Monitor Processes with Listening Ports
My suggestion would be to monitor all open/listening ports (ss -tulpn) and processes.
Afterwards, upon service discovery, it should show the services and processes with listening ports.
Now the user should accept all listening applications; if something is not accepted, it should also alert. This could alert in case unwanted stuff got exposed or a reverse shell was spawned on a system. A new sensor in the Linux/Windows agent with the ability to enumerate and list active (TCP/UDP) listening ports in Checkmk upon service discovery, that triggers a hard state for the sensor when the list of known and visible listening ports is changed.
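
A sketch of the check requested above, added here as an example and not part of the original post or of Checkmk's own code: it parses `ss -tulpn` output, compares the listeners with an accepted baseline, and emits a line in Checkmk's local-check format. The sample output, the baseline, the service name `Listening_ports` and the severity mapping are assumptions.

```python
import re

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=612,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=950,fd=6),("nginx",pid=951,fd=6))
tcp   LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=2210,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:5432     0.0.0.0:*
"""

# Hypothetical accepted baseline: what the user approved at discovery time.
ACCEPTED = {
    ("udp", "0.0.0.0", 68, "dhclient"),
    ("tcp", "0.0.0.0", 22, "sshd"),
    ("tcp", "[::]", 443, "nginx"),
    ("tcp", "127.0.0.1", 5432, "?"),
}

def parse_listeners(ss_output):
    """Return a set of (proto, address, port, process) tuples."""
    listeners = set()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[1] not in ("LISTEN", "UNCONN"):
            continue
        addr, _, port = fields[4].rpartition(":")    # handles [::]:443 and 1.2.3.4:22
        # ss leaves the process column empty without sufficient privileges
        names = set(re.findall(r'\("([^"]+)"', " ".join(fields[6:]))) or {"?"}
        for name in names:
            listeners.add((fields[0], addr, int(port), name))
    return listeners

def check_listeners(ss_output, accepted):
    """Return (state, new, gone). Assumed mapping: 2 (CRIT) for an
    unaccepted listener, 1 (WARN) for a missing accepted one, 0 (OK)."""
    current = parse_listeners(ss_output)
    new, gone = sorted(current - accepted), sorted(accepted - current)
    return (2 if new else 1 if gone else 0), new, gone

def local_check_line(ss_output, accepted):
    """Format the result as '<state> <service> <metrics> <text>'."""
    state, new, gone = check_listeners(ss_output, accepted)
    fmt = lambda items: ", ".join(f"{p}/{a}:{port} ({n})" for p, a, port, n in items)
    parts = [f"{label}: {fmt(items)}" for label, items in
             (("not accepted", new), ("no longer listening", gone)) if items]
    text = "; ".join(parts) or "all listeners accepted"
    return f"{state} Listening_ports new={len(new)}|gone={len(gone)} {text}"

if __name__ == "__main__":
    print(local_check_line(SAMPLE_SS, ACCEPTED))
```
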