Next: Capability-Based Process Protection Up: LinSec Capability Model Previous: Capability Inheritance Algorithm   Contents


Capability-Based System Boot Monitor

In many cases, after successfully penetrating a target system, attackers install some sort of back door so that they can return to the system at a later stage without having to replay the intrusion. A considerable proportion of back doors are set up each time the system is booted, or otherwise rely on programs planted by the attacker and executed during system boot (for example from an init script). To prevent this type of scenario LinSec introduces the notion of a monitored boot phase, together with a new capability, CAP_SYS_BOOTTIME, introduced for the purpose. Every process spawned during the boot phase must have this capability in its effective capability set; a process that does not is killed [4.5]. The check therefore acts as a whitelist for the boot sequence: a program an attacker has planted among the boot-time startup commands will not carry the capability and is terminated before it can establish the back door, whereas every legitimate boot-time service must be granted CAP_SYS_BOOTTIME in order to run at all.
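As an added illustration (not LinSec's own code), the following C program models the boot monitor rule as the decision a kernel hook would take at process creation. Effective capability sets are represented as 64-bit masks, CAP_SYS_BOOTTIME is given an assumed bit index because the page does not state one, and a boot_phase flag that the simulation clears explicitly stands in for whatever mechanism LinSec uses to mark the end of boot, which is not described here. The scenario spawns two legitimate boot-time services carrying the capability, one planted program that lacks it, and one post-boot user process.

```c
/* Model of LinSec's capability-gated boot monitor.
 * Added example, not LinSec source. The bit index chosen for CAP_SYS_BOOTTIME
 * and the explicit end-of-boot switch are assumptions made for the simulation. */
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_BOOTTIME 40                 /* assumed bit index (hypothetical) */
#define CAP_SYS_ADMIN    21                 /* Linux value; used only as filler */
#define CAP_NET_BIND     10                 /* Linux CAP_NET_BIND_SERVICE; filler */
#define CAP_TO_MASK(c)   ((uint64_t)1 << (c))

struct task {
    int pid;
    int ppid;
    uint64_t cap_effective;  /* effective capability set as a bitmask */
    int killed;              /* 1 if the monitor terminated the task */
};

/* Set while the system is booting, cleared when the boot phase is over.
 * How LinSec detects the end of boot is not described on the page; the
 * simulation clears the flag explicitly via set_boot_phase(). */
static int boot_phase = 1;

void set_boot_phase(int on) { boot_phase = on; }

/* The monitor rule: while boot_phase is set, a process may only run if
 * CAP_SYS_BOOTTIME is in its effective set. Returns 1 to allow, 0 to kill. */
int boot_monitor_allows(uint64_t cap_effective)
{
    if (!boot_phase)
        return 1;                           /* rule applies to the boot phase only */
    return (cap_effective & CAP_TO_MASK(CAP_SYS_BOOTTIME)) != 0;
}

/* Simulated process creation: fills in the task and applies the monitor the
 * way a kernel hook at fork/exec time would. Returns 1 if the task survives. */
int spawn(struct task *t, int pid, int ppid, uint64_t cap_effective)
{
    t->pid = pid;
    t->ppid = ppid;
    t->cap_effective = cap_effective;
    t->killed = !boot_monitor_allows(cap_effective);
    return !t->killed;
}

/* Process table for the scenario below (constructed sample data). */
static struct task tasks[4];

int task_killed(int idx) { return tasks[idx].killed; }

/* Boot scenario: init and sshd carry the capability, a planted bind shell in
 * the boot sequence does not, then a user shell starts after boot has ended.
 * Returns the number of tasks the monitor killed (expected: 1, the bind shell). */
int run_boot_scenario(void)
{
    int killed = 0;
    set_boot_phase(1);
    killed += !spawn(&tasks[0], 1, 0,
                     CAP_TO_MASK(CAP_SYS_BOOTTIME) | CAP_TO_MASK(CAP_SYS_ADMIN));  /* init */
    killed += !spawn(&tasks[1], 2, 1,
                     CAP_TO_MASK(CAP_SYS_BOOTTIME) | CAP_TO_MASK(CAP_NET_BIND));   /* sshd */
    killed += !spawn(&tasks[2], 3, 1,
                     CAP_TO_MASK(CAP_NET_BIND));       /* planted bind shell: no boot capability */
    set_boot_phase(0);                                 /* boot finished */
    killed += !spawn(&tasks[3], 4, 1, 0);              /* user login shell, no capabilities */
    return killed;
}

int main(void)
{
    int killed = run_boot_scenario();
    for (int i = 0; i < 4; i++)
        printf("pid %d (parent %d): %s\n", tasks[i].pid, tasks[i].ppid,
               tasks[i].killed ? "killed by boot monitor" : "allowed");
    printf("%d process(es) killed\n", killed);
    return killed == 1 ? 0 : 1;
}
```

The point the model makes is that the decision does not depend on which program was started or who started it, only on whether the effective set carries CAP_SYS_BOOTTIME while the boot phase is active; the same capability-less process is allowed once the phase ends. In a real deployment the administrator therefore has to make sure every legitimate boot-time service receives the capability, or the monitor will kill it exactly as it kills a planted one.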



Footnotes

... killed [4.5]
Terminated by the kernel.