diff --git a/docs/configuration/file-access-restriction/configuration.md b/docs/configuration/file-access-restriction/configuration.md
index d9a527a..48d2ee8 100644
--- a/docs/configuration/file-access-restriction/configuration.md
+++ b/docs/configuration/file-access-restriction/configuration.md
@@ -3,6 +3,7 @@
| Config | Type | Description |
|:------:|:----|:-----------:|
+| `enable` | Enum with the following possible values: `true`, `false` | Whether to enable restrictions or not. Default is `true`. |
| `mode` | Enum with the following possible values: `monitor`, `block` | If `monitor` is specified, events are only logged. If `block` is specified, network access is blocked. |
| `target` | Enum with the following possible values: `host`, `container` | Selecting `host` applies the restriction to the host-wide. Selecting `container` will apply the restriction only to containers. |
| `allow` | A list of allow file paths | |
diff --git a/docs/configuration/mount-restriction/configuration.md b/docs/configuration/mount-restriction/configuration.md
index 6455bd8..bd3fe08 100644
--- a/docs/configuration/mount-restriction/configuration.md
+++ b/docs/configuration/mount-restriction/configuration.md
@@ -3,6 +3,7 @@
| Config | Type | Description |
|:------:|:----|:-----------:|
+| `enable` | Enum with the following possible values: `true`, `false` | Whether to enable restrictions or not. Default is `true`. |
| `mode` | Enum with the following possible values: `monitor`, `block` | If `monitor` is specified, events are only logged. If `block` is specified, network access is blocked. |
| `target` | Enum with the following possible values: `host`, `container` | Selecting `host` applies the restriction to the host-wide. Selecting `container` will apply the restriction only to containers. |
| `deny` | A list of allow file paths | |
diff --git a/docs/configuration/network-restriction/configuration.md b/docs/configuration/network-restriction/configuration.md
index 2dfddaa..5a5da4e 100644
--- a/docs/configuration/network-restriction/configuration.md
+++ b/docs/configuration/network-restriction/configuration.md
@@ -2,6 +2,7 @@
| Config | Type | Description |
|:------:|:----|:-----------:|
+| `enable` | Enum with the following possible values: `true`, `false` | Whether to enable restrictions or not. Default is `true`. |
| `mode` | Enum with the following possible values: `monitor`, `block` | If `monitor` is specified, events are only logged. If `block` is specified, network access is blocked. |
| `target` | Enum with the following possible values: `host`, `container` | Selecting `host` applies the restriction to the host-wide. Selecting `container` will apply the restriction only to containers. |
| `cidr` | List containing the following sub-keys:
`allow: [cidr list]``deny: [cidr list]`| Allow or Deny CIDRs. |
diff --git a/pkg/audit/fileaccess/audit.go b/pkg/audit/fileaccess/audit.go
index 19b1d34..b36f961 100644
--- a/pkg/audit/fileaccess/audit.go
+++ b/pkg/audit/fileaccess/audit.go
@@ -55,7 +55,11 @@ func setupBPFProgram() (*libbpfgo.Module, error) {
return mod, nil
}
-func RunAudit(conf *config.Config) {
+func RunAudit(conf *config.Config) error {
+ if !conf.RestrictedFileAccessConfig.Enable {
+ return nil
+ }
+
quit := make(chan os.Signal)
signal.Notify(quit, os.Interrupt)
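Review bot: The early `return nil` when `Enable` is false leaves no record that the file-access restriction is switched off, so an operator reading the logs cannot distinguish a disabled module from one running in `monitor` mode with nothing to report. A single info-level line before the return, paired with a comment such as `// restriction disabled by config: no BPF program is loaded and nothing is enforced`, would make the disabled state visible if the project's log package exposes such a call. The same applies to the mount (`@@ -53,7 +53,11 @@`) and network (`@@ -125,7 +125,11 @@`) hunks. Note also that the signature now returns an error but no call site is updated in this diff; if callers invoke `RunAudit(conf)` as a bare statement the value is silently dropped, which is worth checking. RunAudit's body continues outside the hunk.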
@@ -96,6 +100,8 @@ func RunAudit(conf *config.Config) {
<-quit
mgr.Stop()
+
+ return nil
}
func newAuditLog(event auditLog) log.RestrictedFileAccessLog {
diff --git a/pkg/audit/fileaccess/audit_test.go b/pkg/audit/fileaccess/audit_test.go
index 8c68168..03e36c6 100644
--- a/pkg/audit/fileaccess/audit_test.go
+++ b/pkg/audit/fileaccess/audit_test.go
@@ -106,6 +106,12 @@ func TestAudit_Container(t *testing.T) {
}
}
+func TestRunAudit_Conf(t *testing.T) {
+ config := config.DefaultConfig()
+ config.RestrictedFileAccessConfig.Enable = false
+ RunAudit(config)
+}
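Review bot: The new test discards the error RunAudit now returns, unlike the sibling tests in mount and network which check it; if testify is already imported in this file as it is there, the call should read `assert.Nil(t, RunAudit(config))`. Also `config := config.DefaultConfig()` shadows the `config` package for the rest of the function, which is harmless here but breaks as soon as a second package-level call is added; `conf := config.DefaultConfig()` avoids it. The same shadowing appears in the mount (`@@ -57,6 +57,12 @@`) and network (`@@ -486,6 +487,12 @@`) test hunks.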
+
type TestAuditManager struct {
manager Manager
cmd *exec.Cmd
diff --git a/pkg/audit/mount/audit.go b/pkg/audit/mount/audit.go
index 72b52c1..dd8b846 100644
--- a/pkg/audit/mount/audit.go
+++ b/pkg/audit/mount/audit.go
@@ -53,7 +53,11 @@ func setupBPFProgram() (*libbpfgo.Module, error) {
return mod, nil
}
-func RunAudit(conf *config.Config) {
+func RunAudit(conf *config.Config) error {
+ if !conf.RestrictedMountConfig.Enable {
+ return nil
+ }
+
quit := make(chan os.Signal)
signal.Notify(quit, os.Interrupt)
@@ -94,6 +98,8 @@ func RunAudit(conf *config.Config) {
<-quit
mgr.Stop()
+
+ return nil
}
func newAuditLog(event auditLog) log.RestrictedMountLog {
diff --git a/pkg/audit/mount/audit_test.go b/pkg/audit/mount/audit_test.go
index 64ddd27..d646e04 100644
--- a/pkg/audit/mount/audit_test.go
+++ b/pkg/audit/mount/audit_test.go
@@ -57,6 +57,12 @@ func TestAudit_Mount(t *testing.T) {
assert.Nil(t, err)
}
+func TestRunAudit_Conf(t *testing.T) {
+ config := config.DefaultConfig()
+ config.RestrictedMountConfig.Enable = false
+ assert.Nil(t, RunAudit(config))
+}
+
type TestAuditManager struct {
manager Manager
cmd *exec.Cmd
diff --git a/pkg/audit/network/audit.go b/pkg/audit/network/audit.go
index 0c4551c..dec6c17 100644
--- a/pkg/audit/network/audit.go
+++ b/pkg/audit/network/audit.go
@@ -125,7 +125,11 @@ func UpdateDomainList(mgr Manager) {
}
}
-func RunAudit(conf *config.Config) {
+func RunAudit(conf *config.Config) error {
+ if !conf.RestrictedNetworkConfig.Enable {
+ return nil
+ }
+
quit := make(chan os.Signal)
signal.Notify(quit, os.Interrupt)
@@ -172,6 +176,8 @@ func RunAudit(conf *config.Config) {
<-quit
mgr.Stop()
+
+ return nil
}
func newAuditLog(header eventHeader, body detectEvent) log.RestrictedNetworkLog {
diff --git a/pkg/audit/network/audit_test.go b/pkg/audit/network/audit_test.go
index cda56b9..bb3b7e1 100644
--- a/pkg/audit/network/audit_test.go
+++ b/pkg/audit/network/audit_test.go
@@ -13,6 +13,7 @@ import (
"time"
"github.com/mrtc0/bouheki/pkg/audit/helpers"
+ "github.com/mrtc0/bouheki/pkg/config"
"github.com/stretchr/testify/assert"
)
@@ -486,6 +487,12 @@ func TestAuditContainerDoNotCaptureHostEvents(t *testing.T) {
mgr.mod.Close()
}
+func TestRunAudit_Conf(t *testing.T) {
+ config := config.DefaultConfig()
+ config.RestrictedNetworkConfig.Enable = false
+ assert.Nil(t, RunAudit(config))
+}
+
func runAuditWithOnce(configPath string, execCmd []string, eventsChannel chan []byte) TestAuditManager {
config := loadFixtureConfig(configPath)
mgr := createManager(config, &SpyIntegrationDNSResolver{})
diff --git a/pkg/config/config.go b/pkg/config/config.go
index fcffefe..d2e56e4 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -7,6 +7,7 @@ import (
)
type RestrictedNetworkConfig struct {
+ Enable bool
Mode string `yaml:"mode"`
Target string `yaml:"target"`
Command CommandConfig `yaml:"command"`
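Review bot: `Enable bool` is the only field in the struct without a `yaml` tag; if the loader is go-yaml the lowercased field name happens to match the documented `enable` key, but an explicit `Enable bool \`yaml:"enable"\`` keeps the mapping stated rather than implied and consistent with its neighbours. The same applies to the RestrictedFileAccessConfig (`@@ -17,6 +18,7 @@`) and RestrictedMountConfig (`@@ -24,6 +26,7 @@`) hunks. Because the zero value of a bool is false, any code path that builds one of these structs without going through DefaultConfig() ends up with the restriction disabled, so the field merits a comment such as `// Enable turns the restriction on; DefaultConfig sets it to true, a zero-value struct leaves it off.` The struct definition continues outside the hunk.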
@@ -17,6 +18,7 @@ type RestrictedNetworkConfig struct {
}
type RestrictedFileAccessConfig struct {
+ Enable bool
Mode string `yaml:"mode"`
Target string `yaml:"target"`
Allow []string `yaml:"allow"`
@@ -24,6 +26,7 @@ type RestrictedFileAccessConfig struct {
}
type RestrictedMountConfig struct {
+ Enable bool
Mode string `yaml:"mode"`
Target string `yaml:"target"`
DenySourcePath []string `yaml:"deny"`
@@ -72,6 +75,7 @@ type Config struct {
func DefaultConfig() *Config {
return &Config{
RestrictedNetworkConfig: RestrictedNetworkConfig{
+ Enable: true,
Mode: "monitor",
Target: "host",
Command: CommandConfig{Allow: []string{}, Deny: []string{}},
@@ -81,12 +85,14 @@ func DefaultConfig() *Config {
GID: GIDConfig{Allow: []uint{}, Deny: []uint{}},
},
RestrictedFileAccessConfig: RestrictedFileAccessConfig{
+ Enable: true,
Mode: "monitor",
Target: "host",
Allow: []string{"/"},
Deny: []string{},
},
RestrictedMountConfig: RestrictedMountConfig{
+ Enable: true,
Mode: "monitor",
Target: "host",
DenySourcePath: []string{},