runlayer-aiwatch .deb / .rpm) that installs the aiwatch binary and a cron entry. Every 15 minutes it scans all users on the machine for shadow AI — MCP servers, connectors/plugins, skills, and agents — and reports findings to your Runlayer tenant.
What you get
Linux is Detect-only:- Cron-scheduled shadow-AI scans across all users on the machine (root and service accounts included).
- No hooks, no Enforce, no Sessions, and no browser extension on Linux.
- In the dashboard, a Linux device shows Detect = Active and Enforce / Sessions = Disabled. That is the expected state, not an error.
Supported distributions
Packages are x86_64 and built on Ubuntu 22.04, so they require glibc 2.35 or newer:| Supported | Not supported |
|---|---|
| Ubuntu 22.04+ | Ubuntu 20.04 |
| Debian 12+ | Debian 11 |
| RHEL / Rocky / Alma 9+ | RHEL 8 |
| Amazon Linux 2023 | Amazon Linux 2 |
| Current Fedora | Alpine / musl-based distros |
.deb depends on cron | cron-daemon | cronie and the .rpm depends on cronie, so a provider is pulled in automatically on install if missing.
Install
Download theaiwatch-<version>-linux-x86_64.zip deployment bundle from your Runlayer downloads access. It contains the .deb, the .rpm, SHA256SUMS, and the config templates. Contact your Runlayer account team if you don’t have the bundle yet.
Install the package
| Path | Purpose |
|---|---|
/usr/lib/runlayer/aiwatch/ | The self-contained aiwatch bundle (plus a /usr/bin/aiwatch symlink) |
/usr/lib/runlayer/run-aiwatch-scan.sh | Root scan wrapper — enumerates users and runs per-user scans |
/etc/cron.d/runlayer-aiwatch | Cron entry: every 15 minutes as root |
/etc/runlayer/aiwatch/config.json | Managed config template (world-readable, non-secret) |
/etc/runlayer/aiwatch/credentials | Credentials template (root-only, 0600) |
Configure
Configuration is two files under/etc/runlayer/aiwatch/. The split matters: per-user scan children run unprivileged and read config.json, so that file is world-readable by design — the org API key must never go in it.
1. /etc/runlayer/aiwatch/config.json (world-readable, non-secret)
Set Host to your tenant URL and keep Sessions and Enforcement at false — that is the Detect-only contract on Linux:
| Key | Default | Purpose |
|---|---|---|
ProjectDepth | 7 | Directory depth Detect scans walk under each user home (max 20) |
ProjectTimeout | 60 | Per-scan time budget in seconds (max 300) |
Username | OS username | Override for backend user attribution |
DeviceName | hostname | Override for the device name |
2. /etc/runlayer/aiwatch/credentials (root-only, 0600)
Set the organization API key — the same rl_org_... key used by your macOS and Windows deployments, minted in Settings → Organization API keys with the Shadow AI Scan role:
RUNLAYER_API_KEY is set, the scan wrapper exits quietly without scanning — an unconfigured device produces no errors and no data.
How it runs
/etc/cron.d/runlayer-aiwatch runs /usr/lib/runlayer/run-aiwatch-scan.sh as root every 15 minutes (the same cadence as the macOS LaunchAgent and the Windows AIWatchScan task). The wrapper:
- Enumerates all passwd users with an existing home directory — root and service accounts included; shared home directories are scanned once.
- Runs
aiwatch scanfor each user in its own child process with privileges dropped to that user, so one user’s failure never aborts the others. - Skips overlapping runs via a lock file — concurrent cron ticks never queue up.
- Routes all output to syslog, tagged
runlayer-aiwatch(cron never emails root).
Verify
On a test machine after configuring both files:Updates
There is no auto-update on Linux. Upgrade through your configuration management (Ansible, Salt, Puppet, etc.) by installing the newer.deb / .rpm — the same install commands upgrade in place. Your edited /etc/runlayer/aiwatch/config.json and credentials files are preserved across upgrades (they are packaged as config files with noreplace semantics). Point your automation at your Runlayer downloads access to pick up the latest version.
Uninstall
/etc/cron.d/runlayer-aiwatch immediately, so no stale schedule keeps firing. Edited config files under /etc/runlayer/aiwatch/ remain unless you purge (sudo apt-get purge runlayer-aiwatch on Debian/Ubuntu).
Troubleshooting
No device appears in the dashboard
No device appears in the dashboard
- The wrapper exits quietly when
RUNLAYER_API_KEYis missing from/etc/runlayer/aiwatch/credentials— confirm the key is set and the file is readable by root. - Confirm a cron daemon is running (
systemctl status cronorsystemctl status crond). - Run
sudo /usr/lib/runlayer/run-aiwatch-scan.sh; echo $?and checkjournalctl -t runlayer-aiwatchfor per-user errors. - Verify the device can reach your tenant host over HTTPS (443).
Manual wrapper run exits 0 instantly with no output
Manual wrapper run exits 0 instantly with no output
Either
RUNLAYER_API_KEY is not configured (the unconfigured-device gate), or another scan run currently holds the lock — overlapping runs skip instead of queueing. Wait for the running scan to finish and retry.Device shows Enforce / Sessions as Disabled
Device shows Enforce / Sessions as Disabled
Expected. Linux is Detect-only: there are no hooks, no Enforce, no Sessions, and no browser extension. Only macOS and Windows support those features.