Automated response: Killing a Process
Warning
Configuring automated response lets Sophos Linux Sensor dynamically respond to attacks. This includes options to perform preventative actions, such as suspending or killing processes and containers, which can impact host functionality. We strongly recommend testing automated responses using dry runs before turning them on in a production environment. See Dry runs.
You can configure Sophos Linux Sensor to kill a process as a response action to a detection. To kill a process, SLS sends it the SIGKILL signal. SIGKILL can't be caught, blocked or ignored, so the process exits immediately without running any of its own cleanup handlers.
Note
When editing a custom policy or writing a new one, use the information on this page. If you're changing the response action for one of Sophos Linux Sensor's (SLS) default detections, see Adjusting individual detections.
kill
To kill a process associated with a detection, add kill to the responseActions list of your detection. Here's an example, applied to a program policy:
Enforced Wget Blocklist:
  policy: program
  responseActions:
    - alert
    - kill
  alertMessage: Unauthorized execution of wget
  comments: This policy detects and kills instances of wget running
  priority: High
  enabled: true
  rules:
    - match programName == "/usr/bin/wget"
    - default ignore
kill-tree
The kill response action doesn't kill any other processes the target process starts. Children the target has already spawned aren't signalled; they keep running and are reparented to init (or the nearest subreaper) once their parent is gone. If you want to kill them too, use kill-tree instead. The kill-tree response action kills the process associated with the detection and all its child processes.
Note
You must only use kill-tree for alerts with a very low chance of a false positive. You must not use it for alerts that important processes could trigger. You can use allowlists in your rules to make sure important processes aren't killed.
Here's an example:
Enforced Wget Blocklist:
  policy: program
  responseActions:
    - alert
    - kill-tree
  alertMessage: Unauthorized execution of wget
  comments: This policy detects and kills instances of wget running
  priority: High
  enabled: true
  rules:
    - match programName == "/usr/bin/wget"
    - default ignore
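To see what the two actions actually do on a host, here is an added example (not Sophos code and not part of this page) that reproduces kill and kill-tree with plain Linux primitives: SIGKILL on a single PID, versus a scan of /proc for descendants followed by SIGKILL on all of them. The target process tree (a shell with two background sleep children) is constructed for the demo, and the names kill_process, kill_tree, descendants and demo are this example's own; how SLS itself enumerates children is not described on this page.

```python
import os
import signal
import subprocess
import time

# Added example, not Sophos code: reproduces the kill vs kill-tree
# difference with /proc and SIGKILL so the orphaning behaviour can be seen.


def _stat_fields(pid):
    """Fields of /proc/<pid>/stat after the comm field, or None if the PID is gone."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
    except OSError:
        return None
    # comm is in parentheses and may itself contain spaces or ')',
    # so only split what follows the last ')'.
    return stat[stat.rindex(")") + 2:].split()


def alive(pid):
    """True if the PID exists and is not a zombie (a killed orphan may sit in state Z until reaped)."""
    fields = _stat_fields(pid)
    return fields is not None and fields[0] != "Z"


def descendants(root):
    """All live descendant PIDs of root, from a single scan of /proc."""
    children = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            fields = _stat_fields(int(name))
            if fields is not None and fields[0] != "Z":
                children.setdefault(int(fields[1]), []).append(int(name))  # fields[1] is ppid
    found, queue = [], [root]
    while queue:
        pid = queue.pop()
        for child in children.get(pid, []):
            found.append(child)
            queue.append(child)
    return found


def kill_process(pid):
    """kill: SIGKILL the target only. Anything it already spawned keeps running."""
    os.kill(pid, signal.SIGKILL)


def kill_tree(pid):
    """kill-tree: SIGSTOP the target so it cannot fork during the scan (this example's
    own precaution), then SIGKILL it and every descendant. Returns the PIDs signalled."""
    os.kill(pid, signal.SIGSTOP)
    victims = [pid] + descendants(pid)
    for p in victims:
        try:
            os.kill(p, signal.SIGKILL)
        except ProcessLookupError:
            pass  # exited before the signal arrived; SLS reports this as "no such process"
    return victims


def _spawn_tree():
    """Constructed target: a shell with two background sleep children."""
    p = subprocess.Popen(["sh", "-c", "sleep 30 & sleep 30 & wait"])
    time.sleep(0.5)  # let sh fork its children before we look at them
    return p


def demo():
    # kill: sh dies, but its two sleeps are orphaned and keep running
    p1 = _spawn_tree()
    kids = descendants(p1.pid)
    kill_process(p1.pid)
    p1.wait()
    time.sleep(0.2)
    orphans = [k for k in kids if alive(k)]

    # kill-tree: sh and both sleeps die
    p2 = _spawn_tree()
    victims = kill_tree(p2.pid)
    p2.wait()
    time.sleep(0.2)
    leftover = [v for v in victims if alive(v)]

    for k in orphans:  # clean up what plain kill left behind
        os.kill(k, signal.SIGKILL)
    return {"children": len(kids), "orphans_after_kill": len(orphans),
            "signalled_by_kill_tree": len(victims), "left_after_kill_tree": len(leftover)}


if __name__ == "__main__":
    print(demo())
```

Run it on a Linux host as an unprivileged user; it only signals processes it spawned itself. The SIGSTOP before the /proc scan closes the window in which the target could fork another child between enumeration and kill, which is exactly the gap a plain per-PID kill leaves open.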
Failed kill response
kill and kill-tree response actions can fail. For example, the process in question may no longer be running by the time the signal is sent. The following JSON is a truncated example alert for this configuration in a case where the process couldn't be killed:
"notifications": [
  {
    "timestamp": "2019-04-17T01:58:30.272044949-04:00",
    "name": "Enforced Wget Blocklist",
    "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
    "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blocklist\" Program Policy.",
    "message_fields": {}
  },
  {
    "timestamp": "2019-04-17T01:58:30.272044949-04:00",
    "name": "Enforced Wget Blocklist",
    "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
    "message": "unable to stop process 2745: no such process",
    "message_fields": {
      "action_type": "kill",
      "action_target_type": "process",
      "action_result": "not successful",
      "action_result_details": "no such process"
    }
  }
],
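A failed response action means the detection fired but enforcement didn't happen, so it is worth picking these out of the alert stream rather than treating them like any other alert. The following is an added example, not Sophos code and not a documented SLS interface: it parses an alert shaped like the truncated JSON above and lists the detections whose response action reported "not successful". The sample alert is constructed to mirror the page's example, and the function names failed_actions and needs_followup are this example's own.

```python
import json

# Constructed sample, shaped like the truncated alert above: a detection
# notification (empty message_fields) followed by the response-action record.
SAMPLE_ALERT = r"""
{
  "notifications": [
    {
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "The program \"/usr/bin/wget\" was executed, which violated the \"Enforced Wget Blocklist\" Program Policy.",
      "message_fields": {}
    },
    {
      "timestamp": "2019-04-17T01:58:30.272044949-04:00",
      "name": "Enforced Wget Blocklist",
      "uuid": "25fc84c4-be3f-4159-a55e-1c31f85a29cb",
      "message": "unable to stop process 2745: no such process",
      "message_fields": {
        "action_type": "kill",
        "action_target_type": "process",
        "action_result": "not successful",
        "action_result_details": "no such process"
      }
    }
  ]
}
"""


def parse_alert(text):
    """Decode one alert document as emitted by the sensor."""
    return json.loads(text)


def failed_actions(alert):
    """One record per notification whose response action reported 'not successful'.

    Detection-only notifications carry empty message_fields and are skipped.
    Only the 'not successful' result string shown on the page is recognised here;
    any other result values the sensor may emit are not assumed.
    """
    failures = []
    for n in alert.get("notifications", []):
        mf = n.get("message_fields") or {}
        if mf.get("action_result") == "not successful":
            failures.append({
                "uuid": n.get("uuid"),
                "detection": n.get("name"),
                "timestamp": n.get("timestamp"),
                "action": mf.get("action_type"),           # kill or kill-tree
                "target": mf.get("action_target_type"),    # e.g. process
                "details": mf.get("action_result_details"),
            })
    return failures


def needs_followup(alert):
    """Detection uuids whose enforcement failed.

    The program still ran: 'no such process' is consistent with the target
    exiting before SIGKILL arrived, and nothing it did before then is undone,
    so these detections need manual review instead of being closed as handled.
    """
    return sorted({f["uuid"] for f in failed_actions(alert)})


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    for f in failed_actions(alert):
        print(f"{f['timestamp']} {f['detection']}: {f['action']} on {f['target']} failed ({f['details']})")
    print("follow up:", needs_followup(alert))
```

The detection and the failed-action record share a uuid, which is what ties the enforcement result back to the detection that triggered it; grouping on that field is how a SIEM rule can raise the priority of a detection whose kill did not land.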