Configuration
owLSM has a single config file which controls every aspect of its behavior.
See How to generate a config in the repo.
Full Configuration Structure
```json
{
  "features": {
    "file_monitoring": {
      "enabled": true,
      "events": {
        "chmod": true,
        "chown": true,
        "file_create": true,
        "unlink": true,
        "rename": true,
        "write": true,
        "read": true,
        "mkdir": true,
        "rmdir": true
      }
    },
    "network_monitoring": {
      "enabled": true
    }
  },
  "userspace": {
    "max_events_queue_size": 10000,
    "output_type": "JSON",
    "log_level": "LOG_LEVEL_INFO",
    "set_limits": true
  },
  "kernel": {
    "log_level": "LOG_LEVEL_WARNING"
  },
  "rules": [ ... ]
}
```

The `read` event is shown enabled here only for completeness; due to the high volume of read syscalls, we advise disabling it.
Configuration Reference
features
Control what security features are enabled.
The following features are always enabled: exec monitoring, fork monitoring, and process exit monitoring.
features.file_monitoring
Controls file system monitoring. When enabled, owLSM hooks into file operations and can detect/prevent malicious file access.
features.file_monitoring.enabled
Master switch for file system monitoring.
features.file_monitoring.events.chmod
Monitor chmod syscall
features.file_monitoring.events.chown
Monitor chown syscall
features.file_monitoring.events.file_create
Monitor regular file creation
features.file_monitoring.events.unlink
Monitor unlink syscall (file deletion)
features.file_monitoring.events.mkdir
Monitor mkdir syscall (directory creation)
features.file_monitoring.events.rmdir
Monitor rmdir syscall (directory deletion)
features.file_monitoring.events.rename
Monitor rename syscall
features.file_monitoring.events.write
Monitor write syscall. Only for regular files and symlinks.
features.file_monitoring.events.read
Monitor read syscall. Only for regular files and symlinks.
Due to the high volume of read syscalls, we strongly advise disabling this feature.
features.network_monitoring
Controls network connection monitoring.
Currently, only TCP connections are supported.
features.network_monitoring.enabled
Enable network connection monitoring.
Currently, only TCP connections are supported.
userspace
The `userspace` section configures the userspace component of owLSM.
userspace.max_events_queue_size
Maximum events in the processing queue.
Controls the size of the event buffer. Larger values handle burst traffic better but use more memory.
userspace.output_type
Output format for events.
"PROTOBUF" will be supported in the future.
userspace.log_level
Logging verbosity for userspace.
userspace.set_limits
Set climits. Should be enabled.
kernel
The `kernel` section configures the kernel component of owLSM.
kernel.log_level
Kernel-side logging verbosity. Keep at `LOG_LEVEL_WARNING` or higher in production for performance.
rules
The `rules` array.
See How to generate a config with rules in the repo.
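As an added example (not part of owLSM itself), a small Python checker that parses a config with the structure shown above and flags the settings this reference advises against: `read` monitoring enabled, an `output_type` other than `JSON`, `set_limits` turned off, and a kernel log level below `LOG_LEVEL_WARNING`. The sample config and the INFO-below-WARNING ordering are assumptions made for the example.

```python
import json

# Known keys from the owLSM configuration reference on this page.
FILE_EVENTS = {"chmod", "chown", "file_create", "unlink", "rename",
               "write", "read", "mkdir", "rmdir"}
# Level names are from the page; INFO < WARNING ordering is an assumption.
LEVEL_RANK = {"LOG_LEVEL_INFO": 0, "LOG_LEVEL_WARNING": 1}

# Constructed sample: valid JSON, but keeps "read" on and a chatty kernel level.
SAMPLE = """{
  "features": {
    "file_monitoring": {"enabled": true, "events": {
      "chmod": true, "chown": true, "file_create": true, "unlink": true,
      "rename": true, "write": true, "read": true, "mkdir": true, "rmdir": true}},
    "network_monitoring": {"enabled": true}},
  "userspace": {"max_events_queue_size": 10000, "output_type": "JSON",
                "log_level": "LOG_LEVEL_INFO", "set_limits": true},
  "kernel": {"log_level": "LOG_LEVEL_INFO"},
  "rules": []
}"""


def check_config(text):
    """Parse an owLSM config and return a list of (severity, path, message)."""
    cfg = json.loads(text)  # fails fast on '#' comments or stray characters
    findings = []
    for key in ("features", "userspace", "kernel", "rules"):
        if key not in cfg:
            findings.append(("error", key, "missing top-level section"))
    fm = cfg.get("features", {}).get("file_monitoring", {})
    events = fm.get("events", {}) if fm.get("enabled") else {}
    for name, value in events.items():
        if name not in FILE_EVENTS or not isinstance(value, bool):
            findings.append(("error", "features.file_monitoring.events." + name,
                             "unknown event or non-boolean value"))
    if events.get("read") is True:
        findings.append(("warning", "features.file_monitoring.events.read", "high-volume read monitoring is enabled; disable unless needed"))
    us = cfg.get("userspace", {})
    if us.get("output_type") != "JSON":
        findings.append(("error", "userspace.output_type", "only JSON is supported today"))
    size = us.get("max_events_queue_size")
    if isinstance(size, bool) or not isinstance(size, int) or size <= 0:
        findings.append(("error", "userspace.max_events_queue_size", "must be a positive integer"))
    if us.get("set_limits") is not True:
        findings.append(("warning", "userspace.set_limits", "should be enabled"))
    klevel = cfg.get("kernel", {}).get("log_level")
    if LEVEL_RANK.get(klevel, 1) < 1:  # levels not listed on the page are not judged
        findings.append(("warning", "kernel.log_level", "keep at LOG_LEVEL_WARNING or higher in production"))
    return findings
```

Run `check_config(open("config.json").read())` against a real file; an empty list means nothing on this page's advice list was violated.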