Automated Response: stopping a process

Warning

Configuring automated response lets Sophos Linux Sensor dynamically respond to attacks. This includes options to perform preventative actions such as suspending or killing processes and containers, which can impact host functionality. Sophos strongly recommends testing automated responses using dry runs before turning them on in a production environment. See dry runs.

For policies that support stop responses, specify responseAction: stop. Sophos Linux Sensor performs a stop response action by sending the SIGSTOP signal to the process, which suspends it rather than terminating it.

The following example demonstrates this applied to a program policy:

Enforced Wget Blocklist:
  policy: program
  responseAction: stop
  alertMessage: Unauthorized execution of wget
  comments: This policy detects and kills instances of wget running
  priority: High
  enabled: true
  rules:
  - match programName == "/usr/bin/wget"
  - default ignore

Stop responses can fail. For example, the process in question may no longer be running by the time the signal is sent to it. The following JSON is a truncated example alert for this configuration in a case where the process couldn't be stopped:

"notifications": [
    {
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blocklist\" Program Policy. The stop response action was not successful.",
      "message_fields": {}
    },
    {
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "unable to stop process 2745: no such process",
      "message_fields": {
        "action_type": "stop",
        "action_target_type": "process",
        "action_result": "not successful",
        "action_result_details": "no such process"
      }
    }
  ],
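To make the mechanism and its failure mode concrete, the following is an added example (not Sophos Linux Sensor code): stop_process mimics a stop response by sending SIGSTOP and reports the outcome in the same message_fields layout as the alert above, failed_response_actions pulls unsuccessful actions out of a notifications array, and demo_stop_race reproduces the race where the target has already exited. The sample alert is constructed from the truncated JSON above; the function names are assumptions of this example.

```python
import json
import os
import signal
import subprocess

# Constructed sample alert, shaped like the truncated notifications array
# above: a summary entry with empty message_fields plus the action entry.
SAMPLE_ALERT = json.dumps({"notifications": [
    {"name": "Enforced Wget Blocklist", "message_fields": {},
     "message": "The program \"/usr/bin/wget\" was executed ... not successful."},
    {"name": "Enforced Wget Blocklist",
     "message": "unable to stop process 2745: no such process",
     "message_fields": {"action_type": "stop", "action_target_type": "process",
                        "action_result": "not successful",
                        "action_result_details": "no such process"}},
]})

def failed_response_actions(alert_json: str) -> list:
    """Return message_fields of every notification whose response action
    did not succeed. The human-readable summary entry (empty
    message_fields) carries no action_result and is skipped."""
    alert = json.loads(alert_json)
    return [n["message_fields"] for n in alert.get("notifications", [])
            if n.get("message_fields", {}).get("action_result") == "not successful"]

def stop_process(pid: int) -> dict:
    """Illustrative stop response (not the sensor's code): SIGSTOP suspends
    the target, it does not kill it. Outcome uses the alert's field names."""
    fields = {"action_type": "stop", "action_target_type": "process"}
    try:
        os.kill(pid, signal.SIGSTOP)
    except ProcessLookupError:          # ESRCH: the target already exited
        fields.update(action_result="not successful",
                      action_result_details="no such process")
    except PermissionError:             # EPERM: not allowed to signal it
        fields.update(action_result="not successful",
                      action_result_details="operation not permitted")
    else:
        fields["action_result"] = "successful"
    return fields

def demo_stop_race() -> tuple:
    """Stop a live child (succeeds, child is in stopped state), then try to
    stop a child that has already exited and been reaped (no such process)."""
    live = subprocess.Popen(["sleep", "30"])
    ok = stop_process(live.pid)
    _, status = os.waitpid(live.pid, os.WUNTRACED)   # returns once it is stopped
    stopped = os.WIFSTOPPED(status)
    os.kill(live.pid, signal.SIGCONT)                 # resume, then clean up
    live.terminate(); live.wait()
    gone = subprocess.Popen(["true"]); gone.wait()    # exited and reaped
    return ok, stopped, stop_process(gone.pid)
```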