The “AUDIT_PROCESS_PORT” check verifies that the process listening on a port is an authorized process and not a backdoor process hiding in plain sight. To allow more than one process, separate the process names with a “|” (pipe) character.

Tip: For information about the parameters commonly found in Unix custom items, see Unix Configuration Keywords.



<custom_item>
type: AUDIT_PROCESS_PORT
description: "Make sure 'sshd' is running on port 22"
port_type: TCP
ports: "22"
name: "sshd|launchd"
</custom_item>
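
To see the kind of comparison this item expresses, the following added example (not Tenable's implementation and not part of the original page) runs the same port and allow list, "22" and "sshd|launchd", against constructed `ss -H -tlnp` output. The status strings, the function names, exact-name matching and the handling of a port with no listener or no visible owner are assumptions made for the illustration.

```python
import re

# Constructed `ss -H -tlnp` output for illustration; not captured from a real host.
CLEAN = '''LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=950,fd=6))
'''
SUSPECT = '''LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 [::]:22 [::]:* users:(("sshd-agent",pid=4242,fd=3))
'''
NO_OWNER = '''LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
'''


def listeners(ss_output):
    """Map each listening TCP port to the set of process names bound to it."""
    table = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        port = fields[3].rsplit(":", 1)[1]  # handles 0.0.0.0:22 and [::]:22
        # ss prints owners as users:(("name",pid=N,fd=N),...); the column is
        # absent when ss lacks the privilege to see the owning process.
        names = re.findall(r'\("([^"]+)",pid=\d+', line)
        table.setdefault(port, set()).update(names or {"<unknown>"})
    return table


def check_port(ss_output, port, name):
    """Return (status, offenders) for one port and a '|'-separated allow list."""
    allowed = set(name.split("|"))  # assumption: exact process-name match
    owners = listeners(ss_output).get(port)
    if owners is None:
        return "NOT_LISTENING", []  # assumption: surfaced separately, not a pass
    offenders = sorted(owners - allowed)
    return ("FAILED", offenders) if offenders else ("PASSED", [])


if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("suspect", SUSPECT), ("no owner", NO_OWNER)):
        print(label, check_port(data, "22", "sshd|launchd"))
```

A listener whose owner cannot be read is treated as a failure here, so running the collection without enough privilege does not produce a false pass.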