Install.

Get from a fresh shell to "oknek is watching" in under 90 seconds. One command, no manual config required, works on every modern Linux distribution we test against.

the one-liner

curl | sh.

$ curl -fsSL https://install.oknek.com | sh

Always inspect a curl-pipe-sh installer before you run it: pipe the download to tee /tmp/install.sh, read the saved script, then run sh /tmp/install.sh. The installer and binaries are distributed to licensed customers as signed releases.

what install.sh does

Step by step.

  1. Detect the host

    Reads uname -srm. Verifies kernel ≥ 5.8 (for eBPF) or installs the LD_PRELOAD shim path. Detects amd64 vs arm64.

  2. Download the signed binaries

    Fetches oknekd and oknek for the detected arch from https://install.oknek.com/v0.1.0/. Verifies the Ed25519 signature against the embedded public key before any binary touches disk.

  3. Create directories

    /etc/oknek/ (config) · /var/lib/oknek/ (event DB + baseline) · /var/log/oknek/ (rotated logs) · /run/oknek/ (control socket, mode 0750, group oknek).

  4. Install the systemd unit

    Drops /etc/systemd/system/oknek.service. Type=notify, hardened (ProtectSystem=strict, ReadWritePaths scoped to oknek dirs), Restart=always. Then runs systemctl daemon-reload && systemctl enable --now oknek.

  5. Baseline existing agents

    The daemon scans the process tree for known AI agents (Claude Code, Cursor MCP, Aider, Cline, Continue, AutoGPT, generic MCP servers). Each detected agent is fingerprinted by binary hash, argv, and parent PID. The baseline is written to /var/lib/oknek/baseline.sqlite and used by R7 (drift score).

  6. Confirm

    Prints the count of watched agents and exits with status 0. Run oknek status at any time to see the same.
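
Step 1's host detection, sketched as an added example (not oknek's own install.sh): it maps a uname -srm line to the hook layer and architecture listed under supported systems. The function name detect_host, its output format, and the rejection of kernels older than 4.x are assumptions.

```sh
#!/bin/sh
# Added example, not oknek's install.sh; detect_host is a hypothetical name.
# Maps one `uname -srm` line to "<hook-layer> <arch>", e.g. "ebpf amd64".
# Returns 1 with no output for hosts outside the supported-systems table.
detect_host() {
    # read splits on whitespace without glob-expanding the input.
    read -r os release machine extra <<EOF
${1-}
EOF
    [ "$os" = "Linux" ] || return 1

    case $machine in
        x86_64|amd64)  arch=amd64 ;;
        aarch64|arm64) arch=arm64 ;;
        *)             return 1 ;;
    esac

    # Take major.minor from e.g. "6.8.0-111-generic" and compare them as
    # integers: compared as strings, "5.10" would sort below "5.8".
    case $release in *.*) ;; *) return 1 ;; esac
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1

    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        echo "ebpf $arch"
    elif [ "$major" -ge 4 ]; then
        echo "ld_preload $arch"
    else
        return 1   # assumption: kernels older than 4.x are treated as unsupported
    fi
}

# Run against the current host; an unsupported host is reported, not fatal.
detect_host "$(uname -srm)" || echo "unsupported host: $(uname -srm)" >&2
```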

platforms we test against

Supported systems.

| Platform | Hook layer | Status |
| --- | --- | --- |
| Linux kernel ≥ 5.8 (Ubuntu 22.04+, Debian 11+, RHEL 9+, Fedora 38+, Arch) | eBPF (primary) | ✓ supported |
| Linux kernel 4.x–5.7 (Ubuntu 20.04, older) | LD_PRELOAD shim (fallback) | ✓ supported |
| macOS 13+ (Apple Silicon and Intel) | DYLD_INSERT_LIBRARIES (dev only) | ✓ dev only · not for production |
| Windows | | — not planned |
| Container / Kubernetes (sidecar mode) | eBPF on the host | — planned for v2 |

after install

Verify · update · uninstall.

# verify the install is healthy
$ oknek status
oknek 0.1.0 · kernel 6.8.0-111-generic · ebpf-mode
   socket:     /run/oknek/oknek.sock   ok
   db:         /var/lib/oknek/oknek.db (8.2 MiB)   ok
   rule pack:  v1.0.0 (R1–R7)   ok
   agents:     3 watched · 0 blocked · 0 alerted

# pull the latest rule pack (free: monthly · pro+: hourly)
$ oknek update
   rule pack: v1.0.0 → v1.0.4   ok
   signature verified   ok
   reloaded in 12ms

# uninstall (cleanly, leaves event DB intact at /var/lib/oknek/oknek.db)
$ curl -fsSL https://install.oknek.com/uninstall | sh

# wipe everything including events
$ curl -fsSL https://install.oknek.com/uninstall | sh -s -- --purge

Next: the CLI.

Now that oknekd is running, every operational action goes through the oknek CLI.