
Run Jibril Using a Configuration File

Configuration File

Due to the large number of flags, it is recommended to run Jibril from a configuration file: a YAML file that describes how Jibril should run (log level, extensions, plugins, printers and events).

When installing Jibril as a systemd service, the configuration file is created automatically at /etc/jibril/config.yaml. If you are running Jibril as a standalone application, create a configuration file like the one below:

#
# Jibril Configuration File.
#

# Pick one from quiet, fatal, error, warn, info, debug.
log-level: info

# Pick "stdout", "stderr" or a file path for logging.
stdout: stdout
stderr: stderr

# Chop long lines when output is a terminal.
chop-lines: false

# Disable health checks (http://127.0.0.1:8082/health).
no-health: false

# Enable profiling (http://127.0.0.1:8082/debug/pprof).
profiler: false

# Enable hard-coded cardinal filters.
cardinal: true

# Run as a daemon.
daemon: false

# Notify systemd after startup (.service Type=notify).
notify: false

# Extensions.
#
# Config: configures loader flags needed by eBPF programs (log-level, run-mode, ...).
# Jibril: the main "Jibril" software extension with multiple plugins.
# Data: data storage and retrieval (implements ebpf virtual maps, nested vmaps and trie).
# Example: used as an example and for tests.
#
extension:
  - jibril
  - config
  - data
  # - example

# Plugins.
#
# Example:
# - helloworld: simple demo purpose plugin.
#
# Jibril:
# - hold: holds the execution until ctrl+c or SIGTERM.
# - procfs: reads /proc files during startup (populates with existing data).
# - printers: prints data to stdout, stderr, files, etc.
# - net: captures network flows.
# - netpolicy: enforces network policies for CIDRs and domains.
#   - file: path to the netpolicy file.
# - detect: detects suspicious activities.
# - github: interacts with GitHub repositories.
#
plugin:
  # - example:helloworld
  - jibril:hold
  - jibril:procfs
  - jibril:printers
  - jibril:net
  - jibril:netpolicy:file=/etc/jibril/netpolicy.yaml
  - jibril:detect
  # - jibril:github

# Printers.
#
# Jibril -> Printers: generic printers.
# - datakeeper: keeps printed events for near-future reference.
# - stdout: prints to stdout.
# - varlog: prints to /var/log/{loader,jibril}.log.
#
# Jibril -> Github: GitHub related printers (metadata encapsulated).
# - listendev: listen.dev backend for the dashboard (needs an account, a token).
# - listendevdebug: debug file for listendev printer.
#
printer:
  # - jibril:printers:datakeeper
  # - jibril:printers:stdout
  - jibril:printers:varlog
  # - jibril:github:listendev
  # - jibril:github:listendevdebug

# Events.
#
# Jibril -> Net:
# - flow: captures network flows.
#
# Jibril -> NetPolicy:
# - dropip: drops traffic based on IP addresses.
# - dropdomain: drops traffic based on domain names.
#
# Jibril -> Github:
# - pull_summary: summarizes pull requests.
# - change_summary: summarizes changes.
# - flows_summary: summarizes network flows.
# - detections_summary: summarizes detections.
# - summary: summarizes all events.
#
# Jibril -> Detect:
#
# Jibril -> Detect -> File Access:
# - capabilities_modification: detects file access.
# - code_modification_through_procfs: detects code modification through /proc.
# - core_pattern_access: detects core pattern access.
# - cpu_fingerprint: detects CPU fingerprint.
# - credentials_files_access: detects credentials files access.
# - filesystem_fingerprint: detects filesystem fingerprint.
# - java_debug_wire_proto_load: detects Java debug wire protocol load.
# - java_libinstrument_load: detects Java libinstrument load.
# - machine_fingerprint: detects machine fingerprint.
# - os_fingerprint: detects OS fingerprint.
# - os_network_fingerprint: detects OS network fingerprint.
# - os_status_fingerprint: detects OS status fingerprint.
# - package_repo_config_modification: detects package repository configuration modification.
# - pam_config_modification: detects PAM configuration modification.
# - sched_debug_access: detects sched debug access.
# - shell_config_modification: detects shell configuration modification.
# - ssl_certificate_access: detects SSL certificate access.
# - sudoers_modification: detects sudoers modification.
# - sysrq_access: detects sysrq access.
# - unprivileged_bpf_config_access: detects unprivileged BPF configuration access.
# - global_shlib_modification: detects global shared library modification.
#
# Jibril -> Detect -> Execution:
# - binary_executed_by_loader: detects binary executed by ELF loader.
# - code_on_the_fly: detects code on the fly.
# - denial_of_service_tools: detects denial of service tools.
# - exec_from_unusual_dir: detects execution from unusual directory.
# - file_attribute_change: detects file attribute change.
# - hidden_elf_exec: detects hidden ELF execution.
# - interpreter_shell_spawn: detects interpreter shell spawn.
# - net_filecopy_tool_exec: detects network file copy tool execution.
# - net_mitm_tool_exec: detects network MITM tool execution.
# - net_scan_tool_exec: detects network scan tool execution.
# - net_sniff_tool_exec: detects network sniff tool execution.
# - net_suspicious_tool_exec: detects network suspicious tool execution.
# - net_suspicious_tool_shell: detects network suspicious tool shell.
# - passwd_usage: detects passwd usage.
# - runc_suspicious_exec: detects runc suspicious execution.
#
event:
  # Flows.
  # - jibril:net:flow
  # - jibril:netpolicy:dropip
  # - jibril:netpolicy:dropdomain
  # Summaries.
  # - jibril:github:pull_summary
  # - jibril:github:change_summary
  # - jibril:github:flows_summary
  # - jibril:github:detections_summary
  # - jibril:github:summary
  # Method: file access.
  - jibril:detect:capabilities_modification
  - jibril:detect:code_modification_through_procfs
  - jibril:detect:core_pattern_access
  - jibril:detect:cpu_fingerprint
  - jibril:detect:credentials_files_access
  # - jibril:detect:file_example
  - jibril:detect:filesystem_fingerprint
  - jibril:detect:java_debug_lib_load
  - jibril:detect:java_instrument_lib_load
  - jibril:detect:machine_fingerprint
  - jibril:detect:os_fingerprint
  - jibril:detect:os_network_fingerprint
  - jibril:detect:os_status_fingerprint
  - jibril:detect:package_repo_config_modification
  - jibril:detect:pam_config_modification
  - jibril:detect:sched_debug_access
  - jibril:detect:shell_config_modification
  - jibril:detect:ssl_certificate_access
  - jibril:detect:sudoers_modification
  - jibril:detect:sysrq_access
  - jibril:detect:unprivileged_bpf_config_access
  - jibril:detect:global_shlib_modification
  # Method: execution.
  - jibril:detect:binary_executed_by_loader
  - jibril:detect:code_on_the_fly
  - jibril:detect:denial_of_service_tools
  # - jibril:detect:exec_example
  - jibril:detect:exec_from_unusual_dir
  - jibril:detect:file_attribute_change
  - jibril:detect:hidden_elf_exec
  - jibril:detect:interpreter_shell_spawn
  - jibril:detect:net_filecopy_tool_exec
  - jibril:detect:net_mitm_tool_exec
  - jibril:detect:net_scan_tool_exec
  - jibril:detect:net_sniff_tool_exec
  - jibril:detect:net_suspicious_tool_exec
  - jibril:detect:net_suspicious_tool_shell
  - jibril:detect:passwd_usage
  - jibril:detect:runc_suspicious_exec

Then run Jibril with:

sudo -E ./build/loader --config ~/config/default.yaml

The events are printed in JSON format. This example only enables the varlog printer, which prints the events to /var/log/jibril/events.log. To print the events to stdout, enable the stdout printer as well.
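The sections of this file depend on each other: a printer or event entry needs its plugin enabled, and a plugin needs its extension enabled, so a stale comment mark can silently disable a whole class of detections. The checker below is an added example, not Jibril's own code; it assumes the flat YAML subset shown above, the `ext:plugin[:key=value]` plugin entry format and the `ext:plugin:name` printer/event format, and the "at least one printer" rule is this example's own assumption.

```python
LOG_LEVELS = {"quiet", "fatal", "error", "warn", "info", "debug"}

def parse_config(text):
    """Parse the flat YAML subset the config uses (scalars and string lists); comments dropped."""
    conf, key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: no '#' inside values
        if line.startswith("- "):
            conf.setdefault(key, []).append(line[2:].strip())
        elif line:
            key, _, value = (s.strip() for s in line.partition(":"))
            conf[key] = value or []  # a bare "key:" starts a list
    return conf

def check_config(text):
    """Return the list of cross-section problems; an empty list means the file is consistent."""
    conf, problems = parse_config(text), []
    level = conf.get("log-level")
    if level not in LOG_LEVELS:
        problems.append(f"log-level {level!r} is not one of {sorted(LOG_LEVELS)}")
    extensions = set(conf.get("extension", []))
    plugins = set()  # enabled ext:plugin pairs, options such as file=... stripped
    for entry in conf.get("plugin", []):
        ext, _, rest = entry.partition(":")
        if ext not in extensions:
            problems.append(f"plugin {entry!r} needs extension {ext!r}, which is not enabled")
        plugins.add(f"{ext}:{rest.split(':', 1)[0]}")
    for section in ("printer", "event"):
        for entry in conf.get(section, []):
            owner = ":".join(entry.split(":")[:2])
            if owner not in plugins:
                problems.append(f"{section} {entry!r} needs plugin {owner!r}, which is not enabled")
    if not conf.get("printer"):  # assumption of this example: events need somewhere to go
        problems.append("no printer enabled, so events would not be written anywhere")
    return problems

# Constructed sample: the detect plugin is commented out but a detect event stays enabled.
SAMPLE = """\
log-level: info
extension:
  - jibril
plugin:
  - jibril:printers
  - jibril:netpolicy:file=/etc/jibril/netpolicy.yaml
  # - jibril:detect
printer:
  - jibril:printers:varlog
event:
  - jibril:detect:sudoers_modification
"""
```

Running `check_config(SAMPLE)` reports the orphaned detect event; uncommenting the `jibril:detect` plugin line makes the sample pass cleanly.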