Detect modifications to system services.
Especially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.