Skip to main content

Automated Responses in the Capsule8 Console

  • Updated

Overview

"Response Actions" are capabilities of Capsule8 to automatically respond to a triggered detection. Different detections support different capabilities; for example, it's not possible to quarantine a process or kill a file.

The available response actions are:

  • Delete a file
  • Quarantine a file
  • Kill a container (Unsafe)
  • Kill a process (Unsafe)
  • Stop a process (Unsafe)
  • Alert (Default)
  • Audit

Detailed information is available here.

Limitations

There is a duration measured in milliseconds between triggering a detection and applying response actions. Processes that execute very quickly may terminate before Capsule8 completes the response actions. This means that kill and stop actions may be attempted after a process has already exited; and that delete and quarantine actions may be performed after a process has already read bytes of a file.

Unsafe response actions

Capsule8 has identified a set of configurations that we have flagged as "unsafe". These include:

We consider these configurations high risk due to their significant impact if misused.  Whether due to accident or malice, a Console user could construct a Policy Set with harmful configurations and serve it to those sensors. For example:

  • A kprobe policy that hooks SSH sessions and opens a backdoor to a third party.
  • A uprobe policy that steals TLS certificates
  • A kill response policy that kills the capsule8-sensor process.

This set of functionality is disabled by default. It is available for expert users whose threat models determine that the benefits of these capabilities outweigh their risks. If in doubt, Capsule8 recommends keeping these unsafe features disabled on both your Console and Sensors.

Enabling "unsafe" features

To enable unsafe features on the Capsule8 Console, set console.allow_unsafe_features: true in the console configuration file.

To enable unsafe features on the Capsule8 Sensor, set policy_input.allow_unsafe_features: true in /etc/capsule8/capsule8-sensor.yaml.

Both Console and Sensor must have unsafe features enabled in order for an unsafe policy to be successfully applied to the Sensor.

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.