Advanced Linux threats Monitoring

In this article, we will discuss Unix\Linux’s standard Monitoring capabilities and will present Cyray’s unique developments that expand and upgrade Linux Monitoring Capabilities. These capabilities are being deployed at our customer’s monitored environment.

TrendMicro’s article “A Look at Linux”, discusses how Linux has become an attractive target for attackers, as well as how it is prone to a variety of threats and risks. The authors discuss a few main risks and threats including vulnerabilities, misconfigurations and security gaps, and malware.

The total number of publicly exposed FTP servers according to a Shodan search performed on January 5, 2021

As part of the increasing demand for visibility of the organization systems, some of the most significant black holes are the Linux\Unix activities and the ability to track them.

A large portion of the core components and critical systems in the organization will have a Linux operating system, for example:

Network components – Switches/routers FW \ IPS \ WAF

Virtualization – Vmware \ ESX \ Dockers

At Cyray`s, we have taken the essential data at all levels and developed unique new monitoring capabilities (Linux CLI).

OS Audit :

Change passwords of existing accounts
Unlock or un-expire locked or expired accounts
Create new accounts
Delete accounts
Delete log files
Change log files
Delete or change system configuration files
USB Drive connections
Mount activities

Linux CLI:

We have developed a unique capability of collecting all the user’s commands that run on the operating system and receive them in the SIEM system with a log enriched with a lot of additional information. This allows us to provide our customers with a much more robust defense capability in addition to OS AUDIT:

Each Log will supply the following fields: