For the policies that support delete responses, specify responseAction: delete.
The delete response action removes the target file from the operating system entirely.
The following example demonstrates this applied to a File Policy:
File Policy Example:
policy: fileMonitor
responseAction: delete
enabled: true
alertMessage: Blocklisted File Created
comments: Example using the file policy
priority: High
rules:
- match filePath == "/etc/*"
- default ignore
timeout: 10
Deleting a file can fail. For example, the file may already have been removed from the file system by the time the Capsule8 Sensor processes the event (deletion is reactive, so there is always a short window between the file being created and the response acting on it). When this happens the violation alert is still raised, and a second notification with the same uuid reports the outcome of the response action. The following JSON is a truncated example alert for this configuration in a case where the file could not be deleted:
"notifications": [
    {
        "timestamp": "2019-04-17T20:28:55.76044691Z",
        "name": "File Policy Example",
        "uuid": "8d0cce07-6aa0-4ec0-ba8b-3e8498907f79",
        "message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", which violated the \"File Policy Example\" File Policy. The delete response action was not successful.",
        "message_fields": {
            "file_path": "/etc/pwn"
        }
    },
    {
        "timestamp": "2019-04-17T20:28:55.76044691Z",
        "name": "File Policy Example",
        "uuid": "8d0cce07-6aa0-4ec0-ba8b-3e8498907f79",
        "message": "unable to delete /etc/pwn: remove /etc/pwn: no such file or directory",
        "message_fields": {
            "action_type": "delete",
            "action_target_type": "file",
            "action_result": "not successful",
            "action_result_details": "remove /etc/pwn: no such file or directory"
        }
    }
],
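A failed delete leaves the blocklisted file on disk (or means it was gone before the sensor got to it), so the failure is worth surfacing separately from the violation itself. The following is an added example, not Capsule8 code: it parses an alert payload, pairs each violation notification with its response-action notification by uuid, and returns every delete action that was reported as "not successful", flagging whether the file had already disappeared. The sample input is constructed from the truncated alert above, wrapped in an enclosing object so it parses; the "not successful" literal is taken from the page, and treating any other action_result value as success is an assumption.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input (not captured from a live sensor): the truncated
# alert shown on this page, wrapped in an object so that it is valid JSON.
SAMPLE_ALERT = json.dumps({
    "notifications": [
        {
            "timestamp": "2019-04-17T20:28:55.76044691Z",
            "name": "File Policy Example",
            "uuid": "8d0cce07-6aa0-4ec0-ba8b-3e8498907f79",
            "message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", "
                       "which violated the \"File Policy Example\" File Policy. "
                       "The delete response action was not successful.",
            "message_fields": {"file_path": "/etc/pwn"},
        },
        {
            "timestamp": "2019-04-17T20:28:55.76044691Z",
            "name": "File Policy Example",
            "uuid": "8d0cce07-6aa0-4ec0-ba8b-3e8498907f79",
            "message": "unable to delete /etc/pwn: remove /etc/pwn: no such file or directory",
            "message_fields": {
                "action_type": "delete",
                "action_target_type": "file",
                "action_result": "not successful",
                "action_result_details": "remove /etc/pwn: no such file or directory",
            },
        },
    ]
})


@dataclass
class FailedDelete:
    """One delete response action that the sensor reported as not successful."""
    uuid: str
    policy: str
    file_path: Optional[str]  # from the paired violation notification, if present
    details: str              # action_result_details as reported by the sensor
    already_gone: bool        # True when the OS said the file no longer existed


def failed_delete_responses(raw: str) -> List[FailedDelete]:
    """Return every failed delete response action in an alert payload.

    A violation and its response action arrive as two notifications sharing a
    uuid: one carries message_fields.file_path, the other the action_* fields.
    They are paired by uuid here, so their order in the payload does not matter.
    """
    alert = json.loads(raw)
    by_uuid: Dict[str, Dict[str, object]] = {}
    for note in alert.get("notifications", []):
        fields = note.get("message_fields", {})
        slot = by_uuid.setdefault(note["uuid"], {"policy": note.get("name", "")})
        if "action_type" in fields:
            slot["action"] = fields
        elif "file_path" in fields:
            slot["violation"] = fields

    failed: List[FailedDelete] = []
    for uuid, slot in by_uuid.items():
        action = slot.get("action")
        if not action or action.get("action_type") != "delete":
            continue
        # "not successful" is the literal value shown on the page; any other
        # value is assumed to mean the delete went through.
        if action.get("action_result") != "not successful":
            continue
        details = action.get("action_result_details", "")
        failed.append(FailedDelete(
            uuid=uuid,
            policy=slot["policy"],
            file_path=slot.get("violation", {}).get("file_path"),
            details=details,
            # ENOENT text from the sensor's message; a file that vanished on its
            # own before the response ran is a different case from EACCES or EBUSY.
            already_gone="no such file or directory" in details,
        ))
    return failed


if __name__ == "__main__":
    for f in failed_delete_responses(SAMPLE_ALERT):
        state = "already gone" if f.already_gone else "STILL PRESENT"
        print(f"[{f.policy}] delete of {f.file_path} failed ({state}): {f.details}")
```

The already_gone split matters operationally: a file that was created and removed within the response window (a dropper that cleans up after itself, or a harmless temp file) needs a different follow-up from a file the sensor could not remove, which is still on the host and should be handled by hand.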