Verify Systemd Service Modified on Host

Documentos > Datadog Security > OOTB Rules > Verify Systemd Service Modified on Host

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Security recommendation

Impact	Remediation complexity	Severity	Recommended value
4	3	3	No unauthorized modifications

Systemd service files and configurations should remain unchanged unless modifications are part of authorized system administration, package management, or configuration management processes.

Compliance

File Integrity Monitoring requirement, Found in PCI DSS 11.5

Documentation

Systemd is the system and service manager for modern Linux distributions that is responsible for initializing the system and managing services throughout the system’s runtime. Systemd service files typically reside in /etc/systemd/system/, /usr/lib/systemd/system/, and /lib/systemd/system/.

File Integrity Monitoring (FIM) tracks changes to systemd service files by monitoring various file operations including:

chmod: Permission changes that could allow unauthorized users to modify service configurations
chown: Ownership changes that could grant inappropriate access to service management
link: Creation of hard or symbolic links that could redirect service execution to malicious binaries
rename: Moving or renaming service files, potentially to disable security services or enable malicious ones
open: File modifications that alter service behavior, commands, or execution parameters
unlink: Deletion of service files, potentially disabling security controls or legitimate services
utimes: Timestamp modifications that could hide evidence of service tampering

Remediation

Prerequisites

You must have root or administrative privileges
Access to system logs and audit trails
Backup of known-good systemd configurations
Understanding of your organization’s service management policies

Step-by-step guide

Step 1: Identify Modified Service

Review the Finding to determine which systemd service file was modified:

# Check service file details
ls -l /etc/systemd/system/
ls -l /usr/lib/systemd/system/
stat /path/to/modified/service.service

# View service contents
cat /path/to/modified/service.service

Step 2: Check Service Status and Configuration

Examine the current state of the modified service:

# Check service status
systemctl status service-name.service

# Show service unit file
systemctl cat service-name.service

# List all enabled services
systemctl list-unit-files --state=enabled

# Check if service is masked
systemctl is-enabled service-name.service

Step 3: Verify Legitimate Change

Check if the modification was part of authorized system administration:

# Check recent package updates
grep "systemd" /var/log/dpkg.log     # Debian/Ubuntu

# Review systemd journal for service changes
journalctl -u service-name.service --since "1 day ago"

# Check audit logs for file modifications
ausearch -f /etc/systemd/system/service-name.service -ts recent
``