Capsule8 Docs

Quarantining a File

For policies that support quarantine responses, specify responseAction: quarantine.

A quarantine response action moves the target file into the /.capsule8-quarantined/ directory. As each file is moved into that directory it is renamed $ALERT_UUID-$ORIGINAL_FILENAME, so a quarantined copy can be matched to the alert that produced it.

The following example demonstrates this applied to a File Policy:

File Policy Example:
  policy: file
  responseAction: quarantine
  enabled: true
  alertMessage: Blocklisted File Created
  comments: Example using the file policy
  priority: High
  rules:
    - match filePath == "/etc/*"
    - default ignore
  timeout: 10

Quarantining a file can fail. For example, the file may no longer be available on the file system by the time the Capsule8 Sensor processes the event. The following JSON is a truncated example alert for this configuration in a case where the file could not be quarantined:

"notifications": [
    {
      "timestamp": "2019-04-17T20:24:57.721065524Z",
      "name": "File Policy Example",
      "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
      "message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", which violated the \"File Policy Example\" File Policy. The quarantine response action was not successful.",
      "message_fields": {
        "file_path": "/etc/pwn"
      }
    },
    {
      "timestamp": "2019-04-17T20:24:57.721065524Z",
      "name": "File Policy Example",
      "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
      "message": "unable to open original path /etc/pwn: open /etc/pwn: no such file or directory",
      "message_fields": {
        "action_type": "quarantine",
        "action_target_type": "file",
        "action_result": "not successful",
        "action_result_details": "open /etc/pwn: no such file or directory"
      }
    }
  ],
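To show how a consumer of these alerts can act on the naming scheme and the failure fields described above, here is an added Python example; it is not part of the Capsule8 documentation or product. It parses an alert (a constructed sample built from the truncated JSON above, wrapped in an outer object whose other fields are omitted), links each quarantine action to the file it targeted by alert uuid, computes the expected path under /.capsule8-quarantined/, flags actions whose action_result is "not successful", and checks whether the quarantined copy is actually present. It assumes $ORIGINAL_FILENAME is the basename of the original path; the page does not say whether directory components are preserved.

```python
import json
import os
from typing import Callable, Dict, List

# Quarantine directory and naming scheme as documented on this page.
QUARANTINE_DIR = "/.capsule8-quarantined"

# Constructed sample: the two notifications from the page's truncated alert,
# wrapped in an outer object. Other alert fields are omitted here.
SAMPLE_ALERT = json.loads(r"""
{
  "notifications": [
    {
      "timestamp": "2019-04-17T20:24:57.721065524Z",
      "name": "File Policy Example",
      "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
      "message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", which violated the \"File Policy Example\" File Policy. The quarantine response action was not successful.",
      "message_fields": {
        "file_path": "/etc/pwn"
      }
    },
    {
      "timestamp": "2019-04-17T20:24:57.721065524Z",
      "name": "File Policy Example",
      "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
      "message": "unable to open original path /etc/pwn: open /etc/pwn: no such file or directory",
      "message_fields": {
        "action_type": "quarantine",
        "action_target_type": "file",
        "action_result": "not successful",
        "action_result_details": "open /etc/pwn: no such file or directory"
      }
    }
  ]
}
""")


def expected_quarantine_path(alert_uuid: str, original_path: str) -> str:
    """Path where the quarantined copy of original_path should be found.

    Assumption: $ORIGINAL_FILENAME is the basename of the original path; the
    page does not state whether directory components are preserved.
    """
    return os.path.join(QUARANTINE_DIR, f"{alert_uuid}-{os.path.basename(original_path)}")


def quarantine_actions(alert: dict) -> List[Dict[str, str]]:
    """Extract every quarantine response-action notification from an alert."""
    actions = []
    for note in alert.get("notifications", []):
        fields = note.get("message_fields", {})
        if fields.get("action_type") != "quarantine":
            continue
        actions.append({
            "uuid": note.get("uuid", ""),
            "target_type": fields.get("action_target_type", ""),
            "result": fields.get("action_result", ""),
            "details": fields.get("action_result_details", ""),
        })
    return actions


def triage(alert: dict, exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, object]]:
    """Pair each quarantine action with its target file and check the copy on disk.

    All notifications of one alert share a uuid, which links the action
    notification to the notification carrying file_path. `exists` is
    injectable so the check can run without a real quarantine directory.
    """
    file_paths = {}
    for note in alert.get("notifications", []):
        path = note.get("message_fields", {}).get("file_path")
        if path:
            file_paths[note.get("uuid", "")] = path

    report = []
    for action in quarantine_actions(alert):
        original = file_paths.get(action["uuid"], "")
        expected = expected_quarantine_path(action["uuid"], original) if original else ""
        report.append({
            **action,
            "original_path": original,
            "expected_path": expected,
            # "not successful" is the failure value shown in the page's alert.
            "failed": action["result"] == "not successful",
            "present": bool(expected) and exists(expected),
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_ALERT):
        status = "FAILED" if entry["failed"] else "ok"
        print(f"{status}: {entry['original_path']} -> {entry['expected_path']} "
              f"(present={entry['present']}) {entry['details']}")
```

Run against the sample, the report contains one quarantine action, marked failed with the open() error as its details, and the expected quarantined copy is absent. A failed quarantine whose original file is also gone, as in this alert, is worth a follow-up look: either the file was short-lived by design or something removed it before the Sensor could act.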