Security Descriptor & ACL Monitoring
The ESA Activity Monitoring rules for permissions (security descriptors and ACLs) are vendor rules supplied by vast limits. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.
File System ACL Rules
The rules in this section detect suspicious behavior related to file system permissions (ACLs).
- Detect processes started from directories that are user-writeable
- Detect process starts from directories with a low mandatory integrity label
Security Descriptor Monitoring Capabilities
uberAgent ESA has sophisticated features that make security descriptors, which can be a bit obscure and difficult to work with, much more accessible:
- SID to name lookup
- Conversion of hex access masks to permission strings
Please see this document for details.
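An added example (not uberAgent's own code) of the two conversions these capabilities describe: decoding a hex access mask into right names and, with a small well-known-SID table, flagging Allow ACEs that make a directory user-writeable. The `(ace_type, sid, mask)` tuple format and the sample ACL are constructed for the example.

```python
# Constructed example (not uberAgent's own code): decode a Windows ACCESS_MASK
# into right names and flag Allow ACEs that make a directory user-writeable.
# Standard and file/directory-specific access right bits (Microsoft-documented).
ACCESS_RIGHTS = {
    0x00000001: "FILE_READ_DATA/LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA/ADD_FILE",
    0x00000004: "FILE_APPEND_DATA/ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE/TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Well-known SIDs whose membership includes every ordinary user on the host.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Rights that let a principal add, replace or re-permission files in a directory.
WRITE_BITS = 0x2 | 0x4 | 0x40 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

def decode_access_mask(mask: int) -> list[str]:
    """Return the right names set in mask; unknown bits are kept as hex."""
    names = [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(ACCESS_RIGHTS)  # bits not in the table above
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:08x})")
    return names

def user_writeable_aces(aces):
    """aces: (ace_type, sid, mask) tuples; 'A' = access-allowed, SDDL style."""
    hits = []
    for ace_type, sid, mask in aces:
        if ace_type == "A" and sid in BROAD_SIDS and mask & WRITE_BITS:
            hits.append((BROAD_SIDS[sid], decode_access_mask(mask & WRITE_BITS)))
    return hits

# Constructed ACL of a hypothetical directory: SYSTEM and Administrators get
# full control, Users get "Modify" (0x1301BF), Everyone gets read & execute.
SAMPLE_ACL = [("A", "S-1-5-18", 0x1F01FF), ("A", "S-1-5-32-544", 0x1F01FF),
              ("A", "S-1-5-32-545", 0x1301BF), ("A", "S-1-1-0", 0x1200A9)]
```

A production check also has to honour deny ACEs, ACE ordering and inheritance flags, which this example leaves out.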