# Configuration File

Customize Jibril's behavior through its YAML configuration file. Control logging, performance, detection rules, and output options.
## Default Location

```
/etc/jibril/config.yaml
```

Created automatically during installation, or you can create it manually.
## Quick Start

### Create Configuration

```bash
# Create config directory
sudo mkdir -p /etc/jibril

# Create configuration file
sudo vi /etc/jibril/config.yaml
```

### Validate Configuration

```bash
# Test with config file
sudo jibril --config /etc/jibril/config.yaml

# Check for errors (systemd)
sudo journalctl -u jibril -n 50
```
## Configuration Structure

### Run-time Settings
- Log level configuration
- Profiler options
- Health check settings
- Output destinations

### Cadence Configuration
- Detection evaluation intervals
- Pattern matching frequency
- Performance tuning

### Cache Configuration
- Memory allocation
- Resource optimization
- Detection accuracy tuning
## Run-time Settings

Control Jibril's basic operational behavior:

```yaml
run-time:
  log-level: simple  # Possible values: quiet, fatal, error, warn, info, simple, debug
  profiler: false    # Enable performance profiling (pprof)
  health: true       # Enable health check endpoint (/health)
  metrics: false     # Enable metrics collection
  cardinal: true     # Enable cardinal filters (skips known OS resources)
  stdout: stdout     # stdout destination (stdout, stderr, or file path)
  stderr: stderr     # stderr destination (stdout, stderr, or file path)
```
### Log Levels

Available logging verbosity levels:

- `quiet` - Suppress most output
- `fatal` - Only fatal errors
- `error` - Errors only
- `warn` - Warnings and errors
- `info` - Informational messages
- `simple` - Similar to `info`, without timestamps and location info
- `debug` - Detailed debugging information
### Profiler & Metrics

Performance and monitoring options:

- `profiler` - Performance profiling via pprof (for analyzing resource usage)
- `metrics` - Enable metric collection for monitoring systems
- `health` - Health check endpoint at `/health` (for orchestration tools like Kubernetes)
### Cardinal Filters

Noise reduction for known system resources:

- `cardinal: true` - Skips monitoring of well-known OS resources to reduce noise
- `cardinal: false` - Monitor everything (may generate more events)

Recommended: Enabled (`true`) for production environments.

Cardinal filters work like the arbitraries in detection recipes, but apply globally. They will be customizable in the near future.
## Cadences

Cadences control how frequently Jibril evaluates behavioral patterns. Lower values = more frequent checks = higher CPU usage.

```yaml
cadences:
  file-access: 9     # File system pattern evaluation (seconds)
  network-peers: 9   # Network peer pattern evaluation
  network-flows: 9   # Network flow pattern evaluation
  env-vars: 9        # Environment variable pattern evaluation
```

Learn more: see the Cadence Configuration Guide for detailed tuning options.
## Caches

Caches store transient data about tasks, files, and network flows. Larger caches reduce missed detections but consume more memory.

```yaml
caches:
  # Task-related caches
  rec-tasks: 32    # Recent tasks
  tasks: 64        # Active tasks
  cmds: 32         # Command lines
  args: 32         # Command arguments
  # File-related caches
  files: 32        # Accessed files
  dirs: 8          # Accessed directories
  bases: 16        # Base paths
  task-file: 512   # Task-to-file mapping
  file-task: 512   # File-to-task mapping
  task-ref: 512    # Task references
  # Network flow caches
  flows: 128       # Network flows
  task-flow: 128   # Task-to-flow mapping
  flow-task: 128   # Flow-to-task mapping
  flow-ref: 128    # Flow references
```

Learn more: see Cache Configuration for sizing recommendations.
## Features & Functionalities

Jibril uses a modular architecture with features and functionalities:

```yaml
#### Functionalities (Core Extensions)
functionalities:
  - jibril         # Core jibril functionality (required)
  # - tests        # Test functionality

#### Features (Components)
features:
  - hold           # Hold execution until ctrl+c or SIGINT
  - procfs         # Read procfs during startup
  - detect         # Built-in detection recipes
  # - netpolicy    # Network policy enforcement
  # - alchemies    # Custom detection recipes
  # - attenuator   # AI-powered event analysis
```
### Core Features

- `hold` - Keeps Jibril running until terminated
- `procfs` - Reads process information at startup
- `detect` - Enables built-in detection recipes

### Optional Features

- `netpolicy` - Network traffic control
- `alchemies` - Custom YAML-based recipes
- `attenuator` - LLM-powered analysis
### Feature Options

Some features require additional configuration:

```yaml
feature_options:
  netpolicy:
    # The file path to the network policy configuration file.
    file: /etc/jibril/netpolicy.yaml
  attenuator:
    enabled: true
    # The URL of the AI service.
    url: https://api.openai.com/v1/chat/completions
    # The port of the AI service.
    port: 443
    # The model of the AI service.
    model: gpt-4o
    # The temperature of the AI service.
    temp: 0.3
    # The mode of the AI service.
    # Possible values: amend (default), reason, block
    mode: amend
  alchemies:
    builtin:
      # Whether to enable the builtin alchemies.
      enabled: true
    public:
      # Whether to enable external alchemies.
      enabled: false
      # The paths to the external alchemies.
      paths:
        - /etc/jibril/alchemies/public
```
## Printers

Configure output destinations for detection events:

```yaml
printers:
  - stdout       # Standard output
  - varlog       # File output
  # - void       # Discard (testing only)
  # - garnet     # Garnet cloud platform

printer_options:
  stdout:
    raw: false                  # false = JSON, true = raw text
  varlog:
    raw: true                   # Output format
    file: /var/log/jibril.out   # Output file path
  garnet:
    error_log_rate: 2m          # Error logging rate limit
```
### Stdout Printer

Prints events to standard output (captured by Docker/systemd).

Options:

- `raw: false` - JSON format (default, machine-readable)
- `raw: true` - JSON-like human-readable text format

Best for: Docker containers, systemd services, container orchestration platforms.

### Varlog Printer

Writes events to a file on disk.

Options:

- `file` - Output file path (e.g., `/var/log/jibril.out`)
- `raw` - Output format (`true` for text, `false` for JSON)

Best for: Persistent logging, file-based log collectors, custom log rotation.

### Garnet Printer

Sends events to the Garnet cloud platform for centralized analysis.

Options:

- `error_log_rate` - Rate limit for error logs (e.g., `2m` for 2 minutes)

Best for: Cloud-based security monitoring, centralized threat intelligence.

This feature is managed by Garnet Security.
## Detection Events

Enable specific detection recipes by listing them in the `events` section:

```yaml
events:
  # Informational events about network policy applied.
  - dropip
  # Informational events about network flows.
  - flow
  # Detection recipes for file access patterns.
  - file_example
  - auth_logs_tamper
  - binary_self_deletion
  - capabilities_modification
  - code_modification_through_procfs
  - core_pattern_access
  - cpu_fingerprint
  - credentials_files_access
  - crypto_miner_files
  - environ_read_from_procfs
  - filesystem_fingerprint
  - global_shlib_modification
  - java_debug_lib_load
  - java_instrument_lib_load
  - machine_fingerprint
  - os_fingerprint
  - os_network_fingerprint
  - os_status_fingerprint
  - package_repo_config_modification
  - pam_config_modification
  - sched_debug_access
  - shell_config_modification
  - ssl_certificate_access
  - sudoers_modification
  - sysrq_access
  - unprivileged_bpf_config_access
  # Detection recipes for execution patterns.
  - exec_example
  - binary_executed_by_loader
  - code_on_the_fly
  - credentials_text_lookup
  - crypto_miner_execution
  - data_encoder_exec
  - denial_of_service_tools
  - exec_from_unusual_dir
  - file_attribute_change
  - hidden_elf_exec
  - interpreter_shell_spawn
  - net_filecopy_tool_exec
  - net_mitm_tool_exec
  - net_scan_tool_exec
  - net_sniff_tool_exec
  - net_suspicious_tool_exec
  - passwd_usage
  - runc_suspicious_exec
  - webserver_exec
  - webserver_shell_exec
  # Detection recipes for environment variables patterns.
  - dynamic_linker_attacks
  # Detection recipes for network peers patterns.
  - peer_example
  - adult_domain_access
  # - algorithmic_domains
  - algorithmic_domains_light
  - badware_domain_access
  - cloud_metadata_access
  - dyndns_domain_access
  - fake_domain_access
  # - gambling_domain_access
  - gambling_domain_access_light
  # - general_new_domains
  - general_new_domains_light
  # - phishing_domains
  - phishing_domains_light
  - piracy_domain_access
  - plaintext_communication
  # - threat_domain_access
  - threat_domain_access_light
  # - threat_domain_access_medium
  - tracking_domain_access
  - vpnlike_domain_access
```

Tip: Many detection recipes have both "light" and full versions. Light versions use smaller domain lists and consume less memory. Start with light versions and enable full versions only if needed.

See all detections: Detection Reference
### Event Options

Some events support additional configuration:

```yaml
event_options:
  file_example:
    # Options for file_example event
  exec_example:
    # Options for exec_example event
  peer_example:
    # Options for peer_example event
```
## Full Example Configuration

The complete standalone.yaml configuration:

```yaml
#### Jibril Standalone Config File
run-time:
  log-level: simple
  profiler: false
  health: true
  metrics: false
  cardinal: true
  stdout: stdout
  stderr: stderr

#### Cadences
cadences:
  file-access: 3
  network-peers: 3
  network-flows: 3
  env-vars: 3

#### Caches
caches:
  rec-tasks: 32
  tasks: 64
  cmds: 32
  args: 32
  files: 32
  dirs: 16
  bases: 32
  task-file: 32
  file-task: 32
  task-ref: 32
  flows: 32
  task-flow: 32
  flow-task: 32
  flow-ref: 32

#### Functionalities
functionalities:
  - jibril

#### Features
features:
  - hold
  - procfs
  - netpolicy
  - detect

feature_options:
  netpolicy:
    file: /etc/jibril/netpolicy.yaml
  detect:
    attenuator:
      enabled: true
      url: https://api.openai.com/v1/chat/completions
      port: 443
      model: gpt-4o
      temp: 0.3
      mode: amend
    alchemies:
      builtin:
        enabled: true
      private:
        enabled: false
        paths:
          - /etc/jibril/alchemies/private
      public:
        enabled: false
        paths:
          - /etc/jibril/alchemies/public

#### Printers
printers:
  - stdout
  - varlog

printer_options:
  stdout:
    raw: false
  varlog:
    raw: true
    file: /var/log/jibril.out

#### Events
events:
  - dropip
  - file_example
  - auth_logs_tamper
  - binary_self_deletion
  - capabilities_modification
  - credentials_files_access
  - pam_config_modification
  - shell_config_modification
  - sudoers_modification
  - exec_example
  - binary_executed_by_loader
  - code_on_the_fly
  - crypto_miner_execution
  - hidden_elf_exec
  - webserver_exec
  - webserver_shell_exec
  - dynamic_linker_attacks
  - peer_example
  - algorithmic_domains_light
  - cloud_metadata_access
  - plaintext_communication
  - threat_domain_access_light
  - phishing_domains_light

event_options:
  file_example:
  exec_example:
  peer_example:
```

Network Policy: For network traffic control, see the Network Policy Configuration guide.
## Best Practices

### Recommended

- Start with the default config
- Enable only the detections you need
- Monitor resource usage
- Test changes in non-production
- Back up the config before updates
- Document customizations

### Common Pitfalls

- Enabling all detections on production
- Setting cadences too low (< 9 seconds)
- One CPU pegged at 100% in a busy loop: increase the cadences
- Using debug logs in production
- Insufficient cache sizes for the workload
- Ignoring resource warnings
- Not validating after changes
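The pitfalls above and the run-time, cadence, printer and events sections earlier on this page amount to a checklist that can be run before restarting the daemon. The following script is an added example, not Jibril project code: it takes a config that has already been parsed into a dict (the `load_config` helper assumes PyYAML is installed, but the two embedded sample configs are constructed here so the checks run without it), and reports the mistakes this page names: an unknown or `debug` log level, cadences below 9 seconds, non-positive cache sizes, a missing required `jibril` functionality, events listed without the `detect` feature, a `varlog` printer without a `file`, and a recipe enabled in both its full and `_light` form. The ERROR/WARN labels and the rule that `varlog` needs `file` are this example's own conventions drawn from the page text.

```python
"""Sanity checker for a parsed Jibril config.yaml (added example, not project code)."""

LOG_LEVELS = {"quiet", "fatal", "error", "warn", "info", "simple", "debug"}
CADENCE_KEYS = ("file-access", "network-peers", "network-flows", "env-vars")
MIN_CADENCE = 9  # the page lists cadences below 9 seconds as a pitfall
# Assumption from the printer docs: varlog is only useful with an output file path.
PRINTER_REQUIRED_OPTS = {"varlog": ("file",)}


def check_config(cfg: dict) -> list:
    """Return 'SEVERITY: message' findings for cfg; an empty list means it passed."""
    findings = []

    level = (cfg.get("run-time") or {}).get("log-level")
    if level not in LOG_LEVELS:
        findings.append(f"ERROR: run-time.log-level '{level}' is not one of {sorted(LOG_LEVELS)}")
    elif level == "debug":
        findings.append("WARN: run-time.log-level 'debug' is not recommended in production")

    cadences = cfg.get("cadences") or {}
    for key in CADENCE_KEYS:
        val = cadences.get(key)
        if not isinstance(val, int) or val <= 0:
            findings.append(f"ERROR: cadences.{key} must be a positive number of seconds")
        elif val < MIN_CADENCE:
            findings.append(f"WARN: cadences.{key}={val} is below {MIN_CADENCE}s and raises CPU usage")

    for key, size in (cfg.get("caches") or {}).items():
        if not isinstance(size, int) or size <= 0:
            findings.append(f"ERROR: caches.{key} must be a positive integer")

    if "jibril" not in (cfg.get("functionalities") or []):
        findings.append("ERROR: functionalities must include 'jibril' (required)")

    events = cfg.get("events") or []
    if events and "detect" not in (cfg.get("features") or []):
        findings.append("WARN: events are listed but the 'detect' feature is not enabled")

    popts = cfg.get("printer_options") or {}
    for printer in cfg.get("printers") or []:
        for opt in PRINTER_REQUIRED_OPTS.get(printer, ()):
            if opt not in (popts.get(printer) or {}):
                findings.append(f"ERROR: printer '{printer}' is enabled but "
                                f"printer_options.{printer}.{opt} is missing")

    # Full and light variants both enabled: the light one adds nothing but memory.
    enabled = set(events)
    for ev in sorted(enabled):
        if ev.endswith("_light") and ev[:-6] in enabled:
            findings.append(f"WARN: both '{ev[:-6]}' and '{ev}' are enabled; the light variant is redundant")
    return findings


def load_config(path: str) -> dict:
    """Parse a config.yaml from disk. Assumes PyYAML is available; not needed for the samples."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample: a trimmed version of the standalone example on this page.
GOOD_CONFIG = {
    "run-time": {"log-level": "simple", "profiler": False, "health": True,
                 "metrics": False, "cardinal": True, "stdout": "stdout", "stderr": "stderr"},
    "cadences": {"file-access": 9, "network-peers": 9, "network-flows": 9, "env-vars": 9},
    "caches": {"rec-tasks": 32, "tasks": 64, "files": 32, "flows": 128},
    "functionalities": ["jibril"],
    "features": ["hold", "procfs", "detect"],
    "printers": ["stdout", "varlog"],
    "printer_options": {"stdout": {"raw": False},
                        "varlog": {"raw": True, "file": "/var/log/jibril.out"}},
    "events": ["auth_logs_tamper", "sudoers_modification", "algorithmic_domains_light"],
}

# Constructed sample that trips every check once.
BAD_CONFIG = {
    "run-time": {"log-level": "verbose"},
    "cadences": {"file-access": 1, "network-peers": 9, "network-flows": 9, "env-vars": 9},
    "caches": {"tasks": 0},
    "functionalities": ["jibril"],
    "features": ["hold", "procfs"],
    "printers": ["varlog"],
    "printer_options": {"varlog": {"raw": True}},
    "events": ["algorithmic_domains", "algorithmic_domains_light"],
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"[{name}] {len(check_config(cfg))} finding(s)")
        for line in check_config(cfg):
            print("  " + line)
```

Run it against a real file with `check_config(load_config("/etc/jibril/config.yaml"))` before `systemctl restart jibril`; treat any ERROR as a reason not to restart, and review WARN lines against the expected CPU and memory budget of the host.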
## Applying Configuration Changes

### Binary/Command Line

```bash
# Restart with new config
sudo killall jibril
sudo jibril --config /etc/jibril/config.yaml
```

### Systemd Service

```bash
# Restart service
sudo systemctl restart jibril

# View logs
sudo journalctl -u jibril -f
```

### Docker Container

```bash
# Restart container
docker restart jibril

# View logs
docker logs -f jibril
```

Changes to alchemies do not require a restart.