Configuration
Stephen edited this page Feb 27, 2026 · 1 revision
All LABYRINTH layers are configured via labyrinth.yaml. Copy the example config and customize:
```bash
cp configs/labyrinth.example.yaml labyrinth.yaml
```

```yaml
# ─── Layer 0: BEDROCK ──────────────────────────────────────────
layer0:
  encryption:
    algorithm: AES-256-GCM            # Encryption algorithm for forensic data
    key_source: vault                 # vault | env | file
  network:
    honeypot_vlan: 100                # VLAN ID for portal trap network
    production_route: deny            # deny = no route to production
  proxy:
    validate_scope_on_startup: true   # Validate proxy scope before starting
    fail_mode: closed                 # closed = refuse to start on failure
  retention:
    credentials_days: 7               # Days to retain captured credentials
    fingerprints_days: 90             # Days to retain agent fingerprints
    decision_logs: indefinite         # Retention for operational logs

# ─── Layer 1: THRESHOLD ────────────────────────────────────────
layer1:
  honeypot_services:
    - type: ssh                       # Service type
      port: 22                        # Internal port
      template: ubuntu-22.04-staged   # Container template
    - type: http
      port: 8080
      template: nginx-vulnerable
  container:
    runtime: docker                   # docker | podman
    network_mode: bridge              # Container network mode
    egress_proxy: true                # Route egress through L4 proxy

# ─── Layer 2: MINOTAUR ─────────────────────────────────────────
layer2:
  adaptive: true                      # Enable adaptive contradiction selection
  contradiction_density: medium       # low (3) | medium (6) | high (10)
  max_container_depth: 5              # Maximum nested container depth

# ─── Layer 3: BLINDFOLD ────────────────────────────────────────
layer3:
  activation: on_escalation           # on_connect | on_escalation | manual
  corruption_method: bashrc_payload   # Corruption delivery method

# ─── Layer 4: PUPPETEER ────────────────────────────────────────
layer4:
  mode: auto                          # auto | manual (Burp-style intercept)
  default_swap: passive               # passive | extract | double_agent
  log_original_prompts: true          # Capture original prompts to forensics

# ─── SIEM Integration (Optional) ───────────────────────────────
siem:
  enabled: true                                 # Enable SIEM event push
  endpoint: https://siem.internal/api/events    # SIEM endpoint URL
  alert_prefix: LABYRINTH                       # Prefix for SIEM alerts
```

Layer 0: BEDROCK (`layer0`)

| Key | Type | Default | Description |
|---|---|---|---|
| `encryption.algorithm` | string | `AES-256-GCM` | Encryption algorithm |
| `encryption.key_source` | string | `vault` | Key source: `vault`, `env`, `file` |
| `network.honeypot_vlan` | int | `100` | VLAN ID |
| `network.production_route` | string | `deny` | Route to production |
| `proxy.validate_scope_on_startup` | bool | `true` | Validate scope on start |
| `proxy.fail_mode` | string | `closed` | Fail mode: `closed`, `open` |
| `retention.credentials_days` | int | `7` | Credential retention (days) |
| `retention.fingerprints_days` | int | `90` | Fingerprint retention (days) |
| `retention.decision_logs` | string | `indefinite` | Decision log retention |

Layer 1: THRESHOLD (`layer1`)

| Key | Type | Default | Description |
|---|---|---|---|
| `honeypot_services[].type` | string | — | Service type: `ssh`, `http` |
| `honeypot_services[].port` | int | — | Internal port number |
| `honeypot_services[].template` | string | — | Container template name |
| `container.runtime` | string | `docker` | Container runtime: `docker`, `podman` |
| `container.network_mode` | string | `bridge` | Network mode |
| `container.egress_proxy` | bool | `true` | Route egress through proxy |

Layer 2: MINOTAUR (`layer2`)

| Key | Type | Default | Description |
|---|---|---|---|
| `adaptive` | bool | `true` | Enable adaptive contradiction selection |
| `contradiction_density` | string | `medium` | Density: `low` (3), `medium` (6), `high` (10) |
| `max_container_depth` | int | `5` | Maximum nested containers |

Layer 3: BLINDFOLD (`layer3`)

| Key | Type | Default | Description |
|---|---|---|---|
| `activation` | string | `on_escalation` | Trigger: `on_connect`, `on_escalation`, `manual` |
| `corruption_method` | string | `bashrc_payload` | Corruption delivery method |

Layer 4: PUPPETEER (`layer4`)

| Key | Type | Default | Description |
|---|---|---|---|
| `mode` | string | `auto` | Intercept mode: `auto`, `manual` |
| `default_swap` | string | `passive` | Swap mode: `passive`, `extract`, `double_agent` |
| `log_original_prompts` | bool | `true` | Log original prompts |

SIEM Integration (`siem`)

| Key | Type | Default | Description |
|---|---|---|---|
| `enabled` | bool | `false` | Enable SIEM integration |
| `endpoint` | string | — | SIEM API endpoint URL |
| `alert_prefix` | string | `LABYRINTH` | Alert prefix string |

The CLI looks for labyrinth.yaml in the project root directory. The Go config parser (cli/internal/config/config.go) uses gopkg.in/yaml.v3 for parsing.
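
A pre-start audit of the containment settings, as an added example (not the project's own code): it takes a config already decoded with gopkg.in/yaml.v3 into the hypothetical `Config` struct below and reports every setting that differs from the example file's `deny` / `closed` / `true` values. The struct, the `Audit` function and the `https://` check on the SIEM endpoint are assumptions of this example; keys missing from the file decode to Go zero values and are reported too.

```go
package main

import (
	"fmt"
	"strings"
)

// Config mirrors a subset of labyrinth.yaml (hypothetical types, not the project's).
type Config struct {
	Layer0 struct {
		Network struct {
			ProductionRoute string `yaml:"production_route"`
		} `yaml:"network"`
		Proxy struct {
			ValidateScope bool   `yaml:"validate_scope_on_startup"`
			FailMode      string `yaml:"fail_mode"`
		} `yaml:"proxy"`
	} `yaml:"layer0"`
	Layer1 struct {
		Container struct {
			EgressProxy bool `yaml:"egress_proxy"`
		} `yaml:"container"`
	} `yaml:"layer1"`
	SIEM struct {
		Enabled  bool   `yaml:"enabled"`
		Endpoint string `yaml:"endpoint"`
	} `yaml:"siem"`
}

// Audit lists each setting that departs from the example config's containment values.
func Audit(c Config) []string {
	var out []string
	check := func(ok bool, msg string) {
		if !ok {
			out = append(out, msg)
		}
	}
	check(c.Layer0.Network.ProductionRoute == "deny", "layer0.network.production_route is not deny")
	check(c.Layer0.Proxy.FailMode == "closed", "layer0.proxy.fail_mode is not closed")
	check(c.Layer0.Proxy.ValidateScope, "layer0.proxy.validate_scope_on_startup is false")
	check(c.Layer1.Container.EgressProxy, "layer1.container.egress_proxy is false")
	check(!c.SIEM.Enabled || strings.HasPrefix(c.SIEM.Endpoint, "https://"), "siem.endpoint is not https")
	return out
}

func main() {
	var c Config // constructed input: zero values stand in for an empty file
	fmt.Println(strings.Join(Audit(c), "\n"))
}
```
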
- Layer-0-BEDROCK — Foundation layer details
- Deployment-Topology — How config affects deployment
- Forensics-and-API — SIEM integration details