Capsule8 monitors your Linux production infrastructure by deploying detection strategies. This quickstart guide shows you how to get your first alerts from Capsule8. Follow the sections below:
- Install the Sensor
- Strategy setup
Install the Sensor
Install the sensor using the instructions for the environment you are deploying it in. Then configure your alert output to be logged to a file by setting the CAPSULE8_ALERT_FILE environment variable (or the corresponding setting in capsule8-analytics.yaml) to the absolute path of the file in which you would like your alerts to be stored.
Strategy setup
Strategies are defined in the capsule8-analytics.yaml file.
In this example, we will create a strategy that looks for developers debugging in production – a dangerous practice. The strategy below specifically looks for use of debug functions such as ptrace and process_vm_writev:
```yaml
Debugging Tools Monitoring:
  policy: ptrace
  enabled: false        # set to true to activate this strategy; disabled strategies never alert
  alertMessage: Ptrace Invoked
  priority: High
  rules:
    - default match
  comments: Alerts upon use of debug functions such as ptrace and process_vm_writev
```
Triggering the alert
To trigger the alert, invoke the ptrace system call in the target environment.
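As an added example (not Capsule8's code and not part of the original guide), the following C program exercises exactly the call this strategy watches for: a forked child asks to be traced with ptrace(PTRACE_TRACEME), the parent observes the resulting stop and detaches cleanly. Run it on a lab host with the strategy enabled, then look for the "Ptrace Invoked" message in your alert file.

```c
/* Added example: a small harness that exercises the ptrace() path the
 * "Debugging Tools Monitoring" strategy watches for. Example code, not Capsule8's. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that requests tracing by its parent (PTRACE_TRACEME) and stops itself.
 * Returns 0 when the trace was established and cleanly detached, -1 otherwise. */
int run_ptrace_probe(void)
{
    pid_t child = fork();
    if (child < 0)
        return -1;

    if (child == 0) {
        /* Child: this ptrace() call is the event the sensor should observe. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(2);
        raise(SIGSTOP);          /* hand control to the tracer */
        _exit(0);                /* resumed here after PTRACE_DETACH */
    }

    int status = 0;
    if (waitpid(child, &status, 0) != child)
        return -1;
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGSTOP) {
        /* PTRACE_TRACEME failed (e.g. ptrace disabled on this host); child is gone or odd. */
        if (!WIFEXITED(status) && !WIFSIGNALED(status))
            kill(child, SIGKILL);
        return -1;
    }
    /* Parent is now the tracer; release the child and let it exit normally. */
    if (ptrace(PTRACE_DETACH, child, NULL, NULL) == -1) {
        kill(child, SIGKILL);
        waitpid(child, NULL, 0);
        return -1;
    }
    if (waitpid(child, &status, 0) != child)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    int rc = run_ptrace_probe();
    printf("ptrace probe %s; now check the alert file for \"Ptrace Invoked\"\n",
           rc == 0 ? "completed" : "failed");
    return rc == 0 ? 0 : 1;
}
```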
Open the alert output file you created in the first section. You should see the following output: