
Agent Configuration

The agent is configured via a YAML file (typically /etc/sielum/agent.yaml) and/or CLI flags. CLI flags override YAML values.

Full configuration reference

# /etc/sielum/agent.yaml

# gRPC server address — host:port, no https://
# CLI flag: --server
server: "sielum-server.example.com:9090"

# CA certificate to verify the server's TLS certificate
# CLI flag: --ca
ca: "/etc/sielum/certs/ca.crt"

# Agent TLS certificate (client cert for mTLS)
# CLI flag: --cert
cert: "/etc/sielum/certs/device.crt"

# Agent TLS private key
# CLI flag: --key
key: "/etc/sielum/certs/device.key"

# Operating mode:
# auto — detect capabilities at startup (default)
# privileged — enable firewall enforcement (requires CAP_NET_ADMIN on Linux)
# user — monitoring only, no firewall enforcement
# CLI flag: --mode
mode: auto

# Enable Docker container scanning.
# Requires read access to /var/run/docker.sock.
# Default: false (opt-in for security — docker.sock has broad access)
# CLI flag: --docker
docker: false
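
The constraints in the reference above (server as host:port with no scheme, the three mode values, Docker scanning as an opt-in) can be checked before the agent starts. The shell lint below is an added example, not part of the Sielum project. The function names, the flat `key: value` parsing and the private-key permission check are assumptions of this example.

```shell
# Added example: pre-flight lint for a flat agent.yaml (top-level key: value lines).

# Print the value of a top-level key, stripping quotes and trailing comments.
cfg_get() {
  sed -n "s/^$2:[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" |
    sed 's/[[:space:]]*$//' | head -n 1
}

# Returns 0 when no FAIL line was printed, 1 otherwise. WARN lines do not fail.
check_agent_config() {
  cfg=$1; rc=0
  server=$(cfg_get "$cfg" server); mode=$(cfg_get "$cfg" mode)
  docker=$(cfg_get "$cfg" docker); key=$(cfg_get "$cfg" key)

  # server: host:port only; a URL scheme such as https:// is rejected
  if ! printf '%s\n' "$server" | grep -Eq '^(\[[0-9A-Fa-f:]+\]|[^/:]+):[0-9]+$'; then
    echo "FAIL server: expected host:port without a scheme, got '$server'"; rc=1
  fi

  # mode: one of the three documented values; empty means the default (auto)
  case $mode in
    ''|auto|user) ;;
    privileged) echo "WARN mode: privileged needs CAP_NET_ADMIN on Linux" ;;
    *) echo "FAIL mode: '$mode' is not auto, privileged or user"; rc=1 ;;
  esac

  # docker: opt-in; flag it so the docker.sock exposure is a reviewed decision
  if [ "$docker" = "true" ]; then
    echo "WARN docker: agent will read /var/run/docker.sock"
  fi

  # key: assumption of this example, not a documented agent requirement:
  # the private key should carry no group/other permission bits
  if [ ! -f "$key" ]; then
    echo "FAIL key: '$key' not found"; rc=1
  elif [ "$(ls -ldL "$key" | cut -c5-10)" != "------" ]; then
    echo "FAIL key: '$key' is accessible to group/other, chmod 600 it"; rc=1
  fi
  return $rc
}

# Constructed sample: world-readable key plus a server value carrying a scheme.
demo() {
  d=$(mktemp -d); : > "$d/device.key"; chmod 644 "$d/device.key"
  printf 'server: "https://sielum.example.com:9090"\nmode: auto\nkey: "%s"\n' \
    "$d/device.key" > "$d/agent.yaml"
  status=0; check_agent_config "$d/agent.yaml" || status=$?
  rm -rf "$d"; return $status
}
```

Run it as `check_agent_config /etc/sielum/agent.yaml`; values passed as CLI flags override the file and are not seen by this check.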

CLI commands

# Show available commands
sielum-agent --help

# Start the agent
sielum-agent start --config /etc/sielum/agent.yaml

# Start with individual flags (override config file)
sielum-agent start \
  --server sielum.example.com:9090 \
  --ca /etc/sielum/certs/ca.crt \
  --cert /etc/sielum/certs/device.crt \
  --key /etc/sielum/certs/device.key \
  --mode privileged

# Enroll a new device (obtain signed certificate)
sielum-agent enroll \
  --server https://sielum.example.com \
  --token "$ENROLLMENT_TOKEN" \
  --out /etc/sielum/certs/

# Print version
sielum-agent version

Development configuration

For local development against a Docker Compose server:

# deploy/agent-dev.yaml (included in repository)
server: "localhost:9090"
ca: "deploy/certs/ca.crt"
cert: "deploy/certs/agent.crt"
key: "deploy/certs/agent.key"
mode: auto
docker: false

go run ./agent/... start --config deploy/agent-dev.yaml

systemd EnvironmentFile

When installed via install-linux.sh, the agent reads configuration from:

  • YAML: /etc/sielum/agent.yaml
  • systemd unit: /etc/systemd/system/sielum-agent.service

The systemd unit supports two variants:

  • sielum-agent.service — privileged mode with AmbientCapabilities=CAP_NET_ADMIN
  • sielum-agent-user.service — user mode without any capabilities