|
7 | 7 |
|
8 | 8 | ### Format |
9 | 9 |
|
10 | | -Rules are stored as JSON files inside the `-rule-path` folder, in the simplest case a rule looks like this: |
| 10 | +Rules are stored as JSON files inside the `-rule-path` directory (by default `/etc/opensnitchd/rules`), in the simplest case a rule looks like this: |
11 | 11 |
|
12 | 12 | ```json |
13 | 13 | { |
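Review bot: the edited sentence is a comma splice, and the flag name `-rule-path` it hangs off is unchanged while a concrete default path is now stated next to it. Split it in two, e.g. "Rules are stored as JSON files inside the `-rule-path` directory (by default `/etc/opensnitchd/rules`). In the simplest case a rule looks like this:", and confirm the flag spelling against `opensnitchd -h` before stating the default as fact beside it.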
@@ -159,7 +159,6 @@ Example of a complex rule using the operator _list_, saved from the GUI (Note: v |
159 | 159 | "operator": { |
160 | 160 | "type": "list", |
161 | 161 | "operand": "list", |
162 | | - "data": "[{\"type\": \"simple\", \"operand\": \"dest.ip\", \"data\": \"1.1.0.1\"}, {\"type\": \"simple\", \"operand\": \"dest.port\", \"data\": \"23\"}, {\"type\": \"simple\", \"operand\": \"user.id\", \"data\": \"1000\"}, {\"type\": \"simple\", \"operand\": \"process.path\", \"data\": \"/usr/bin/telnet.netkit\"}]", |
163 | 162 | "list": [ |
164 | 163 | { |
165 | 164 | "type": "simple", |
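Review bot: removing the JSON-encoded `"data"` string leaves this list-operator example relying on the `"list"` array alone, although the removed line carried exactly the same four entries (`dest.ip` 1.1.0.1, `dest.port` 23, `user.id` 1000, `process.path` /usr/bin/telnet.netkit). Since the heading says the rule was saved from the GUI with a version note, make that note state from which version on `"data"` is no longer written for `list` operators, so a reader on an older daemon does not copy a rule that is missing the field it expects.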
@@ -206,16 +205,16 @@ Here's a rule to allow localhost connections: |
206 | 205 | { |
207 | 206 | "created": "2023-07-05T10:46:47.904024069+01:00", |
208 | 207 | "updated": "2023-07-05T10:46:47.921828104+01:00", |
209 | | - "name": "000-aallow-localhost", |
| 208 | + "name": "000-allow-localhost", |
210 | 209 | "enabled": true, |
211 | 210 | "precedence": true, |
212 | 211 | "action": "allow", |
213 | 212 | "duration": "always", |
214 | 213 | "operator": { |
215 | | - "type": "regexp", |
216 | | - "operand": "dest.ip", |
| 214 | + "type": "network", |
| 215 | + "operand": "dest.network", |
217 | 216 | "sensitive": false, |
218 | | - "data": "^(127\\.0\\.0\\.1|::1)$", |
| 217 | + "data": "127.0.0.0/8", |
219 | 218 | "list": [] |
220 | 219 | } |
221 | 220 | } |
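Review bot: switching the operator to `network`/`dest.network` with `127.0.0.0/8` narrows the rule relative to the regexp it replaces. `^(127\\.0\\.0\\.1|::1)$` also matched the IPv6 loopback address, and `::1` does not fall inside `127.0.0.0/8`, so connections to `::1` will no longer be allowed by `000-allow-localhost`. Either state in the surrounding text that the rule is IPv4-only, or make the operator a `list` of two `network` operands, `127.0.0.0/8` and `::1/128`. The rename from `000-aallow-localhost` is fine.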
@@ -267,4 +266,24 @@ If you want to restrict it further, under the `Addresses` tab you can review wha |
267 | 266 | [x] From this executable: ^(/memfd|/tmp/|/var/tmp/|/dev/shm/|/var/run|/var/lock).* |
268 | 267 | ``` |
269 | 268 |
|
| 269 | + /etc/opensnitchd/rules/000-deny-tmp.json: |
| 270 | + ``` |
| 271 | + { |
| 272 | + "created": "2025-04-26T09:58:03.704090244+02:00", |
| 273 | + "updated": "2025-04-26T09:58:03.704216578+02:00", |
| 274 | + "name": "000-deny-tmp", |
| 275 | + "enabled": true, |
| 276 | + "precedence": true, |
| 277 | + "action": "reject", |
| 278 | + "duration": "always", |
| 279 | + "operator": { |
| 280 | + "type": "regexp", |
| 281 | + "operand": "process.path", |
| 282 | + "sensitive": false, |
| 283 | + "data": "^(/var/tmp|/dev|/memfd|/tmp).*", |
| 284 | + "list": [] |
| 285 | + } |
| 286 | + } |
| 287 | + ``` |
| 288 | + |
270 | 289 | **Note** that the default policy should be deny everything unless explicitely allowed. But by creating a rule to deny specifically these directories, you can have a place where to monitor these executions. |
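Review bot: the regexp in the added rule, `^(/var/tmp|/dev|/memfd|/tmp).*`, does not match the GUI example directly above it (`^(/memfd|/tmp/|/var/tmp/|/dev/shm/|/var/run|/var/lock).*`): it drops `/var/run` and `/var/lock`, and `/dev` without the `/shm/` suffix rejects every executable under `/dev`, not only the shm tmpfs, while `/tmp` without a trailing slash also matches paths such as `/tmpfoo`. Align the two expressions, or explain in the text why the JSON form is deliberately broader. Also tag the fence as ```json like the earlier examples on this page, drop the leading indentation on the block, and fix `explicitely` in the trailing note (`explicitly`).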