Appearance
Kubernetes Deployment
Deploy Jibril to Kubernetes using a ConfigMap and DaemonSet.
First Steps
- Check the Requirements
- Obtain your API Token
Prerequisites
- Kubernetes cluster with
kubectlconfigured - Namespace created for Jibril (default:
security)
bash
kubectl create namespace securityStep 1: Create the config.yaml file
See Configuration for more details.
yaml
#### Jibril Standalone Config File.
run-time:
log-level: info
profiler: false
health: true
metrics: false
cardinal: true
stdout: stdout
stderr: stderr
#### Cadences.
cadences:
env-vars: 6
file-access: 6
network-peers: 9
network-flows: 15
#### Caches.
caches:
rec-tasks: 32
tasks: 64
cmds: 32
args: 32
files: 32
dirs: 16
bases: 32
task-file: 32
file-task: 32
task-ref: 32
flows: 32
task-flow: 32
flow-task: 32
flow-ref: 32
#### Functionalities.
functionalities:
- jibril
#### Features.
features:
- hold
- procfs
- detect
- enricher
- netpolicy
feature_options:
netpolicy:
file: /etc/jibril/netpolicy.yaml
github:
detect:
attenuator:
enabled: true
url: https://api.openai.com/v1/chat/completions
port: 443
model: gpt-4o
temp: 0.3
mode: amend
alchemies:
builtin:
enabled: true
public:
enabled: false
paths:
- /etc/jibril/alchemies/public
#### Printers.
printers:
- stdout
- varlog
printer_options:
stdout:
raw: false
varlog:
raw: true
file: /var/log/jibril.out
garnet:
error_log_rate: 2m
#### Events.
events:
# Informational events about network policy applied.
- dropip
# Informational events about network flows.
# - flow
# Detection recipes for file access patterns.
# - file_example
- auth_logs_tamper
- binary_self_deletion
- capabilities_modification
- code_modification_through_procfs
- core_pattern_access
# - cpu_fingerprint
- credentials_files_access
- crypto_miner_files
- environ_read_from_procfs
# - filesystem_fingerprint
- global_shlib_modification
- java_debug_lib_load
- java_instrument_lib_load
# - machine_fingerprint
# - os_fingerprint
# - os_network_fingerprint
# - os_status_fingerprint
- package_repo_config_modification
- pam_config_modification
- sched_debug_access
- shell_config_modification
- ssl_certificate_access
- sudoers_modification
- sysrq_access
- unprivileged_bpf_config_access
# Detection recipes for execution patterns.
# - exec_example
- binary_executed_by_loader
- code_on_the_fly
- credentials_text_lookup
- crypto_miner_execution
- data_encoder_exec
- denial_of_service_tools
- exec_from_unusual_dir
- file_attribute_change
- hidden_elf_exec
- interpreter_shell_spawn
- net_filecopy_tool_exec
- net_mitm_tool_exec
- net_scan_tool_exec
- net_sniff_tool_exec
- net_suspicious_tool_exec
- passwd_usage
- runc_suspicious_exec
- webserver_exec
- webserver_shell_exec
# Detection recipes for environment variables patterns.
- dynamic_linker_attacks
# Detection recipes for network peers patterns.
# - peer_example
- adult_domain_access
# - algorithmic_domains
- algorithmic_domains_light
- badware_domain_access
- cloud_metadata_access
- dyndns_domain_access
- fake_domain_access
# - gambling_domain_access
- gambling_domain_access_light
# - general_new_domains
- general_new_domains_light
# - phishing_domains
- phishing_domains_light
- piracy_domain_access
- plaintext_communication
# - threat_domain_access
- threat_domain_access_light
# - threat_domain_access_medium
- tracking_domain_access
- vpnlike_domain_accessStep 2: Create the netpolicy.yaml file
See Network Policy for more details.
yaml
# Network policy settings.
network_policy:
# Policy: use "allow" or "deny".
policy: allow
# Allow rules: CIDRs, IPs or domains to always allow.
allow:
- 127.0.0.0/8
- ::1/128
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 8.8.8.8/32
- 8.8.4.4/32
- 1.1.1.1/32
- google.com
# Deny rules: CIDRs, IPs or domains to always deny.
deny:
- 2.2.2.2
- 3.3.3.3/32
- example.com
- uol.com.brStep 3: Create the ConfigMap
bash
kubectl create configmap jibril-config \
--from-file=config.yaml \
--from-file=netpolicy.yaml \
--namespace=securityStep 4: Deploy the DaemonSet
Save the following as jibril-daemonset.yaml:
yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: jibril
namespace: security
labels:
app: jibril
component: security-agent
spec:
selector:
matchLabels:
app: jibril
template:
metadata:
labels:
app: jibril
component: security-agent
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
hostIPC: true
containers:
- name: jibril
image: garnetlabs/jibril:v2.9.1
imagePullPolicy: Always
securityContext:
privileged: true
capabilities:
add:
- SYS_ADMIN
- NET_ADMIN
- SYS_PTRACE
- SYS_RESOURCE
runAsUser: 0
resources:
requests:
memory: "512Mi"
cpu: "500m"
limits:
memory: "1024Mi"
cpu: "2000m"
env:
- name: GOGC
value: "20"
- name: LOG_LEVEL
value: "info"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: bpffs
mountPath: /sys/fs/bpf
- name: debugfs
mountPath: /sys/kernel/debug
- name: sysfs
mountPath: /sys
readOnly: true
- name: procfs
mountPath: /proc
readOnly: true
- name: log-volume
mountPath: /var/log/jibril
- name: jibril-config
mountPath: /etc/jibril
command:
- "/bin/sh"
- "-c"
- |
ulimit -l unlimited
rm -f /sys/fs/bpf/jb_*
mkdir -p /var/log/jibril
exec /usr/bin/jibril --config /etc/jibril/config.yaml
volumes:
- name: bpffs
hostPath:
path: /sys/fs/bpf
type: Directory
- name: debugfs
hostPath:
path: /sys/kernel/debug
type: Directory
- name: sysfs
hostPath:
path: /sys
type: Directory
- name: procfs
hostPath:
path: /proc
type: Directory
- name: log-volume
hostPath:
path: /var/log/jibril
type: DirectoryOrCreate
- name: jibril-config
configMap:
name: jibril-configApply the DaemonSet
bash
kubectl apply -f jibril-daemonset.yamlVerify the Deployment
Check pod status:
bash
kubectl get pods -n security -l app=jibrilView logs
bash
kubectl logs -n security -l app=jibril --tail=100Cleanup
bash
kubectl delete daemonset jibril -n security
kubectl delete configmap jibril-config -n security