Prerequisites
Instructions for acquiring and applying default detections for your environment and sensor version can be found in the sensor installation guide here.
Testing that Capsule8 Detections are deployed
Once the sensor and content are installed, test to ensure that the content is properly deployed and that the generated alerts are going to the right place. The quickest way to test this is to cause an alert for a suspicious interactive shell:
- Ensure the sensor is started on the host that you wish to test.
  - If on a node:
    systemctl status capsule8-sensor
  - If using Kubernetes:
    kubectl get pods --all-namespaces | grep capsule8-sensor
- Start a new interactive shell on the test host. This could be via SSH or a kubectl exec. This shell should not create an alert, as SSH and kubectl are not suspicious methods for starting an interactive shell.
- In your new shell, create a new shell with the command:
sh -i
- Specifying interactivity with the -i flag is common for illegitimate interactive shells, and one of the ways that Capsule8 detects unauthorized shell access.
- Look for a Suspicious Interactive Shell alert in the alert output you configured.
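The steps above can be scripted as a repeatable smoke test. The script below is an added example, not Capsule8's own tooling; it assumes the configured alert output is a plain-text log file (path taken from CAPSULE8_ALERT_LOG, defaulting to a hypothetical /var/log/capsule8/alerts.log) in which the alert appears by the name shown above.

```shell
#!/bin/sh
# Smoke test for Capsule8 detections (added example, not Capsule8 tooling).
# Assumption: alerts are written as text lines to ALERT_LOG and contain ALERT_NAME.
ALERT_LOG="${CAPSULE8_ALERT_LOG:-/var/log/capsule8/alerts.log}"   # assumed path
ALERT_NAME="Suspicious Interactive Shell"

# Returns 0 if a capsule8-sensor is running, checking Kubernetes first
# (when kubectl is available) and then the systemd unit on a plain node.
sensor_running() {
  if command -v kubectl >/dev/null 2>&1 &&
     kubectl get pods --all-namespaces 2>/dev/null | grep -q capsule8-sensor; then
    return 0
  fi
  systemctl is-active --quiet capsule8-sensor 2>/dev/null
}

# Spawns a shell with the -i flag, which is the behaviour the detection keys on.
# stdin is /dev/null so the shell exits immediately instead of waiting for input.
trigger_test_shell() {
  sh -i -c 'exit 0' </dev/null >/dev/null 2>&1
}

# wait_for_alert LOGFILE [SECONDS]: polls LOGFILE until ALERT_NAME appears.
# Returns 0 when the alert is found, 1 if the timeout expires first.
wait_for_alert() {
  _log=$1
  _left=${2:-30}
  while [ "$_left" -gt 0 ]; do
    if grep -q "$ALERT_NAME" "$_log" 2>/dev/null; then
      return 0
    fi
    sleep 1
    _left=$((_left - 1))
  done
  return 1
}

main() {
  sensor_running || { echo "capsule8-sensor is not running" >&2; return 2; }
  trigger_test_shell
  if wait_for_alert "$ALERT_LOG" 30; then
    echo "OK: '$ALERT_NAME' alert was delivered to $ALERT_LOG"
  else
    echo "FAIL: no '$ALERT_NAME' alert in $ALERT_LOG within 30s" >&2
    return 1
  fi
}

# Only run end-to-end when explicitly requested, so the file is safe to source.
[ "${CAPSULE8_SMOKE_RUN:-0}" = 1 ] && main
```

Run it on the test host with CAPSULE8_SMOKE_RUN=1 (and CAPSULE8_ALERT_LOG pointing at your configured output); a non-zero exit means either the sensor is not running or the alert never arrived.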
Keeping Capsule8 Detections Up to Date
If you have installed Capsule8 content using a standard package manager, updates will be made available in the Capsule8 package repository, much the same as the sensor, and will adhere to the system update management programs you have in place (e.g. weekly apt updates).