Capsule8 Docs

Getting Started


Capsule8 monitors your Linux production infrastructure by deploying detection strategies. This quickstart guide shows you how to get your first alerts from Capsule8. Follow the sections below:

  • Install the Sensor
  • Strategy setup

Install the Sensor

Install the sensor using the instructions for the environment where you are deploying it. Then configure your alert output to be logged to a file by setting the CAPSULE8_ALERT_FILE environment variable (or alert_file in capsule8-analytics.yaml) to the absolute path of the file in which you would like your Alerts to be stored.

Strategy setup

Open your capsule8-analytics.yaml file, which defines your strategies.

In this example, we will create a strategy that looks for developers debugging in production – a dangerous practice. The strategy below specifically looks for use of debug functions such as ptrace and process_vm_writev.

```yaml
Debugging Tools Monitoring:
  policy: ptrace
  enabled: false
  alertMessage: Ptrace Invoked
  priority: High
  rules:
    - default match
  comments: Alerts upon use of debug functions such as ptrace and process_vm_writev
```

Triggering the alert

To trigger the alert, run the ptrace function in the target environment.
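One way to invoke ptrace harmlessly on a test host, as an added example that is not part of the Capsule8 documentation: a parent forks a child that requests tracing, resumes it once, and reaps it. The function name is chosen for this example, and it is an assumption that the strategy's default match rule covers these ptrace request types.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Example helper (name chosen here): fork a child that asks to be traced,
 * resume it once, and reap it. Returns 0 when both ptrace calls succeeded,
 * a positive errno value when the kernel refused ptrace (e.g. EPERM),
 * 128+signal when the child was killed, -1 when fork or waitpid failed. */
int trigger_ptrace_event(void)
{
    int status;
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        /* Child: first ptrace call; assumed to match the strategy's rule. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(errno);      /* report the refusal to the parent */
        raise(SIGSTOP);        /* stop so the parent sees a traced child */
        _exit(0);
    }
    if (waitpid(child, &status, 0) < 0)
        return -1;
    if (WIFSTOPPED(status)) {
        /* Parent: second ptrace call, resuming the child without a signal. */
        if (ptrace(PTRACE_CONT, child, NULL, NULL) == -1) {
            int err = errno;
            kill(child, SIGKILL);
            waitpid(child, &status, 0);
            return err;
        }
        if (waitpid(child, &status, 0) < 0)
            return -1;
    }
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int rc = trigger_ptrace_event();
    printf("ptrace test finished with code %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

A non-zero positive result means the host itself refused ptrace (for example through a seccomp profile or Yama setting), which is worth knowing before concluding that the strategy failed to fire.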

View the alert output file you set up in the first section. You should see the following output: