Capsule8 monitors your Linux production infrastructure by deploying detections. This quickstart guide shows you how to get your first alerts from Capsule8. Follow the sections below:
- Install the Sensor
- Detection setup
Install the Sensor
Install the sensor following the instructions for the environment you are deploying to. Then configure alert output to be written to a file by setting the CAPSULE8_ALERT_FILE environment variable (or the equivalent setting in capsule8-analytics.yaml) to the absolute path of the file in which you want your alerts stored. The sensor process must be able to create and write that file, so check its permissions before moving on.
Detection setup
Detections are defined in the capsule8-analytics.yaml file.
In this example, we create a policy that looks for developers debugging in production, a dangerous practice because a debugger attached to a process can read and alter that process's memory. The policy below looks for use of debug functions such as ptrace and process_vm_writev:

```yaml
Debugging Tools Monitoring:
  policy: ptrace
  enabled: true
  alertMessage: Ptrace Invoked
  priority: High
  rules:
    - default match
  comments: Alerts upon use of debug functions such as ptrace and process_vm_writev
```

The policy must be enabled (enabled: true) to produce alerts; a policy left at enabled: false will not produce the alert described in the next section.
Triggering the alert
To trigger the alert, invoke the ptrace system call on the target host, for example by attaching a debugger or strace to a running process (both are built on ptrace).
View the alert output file you created in the first section. It should now contain an alert for this policy carrying the message Ptrace Invoked.
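The trigger and check steps above, as an added example that is not part of the Capsule8 documentation or product. It assumes a Linux host with the sensor running, the policy above enabled, and CAPSULE8_ALERT_FILE set. The program forks a child that requests tracing with PTRACE_TRACEME, stops itself, and is then detached by the parent, so the only thing it does is make the ptrace calls the policy alerts on. If ptrace is refused on the host (Yama ptrace_scope or a seccomp profile), it reports EPERM instead of failing silently, which is itself worth knowing before you conclude the detection is broken.

```c
// Added example (not Capsule8 code): deliberately invoke ptrace(2) so the
// "Debugging Tools Monitoring" policy has an event to detect.  Linux only.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 when ptrace was invoked and the child was traced and detached,
 * -errno when ptrace itself is refused (typically -EPERM under a restrictive
 * seccomp profile or Yama ptrace_scope), and -1 for any other failure. */
int trigger_ptrace(void)
{
    pid_t child = fork();
    if (child < 0)
        return -1;

    if (child == 0) {
        /* Child: ask to be traced by the parent, then stop so the parent
         * receives a ptrace-stop notification before we exit. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(errno);          /* surface errno to the parent as exit code */
        raise(SIGSTOP);
        _exit(0);
    }

    int status = 0;
    if (waitpid(child, &status, 0) != child)
        return -1;

    if (WIFEXITED(status)) {
        /* The child exited instead of stopping: PTRACE_TRACEME failed. */
        int err = WEXITSTATUS(status);
        return err ? -err : -1;
    }
    if (!WIFSTOPPED(status))
        return -1;

    /* The child is in a ptrace-stop under our control.  PTRACE_DETACH is a
     * second ptrace() call, so the sensor sees two invocations from this
     * process tree; passing signal 0 suppresses the pending SIGSTOP. */
    if (ptrace(PTRACE_DETACH, child, NULL, NULL) == -1) {
        int err = errno;
        kill(child, SIGKILL);
        waitpid(child, NULL, 0);
        return -err;
    }
    if (waitpid(child, &status, 0) != child)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    int rc = trigger_ptrace();
    if (rc == 0)
        puts("ptrace invoked; check the file named by CAPSULE8_ALERT_FILE for 'Ptrace Invoked'");
    else
        printf("ptrace trigger failed: %s\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Compile with `cc -o trigger_ptrace trigger_ptrace.c`, run it on the monitored host, then inspect the alert file (for example `tail "$CAPSULE8_ALERT_FILE"`) for an entry with the alertMessage from the policy. Running `strace -o /dev/null true` triggers the same detection, since strace attaches to its child with ptrace; the program above is only useful because it isolates the ptrace calls from everything else a real debugger does.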