Configuration
owLSM has a single config file which controls every aspect of its behavior.
See How to generate a config in the repo.
Full Configuration Structure
```json
{
  "features": {
    "file_monitoring": {
      "enabled": true,
      "events": {
        "chmod": true,
        "chown": true,
        "file_create": true,
        "unlink": true,
        "rename": true,
        "write": true,
        "read": false,
        "mkdir": true,
        "rmdir": true
      }
    },
    "shell_commands_monitoring": {
      "enabled": true
    },
    "network_monitoring": {
      "enabled": true
    },
    "anti_tampering": {
      "enabled": false,
      "events": {
        "signals": "EXCLUDE_EVENT",
        "ptrace": "EXCLUDE_EVENT"
      }
    }
  },
  "userspace": {
    "max_events_queue_size": 10000,
    "output_type": "JSON",
    "log_level": "LOG_LEVEL_INFO",
    "set_limits": true,
    "log_location": "/path/to/file.log"
  },
  "kernel": {
    "log_level": "LOG_LEVEL_WARNING"
  },
  "rules": [ ... ]
}
```
`read` is set to `false` above because of the high volume of read syscalls; we advise leaving it disabled (see `features.file_monitoring.events.read`).
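As an added illustration (not owLSM's own tooling), the following Python script checks a config file against the structure and advice in this reference: it verifies the documented keys and their types, requires an absolute `log_location`, and warns when `read` monitoring is on, `set_limits` is off, or the kernel log level is below `LOG_LEVEL_WARNING`. The log-level ordering it uses and the sample config it checks are assumptions constructed for the example.

```python
"""Validator for an owLSM config file, written against the structure documented above.
Added example, not owLSM's own code. Key names and the advice it enforces come from
this page; the log-level ordering is an assumption (only LOG_LEVEL_INFO and
LOG_LEVEL_WARNING appear on the page)."""
import json
import os
from typing import List, Tuple

# Constructed sample config: structurally complete but with several problems the
# validator should flag (relative log path, read enabled, set_limits off, kernel DEBUG).
SAMPLE_CONFIG = """
{
  "features": {
    "file_monitoring": {
      "enabled": true,
      "events": {"chmod": true, "chown": true, "file_create": true, "unlink": true,
                 "rename": true, "write": true, "read": true, "mkdir": true, "rmdir": true}
    },
    "shell_commands_monitoring": {"enabled": true},
    "network_monitoring": {"enabled": true},
    "anti_tampering": {"enabled": true,
                       "events": {"signals": "EXCLUDE_EVENT", "ptrace": "EXCLUDE_EVENT"}}
  },
  "userspace": {
    "max_events_queue_size": 10000,
    "output_type": "JSON",
    "log_level": "LOG_LEVEL_INFO",
    "set_limits": false,
    "log_location": "relative/file.log"
  },
  "kernel": {"log_level": "LOG_LEVEL_DEBUG"},
  "rules": []
}
"""

FILE_EVENTS = ("chmod", "chown", "file_create", "unlink", "rename", "write", "read", "mkdir", "rmdir")
FEATURES = ("file_monitoring", "shell_commands_monitoring", "network_monitoring", "anti_tampering")
OUTPUT_TYPES = ("JSON", "FLATBUFFERS")
# Assumed ordering, least to most severe; drives the "WARNING or higher" check.
LOG_LEVELS = ("LOG_LEVEL_DEBUG", "LOG_LEVEL_INFO", "LOG_LEVEL_WARNING", "LOG_LEVEL_ERROR")


def load_config(text: str) -> dict:
    """Parse config text as plain JSON ('#' comments are not allowed in the real file)."""
    return json.loads(text)


def validate(cfg: dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors violate the documented structure,
    warnings are the operational advice given in the reference."""
    errors: List[str] = []
    warnings: List[str] = []
    missing = [s for s in ("features", "userspace", "kernel", "rules") if s not in cfg]
    if missing:
        return [f"missing top-level section '{s}'" for s in missing], warnings

    feats = cfg["features"]
    for name in FEATURES:
        if not isinstance(feats.get(name, {}).get("enabled"), bool):
            errors.append(f"features.{name}.enabled must be a boolean")
    fm = feats.get("file_monitoring", {})
    events = fm.get("events", {})
    for ev in FILE_EVENTS:
        if not isinstance(events.get(ev), bool):
            errors.append(f"features.file_monitoring.events.{ev} must be a boolean")
    if fm.get("enabled") and events.get("read"):
        warnings.append("file_monitoring.events.read is enabled: read syscalls are very high volume")
    at = feats.get("anti_tampering", {})
    if at.get("enabled"):  # event actions only matter when the probes are attached
        for ev in ("signals", "ptrace"):
            if not isinstance(at.get("events", {}).get(ev), str):
                errors.append(f"features.anti_tampering.events.{ev} must name an action")

    us = cfg["userspace"]
    size = us.get("max_events_queue_size")
    if not (isinstance(size, int) and not isinstance(size, bool) and size > 0):
        errors.append("userspace.max_events_queue_size must be a positive integer")
    if us.get("output_type") not in OUTPUT_TYPES:
        errors.append(f"userspace.output_type must be one of {OUTPUT_TYPES}")
    if us.get("log_level") not in LOG_LEVELS:
        errors.append("userspace.log_level is not a known LOG_LEVEL_* value")
    if us.get("set_limits") is not True:
        warnings.append("userspace.set_limits should be enabled")
    loc = us.get("log_location")
    if not (isinstance(loc, str) and os.path.isabs(loc)):
        errors.append("userspace.log_location must be an absolute path")

    klevel = cfg["kernel"].get("log_level")
    if klevel not in LOG_LEVELS:
        errors.append("kernel.log_level is not a known LOG_LEVEL_* value")
    elif LOG_LEVELS.index(klevel) < LOG_LEVELS.index("LOG_LEVEL_WARNING"):
        warnings.append("kernel.log_level below LOG_LEVEL_WARNING costs performance in production")

    if not isinstance(cfg["rules"], list):
        errors.append("rules must be an array")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate(load_config(SAMPLE_CONFIG))
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run against the constructed sample it reports one error (the relative `log_location`) and three warnings; fixing those fields yields a clean report. Point `load_config` at the contents of a real config file to check it before deploying.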
Configuration Reference
features
Control what security features are enabled.
Features that are always enabled: exec monitoring, fork monitoring, and process exit monitoring.
features.file_monitoring
Controls file system monitoring. When enabled, owLSM hooks into file operations and can detect/prevent malicious file access.
features.file_monitoring.enabled
Master switch for file system monitoring.
features.file_monitoring.events.chmod
Monitor chmod syscall
features.file_monitoring.events.chown
Monitor chown syscall
features.file_monitoring.events.file_create
Monitor regular file creation
features.file_monitoring.events.unlink
Monitor unlink syscall (file deletion)
features.file_monitoring.events.mkdir
Monitor mkdir syscall (directory creation)
features.file_monitoring.events.rmdir
Monitor rmdir syscall (directory deletion)
features.file_monitoring.events.rename
Monitor rename syscall
features.file_monitoring.events.write
Monitor write syscall. Only for regular files and symlinks.
features.file_monitoring.events.read
Monitor read syscall. Only for regular files and symlinks.
Due to the high volume of read syscalls, we strongly advise disabling this feature.
features.shell_commands_monitoring
Monitor commands typed in interactive shell sessions (Bash, Zsh, Dash) and attach the command to the process context. This allows you to write rules that match on the shell command that initiated an operation.
features.shell_commands_monitoring.enabled
Enable shell command monitoring.
Supported shells: Bash, Zsh, Dash.
features.network_monitoring
Controls network connection monitoring.
Currently, only TCP connections are supported.
features.network_monitoring.enabled
Enable network connection monitoring.
Currently, only TCP connections are supported.
features.anti_tampering
Anti-tampering protects specified processes from being harmed by things like signals and ptrace.
Use the `-p <pid>` command line flag to specify which processes are protected. owLSM is automatically protected when the anti-tampering flags are enabled.
Protection is inherited by child processes, but only for children created after owLSM has started monitoring.
features.anti_tampering.enabled
Master switch for anti-tampering. When `false`, all the anti-tampering features are disabled, and their corresponding eBPF probes aren't attached.
features.anti_tampering.events.signals
This feature defends protected processes from signals.
- Signals that are sent to non-protected processes are ignored by owLSM.
- Signals that are sent by the kernel, from pid 0/1, or from a protected process are ignored by owLSM.
- The rest of the signals that are sent to protected processes are handled and a `SIGNAL` event is sent (the owLSM action depends on the option you specify).
The option represents the action taken when an unprotected process sends a signal to a protected process.
features.anti_tampering.events.ptrace
This feature defends protected processes from ptrace attach (write access).
- ptrace attempts without `PTRACE_MODE_ATTACH` are ignored.
- Ptrace attach attempts against non-protected processes are ignored.
- Ptrace attach attempts from the kernel, from pid 0/1, or from a protected process are ignored.
- Other ptrace attach attempts against protected processes are handled and a `PTRACE` event is emitted (the action depends on the option you specify).
The option represents the action taken when an unprotected process tries to trace a protected process.
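To make the rules for both anti-tampering events concrete, here is an added Python model (not owLSM code) that reproduces the decision order described above for signals and ptrace, including self-protection at start and protection inheritance for children forked after monitoring begins. The pid values, the use of `None` for a kernel-originated sender, and the `PTRACE_MODE_*` bit values are constructed assumptions for the example; the only action value shown is `EXCLUDE_EVENT`, as in the sample config.

```python
"""Model of the documented anti-tampering decision rules (signals and ptrace).
Added illustration, not owLSM code: it encodes the rules listed in the reference so
they can be exercised against constructed events. Pids and the PTRACE_MODE_* bit
values below are assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed bit flags standing in for the kernel's ptrace access-mode bits.
PTRACE_MODE_READ = 0x01
PTRACE_MODE_ATTACH = 0x02


@dataclass
class AntiTampering:
    enabled: bool                 # features.anti_tampering.enabled
    signals_action: str           # features.anti_tampering.events.signals
    ptrace_action: str            # features.anti_tampering.events.ptrace
    protected: Set[int] = field(default_factory=set)  # pids given with -p <pid>
    monitoring: bool = False

    def start(self, own_pid: int) -> None:
        """owLSM starts monitoring; it protects itself only when anti-tampering is on."""
        self.monitoring = True
        if self.enabled:
            self.protected.add(own_pid)

    def on_fork(self, parent: int, child: int) -> None:
        """Protection is inherited only by children created after monitoring started."""
        if self.monitoring and parent in self.protected:
            self.protected.add(child)

    def _ignored_origin(self, pid: Optional[int]) -> bool:
        # The kernel (modelled as None), pid 0/1, and protected processes are ignored.
        return pid is None or pid in (0, 1) or pid in self.protected

    def on_signal(self, sender: Optional[int], target: int) -> Optional[str]:
        """Return None when owLSM ignores the signal, else the configured SIGNAL action."""
        if not self.enabled or target not in self.protected:
            return None
        if self._ignored_origin(sender):
            return None
        return self.signals_action

    def on_ptrace(self, tracer: Optional[int], target: int, mode: int) -> Optional[str]:
        """Return None when owLSM ignores the attempt, else the configured PTRACE action."""
        if not self.enabled or not (mode & PTRACE_MODE_ATTACH):
            return None
        if target not in self.protected or self._ignored_origin(tracer):
            return None
        return self.ptrace_action


if __name__ == "__main__":
    # Constructed scenario: pid 4242 protected via -p, owLSM itself runs as pid 1000.
    at = AntiTampering(True, "EXCLUDE_EVENT", "EXCLUDE_EVENT", {4242})
    at.on_fork(4242, 4300)        # forked before monitoring started: not inherited
    at.start(1000)
    at.on_fork(4242, 4301)        # forked after: inherited
    print("protected:", sorted(at.protected))
    print("signal 7777 -> 4242:", at.on_signal(7777, 4242))
    print("signal init -> 4242:", at.on_signal(1, 4242))
    print("ptrace read 7777 -> 4242:", at.on_ptrace(7777, 4242, PTRACE_MODE_READ))
    print("ptrace attach 7777 -> 4242:", at.on_ptrace(7777, 4242, PTRACE_MODE_ATTACH))
```

The ordering of the checks matches the bullets above: the cheap "is the target protected" test comes first, then the exempt senders, and only the remaining cases produce an event whose handling is whatever option is configured.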
userspace
The `userspace` section configures the userspace component of owLSM.
userspace.max_events_queue_size
Maximum events in the processing queue.
Controls the size of the event buffer. Larger values handle burst traffic better but use more memory.
userspace.output_type
Output format for events and errors.
- `"JSON"`: newline-delimited JSON (one JSON object per line). Human-readable.
- `"FLATBUFFERS"`: size-prefixed FlatBuffers binary. See FlatBuffers output for stream format and schema details.
userspace.log_level
Logging verbosity for userspace.
userspace.set_limits
Set rlimits (process resource limits). Should be enabled.
userspace.log_location
owLSM log file absolute path.
kernel
The `kernel` section configures the kernel component of owLSM.
kernel.log_level
Kernel-side logging verbosity. Keep at `LOG_LEVEL_WARNING` or higher in production for performance.
rules
The `rules` array.
See How to generate a config with rules in the repo.