System Services (sec-services)
Monitors system services for changes, unexpected new services, and failed auto-start services.
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| enabled | bool | true | Enable/disable module |
| ignore_service_patterns | list | ["user@*", "session-*"] | Ignore services matching these patterns |
| check_failed | bool | true | Report failed auto-start services |
YAML Example
```yaml
sec_services:
  enabled: true
  ignore_service_patterns:
    - "user@*"
    - "session-*"
    - "snap.*"
  check_failed: true
```
Diagnostic Codes
Linux
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 7200 | 0 | No issues with systemd services | — |
| 7201 | 1 | New service file (not from package) | Verify origin |
| 7202 | 1 | Service file modified | Verify change |
| 7204 | 2 | Auto-start service failed | Check systemctl status |
Windows
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 8200 | 0 | No issues with services | — |
| 8201 | 1 | New auto-start service detected | Verify origin |
| 8202 | 1 | Auto-start service stopped | Start or disable the service |
| 8203 | 1 | Service running under unusual account | Review service account |
| 8204 | 1 | Service removed from baseline | Verify removal |
- Linux: Analyzes systemd unit files, compares with package manager origin.
- Windows: Checks Windows services via `sc query` and WMI.
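
The following is an added sketch, not the module's own code, of how the configuration and the Linux diagnostic codes above fit together when triaging a snapshot of units. It assumes shell-style glob matching against the full unit name and a hash baseline for detecting changes; the `units`/`baseline` schema, the function names and the sample values are hypothetical.

```python
from fnmatch import fnmatchcase

# Codes from the Linux table above.
OK, NEW_UNIT, MODIFIED_UNIT, FAILED_AUTOSTART = 7200, 7201, 7202, 7204

def is_ignored(unit, patterns):
    """Assumed semantics: shell-style glob against the full unit name."""
    return any(fnmatchcase(unit, p) for p in patterns)

def evaluate(units, baseline, config):
    """Return sorted (code, unit) findings, or [(7200, None)] when clean.

    units:    name -> {"sha256", "packaged", "enabled", "failed"} (hypothetical schema)
    baseline: name -> sha256 recorded on an earlier run (hypothetical)
    """
    if not config.get("enabled", True):
        return []
    patterns = config.get("ignore_service_patterns", ["user@*", "session-*"])
    findings = []
    for name, u in units.items():
        if is_ignored(name, patterns):
            continue
        if name not in baseline:
            if not u["packaged"]:          # new and not owned by any package
                findings.append((NEW_UNIT, name))
        elif baseline[name] != u["sha256"]:
            findings.append((MODIFIED_UNIT, name))
        if config.get("check_failed", True) and u["enabled"] and u["failed"]:
            findings.append((FAILED_AUTOSTART, name))
    return sorted(findings) or [(OK, None)]

# Constructed sample data; hashes are shortened placeholders.
CONFIG = {"enabled": True, "check_failed": True,
          "ignore_service_patterns": ["user@*", "session-*", "snap.*"]}
BASELINE = {"sshd.service": "aa11", "cron.service": "bb22"}
UNITS = {
    "sshd.service": {"sha256": "aa11", "packaged": True, "enabled": True, "failed": False},
    "cron.service": {"sha256": "ff99", "packaged": True, "enabled": True, "failed": True},
    "updater.service": {"sha256": "cc33", "packaged": False, "enabled": True, "failed": False},
    "snap.lxd.daemon.service": {"sha256": "dd44", "packaged": False, "enabled": True, "failed": True},
    "user@1000.service": {"sha256": "ee55", "packaged": False, "enabled": False, "failed": False},
}

if __name__ == "__main__":
    for code, unit in evaluate(UNITS, BASELINE, CONFIG):
        print(code, unit)
```

Broad patterns such as `snap.*` suppress every finding for matching units, including failed auto-start reports, so keep the ignore list as narrow as the environment allows.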