Automated response: killing a container

Warning

Configuring automated response lets Sophos Linux Sensor dynamically respond to attacks. This includes options to perform preventative actions such as suspending or killing processes and containers, which can impact host functionality. Sophos strongly recommends testing automated responses using dry runs before turning them on in a production environment. See dry runs.

For the policies that support kill-container responses, specify responseAction: kill-container.

A kill-container response action is performed by sending the SIGKILL signal to the init process of the container. This causes the entire container to exit immediately. If an alert is fired on a process not in a container and the kill-container response action is specified, no action is taken.

Like kill responses, kill-container responses can fail (for example, if the container has already exited).
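
The behaviour described above, shown as an added example (not Sophos Linux Sensor code): given the host PID of an alerted process, find the init process of its container and send it SIGKILL, take no action for a process on the host, and report a failure if the container has already exited. It assumes each container has its own PID namespace and that the code runs as root in the host PID namespace; the function names, the dry_run flag and the /proc scan are illustrative assumptions, not the product's implementation.

```python
import os
import signal

def pid_ns(proc, pid):
    """PID-namespace identifier of a process, e.g. 'pid:[4026531836]'."""
    return os.readlink(os.path.join(proc, str(pid), "ns", "pid"))

def ns_pid(proc, pid):
    """PID as seen inside the innermost PID namespace (last NSpid field)."""
    with open(os.path.join(proc, str(pid), "status")) as f:
        for line in f:
            if line.startswith("NSpid:"):
                return int(line.split()[-1])
    raise LookupError("no NSpid line for %s" % pid)

def find_container_init(pid, proc="/proc"):
    """Host PID of the init process in pid's PID namespace; None if pid is on the host."""
    target = pid_ns(proc, pid)
    if target == pid_ns(proc, 1):  # assumes host init is visible as PID 1
        return None
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            if pid_ns(proc, entry) == target and ns_pid(proc, entry) == 1:
                return int(entry)
        except (OSError, LookupError):
            continue  # that process exited while we were scanning
    raise ProcessLookupError("container init not found")

def kill_container(pid, proc="/proc", dry_run=True, kill=os.kill):
    """Return (outcome, init_pid); outcome is no-action, dry-run, killed or failed."""
    init = None
    try:
        init = find_container_init(pid, proc)
        if init is None:
            return ("no-action", None)   # alerted process is not in a container
        if dry_run:
            return ("dry-run", init)     # report the target, send nothing
        kill(init, signal.SIGKILL)       # init's exit tears down the whole container
    except OSError:
        return ("failed", init)          # e.g. the container has already exited
    return ("killed", init)
```
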