
Intermediate Service Auditing

Author(s): Matthias Lee (ml2322)


Last Updated: 7-17-2025


Details

Recommended Prerequisites: Introduction to Service Auditing

More robust service auditing techniques

Directly interact with systemd

A better way to look for unauthorized services is to look at all enabled services on the system, and see which ones are not supposed to be there. You can do this with systemctl:

user@system:~$ systemctl list-unit-files | less
UNIT FILE STATE VENDOR PRESET
proc-sys-fs-binfmt_misc.automount static enabled
-.mount generated enabled
boot-efi.mount generated enabled
dev-hugepages.mount static enabled
....
nginx.service enabled enabled

Here, we can see that I have nginx enabled.

Baselines

The one problem with the above solution is that it's tedious to look through every enabled service and decide which ones aren't supposed to be there. The solution is to take a clean machine running the same OS and save its unit-file list as a baseline:

user@clean-system:~$ systemctl list-unit-files > baseline.txt

You can then copy this file onto the machine you're working with. Now, on that machine, do the same command to export the current services to a list too:

user@system:~$ systemctl list-unit-files > services.txt

Now, you can use diff to compare them:

user@system:~$ diff baseline.txt services.txt
329a330
> nginx.service enabled enabled
380c381
< 377 unit files listed.
---
> 378 unit files listed.

And we see here that nginx is, again, enabled on this machine but absent from the baseline, and should be removed.
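The raw diff above also reports the changed "N unit files listed." summary line, and it cannot tell a newly added unit apart from one whose state was flipped (say, from disabled to enabled). The script below is an added example, not part of the original page, that implements the same baseline comparison from both sections (list the unit files, then diff against a clean baseline) with those two gaps covered: it strips the header and summary, then reports units added (+), removed (-), or with a changed state (~). The baseline and current listings it runs on are constructed samples embedded in the script; on a real machine you would capture them with `systemctl list-unit-files > file` exactly as shown on the page.

```shell
#!/bin/sh
# Added example (not from the original page): compare a
# `systemctl list-unit-files` capture against a clean-machine baseline.
# Both sort and join must use the same collation, so pin it.
export LC_ALL=C

# normalize_units: read list-unit-files output on stdin and emit
# "unit state" pairs, sorted. Drops the UNIT FILE header row, blank
# lines and the trailing "N unit files listed." summary.
normalize_units() {
    awk 'NF >= 2 && $1 != "UNIT" && $0 !~ /unit files listed/ { print $1, $2 }' | sort
}

# compare_units BASELINE CURRENT: print one finding per line.
#   + unit state        -> present on the audited machine, not in baseline
#   - unit state        -> present in baseline, missing on the machine
#   ~ unit old->new     -> present in both but STATE changed
compare_units() {
    baseline_norm=$(mktemp); current_norm=$(mktemp)
    normalize_units < "$1" > "$baseline_norm"
    normalize_units < "$2" > "$current_norm"
    # join on the unit name; -a1 -a2 keeps unmatched rows from either side,
    # -e MISSING fills the absent state column so awk can classify the row.
    join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$baseline_norm" "$current_norm" |
    awk '$2 == "MISSING" { print "+", $1, $3; next }
         $3 == "MISSING" { print "-", $1, $2; next }
         $2 != $3        { print "~", $1, $2 "->" $3 }'
    rm -f "$baseline_norm" "$current_norm"
}

# Constructed sample listings (not captured from any real machine).
# The baseline is the clean box; the current listing has nginx added
# and telnet.socket switched from disabled to enabled.
BASELINE_SAMPLE='UNIT FILE STATE VENDOR PRESET
-.mount generated enabled
boot-efi.mount generated enabled
cron.service enabled enabled
ssh.service enabled enabled
telnet.socket disabled disabled

5 unit files listed.'

CURRENT_SAMPLE='UNIT FILE STATE VENDOR PRESET
-.mount generated enabled
boot-efi.mount generated enabled
cron.service enabled enabled
nginx.service enabled enabled
ssh.service enabled enabled
telnet.socket enabled disabled

6 unit files listed.'

# demo_compare: write the constructed samples to temp files and run the
# comparison on them, printing the findings.
demo_compare() {
    b=$(mktemp); c=$(mktemp)
    printf '%s\n' "$BASELINE_SAMPLE" > "$b"
    printf '%s\n' "$CURRENT_SAMPLE" > "$c"
    compare_units "$b" "$c"
    rm -f "$b" "$c"
}

demo_compare
```

Run against real captures with `compare_units baseline.txt services.txt`; the `~` lines are the ones the plain `diff` output makes easy to miss, since a unit that merely changed state shows up as two lines of noise rather than as an obvious addition.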