OpenEdge operations can be audited effectively because of how the root install path service is set up internally. Administrators can use audit logs to find out if OpenEdge operations are following the ESAM security policies or whether the root install path validation has been compromised. From OpenEdge 12.6 onwards, ESAM policy expects all OpenEdge operations to run within the hierarchy of an installation itself. Operations that run outside this hierarchy are in violation and may be considered an administrative exception. This policy helps prevent an attacker from injecting code onto the runtime stack from outside the root install path <DLC>.
Note: You may also want to consider further assurances of object integrity within the <DLC> path space by applying supplementary security layers such as code signing and restricted file permissions independent of policy safeguards.

Validate root install path using command line script

ESAM provides seamless security within the ABL Virtual Machine (AVM) and among OpenEdge components that validate the OpenEdge root install path <DLC> automatically when it is referenced internally. Validation is performed continuously at runtime, assuming ESAM is functional. A command line script called valdlc is also available for application environments that want to ensure the integrity of the OpenEdge root install path <DLC>.

After the OpenEdge root install path <DLC> is set up, you can check if it is valid by running the valdlc script in the bin sub-directory of ESAM directory path.

On Windows, you can locate the valdlc.bat script at C:\Windows\System32\openedge.d\bin\valdlc. On Linux, it is located at /etc/openedge.d/bin/valdlc.

On Windows, run the following script at the command prompt: 

valdlc.bat -DLC <absolute-path-to-DLC>
On UNIX, run the following script at the command prompt: 
valdlc -DLC <absolute-path-to-DLC>
The valdlc script verifies the provided <DLC> path and returns SUCCESS or FAILURE as a response.
Note: To ensure that unauthorized users are not able to modify the calls to valdlc, you can use write protections or code signing for your scripts.