Deprecation warning: for sensor versions prior to 4.3.0, only a single response action can be specified, and this is defined with the responseAction directive. In this case, alerts are automatically created, regardless of the response action. To enable a kill response using this directive, specify responseAction: kill. This directive is deprecated and cannot be used together with the more flexible responseActions directive introduced in sensor version 4.3.0. The remainder of this article applies to the use of responseActions with sensor version 4.3.0 and above.
If you are changing the response action for one of Capsule8's detections, please refer to Adjusting default detections for instructions. If you're editing a custom policy or writing a new one, keep reading below.
A kill response action is performed by sending the SIGKILL signal to a process. This causes the process to exit immediately. The response action does not wait until the process has exited, and it does not kill any other processes the target process may have started.
The following example demonstrates this applied to a program policy:

Enforced Wget Blocklist:
  policy: program
  responseActions:
    - alert
    - kill
  alertMessage: Unauthorized execution of wget
  comments: This policy detects and kills instances of wget running
  priority: High
  enabled: true
  rules:
    - match programName == "/usr/bin/wget"
    - default ignore
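To make the semantics described above concrete (the signal is SIGKILL, the sender does not wait for the target to exit, and processes the target started are left running), here is an added Python example; it is not part of Capsule8's documentation or sensor code and uses only the standard library. kill_process sends SIGKILL and reports the outcome using the same action_* field names that appear in the sensor's alert JSON, kill_parent_leaves_child_running starts a parent process that itself starts a child, kills only the parent, and checks that the child survived, and kill_already_exited_process reproduces the "no such process" failure. The helper names, the demo process tree and the "successful" result value are constructed for this example.

```python
import os
import signal
import subprocess
import sys


def kill_process(pid):
    """Send SIGKILL to pid and describe the outcome using the action_* field
    names from the sensor alert JSON (the 'successful' value is assumed)."""
    result = {"action_type": "kill", "action_target_type": "process"}
    try:
        os.kill(pid, signal.SIGKILL)      # returns at once; nothing here waits for exit
    except ProcessLookupError:            # ESRCH: the process is already gone
        result["action_result"] = "not successful"
        result["action_result_details"] = "no such process"
    except PermissionError:               # EPERM: not allowed to signal this pid
        result["action_result"] = "not successful"
        result["action_result_details"] = "operation not permitted"
    else:
        result["action_result"] = "successful"
    return result


def is_alive(pid):
    """Signal 0 sends nothing; it only checks that the pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    return True


# Constructed parent script: start a long-running child, print its PID, then wait.
PARENT_SCRIPT = (
    "import subprocess, sys\n"
    "child = subprocess.Popen([sys.executable, '-c', 'import time; time.sleep(60)'])\n"
    "print(child.pid, flush=True)\n"
    "child.wait()\n"
)


def kill_parent_leaves_child_running():
    """Kill only the parent with SIGKILL and report whether its child survived.
    Returns (parent_exit_code, child_still_alive, action_result)."""
    parent = subprocess.Popen([sys.executable, "-c", PARENT_SCRIPT],
                              stdout=subprocess.PIPE, text=True)
    child_pid = int(parent.stdout.readline())  # child exists once its PID is printed
    action = kill_process(parent.pid)
    exit_code = parent.wait()                   # -9 on POSIX: terminated by SIGKILL
    parent.stdout.close()
    child_alive = is_alive(child_pid)           # SIGKILL did not propagate to the child
    kill_process(child_pid)                     # clean up the orphan the demo left behind
    return exit_code, child_alive, action


def kill_already_exited_process():
    """Reproduce the 'no such process' failure from the alert example: the
    target has exited and been reaped before the signal is sent."""
    proc = subprocess.Popen([sys.executable, "-c", "pass"])
    proc.wait()                                 # reaped: the PID no longer exists
    return kill_process(proc.pid)


if __name__ == "__main__":
    print(kill_parent_leaves_child_running())
    print(kill_already_exited_process())
```

Running the block on a POSIX system prints a negative exit code for the killed parent (the process was terminated by a signal rather than exiting normally), True for the surviving child, and a "no such process" result for the already-exited target, which is exactly the failure the alert below records.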
Kill responses can fail. For example, the process in question may no longer be running by the time the signal is sent to it. The following JSON is a truncated example alert for this configuration in a case where the process could not be killed:
"notifications": [
  {
    "timestamp": "2019-04-17T01:58:30.272044949-04:00",
    "name": "Enforced Wget Blocklist",
    "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
    "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blocklist\" Program Policy.",
    "message_fields": {}
  },
  {
    "timestamp": "2019-04-17T01:58:30.272044949-04:00",
    "name": "Enforced Wget Blocklist",
    "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
    "message": "unable to stop process 2745: no such process",
    "message_fields": {
      "action_type": "kill",
      "action_target_type": "process",
      "action_result": "not successful",
      "action_result_details": "no such process"
    }
  }
],
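An alert pipeline should treat a kill that failed differently from one that worked, because the target may still be running. The following added Python example, which is not from Capsule8's documentation or software, parses an alert in the shape shown above and returns the response actions that did not succeed, recovering the target PID from the message text. The sample alert is constructed for this example from the fields shown above; the second notification group and the "successful" result value are assumptions, since the page only shows the failure case.

```python
import json
import re

# Constructed sample: the failed kill from the article plus an assumed
# successful kill, so the filter has both cases to work on.
SAMPLE_ALERT = json.dumps({
    "notifications": [
        {
            "timestamp": "2019-04-17T01:58:30.272044949-04:00",
            "name": "Enforced Wget Blocklist",
            "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
            "message": "The program \"/usr/bin/wget\" was executed, which violated "
                       "the \"Enforced Wget Blocklist\" Program Policy.",
            "message_fields": {},
        },
        {
            "timestamp": "2019-04-17T01:58:30.272044949-04:00",
            "name": "Enforced Wget Blocklist",
            "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
            "message": "unable to stop process 2745: no such process",
            "message_fields": {
                "action_type": "kill",
                "action_target_type": "process",
                "action_result": "not successful",
                "action_result_details": "no such process",
            },
        },
        {   # assumed shape of a kill that worked (placeholder uuid and pid)
            "timestamp": "2019-04-17T02:03:11.000000000-04:00",
            "name": "Enforced Wget Blocklist",
            "uuid": "00000000-0000-0000-0000-000000000000",
            "message": "stopped process 3101",
            "message_fields": {
                "action_type": "kill",
                "action_target_type": "process",
                "action_result": "successful",
            },
        },
    ]
})

# The target PID only appears inside the free-text message of the failure.
PID_RE = re.compile(r"process (\d+)")


def failed_response_actions(alert_json):
    """Return one record per notification whose response action did not succeed.
    Notifications without action_* fields are the detections themselves and are skipped."""
    alert = json.loads(alert_json)
    failures = []
    for note in alert.get("notifications", []):
        fields = note.get("message_fields") or {}
        if "action_type" not in fields:
            continue                                   # detection, not an action result
        if fields.get("action_result") == "successful":
            continue
        match = PID_RE.search(note.get("message", ""))
        failures.append({
            "policy": note.get("name"),
            "uuid": note.get("uuid"),
            "action": fields.get("action_type"),
            "target_pid": int(match.group(1)) if match else None,
            "details": fields.get("action_result_details"),
            "timestamp": note.get("timestamp"),
        })
    return failures


def policies_needing_follow_up(alert_json):
    """Policy names whose kill action failed, de-duplicated, for routing to a queue."""
    return sorted({f["policy"] for f in failed_response_actions(alert_json)})


if __name__ == "__main__":
    for failure in failed_response_actions(SAMPLE_ALERT):
        print(failure)
    print(policies_needing_follow_up(SAMPLE_ALERT))
```

The uuid ties an action result back to the detection it belongs to, so a consumer can join the two notifications and decide whether the violation was contained or needs a manual check on the host.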