Skip to main content

Security Descriptor & ACL Monitoring

The ESA Activity Monitoring rules for permissions (security descriptors and ACLs) are vast limits vendor rules. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.

File System ACL Rules

The rules in this section detect suspicious behavior related to file system permissions (ACLs).

  • Detect processes started from directories that are user-writeable
  • Detect process starts from directories with a low mandatory integrity label

Security Descriptor Monitoring Capabilities

uberAgent ESA has sophisticated features that make security descriptors, which can be a bit obscure and difficult to work with, much more accessible:

  • SID to name lookup
  • Conversion of hex access masks to permission strings

Please see this document for details.


Your email address will not be published. Required fields are marked *