osquery-defense-kit/detection/persistence/unexpected-active-systemd-u...

555 lines
34 KiB
MySQL
Raw Permalink Normal View History

2022-10-14 18:19:13 +00:00
-- Unexpected systemd units, may be evidence of persistence
--
-- references:
2022-10-19 20:56:32 +00:00
-- * https://attack.mitre.org/techniques/T1543/002/ (Create or Modify System Process: Systemd Service)
2022-10-14 18:19:13 +00:00
--
-- false positives:
-- * System updates
--
-- tags: persistent seldom filesystem systemd extra
2023-02-02 20:33:25 +00:00
-- platform: linux
SELECT -- description AS 'desc',
fragment_path,
MAX(user, 'root') AS effective_user,
2023-02-21 00:11:23 +00:00
following,
hash.sha256,
file.ctime,
file.size,
2023-09-01 21:09:47 +00:00
CONCAT (id, ',', description, ',', user) AS exception_key
2023-02-24 21:30:17 +00:00
FROM
systemd_units
LEFT JOIN hash ON systemd_units.fragment_path = hash.path
LEFT JOIN file ON systemd_units.fragment_path = file.path
2023-02-24 21:30:17 +00:00
WHERE
active_state != 'inactive'
AND sub_state != 'plugged'
AND sub_state != 'mounted'
2023-04-27 16:00:08 +00:00
AND file.filename != ''
-- Don't care about logical groupings.
AND NOT file.filename LIKE '%.target'
AND NOT fragment_path = '/usr/lib/systemd/system/systemd-fsck@.service'
2023-04-27 16:00:08 +00:00
-- All of these are known good exceptions in known good paths
AND NOT (
(
-- Only allow fragment paths in known good directories
fragment_path LIKE '/lib/systemd/system/%'
OR fragment_path LIKE '/usr/lib/systemd/system/%'
OR fragment_path LIKE '/etc/systemd/system/%'
OR fragment_path LIKE '/run/systemd/generator/%'
OR fragment_path LIKE '/run/systemd/generator.late/%.service'
OR fragment_path LIKE '/run/systemd/transient/%'
)
AND (
exception_key IN (
'abrtd.service,ABRT Automated Bug Reporting Tool,',
'abrtd.service,ABRT Daemon,',
'abrt-journal-core.service,ABRT coredumpctl message creator,',
'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,',
'abrt-oops.service,ABRT kernel log watcher,',
'abrt-xorg.service,ABRT Xorg log watcher,',
'accounts-daemon.service,Accounts Service,',
'acpid.path,ACPI Events Check,',
'acpid.service,ACPI Daemon,',
'acpid.service,ACPI event daemon,',
'acpid.socket,ACPID Listen Socket,',
'akmods.service,Builds and install new kmods from akmod packages,',
'alsa-restore.service,Save/Restore Sound Card State,',
'alsa-state.service,Manage Sound Card State (restore and store),',
'alsa-store.service,Store Sound Card State,',
'anacron.service,Run anacron jobs,',
'anacron.timer,Trigger anacron every hour,',
2024-08-27 22:40:43 +00:00
'apache2.service,The Apache HTTP Server,',
'apache-htcacheclean.service,Disk Cache Cleaning Daemon for Apache HTTP Server,www-data',
'apcupsd.service,APC UPS Power Control Daemon for Linux,',
'apparmor.service,Load AppArmor profiles,',
'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),',
'apport-autoreport.service,Process error reports when automatic reporting is enabled,',
'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),',
'apport.service,automatic crash report generation,',
'apport.service,LSB: automatic crash report generation,',
'apt-daily.service,Daily apt download activities,',
'apt-daily.timer,Daily apt download activities,',
'apt-daily-upgrade.timer,Daily apt upgrade and clean activities,',
'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,',
'archlinux-keyring-wkd-sync.timer,Refresh existing PGP keys of archlinux-keyring regularly,',
'atd.service,Deferred execution scheduler,',
'atopacct.service,Atop process accounting daemon,',
'atop-rotate.timer,Daily atop restart,',
'atop.service,Atop advanced performance monitor,',
'auditd.service,Security Auditing Service,',
'auditd.service,Security Audit Logging Service,',
'audit.service,Kernel Auditing,',
'augenrules.service,auditd rules generation,',
'avahi-daemon.service,Avahi mDNS/DNS-SD Stack,',
'avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,',
'backup-rpmdb.timer,Backup of RPM database,',
'backup-sysconfig.timer,Backup of /etc/sysconfig,',
'bazzite-hardware-setup.service,Configure Bazzite for current hardware,',
'binfmt-support.service,Enable support for additional executable binary formats,',
'blk-availability.service,Availability of block devices,',
'bluetooth.service,Bluetooth service,',
'bolt.service,Thunderbolt system service,',
'bootupd.socket,bootupd.socket,',
'brew-update.service,Auto update brew for mutable brew installs,1000',
'brew-update.timer,Timer for brew update for mutable brew,',
'brew-upgrade.service,Upgrade Brew packages,1000',
'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
'btrfs-dedup@var-home.timer,Weekly Btrfs deduplication on /var/home,',
'ca-certificates.path,Watch for changes in CA certificates,',
'check-battery.timer,Check if mainboard battery is Ok,',
'chronyd.service,NTP client/server,',
'chrony.service,chrony, an NTP client/server',
'cloud-config.service,Apply the settings specified in cloud-config,',
'cloud-final.service,Execute cloud user/final scripts,',
'cloud-init-hotplugd.socket,cloud-init hotplug hook socket,',
'cloud-init-local.service,Initial cloud-init job (pre-networking),',
'cloud-init.service,Initial cloud-init job (metadata service crawler),',
'colord.service,Manage, Install and Generate Color Profiles,colord',
'com.system76.PowerDaemon.service,System76 Power Daemon,',
'com.system76.Scheduler.service,Automatically configure CPU scheduler for responsiveness on AC,',
'console-setup.service,Set console font and keymap,',
'containerd.service,containerd container runtime,',
'cpufrequtils.service,LSB: set CPUFreq kernel parameters,',
'crond.service,Command Scheduler,',
'cronie.service,Periodic Command Scheduler,',
'cron.service,Regular background program processing daemon,',
'cups-browsed.service,Make remote CUPS printers available locally,',
'cups-browsed.service,Make remote CUPS printers available locally,cups-browsed',
'cups.path,CUPS Scheduler,',
'cups.service,CUPS Scheduler,',
'cups.socket,CUPS Scheduler,',
'dbus-:1.2-org.pop_os.transition_system@0.service,dbus-:1.2-org.pop_os.transition_system@0.service,0',
'dbus-broker.service,D-Bus System Message Bus,',
'dbus.service,D-Bus System Message Bus,',
'dbus.socket,D-Bus System Message Bus Socket,',
'detect-part-label-duplicates.service,Detect if the system suffers from bsc#1089761,',
'dhcpcd.service,DHCP Client,',
'displaylink.service,DisplayLink Manager Service,',
'display-manager.service,Display Manager,',
'display-manager.service,X11 Server,',
'dkms.service,Builds and install new kernel modules through DKMS,',
'dm-event.socket,Device-mapper event daemon FIFOs,',
'dnf-automatic-install.service,dnf automatic install updates,',
'dnf-automatic-install.timer,dnf-automatic-install timer,',
'dnf-makecache.service,dnf makecache,',
'dnf-makecache.timer,dnf makecache --timer,',
'docker.service,Docker Application Container Engine,',
'docker.socket,Docker Socket for the API,',
'dpkg-db-backup.timer,Daily dpkg database backup timer,',
'dracut-shutdown.service,Restore /run/initramfs on shutdown,',
'e2scrub_all.timer,Periodic ext4 Online Metadata Check for All Filesystems,',
'elastic-agent.service,Elastic Agent is a unified agent to observe, monitor and protect your system.,',
'ElasticEndpoint.service,ElasticEndpoint,',
'finalrd.service,Create final runtime dir for shutdown pivot root,',
'firewalld.service,firewalld - dynamic firewall daemon,',
'firewall.service,Firewall,',
'flatpak-system-helper.service,flatpak system helper,',
'fprintd.service,Fingerprint Authentication Daemon,',
'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,',
'fstrim.timer,Discard unused blocks once a week,',
'fstrim.timer,Discard unused filesystem blocks once a week,',
'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh',
'fwupd-refresh.timer,Refresh fwupd metadata regularly,',
'fwupd.service,Firmware update daemon,',
'gdm.service,GNOME Display Manager,',
'geoclue.service,Location Lookup Service,geoclue',
'geoipupdate.timer,Weekly GeoIP update,',
'gitsign.service,Keyless Git signing with Sigstore!,',
'gnome-remote-desktop.service,GNOME Remote Desktop,gnome-remote-desktop',
'gssproxy.service,GSSAPI Proxy Daemon,',
'haproxy.service,HAProxy Load Balancer,',
'haveged.service,Entropy Daemon based on the HAVEGE algorithm,',
'ifupdown-pre.service,Helper to synchronize boot up for ifupdown,',
'iio-sensor-proxy.service,IIO Sensor Proxy service,',
'import-state.service,Import network configuration from initramfs,',
'incus-lxcfs.service,Incus - LXCFS daemon,',
'incus.service,Incus - Daemon,',
'incus.service,Incus - Main daemon,',
'incus.socket,Incus - Daemon (unix socket),',
'incus-startup.service,Incus - Startup check,',
'incus-user.socket,Incus - Daemon (user unix socket),',
'input-remapper.service,Service to inject keycodes without the GUI application,',
'ir_agent.service,Rapid7 Insight Agent,root',
'irqbalance.service,irqbalance daemon,',
'iscsid.socket,Open-iSCSI iscsid Socket,',
'iscsiuio.socket,Open-iSCSI iscsiuio Socket,',
'issue-generator.path,Watch for changes in issue snippets,',
'iwd.service,Wireless service,',
'jeos-firstboot.service,SUSE JeOS First Boot Wizard,',
'jeos-firstboot-snapshot.service,SUSE JeOS First Boot Wizard - create system snapshot,',
'kbdsettings.service,Apply settings from /etc/sysconfig/keyboard,',
'kde-sysmonitor-workaround.service,Workaround KDE System Monitor not having the correct caps,',
'kdump.service,Crash recovery kernel arming,',
'kerneloops.service,Tool to automatically collect and submit kernel crash signatures,kernoops',
'keyboard-setup.service,Set the console keyboard layout,',
'klog.service,Early Kernel Boot Messages,',
'kmod-static-nodes.service,Create List of Static Device Nodes,',
'kmod-static-nodes.service,Create list of static device nodes for the current kernel,',
'kolide-launcher.service,Kolide launcher,',
'launcher.kolide-k2.service,The Kolide Launcher,',
'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'ldconfig.service,Rebuild Dynamic Linker Cache,',
'libvirtd-admin.socket,Libvirt admin socket,',
'libvirtd-ro.socket,Libvirt local read-only socket,',
'libvirtd.service,Virtualization daemon,',
'libvirtd.socket,Libvirt local socket,',
'libvirt-workaround.service,Workaround to relabel libvirt files and directories,',
'lightdm.service,Light Display Manager,',
'lima-guestagent.service,lima-guestagent,',
'livesys-late.service,SYSV: Late init script for live image.,',
'livesys.service,LSB: Init script for live image.,',
'lm_sensors.service,Hardware Monitoring Sensors,',
'lm-sensors.service,Initialize hardware monitoring sensors,',
'lm_sensors.service,Initialize hardware monitoring sensors,',
'loadcpufreq.service,LSB: Load kernel modules needed to enable cpufreq scaling,',
'logrotate-checkconf.service,Logrotate configuration check,',
'logrotate.service,Rotate log files,',
'logrotate.timer,Daily rotation of log files,',
'logrotate.timer,logrotate.timer,',
'low-memory-monitor.service,Low Memory Monitor,',
'lvm2-lvmpolld.socket,LVM2 poll daemon socket,',
'lvm2-monitor.service,Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling,',
'lxcfs.service,FUSE filesystem for LXC,',
'lxc-monitord.service,LXC Container Monitoring Daemon,',
'lxc-net.service,LXC network bridge setup,',
'lxc.service,LXC Container Initialization and Autoboot Code,',
'lxd-installer.socket,Helper to install lxd snap on demand,',
'machine.slice,Virtual Machine and Container Slice,',
'man-db.service,Daily man-db regeneration,root',
'man-db.timer,Daily man-db regeneration,',
'mcelog.service,Machine Check Exception Logging Daemon,',
'mlocate-updatedb.timer,Updates mlocate database every day,',
'ModemManager.service,Modem Manager,root',
'modprobe@efi_pstore.service,Load Kernel Module efi_pstore,',
'modprobe@pstore_blk.service,Load Kernel Module pstore_blk,',
'modprobe@pstore_zone.service,Load Kernel Module pstore_zone,',
'modprobe@ramoops.service,Load Kernel Module ramoops,',
'monitorix.service,Monitorix,',
'motd-news.timer,Message of the Day,',
'mount-pstore.service,mount-pstore.service,',
'multipathd.service,Device-Mapper Multipath Device Controller,',
'multipathd.socket,multipathd control socket,',
'nessusd.service,The Nessus Vulnerability Scanner,',
'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,',
'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,',
'networking.service,Raise network interfaces,',
'network-local-commands.service,Extra networking commands.,',
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,',
'NetworkManager.service,Network Manager,',
'NetworkManager-wait-online.service,Network Manager Wait Online,',
'network-setup.service,Networking Setup,',
'nginx.service,A high performance web server and a reverse proxy server,',
'nginx.service,Nginx Web Server,nginx',
'nis-domainname.service,Read and set NIS domainname from /etc/sysconfig/network,',
'nix-daemon.service,Nix Daemon,',
'nix-daemon.socket,Nix Daemon Socket,',
'nix-gc.timer,nix-gc.timer,',
'nscd.service,Name Service Cache Daemon,nscd',
'nscd.service,Name Service Cache Daemon (nsncd),nscd',
'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,',
'nvidia-persistenced.service,NVIDIA Persistence Daemon,',
'nvidia-powerd.service,nvidia-powerd service,',
'nvidia-suspend.service,NVIDIA system suspend actions,',
'openvpn.service,OpenVPN service,',
2023-07-12 19:00:36 +00:00
'orbit,/opt/orbit/bin/orbit/linux/stable/orbit,0',
'orbit.service,Orbit osquery,',
'ostree-finalize-staged-hold.service,Hold /boot Open for OSTree Finalize Staged Deployment,',
'ostree-finalize-staged.path,OSTree Monitor Staged Deployment,',
'ostree-finalize-staged.service,OSTree Finalize Staged Deployment,',
'ostree-remount.service,OSTree Remount OS/ Bind Mounts,',
'packagekit.service,PackageKit Daemon,root',
'passim.service,Local Caching Server,passim',
'pcscd.service,PC/SC Smart Card Daemon,',
'pcscd.socket,PC/SC Smart Card Daemon Activation Socket,',
'phpsessionclean.timer,Clean PHP session files every 30 mins,',
'plocate-updatedb.service,Update the plocate database,',
'plocate-updatedb.timer,Update the plocate database daily,',
'plymouth-quit.service,Terminate Plymouth Boot Screen,',
'plymouth-quit-wait.service,Hold until boot process finishes up,',
'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,',
'plymouth-start.service,Show Plymouth Boot Screen,',
'pmcd.service,Performance Metrics Collector Daemon,',
'podman-auto-update.timer,Podman auto-update timer,',
'podman-restart.service,Podman Start All Containers With Restart Policy Set To Always,',
'podman.socket,Podman API Socket,',
'polkit.service,Authorization Manager,',
2023-09-01 21:09:47 +00:00
'polkit.service,Authorization Manager,polkitd',
'postfix@-.service,Postfix Mail Transport Agent (instance -),',
'power-profiles-daemon.service,Power Profiles daemon,',
'proc-sys-fs-binfmt_misc.automount,Arbitrary Executable File Formats File System Automount Point,',
'pulseaudio-enable-autospawn.service,LSB: Enable pulseaudio autospawn,',
'pwrstatd.service,The monitor UPS software.,',
'qemu-kvm.service,QEMU KVM preparation - module, ksm, hugepages,',
'qualys-cloud-agent.service,Qualys cloud agent daemon,',
'raid-check.timer,Weekly RAID setup health check,',
'realmd.service,Realm and Domain Configuration,',
'reflector.service,Refresh Pacman mirrorlist with Reflector.,',
'reflector.timer,Refresh Pacman mirrorlist weekly with Reflector.,',
'reload-systemd-vconsole-setup.service,Reset console on configuration changes,',
'resolvconf-pull-resolved.path,resolvconf-pull-resolved.path,',
'resolvconf.service,Nameserver information manager,',
'resolvconf.service,resolvconf update,',
'rngd.service,Hardware RNG Entropy Gatherer Daemon,',
'rpcbind.service,RPC Bind,',
'rpcbind.socket,RPCbind Server Activation Socket,',
'rpc-statd-notify.service,Notify NFS peers of a restart,',
'rpm-ostree-countme.service,Weekly rpm-ostree Count Me reporting,rpm-ostree',
'rpm-ostree-countme.timer,Weekly rpm-ostree Count Me timer,',
2024-07-12 20:58:31 +00:00
'rpm-ostreed-automatic.service,rpm-ostree Automatic Update,',
'rpm-ostreed-automatic.timer,rpm-ostree Automatic Update Trigger,',
'rpm-ostreed.service,rpm-ostree System Management Daemon,rpm-ostree',
'rsyslog.service,System Logging Service,',
'rtkit-daemon.service,RealtimeKit Scheduling Policy Service,',
'schroot.service,Recover schroot sessions,',
2023-09-01 21:09:47 +00:00
'sddm.service,Simple Desktop Display Manager,',
'serial-getty@hvc0.service,Serial Getty on hvc0,',
'serial-getty@ttyAMA0.service,Serial Getty on ttyAMA0,',
'serial-getty@ttyS0.service,Serial Getty on ttyS0,',
'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot',
'setvtrgb.service,Set console scheme,',
'shadow.service,Verify integrity of password and group files,',
'shadow.timer,Daily verification of password and group files,',
'-.slice,Root Slice,',
'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,',
'smartmontools.service,Self Monitoring and Reporting Technology (SMART) Daemon,',
'snap.canonical-livepatch.canonical-livepatchd.service,Service for snap application canonical-livepatch.canonical-livepatchd,',
'snap.cups.cups-browsed.service,Service for snap application cups.cups-browsed,',
'snap.cups.cupsd.service,Service for snap application cups.cupsd,',
'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,',
'snapd.seeded.service,Wait until snapd is fully seeded,',
'snapd.service,Snap Daemon,',
'snapd.socket,Socket activation for snappy daemon,',
'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,',
'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,',
'snap.multipass.multipassd.service,Service for snap application multipass.multipassd,',
'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,',
'sshd.service,OpenSSH Daemon,',
'sshd.service,OpenSSH server daemon,',
'sshd.service,SSH Daemon,',
'sshd-unix-local.socket,OpenSSH Server Socket (systemd-ssh-generator, AF_UNIX Local),',
'ssh.service,OpenBSD Secure Shell server,',
'ssh.socket,OpenBSD Secure Shell server socket,',
'sssd-kcm.service,SSSD Kerberos Cache Manager,',
'sssd-kcm.service,SSSD Kerberos Cache Manager,sssd',
'sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,',
'supergfxd.service,SUPERGFX,',
'swapfile.swap,/swapfile,',
'swap.img.swap,/swap.img,',
'switcheroo-control.service,Switcheroo Control Proxy service,',
'swtpm-workaround.service,Workaround swtpm not having the correct label,',
'syslog.socket,Syslog Socket,',
'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,',
'sysstat.service,Resets System Activity Logs,root',
'sysstat-summary.timer,Generate summary of yesterday''s process accounting,',
'system-cups.slice,CUPS Slice,',
'systemd-ask-password-console.path,Dispatch Password Requests to Console Directory Watch,',
'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,',
'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,',
'systemd-binfmt.service,Set Up Additional Binary Formats,',
'systemd-bootctl.socket,Boot Entries Service Socket,',
'systemd-boot-random-seed.service,Update Boot Loader Random Seed,',
'systemd-boot-update.service,Automatic Boot Loader Update,',
'systemd-coredump.socket,Process Core Dump Socket,',
'systemd-creds.socket,Credential Encryption/Decryption,',
'systemd-fsckd.socket,fsck to fsckd communication Socket,',
'systemd-fsck-root.service,File System Check on Root Device,',
'systemd-growfs@-.service,Grow File System on /,',
'systemd-homed-activate.service,Home Area Activation,',
'systemd-homed.service,Home Area Manager,',
'systemd-hostnamed.service,Hostname Service,',
'systemd-hostnamed.socket,Hostname Service Socket,',
'systemd-hwdb-update.service,Rebuild Hardware Database,',
'systemd-initctl.socket,initctl Compatibility Named Pipe,',
'systemd-journal-catalog-update.service,Rebuild Journal Catalog,',
'systemd-journald-audit.socket,Journal Audit Socket,',
'systemd-journald-dev-log.socket,Journal Socket (/dev/log),',
'systemd-journald.service,Journal Service,',
'systemd-journald.socket,Journal Socket,',
'systemd-journald.socket,Journal Sockets,',
'systemd-journal-flush.service,Flush Journal to Persistent Storage,',
'systemd-localed.service,Locale Service,',
'systemd-logind.service,User Login Management,',
'systemd-machined.service,Virtual Machine and Container Registration Service,',
'systemd-machine-id-commit.service,Commit a transient machine-id on disk,',
'systemd-modules-load.service,Load Kernel Modules,',
'systemd-mountfsd.socket,DDI File System Mounter Socket,',
'systemd-networkd.service,Network Configuration,systemd-network',
'systemd-networkd.socket,Network Service Netlink Socket,',
'systemd-networkd-wait-online.service,Wait for Network to be Configured,',
'systemd-network-generator.service,Generate network units from Kernel command line,',
'systemd-nsresourced.service,Namespace Resource Manager,',
'systemd-nsresourced.socket,Namespace Resource Manager Socket,',
'systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom',
'systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,',
'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,',
'systemd-pcrphase.service,TPM2 PCR Barrier (User),',
'systemd-pcrphase-sysinit.service,TPM2 PCR Barrier (Initialization),',
'systemd-pstore.service,Platform Persistent Storage Archival,',
'systemd-random-seed.service,Load/Save OS Random Seed,',
'systemd-random-seed.service,Load/Save Random Seed,',
'systemd-remount-fs.service,Remount Root and Kernel File Systems,',
'systemd-resolved.service,Network Name Resolution,systemd-resolve',
'systemd-rfkill.socket,Load/Save RF Kill Switch Status /dev/rfkill Watch,',
'systemd-suspend.service,System Suspend,',
'systemd-sysctl.service,Apply Kernel Variables,',
'systemd-sysext.socket,System Extension Image Management,',
'systemd-sysext.socket,System Extension Image Management (Varlink),',
'systemd-sysusers.service,Create System Users,',
'systemd-timedated.service,Time & Date Service,',
'systemd-timesyncd.service,Network Time Synchronization,systemd-timesync',
'systemd-tmpfiles-clean.timer,Daily Cleanup of Temporary Directories,',
'systemd-tmpfiles-setup-dev-early.service,Create Static Device Nodes in /dev gracefully,',
'systemd-tmpfiles-setup-dev.service,Create Static Device Nodes in /dev,',
2024-07-12 20:58:31 +00:00
'systemd-tmpfiles-setup.service,Create System Files and Directories,',
'systemd-tmpfiles-setup.service,Create Volatile Files and Directories,',
'systemd-udevd-control.socket,udev Control Socket,',
'systemd-udevd-kernel.socket,udev Kernel Socket,',
'systemd-udevd.service,Rule-based Manager for Device Events and Files,',
'systemd-udev-load-credentials.service,Load udev Rules from Credentials,',
'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,',
'systemd-udev-trigger.service,Coldplug All udev Devices,',
'systemd-update-done.service,Update is Completed,',
'systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,',
'systemd-update-utmp.service,Update UTMP about System Boot/Shutdown,',
'systemd-userdbd.service,User Database Manager,',
'systemd-userdbd.socket,User Database Manager Socket,',
'systemd-user-sessions.service,Permit User Sessions,',
'systemd-vconsole-setup.service,Setup Virtual Console,',
2023-09-01 21:09:47 +00:00
'systemd-vconsole-setup.service,Virtual Console Setup,',
'system.slice,System Slice,',
'tailscaled.service,Tailscale node agent,',
'thermald.service,Thermal Daemon Service,',
'tlp.service,TLP system startup/shutdown,',
'touchegg.service,Touchégg Daemon,',
'tuned-ppd.service,PPD-to-TuneD API Translation Daemon,',
'tuned.service,Dynamic System Tuning Daemon,',
'ua-timer.timer,Ubuntu Advantage Timer for running repeated jobs,',
'ua-timer.timer,Ubuntu Pro Timer for running repeated jobs,',
'ublue-system-setup.service,Configure system,',
'ublue-update.service,Universal Blue Update Oneshot Service,',
'ublue-update.timer,Auto Update System Timer For Universal Blue,',
'ubuntu-fan.service,Ubuntu FAN network setup,',
'udisks2.service,Disk Manager,',
'ufw.service,Uncomplicated firewall,',
'unattended-upgrades.service,Unattended Upgrades Shutdown,',
'unbound-anchor.timer,daily update of the root trust anchor for DNSSEC,',
'updatedb.timer,Daily locate database update,',
'update-notifier-download.timer,Download data for packages that failed at package install time,',
'update-notifier-motd.timer,Check to see whether there is a new version of Ubuntu available,',
'upower.service,Daemon for power management,',
'uresourced.service,User resource assignment daemon,',
'usbmuxd.service,Socket daemon for the usbmux protocol used by Apple devices,',
'user.slice,User and Session Slice,',
'uuidd.service,Daemon for generating UUIDs,uuidd',
'uuidd.socket,UUID daemon activation socket,',
'v4l2-relayd.service,v4l2-relay daemon service,',
'vboxautostart-service.service,vboxautostart-service.service,',
'vboxballoonctrl-service.service,vboxballoonctrl-service.service,',
'vboxdrv.service,VirtualBox Linux kernel module,',
'vboxweb-service.service,vboxweb-service.service,',
2023-07-12 19:00:36 +00:00
'velociraptor_client.service,Velociraptor linux client,',
'velociraptor_server.service,Velociraptor server,velociraptor',
'virtinterfaced-admin.socket,libvirt interface daemon admin socket,',
'virtinterfaced-ro.socket,libvirt interface daemon read-only socket,',
'virtinterfaced.socket,libvirt interface daemon socket,',
'virtinterfaced.socket,Libvirt interface local socket,',
'virtlockd-admin.socket,libvirt locking daemon admin socket,',
'virtlockd.socket,libvirt locking daemon socket,',
'virtlockd.socket,Virtual machine lock manager socket,',
'virtlogd-admin.socket,libvirt logging daemon admin socket,',
'virtlogd-admin.socket,Virtual machine log manager socket,',
'virtlogd.service,Virtual machine log manager,',
'virtlogd.socket,libvirt logging daemon socket,',
'virtlogd.socket,Virtual machine log manager socket,',
'virtlxcd-admin.socket,libvirt LXC daemon admin socket,',
'virtlxcd-ro.socket,libvirt LXC daemon read-only socket,',
'virtlxcd.socket,libvirt LXC daemon socket,',
'virtnetworkd-admin.socket,libvirt network daemon admin socket,',
'virtnetworkd-ro.socket,libvirt network daemon read-only socket,',
'virtnetworkd.socket,libvirt network daemon socket,',
'virtnetworkd.socket,Libvirt network local socket,',
'virtnodedevd-admin.socket,libvirt nodedev daemon admin socket,',
'virtnodedevd-ro.socket,libvirt nodedev daemon read-only socket,',
'virtnodedevd.socket,libvirt nodedev daemon socket,',
'virtnodedevd.socket,Libvirt nodedev local socket,',
'virtnwfilterd-admin.socket,libvirt nwfilter daemon admin socket,',
'virtnwfilterd-ro.socket,libvirt nwfilter daemon read-only socket,',
'virtnwfilterd.socket,libvirt nwfilter daemon socket,',
'virtnwfilterd.socket,Libvirt nwfilter local socket,',
'virtproxyd-admin.socket,libvirt proxy daemon admin socket,',
'virtproxyd-ro.socket,libvirt proxy daemon read-only socket,',
'virtproxyd.socket,libvirt proxy daemon socket,',
'virtproxyd.socket,Libvirt proxy local socket,',
'virtqemud-admin.socket,Libvirt qemu admin socket,',
'virtqemud-admin.socket,libvirt QEMU daemon admin socket,',
'virtqemud-ro.socket,libvirt QEMU daemon read-only socket,',
'virtqemud-ro.socket,Libvirt qemu local read-only socket,',
'virtqemud.service,Virtualization qemu daemon,',
'virtqemud.socket,libvirt QEMU daemon socket,',
'virtqemud.socket,Libvirt qemu local socket,',
'virtsecretd-admin.socket,libvirt secret daemon admin socket,',
'virtsecretd-ro.socket,libvirt secret daemon read-only socket,',
'virtsecretd.socket,libvirt secret daemon socket,',
'virtsecretd.socket,Libvirt secret local socket,',
'virtstoraged-admin.socket,libvirt storage daemon admin socket,',
'virtstoraged-ro.socket,libvirt storage daemon read-only socket,',
'virtstoraged.socket,libvirt storage daemon socket,',
'virtstoraged.socket,Libvirt storage local socket,',
'virtvboxd-admin.socket,libvirt VirtualBox daemon admin socket,',
'virtvboxd-ro.socket,libvirt VirtualBox daemon read-only socket,',
'virtvboxd.socket,libvirt VirtualBox daemon socket,',
'vnstat.service,vnStat network traffic monitor,vnstat',
'whoopsie.path,Start whoopsie on modification of the /var/crash directory,',
'wickedd-auto4.service,wicked AutoIPv4 supplicant service,',
'wickedd-dhcp4.service,wicked DHCPv4 supplicant service,',
'wickedd-dhcp6.service,wicked DHCPv6 supplicant service,',
'wickedd-nanny.service,wicked network nanny service,',
'wickedd.service,wicked network management service daemon,',
'wicked.service,wicked managed network interfaces,',
'wpa_supplicant.service,WPA supplicant,',
'zfs-import-cache.service,Import ZFS pools by cache file,',
'zfs-load-key-rpool.service,Load ZFS key for rpool,',
'zfs-load-module.service,Install ZFS kernel module,',
'zfs-mount.service,Mount ZFS filesystems,',
'zfs-scrub.service,ZFS pools scrubbing,',
'zfs-scrub.timer,zfs-scrub.timer,',
'zfs-share.service,ZFS file system shares,',
'zfs-snapshot-daily.service,ZFS auto-snapshotting every day,',
'zfs-snapshot-frequent.service,ZFS auto-snapshotting every 15 mins,',
'zfs-snapshot-hourly.service,ZFS auto-snapshotting every hour,',
'zfs-volume-wait.service,Wait for ZFS Volume (zvol) links in /dev,',
'zfs-zed.service,ZFS Event Daemon (zed),',
'znapzend.service,ZnapZend - ZFS Backup System,root',
'zpool-trim.service,ZFS pools trim,',
'zpool-trim.timer,zpool-trim.timer,'
)
2024-08-27 01:10:08 +00:00
OR exception_key LIKE 'boot-sysctl.service,Apply Kernel Variables for % from /boot,'
OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0'
OR exception_key LIKE 'drkonqi-coredump-processor@%.service,Pass systemd-coredump journal entries to relevant user for potential DrKonqi handling,'
OR exception_key LIKE 'machine-qemu%.scope,Virtual Machine qemu%,'
2024-08-27 01:10:08 +00:00
OR exception_key LIKE 'run-media-%.mount,run-media-%.mount,'
OR exception_key LIKE 'systemd-cryptsetup@%.service,Cryptography Setup for %,'
OR exception_key LIKE 'zfs-snapshot-%.service,zfs-snapshot-%.service,'
2024-08-27 01:10:08 +00:00
OR exception_key LIKE 'zfs-snapshot-%.timer,zfs-snapshot-%.timer,'
OR exception_key LIKE 'snap-aws\x2dcli-%.mount,Mount unit for aws-cli, revision %'
OR id LIKE ''
OR id LIKE 'dev-disk-by%.swap'
OR id LIKE 'dev-mapper-%.swap'
OR id LIKE 'dev-zram%.swap'
OR id LIKE 'docker-%.scope'
OR id LIKE 'getty@tty%.service'
OR id LIKE 'home-manager-%.service'
OR id LIKE 'lvm2-pvscan@%.service'
OR id LIKE 'session-%.scope'
OR id LIKE 'system-systemd%cryptsetup.slice'
OR id LIKE 'systemd-backlight@%.service'
OR id LIKE 'systemd-cryptsetup@luks%.service'
OR id LIKE 'systemd-cryptsetup@nvme%.service'
OR id LIKE 'systemd-fsck@dev-disk-by%service'
OR id LIKE 'systemd-zram-setup@zram%.service'
OR id LIKE 'user-runtime-dir@%.service'
OR id LIKE 'user@%.service'
OR id LIKE 'akmods@%64.service'
)
2023-02-24 21:30:17 +00:00
)