Capsule8 Docs

Deleting a File

For policies that support delete responses, specify responseAction: delete.

A delete response action removes the target file from the operating system entirely.

The following example demonstrates this applied to a File Policy:

File Policy Example:
  policy: fileMonitor
  responseAction: delete
  enabled: true
  alertMessage: Blocklisted File Created
  comments: Example using the file policy
  priority: High
  rules:
    - match filePath == "/etc/*"
    - default ignore
  timeout: 10

Deleting a file can fail. For example, the file may no longer be present on the file system by the time the Capsule8 Sensor processes the event. The following JSON is a truncated example alert for this configuration, in a case where the file could not be deleted:

"notifications": [
    {
      "timestamp": "2019-04-17T20:28:55.76044691Z",
      "name": "File Policy Example",
      "uuid": "8d0cce07-6aa0-4ec0-ba8b-3e8498907f79",
      "message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", which violated the \"File Policy Example\" File Policy. The delete response action was not successful.",
      "message_fields": {
        "file_path": "/etc/pwn"
      }
    },
    {
      "timestamp": "2019-04-17T20:28:55.76044691Z",
      "name": "File Policy Example",
      "uuid": "8d0cce07-6aa0-4ec0-ba8b-3e8498907f79",
      "message": "unable to delete /etc/pwn: remove /etc/pwn: no such file or directory",
      "message_fields": {
        "action_type": "delete",
        "action_target_type": "file",
        "action_result": "not successful",
        "action_result_details": "remove /etc/pwn: no such file or directory"
      }
    }
  ],
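As an added example (not Capsule8's own code), the following Python consumes an alert like the one above and extracts every response action that reported "not successful", joined to the file_path from the violation notification so the failed target is visible in one record. It assumes, as the sample alert shows, that the violation and the action-result notifications share a uuid, and it flags the "no such file or directory" case separately because that usually means the file was already gone rather than that deletion was blocked.

```python
import json

# Constructed sample modelled on the truncated alert above; not a real sensor capture.
SAMPLE_ALERT = """{
  "notifications": [
    {
      "name": "File Policy Example",
      "uuid": "8d0cce07-6aa0-4ec0-ba8b-3e8498907f79",
      "message": "The program \\"/usr/bin/touch\\" created the file \\"/etc/pwn\\". The delete response action was not successful.",
      "message_fields": {"file_path": "/etc/pwn"}
    },
    {
      "name": "File Policy Example",
      "uuid": "8d0cce07-6aa0-4ec0-ba8b-3e8498907f79",
      "message": "unable to delete /etc/pwn: remove /etc/pwn: no such file or directory",
      "message_fields": {
        "action_type": "delete",
        "action_target_type": "file",
        "action_result": "not successful",
        "action_result_details": "remove /etc/pwn: no such file or directory"
      }
    }
  ]
}"""


def failed_response_actions(alert_json):
    """Return one record per failed response action, joined with the violation
    that triggered it. Notifications are correlated by uuid (assumption: the
    sensor emits both with a shared uuid, as in the sample alert)."""
    notifications = json.loads(alert_json).get("notifications", [])
    by_uuid = {}
    for n in notifications:
        by_uuid.setdefault(n.get("uuid"), []).append(n)
    failures = []
    for uuid, group in by_uuid.items():
        fields = {}
        for n in group:  # merge file_path and action_* fields from both notifications
            fields.update(n.get("message_fields", {}))
        if fields.get("action_result") != "not successful":
            continue
        details = fields.get("action_result_details", "")
        failures.append({
            "uuid": uuid,
            "policy": group[0].get("name"),
            "action": fields.get("action_type"),
            "target": fields.get("file_path"),
            "details": details,
            # ENOENT means the file was gone before the sensor acted (e.g. a
            # racing unlink); any other error, such as EPERM, needs a manual look.
            "already_gone": "no such file or directory" in details,
        })
    return failures
```

Feed the output to whatever handles your alert stream; records with already_gone set to False are the ones worth investigating first, since the file is still on disk.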