Host security
The agent watches a few security-relevant signals on the host, all read-only.
SSH brute-force rate
On systemd hosts the journal probe reads new auth entries by cursor (no shell, and the
log identifiers are validated against injection) and counts failed and accepted logins
into rate metrics such as svc.ssh.auth_fail_rate and svc.ssh.accepted_rate. On
non-systemd hosts the same numbers come from logtail over the auth log. A brute-force
attack shows up as a spike in the failure rate.
File integrity monitoring
The file probe can hash a file's content and the agent diffs that hash across runs. When
it changes, the agent raises a kind=integrity event. The default set covers
/etc/passwd, /etc/shadow, /etc/group, /etc/sudoers, and service configs such as
sshd_config. A useradd or an edited sudoers file surfaces as an integrity event.
Open ports
Listening ports are already discovery facts (kind=port) with the owning process, so the
open-port surface of a host is visible in inventory without a separate scan.
Anomaly detection
The on-agent anomaly scorer (see Overview) also applies here: an unusual sustained change in these rates can raise an anomaly event on its own, locally, with no server cost.
Hardening scan
A CIS and Lynis style hardening scan (host security posture as findings, feeding compliance
reporting) is planned. The definitions would be signed and exec stays allow-listed with
no raw shell, as everywhere else. The SSH-rate, FIM, and open-port signals above are live
today.