Capsule8 Docs
Capsule8 Docs
Help

Stopping a Process

For the strategies that support stop responses specify responseAction: stop. A stop response action is performed by sending the SIGSTOP signal to a process.

The following example demonstrates this applied to a program strategy:

Enforced Wget Blacklist:
  policy: program
  responseAction: stop
  alertMessage: Unauthorized execution of wget
  comments: This strategy detects and kills instances of wget running
  priority: High
  enabled: true
  rules:
  - match programName == "/usr/bin/wget"
  - default ignore

Stop responses can fail. For example, the process in question may no longer be running by the time the signal is sent to it. The following JSON is a truncated example alert for this configuration in a case where the process could not be stopped:

"notifications": [
    {
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blacklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blacklist\" Program Policy. The stop response action was not successful.",
      "message_fields": {}
    },
    {
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blacklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "unable to stop process 2745: no such process",
      "message_fields": {
        "action_type": "stop",
        "action_target_type": "process",
        "action_result": "not successful",
        "action_result_details": "no such process"
      }
    }
  ],