
Full Example Configuration

Copy and paste this as your default initial configuration file.

Secure the Configuration

Remember to always secure the configuration file.

bash
# Make the agent configuration readable by root only: it may hold the
# Garnet API token and LLM API keys.
sudo chown root:root /etc/jibril/config.yaml
sudo chmod 0600 /etc/jibril/config.yaml

It can contain secrets such as the API token or LLM API keys.

Complete Configuration

yaml
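#### jibril standalone config file.
#
# This file may hold secrets (the Garnet API token, LLM API keys).
# Keep it owned by root with mode 0600 and out of version control.

run-time:
  log-level: info  # debug, info, warn, error, fatal, panic, none, quiet, trace
  health: true  # enable health check endpoint (:6060/health)
  # NOTE(review): the health check opens an HTTP listener on :6060; the bind
  # address is not stated here — confirm it is not reachable from untrusted
  # networks before enabling on exposed hosts.
  cardinal: true  # enable cardinal filters (skips some well known os resources)
  stdout: stdout  # stdout file (stdout, stderr, or a file path)
  stderr: stderr  # stderr file (stdout, stderr, or a file path)
  # api:
  #   # Register and get a token at https://dashboard.garnet.ai/.
  #   # The token is a credential: treat this file as sensitive once it is set.
  #   token: your-token-here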

#### cadences.

# how often each pattern detector runs.
# https://jibril.garnet.ai/config/cadences/
# NOTE(review): the unit of these values is not stated here — check the
# linked documentation before tuning them.

cadences:
  file-access: 9  # file access patterns.
  network-peers: 9  # network peer patterns.
  network-flows: 9  # network flow patterns.
  env-vars: 9  # environment variable patterns.

#### caches.

# sizes of the kernel maps and of the in-memory caches for os resources.
# https://jibril.garnet.ai/config/caches/
# NOTE(review): whether these are entry counts or another unit is not stated
# here — check the linked documentation before resizing.

caches:
  # task related caches.
  rec-tasks: 32
  tasks: 64
  cmds: 32
  args: 32
  # file related caches.
  files: 32
  dirs: 16
  bases: 32
  task-file: 32
  file-task: 32
  task-ref: 32
  # flow related caches.
  flows: 32
  task-flow: 32
  flow-task: 32
  flow-ref: 32

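#### functionalities.

# top-level functionalities to load; "jibril" must always be present.

functionalities:
  - jibril  # core jibril functionality (required).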

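#### features.

# features to enable; options for some of them live under feature_options.

features:
  - hold  # hold agent execution until ctrl+c (or SIGINT).
  - procfs  # enrich running tasks with procfs info at startup.
  - detect  # enable the detection feature.
  - alchemies  # use custom detection recipes (see below).
  - enricher  # enrich events with container information.
  # - attenuator  # AI-powered event and noise reduction.
  #   # NOTE(review): sends events to the LLM endpoint configured under
  #   # feature_options.attenuator (an external URL by default) — review what
  #   # data leaves the host before enabling.
  # - netpolicy  # enforce network policy using netpolicy.yaml.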

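feature_options:
  # related feature must be enabled
  netpolicy:
    # network policy to enforce when the netpolicy feature is on.
    # NOTE(review): this file drives enforcement — keep it root-owned and not
    # writable by unprivileged users.
    file: /etc/jibril/netpolicy.yaml
  # attenuator:
  #   enabled: true
  #   # events are sent to this endpoint for reduction (off-host by default).
  #   url: https://api.openai.com/v1/chat/completions
  #   port: 443
  #   model: gpt-5
  #   temp: 1
  #   mode: reason
  alchemies:
    # enable all built-in detection recipes.
    builtin:
      enabled: true
    # enable all public detection recipes.
    public:
      enabled: false
      paths:
        # path containing yaml detection recipes (so called alchemies).
        # NOTE(review): recipes loaded from here define what is detected —
        # restrict write access to this directory.
        - /etc/jibril/alchemies/public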

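#### printers.

# where detected events are written; options for each live under printer_options.

printers:
  # - void  # discards all events.
  - stdout  # writes events to standard output.
  - varlog  # writes events to a file.
  # - garnet  # sends events to Garnet dashboard.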

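printer_options:
  stdout:
    raw: false
  varlog:
    raw: true
    # NOTE(review): detection events may carry process and environment details;
    # keep this file readable by root (or the log reader) only.
    file: /var/log/jibril.out
  # only used when the garnet printer is enabled above.
  garnet:
    error_log_rate: 2m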

#### events.

# detection recipes to enable, grouped by the pattern they match on.
# an entry written as "# - name" is available but disabled; drop the
# leading "# " to enable it.
# NOTE(review): the reason each recipe is enabled or disabled by default is
# not stated here — consult the recipe documentation before changing the set.

events:
  # informational events about network policy applied.
  # - dropip
  # informational events about network flows.
  # - flow
  # detection recipes for file access patterns.
  # - file_example
  - auth_logs_tamper
  - binary_self_deletion
  - capabilities_modification
  - code_modification_through_procfs
  - core_pattern_access
  # - cpu_fingerprint
  - credentials_files_access
  - crypto_miner_files
  - environ_read_from_procfs
  # - filesystem_fingerprint
  - global_shlib_modification
  # - java_debug_lib_load
  # - java_instrument_lib_load
  # - machine_fingerprint
  # - os_fingerprint
  # - os_network_fingerprint
  # - os_status_fingerprint
  # - package_repo_config_modification
  - pam_config_modification
  # - sched_debug_access
  - shell_config_modification
  # - ssl_certificate_access
  - sudoers_modification
  # - sysrq_access
  - unprivileged_bpf_config_access
  # detection recipes for execution patterns.
  # - exec_example
  # - binary_executed_by_loader
  - code_on_the_fly
  - credentials_text_lookup
  - crypto_miner_execution
  - data_encoder_exec
  - denial_of_service_tools
  - exec_from_unusual_dir
  # - file_attribute_change
  - hidden_elf_exec
  - interpreter_shell_spawn
  - net_filecopy_tool_exec
  - net_mitm_tool_exec
  - net_scan_tool_exec
  - net_sniff_tool_exec
  - net_suspicious_tool_exec
  # - passwd_usage
  - runc_suspicious_exec
  # - webserver_exec
  - webserver_shell_exec
  # detection recipes for environment variables patterns.
  - dynamic_linker_attacks
  # detection recipes for network peers patterns.
  # - peer_example
  # - adult_domain_access
  # - algorithmic_domains
  - algorithmic_domains_light
  # - badware_domain_access
  - cloud_metadata_access
  # - dyndns_domain_access
  - fake_domain_access
  # - gambling_domain_access
  # - gambling_domain_access_light
  - general_new_domains
  # - general_new_domains_light
  # - phishing_domains
  # - phishing_domains_light
  # - piracy_domain_access
  - plaintext_communication
  # - threat_domain_access
  - threat_domain_access_light
  # - threat_domain_access_medium
  # - tracking_domain_access
  - vpnlike_domain_access