RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

More tuning, quiet deaths

This commit is contained in:
Thomas Stromberg 2022-09-21 13:34:10 -04:00
parent 0c54748749
commit 3dfda437ab
Failed to extract signature
10 changed files with 100 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
fd/unexpected-dev-opener-linux.sql
View File

@ -33,13 +33,15 @@ WHERE pof.path LIKE '/dev/%'
'/dev/rfkill',
'/dev/snd/seq',
'/dev/urandom',
'/dev/vga_arbiter'
'/dev/vga_arbiter',
'/dev/video10' -- workaround for poor regex management (ffmpeg)
)
AND pof.path NOT LIKE "/dev/pts/%"
AND pof.path NOT LIKE "/dev/snd/%"
AND pof.path NOT LIKE "/dev/tty%"
AND pof.path NOT LIKE "/dev/hidraw%"
AND pof.path NOT LIKE "/dev/shm/.com.google.Chrome.%"
AND pof.path NOT LIKE "/dev/shm/.org.chromium.Chromium.%"
AND NOT dir_exception IN (
'/dev/bus/usb,pcscd',
'/dev/bus/usb/001,pcscd',
@ -56,6 +58,7 @@ WHERE pof.path LIKE '/dev/%'
'/dev/shm,chrome',
'/dev/shm,code',
'/dev/shm,electron',
'/dev/shm,Brackets',
'/dev/shm,firefox',
'/dev/shm,gopls',
'/dev/shm,java',
@ -83,7 +86,9 @@ WHERE pof.path LIKE '/dev/%'
'/dev/tty,agetty',
'/dev/tty,gdm-wayland-session',
'/dev/tty,gdm-x-session',
'/dev/usb/hiddev,apcupsd',
'/dev/tty,systemd-logind',
'/dev/usb/hiddev,upowerd',
'/dev/tty,Xorg',
'/dev/uinput,bluetoothd',
'/dev/video,chrome',
@ -93,8 +98,8 @@ WHERE pof.path LIKE '/dev/%'
'/dev/video,obs',
'/dev/video,vlc',
'/dev/zfs,zed',
"/dev/zfs,zfs"
'/dev/zfs,zfs'
)
-- shows up as python
AND NOT (program_name IN ('streamdeck') AND device LIKE "/dev/bus/usb/%")
AND NOT (device LIKE "/dev/bus/usb/%" AND program_name IN ('streamdeck', 'gphoto2'))
GROUP BY pof.pid

4
fs/unexpected-ld-so-files-linux.sql
View File

@ -23,14 +23,16 @@ WHERE (
'/etc/ld.so.conf,0644,117,dad04a370e488aa85fb0a813a5c83cf6fd981ce01883fc59685447b092de84b5',
'/etc/ld.so.conf,0644,28,239c865e4c0746a01f82b03d38d620853bab2a2ba8e81d6f5606c503e0ea379f',
'/etc/ld.so.conf,0644,34,d4b198c463418b493208485def26a6f4c57279467b9dfa491b70433cedb602e8',
'/etc/ld.so.conf.d/cuda.conf,0644,66,a65f7d96e2447eb40b1be9586b90eb0bd776a8938c93d21f9606d2880b548b28',
'/etc/ld.so.conf.d/dyninst-x86_64.conf,0644,19,a4c740c1f59176d816ba18d429ba823317d3db416accf6d79a9cb0ac845d9d50',
'/etc/ld.so.conf.d/fakeroot.conf,0644,21,564c4c4d369d005702d825d34edc5e5568cb1ab6ee1b19fa03d0d672fb8b3aee',
'/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf,0644,38,af7edc777dd224bade078ba540538444db69856533c02e18a7f9fbbdd23bd181',
'/etc/ld.so.conf.d/fakeroot.conf,0644,21,564c4c4d369d005702d825d34edc5e5568cb1ab6ee1b19fa03d0d672fb8b3aee',
'/etc/ld.so.conf.d/i386-linux-gnu.conf,0644,168,023231b8d6d21a7f4b1a59b875576604395041c814c0fd640d4a1d3d29455e6a',
'/etc/ld.so.conf.d/lib32-glibc.conf,0644,11,c27424154a6096ae32c0824b785e05de6acef33d9224fd6147d1936be9b4962b',
'/etc/ld.so.conf.d/libc.conf,0644,44,90d4c7e43e7661cd116010eb9f50ad5817e43162df344bd1ad10898851b15d41',
'/etc/ld.so.conf.d/libiscsi-x86_64.conf,0644,17,fa3839c3cb893d3a589a020a0a9a010de1332b8385ee8139660e2da8bcc932a3',
'/etc/ld.so.conf.d/llvm13-x86_64.conf,0644,22,4da62e9ec76b030c527e2ea87ccfab1baeff7d0f9092f980231e49961bb97de0',
'/etc/ld.so.conf.d/opencollada.conf,0644,21,2fc9656a2b881ca4528416daa91fc525adaa97d73e96a18b41aa7856270eba1f',
'/etc/ld.so.conf.d/pipewire-jack-x86_64.conf,0644,30,cf4cb69feaa8ec8b99558c4e1123518831b3c56488981cbc34a662fe218ef221',
'/etc/ld.so.conf.d/tix-x86_64.conf,0644,18,b2ef4843990ded5fd96e417fc08027a785fac59bd70eca6a26dd7b057542273a',
'/etc/ld.so.conf.d/x86_64-linux-gnu.conf,0644,100,f03e4740e6922b4f4a1181cd696b52f62f9f10d003740a8940f7121795c59c98'

2
net/unexpected-listening-port-linux.sql
View File

@ -22,6 +22,7 @@ WHERE port != 0
"10256,6,0,kube-proxy",
"17,255,500,dhcpcd",
"1716,6,500,kdeconnectd",
"3551,6,0,apcupsd",
"22,6,0,sshd",
"22000,6,500,syncthing",
"3000,6,0,docker-proxy",
@ -34,6 +35,7 @@ WHERE port != 0
"5000,6,500,ControlCenter",
"5001,6,0,registry",
"53,17,0,coredns",
"8123,6,500,Brackets-node",
"53,6,0,coredns",
"53,6,500,dnsmasq",
"5355,6,193,systemd-resolve",

29
net/unexpected-talkers-linux.sql
View File

@ -33,6 +33,7 @@ AND NOT (
'chrome',
'chrome',
'chronyd',
'systemd-resolve',
'cloud_sql_proxy',
'code',
'containerd',
@ -46,6 +47,7 @@ AND NOT (
'gh',
'git-remote-http',
'gitsign',
'systemd-resolve',
'gnome-software',
'go',
'grafana-server',
@ -95,21 +97,21 @@ AND NOT (
)
AND NOT exception_key IN (
'123,17,500,chronyd',
'22,6,,', -- shortlived SSH (git push)
'22,6,500,ssh',
'22067,6,500,syncthing',
'22,6,500,ssh',
'22,6,,', -- shortlived SSH (git push)
'27024,6,500,steam',
'3307,6,500,cloud_sql_proxy',
'4070,6,500,spotify',
'443,17,500,chrome',
'443,17,500,jcef_helper',
'443,17,500,spotify',
'443,6,0,.tailscaled-wra',
'443,6,0,dnf',
'443,6,0,launcher',
'443,6,0,pacman',
'443,6,0,tailscaled',
'443,6,0,.tailscaled-wra',
'443,6,472,grafana-server',
'443,6,500,.firefox-wrappe',
'443,6,500,1password',
'443,6,500,chainctl',
'443,6,500,chrome',
@ -119,10 +121,9 @@ AND NOT exception_key IN (
'443,6,500,controlplane',
'443,6,500,crc',
'443,6,500,electron',
'443,6,500,Socket Process',
'443,6,500,firefox',
'443,6,500,.firefox-wrappe',
'443,6,500,gh',
'443,17,500,jcef_helper',
'443,6,500,git-remote-http',
'443,6,500,gitsign',
'443,6,500,gnome-software',
@ -137,35 +138,41 @@ AND NOT exception_key IN (
'443,6,500,ngrok',
'443,6,500,nix',
'443,6,500,node',
'443,6,500,flameshot',
'443,6,500,obs',
'443,6,500,obs-browser-page',
'443,6,500,obs-ffmpeg-mux',
'443,6,500,obs',
'443,6,500,obsidian',
'443,6,500,signal-desktop',
'443,6,500,slack',
'443,6,500,snap-store',
'443,6,500,Socket Process',
'443,6,500,spotify',
'443,6,500,steamwebhelper',
'443,6,500,terraform-provi',
'443,6,500,terraform',
'443,6,500,terraform-provi',
'443,6,500,tkn',
'443,6,500,vcluster',
'443,6,500,xmobar',
'443,6,500,yay',
'443,6,500,Brackets',
'8801,17,500,zoom',
'443,6,500,zoom',
'5228,6,500,chrome',
'80,6,0,.tailscaled-wra',
'80,6,0,tailscaled',
'80,6,0,dnf',
'80,6,0,NetworkManager',
'80,6,0,tailscaled',
'80,6,0,.tailscaled-wra',
'80,6,500,firefox',
'80,6,500,.firefox-wrappe',
'80,6,500,steam',
'80,6,500,steamwebhelper',
'80,6,500,syncthing'
)
AND NOT (p.name = 'syncthing' AND (remote_port IN (53,80,88,110,443,587,993,3306,7451) OR remote_port > 8000))
AND NOT (p.name IN ('chrome', 'Google Chrome Helper','Brave Browser Helper', 'Chromium Helper', 'Opera Helper') AND remote_port IN (53,443,80,8009,8080,8888,8443,5228,32211,53,10001,3478,19305,19306,19307,19308,19309))
AND NOT (p.name IN ('chrome', 'Google Chrome Helper','Brave Browser Helper', 'Chromium Helper', 'Opera Helper') AND remote_port IN (53,443,80,9000,5004,8009,8080,8888,8443,5228,32211,53,10001,3478,19305,19306,19307,19308,19309))
AND NOT (p.name IN ('Mail', 'thunderbird', 'Spark', 'Notes') AND remote_port IN (53,143,443,587,465,585,993))
AND NOT (p.name IN ('spotify', 'Spotify Helper', 'Spotify') AND remote_port IN (53,443,8009,4070,32211))
AND NOT (remote_port IN (443,53) AND p.name LIKE 'terraform-provider-%')

13
net/unexpected-talkers-macos.sql
View File

@ -92,6 +92,7 @@ AND NOT (
)
AND NOT exception_key IN (
'22,6,500,ssh,,',
'22,6,500,ssh,com.apple.openssh,Software Signing',
'22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
'43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
@ -100,13 +101,18 @@ AND NOT exception_key IN (
'443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
'443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)',
'443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,500,bash,bash,',
'443,6,500,gitsign,,',
'443,6,500,chainctl,,',
'443,6,500,gh,gh,',
'443,6,500,chainctl,a.out,',
'443,6,500,python3.10,python3.10,',
'443,6,500,cloud_sql_proxy,a.out,',
'443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,cosign,a.out,',
'443,6,500,curl,com.apple.curl,Software Signing',
'443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
@ -116,6 +122,7 @@ AND NOT exception_key IN (
'443,6,500,istioctl,a.out,',
'443,6,500,ko,a.out,',
'443,6,500,kubectl,a.out,',
'443,6,500,python3.10,python3.10,',
'443,6,500,Python,org.python.python,',
'443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
'443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
@ -123,13 +130,13 @@ AND NOT exception_key IN (
'443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'443,6,500,vim,vim,',
'443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'443,6,500,zsh,com.apple.zsh,Software Signing',
'80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing'
)
AND NOT (p.name = 'syncthing' AND (remote_port IN (53,80,88,110,443,587,993,3306,7451) OR remote_port > 8000))
AND NOT (p.name IN ('Google Chrome Helper','Brave Browser Helper', 'Chromium Helper', 'Opera Helper') AND remote_port IN (53,443,80,8009,8080,8888,8443,5228,32211,53,10001,3478,19305,19306,19307,19308,19309))
AND NOT (p.name IN ('Google Chrome Helper','Brave Browser Helper', 'Chromium Helper', 'Opera Helper') AND remote_port IN (53,443,80,8009,8080,8888,8443,5228,32211,53,10001,3478,19305,19306,5004,9000,19307,19308,19309))
AND NOT (p.name IN ('Mail', 'thunderbird', 'Spark', 'Notes') AND remote_port IN (53,143,443,587,465,585,993))
AND NOT (p.name IN ('Spotify Helper', 'Spotify') AND remote_port IN (53,443,8009,4070,32211))
AND NOT (remote_port IN (53,443) AND p.name LIKE 'terraform-provider-%')

1
process/low_start_time_ctime_delta.sql
View File

@ -32,6 +32,7 @@ WHERE p.start_time > 0
'/usr/sbin/tailscaled'
)
AND NOT p.path LIKE "/Applications/%.app/%"
AND NOT p.path LIKE "/private/var/folders/%/bin/istioctl"
AND NOT p.path LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
AND NOT p.path LIKE "/private/var/folders/%/go-build%/exe/%"
AND NOT p.path LIKE "/nix/store/%/bin/%"

1
process/missing-from-disk-linux.sql
View File

@ -24,6 +24,7 @@ AND p.path NOT IN (
"/usr/bin/fusermount3",
"/usr/bin/gjs-console",
"/usr/bin/gnome-shell",
'/usr/lib/gnome-shell-calendar-server',
"/usr/bin/kded5",
"/usr/bin/pipewire-pulse",
"/usr/bin/tailscaled",

14
process/name_path_mismatch.sql
View File

@ -27,25 +27,38 @@ FROM processes p
LEFT JOIN hash AS phash ON pp.path = phash.path
WHERE short_filename != short_name
AND NOT cmd LIKE "/nix/store/%/bin/bash%"
-- Serial masqueraders
AND NOT short_filename IN (
'bash',
'ruby',
'python',
'python3'
)
AND exception_key NOT IN (
'name=(sd-pam),file=systemd,500',
'name=chrome-gnome-s,file=python3,500',
'name=code-oss,file=electron,500',
'name=firefox-wrappe,file=firefox,500',
'name=blueman-tray,file=python3,500',
'name=firewalld,file=python3,0',
'name=gjs,file=gjs-console,500',
'name=gnome-tweak-to,file=python3,500',
'name=gsettings-hel,file=gsettings-help,500',
'name=Isolated,file=firefox,500',
'name=sd_espeak-ng-m,file=sd_espeak-ng,500',
'name=mysqld,file=mariadbd,500',
'name=networkd-dispa,file=python3,0',
'name=nix-daemon,file=nix,0',
'name=npm,file=node,500',
'name=osqueryi,file=osqueryd,500',
'name=blueman-applet,file=python3,500',
'name=phpstorm,file=dash,500',
'name=Privileged,file=firefox,500',
'name=RDD,file=firefox,500',
'name=sh,file=dash,0',
'name=zoom,file=ZoomLauncher,500',
'name=sh,file=dash,500',
'name=Socket,file=firefox,500',
'name=streamdeck,file=python3,500',
@ -53,6 +66,7 @@ AND exception_key NOT IN (
'name=terminator,file=python3,500',
'name=unattended-upg,file=python3,0',
'name=Utility,file=firefox,500',
'name=zfs-auto-snaps,file=ruby,0',
'name=Web,file=firefox,500',
'name=WebExtensions,file=firefox,500',
'name=X,file=Xorg,0'

30
process_events/exotic-command-events.sql
View File

@ -12,7 +12,7 @@ SELECT p.pid,
p.syscall,
pp.path AS parent_path,
pp.name AS parent_name,
p.cmdline AS parent_cmd,
TRIM(p.cmdline) AS parent_cmd,
pp.euid AS parent_euid,
hash.sha256 AS parent_sha256
FROM uptime, process_events p
@ -39,7 +39,7 @@ WHERE p.time > (strftime('%s', 'now') -15)
-- Known attack scripts
OR basename LIKE '%pwn%'
OR cmd LIKE '%attack%'
OR basename LIKE '%attack%'
-- Unusual behaviors
OR cmd LIKE '%ufw disable%'
OR cmd LIKE '%iptables -P % ACCEPT%'
@ -87,32 +87,18 @@ WHERE p.time > (strftime('%s', 'now') -15)
)
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
AND parent_name IN ('firewalld')
AND parent_name IN ('firewalld','mkinitramfs')
)
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
AND uptime.total_seconds < 15
)
-- gpgtools
AND NOT (
p.path = '/usr/bin/mkfifo'
AND cmd LIKE '%/org.gpgtools.log.%/fifo'
)
-- Dropbox
AND NOT (
parent_name = 'Dropbox'
AND cmd LIKE 'csrutil status'
)
-- Docker, kube-proxy
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
AND parent_name IN ('dockerd', 'kube-proxy')
)
AND NOT (p.path = '/usr/bin/mkfifo' AND cmd LIKE '%/org.gpgtools.log.%/fifo')
AND NOT (cmd LIKE '%csrutil status' AND parent_name IN ('Dropbox'))
AND NOT (cmd='/usr/bin/csrutil status' AND p.parent=-1)
AND NOT (p.path IN ('/usr/bin/kmod', '/bin/kmod') AND parent_name IN ('dockerd', 'kube-proxy'))
AND NOT cmd LIKE 'modprobe -va%'
AND NOT cmd LIKE 'modprobe -ab%'
AND NOT cmd LIKE '%modprobe overlay'
AND NOT cmd LIKE '%modprobe aufs'
AND NOT cmd IN (
'lsmod'
)
AND NOT cmd IN ('lsmod')

64
startup/unexpected-active-systemd-units.sql
View File

@ -19,15 +19,10 @@ WHERE active_state != "inactive"
)
AND (
exception_key IN (
"systemd-hostnamed.service,Hostname Service,uid=,,sz=1205,eb16153c65d8a65fe001071e6270ee76fecb4fc6c19b8a7c0590f6ce9a873a99",
"anacron.service,Run anacron jobs,uid=,,sz=776,87d260ea7cc447dd052c131106749df24f0bdfb746a1ea3b893e107517b629e6",
"NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,uid=,,sz=637,77f8c9e7b0c5d1cd097454d201cdceaefbcb9fdc2557fb9c1ddef0b4ff02f04e",
"geoclue.service,Location Lookup Service,uid=geoclue,,sz=464,d9e1a7eced6193866f048ce9de97809d5f2896e1e3f15d559710bb87d50a054a",
"fprintd.service,Fingerprint Authentication Daemon,uid=,,sz=896,a30798db998d8f2f9d9b583bb266e23bce083154214b7b78b19fdd33ee6b7e25",
"abrtd.service,ABRT Automated Bug Reporting Tool,uid=,,sz=469,85f5425b015db6b09e8931e290c62428d21159ad6e2d47e3a7cdb3b9dc1e058e",
"abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,uid=,,sz=226,184d8a87f2d47ddece07cde34817c7534068f2afb7cd2d33815b9283d2fd878a",
"abrt-oops.service,ABRT kernel log watcher,uid=,,sz=233,998d6cfa2884de1d94da25b330b5f62dc21b8d77c88eca09299942c735c9f743",
"abrt-xorg.service,ABRT Xorg log watcher,uid=,,sz=231,873cfba658136c028eebe49d0dfaee947c9724baf4e0814486b39c1474d4e058",
"abrtd.service,ABRT Automated Bug Reporting Tool,uid=,,sz=469,85f5425b015db6b09e8931e290c62428d21159ad6e2d47e3a7cdb3b9dc1e058e",
"accounts-daemon.service,Accounts Service,uid=,,sz=1985,71c667ab63b92b0c0cab646310561e7b8c97d8ef23dbeff766419b9b197a9705",
"accounts-daemon.service,Accounts Service,uid=,,sz=1990,5be07366f5df8e91a0da8ca37552f36dfee0c1da8a042fd519b8e6d8d046b3cd",
"accounts-daemon.service,Accounts Service,uid=,,sz=2178,154251d7d41f91bd3b5711a4b130d2531ee87f11551ccad130ff1e22df98b323",
@ -41,14 +36,16 @@ WHERE active_state != "inactive"
"alsa-restore.service,Save/Restore Sound Card State,uid=,,sz=613,ad47562bf39044547594b9cb306804820c0a53ae4dda2d2279bd5de4627fe946",
"alsa-state.service,Manage Sound Card State (restore and store),uid=,,sz=465,f8452094c7ec5b6dc9ed3f00195efd29562af7617b3d2bc02647da70089812d3",
"alsa-store.service,Store Sound Card State,uid=,,sz=1208,47c0875cb666da1a4157bbf18e513c217cbd1d827efd389655a45017b28db935",
"anacron.service,Run anacron jobs,uid=,,sz=776,87d260ea7cc447dd052c131106749df24f0bdfb746a1ea3b893e107517b629e6",
"anacron.timer,Trigger anacron every hour,uid=,,sz=154,13cce6a72c725a65ab440b38241bd8f6683b2a4a38f559ba9cad6ecde56f84a6",
"apcupsd.service,APC UPS Power Control Daemon for Linux,uid=,,sz=304,f850d7b28c52186b351ae89d1ec8f68ccd972155e618a0b23a2e3a1f620c6c37",
"apparmor.service,Load AppArmor profiles,uid=,,sz=1162,02c4d752e9f13dde845cab6c067a790c7af61b3c414b82781d29881a37ec5e19",
"apport.service,LSB: automatic crash report generation,uid=,/etc/init.d/apport,sz=518,8b8d235c366ae9b433af073c5a813e3465e0d6c66e3f398ba73095c9f6d33363",
"apt-daily-upgrade.timer,Daily apt upgrade and clean activities,uid=,,sz=184,b804d7bab8eb41202384f9270e25d5383346ace8b3d7c4f5029c150638d77bcd",
"apt-daily.timer,Daily apt download activities,uid=,,sz=156,0075e974af4e3a94757e219ba50ccb8348d4d1a8834d938f6cc9b1f4fd1db4e5",
"apt-daily-upgrade.timer,Daily apt upgrade and clean activities,uid=,,sz=184,b804d7bab8eb41202384f9270e25d5383346ace8b3d7c4f5029c150638d77bcd",
"archlinux-keyring-wkd-sync.timer,Refresh existing PGP keys of archlinux-keyring regularly,uid=,,sz=176,407a73b906ae0c5f067fa2dc8eb53bdea481e5d47bc09c7dd46acac60792288f",
"audit.service,Kernel Auditing,uid=,,sz=1281,86c98bd2414533f8b12718d04a6aff56dd007443e3928052d815c2341639141b",
"auditd.service,Security Auditing Service,uid=,,sz=1700,de2fd0b124efcd46a077eedefe8e137e6c36b7773aab4194147c7b6fca947299",
"audit.service,Kernel Auditing,uid=,,sz=1281,86c98bd2414533f8b12718d04a6aff56dd007443e3928052d815c2341639141b",
"avahi-daemon.service,Avahi mDNS/DNS-SD Stack,uid=,,sz=1042,24157f554fc3dd760f4b3715345c1385d09ad4b12687cae6cc715c2b2d5222b7",
"avahi-daemon.service,Avahi mDNS/DNS-SD Stack,uid=,,sz=1044,2e8784f74603b0e7b03147eada1f1f8ec190fdef0c3fa1041201ac71ac2c0a7d",
"avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,uid=,,sz=870,53aa111dadc10bba319e0346e399c607a80ae6ffcded55f3cd3102c6d71995b0",
@ -67,8 +64,8 @@ WHERE active_state != "inactive"
"colord.service,Manage, Install and Generate Color Profiles,uid=colord,,sz=295,06e271b1e8bfe1aa89800f1188470ce7a5725e73faf4be877f48785e30766fa9",
"console-setup.service,Set console font and keymap,uid=,,sz=312,50a0af31bcdcd939ad7e3f2ddfcee04e82313c5d6a8d2ed47f23dfdc1f9f2bfd",
"containerd.service,containerd container runtime,uid=,,sz=1264,cd953d771009d8a483a50ce7ccaf2a85375100d616e4491cd2b51e6511ae9a33",
"cron.service,Regular background program processing daemon,uid=,,sz=319,cb16493193f2340eb19705251c90de3b6574b18b77c90a63b0f6326353bbc416",
"cronie.service,Periodic Command Scheduler,uid=,,sz=194,ac3ff3c8a5ce1b6367b06877b4b12ff74e7f18a3c510fb9f80d6ea6b6321e3b1",
"cron.service,Regular background program processing daemon,uid=,,sz=319,cb16493193f2340eb19705251c90de3b6574b18b77c90a63b0f6326353bbc416",
"cryptsetup.target,Local Encrypted Volumes,uid=,,sz=420,a6acf535dd967c951bab7d1df42004405167603ffbbd4cf7bf84cb6b8c868e00",
"cups-browsed.service,Make remote CUPS printers available locally,uid=,,sz=278,325d5f1ca64505de37d9dcee1483c681a9f6d5dc7a093df014e0ec52369978ff",
"cups.path,CUPS Scheduler,uid=,,sz=142,e6af6227af7ce780492e663b74971942c27a0a86a9562b790e9cdcb1e4ae38a4",
@ -98,10 +95,12 @@ WHERE active_state != "inactive"
"dpkg-db-backup.timer,Daily dpkg database backup timer,uid=,,sz=138,53f7ed8aadfaf61d9decda9565b65f68d5b5a66be4ee8f87741e47163839b4a6",
"dracut-shutdown.service,Restore /run/initramfs on shutdown,uid=,,sz=503,b8ba6c13fb9b792280fe8ad0e51009cb93985e5693090021fb37b550f891ef67",
"e2scrub_all.timer,Periodic ext4 Online Metadata Check for All Filesystems,uid=,,sz=251,23f20fb6edc9fd54bf4754ef4311f88cba45ba65c6aecfa1885e8fb99531c211",
"firewall.service,Firewall,uid=,,sz=1537,fada35bd9561ca881bd783193ca24b90777f057ce146d4ff77e5dd4edd9b1d1f",
"firewalld.service,firewalld - dynamic firewall daemon,uid=,,sz=670,99c175aa55489548d4a867bb5119082a502abe8dabe5fdf0f9c00a6d2ed2ecb1",
"firewalld.service,firewalld - dynamic firewall daemon,uid=,,sz=674,60f9f917ff88bd768a0772f0872f039dc8e7790e15442280249a07c30b1bb8bf",
"firewall.service,Firewall,uid=,,sz=1537,fada35bd9561ca881bd783193ca24b90777f057ce146d4ff77e5dd4edd9b1d1f",
"flatpak-system-helper.service,flatpak system helper,uid=,,sz=259,0bb869432de99daa07a86d87513cd0384240c5e5f8f4d855705bb2a2d2b3ac28",
"fprintd.service,Fingerprint Authentication Daemon,uid=,,sz=896,a30798db998d8f2f9d9b583bb266e23bce083154214b7b78b19fdd33ee6b7e25",
"fprintd.service,Fingerprint Authentication Daemon,uid=,,sz=900,75f7d0575d982d37e3e10510688180a5ac6abf64a95aa0e70f25404516214ec7",
"fstrim.timer,Discard unused blocks once a week,uid=,,sz=270,b15bcc0d8fc3698701087264a834bc6c495780ed27b68e0a8e3eb10d02bef74a",
"fwupd-refresh.service,Refresh fwupd metadata and update motd,uid=fwupd-refresh,,sz=404,971a86aa36c9b11c45fc5fb7b2ed17037240d1c2956517e01452262ebb64d080",
"fwupd-refresh.timer,Refresh fwupd metadata regularly,uid=,,sz=194,84597cdd8c589cf5632e7d9a5f04fc122b8678cc1d7e58d8b5cb9b531987f6f9",
@ -110,6 +109,7 @@ WHERE active_state != "inactive"
"gdm.service,GNOME Display Manager,uid=,,sz=855,277ab2f09ac40921a82fd1738a841624a063162f3802fa1ee2ad3d6c7e3828cf",
"gdm.service,GNOME Display Manager,uid=,,sz=919,118a20990ac2a81dbfd41960540c7f687a83357be241423a55cc85893675a11f",
"gdm.service,GNOME Display Manager,uid=,,sz=982,fd99a9bfde5a9034c4048abbe653375f120399a64baa246864117462c1cf8bdb",
"geoclue.service,Location Lookup Service,uid=geoclue,,sz=464,d9e1a7eced6193866f048ce9de97809d5f2896e1e3f15d559710bb87d50a054a",
"geoclue.service,Location Lookup Service,uid=geoclue,,sz=468,7875489641c9bf6cff18e89795770c72c645a856ba662e53cdc324d59d700cbb",
"getty-pre.target,Preparation for Logins,uid=,,sz=517,58bf84c84520850ed138e794f8618b9843d28eb00f58e7094b2ab17b047d69d7",
"getty.target,Login Prompts,uid=,,sz=508,5a6c2e59b3cebc31f3c13e8814b454709de3b4b074c7055afb5de2b8d417764f",
@ -136,12 +136,12 @@ WHERE active_state != "inactive"
"lightdm.service,Light Display Manager,uid=,,sz=340,0db37a14521be729411a767f157fbd07adb738b14006277def53a1efe4dacfb8",
"livesys-late.service,SYSV: Late init script for live image.,uid=,/etc/rc.d/init.d/livesys-late,sz=503,2bcdf96ee5f52cd009050e85a5a01329948d2ce8e22bd9fa2c4febb70d3d7e53",
"livesys.service,LSB: Init script for live image.,uid=,/etc/rc.d/init.d/livesys,sz=564,73ba2baea0e7ad5474021873824b24af51b8980aec7866514e53c6eb563d2a81",
"lm_sensors.service,Initialize hardware monitoring sensors,uid=,,sz=328,be946f218205e4a571510fe3b3757ed3ba7df9390fe7c28fd6d30d94604021b5",
"local-fs-pre.target,Preparation for Local File Systems,uid=,,sz=453,4190c957c05d5b97b3f2f662504b65cbdc7398668850eb82a715af073a57d6e3",
"local-fs.target,Local File Systems,uid=,,sz=555,8e68c22028464594411371ee35f8a17a0f65cbd86a718e789debbddb5b487075",
"logrotate-checkconf.service,Logrotate configuration check,uid=,,sz=1103,b1282b3635284c74f169e69657702db7977064d7e921aefbfe40df2f934567a5",
"logrotate.timer,Daily rotation of log files,uid=,,sz=191,42f723dc5d90247a5fda11a3358d1a67eccceed856192b2264aa222d6aa240f4",
"logrotate.timer,logrotate.timer,uid=,,sz=35,8fb3eea4c97504abd8d07ffdffce20a401ea20f1bde8f950af983d325e60d624",
"systemd-hostnamed.service,Hostname Service,uid=,,sz=1189,8bf6dd3e80f80ca8d2fa5c4fe91ea90e8815d488e8eee22484b342fa9cde8e9e",
"low-memory-monitor.service,Low Memory Monitor,uid=,,sz=688,5f9c54f5c59887c3c880619adfc001e3cc2611bd620618a792f5af9317775fc5",
"lvm2-lvmpolld.socket,LVM2 poll daemon socket,uid=,,sz=205,cd708269dbea00ec075b7f2be6c4fcfa03086f1728e199972d1f9dd63ecad23f",
"lvm2-lvmpolld.socket,LVM2 poll daemon socket,uid=,,sz=239,a9c45602d9bc5f14583d7dfb27c3db6d3f07ae99dbc455e59bceaf401d446bce",
@ -161,17 +161,19 @@ WHERE active_state != "inactive"
"motd-news.timer,Message of the Day,uid=,,sz=161,f18dbd0f64344440d7d6e8f1ff302d26fe383921be2a3f13948a8e2e2545ee58",
"mount-pstore.service,mount-pstore.service,uid=,,sz=1158,d24afb3d403a2196f7da07a655158d13ccd3d2f03baeb09667cd9146f08d2f8a",
"multi-user.target,Multi-User System,uid=,,sz=540,e73d44a251ac878da0ca66ec437e3890345fec9684ff1374c57e012b95266b7f",
"networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,uid=,,sz=258,bf1d13d1ea39069d0d0b87fd4254283b2c3443737d1eeec4f6a908ad2883bd5a",
"network-interfaces.target,All Network Interfaces (deprecated),uid=,,sz=132,e71200dad50e28e5e2fe4e0fd0980a0353401ef5085bf7413748ced7773654d0",
"network-local-commands.service,Extra networking commands.,uid=,,sz=1338,32d01f7dcf0937514754040d6caad04bc82976934bc7a214767cbe97dc165658",
"NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,uid=,,sz=637,77f8c9e7b0c5d1cd097454d201cdceaefbcb9fdc2557fb9c1ddef0b4ff02f04e",
"NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,uid=,,sz=652,88abd15e8cfe1f09f7cc4eb23561b86a14b6b56a13ed847f77c7e03cb27b8a39",
"NetworkManager.service,Network Manager,uid=,,sz=1335,5a9ddd4d9e74f83002654342df18c5e0b4da2d3ea14f40354a3cb4963560de2b",
"NetworkManager.service,Network Manager,uid=,,sz=1336,0d96ab7fdbde8be2dec1cf85ec83ac9ca544752eefa0bd9136817bd24b8c4c22",
"NetworkManager.service,Network Manager,uid=,,sz=1351,80774cebda3cd3d513be7629f3fa13e4eaadf17a1c61868b6ec60097e5600c5b",
"NetworkManager-wait-online.service,Network Manager Wait Online,uid=,,sz=1148,766569bd7420fab7af4e601c545311e34f71eb068dde6f94efcab32d8868e183",
"network-online.target,Network is Online,uid=,,sz=513,ab7df736648ba1b6c96841ca1007d657d1a74567b289dc33aae538601cb1454f",
"network-pre.target,Preparation for Network,uid=,,sz=520,01edbbdc0302bddd2ded161737f8cede5c9ec3110f451897658514498e59ea4c",
"network-setup.service,Networking Setup,uid=,,sz=1392,6a9633d2dbb4fd0cb8efc3dd1aec5a02a2f00c824bc7dcaff6cc6eb93ad22ada",
"network.target,Network,uid=,,sz=529,0892f909898180ef5e73eef882b24e74da67bd59bf9083cda1bb2251b6973114",
"networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,uid=,,sz=258,bf1d13d1ea39069d0d0b87fd4254283b2c3443737d1eeec4f6a908ad2883bd5a",
"NetworkManager-wait-online.service,Network Manager Wait Online,uid=,,sz=1148,766569bd7420fab7af4e601c545311e34f71eb068dde6f94efcab32d8868e183",
"NetworkManager.service,Network Manager,uid=,,sz=1335,5a9ddd4d9e74f83002654342df18c5e0b4da2d3ea14f40354a3cb4963560de2b",
"NetworkManager.service,Network Manager,uid=,,sz=1336,0d96ab7fdbde8be2dec1cf85ec83ac9ca544752eefa0bd9136817bd24b8c4c22",
"NetworkManager.service,Network Manager,uid=,,sz=1351,80774cebda3cd3d513be7629f3fa13e4eaadf17a1c61868b6ec60097e5600c5b",
"nfs-client.target,NFS client services,uid=,,sz=433,72fb2c60b15cc958be12528851acfc69314dbe3246dc4044f2d874ab502ac3d3",
"nginx.service,Nginx Web Server,uid=nginx,,sz=2467,a25811687cc1b0370a1c4b75321ac497e6b8b099a0bef96e7a12f83c2aa62655",
"nix-daemon.service,Nix Daemon,uid=,,sz=410,42674a1b26e27fb05212ed2a7a6bc18f81e482f2a58dd1eb71bba84522c04922",
@ -225,6 +227,7 @@ WHERE active_state != "inactive"
"snapd.socket,Socket activation for snappy daemon,uid=,,sz=281,7703ac622bd6d863bfbf1385d4c0bd9c80b97c0a12af92174879b0aa1cfd1ec2",
"sockets.target,Socket Units,uid=,,sz=409,de07df26397e3890db1d52274aa5abeae3ac849aa923fe0d7b4f8652eadb6877",
"sound.target,Sound Card,uid=,,sz=428,52c92b8cc874b85fc6fca72947ef210f9d02d46368ecfc1f98700f59ad529468",
"sshd.service,OpenSSH Daemon,uid=,,sz=250,e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7",
"sshd.service,SSH Daemon,uid=,,sz=1609,5b4e6d255fe49f9500b857029ace4d17114c4076e101e1f4f70241071026ceaf",
"sssd-kcm.service,SSSD Kerberos Cache Manager,uid=,,sz=427,3285dc79414d20324f05a26011e1a300f43863d2f459668721fb15d7585c88d5",
"sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,uid=,,sz=182,b884b8794ad8a0513075eaf09028a17d370dcf6d6a89cbfe6e87f67766dabf77",
@ -234,8 +237,8 @@ WHERE active_state != "inactive"
"sysinit.target,System Initialization,uid=,,sz=566,127cf76cb13ab39dc7150c3f7a3224b7ee15d05cf1a303cd793b1abb294d0120",
"syslog.socket,Syslog Socket,uid=,,sz=1415,78fc9f6b50902378345ffc4d5e2ffd50a5119932625d0c6f5c7324b0c4005bdf",
"sysstat-collect.timer,Run system activity accounting tool every 10 minutes,uid=,,sz=325,488ca93448ac0ed2dc4f90236f436fb26c07a4841648987d730a4c09d57616f5",
"sysstat-summary.timer,Generate summary of yesterday's process accounting,uid=,,sz=356,bf3fc94dd3ae29166cf67c09fa1a860eacaacb085ebea4c23b2dc8dd4690bae6",
"sysstat.service,Resets System Activity Logs,uid=root,,sz=475,f8b3354becd7e66dde0e3d9cf220747b98c792a93be03eada0c6807d9491e345",
"sysstat-summary.timer,Generate summary of yesterday's process accounting,uid=,,sz=356,bf3fc94dd3ae29166cf67c09fa1a860eacaacb085ebea4c23b2dc8dd4690bae6",
"systemd-ask-password-console.path,Dispatch Password Requests to Console Directory Watch,uid=,,sz=727,f3fc9dd4c30df9b806b940061fe79a3d1bfe3781d6a09cebbf1da0401cef52bf",
"systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,uid=,,sz=454,2462f436adecb860eb11a4dcce6391074b0e0e4bc1b36778692877aea8d7553f",
"systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,uid=,,sz=525,7c49dcef4bc60b8c921dea86317dda64507132d86937bc017a65d8e80e0f99ef",
@ -247,9 +250,10 @@ WHERE active_state != "inactive"
"systemd-fsckd.socket,fsck to fsckd communication Socket,uid=,,sz=540,5cbce5a8b5f9391f0d774e259e90408459a2a66e82b99dd33ad9bdb52087bf49",
"systemd-homed-activate.service,Home Area Activation,uid=,,sz=645,4f816a2918cc824b4c878e129461db1809f730be2ab337ed052206e35a570c8e",
"systemd-homed.service,Home Area Manager,uid=,,sz=1346,a07b2c38c7f733b97bceebe1c77daab82f98cc5399a0028ff3539e7675628ee6",
"systemd-hostnamed.service,Hostname Service,uid=,,sz=1189,8bf6dd3e80f80ca8d2fa5c4fe91ea90e8815d488e8eee22484b342fa9cde8e9e",
"systemd-hostnamed.service,Hostname Service,uid=,,sz=1205,eb16153c65d8a65fe001071e6270ee76fecb4fc6c19b8a7c0590f6ce9a873a99",
"systemd-initctl.socket,initctl Compatibility Named Pipe,uid=,,sz=553,afcb762f3d2bcf4e1f94ac9712fa25016334c854ffd6815ec08cc9cbabfce118",
"systemd-journal-catalog-update.service,Rebuild Journal Catalog,uid=,,sz=741,c69d69ed349ca6863130a8a9c3bc781f55c974e589f0d8c41fa8a5a17b51aa7c",
"systemd-journal-flush.service,Flush Journal to Persistent Storage,uid=,,sz=819,153bf7052c1ab54f38762102dfae171b801add553364336020a5034102d91149",
"systemd-journald-audit.socket,Journal Audit Socket,uid=,,sz=655,d260e31cb9fe659dd5ba7ffd8981f40f5bcd4dc819d3cf66a4bee2b128b689c4",
"systemd-journald-audit.socket,Journal Audit Socket,uid=,,sz=694,2c6e0f03250c09114aa7a137b513c0c17d4361badaa1f822d87e6c57779e7f44",
"systemd-journald-dev-log.socket,Journal Socket (/dev/log),uid=,,sz=1154,fd449ae03beeebab53ad75f70cba4c4d0080fe52ad5003cae9fb55c7381290e2",
@ -258,6 +262,8 @@ WHERE active_state != "inactive"
"systemd-journald.service,Journal Service,uid=,,sz=1820,42df40d2c4c44c312642542d1cdca697ada2b402baeea8611bde9ec045a2a020",
"systemd-journald.service,Journal Service,uid=,,sz=1869,9afb303d61342e3efaa2527d92fb70d0b32b9584bda92c939647f8468d31246b",
"systemd-journald.socket,Journal Socket,uid=,,sz=906,c17504f4c86653882070215fc089a610f69d8149e1860b92e439b008cce3f1d1",
"systemd-journal-flush.service,Flush Journal to Persistent Storage,uid=,,sz=819,153bf7052c1ab54f38762102dfae171b801add553364336020a5034102d91149",
"systemd-localed.service,Locale Service,uid=,,sz=1209,c15244cfb7f6a967b002653d169b4e63ad332675f16b3a1cabc9cf58fc3b21ee",
"systemd-logind.service,User Login Management,uid=,,sz=2002,32fe4938115583aae1dc7029109dea05baa217e765da49c47d46c953abdd3968",
"systemd-logind.service,User Login Management,uid=,,sz=2018,c4f403fc9d9e047065725650aa460365afc632f6f56a9814f57f412dd0112d02",
"systemd-logind.service,User Login Management,uid=,,sz=2071,d581e6b8a24585e5d4fbb21bd8464abadf9ca473c9d9b3ab0820d182ba1a3e47",
@ -291,30 +297,30 @@ WHERE active_state != "inactive"
"systemd-tmpfiles-setup-dev.service,Create Static Device Nodes in /dev,uid=,,sz=747,eb14a74c287994d145389f25032bcfec8dc7ee610e38c984a43945209bae2ce8",
"systemd-tmpfiles-setup.service,Create Volatile Files and Directories,uid=,,sz=787,e130f6a582f1ef16c6d35e918e6bd1a73a0513b807a918a9c5dcef2e6c9bc45c",
"systemd-tmpfiles-setup.service,Create Volatile Files and Directories,uid=,,sz=814,7987843104d68fd7dec2d7fccd544fdfdff84cb533447d3da633439046bd02f9",
"systemd-udev-settle.service,Wait for udev To Complete Device Initialization,uid=,,sz=863,363f7496d0613fd14f020629e7057f54afe84c9c6d2b4d94153ac09f0aee8f5c",
"systemd-udev-trigger.service,Coldplug All udev Devices,uid=,,sz=752,59e381905530d776758d2ed936342cdc335a7c6ba07a34d2549e0d61da541c85",
"systemd-udev-trigger.service,Coldplug All udev Devices,uid=,,sz=763,62938df7c72dda0015db2747b112f9c9dc3e31b952eecc94f6aae9cbd2631b27",
"systemd-udevd-control.socket,udev Control Socket,uid=,,sz=650,7a5b56d487ff00b50c8e1cd73cdec138136f54da3e333f077e5398b5b61408b5",
"systemd-udevd-kernel.socket,udev Kernel Socket,uid=,,sz=624,42c2c6e0b77dd66b1bd885cd5c2cc82191662738c1e565950fcff3deabdcaa56",
"systemd-udevd.service,Rule-based Manager for Device Events and Files,uid=,,sz=1282,97a2c647997bc43e6200aecdb537d5a33d19ba6efe3e319e63be9706fbf36c0c",
"systemd-udevd.service,Rule-based Manager for Device Events and Files,uid=,,sz=1301,d28df830235ec1060f955502d1631d1816a058dfc8be5e36e1859e9cab13f0a3",
"systemd-udevd.service,Rule-based Manager for Device Events and Files,uid=,,sz=1331,708fe7ee7ceecfae134bbd0dc50b378f9410cbd3cbe562c845db5cc508ac5245",
"systemd-udevd.service,Rule-based Manager for Device Events and Files,uid=,,sz=1384,0ddffa5d779c8872396a1c9d126d6730a013f65464061a37e36c1922b7b241f0",
"systemd-udev-settle.service,Wait for udev To Complete Device Initialization,uid=,,sz=863,363f7496d0613fd14f020629e7057f54afe84c9c6d2b4d94153ac09f0aee8f5c",
"systemd-udev-trigger.service,Coldplug All udev Devices,uid=,,sz=752,59e381905530d776758d2ed936342cdc335a7c6ba07a34d2549e0d61da541c85",
"systemd-udev-trigger.service,Coldplug All udev Devices,uid=,,sz=763,62938df7c72dda0015db2747b112f9c9dc3e31b952eecc94f6aae9cbd2631b27",
"systemd-update-done.service,Update is Completed,uid=,,sz=682,5196e3618c02428ed18585ea31fe44574d421b5663bf12ce4e987697d117df62",
"systemd-update-done.service,Update is Completed,uid=,,sz=735,f87cf6c3cfa851d0515d6a17413b34be75df9617ca75172a5d946d64f2315229",
"systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,uid=,,sz=799,6f5b2af992dc06e0104bfb6129f414b46c9f6b52513ab81f5bf80c8980b8b454",
"systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,uid=,,sz=807,5a0d8833f798d7388c266c26bf36c8413564e70004717742ad6e7e04a66db4c7",
"systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,uid=,,sz=913,6cfb271b6213c4f49e56b90da022d6c463e66a644b3df73c8fb64bc60e797f18",
"systemd-userdbd.service,User Database Manager,uid=,,sz=1171,8245c4c113ac234e412efdb740a662a9db6c67605d65090c878280fd37a51278",
"systemd-userdbd.socket,User Database Manager Socket,uid=,,sz=691,3a81e9864f20bcb4c117bf78a7ecdfdbdd9035577616b83fec4f4d0af1231fa3",
"systemd-user-sessions.service,Permit User Sessions,uid=,,sz=647,d3eacc48c36549ed292d8306bf50a00a68eea875eb906015759f55a8fdec722a",
"systemd-user-sessions.service,Permit User Sessions,uid=,,sz=655,e6680d505aefa23436ede13f05eba3ca7bc41531cc5f56c20efb340804a088de",
"systemd-user-sessions.service,Permit User Sessions,uid=,,sz=761,6413bab69c823859ad2781112bbd8ae29da61a713c5b42ce7a00c0f9686e2ecc",
"systemd-userdbd.service,User Database Manager,uid=,,sz=1171,8245c4c113ac234e412efdb740a662a9db6c67605d65090c878280fd37a51278",
"systemd-userdbd.socket,User Database Manager Socket,uid=,,sz=691,3a81e9864f20bcb4c117bf78a7ecdfdbdd9035577616b83fec4f4d0af1231fa3",
"systemd-vconsole-setup.service,Setup Virtual Console,uid=,,sz=650,75791d21fa1a10d7d60c2eab1704d3e9adc109831819d1fbfaa1807310982015",
"tailscaled.service,Tailscale node agent,uid=,,sz=674,c5fa76fa23a0cd08fcdd447477858feafec2e0ac9bfe5f271d978af818d9ab76",
"tailscaled.service,Tailscale node agent,uid=,,sz=799,23423df7585fe927981664b706993fbf7ffb6d14267f32c5e039f348c6961be7",
"time-set.target,System Time Set,uid=,,sz=434,1dd72c1869b02dd88b836b6d426cc19dafcbc1fd76f6afb8e53ad3e068e4007f",
"timers.target,Timer Units,uid=,,sz=458,c0ef1e24adda9b81ca8439a6a4060aeb730fbc3abf55e07e59852911cf523aa6",
"time-set.target,System Time Set,uid=,,sz=434,1dd72c1869b02dd88b836b6d426cc19dafcbc1fd76f6afb8e53ad3e068e4007f",
"tlp.service,TLP system startup/shutdown,uid=,,sz=501,fb58bcf89c811756aa83af67841bdcf5b6058e8bc4b08a2951ffbd7009218204",
"ua-timer.timer,Ubuntu Advantage Timer for running repeated jobs,uid=,,sz=170,64c6be9cf92d35f31ea5e18f140190f49d7050d95a4225f9c50d25a86e5bdc75",
"udisks2.service,Disk Manager,uid=,,sz=203,bbf204fb935e0e1b2662b971e7dd5b475038097cb338a8075146d5e611473f23",
@ -322,9 +328,9 @@ WHERE active_state != "inactive"
"ufw.service,Uncomplicated firewall,uid=,,sz=333,7b8042cb70b1acd9bbc3a4cf8a08c41700c986d62499b8852113c551cab1082a",
"unattended-upgrades.service,Unattended Upgrades Shutdown,uid=,,sz=377,642331d3861bcc5e41342b9b93ad96b1852447d5b10533b9b2988531cfd2860a",
"unbound-anchor.timer,daily update of the root trust anchor for DNSSEC,uid=,,sz=346,52832bb5a11045ba390f5ea0933faf1b52f23b6ee91bfd47a159ba734f927139",
"updatedb.timer,Daily locate database update,uid=,,sz=113,94520117a4a2e16b5f2311c406904369d72690b8998c39ee4cf758009fdddbcb",
"update-notifier-download.timer,Download data for packages that failed at package install time,uid=,,sz=268,78f01ff5be8b01eee4c438d6a7971dcb9f34687cb75bd0d61f754eb5eb42ad22",
"update-notifier-motd.timer,Check to see whether there is a new version of Ubuntu available,uid=,,sz=301,7e5fa1f167ad72cf1bd0421d72ca3017ccb5a62f98d91ec3f9e25efd46c2a9ef",
"updatedb.timer,Daily locate database update,uid=,,sz=113,94520117a4a2e16b5f2311c406904369d72690b8998c39ee4cf758009fdddbcb",
"upower.service,Daemon for power management,uid=,,sz=990,a5b48717ff682ae1c8c1c23925cb9d37b1eacc4a22a110bc73958225e7215ccc",
"upower.service,Daemon for power management,uid=,,sz=994,c6d300b60a7dd2e9186152b8bc4fd1557ec2977027d0a24b06304d31f6e4124c",
"uresourced.service,User resource assignment daemon,uid=,,sz=388,4c09d9ba4055ec4d065f312c531a2f9d3b434f40024143788ac2fa2539abeab8",
@ -364,13 +370,13 @@ WHERE active_state != "inactive"
"zfs-snapshot-hourly.timer,zfs-snapshot-hourly.timer,uid=,,sz=50,3d876dbf234e09d8ff1525a20f0af9e40014f2828776fab3f8b946eee138cfc0",
"zfs-snapshot-monthly.timer,zfs-snapshot-monthly.timer,uid=,,sz=51,77519e4ae82c232a84437a5e226f65d1bc3fba1b3e5ebf05df33c8eee2d198b0",
"zfs-snapshot-weekly.timer,zfs-snapshot-weekly.timer,uid=,,sz=50,f940747ee60b6003820edacb893bc8595463ddaa47b28de75882e8881388f842",
"zfs-volume-wait.service,Wait for ZFS Volume (zvol) links in /dev,uid=,,sz=291,0a9db1010f54f5f7a8883c75a557e5005b73912d2dd0569142abe9df5da64b45",
"zfs-volumes.target,ZFS volumes are ready,uid=,,sz=135,8d4ad63b2a8aeeb3e01361b0cd22440e13b8ebb796f3e313b5c208f0ce04aabe",
"zfs-zed.service,ZFS Event Daemon (zed),uid=,,sz=266,6b0fd1d60282959f9fc1decc8bd9aae4bb2650eee201b3bc741dbe88ba1cc4b8",
"zfs.target,ZFS startup target,uid=,,sz=76,04bc085198b464b7a77374472374e099593241f59d7ed2676905e58b62c8d301",
"zfs-volumes.target,ZFS volumes are ready,uid=,,sz=135,8d4ad63b2a8aeeb3e01361b0cd22440e13b8ebb796f3e313b5c208f0ce04aabe",
"zfs-volume-wait.service,Wait for ZFS Volume (zvol) links in /dev,uid=,,sz=291,0a9db1010f54f5f7a8883c75a557e5005b73912d2dd0569142abe9df5da64b45",
"zfs-zed.service,ZFS Event Daemon (zed),uid=,,sz=266,6b0fd1d60282959f9fc1decc8bd9aae4bb2650eee201b3bc741dbe88ba1cc4b8",
"znapzend.service,ZnapZend - ZFS Backup System,uid=root,,sz=1723,58e7b27685746368b5bfec27651433c9087b0916531f72f7de1695e0789bdafa",
"zpool-trim.timer,zpool-trim.timer,uid=,,sz=50,f940747ee60b6003820edacb893bc8595463ddaa47b28de75882e8881388f842"
)
)
OR id LIKE 'blockdev@dev-mapper-luks%.target'
OR id LIKE 'blockdev@dev-mapper-nvme%.target'
OR id LIKE 'dbus-:%-org.freedesktop.problems@0.service'