How CrowdStrike Protects Linux Hosts
Introduction
CrowdStrike provides proven endpoint security through a cloud delivered platform via a single lightweight agent that supports all workloads and platforms including Windows, Mac, Linux and mobile devices. In this article and demonstration, we will look at a sample of the preventions available specifically for your Linux platform.
CrowdStrike’s Falcon Sensor for Linux has both kernel-mode and user-mode components, which gives it broad visibility into the host and a wide range of prevention capabilities. It does not require a specific kernel version to enable protection.
How to use CrowdStrike Prevention Policies for Linux
Under Configuration – Prevention Policies, you can define separate policies for Windows, Mac and Linux. Once a policy is configured, it is assigned to one or more defined host groups, and every host in those groups receives it.
To quickly view detections for Linux, go to Activities – Detections and filter by “Platform” to show only Linux detections. The color of the icon shows the severity of each detection, and the green badge marks the detections where the activity was actually prevented rather than only detected.
This detection shows a file whose execution was prevented by CrowdStrike’s cloud machine learning engine. That engine is continuously tuned and improved to provide timely and reliable malware detection without the need to manage and update signature files. The “Execution Details” include the key facts about the file: the process ID, file path, hash and prevalence (how widely the same hash has been seen).
How to Define Custom Hash Preventions with CrowdStrike
In addition to the built-in protections, CrowdStrike gives customers the ability to define their own preventions by file hash. Under Configuration – Prevention Hashes, there is an option to upload individual hashes or a list of hashes. Each new list is given a name and the operating system it applies to.
For each list, there is a prompt to specify the action to be taken, either “Always Block” or “Never Block”. This provides both block-listing and allow-listing. Keep in mind that a hash matches one exact file: a recompiled or otherwise modified copy has a different hash and is not covered by the entry, and a “Never Block” entry exempts that exact file from the other preventions, so allow-list entries deserve the same review as block-list entries.
Detections associated with hash preventions are identified as “Custom Intelligence via Indicator of Compromise”.
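The following script is an added example, not CrowdStrike code, showing how a practitioner would build the list to upload: it hashes a set of files, collapses identical copies to one entry, and demonstrates that a one-byte change to a file yields an entirely different hash. It assumes Falcon identifies files by SHA-256 and accepts one lowercase hex hash per line; confirm both against the upload dialog in your console. The sample files are constructed in a temporary directory.

```python
"""Build a hash list for a Falcon "Prevention Hashes" upload.

Added example, not CrowdStrike's code. Assumptions (verify in the console):
Falcon matches files by SHA-256 and the upload is one lowercase hex hash per line.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple


def sha256_bytes(data: bytes) -> str:
    """Lowercase hex SHA-256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: os.PathLike, chunk_size: int = 1 << 20) -> str:
    """Lowercase hex SHA-256 of a file, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_hash_list(paths: Iterable[os.PathLike]) -> List[str]:
    """Hash each regular file; identical copies collapse to a single entry."""
    return sorted({sha256_file(p) for p in paths if Path(p).is_file()})


def write_hash_list(hashes: Iterable[str], out_path: os.PathLike) -> None:
    """Write one hash per line (assumed upload format)."""
    Path(out_path).write_text("\n".join(hashes) + "\n")


def demo() -> Tuple[List[str], List[str]]:
    """Hash three constructed sample files and return (unique hashes, file lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed samples: two byte-identical copies and a one-byte variant.
        (root / "dropper").write_bytes(b"\x7fELF sample payload v1\n")
        (root / "dropper_copy").write_bytes(b"\x7fELF sample payload v1\n")
        (root / "dropper_v2").write_bytes(b"\x7fELF sample payload v2\n")
        hashes = build_hash_list(root.iterdir())
        write_hash_list(hashes, root / "block.txt")
        lines = (root / "block.txt").read_text().splitlines()
    return hashes, lines


if __name__ == "__main__":
    unique, _ = demo()
    # Three files but only two hashes: the copy is covered, the v2 variant is not.
    print(f"{len(unique)} unique hashes from 3 files:")
    for h in unique:
        print(h)
```

The two-entries-from-three-files result is the point: the byte-identical copy is caught by the same hash, while the variant that differs by one byte needs its own entry, which is why hash preventions complement rather than replace the behavioral rules described next.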
How to Define Custom Behavioral Preventions with CrowdStrike
Customers can also define their own behavioral indicators. This allows customers to create prevention rules tailored to their applications and environment. Under Configuration – Custom IOA Rule Groups, rule groups are defined per platform, which gives granular control over how these behavioral rules are applied to your endpoints.
For each new rule, there are options for action, severity, name and description. For this example, we have defined the details of the rule using regex syntax to block users from reading or changing /etc/passwd from the command line. Because the rule is a pattern match on what the process was launched with, it is worth testing the expression against both the command lines you want to block and the legitimate ones you do not, before setting the action to block.
These behavioral preventions are identified as “Custom Intelligence via Indicator of Attack”.
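As an added example, not part of the original article or CrowdStrike’s own tooling, the following script dry-runs two candidate regexes for the /etc/passwd rule against a constructed set of Linux command lines. It assumes the Custom IOA rule is evaluated against the full process command line and that the console’s regex dialect supports the constructs used here (`\s`, `^`, `$`, alternation); confirm both in the rule editor before relying on it.

```python
"""Dry-run a command-line regex before turning it into a Custom IOA rule.

Added example, not CrowdStrike's code. Assumptions: the rule matches on the
full process command line, and the console's regex dialect accepts \\s, ^, $
and alternation as Python's re module does.
"""
import re
from typing import Dict, List

# Constructed sample command lines, as a sensor would observe them.
SAMPLES: List[str] = [
    "cat /etc/passwd",                       # read: should block
    "vi /etc/passwd",                        # edit: should block
    "sed -i 's/^bob:/bob2:/' /etc/passwd",   # in-place change, path is last arg
    "cp /etc/passwd /tmp/p",                 # copy, path is a middle arg
    "passwd alice",                          # legitimate: admin resets a password
    "cat /usr/share/doc/passwd/README",      # legitimate: 'passwd' in another path
    "cat /etc/passwd-",                      # backup copy, different file name
    "cat /etc/./passwd",                     # same file via a non-canonical path
]

# Naive rule: any command line that mentions "passwd" at all.
NAIVE = r"passwd"
# Tightened rule: the literal path as a whole argument (preceded by start or
# whitespace, followed by whitespace or end).
TIGHT = r"(^|\s)/etc/passwd(\s|$)"


def matches(pattern: str, cmdline: str) -> bool:
    """True if the rule regex is found anywhere in the command line."""
    return re.search(pattern, cmdline) is not None


def evaluate(pattern: str, samples: List[str] = SAMPLES) -> Dict[str, bool]:
    """Map each sample command line to whether the pattern would fire on it."""
    return {s: matches(pattern, s) for s in samples}


def hits(pattern: str, samples: List[str] = SAMPLES) -> List[str]:
    """Only the command lines the pattern would block."""
    return [s for s, fired in evaluate(pattern, samples).items() if fired]


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE), ("tight", TIGHT)):
        print(f"--- {name}: {pattern}")
        for cmd, fired in evaluate(pattern).items():
            print(f"  {'BLOCK' if fired else '     '}  {cmd}")
```

The naive pattern blocks `passwd alice`, a routine administrative action, and the tightened pattern does not. The last two samples show the limits of matching on the command line alone: `/etc/passwd-` is a different file name and escapes the tightened pattern by design, and `/etc/./passwd` reaches the same file through a path the regex does not recognize. Decide deliberately which of these you want covered (for example by allowing an optional `./` segment) rather than discovering the gap from a detection that never fired.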
How to Protect Linux Containers with CrowdStrike
All of the prevention capabilities reviewed in this article were shown on a Linux server. The same prevention capabilities are also supported for container workloads. For a process running in a container, the execution details include the specific container ID along with the same detailed information about the host and the executable, so a detection can be traced to both the node and the container it came from.
Closing
CrowdStrike’s Linux protection offers industry-leading machine learning capabilities while giving organizations the flexibility to add their own preventions, based on both hashes and behaviors, to meet even the most specific environmental requirements.