Practical Linux Forensics by Bruce Nikkel

Author:Bruce Nikkel [Bruce Nikkel]
Language: eng
Format: epub
Publisher: No Starch Press
Published: 2021-10-11T16:00:00+00:00

Path-Based Activation

Path-based activation uses a kernel feature called inotify that allows the monitoring of files and directories. The *.path unit files define which files to monitor (see the systemd.path(5) man page). A *.service file with the same name is activated when the path unit file’s conditions are met. In this example, a canary.txt file is monitored to detect possible ransomware. The canary file, path unit, and service unit are shown here:

$ cat /home/sam/canary.txt If this file is encrypted by Ransomware, I will know! $ cat /home/sam/.config/systemd/user/canary.path [Unit] Description=Ransomware Canary File Monitoring [Path] PathModified=/home/sam/canary.txt $ cat /home/sam/.config/systemd/user/canary.service [Unit] Description=Ransomware Canary File Service [Service] Type=simple ExecStart=logger "The canary.txt file changed!"

Two unit files, canary.path and canary.service, are located in the user’s ~/.config/systemd/user/ directory and define the path-activated service. If the file is modified, the service is started and the command executed, which is shown in the journal:

Dec 13 10:14:39 pc1 systemd[13161]: Started Ransomware Canary File Service. Dec 13 10:14:39 pc1 sam[415374]: The canary.txt file changed! Dec 13 10:14:39 pc1 systemd[13161]: canary.service: Succeeded.

Here, the logs show the canary service starting, executing (the logger command output), and finishing (Succeeded). A user must be logged in for their own unit files to be active.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.