In order to provide customers with resilient defense mechanisms, Capsule8 Policies can be configured with the ability to dynamically respond to attacks in real time, effectively disrupting exploitation and preventing damage to your production environment.
For policies covering program behavior, a response action can suspend or kill the offending process. For policies covering containers, a response action can kill the container associated with the alert. For policies covering file activity, a response action can quarantine or delete the file associated with the alert. Response actions are not available for every policy type. At this time, only one response action per individual policy is supported.
Response actions are set through the policy's `responseAction` sub-key. When Capsule8 produces an alert where a response action was taken, the alert's `notifications` field will include a new alert notification whose `message_fields` detail the response action taken and the status of the response action. We highly recommend testing response actions before enabling them by performing dry runs.
Learn more about each response action type in the following sections:
Note: be sure to check the prerequisites before enabling response actions.
In order to enable response actions, the Capsule8 Sensor must be run in the host's process namespace. If you are running a Capsule8 Sensor outside a container, no further steps are necessary to enable response actions. If the Sensor runs inside a container that does not share the host's process namespace, some response actions will not work or will not be available.
Set `hostPID: true` in your DaemonSet's template spec. The following incomplete DaemonSet illustrates how to set this value:

```yaml
kind: DaemonSet
spec:
  template:
    spec:
      hostPID: true
```
See the complete Pod Security Policy documentation for more information on the
Pass `--pid="host"` in your `docker run` command when starting the Capsule8 Sensor container.
See the complete Docker Run Command documentation for more information on the
Set `pid: "host"` in your Docker Compose file. The following incomplete Docker Compose file illustrates how to set this value:

```yaml
version: "3.7"
services:
  capsule8-sensor:
    pid: "host"
```
See the complete Docker Compose documentation for more information on the
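Because a Sensor that is not in the host's process namespace may simply fail to take some response actions, it is worth verifying the prerequisite for all three deployment styles above before enabling a `responseAction`. The following pre-flight check is an added example, not Capsule8's own tooling. It assumes you already have the deployment description as plain Python dicts: the JSON from `kubectl get daemonset <name> -o json` (where the setting lives at `spec.template.spec.hostPID`), the JSON from `docker inspect <container>` (where `--pid="host"` shows up as `HostConfig.PidMode`), or a parsed `docker-compose.yml` (where the service carries `pid: "host"`). The sample inputs embedded below are constructed so the script runs offline; the service and container names are placeholders.

```python
"""Pre-flight check: is the Capsule8 Sensor in the host PID namespace?

Added example, not Capsule8's own code. Each function takes the already
parsed deployment description and returns True only when the host PID
namespace prerequisite for response actions is met.
"""
import json


def kubernetes_daemonset_host_pid(daemonset: dict) -> bool:
    """True when spec.template.spec.hostPID is exactly the boolean true.

    kubectl -o json emits a JSON boolean, so a string "true" (a common
    templating mistake) is deliberately treated as not set.
    """
    pod_spec = daemonset.get("spec", {}).get("template", {}).get("spec", {})
    return pod_spec.get("hostPID") is True


def docker_container_host_pid(inspect_entry: dict) -> bool:
    """True when the container was started with --pid="host".

    docker inspect records the flag as HostConfig.PidMode; the default is
    an empty string, meaning a private PID namespace.
    """
    return inspect_entry.get("HostConfig", {}).get("PidMode") == "host"


def compose_service_host_pid(compose: dict, service: str) -> bool:
    """True when the named Compose service declares pid: "host"."""
    return compose.get("services", {}).get(service, {}).get("pid") == "host"


def report(checks: dict) -> list:
    """One human-readable line per deployment, flagging where the
    prerequisite is missing and response actions may therefore not work."""
    lines = []
    for name, ok in checks.items():
        status = "OK" if ok else "MISSING (response actions may not work)"
        lines.append(f"{name}: host PID namespace {status}")
    return lines


# Constructed sample inputs (not real deployment output) so the script
# runs stand-alone. "capsule8-sensor" is a placeholder name.
SAMPLE_DAEMONSET = json.loads("""
{"kind": "DaemonSet",
 "metadata": {"name": "capsule8-sensor"},
 "spec": {"template": {"spec": {"hostPID": true,
                                "containers": [{"name": "capsule8-sensor"}]}}}}
""")
SAMPLE_DAEMONSET_NO_HOSTPID = json.loads("""
{"kind": "DaemonSet",
 "spec": {"template": {"spec": {"containers": [{"name": "capsule8-sensor"}]}}}}
""")
# docker inspect returns a list with one entry per container.
SAMPLE_DOCKER_INSPECT = json.loads("""
[{"Name": "/capsule8-sensor", "HostConfig": {"PidMode": "host"}}]
""")
SAMPLE_COMPOSE = {"version": "3.7", "services": {"capsule8-sensor": {"pid": "host"}}}


def run_checks() -> dict:
    """Evaluate every constructed sample and return name -> pass/fail."""
    return {
        "daemonset capsule8-sensor": kubernetes_daemonset_host_pid(SAMPLE_DAEMONSET),
        "daemonset without hostPID": kubernetes_daemonset_host_pid(SAMPLE_DAEMONSET_NO_HOSTPID),
        "docker container /capsule8-sensor": docker_container_host_pid(SAMPLE_DOCKER_INSPECT[0]),
        "compose service capsule8-sensor": compose_service_host_pid(SAMPLE_COMPOSE, "capsule8-sensor"),
    }


if __name__ == "__main__":
    for line in report(run_checks()):
        print(line)
```

Run the check against your real `kubectl`/`docker inspect` output (load it with `json.load`) before turning on response actions; a `MISSING` line is the signal to add `hostPID: true`, `--pid="host"` or `pid: "host"` as described above rather than relying on a dry run to reveal that an action never fired.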