For policies that support stop responses, specify responseAction: stop. A stop response is performed by sending the SIGSTOP signal to the offending process. Note that SIGSTOP suspends the process rather than terminating it: the process remains in the process table in the stopped state (shown as T by ps) until it receives SIGCONT or is killed, so a stop response preserves the process for investigation but does not by itself clean it up.
The following example demonstrates this applied to a program policy:

Enforced Wget Blocklist:
  policy: program
  responseAction: stop
  alertMessage: Unauthorized execution of wget
  comments: This policy detects and stops instances of wget running
  priority: High
  enabled: true
  rules:
    - match programName == "/usr/bin/wget"
    - default ignore
Stop responses can fail. For example, a short-lived process may have already exited by the time the signal is sent to it, in which case the kernel reports "no such process" (ESRCH). The execution is still reported; the alert additionally records that the response action did not succeed. The following JSON is a truncated example alert for this configuration in a case where the process could not be stopped:
"notifications": [
  {
    "timestamp": "2019-04-17T01:58:30.272044949-04:00",
    "name": "Enforced Wget Blocklist",
    "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
    "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blocklist\" Program Policy. The stop response action was not successful.",
    "message_fields": {}
  },
  {
    "timestamp": "2019-04-17T01:58:30.272044949-04:00",
    "name": "Enforced Wget Blocklist",
    "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
    "message": "unable to stop process 2745: no such process",
    "message_fields": {
      "action_type": "stop",
      "action_target_type": "process",
      "action_result": "not successful",
      "action_result_details": "no such process"
    }
  }
],
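The following is an added example, not part of this page or of the product's own code, that shows what a stop response amounts to at the OS level and how the "no such process" failure above arises. It sends SIGSTOP to a constructed target (a sleep child standing in for /usr/bin/wget), confirms through /proc that the process is suspended rather than gone, then retries after the process has exited and shapes the outcome into the same two-entry notifications layout as the alert above. It assumes Linux (for /proc/<pid>/stat) and a sleep binary on PATH; the function names and the second notification's message text are illustrative.

```python
"""Added example: a minimal stop-response handler mirroring the alert above.
Assumes Linux (/proc) and a 'sleep' binary standing in for /usr/bin/wget."""
import datetime
import os
import signal
import subprocess
import time


def stop_process(pid):
    """Send SIGSTOP to pid and return message_fields like the alert above.

    SIGSTOP suspends the process; it does not terminate it.  ESRCH
    (ProcessLookupError) is the 'no such process' case: the target
    exited before the signal could be sent.
    """
    fields = {"action_type": "stop", "action_target_type": "process"}
    try:
        os.kill(pid, signal.SIGSTOP)
    except ProcessLookupError:
        fields.update(action_result="not successful", action_result_details="no such process")
    except PermissionError:
        fields.update(action_result="not successful", action_result_details="operation not permitted")
    else:
        fields.update(action_result="successful", action_result_details="")
    return fields


def proc_state(pid):
    """Return the one-letter state from /proc/<pid>/stat ('T' = stopped).

    The command name sits in parentheses and may contain spaces, so the
    state is located relative to the last ')' rather than by splitting.
    """
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    return stat[stat.rindex(")") + 2]


def wait_for_state(pid, wanted, timeout=2.0):
    """Poll /proc until the process reaches state `wanted` (stopping is asynchronous)."""
    deadline = time.monotonic() + timeout
    state = proc_state(pid)
    while state != wanted and time.monotonic() < deadline:
        time.sleep(0.01)
        state = proc_state(pid)
    return state


def build_notifications(policy_name, program, pid, fields):
    """Shape the outcome into the two-entry 'notifications' list used in the example alert.

    The summary message copies the wording of the alert above; the second
    entry's message for the success case is a hypothetical choice.
    """
    ok = fields["action_result"] == "successful"
    ts = datetime.datetime.now(datetime.timezone.utc).isoformat()
    summary = (f'The program "{program}" was executed, which violated the '
               f'"{policy_name}" Program Policy. The stop response action was '
               + ("successful." if ok else "not successful."))
    detail = (f"stopped process {pid}" if ok
              else f"unable to stop process {pid}: {fields['action_result_details']}")
    return [
        {"timestamp": ts, "name": policy_name, "message": summary, "message_fields": {}},
        {"timestamp": ts, "name": policy_name, "message": detail, "message_fields": fields},
    ]


def demo():
    """Constructed scenario: stop a live child, then retry after it has exited."""
    child = subprocess.Popen(["sleep", "30"])  # stand-in for /usr/bin/wget
    try:
        live = stop_process(child.pid)
        state = wait_for_state(child.pid, "T")  # 'T': stopped, still in the process table
    finally:
        # A stopped process is not gone; SIGKILL is still delivered to it.
        os.kill(child.pid, signal.SIGKILL)
        child.wait()  # reap it, so the pid is no longer valid
    dead = stop_process(child.pid)  # now fails with 'no such process'
    return live, state, dead


if __name__ == "__main__":
    import json
    live, state, dead = demo()
    print("first attempt:", live, "state:", state)
    alert = {"notifications": build_notifications("Enforced Wget Blocklist", "/usr/bin/wget", 2745, dead)}
    print(json.dumps(alert, indent=2))
```

The stopped state reported by /proc is the practical check after a successful stop response: the process is still present for forensic collection (its memory, open files and command line are readable), but it will resume if anything sends it SIGCONT, so follow the stop with a kill or a containment step once investigation is done.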