{"id":48888438,"url":"https://github.com/lousclues-labs/vigil","last_synced_at":"2026-05-03T05:03:15.006Z","repository":{"id":351697555,"uuid":"1198502233","full_name":"lousclues-labs/vigil","owner":"lousclues-labs","description":"Linux file integrity monitor. Kernel-level filesystem watching, BLAKE3 hashing, HMAC-chained audit trail. Silent by default, local by design, deeply paranoid.","archived":false,"fork":false,"pushed_at":"2026-04-24T18:23:00.000Z","size":66430,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-24T19:30:20.973Z","etag":null,"topics":["audit-trail","baseline","blake3","file-integrity-monitoring","filesystem-monitor","intrusion-detection","linux-security"],"latest_commit_sha":null,"homepage":"https://vigilbaseline.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lousclues-labs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-01T13:38:16.000Z","updated_at":"2026-04-24T18:22:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/lousclues-labs/vigil","commit_stats":null,"previous_names":["lousclues-labs/vigil"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/lousclues-labs/vigil","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lousclues-labs%2Fvigil","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lousclues-labs%2Fvigil/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lousclues-labs%2Fvigil/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lousclues-labs%2Fvigil/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lousclues-labs","download_url":"https://codeload.github.com/lousclues-labs/vigil/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lousclues-labs%2Fvigil/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32557698,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T03:21:47.309Z","status":"ssl_error","status_checked_at":"2026-05-03T03:21:43.884Z","response_time":103,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit-trail","baseline","blake3","file-integrity-monitoring","filesystem-monitor","intrusion-detection","linux-security"],"created_at":"2026-04-16T06:03:54.000Z","updated_at":"2026-05-03T05:03:14.945Z","avatar_url":"https://github.com/lousclues-labs.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vigil Baseline\n\n[![CI](https://img.shields.io/badge/CI-GitHub_Actions-success)](.github/workflows/ci.yml)\n[![Security Audit](https://img.shields.io/badge/Security-Audit-success)](.github/workflows/scheduled.yml)\n[![Version](https://img.shields.io/badge/version-1.8.3-blue)](CHANGELOG.md)\n[![Rust](https://img.shields.io/badge/rust-edition%202021-orange.svg)](https://www.rust-lang.org/)\n[![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](LICENSE)\n\n**Your filesystem. Your baseline. Your witness.**\n\n\u003e *No one tiptoes through your system without leaving footprints behind.*\n\n---\n\nA file integrity monitor for Linux. You tell it what to watch.\nIt records exactly what those files look like. Then it watches\nthem. When something changes, it tells you.\n\nThat's all it does. No machine learning. No risk score. No\nthreat feed. No opinion about whether a change is \"suspicious.\"\nHashes match or they don't. Permissions changed or they didn't.\nThere is no \"maybe.\"\n\n```\n$ vigil check\nVigil Baseline — Integrity Check\n═════════════════════════════════\n\n  Baseline   5a7b·6009·f26f·e08c   established 24 Apr 18:52 (44m ago)\n  Scanned    7,624 files in 0.1s    mode: incremental · HMAC ● signed\n  Coverage   7,624 baseline entries · 0 scan errors\n\n  ╭──────────────────────────────────────────────╮\n  │  ● Boundaries intact                       │\n  ╰──────────────────────────────────────────────╯\n```\n\nThat's a healthy system. When files change, the box fills with\none square per change, severity-colored, and the changed files\nare listed below.\n\n## Try it\n\n```bash\nsudo vigil welcome                    # configure (about 90s, idempotent)\nsudo vigil init                       # establish baseline\nsudo vigil check                      # verify\nsudo systemctl enable --now vigild    # run continuously\n```\n\nIf you'd rather configure by hand, see\n[Installation](docs/INSTALL.md) and\n[Configuration](docs/CONFIGURATION.md).\n\n## What it is\n\nVigil records a known-good snapshot of every watched file: hash,\npermissions, ownership, inode, capabilities, xattrs, and\nSELinux/AppArmor context. The daemon watches via fanotify\n(falling back to inotify) and compares every event against that\nsnapshot. Deviations are written to a crash-safe WAL and an\nHMAC-chained audit log. Notifications are storm-suppressed,\nper-path-cooldowned, and written once.\n\nOn FID-capable kernels (Linux 5.1+), real-time coverage spans all\nevent classes: creates, deletes, moves, attribute changes, and\ncontent modifications. On pre-FID kernels, the daemon monitors\ncontent modifications in real time and relies on scheduled scans to\ndetect creates, deletes, moves, and attribute changes. Run\n`vigil doctor` to see which tier your kernel supports.\n\nThe principles that drive every design decision are in\n[PRINCIPLES.md](docs/PRINCIPLES.md). Worth reading before you\ndecide whether vigil is the right tool for your situation.\n\n## CVE-2026-31431 (copy.fail) detection\n\nVigil hashes file content through the kernel page cache. That means it\nobserves what readers observe, including page-cache-layer tampering.\n\nIn `v1.8.1`, `vigil check --disambiguate-cause` adds mismatch\nclassification to help triage copy.fail-class signatures:\n\n- `page_cache_only` — cached view changed, on-disk view re-hashes to baseline\n- `disk_modification` — cached and on-disk views match each other, both differ from baseline\n- `active_modification` — baseline, cached, and post-eviction views all differ\n- `inconclusive` — cache eviction did not complete\n\nFor end-to-end reproducible evidence, see:\n\n- `tests/exploits/copy_fail/` (Tier 1 and optional Tier 2 harness)\n- `docs/COPY_FAIL_VERIFICATION_REPORT.md`\n- `docs/COPY_FAIL_EXECUTIVE_SUMMARY.md`\n\n## What it isn't\n\nIt isn't an EDR. It doesn't kill processes, quarantine files,\nor block execution. There is no web UI, no plugin system, no\ntelemetry, no auto-updates, no network calls of any kind. The\nsignal socket and webhook are the only integration points; both\nare off by default and outbound-only when enabled.\n\nIf you need more, vigil is probably not the right fit.\n\n## How it's built\n\nEvery release was driven by a written prompt that named the\nproblem, the principle being applied, and the constraints. The\n[CHANGELOG](CHANGELOG.md) records each architectural decision,\neach correction, and the reasoning behind both. Vigil is built\nwith AI assistance; the changelog is the honest record of that\nwork.\n\nIf you want to see how vigil came to be the way it is, that's\nwhere to start.\n\n## Documentation\n\n| Document | What's Inside |\n|----------|---------------|\n| [Docs Index](docs/README.md) | Documentation map by topic |\n| [Quickstart](docs/QUICKSTART.md) | From install to monitoring in 5 minutes |\n| [Cookbook](docs/COOKBOOK.md) | Common scenarios with exact commands |\n| [Installation](docs/INSTALL.md) | Building, dependencies, systemd setup |\n| [CLI Reference](docs/CLI.md) | Every command, every flag |\n| [Configuration](docs/CONFIGURATION.md) | The config file explained |\n| [Notifications](docs/NOTIFICATIONS.md) | Routing policy, coalescing, storm suppression, webhook |\n| [Architecture](docs/ARCHITECTURE.md) | How it's built |\n| [Security](docs/SECURITY.md) | Security model, dependency justification |\n| [Vulnerabilities](docs/VULNERABILITIES.md) | All remediated vulnerabilities with tracking IDs |\n| [Attestation](docs/ATTEST.md) | Portable signed attestations and offline verification |\n| [Threat Model](docs/THREAT_MODEL.md) | What Vigil Baseline detects and what it doesn't |\n| [Testing](docs/TESTING.md) | Test suite, fuzz targets, coverage |\n| [Development](docs/DEVELOPMENT.md) | Dev setup, building, debugging |\n| [Troubleshooting](docs/TROUBLESHOOTING.md) | When things go wrong |\n| [FAQ](docs/FAQ.md) | Common questions answered |\n| [Resilience](docs/RESILIENCE.md) | Failure modes and recovery |\n| [Minimum Viable Trust](docs/MINIMUM_VIABLE.md) | Smallest deployment, what it provides |\n| [Forensics](docs/FORENSICS.md) | Offline comparison workflows |\n| [Principles](docs/PRINCIPLES.md) | Why it's built this way |\n| [Releasing](docs/RELEASING.md) | Release process and versioning |\n| [Licensing Guide](licenses/LICENSING.md) | File-level license coverage and policy |\n| [Dependency Audit](licenses/DEPENDENCY-AUDIT.md) | Dependency license compatibility framework |\n| [Third-Party Licenses](licenses/THIRD-PARTY-LICENSES) | Direct dependency attributions |\n| [Documentation License](licenses/LICENSE-DOCS.md) | License terms for project docs |\n| [Commercial Licensing](licenses/LICENSE-COMMERCIAL.md) | Commercial license terms |\n| [NOTICE](NOTICE) | Project identity and attribution |\n| [Trademarks](TRADEMARKS.md) | Trademark usage policy |\n| [Contributing](CONTRIBUTING.md) | How to help |\n\n## Requirements\n\nLinux. Optional `CAP_SYS_ADMIN` for fanotify (inotify fallback\notherwise). Optional `notify-send` for desktop notifications.\nSQLite is bundled.\n\n## License\n\nCopyright (C) 2026 **Louis Nelson Jr.** — a [lousclues](https://lousclues.com) project.\n\nVigil Baseline is dual-licensed:\n\n| Component | License | File |\n|-----------|---------|------|\n| Source Code | GNU GPL v3.0 only **or** Commercial License | [LICENSE](LICENSE), [LICENSE-COMMERCIAL.md](licenses/LICENSE-COMMERCIAL.md) |\n| Documentation | Creative Commons Attribution 4.0 (CC BY 4.0) | [LICENSE-DOCS.md](licenses/LICENSE-DOCS.md) |\n| Third-Party Dependencies | MIT, Apache-2.0, and other permissive licenses | [THIRD-PARTY-LICENSES](licenses/THIRD-PARTY-LICENSES) |\n\n**For most users:** The GPL covers you completely. Use Vigil Baseline, monitor your files, run the daemon. No restrictions beyond the GPL.\n\n**For proprietary/commercial use:** If you need to embed Vigil Baseline in closed-source products or redistribute without GPL obligations, a [commercial license](licenses/LICENSE-COMMERCIAL.md) is available.\n\n**For contributors:** By submitting a pull request, you agree to the [Contributor License Agreement](licenses/CONTRIBUTOR-LICENSE.md). You keep your copyright. You grant the project permission to use the contribution under both licenses.\n\n**Trademarks:** \"Vigil Baseline\" and \"lousclues\" are the project name and publisher mark respectively. See [TRADEMARKS.md](TRADEMARKS.md). Neither \"Vigil\" nor \"Baseline\" is individually claimed as a trademark.\n\nFor the complete licensing framework, see [LICENSING.md](licenses/LICENSING.md). For project governance and succession planning, see [GOVERNANCE.md](GOVERNANCE.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flousclues-labs%2Fvigil","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flousclues-labs%2Fvigil","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flousclues-labs%2Fvigil/lists"}