The Security Engine is SkyOps’ always-on watcher. Every file that lands on the host — uploads, git clones, package installs — is scanned before the app can read it.

Subsystems

  • YARA rules — signature-based detection. Ships with 400+ rules from the open-source YARA-Rules community, plus SkyOps’ own curated set for common webshells.
  • Signature feeds — daily-refreshed hash lists of known-bad files.
  • Real-time watcher — inotify-driven scans on any write under a watched path.
  • Upload gateway — every HTTP upload through the engine’s reverse proxy lands in a sandbox volume first; released only after the scan clears.
  • Quarantine — anything flagged moves to /var/skyops/quarantine/ with its metadata preserved for forensic review.

Flags

Everything is off by default. The master switch is security.engine_enabled in the engine dashboard. Individual subsystems (YARA, upload gateway, real-time watcher) flip independently, so you can roll out gradually.

Tuning

  • Allowlist — hosts or paths the watcher should skip (e.g. /var/skyops/backups where the engine itself writes).
  • Quarantine retention — default 30 days; configurable.
  • Scan concurrency — default 2 workers; raise on beefier boxes.
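To make the scan, quarantine and tuning behaviour above concrete, here is an added example that is not SkyOps' own code. It mirrors the pipeline in miniature: a constructed known-bad SHA-256 set stands in for the signature feeds, a couple of byte patterns stand in for YARA rules, a polling directory walk stands in for the inotify watcher (so the example runs on any OS), an allowlist of path prefixes is honoured, flagged files are moved to a quarantine directory with a JSON metadata sidecar, and a retention purge enforces the 30-day default. The EICAR test string is used as the "known-bad" sample; every path, rule name and counter key is an assumption for the demonstration.

```python
"""Added example (not SkyOps code): scan, quarantine and retention in miniature."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample data. EICAR is the industry-standard harmless test file;
# the marker string is invented here so a "rule" hit can be demonstrated.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest()}   # stand-in for hash feeds
PATTERN_RULES = {"skyops_test_marker": b"SKYOPS-TEST-MARKER"}  # stand-in for YARA


def sha256_of(path: Path) -> str:
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_allowlisted(path: Path, allowlist: list) -> bool:
    """True when the file sits under any allowlisted prefix (e.g. a backups dir)."""
    return any(path.is_relative_to(prefix) for prefix in allowlist)


def scan_file(path: Path) -> list:
    """Return detection labels; an empty list means the file is clean."""
    hits = []
    if sha256_of(path) in KNOWN_BAD_SHA256:
        hits.append("feed:sha256")
    data = path.read_bytes()  # fine for a demo; a real engine would stream here too
    hits.extend(f"rule:{name}" for name, pat in PATTERN_RULES.items() if pat in data)
    return hits


def quarantine(path: Path, hits: list, qdir: Path) -> Path:
    """Move a flagged file into qdir and record its metadata in a JSON sidecar."""
    qdir.mkdir(parents=True, exist_ok=True)
    st, digest = path.stat(), sha256_of(path)
    dest = qdir / f"{digest[:12]}-{path.name}"
    meta = {"original_path": str(path), "sha256": digest, "size": st.st_size,
            "mtime": st.st_mtime, "mode": oct(st.st_mode), "detections": hits,
            "quarantined_at": time.time()}
    shutil.move(str(path), dest)
    (dest.parent / (dest.name + ".json")).write_text(json.dumps(meta, indent=2))
    return dest


def sweep(watched: Path, qdir: Path, allowlist: list) -> dict:
    """One polling pass over `watched` (stand-in for the inotify watcher).
    The quarantine dir is implicitly allowlisted so hits are not rescanned."""
    stats = {"scanned": 0, "skipped": 0, "quarantined": 0, "rule_hits": {}}
    for p in sorted(watched.rglob("*")):
        if not p.is_file():
            continue
        if is_allowlisted(p, list(allowlist) + [qdir]):
            stats["skipped"] += 1
            continue
        stats["scanned"] += 1
        hits = scan_file(p)
        for h in hits:
            stats["rule_hits"][h] = stats["rule_hits"].get(h, 0) + 1
        if hits:
            quarantine(p, hits, qdir)
            stats["quarantined"] += 1
    return stats


def purge_expired(qdir: Path, retention_days: int = 30, now=None) -> int:
    """Delete quarantined payloads and sidecars older than the retention window."""
    now = time.time() if now is None else now
    removed = 0
    for sidecar in qdir.glob("*.json"):
        meta = json.loads(sidecar.read_text())
        if now - meta["quarantined_at"] > retention_days * 86400:
            (sidecar.parent / sidecar.name[:-len(".json")]).unlink(missing_ok=True)
            sidecar.unlink()
            removed += 1
    return removed


def demo() -> dict:
    """Build a throwaway tree: one clean file, one EICAR file, one pattern hit,
    and one EICAR copy under an allowlisted backups dir; then sweep and purge."""
    root = Path(tempfile.mkdtemp(prefix="skyops-demo-"))
    watched, qdir, backups = root / "uploads", root / "quarantine", root / "uploads" / "backups"
    backups.mkdir(parents=True)
    (watched / "readme.txt").write_bytes(b"just a normal file\n")
    (watched / "eicar.com").write_bytes(EICAR)
    (watched / "note.txt").write_bytes(b"header\nSKYOPS-TEST-MARKER\n")
    (backups / "engine.bak").write_bytes(EICAR)  # allowlisted: must be skipped
    stats = sweep(watched, qdir, allowlist=[backups])
    stats["remaining"] = sorted(p.name for p in watched.iterdir())
    stats["purged_now"] = purge_expired(qdir, 30)
    stats["quarantine_entries"] = len(list(qdir.iterdir()))
    stats["purged_after_31_days"] = purge_expired(qdir, 30, now=time.time() + 31 * 86400)
    return stats


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the counters make visible: the allowlisted copy of EICAR is never scanned (which is exactly why the engine's own write locations belong on the allowlist), and the quarantine directory is excluded from the sweep so a flagged file is not re-flagged and re-moved on the next pass.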

Metrics

Exposed at /api/security/metrics (engine-local) and surfaced on the Security Engine tab of your dashboard:

  • Files scanned per second.
  • Quarantine queue depth.
  • YARA rule-hit counters.
  • Upload gateway release vs block ratio.

See the operator runbook for incident response and rule-update workflow.