Baseline mode
The agent supports a two-speed onboarding. Speed 1 is a safe baseline that clears a security review quickly. Speed 2 is the deep, privileged mode, opt-in per capability.
Speed 1: safe baseline
In baseline mode the agent does only the zero-risk things:
- world-readable
/prochost metrics, - the WebSocket heartbeat (up and down detection),
- read-only auto-discovery (listening ports, package list, service unit names),
- on-agent edge anomaly scoring (local, no server cost).
It does not execute pushed definitions, does not use eBPF, and does not need database or device credentials. This is the honest "one line, a graph in 60 seconds, and we tell you when it is down".
Enable it with a flag:
wakora --baseline
or in wakora.conf:
[agent]
baseline = true
Definitions are still received and verified (held, logged), but no probe activates. Metrics, heartbeat, discovery and anomalies are unaffected.
Speed 2: deep and privileged
Turn baseline off and probes activate per the matched, signed definitions: service checks that use local secrets, eBPF-based RED metrics where the kernel allows it, deep APM through staged activation. Each escalation is a distinct, explicit grant.
An honest caveat about privilege
Baseline is a probe toggle. It stops probes from running. It is not a process-level
privilege drop: the service still runs as root, because Speed 2 features (eBPF, ptrace,
allow-listed exec) need it. The systemd unit is hardened (ProtectSystem=strict,
ReadWritePaths limited to the agent's own directories, ProtectControlGroups), but it
is not an unprivileged process.
A fully unprivileged baseline-only unit variant (User=wakora, dropped capabilities) is
planned as a packaging option for baseline-only fleets. It is not what ships today, and
the docs will not claim the agent "runs without root".