Tier 5: Operator
CLH-023 of 030

Service Management

Control daemons. Establish persistence. Manage system services.

CLASSIFIED SCENARIO

You've gained access to a target system. To maintain persistent access, you must install your implant as a systemd service that survives reboots. Learn to manage services, read logs, and ensure your presence remains undetected while appearing as a legitimate system process.

Why Service Management Matters

Modern Linux systems use systemd to manage all services. Understanding service management enables:

Persistence via Services

Core Service Commands

systemctl

Primary service control. Start, stop, enable, disable, status.

journalctl

View systemd logs. Filter by service, time, priority.

service (legacy)

Older service management. Still works, wraps systemctl.

Command Deep Dive

systemctl status - Service Inspection

$ systemctl status sshd
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-01-15 00:00:00 UTC; 4h ago
   Main PID: 1234 (sshd)
      Tasks: 1 (limit: 4915)
     Memory: 5.2M
        CPU: 156ms
     CGroup: /system.slice/sshd.service
             └─1234 sshd: /usr/sbin/sshd -D

[STATUS] Service running, enabled (starts on boot)
[INTEL] PID 1234, Memory 5.2M - normal for SSH daemon

systemctl list-units - All Running Services

$ systemctl list-units --type=service --state=running
UNIT                      LOAD    ACTIVE  SUB      DESCRIPTION
cron.service              loaded  active  running  Regular background program processing
dbus.service              loaded  active  running  D-Bus System Message Bus
system-monitor.service    loaded  active  running  System Performance Monitor
ssh.service               loaded  active  running  OpenSSH server daemon
systemd-journald.service  loaded  active  running  Journal Service

[SUSPICIOUS] "system-monitor" - not a standard service!
[INVESTIGATE] Check unit file: /etc/systemd/system/system-monitor.service

journalctl - Log Analysis

$ journalctl -u sshd --since "1 hour ago"
Jan 15 03:47:12 target sshd[2341]: Accepted publickey for mole from 192.168.1.99
Jan 15 03:47:12 target sshd[2341]: pam_unix(sshd:session): session opened
Jan 15 04:02:33 target sshd[2341]: pam_unix(sshd:session): session closed

[ALERT] SSH login from 192.168.1.99 at 03:47!
[INTEL] User "mole" authenticated via public key
[TIMELINE] Session: 03:47 - 04:02 (15 minutes)

systemctl enable/disable - Boot Persistence

$ sudo systemctl enable implant.service
Created symlink /etc/systemd/system/multi-user.target.wants/implant.service

[PERSISTENCE] Service will start automatically on boot
[OPSEC] Symlink created in multi-user.target.wants/
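Seen from the defender's side, the symlink under a .wants/ directory is the artifact to audit. The script below is an added example, not part of the original lesson: it lists boot-enabled .service links whose unit file is not a packaged vendor unit and is not in a reviewed baseline. The function names, the baseline file and backup-agent.service are hypothetical; the sample tree is constructed from the service names shown above.

```shell
#!/usr/bin/env bash
# Added example: flag boot-enabled services that point at locally created unit files.
# audit_enabled_units ROOT [BASELINE]
#   ROOT     filesystem root: "/" on a live host, or a mounted image / test tree
#   BASELINE optional file of already-reviewed unit names, one per line (hypothetical)
# Prints "unit<TAB>wants-dir<TAB>link-target" for every finding.
audit_enabled_units() {
    local root="${1%/}" baseline="${2:-}" link unit target
    for link in "$root"/etc/systemd/system/*.wants/*.service; do
        [ -L "$link" ] || continue          # also skips an unmatched glob
        unit=$(basename "$link")
        target=$(readlink "$link")
        # Packaged units live in the vendor directories and are expected.
        # Anything else, including relative links, is reported for review.
        case "$target" in
            /lib/systemd/system/*|/usr/lib/systemd/system/*) continue ;;
        esac
        # Drop units an administrator has already reviewed.
        if [ -n "$baseline" ] && grep -qxF -- "$unit" "$baseline"; then
            continue
        fi
        printf '%s\t%s\t%s\n' "$unit" "$(basename "$(dirname "$link")")" "$target"
    done
}

# build_sample_tree DIR: constructed sample data, no real host is read.
build_sample_tree() {
    local d="$1/etc/systemd/system/multi-user.target.wants"
    mkdir -p "$d"
    ln -s /lib/systemd/system/ssh.service "$d/ssh.service"
    ln -s /lib/systemd/system/cron.service "$d/cron.service"
    ln -s /etc/systemd/system/system-monitor.service "$d/system-monitor.service"
    ln -s /etc/systemd/system/backup-agent.service "$d/backup-agent.service"
}

# Run the audit against the constructed tree, with backup-agent.service baselined.
demo() {
    local tmp
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    printf 'backup-agent.service\n' > "$tmp/baseline.txt"
    audit_enabled_units "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}
demo
```

The check covers only .service links under /etc/systemd/system/*.wants/; timers, sockets and user-level units need the same treatment in their own directories.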

Quick Reference

Command                           Purpose           Key Flags
systemctl status service          Service status    Shows PID, memory, logs
systemctl start/stop service      Control service   Immediate effect
systemctl enable/disable service  Boot persistence  Creates/removes symlinks
systemctl list-units              List services     --type=service --state=running
journalctl -u service             Service logs      --since, --until, -f (follow)
journalctl -p err                 Error logs        Priority filter

Service Operations Workflow

# === SERVICE INVESTIGATION ===
$ systemctl list-units --type=service --state=running   # 1. List all services
$ systemctl status suspicious.service                   # 2. Inspect specific
$ journalctl -u suspicious.service                      # 3. Check logs
$ cat /etc/systemd/system/suspicious.service            # 4. Read unit file

# === PERSISTENCE SETUP ===
$ sudo systemctl start implant.service                  # Start now
$ sudo systemctl enable implant.service                 # Enable on boot
