Configuration Files

After you successfully install Quantum IoT Nano Agent on the IoT device, it is enabled by default and starts automatically when the system boots.

The Nano Agent has these configuration files:

  • Nano Agent configuration file:

    • cp-nano-orchestration-conf.json

    File path - /etc/cp/conf/

  • Workload Protection (WLP) configuration file:

    • wlp.conf

    File path - /etc/cp/workloadProtection/

Important - Contact your Check Point representative before making changes to the Nano Agent configuration file.

Nano Agent Configuration File

The main configuration file in the Nano Agent is cp-nano-orchestration-conf.json. This file uses the JSON format and contains modifications to the default configuration.

To change the configuration to include comma delimiters between JSON log records:

  1. Connect to the command line interface on the IoT device.

  2. Edit the configuration file cp-nano-orchestration-conf.json and add the following JSON object under Logging:

     "Log file line separator": [
         {
             "value": ","
         }
     ],

  3. Restart the Nano Agent processes with these commands:

     $ cpnano -q

     Check Point Nano Agent stopped successfully

     $ cpnano -r

     Check Point Nano Agent watchdog started successfully

Workload Protection (WLP) Configuration File

The main configuration file is wlp.conf.

This file uses INI format and contains the configuration flags.

To change the configuration:

  1. Connect to the command line interface on the IoT device.

  2. Edit the wlp.conf configuration file.

The table below lists the key configuration flags:

  Category | Flag                 | Type                                 | Default Value                       | Description
  ---------|----------------------|--------------------------------------|-------------------------------------|------------
  General  | AMSHOOKS             | Boolean                              | False                               | True - Enable the CFI hooks; False - Disable the CFI hooks
  General  | DELAYED_INIT_SECONDS | Float                                | 2                                   | Sleep period at init before hardening starts.
  Features | RELRO                | Boolean                              | True                                | True - Enable the Import Table Protection; False - Disable the Import Table Protection
  Features | CFI_SNIPPETS_ERROR   | Multiple Choice: EXIT, REBOOT, SKIP  | EXIT                                | Fail behavior if CFI fails to initialize due to insufficient memory for trampolines: EXIT - exits the faulty process; REBOOT - calls the reboot command to reboot the device; SKIP - continues the execution
  Features | PREVENTION           | Boolean                              | False                               | True - Protection in prevent mode; False - Protection in detect mode
  Logging  | FOLDER               | String                               | /var/log                            | Path to the directory with internal logs for the Workload Protection
  Logging  | OFFLINE              | Boolean                              | False                               | True - Disable the Nano Agent logs; False - Enable the Nano Agent logs
  Plugins  | GLOBAL_ENABLE        | Boolean                              | True                                | True - When injecting WLP into a process, do not check whether the hashfile for the process exists; False - When injecting WLP into a process, only allow the injection if the process's corresponding hashfile is found under /etc/cp/workloadProtection/hashes/
  Plugins  | PLUGINS              | String                               | antisi3, filemon, sshd, memtrack2   | Comma-separated list of plugins: filemon - File Monitor; antisi3 - Anti-Shell Injection; sshd - SSH login Protection; memtrack2 - Dynamic Memory Protection
  Plugins  | PATH                 | String                               | /usr/lib/                           | Path to the directory with the plugin files (libwlp-plugin-*.so)
  Hashes   | PATH                 | String                               | /etc/cp/workloadProtection/hashes/  | Path to the CFI hash files
  Debug    | SILENT               | Boolean                              | True                                | True - Disable the debug prints to stderr / log file; False - Enable the debug prints to stderr / log file
  Debug    | LEVEL                | Integer (1-4)                        | 3                                   | Log level: 1 - Verbose ELF hooking; 2 - Clean ELF hooking data; 3 - CFI runtime prints; 4 - CFI startup hooking prints

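The following Python script is an added example, not Check Point's code, that parses a wlp.conf and audits it against the table above: it overlays the file on the documented defaults, rejects values of the wrong type or outside the documented choices, and flags valid settings that leave the device less protected (detect-only mode, no hashfile check before injection, CFI hooks off, logs off). It assumes that the INI section names match the table's Category column and that booleans are written as True/False; the sample configuration is constructed for the example.

```python
import configparser

# Documented defaults from the wlp.conf table. The section names are assumed
# to match the table's "Category" column; the real file layout may differ.
DEFAULTS = {
    "General": {"AMSHOOKS": "False", "DELAYED_INIT_SECONDS": "2"},
    "Features": {"RELRO": "True", "CFI_SNIPPETS_ERROR": "EXIT", "PREVENTION": "False"},
    "Logging": {"FOLDER": "/var/log", "OFFLINE": "False"},
    "Plugins": {
        "GLOBAL_ENABLE": "True",
        "PLUGINS": "antisi3, filemon, sshd, memtrack2",
        "PATH": "/usr/lib/",
    },
    "Hashes": {"PATH": "/etc/cp/workloadProtection/hashes/"},
    "Debug": {"SILENT": "True", "LEVEL": "3"},
}

BOOLEAN_FLAGS = {
    ("General", "AMSHOOKS"), ("Features", "RELRO"), ("Features", "PREVENTION"),
    ("Logging", "OFFLINE"), ("Plugins", "GLOBAL_ENABLE"), ("Debug", "SILENT"),
}
FAIL_MODES = {"EXIT", "REBOOT", "SKIP"}
KNOWN_PLUGINS = {"filemon", "antisi3", "sshd", "memtrack2"}

# Constructed sample, not a real device configuration.
SAMPLE_WLP_CONF = """\
[General]
AMSHOOKS = True

[Features]
PREVENTION = True
CFI_SNIPPETS_ERROR = IGNORE

[Plugins]
GLOBAL_ENABLE = False
PLUGINS = antisi3, filemon, bogus

[Debug]
LEVEL = 7
"""


def load_wlp_conf(text):
    """Parse INI text and overlay it on the documented defaults."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep flag names upper-case as documented
    parser.read_string(text)
    cfg = {section: dict(flags) for section, flags in DEFAULTS.items()}
    for section in parser.sections():
        cfg.setdefault(section, {}).update(parser[section])
    return cfg


def audit_wlp_conf(cfg):
    """Return (severity, message) findings: "error" for values the table does
    not allow, "warn" for allowed values that weaken protection."""
    findings = []
    for section, flag in BOOLEAN_FLAGS:
        value = cfg[section][flag]
        if value not in ("True", "False"):
            findings.append(("error", f"{section}.{flag} must be True or False, got {value!r}"))
    try:
        float(cfg["General"]["DELAYED_INIT_SECONDS"])
    except ValueError:
        findings.append(("error", "General.DELAYED_INIT_SECONDS must be a float"))
    mode = cfg["Features"]["CFI_SNIPPETS_ERROR"]
    if mode not in FAIL_MODES:
        findings.append(("error", f"Features.CFI_SNIPPETS_ERROR must be one of {sorted(FAIL_MODES)}, got {mode!r}"))
    level = cfg["Debug"]["LEVEL"]
    if not (level.isdigit() and 1 <= int(level) <= 4):
        findings.append(("error", f"Debug.LEVEL must be an integer 1-4, got {level!r}"))
    for plugin in (p.strip() for p in cfg["Plugins"]["PLUGINS"].split(",")):
        if plugin and plugin not in KNOWN_PLUGINS:
            findings.append(("error", f"Plugins.PLUGINS lists unknown plugin {plugin!r}"))

    # Posture checks: values the table allows but that reduce protection.
    if cfg["Features"]["PREVENTION"] == "False":
        findings.append(("warn", "PREVENTION=False: protection runs in detect mode, not prevent mode"))
    if cfg["Plugins"]["GLOBAL_ENABLE"] == "True":
        findings.append(("warn", "GLOBAL_ENABLE=True: WLP is injected without checking that the process's hashfile exists"))
    if cfg["General"]["AMSHOOKS"] == "False":
        findings.append(("warn", "AMSHOOKS=False: CFI hooks are disabled"))
    if cfg["Features"]["RELRO"] == "False":
        findings.append(("warn", "RELRO=False: Import Table Protection is disabled"))
    if cfg["Logging"]["OFFLINE"] == "True":
        findings.append(("warn", "OFFLINE=True: Nano Agent logs are disabled"))
    if mode == "SKIP":
        findings.append(("warn", "CFI_SNIPPETS_ERROR=SKIP: execution continues after CFI failed to initialize"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_wlp_conf(load_wlp_conf(SAMPLE_WLP_CONF)):
        print(f"[{severity}] {message}")
```

Run it against the shipped defaults (an empty file) and the only output is the three posture warnings for PREVENTION, GLOBAL_ENABLE and AMSHOOKS, which is a quick way to see what a default install does and does not enforce before changing flags.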

Allow-List and Block-List Files

The main directory with the configuration files has these two sub-directories:

  • filemon for File Monitor

  • antisi for Anti-Shell Injection / Remote Code Execution

Each of these sub-directories contains two files:

  • whitelist file - Configures the protection plugins to allow files.

  • blacklist file - Configures the protection plugins to deny files.

In each of these files, you configure a path to a file (one path per line). Each file supports wildcards (*).

For example, to allow all files to be written in the /tmp/ directory on the IoT device, add this path in the whitelist file inside the sub-directory: /tmp/*.

You can also use the whitelist/blacklist files with filemon to protect writing to non-executable files, as described below:

  File Type           | Action
  --------------------|-----------------------------------------------------------
  Executable file     | Block by default; to allow it, write it in the whitelist file
  Non-executable file | Allow by default; to block it, write it in the blacklist file

If you get the following messages in {BASEDIR}/var/log/wlp_log.txt, indicating invalid permissions or unauthorized access, you can add the file path mentioned in those messages to the filemon whitelist:

[FILEMON] Invalid permission set to file [Filename]

[FILEMON] Unauthorized access to file [Filename]
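As an added example (not part of the Check Point documentation or product), the Python below models the allow/block rules from the two sections above and triages the two filemon messages: it decides whether filemon would block a write given the file type and the list contents, and it extracts the paths from wlp_log.txt messages that are not yet covered by the whitelist, so you can review them before adding anything. It assumes "*" matches like a shell glob (fnmatch, which also matches across "/") and that the path replaces [Filename] inside the brackets of the message; the list contents and log lines are constructed samples.

```python
import fnmatch
import re

# Constructed sample list contents (one path per line, "*" wildcards).
# Whether the plugin's "*" also crosses "/" is an assumption; fnmatch's does.
WHITELIST = """\
/tmp/*
/usr/local/bin/backup.sh
"""
BLACKLIST = """\
/etc/shadow
/data/config/*.conf
"""

# Constructed sample of wlp_log.txt lines. The path standing in for
# [Filename] is assumed to appear inside the brackets.
SAMPLE_LOG = """\
[FILEMON] Invalid permission set to file [/opt/app/bin/updater]
[FILEMON] Unauthorized access to file [/tmp/cache/session.bin]
[FILEMON] Unauthorized access to file [/data/config/db.conf]
[FILEMON] Invalid permission set to file [/opt/app/bin/updater]
some unrelated log line
"""

FILEMON_MSG = re.compile(
    r"^\[FILEMON\] (?:Invalid permission set to file|Unauthorized access to file) "
    r"\[(?P<path>[^\]]+)\]"
)


def load_list(text):
    """Read a whitelist/blacklist body: one path pattern per line, blanks ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def matches(path, patterns):
    """True if any pattern in the list matches the path (case-sensitive glob)."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns)


def filemon_decision(path, is_executable, whitelist, blacklist):
    """Apply the File Type / Action table: executables are blocked unless
    whitelisted, non-executables are allowed unless blacklisted."""
    if is_executable:
        return "allow" if matches(path, whitelist) else "block"
    return "block" if matches(path, blacklist) else "allow"


def paths_to_review(log_text, whitelist):
    """Paths named in filemon messages that the whitelist does not already
    cover, in first-seen order without duplicates."""
    seen = []
    for line in log_text.splitlines():
        m = FILEMON_MSG.match(line)
        if m is None:
            continue
        path = m.group("path")
        if path not in seen and not matches(path, whitelist):
            seen.append(path)
    return seen


if __name__ == "__main__":
    wl, bl = load_list(WHITELIST), load_list(BLACKLIST)
    for path, is_exe in [("/tmp/run.sh", True), ("/opt/app/bin/updater", True),
                         ("/data/config/db.conf", False), ("/var/tmp/notes.txt", False)]:
        print(f"{path}: {filemon_decision(path, is_exe, wl, bl)}")
    print("candidates for the filemon whitelist:", paths_to_review(SAMPLE_LOG, wl))
```

Because "*" in a pattern such as /tmp/* matches every path below that directory, review each candidate the script reports rather than pasting it in as a broad wildcard; a whitelist entry for an executable turns a block into an allow for everything it matches.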

Global Switch File (killswitch)

The Global Switch file, also called the killswitch, is a unique file located in the directory with the configuration files. You can use this file to kill any process the Nano Agent runs on the IoT device. This file globally enables or disables all Workload Protection plugins and Control Flow Integrity (CFI).

  • To activate the kill switch and completely disable Workload Protection (after reboot), run:

    echo 2 > /etc/cp/workloadProtection/killswitch

    The system displays this log message:

    Workload Protection Zero-Day Protection :: Cyber Protection Disabled. You must restart your system for changes to be applied successfully.

    After the reboot, the Nano Agent stops running on the device.

  • To activate the killswitch (to disable all Workload Protection plugins and CFI), run:

    echo 1 > /etc/cp/workloadProtection/killswitch

  • To deactivate the killswitch (to enable all Workload Protection plugins and CFI again), run:

    echo 0 > /etc/cp/workloadProtection/killswitch