إنتقل إلى المحتوى الرئيسي

Host isolation

What this page is

The response action that quarantines a Linux endpoint at the operator's command. Covers the nftables ruleset the sensor installs, the exceptions it preserves, and the contract the isolation can be undone idempotently.

Why it exists this way

Architecture Section 7.5 specifies host isolation as the first response action because it is reversible, well-bounded, and does not require the analyst to ssh into the host. Existing production responders (osquery, Carbon Black) use the same posture; the AuroraSOC sensor matches it so operators see familiar behaviour.

nftables was chosen over iptables because it is the modern Linux firewall surface, supports atomic transactions on the table level, and is the only path that works on hosts where the iptables shim is missing.

How it works

The implementation lives in edr_linux::isolation. The module wraps the nft CLI, creating an aurorasoc inet table with one input chain that drops by default. Exception rules preserve:

  • Loopback traffic (iif lo) so local diagnostics keep working.
  • Established or related flows so the Collector connection itself survives the isolation switch and the operator can unisolate over the same channel.
  • Outbound traffic to the Collector IP (allow-listed).
  • Optionally DNS (UDP 53) and DHCP (UDP 67/68) so the host can still acquire an address and resolve the Collector hostname.

isolation::isolate() is idempotent: running it twice in a row produces the same final ruleset. isolation::unisolate() deletes the table in one atomic nft delete table which removes every rule the sensor installed without affecting any other ruleset on the host. isolation::is_isolated() is the probe operators use to query state.

What goes wrong

  • IsolationError::NftCommand, nft not on PATH, or it returned non-zero. The sensor logs the stderr verbatim and returns a typed error to the operator console. Common fix: install nftables on the host.
  • IsolationError::ParseError, unexpected nft output during is_isolated. The table either exists or does not; parser failures are rare and indicate an nft version drift worth filing against ADR 007.