Default Preferences
From v2.9.0 of DiscrimiNAT, certain behavioural preferences can be set at global level per deployment. These are defined in JSON format in an SSM Parameter named DiscrimiNAT (case-sensitive) and the default value if not defined or not accessible is:
{
"%default": {
"wildcard_exposure": "prohibit_public_suffix",
"flow_log_verbosity": "full",
"see_thru": null,
"x509_crls": "ignore"
}
}
Preferences you wish to leave at defaults can be excluded. Also, any additional JSON keys will simply be ignored.
Preferences are refreshed once every five minutes from the SSM Parameter.
Preferences​
wildcard_exposure​
Generally, ? represents one character match exactly which isn't a ., and * matches any number of characters except ..
Options​
none: no wildcard characters such as ? or * are allowed at all
prohibit_asterisk: ? is allowed; * is not allowed
prohibit_public_suffix: ? is allowed; * is allowed as long as the possibility of resulting domain names are not publicly registrable (aka Effective TLDs). For example, *.github.com is okay but *.github.io is not. Another example would be *.cloudflare.net being effectively public. This is determined using Mozilla's Public Suffix List (PSL) bundled into DiscrimiNAT. The version of the PSL bundled will be in the Release Notes and will be updated with every release.
If a wildcard pattern is not accepted because it could have led to a Public Suffix List match, a config log message like the following will be emitted:
{addr: "*.github.io", cat: "addr", outcome: "publicsuffix[.]org list matched with `github.io`"}
nuclear: ? is allowed; * is allowed with no public suffix list safeguard
Default​
prohibit_public_suffix
flow_log_verbosity​
This setting only impacts the flow logs. config logs verbosity and behaviour will not be affected.
Options​
full: all allowed and disallowed flows for both the client requests and the server responses are logged in the flow logs
only_disallowed: only disallowed flows will be logged
none: no logs at all
Default​
full
see_thru​
The see_thru non-blocking, monitoring mode can be enabled for an entire deployment rather than per Security Group from this level. This is only the default and does not override a see-thru mode defined at a more granular level – even if the one the granular level may have expired.
See see-thru mode docs for understanding this non-blocking, monitoring mode in detail.
Options​
yyyy-mm-dd formatted date
null to not enable see_thru at the default level. null value to be specified without quotes or this top-level key can be left out completely.
Default​
null
x509_crls​
Options​
auto_allow: Automatically allow plaintext HTTP CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted.
ignore: Do not allow CRL Endpoints automatically.
Default​
ignore
Examples​
It may be useful to turn on the non-blocking, monitoring see_thru mode on until a specified date on a new deployment of DiscrimiNAT. This would ensure apps continue to work while data is captured for building an allowlist from eventually:
{"%default":{"see_thru":"2025-02-19"}}
Ultimately, when allowlists are built and enforced, you may want to turn off flow logs for allowed connections, saving on logging costs:
{"%default":{"flow_log_verbosity":"only_disallowed"}}
To also enable automatic allowing of X509 CRL Endpoints:
{"%default":{"flow_log_verbosity":"only_disallowed","x509_crls":"auto_allow"}}
System​
System-level preferences are passed directly to VM instance creation, are stored as files on the operating system disk, and are only read on start.
These are placed within the instance because they represent critical customer choices that must be respected whether external APIs are accessible or not and the right IAM permissions on the profile are assigned or not.
BYOL​
A licence key supplied by Chaser Support if using the BYOL version from AWS Marketplace. The pay as you go version does not require this.
The value can be passed to the byol variable in our Terraform modules and CloudFormation templates. The contents are Base64 decoded and written to the path /etc/chaser/licence-key.der.
ASHR​
Automated System Health Reporting.
10 minutes after boot and then at around 0200 UTC every day, each instance of DiscrimiNAT collects its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and uploads it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.
Access to this information is immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also get to learn about how users are interacting with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.
We understand if certain environments within your deployment would rather not have this turned on. To disable it, a file at the path /etc/chaser/disable_automated-system-health-reporting should exist.
This can be achieved by setting the ashr variable to false in our Terraform modules.