The ESA Activity Monitoring rules for permissions (security descriptors and ACLs) are vendor rules supplied by vast limits. They are stored in the configuration file uberAgent-ESA-am-vastlimits.conf.
File System ACL Rules
The rules in this section detect suspicious behavior related to file system permissions (ACLs).
Detect processes started from directories that are user-writeable
Detect process starts from directories with a low mandatory integrity label
Security Descriptor Monitoring Capabilities
uberAgent ESA has sophisticated features that make security descriptors, which can be a bit obscure and difficult to work with, much more accessible:
SID to name lookup
Conversion of hex access masks to permission strings
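As an added illustration of the capabilities just listed and of the user-writable-directory rule above, the following Python helper (written for this page, not uberAgent or vast limits code) parses a directory DACL in SDDL form, turns hex access masks or SDDL rights codes into permission strings, maps well-known SID aliases to account names, and flags allow ACEs that give write rights to non-privileged principals. The SID and rights tables are assumed subsets of the Windows definitions, the set of bits treated as "write" is this example's own choice, and the sample DACLs are constructed rather than captured from a system.

```python
"""Decode SDDL DACLs and flag directories writable by non-privileged users (illustrative helper)."""
import re
# Subset of SDDL well-known SID aliases -> account names (SID-to-name lookup, assumed table).
SID_NAMES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
             "AU": "NT AUTHORITY\\Authenticated Users", "WD": "Everyone", "CO": "CREATOR OWNER"}
# Two-letter SDDL rights codes -> access-mask values for file-system objects.
RIGHTS_CODES = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
                "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
                "WD": 0x00040000, "WO": 0x00080000, "SD": 0x00010000, "RC": 0x00020000}
# Individual access-mask bits, used to render a hex mask as a readable permission string.
MASK_BITS = [(0x1, "ReadData"), (0x2, "WriteData"), (0x4, "AppendData"), (0x8, "ReadEA"),
             (0x10, "WriteEA"), (0x20, "Execute"), (0x40, "DeleteChild"), (0x80, "ReadAttributes"),
             (0x100, "WriteAttributes"), (0x10000, "Delete"), (0x20000, "ReadControl"),
             (0x40000, "WriteDAC"), (0x80000, "WriteOwner"), (0x100000, "Synchronize"),
             (0x10000000, "GenericAll"), (0x20000000, "GenericExecute"),
             (0x40000000, "GenericWrite"), (0x80000000, "GenericRead")]
# Bits that let the holder add or alter files in the directory, or rewrite its ACL (this example's choice).
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
NON_PRIVILEGED = {"BU", "AU", "WD"}  # principals every interactive user belongs to
ACE_RE = re.compile(r"\((\w+);(\w*);([^;]*);[^;]*;[^;]*;([^)]+)\)")

def rights_to_mask(rights):
    """SDDL rights field (hex such as 0x1200a9, or codes such as 'FA' / 'GRGW') -> integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHTS_CODES[rights[i:i + 2]] for i in range(0, len(rights), 2))  # KeyError on unknown code

def mask_to_permissions(mask):
    """Hex access mask -> comma-separated permission names, e.g. 0x1200a9 -> ReadData,...,Synchronize."""
    return ",".join(name for bit, name in MASK_BITS if mask & bit)

def user_writable_aces(sddl):
    """Return (account, permissions) for each allow ACE granting write rights to a non-privileged SID.
    Deny ACEs and group nesting are not evaluated, so hits are candidates for the rule, not proof."""
    hits = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(sddl):
        mask = rights_to_mask(rights)
        if ace_type == "A" and sid in NON_PRIVILEGED and mask & WRITE_MASK:
            hits.append((SID_NAMES.get(sid, sid), mask_to_permissions(mask)))
    return hits

# Constructed sample DACLs: an install-style directory (Users read/execute only) and a scratch directory.
LOCKED_DOWN = "D:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
SCRATCH = "D:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;AU)(A;OICI;GRGW;;;WD)"

if __name__ == "__main__":
    for label, dacl in (("locked-down", LOCKED_DOWN), ("scratch", SCRATCH)):
        print(label, user_writable_aces(dacl) or "no user-writable ACEs")
```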
Security Descriptor & ACL Monitoring