Glossary
This glossary defines key concepts used throughout LinuxGuard documentation.
Access Pattern
Recurring behavior profile for a user or service account, built from login times, source locations, and accessed resources. LinuxGuard establishes access pattern baselines over an observation period and surfaces deviations that may indicate compromised credentials or insider threat. See Identity Intelligence.
Active Response
Automated containment action executed by LinuxGuard when a playbook's trigger conditions are met. Active responses require triple opt-in (playbook enabled, scope confirmed, blast radius set) and produce an audited action history with automatic timeout-based rollback. See Active Response.
Attribution Confidence
Reliability level for process attribution showing how LinuxGuard identified the process behind a security event. HIGH confidence uses eBPF kernel-level tracing, MEDIUM uses /proc filesystem parsing, and LOW uses fallback methods when the primary sources are unavailable. See Console Overview.
Authentication Event
A record of a login attempt (success or failure) with method, source IP, username, and timestamp. LinuxGuard collects authentication events from syslog, journald, and utmp/wtmp/btmp logs. See Console Overview.
Authentication Method
Login mechanism used for system access: password, publickey, keyboard-interactive, or GSSAPI. Captured during authentication event collection and displayed in the console. See Console Overview.
Behavioral Baseline
Statistical model of normal activity for a user or service account, derived from observed login times, source IPs, and command patterns over a learning period. LinuxGuard uses behavioral baselines to identify anomalous access that deviates from established norms. See Identity Intelligence.
Blast Radius
System-enforced limit on how many servers a playbook's containment action can affect in a single trigger event. Blast radius is configured as a hard cap during playbook setup and cannot be exceeded at runtime, even if more servers match the trigger condition. See Active Response.
Brute Force Detection
Automated detection of credential stuffing and targeted attack patterns in authentication events. LinuxGuard analyzes login attempts to identify suspicious patterns like many users from few IPs or one user from many IPs. See Console Overview.
Compliance Score
Measure of adherence to security compliance frameworks with pass/fail/not-applicable check counts. LinuxGuard evaluates compliance at both fleet-wide and per-server levels against enabled frameworks. See Console Overview.
Config Drift
Unexpected changes to server configurations detected by comparing against baselines. Tracked across six component types: Accounts, Groups, Sudo, SSH, SSHD, and SSH Keys. See Console Overview.
Configuration File Write Detection
eBPF-based monitoring of writes to security-critical files including sudoers, sshd_config, passwd, shadow, and authorized_keys. This feature may not be visible until enabled by your LinuxGuard administrator. See Security Architecture.
Containment Action
Specific automated response step executed by a playbook: lock account, kill sessions, disable SSH key, or revoke sudo. Each containment action is reversible (except kill sessions) via automatic timeout rollback or manual console rollback. See Active Response.
Credential Stuffing
Brute force pattern in which an attacker tries many usernames from one or a few source IPs. Indicates that the attacker is testing credential lists against the system. See Console Overview.
Cron Job
Scheduled task defined in user or system crontab files, executed at specified intervals. LinuxGuard inventories cron jobs as part of NHI automation monitoring. See Console Overview.
Delivery Channel
Mechanism through which LinuxGuard sends alert notifications: webhook (HTTP POST to a custom endpoint), syslog (RFC 3164 or RFC 5424 UDP/TCP/TLS forwarding), or Splunk HEC (native Splunk HTTP Event Collector integration). Each notification rule specifies one delivery channel. See Alerting & SIEM Integration.
Detractor
Risk factor that increases a posture score, such as no password expiry, unencrypted SSH key, or weak authentication configuration. Detractors have configurable weights affecting overall score calculation. See Console Overview.
eBPF Access Monitoring
Kernel-level tracing of openat syscalls to track file read/write access with process attribution. LinuxGuard uses eBPF to capture file access events at the kernel layer without requiring kernel modules. See Security Architecture.
Environment
Named server grouping (e.g., production, staging, development) assigned during enrollment using the --environment flag. Environments help organize servers and filter console views by deployment stage. See Agent Commands.
Exfiltration Detection
Pattern recognition for data theft via local copy or network transfer. LinuxGuard analyzes file system events to identify potential data exfiltration activities. See Console Overview.
Factor Weight
Configurable importance assigned to individual detractors and mitigators in posture scoring. Administrators can adjust weights for 127 factors across five object types to match organizational priorities. See Console Overview.
File Baseline
Known-good state of a file including hash, permissions, and ownership used to detect changes. LinuxGuard compares current file state against baselines to identify configuration drift. See Console Overview.
File Monitoring
Real-time tracking of file system changes (create, modify, delete, rename) and access events. Administrators configure which files and folders the agent monitors via console settings. See Console Overview.
Fleet Aggregation
Method for combining server scores into fleet-level scores: weighted average, worst case, or percentile. Configurable in posture scoring settings to match organizational risk tolerance. See Console Overview.
GeoIP Enrichment
Agent-side IP geolocation identifying source country and region for authentication events. LinuxGuard enriches login events with geographic information to help identify suspicious access patterns. See Console Overview.
Identity
Unified representation of a user or service account aggregated across all enrolled servers. LinuxGuard builds an identity by linking authentication events, SSH keys, sudo rules, and NHI automation entries from every server where the account appears. See Identity Intelligence.
LoginUID
Original login user identity surviving sudo/su privilege escalation for non-repudiation. LinuxGuard captures loginUID from the kernel to attribute actions to actual users even when running as root. See Security Architecture.
Mitigator
Positive factor that decreases a posture score, such as strong authentication or encrypted SSH keys. Mitigators have configurable weights reducing risk scores for servers with good security practices. See Console Overview.
NHI Automation
Non-Human Identity scheduled tasks (cron jobs, systemd timers) that run without direct user interaction. LinuxGuard inventories NHI automation to provide visibility into automated system activities. See Console Overview.
Non-Human Identity (NHI)
Service account, API credential, or automated process that accesses systems without direct user interaction. LinuxGuard classifies NHIs into three tiers: System Default (OS-created accounts such as www-data or postgres), Application Service (accounts created by installed software), and Custom Service (administrator-created service accounts). See Identity Intelligence.
Notification Rule
Console-configured rule that sends an alert through a delivery channel when specified trigger conditions are met. Notification rules support severity filters, throttle windows, quiet hours, and scope filters; a rule with no conditions forwards all signals. See Alerting & SIEM Integration.
Orphaned Key
SSH public key that remains authorized on a server after the associated user account has been deleted or disabled. LinuxGuard detects orphaned keys by cross-referencing authorized_keys entries against active account lists. See Identity Intelligence.
Playbook
Console-configured automation rule that defines trigger conditions and one or more containment actions to execute when a security signal matches. Playbooks require explicit opt-in at three levels (playbook enabled, scope defined, blast radius set) before they become active. See Active Response.
Posture Score
Composite score (0-100, lower is better) evaluating security posture across accounts, groups, sudo, SSHD configuration, and SSH keys. Posture scores use configurable detractors, mitigators, and weights. See Console Overview.
Process Attribution
Identifying which process, user, and command caused a security event. LinuxGuard uses eBPF and kernel data to provide reliable attribution with confidence levels (HIGH/MEDIUM/LOW). See Console Overview and Security Architecture.
Score Band
Configurable threshold ranges (Good, Attention, Poor) for interpreting posture scores. Administrators define score band boundaries in posture scoring configuration to match organizational risk appetite. See Console Overview.
Signal Deduplication
Grouping identical security signals within a time window, preserving occurrence counts. LinuxGuard deduplicates signals to reduce noise while maintaining visibility into repeated events. See Console Overview.
Systemd Timer
Modern systemd-based scheduling mechanism as an alternative to cron for automated tasks. LinuxGuard inventories systemd timers as part of NHI automation monitoring. See Console Overview.
Targeted Attack
Brute force pattern in which an attacker targets one username from many source IPs. Indicates a distributed attack on a single account. See Console Overview.
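The two brute force shapes named in this glossary (Credential Stuffing: many users from few IPs; Targeted Attack: one user from many IPs) are easy to confuse until you see them side by side on real-looking data. The following Python is an added illustration written for this page, not LinuxGuard's own detection code: it buckets failed authentication events into fixed time windows and reports each shape separately. The window length and thresholds (WINDOW_SECONDS, MIN_FAILURES, MIN_DISTINCT), the AuthEvent record layout, and the sample events are all assumptions constructed for the example; the IP addresses come from the documentation ranges reserved for this purpose.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """Minimal authentication event (constructed shape, not LinuxGuard's schema)."""
    ts: int          # Unix timestamp, seconds
    user: str
    src_ip: str
    success: bool


# Assumed thresholds for illustration only; a real deployment tunes these.
WINDOW_SECONDS = 300   # fixed bucket size for grouping failures
MIN_FAILURES = 10      # failed attempts needed before a pattern is reported
MIN_DISTINCT = 5       # distinct usernames (per IP) or distinct IPs (per user)


def detect_bruteforce(events, window=WINDOW_SECONDS,
                      min_failures=MIN_FAILURES, min_distinct=MIN_DISTINCT):
    """Return findings of two shapes over failed logins in each time window:
    credential_stuffing: one source IP trying many distinct usernames;
    targeted_attack:     one username tried from many distinct source IPs."""
    by_window = defaultdict(list)
    for e in events:
        if not e.success:                      # only failures feed the detector
            by_window[e.ts // window].append(e)

    findings = []
    for bucket, fails in sorted(by_window.items()):
        users_per_ip = defaultdict(set)
        ips_per_user = defaultdict(set)
        fails_per_ip = defaultdict(int)
        fails_per_user = defaultdict(int)
        for e in fails:
            users_per_ip[e.src_ip].add(e.user)
            ips_per_user[e.user].add(e.src_ip)
            fails_per_ip[e.src_ip] += 1
            fails_per_user[e.user] += 1

        window_start = bucket * window
        # Credential stuffing: a single IP spraying a list of usernames.
        for ip, users in users_per_ip.items():
            if fails_per_ip[ip] >= min_failures and len(users) >= min_distinct:
                findings.append({"pattern": "credential_stuffing", "key": ip,
                                 "failures": fails_per_ip[ip], "distinct": len(users),
                                 "window_start": window_start})
        # Targeted attack: one account hammered from a distributed set of IPs.
        for user, ips in ips_per_user.items():
            if fails_per_user[user] >= min_failures and len(ips) >= min_distinct:
                findings.append({"pattern": "targeted_attack", "key": user,
                                 "failures": fails_per_user[user], "distinct": len(ips),
                                 "window_start": window_start})
    return findings


# Constructed sample data: all events fall inside one 300-second bucket.
BASE = 1_700_000_000
SAMPLE_EVENTS = (
    # one IP, twelve different usernames -> credential stuffing
    [AuthEvent(BASE + i, f"user{i:02d}", "203.0.113.7", False) for i in range(12)]
    # one username, ten different IPs -> targeted attack
    + [AuthEvent(BASE + 20 + i, "root", f"198.51.100.{i + 1}", False) for i in range(10)]
    # benign noise: a user mistyping a password three times, then succeeding
    + [AuthEvent(BASE + 40 + i, "alice", "192.0.2.10", False) for i in range(3)]
    + [AuthEvent(BASE + 50, "alice", "192.0.2.10", True)]
)

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The fixed-window bucketing keeps the example short; a production detector would use a sliding window so that a burst straddling a bucket boundary is not split in half, and would also feed the findings into signal deduplication so a sustained spray produces one signal with a count rather than one per window.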
Webhook
HTTP endpoint that receives LinuxGuard alert payloads as JSON POST requests. Webhooks include an HMAC-SHA256 signature in the X-LinuxGuard-Signature header for payload verification. See Alerting & SIEM Integration.
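A receiving endpoint only benefits from the X-LinuxGuard-Signature header if it actually checks it before trusting the payload. The Python below is an added example written for this page, not LinuxGuard's code; it shows the receiver side: recompute HMAC-SHA256 over the raw body with the shared secret and compare in constant time. It assumes the header carries a lowercase hex digest of the exact request bytes with no prefix or timestamp; if the console documents a different encoding, adjust sign_payload accordingly. The secret, payload and header values are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

SIGNATURE_HEADER = "X-LinuxGuard-Signature"   # header name from the glossary entry


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body.
    Assumption: the signature covers the exact bytes received, nothing else."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison of the presented signature with the recomputed one.
    A missing or malformed header is rejected rather than raising, so a bad
    request cannot crash the receiver or leak a stack trace."""
    if not header_value:
        return False
    presented = header_value.strip().lower()
    if len(presented) != 64 or any(c not in "0123456789abcdef" for c in presented):
        return False
    return hmac.compare_digest(sign_payload(secret, body), presented)


def handle_alert(secret: bytes, body: bytes, headers: dict) -> Optional[dict]:
    """Return the parsed alert only when the signature checks out, else None.
    The body is parsed *after* verification, so unsigned or tampered input
    never reaches json.loads. Header lookup tolerates lowercase header names,
    which some proxies and frameworks produce."""
    header_value = headers.get(SIGNATURE_HEADER) or headers.get(SIGNATURE_HEADER.lower())
    if not verify_signature(secret, body, header_value):
        return None
    return json.loads(body)


# Constructed sample: secret, alert body and header invented for this example.
SAMPLE_SECRET = b"replace-with-the-shared-secret-from-the-console"
SAMPLE_BODY = json.dumps(
    {"signal": "config_drift", "server": "web-01", "severity": "medium"}
).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print("valid:", handle_alert(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    print("tampered:", handle_alert(SAMPLE_SECRET, SAMPLE_BODY + b" ", SAMPLE_HEADERS))
```

Two details matter in practice: verify against the raw bytes as received, not a re-serialised copy of the parsed JSON (key order or whitespace differences would change the digest), and never reveal in the error response which part of the check failed.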
Zero Trust Enforcement
Console pillar that surfaces security signals enriched with identity context and tracks configuration drift with who-changed-it attribution. Zero Trust Enforcement connects behavioral anomalies to the specific identities involved, enabling identity-aware incident response. See Console Overview.
Related: Console Overview | Security Architecture | Agent Commands