-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocumented-example.yaml
More file actions
185 lines (170 loc) · 7.45 KB
/
documented-example.yaml
File metadata and controls
185 lines (170 loc) · 7.45 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
---
# Two basic modes are supported: audit and scanner.
#
# Audit mode is recommended: it sets audit rules to the kernel and keep a
# netlink connection open so that as soon as a rule is matched the process can
# be moved to a control group. This mode supports detection of running
# applications by path, writing or reading specific files (or directories).
# This mode consumes few resources, since program is just listening.
#
# Scanner mode only works for 'execute' actions. The running processes will be
# scanned every second, and matches, if any, will be distributed on groups.
# Scanning is more expensive than listening to a netlink socket. This mode is
# recommended for those scenarios where audit rules are locked by administrator
# (once locked, they cannot be unlocked without rebooting the machine), or the
# Linux kernel is ancient and does not support multicast for Netlink.
#
# Notice that scanner mode does not work for triggering action neither detecting
# writes/reads.
#
# Default is audit
mode: audit
audit:
# There are three audit modes (meaningless in scanner mode) that dictates how
# to setup the audit rules in the kernel: override, preserve and reuse
#
# * When override is used, program will delete any existing rules and leave
# only the ones configured
#
# * When preserve is used, program will add its rules over whatever rule
# already configured. This is useful for coexisting with auditd. However,
# if a lot of rule rewriting rules is done, old rules are not removed. and
# that can lead to surprises.
#
# * When reuse is used, no rules will be set up. The use case if for those
# scenarios where you want to configure the rules in separate runs of this
# program (one run to configure rules, other to run as daemon)
mode: override
logging:
# File name where logs will be written
file: /tmp/fetter.log
# Standard error levels available. Debug shows interesting info and it is not
# too verbose.
level: info
# This is the name of the cgroup path used by application (all cgroups created
# by this program will belong to it). Default is 'fetter'; there is no reason
# to change it other than doing experiments or using several fetter applications
# in parallel.
name: fetter
# These are the rules. By default there is none; the ones below are just
# examples.
rules:
# Following rule will use a cgroup named browser for firefox and chromium.
# Notice that you need to know the name of the firefox executable (if in
# doubt, you can figure it out by doing `ls -l /proc/PID/exe` to know the
# path, and 'ps -u | grep firefox' to know the PID).
#
# You can use directory names here: all executables in that directory
# (recursively) will be covered by the rule.
#
# Name of the rule (browsers, in this example) is arbitrary and does not need
# to match with cgroups or triggers names
browsers:
paths:
- /usr/lib/firefox/firefox
- /usr/lib/chromium-browser/chromium-browser
# Supported actions are execute (the most useful one: the process executing
# a file will be moved to a control group), read, and write.
action: execute
# Name of the group should match one of the groups defined in their section.
group: browsers
ides:
paths: [/usr/bin/emacs]
action: execute
group: work
audit:
paths: [/usr/bin/sudo]
action: execute
# Whenever sudo is executed (from a shell or any other process), trigger
# 'send-mail' (defined in trigger sections) will be executed.
trigger: send-mail
deaths:
paths: [/my/forbidden/file]
action: write
# KILL is not a real trigger, but a way to say to fetter: kill whatever
# process doing that action. In this case, whenever a process writes to the
# file in path, process will be instantly killed
trigger: KILL
freezes:
# This is an example where a process reading a file will be frozen in place by
# the operating system (group honeypot has "freeze: true"). Process execution
# will not continue, and it cannot be killed unless removed from cgroup, or
# cgroup is manually thawed. This will allow you to detect what processes
# read/write to a file and examine them.
paths: [/my/secret/password]
action: read
group: honeypot
# These control groups will be created by the application, with the limits
# specified for any of them. By default there is none; the ones below are just
# examples.
#
# Note that while it is safe to cap CPU to any application, capping pids and or
# RAM might make those applications malfunction. That would depend on how the
# applications manage error codes of operations that are denied by operating
# system. Those operations would be the ones related to asking more RAM we
# allow them to use, or trying to spawn more children. Think of a browser that
# uses a process-per-tab approach: if we cap processes to 20, the tab 21st would
# fail to display correctly
groups:
browsers:
# Max RAM, in Mbs, that all the processes in the group together can use.
ram: 2000
# Max number of processes that can be spawned simultaneously by processes in
# the group. A process spawned by a process of a group will remain in the
# group.
pids: 30
# Max CPU %-age that processes in the group will be able to use. For
# instance, if you want to make sure your massively heavy parallel local
# compilations do not make your UI unusable, you can create a group for
# 'make' with a CPU limit. Note that values above 100 make no sense since
# %-age refers to all available CPU cores. So, if you have 4 CPUs, a 25%
# will allow a control group to use 100% of one of the cores (you would keep
# 75% of your processing power for other activities).
cpu: 75
# Default is false. true means that the group is a freezer: processes
# cannot continue execution or be killed by their owners (unless they are
# root and familiar with the freeze subsystem). Use of this feature is to
# allow to detect and examine processes that do some action. Use with
# caution.
freeze: false
# Default is false. true means that instead of moving the process to a
# cgroup the process will be killed. It is a way of making sure (or
# enforcing) some actions are never done. Use with caution.
kill: false
work:
ram: 3000
pids: 50
cpu: 80
email:
ram: 1000
pids: 5
cpu: 40
music:
ram: 500
pids: 5
cpu: 40
# This example has unlimited ram, as it is not specified
shell:
cpu: 85
pids: 100
# Example of a group to freeze processes
honeypot:
freeze: true
# These are the trigger actions. By default there is none; the one below are
# just an example.
triggers:
# This is the name used in the rules section
send-mail:
# This is the tool that will be executed, in background, when rule is
# triggered. Results will be logged.
run: /opt/utils/send-mail.sh
# These are the arguments for tools above. The tool can find additional
# info about the process that triggered the action by looking at the
# environment variables the type 'FETTER_X'. For example, FETTER_PID will
# have the pid of the process that triggered the action. See docs to see
# the values of X supported.
args: ['audit@mycompany.org', 'cto@mycompany.org']
# By default, the process defined by trigger will be ran as user nobody,
# since it has little privileges. If you want to use any other user,
# including root, this would be the place to declare that.
user: nobody