
How CrowdStrike Protects Linux Hosts

CrowdStrike Tech Center

Introduction

CrowdStrike provides proven endpoint security through a cloud-delivered platform and a single lightweight agent that supports all workloads and platforms, including Windows, Mac, Linux and mobile devices. In this article and demonstration, we look at a sample of the preventions available specifically for the Linux platform.

CrowdStrike’s Falcon Sensor for Linux supports both kernel mode and user mode to provide a broad range of support and functionality. It does not require specific kernel versions to enable protection.


How to use CrowdStrike Prevention Policies for Linux

Under Configuration – Prevention Policies, you will see an option to define policies for Windows, Mac and Linux. Once configured, those policies can be assigned to defined groups of systems.

[Screenshot: Linux prevention policies]

To quickly view detections for Linux, you can go to Activities – Detections, and filter by “Platform” to show only Linux detections. The color of the icon shows the criticality of each detection while the green badge highlights those events that were prevented.

[Screenshot: detections filtered to the Linux platform]

This detection illustrates a file that was prevented by CrowdStrike’s cloud machine learning engine. That engine is constantly tuned and improved to provide timely and reliable malware detection without the need to manage and update signature files. The “Execution Details” include key information about the file including the process ID, file path, hash and prevalence.

[Screenshot: Linux machine learning detection]

How to Define Custom Hash Preventions with CrowdStrike

In addition to the built-in protections, CrowdStrike gives customers the ability to define their own preventions by hash. Under Configuration – Prevention Hashes, there is an option to upload individual hashes or lists of hashes. The new list is assigned a name and applicable operating system.

[Screenshot: Linux hash blacklist upload]

For each list, there is a prompt to specify the action to be taken, including “Always Block” or “Never Block”. This provides both whitelisting and blacklisting capabilities.

Detections associated with hash preventions are identified as “Custom Intelligence via Indicator of Compromise”.

[Screenshot: Linux hash IOC detection]

How to Define Custom Behavioral Preventions with CrowdStrike

Customers can also define their own behavioral indicators, which lets them create prevention rules tailored to their applications and environment. Under Configuration – Custom IOA Rule Groups, rule groups are defined per platform, allowing granular control over how these behavioral rules are applied to your endpoints.

[Screenshot: Linux custom IOA rule groups]

For each new rule, there are options for action, severity, name and description. For this example, we have defined the details of the rule using regex syntax to block users from accessing or changing the /etc/passwd file from the command line.

[Screenshot: Linux custom IOA rule definition]

These behavioral preventions are identified as “Custom Intelligence via Indicator of Attack”.

[Screenshot: Linux custom IOA prevention]
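As an added illustration (not CrowdStrike's code, rule syntax or engine; the regex, hash values and process events below are constructed for this example), here is a small Python model of how the two custom rule types from this article, an uploaded hash list and a regex-based command-line IOA for /etc/passwd, would be evaluated against sample process events:

```python
import hashlib
import re

# Constructed stand-ins for hashes uploaded under Configuration -
# Prevention Hashes; they are not real indicators.
MALICIOUS_SHA256 = hashlib.sha256(b"constructed malicious sample").hexdigest()
TRUSTED_SHA256 = hashlib.sha256(b"constructed trusted tool").hexdigest()

# Each uploaded hash carries the action chosen in the console.
HASH_RULES = {MALICIOUS_SHA256: "Always Block", TRUSTED_SHA256: "Never Block"}

# Custom IOA modelled on the article's example: a regex over the process
# command line catching reads or edits of /etc/passwd from the shell.
# The lookahead after the path stops /etc/passwd- and /etc/passwd.bak from
# matching, and \b stops a tool such as "catalog" from matching "cat".
PASSWD_IOA = re.compile(
    r"^\s*(?:sudo\s+)?(?:cat|less|more|vi|vim|nano|sed|tee)\b"
    r".*\s/etc/passwd(?=\s|$)"
)


def hash_verdict(sha256: str) -> str:
    """Return 'block', 'allow' (explicit Never Block) or 'no-match'."""
    action = HASH_RULES.get(sha256)
    if action == "Always Block":
        return "block"
    if action == "Never Block":
        return "allow"
    return "no-match"


def ioa_matches(cmdline: str) -> bool:
    """True when the command line trips the /etc/passwd custom IOA."""
    return PASSWD_IOA.search(cmdline) is not None


def triage(events):
    """Label each constructed event {'sha256', 'cmdline'} with the detection
    name the console shows. Checking the hash list before behaviour is this
    model's choice, not a statement about the sensor's rule precedence."""
    labels = []
    for ev in events:
        if hash_verdict(ev["sha256"]) == "block":
            labels.append("Custom Intelligence via Indicator of Compromise")
        elif ioa_matches(ev["cmdline"]):
            labels.append("Custom Intelligence via Indicator of Attack")
        else:
            labels.append("no custom rule")
    return labels
```

Tuning the regex against benign command lines before deploying a rule with a blocking action is the step that matters most: an over-broad pattern here prevents legitimate administration as readily as misuse.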

How to Protect Linux Containers with CrowdStrike

All of the prevention capabilities reviewed in this article were shown on a Linux server. However, the same prevention capabilities are also supported with container workloads. In the case of a container, the execution details include the specific container ID along with the same detailed information about the host and executable.

[Screenshot: Linux container prevention]

Closing

CrowdStrike’s Linux protection offers industry-leading machine learning capabilities while providing organizations with the flexibility to customize their own detections based on both hashes and behaviors, to meet even the most specific environmental requirements.
