Persistence
Diffs LaunchDaemons, LaunchAgents, and login items, and re-checks the instant anything writes to those folders. That is how malware survives a reboot, and how you catch it.
TierOne Sentinel baselines your Mac, watches for drift around the clock, and shows you exactly how it does it. Every detection is a page of commented shell mapped to the exam objectives you are studying. Protect your machine and learn the craft from the same tool.
$ bin/watch_check.sh
TierOne Sentinel digest · max severity: WARN
## launch_items
[WARN] NEW launch item: com.updater.helper.plist
[WARN] AUTO-FIX: disabled and quarantined
bin/revert.sh to undo
## network
[OK] listener set matches baseline
## posture
[OK] filevault · firewall · sip · gatekeeper all on
Three scheduled jobs: a morning quick check, a nightly deep scan, and a continuous watch that reacts within seconds when anything touches the persistence directories.
Diffs LaunchDaemons, LaunchAgents, and login items, and re-checks the instant anything writes to those folders. That is how malware survives a reboot, and how you catch it.
Every process listening for connections, compared against the baseline you approved. New unexpected listeners are how backdoors expose themselves.
FileVault, Firewall, SIP, and Gatekeeper. If a protection regresses after baseline, that is a critical finding, because attackers disable defenses before acting.
SHA-256 hashes over /etc, launch directories, and your user folders. A changed hash on a file you did not touch is a classic indicator of compromise.
Nightly ClamAV signature scans of Downloads and Desktop, plus XProtect freshness checks. Validate it yourself with an EICAR test file, like a professional would.
Pulls the NVD CVE feed, filters by CVSS against the apps actually on your Mac, and dedupes what you have already seen. Vulnerability management in miniature.
Sentinel is about 1,500 lines of commented shell you can read in an afternoon. The included study guide walks module by module, with hands-on exercises: trip the file monitor, simulate persistence, validate the malware scanner, beat fast mode like a timestomping attacker.
You cannot spot abnormal until you define normal. The idea behind Tripwire, OSSEC, and every EDR agent.
Security+ 4.1, CISSP Domain 7
Hashing, timestomping, and why serious FIM tools re-hash content instead of trusting timestamps.
Security+ 4.4, ATT&CK T1070.006
Launch agents and daemons as an attack surface, plus event-driven detection with WatchPaths.
Security+ 2.4, ATT&CK T1543
The naive version of the auth check reported 298 failed logins where there were 3. Read how the noise got filtered.
Security+ 4.4, CISSP Domain 7
CVE, CVSS scoring, and relevance filtering against a real software inventory: yours.
Security+ 4.3, CISA/CISM risk
Reversible, rate-limited, fail-closed. SOAR thinking at laptop scale, off by default and opt-in by design.
Security+ 4.7 and 4.8
A security tool earns trust by how carefully it fails. These are the rules Sentinel is built on, and you can verify every one of them in the source.
Study for your certification, and let the concepts guard the machine you study on. Sentinel comes with Pro Monthly, Annual, and Lifetime, next to the full question banks, mock exams, and the AI tutor.