"Response Actions" are capabilities of Capsule8 to automatically respond to a triggered detection. Different detections support different capabilities; for example, it's not possible to quarantine a process or kill a file.
The available response actions are:
- Delete a file
- Quarantine a file
- Kill a container (Unsafe)
- Kill a process (Unsafe)
- Stop a process (Unsafe)
- Alert (Default)
Detailed information is available here.
There is a duration measured in milliseconds between triggering a detection and applying response actions. Processes that execute very quickly may terminate before Capsule8 completes the response actions. This means that kill and stop actions may be attempted after a process has already exited; and that delete and quarantine actions may be performed after a process has already read bytes of a file.
Unsafe response actions
Capsule8 has identified a set of configurations that we have flagged as "unsafe". These include:
- kprobe policies
- uprobe policies
- the "kill" response action.
We consider these configurations high risk due to their significant impact if misused. Whether due to accident or malice, a Console user could construct a Policy Set with harmful configurations and serve it to those sensors. For example:
- A kprobe policy that hooks SSH sessions and opens a backdoor to a third party.
- A uprobe policy that steals TLS certificates
- A kill response policy that kills the
This set of functionality is disabled by default. It is available for expert users whose threat models determine that the benefits of these capabilities outweigh their risks. If in doubt, Capsule8 recommends keeping these unsafe features disabled on both your Console and Sensors.
Enabling "unsafe" features
Both Console and Sensor must have unsafe features enabled in order for an unsafe policy to be successfully applied to the Sensor.
The configuration to enable unsafe features in your capsule8-console.yaml file is:
The configuration to enable unsafe features in your capsule8-sensor.yaml file is: