Tamper protection ensures that an Endpoint Detection & Response (EDR) sensor cannot be stopped or manipulated by a malicious actor with access to an endpoint. Linux EDR sensors don’t usually contain tamper protection, as this is primarily a Windows functionality. This is complicated to implement on Linux systems for a variety of reasons.
A specific technical example to show the complexities around this is the
<KILL> command in Linux, which sends a signal to a process running on an endpoint. Used with the
<SIGKILL> flag, the kill command can immediately terminate a given process on an endpoint.
<SIGKILL>signals are incredibly destructive and will terminate a process regardless of what the process wishes to do with the signal. There is no way to intercept these situations on Linux endpoints.
You would need root access on a Linux endpoint to interfere with services. Anyone with this access on Linux is essentially “super admin” and can perform any action on the system. Red Canary is designed to detect behavioral activity considerably earlier in the attack chain, well before an attacker gains root access to an endpoint.
We recommend that customers focus on hardening their endpoints based on industry standards to protect root/sudo privileges on their production Linux endpoints.
For more information regarding Linux security, please download: 15 critical tactics for protecting Linux from cyber attacks