AUDIT_PROCESS_ON_PORT
The “AUDIT_PROCESS_ON_PORT” check allows users to verify that the process listening on a port is an authorized process and not a backdoor process hiding in plain sight. To allow more than one process, separate the process names with a “|” (pipe) character.
Tip: For information about the parameters commonly found in Unix custom items, see Unix Configuration Keywords.
<custom_item>
type: AUDIT_PROCESS_ON_PORT
description: "Make sure 'sshd' is running on port 22"
port_type: TCP
ports: "22"
name: "sshd|launchd"
</custom_item>
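The logic this check describes can be reproduced by hand when triaging a host. The following is an added example, not Tenable's implementation: it assumes Linux `ss -H -ltnp` output, uses hypothetical function names, and treats `ports` as a comma-separated list.

```python
import re

# Constructed sample of Linux `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22    0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0 128  [::]:22       [::]:*      users:(("sshd",pid=812,fd=4))
LISTEN 0 5    0.0.0.0:8080  0.0.0.0:*   users:(("python3",pid=4021,fd=3))
LISTEN 0 128  0.0.0.0:2222  0.0.0.0:*
"""


def listeners(ss_output):
    """Yield (port, process_names) for every listening socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        port = fields[3].rsplit(":", 1)[1]  # handles 0.0.0.0:22 and [::]:22
        yield port, set(re.findall(r'"([^"]+)",pid=', line))


def audit_process_on_port(ss_output, ports, name):
    """Return (port, process) pairs that violate the allowlist; [] means pass.

    `name` is pipe-separated as in the audit item. Treating `ports` as a
    comma-separated list is an assumption of this sketch.
    """
    allowed = set(name.split("|"))
    wanted = {p.strip() for p in ports.split(",")}
    findings = []
    for port, names in listeners(ss_output):
        if port not in wanted:
            continue
        if not names:
            # Owner hidden (e.g. ss run without root): cannot be verified.
            findings.append((port, "<unknown>"))
        findings.extend((port, n) for n in sorted(names - allowed))
    return findings


if __name__ == "__main__":
    print(audit_process_on_port(SAMPLE_SS_OUTPUT, "22", "sshd|launchd"))
    print(audit_process_on_port(SAMPLE_SS_OUTPUT, "8080", "nginx"))
    print(audit_process_on_port(SAMPLE_SS_OUTPUT, "2222", "sshd"))
```

A listener whose owning process is not visible is reported as a finding rather than passed, because an unverifiable owner cannot be matched against the allowlist.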