Root CA certificate monitoring
The ESA Activity Monitoring rules for monitoring changes to root CA certificates are vast limits vendor rules. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.
The rules detect certificate chain cloning and cloned root trust attacks by monitoring writes to user and machine registry keys. For details, check the following rules:
Detect AuthRoot, CA and Root certificate changes per machine
Detect AuthRoot, CA and Root certificate changes per user
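The machine/user split made by the two rules above, shown as an added example (not the vendor's rule code): a Python classifier over registry write events. The key paths are the standard Windows certificate store locations, which is an assumption because this page does not list the keys the rules match; the events, process names and thumbprint are constructed.

```python
import re

# Standard Windows registry layout for certificate stores. Assumption: the
# page does not list the exact keys its rules match, so these are illustrative.
STORE_KEY = re.compile(
    r"^(?P<hive>HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER"
    r"|(?:HKU|HKEY_USERS)\\(?P<sid>S-1-[0-9-]+))"
    r"\\SOFTWARE\\(?P<policy>Policies\\)?Microsoft\\SystemCertificates"
    r"\\(?P<store>AuthRoot|CA|Root)\\Certificates\\(?P<thumb>[0-9A-F]{40})$",
    re.IGNORECASE,
)
CANONICAL = {"authroot": "AuthRoot", "ca": "CA", "root": "Root"}
MACHINE_HIVES = {"HKLM", "HKEY_LOCAL_MACHINE"}


def classify_write(key_path, value_name):
    """Return a finding for a certificate write to AuthRoot, CA or Root, else None."""
    # A certificate is stored as the "Blob" value of a key named after its thumbprint.
    if value_name.lower() != "blob":
        return None
    m = STORE_KEY.match(key_path.strip().rstrip("\\"))
    if m is None:
        return None
    return {
        "scope": "machine" if m["hive"].upper() in MACHINE_HIVES else "user",
        "sid": m["sid"],  # set only when the event names the user hive by SID
        "store": CANONICAL[m["store"].lower()],
        "via_policy": m["policy"] is not None,
        "thumbprint": m["thumb"].upper(),
    }


def scan(events):
    """Return (process, finding) for every event that changes a monitored store."""
    return [(proc, f) for proc, key, value in events
            if (f := classify_write(key, value)) is not None]


# Constructed sample events: (process, key path, value name). Not real telemetry.
T = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder thumbprint
SAMPLE_EVENTS = [
    ("certutil.exe", rf"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\{T}", "Blob"),
    ("example.exe", rf"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\SystemCertificates\Root\Certificates\{T}", "Blob"),
    ("svchost.exe", rf"hklm\software\policies\microsoft\systemcertificates\ca\certificates\{T.lower()}", "blob"),
    ("mmc.exe", rf"HKCU\Software\Microsoft\SystemCertificates\My\Certificates\{T}", "Blob"),
]
```

Three of the four constructed events are reported; the write to the personal `My` store is ignored because it is not one of the AuthRoot, CA or Root stores.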