Capsule8 Docs

Getting Started


Capsule8 monitors your Linux production infrastructure by deploying detections. This quickstart guide shows you how to get your first alerts from Capsule8. Follow the sections below:

  • Install the Sensor
  • Detection setup

Install the Sensor

Install the sensor using the instructions for the environment you are deploying it into. Then configure your alert output to be logged to a file by setting the CAPSULE8_ALERT_FILE environment variable (or alert_file in capsule8-analytics.yaml) to the absolute path of the file in which you would like your alerts to be stored.

Detection setup

Open your capsule8-analytics.yaml file, which defines your detections.

In this example, we will create a policy that looks for developers debugging in production, a dangerous practice. The policy below specifically looks for use of debug functions such as ptrace and process_vm_writev.

Debugging Tools Monitoring:
  policy: ptrace
  enabled: true    # must be true, otherwise the alert in the next section never fires
  alertMessage: Ptrace Invoked
  priority: High
  # default match: no additional match rules are specified for this policy
  comments: Alerts upon use of debug functions such as ptrace and process_vm_writev

Triggering the alert

To trigger the alert, invoke the ptrace system call in the target environment (for example, by attaching a debugger or tracer to a process).
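A minimal way to exercise the ptrace detection end to end is a small self-test program that forks a child, has the child request tracing from its parent, and then detaches. This is an added example for validating that the policy above fires; it is not part of the Capsule8 documentation or product. It assumes a Linux host with the sensor installed and CAPSULE8_ALERT_FILE set; the function name trigger_ptrace is hypothetical. In a container whose seccomp profile forbids ptrace, the call fails with EPERM, which the program reports as "not permitted" so you can distinguish a blocked syscall from a detection gap.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exercise the ptrace syscall in the most benign way possible:
 * the child asks its own parent to trace it, stops itself, and the
 * parent detaches again. No foreign process is touched.
 *
 * Returns:
 *   1  a tracee was stopped under our control (ptrace happened, the
 *      "Ptrace Invoked" alert should now appear in the alert file)
 *   0  the kernel or container policy refused ptrace (EPERM)
 *  -1  unexpected error (fork/waitpid failure, child killed, ...)
 */
int trigger_ptrace(void) {
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        /* Child: request to be traced by the parent, then stop. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) {
            _exit(errno == EPERM ? 2 : 3);
        }
        raise(SIGSTOP);
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) != pid) {
        return -1;
    }
    if (WIFSTOPPED(status)) {
        /* The child is a stopped tracee: detach (signal suppressed)
         * and reap it so no zombie is left behind. */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        waitpid(pid, &status, 0);
        return 1;
    }
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2) {
        return 0;  /* ptrace not permitted in this environment */
    }
    return -1;
}

int main(void) {
    int r = trigger_ptrace();
    if (r == 1) {
        printf("ptrace exercised; check CAPSULE8_ALERT_FILE for 'Ptrace Invoked'\n");
    } else if (r == 0) {
        printf("ptrace not permitted here (EPERM); the sensor saw no ptrace call\n");
    } else {
        printf("unexpected error while exercising ptrace\n");
    }
    return r < 0;
}
```

Compile with `cc -o ptrace-selftest ptrace-selftest.c` and run it on the monitored host, then inspect the alert file named in CAPSULE8_ALERT_FILE. Running this where the sensor is deployed confirms that the policy, the sensor and the alert output path are all wired together before you rely on the detection.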

View the alert output file you created in the first section. You should see the following output: