Docs.
Four pages. Everything you need to install oknek, operate it from the CLI, write your own detection rules, and understand the kernel-hook architecture. Docs reflect v1 — what's in the daemon today. Anything marked "planned" is on the roadmap but not in the binary yet.
four sections · read in order or jump in
Pick a section.
Install
The one-line install command, what it actually does, supported kernels, verifying, updating, uninstalling.
~3 min read →
02 CLI reference
Every oknek subcommand with examples. status · logs · allow · block · baseline · update · license · version.
~5 min read →
03 Rule format
The YAML rule schema, how rule packs are signed, the seven shipped rules (R1–R7), and how to author your own.
~6 min read →
04 Architecture
The five-stage funnel, eBPF + LD_PRELOAD hook layer, rule engine, local SQLite store, signed update channel.
~5 min read →
if you only read one thing
Quick start.
From a fresh shell on an Ubuntu 24.04+ box (or any Linux with kernel ≥ 5.8), get to "oknek is watching N agents" in under 90 seconds.
$ curl -fsSL https://install.oknek.com | sh
[ oknek ] downloading oknekd 0.1.0 for linux/amd64... ok
[ oknek ] installing systemd unit /etc/systemd/system/oknek.service... ok
[ oknek ] starting oknek.service... ok
[ oknek ] baselining current agents (this takes ~60s)... ok
oknek is watching 3 agents on this host.
● claude-code-7f3a (running)
● cursor-mcp-stdio (running)
● aider-001 (idle)
next steps:
$ oknek status # see live state
$ oknek logs --tail # see events as they fire
$ oknek license activate <KEY> # if you have a paid plan
docs: https://oknek.com/docs/
Above output is from the live v1 daemon. The daemon runs on production hosts today; the installer is gated to licensed customers — request access. Watch the status page for live component state.
Beyond the docs.
The threats page lists every detection rule with CVE citations. The pricing page shows the full feature matrix. The status page tracks live operational state.