Real-time security monitoring for your servers and workstations. Detect threats, monitor changes, and harden your infrastructure automatically.
The agent runs 14 security monitors on your system, checking for threats, misconfigurations, and changes at configurable intervals.
Parses /var/log/auth.log for failed SSH logins and brute force patterns. Checks sshd_config for PermitRootLogin, PasswordAuthentication, and empty password settings. Alerts on root SSH logins and authorized_keys file changes.
Detects known cryptominers (xmrig, minerd, kdevtmpfsi, kinsing) and reverse shell patterns (bash -i, nc -e, python -c). Flags binaries running from suspicious paths like /var/tmp. Reports zombie processes and high CPU usage.
Runs ss -tlnp to track listening ports and alerts when new ports are opened. Monitors ESTABLISHED connections and reports changes to the network state.
Computes checksums for critical files: /etc/passwd, /etc/shadow, /etc/group, /etc/sudoers, /etc/hosts, /etc/crontab, and /etc/ld.so.preload. Alerts when file hashes change. Scans for world-writable files and SUID binaries.
Checks firewall status (ufw, iptables, nftables), disk encryption (LUKS/dm-crypt), AppArmor/SELinux enforcement, and kernel security parameters (ASLR, ip_forward, source routing, ICMP redirects, dmesg_restrict, hardlink/symlink protection). Audits password policies in /etc/login.defs.
Counts running and stopped containers. Inspects containers for privileged mode and reports exposed ports.
Reports usage percentage, free space, and total size for each mounted partition. Tracks changes over time so you can spot filling disks early.
Reads journalctl output for error spikes in the last minute. Detects kernel panics, oops, and bug messages. Alerts when error rates are unusually high.
Scans /sys/bus/usb/devices to inventory connected USB devices. Alerts on new device connections and disconnections.
Lists all installed packages via dpkg or rpm with version and architecture. Checks for available security updates using apt. Alerts when the package cache is stale or when packages are installed/removed.
Monitors /etc/crontab and /var/spool/cron/crontabs for modifications. Alerts when scheduled tasks are added or changed.
Tracks sudo commands with user and command details, su session changes, and PAM authentication failures. Logs failed login attempts across services.
Lists active and failed systemd services via systemctl. Alerts when a service enters a failed state.
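The sshd_config check described in the SSH monitor above can be sketched as follows. This is an added example, not the agent's own code; it assumes upstream OpenSSH defaults for absent keywords, does not follow Include directives, and audits only the global section (settings inside Match blocks are not evaluated). The sample configuration is constructed.

```python
import re

# keyword -> (upstream OpenSSH default when absent, values reported as findings)
# Assumption: distro builds may ship different defaults.
AUDITED = {
    "PermitRootLogin": ("prohibit-password", {"yes"}),
    "PasswordAuthentication": ("yes", {"yes"}),
    "PermitEmptyPasswords": ("no", {"yes"}),
}
BY_LOWER = {name.lower(): name for name in AUDITED}

def effective_settings(config_text):
    """Return the global value sshd would use for each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks follow; the global section ends here
        if len(parts) < 2 or not parts[1].strip():
            continue
        value = parts[1].split()[0].strip('"')
        # sshd keeps the first value it reads for a keyword, so a later
        # duplicate line does not override an earlier one.
        if key in BY_LOWER and BY_LOWER[key] not in seen:
            seen[BY_LOWER[key]] = value
    return {name: seen.get(name, default) for name, (default, _) in AUDITED.items()}

def audit(config_text):
    """Return sorted 'Keyword=value' findings for risky effective settings."""
    settings = effective_settings(config_text)
    return sorted(f"{k}={v}" for k, v in settings.items() if v in AUDITED[k][1])

# Constructed sample, not taken from a real host.
SAMPLE = """\
PermitRootLogin no
passwordauthentication = yes
PermitRootLogin yes
Match User backup
    PermitEmptyPasswords yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("ALERT:", finding)
```

The duplicate PermitRootLogin line in the sample is ignored because the first occurrence wins, which is why a naive "last line wins" check can report the wrong state.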
Deploy the agent in under 60 seconds. No complex configuration required.
Run a single command to download and install the agent on your server. Supports all major Linux distributions.
Link the agent to your SecurityScanner.ai account with one command. The agent securely authenticates with our API.
View security events, alerts, and system health from your dashboard at securityscanner.ai/endpoint-security.
curl -sSL https://agent.securityscanner.ai/install.sh | sudo bash
Requires root privileges. Supports Ubuntu 20.04+, Debian 11+, CentOS 8+, RHEL 8+, and Amazon Linux 2+.
Choose your platform and start monitoring in minutes.
Endpoint security monitoring is available across all plans.