Skip to main content

Host security

The agent watches a few security-relevant signals on the host, all read-only.

SSH brute-force rate

On systemd hosts the journal probe reads new auth entries by cursor (no shell, and the log identifiers are validated against injection) and counts failed and accepted logins into rate metrics such as svc.ssh.auth_fail_rate and svc.ssh.accepted_rate. On non-systemd hosts the same numbers come from logtail over the auth log. A brute-force attack shows up as a spike in the failure rate.

File integrity monitoring

The file probe can hash a file's content and the agent diffs that hash across runs. When it changes, the agent raises a kind=integrity event. The default set covers /etc/passwd, /etc/shadow, /etc/group, /etc/sudoers, and service configs such as sshd_config. A useradd or an edited sudoers file surfaces as an integrity event.

Open ports

Listening ports are already discovery facts (kind=port) with the owning process, so the open-port surface of a host is visible in inventory without a separate scan.

Anomaly detection

The on-agent anomaly scorer (see Overview) also applies here: an unusual sustained change in these rates can raise an anomaly event on its own, locally, with no server cost.

Hardening scan

Planned

A CIS and Lynis style hardening scan (host security posture as findings, feeding compliance reporting) is planned. The definitions would be signed and exec stays allow-listed with no raw shell, as everywhere else. The SSH-rate, FIM, and open-port signals above are live today.