Automated response: quarantining a file
Warning
Configuring automated response lets Sophos Linux Sensor dynamically respond to attacks. This includes options to perform preventative actions such as suspending or killing processes and containers, which can impact host functionality. Sophos strongly recommends testing automated responses using dry runs before turning them on in a production environment. See dry runs.
For the policies that support quarantine responses, specify responseAction: quarantine.
A quarantine response action moves the target file into the /.runtimedetections-quarantined/
directory. As each file is moved in, it is renamed $ALERT_UUID-$ORIGINAL_FILENAME, so a quarantined
file can always be tied back to the alert that triggered it.
The following example demonstrates this applied to a File Policy:
policy: file
responseAction: quarantine
enabled: true
alertMessage: Blocklisted File Created
comments: Example using the file policy
priority: High
rules:
- match filePath == "/etc/*"
- default ignore
timeout: 10
Quarantining a file can fail. For example, the file may no longer be available on the file system by the time Sophos Linux Sensor processes the event. The following JSON is a truncated example alert for this configuration in a case where the file could not be quarantined:
"notifications": [
  {
    "timestamp": "2019-04-17T20:24:57.721065524Z",
    "name": "File Policy Example",
    "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
    "message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", which violated the \"File Policy Example\" File Policy. The quarantine response action was not successful.",
    "message_fields": {
      "file_path": "/etc/pwn"
    }
  },
  {
    "timestamp": "2019-04-17T20:24:57.721065524Z",
    "name": "File Policy Example",
    "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
    "message": "unable to open original path /etc/pwn: open /etc/pwn: no such file or directory",
    "message_fields": {
      "action_type": "quarantine",
      "action_target_type": "file",
      "action_result": "not successful",
      "action_result_details": "open /etc/pwn: no such file or directory"
    }
  }
],
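The two points above, the $ALERT_UUID-$ORIGINAL_FILENAME naming of quarantined files and the possibility that the quarantine action fails, are worth checking programmatically when these alerts are forwarded to a SIEM. The following Python helper is an added example, not code from Sophos or from the sensor: it walks the notifications of an alert, pairs each quarantine action with the file_path notification that shares its uuid, reports failures with their action_result_details, and for successes computes the path where the quarantined file should now sit. It assumes the notifications array is carried inside a top-level alert object, and that a successful action reports action_result "successful" (only the "not successful" value appears on this page). The sample alert is the page's truncated excerpt wrapped in a constructed outer object.

```python
import json
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Directory the sensor moves quarantined files into (documented on this page).
QUARANTINE_DIR = "/.runtimedetections-quarantined"

# Constructed sample: the page's "notifications" excerpt wrapped in a top-level
# object. The outer object is an assumption; the notifications are the page's.
SAMPLE_ALERT = json.loads(r'''
{
  "notifications": [
    {
      "timestamp": "2019-04-17T20:24:57.721065524Z",
      "name": "File Policy Example",
      "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
      "message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", which violated the \"File Policy Example\" File Policy. The quarantine response action was not successful.",
      "message_fields": {"file_path": "/etc/pwn"}
    },
    {
      "timestamp": "2019-04-17T20:24:57.721065524Z",
      "name": "File Policy Example",
      "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
      "message": "unable to open original path /etc/pwn: open /etc/pwn: no such file or directory",
      "message_fields": {
        "action_type": "quarantine",
        "action_target_type": "file",
        "action_result": "not successful",
        "action_result_details": "open /etc/pwn: no such file or directory"
      }
    }
  ]
}
''')


@dataclass
class QuarantineOutcome:
    alert_uuid: str
    file_path: Optional[str]        # original path, if a file_path notification was found
    succeeded: bool
    details: str                    # action_result_details, empty on success
    quarantine_path: Optional[str]  # where the file should be now, only when succeeded


def expected_quarantine_path(alert_uuid: str, file_path: str) -> str:
    """Name the sensor gives a quarantined file: $ALERT_UUID-$ORIGINAL_FILENAME
    inside the quarantine directory."""
    return os.path.join(QUARANTINE_DIR, f"{alert_uuid}-{os.path.basename(file_path)}")


def quarantine_outcomes(alert: Dict) -> List[QuarantineOutcome]:
    """Extract every file-quarantine action from an alert and pair it with the
    file path reported by the notification sharing the same uuid."""
    notes = alert.get("notifications", [])

    # Map alert uuid -> file_path from the violation notification.
    paths: Dict[str, str] = {}
    for n in notes:
        fp = n.get("message_fields", {}).get("file_path")
        uuid = n.get("uuid", "")
        if fp and uuid not in paths:
            paths[uuid] = fp

    outcomes: List[QuarantineOutcome] = []
    for n in notes:
        mf = n.get("message_fields", {})
        if mf.get("action_type") != "quarantine" or mf.get("action_target_type") != "file":
            continue
        uuid = n.get("uuid", "")
        # Assumption: a successful action reports "successful"; the page only
        # shows the "not successful" value, so anything else is treated as failure.
        ok = mf.get("action_result", "").lower() == "successful"
        fp = paths.get(uuid)
        outcomes.append(QuarantineOutcome(
            alert_uuid=uuid,
            file_path=fp,
            succeeded=ok,
            details="" if ok else mf.get("action_result_details", "unknown failure"),
            quarantine_path=expected_quarantine_path(uuid, fp) if ok and fp else None,
        ))
    return outcomes


def failed_quarantines(alert: Dict) -> List[QuarantineOutcome]:
    """The subset a responder must follow up on by hand: the file was flagged
    but is still wherever it was (or already gone)."""
    return [o for o in quarantine_outcomes(alert) if not o.succeeded]


def verify_quarantined(outcome: QuarantineOutcome,
                       exists: Callable[[str], bool] = os.path.exists) -> bool:
    """Confirm a reported success on the host: the renamed file must exist in
    the quarantine directory. `exists` is injectable so this can be tested offline."""
    return outcome.succeeded and outcome.quarantine_path is not None \
        and exists(outcome.quarantine_path)


if __name__ == "__main__":
    for o in quarantine_outcomes(SAMPLE_ALERT):
        status = "quarantined to " + o.quarantine_path if o.succeeded else "FAILED: " + o.details
        print(f"{o.alert_uuid} {o.file_path}: {status}")
```

Running it on the page's alert prints a single FAILED line carrying the "no such file or directory" detail; on a successful alert, verify_quarantined lets a follow-up job confirm the $ALERT_UUID-$ORIGINAL_FILENAME file is actually present before the alert is closed.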