Config changes are already monitorable by watching eventcode 0 for unexpected settings and agent restarts. However, self-defense could be further improved, perhaps by:
- Including hashes of configuration file in eventcode 0 events
- Logging writes to configuration, binary, control utility, log files
Having said that, an attacker with escalated privileges will always be able to disrupt or disable xnumon.
Config changes are already monitorable by watching eventcode 0 for unexpected settings and agent restarts. However, self-defense could be further improved, perhaps by:
Having said that, an attacker with escalated privileges will always be able to disrupt or disable xnumon.