Response Actions
Spyderbat’s Policy Response Actions provide a powerful mechanism for responding to security events and deviations within your environment. These actions allow you to automate responses, enforce security policies, and maintain operational integrity. Response actions fall into two main categories: Agent and Standard.
Categories of Response Actions
Agent Response Actions:
Purpose: These actions are executed directly on machines where the Spyderbat Nano Agent is installed.
Targeted Scope: They allow for machine-specific responses.
Examples:
Kill a process.
Kill a pod.
Kill a process tree.
Renice a process.
Standard Response Actions:
Purpose: These actions generate security and operations flags.
Insights: They provide visibility into policy violations or anomalies. They serve as alerts that can be further processed by other systems or personnel.
Examples:
Creating red flags. (Security focused, can trigger Spydertraces)
Creating operations flags. (Operations focused, highlight potential problems with infrastructure)
Actions
Response actions are defined within the spec field of policies.
For Example:
The default section contains global actions that apply to the entire policy. Whenever a deviation occurs, default actions are taken if applicable.
The actions section allows you to define more specific actions with selectors that narrow the scope of when the action should be executed.
makeRedFlag Action
This action makes a security flag. The ultimate consumers of these types of flags are security personnel investigating an anomaly. They can trigger Spydertraces and/or be used to trigger notifications.
Fields
severity: The priority level of the red flag. Can be critical, high, medium, low, or info.
impact: [Optional] A string describing the security impact should the flag be generated.
content: [Optional] A string containing markdown that can detail next steps or who to contact.
Example:
makeOpsFlag Action
This action makes an operations flag. The ultimate consumers of these types of flags are operations personnel responsible for maintaining infrastructure.
Fields
severity: The priority level of the operations flag. Can be critical, high, medium, low, or info.
impact: [Optional] A string describing the operations impact should the flag be generated.
content: [Optional] A string containing markdown that can detail next steps or who to contact.
Example:
agentKillPod
This action tells the Spyderbat Nano Agent to kill the pod in which a deviant process is running.
Examples:
Kill pods running deviant netcat processes.
Kill all pods with deviations
agentKillProcess
This action tells the Spyderbat Nano Agent to kill a deviant process.
Examples:
Kill deviant processes running the /bin/bash executable.
Kill all deviant processes
agentKillProcessGroup
This action kills a process and any other processes within the same process group (pgid).
Examples:
Kill process group of deviant processes running the /bin/bash executable.
Kill all deviant processes and their associated groups.
agentKillProcessTree
This action instructs the Spyderbat Nano Agent to kill a deviant process along with its descendants (child processes). It is used to terminate a process tree, ensuring that both the specified parent process and all its child processes are killed.
Examples:
Kill a deviant process and all its descendants:
This example demonstrates how to use the agentKillProcessTree action to kill a deviant process along with its child processes. In this case, the process to be killed is the one running /bin/bash, and all descendant processes are also terminated.
Kill all deviant processes and their descendants:
This configuration will kill all deviant processes and their child processes without specifying any selectors.
agentReniceProcess
This action allows the Spyderbat Nano Agent to adjust the priority of deviant processes by "renicing" them. The process's priority (or "nice value") can be changed to either increase or decrease its CPU scheduling priority.
Priority Range: The priority value is a string that specifies the new priority (or "nice value") for the process. The valid range for priority is -20 to 19, where:
-20 is the highest priority (more CPU time),
19 is the lowest priority (less CPU time).
Note: The default nice value for a process in Linux is 0.
Examples:
Renice a deviant process by changing its priority:
To adjust the priority of a specific deviant process, use the agentReniceProcess action. In this example, the priority of a deviant process running the /bin/bash executable is set to 20, which is a lower priority.
Renice a specific process by name:
This example shows how to renice a process running the ping command. The priority is set to -1.
Renice all deviant processes:
To renice all deviant processes to a specific priority you can configure the action as follows:
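As an added example (not Spyderbat's own code or schema), the following lint pass checks the response-action fields documented on this page before a policy is applied: flag severities must be one of the five listed values, and an agentReniceProcess priority must be an integer string inside the -20 to 19 nice range. The policy layout it walks (spec.default and spec.actions as lists of single-key mappings {actionName: fields}) is an assumption drawn from the description above; selector fields are passed through unchecked because the page does not name them.

```python
# Assumed policy layout (not Spyderbat's schema): spec.default and spec.actions
# are lists of single-key mappings {actionName: {field: value}}.
SEVERITIES = {"critical", "high", "medium", "low", "info"}
FLAG_ACTIONS = {"makeRedFlag", "makeOpsFlag"}
AGENT_ACTIONS = {"agentKillPod", "agentKillProcess", "agentKillProcessGroup",
                 "agentKillProcessTree", "agentReniceProcess"}
NICE_MIN, NICE_MAX = -20, 19  # nice range documented above

def validate_action(entry, where):
    """Return the problems found in one {actionName: fields} entry."""
    if not isinstance(entry, dict) or len(entry) != 1:
        return [f"{where}: expected a single-key mapping"]
    (name, fields), = entry.items()
    fields = fields or {}
    errors = []
    if name in FLAG_ACTIONS:
        sev = fields.get("severity")
        if sev not in SEVERITIES:
            errors.append(f"{where}.{name}.severity: {sev!r} not in {sorted(SEVERITIES)}")
        for opt in ("impact", "content"):  # optional, but must be strings when given
            if opt in fields and not isinstance(fields[opt], str):
                errors.append(f"{where}.{name}.{opt}: must be a string")
    elif name == "agentReniceProcess":
        prio = fields.get("priority")  # documented as a string holding the nice value
        try:
            value = int(str(prio))
        except ValueError:
            errors.append(f"{where}.{name}.priority: {prio!r} is not an integer string")
        else:
            if not NICE_MIN <= value <= NICE_MAX:
                errors.append(f"{where}.{name}.priority: {value} outside {NICE_MIN}..{NICE_MAX}")
    elif name not in AGENT_ACTIONS:
        errors.append(f"{where}: unknown action {name!r}")
    return errors

def validate_policy(policy):
    """Walk spec.default and spec.actions and collect every problem."""
    spec = policy.get("spec", {})
    errors = []
    for section in ("default", "actions"):
        for i, entry in enumerate(spec.get(section, [])):
            errors.extend(validate_action(entry, f"spec.{section}[{i}]"))
    return errors

# Constructed sample: one valid red flag, one bad severity, one out-of-range nice value.
SAMPLE_POLICY = {"spec": {
    "default": [{"makeRedFlag": {"severity": "high", "impact": "Unexpected shell"}}],
    "actions": [{"makeOpsFlag": {"severity": "urgent"}},
                {"agentReniceProcess": {"priority": "20"}}],
}}
```

Running validate_policy(SAMPLE_POLICY) reports the unknown severity and the out-of-range priority while accepting the valid red flag, so a policy with a misspelled level or a nice value the agent cannot apply is caught before it is deployed.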