Pro Lab · v0.9.2 · macOS · 44 KB

The security monitor you can read.

TierOne Sentinel baselines your Mac, watches for drift around the clock, and shows you exactly how it does it. Every detection is a page of commented shell mapped to the exam objectives you are studying. Protect your machine and learn the craft from the same tool.

$ bin/watch_check.sh

TierOne Sentinel digest · max severity: WARN

## launch_items

[WARN] NEW launch item: com.updater.helper.plist

[WARN] AUTO-FIX: disabled and quarantined

bin/revert.sh to undo

## network

[OK] listener set matches baseline

## posture

[OK] filevault · firewall · sip · gatekeeper all on

What it watches

Three scheduled jobs: a morning quick check, a nightly deep scan, and a continuous watch that reacts within seconds when anything touches the persistence directories.

Persistence

Diffs LaunchDaemons, LaunchAgents, and login items, and re-checks the instant anything writes to those folders. That is how malware survives a reboot, and how you catch it.

Open ports

Every process listening for connections, compared against the baseline you approved. New unexpected listeners are how backdoors expose themselves.

Security posture

FileVault, Firewall, SIP, and Gatekeeper. If a protection regresses after baseline, that is a critical finding, because attackers disable defenses before acting.

File integrity

SHA-256 hashes over /etc, launch directories, and your user folders. A changed hash on a file you did not touch is a classic indicator of compromise.

Malware

Nightly ClamAV signature scans of Downloads and Desktop, plus XProtect freshness checks. Validate it yourself with an EICAR test file, like a professional would.

Vulnerabilities

Pulls the NVD CVE feed, filters by CVSS against the apps actually on your Mac, and dedupes what you have already seen. Vulnerability management in miniature.

The lab is the lesson

Built to be read, not just run.

Sentinel is about 1,500 lines of commented shell you can read in an afternoon. The included study guide walks module by module, with hands-on exercises: trip the file monitor, simulate persistence, validate the malware scanner, beat fast mode like a timestomping attacker.

Baseline and diff

You cannot spot abnormal until you define normal. The idea behind Tripwire, OSSEC, and every EDR agent.

Security+ 4.1, CISSP Domain 7

File integrity monitoring

Hashing, timestomping, and why serious FIM tools re-hash content instead of trusting timestamps.

Security+ 4.4, ATT&CK T1070.006

Persistence detection

Launch agents and daemons as an attack surface, plus event-driven detection with WatchPaths.

Security+ 2.4, ATT&CK T1543

Log analysis

The naive version of the auth check reported 298 failed logins where there were 3. Read how the noise got filtered.

Security+ 4.4, CISSP Domain 7

Vulnerability management

CVE, CVSS scoring, and relevance filtering against a real software inventory: yours.

Security+ 4.3, CISA/CISM risk

Auto-remediation

Reversible, rate-limited, fail-closed. SOAR thinking at laptop scale, off by default and opt-in by design.

Security+ 4.7 and 4.8

Safe enough to recommend to a classroom.

A security tool earns trust by how carefully it fails. These are the rules Sentinel is built on, and you can verify every one of them in the source.

  • Alert-only by default. Sentinel changes nothing unless you opt in.
  • Every auto-action is logged with a working undo command.
  • No telemetry. Sentinel never talks to our servers, or anyone's.
  • Uninstalls cleanly in one command, schedule and all.
  • Source you can read: commented shell, PolyForm Noncommercial license.

Included with every Pro plan.

Study for your certification, and let the concepts guard the machine you study on. Sentinel comes with Pro Monthly, Annual, and Lifetime, next to the full question banks, mock exams, and the AI tutor.