Linux

The LimaCharlie Linux sensor interfaces with the kernel to acquire deep visibility into the host's activity while taking measures to preserve the host's performance. We make full use of eBPF, which requires Linux 4.4 or above.

The Sensor current supports all Linux distributions (including ARM and MIPS).

Installation Instructions

Sensor installation instructions can be found here.

Supported Events

• AUTORUN_CHANGE
• CLOUD_NOTIFICATION
• CODE_IDENTITY
• CONNECTED
• DATA_DROPPED
• DNS_REQUEST
• EXEC_OOB
• FIM_HIT
• HIDDEN_MODULE_DETECTED
• MODULE_LOAD
• MODULE_MEM_DISK_MISMATCH
• NETWORK_CONNECTIONS
• NETWORK_SUMMARY
• NEW_PROCESS
• NEW_TCP4_CONNECTION
• NEW_UDP4_CONNECTION
• NEW_TCP6_CONNECTION
• NEW_UDP6_CONNECTION
• PROCESS_ENVIRONMENT
• RECEIPT
• SERVICE_CHANGE
• SHUTTING_DOWN
• STARTING_UP
• TERMINATE_PROCESS
• TERMINATE_TCP4_CONNECTION
• TERMINATE_UDP4_CONNECTION
• TERMINATE_TCP6_CONNECTION
• TERMINATE_UDP6_CONNECTION
• USER_OBSERVED
• YARA_DETECTION

Supported Commands

• artifact_get
• deny_tree
• dir_find_hash
• dir_list
• dns_resolve
• exfil_add
• exfil_del
• exfil_get
• file_del
• file_get
• file_hash
• file_info
• file_mov
• fim_add
• fim_del
• fim_get
• hidden_module_scan
• history_dump
• mem_find_string
• mem_map
• mem_read
• mem_strings
• netstat
• os_kill_process
• os_processes
• os_resume
• os_suspend
• os_services
• os_version
• pcap_ifaces
• put
• rejoin_network
• restart
• run
• segregate_network
• set_performance_mode
• yara_scan
• yara_update

Artifacts

Given configured paths to collect from, the Linux sensor can batch upload logs / artifacts directly from the host.

Learn more about collecting Artifacts here.

Payloads

For more complex needs not supported by Events, Artifacts, or Commands, it's possible to execute payloads on hosts via the Linux sensor.

Learn more about executing Payloads here.