Detection Library
low · experimental · Linux · OCI · T1485

Linux Agent Mass File Write (Seed Rule)

Baseline seed rule to detect AI agent processes writing an unusually large number of files in a short time window, which may indicate a runaway file generation loop, ransomware-like behavior, or uncontrolled data staging.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · cascading-failure · mass-write · data-destruction · linux · oci · owasp-asi08

Problem Statement

Uncontrolled mass file creation by an AI agent can fill disk partitions, causing cascading failures across all services on the OCI instance that depend on available disk space. It may also represent data staging for exfiltration or ransomware-style encryption of existing files.

Sample Logs

{"timestamp":"2025-01-10T12:00:00Z","computer_name":"oci-worker-36","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/tmp/output_00001.json","event_type":"CreateFile","note":"file 1 of 87 created in 60 seconds"}

Required Fields

image
target_filename
user
computer_name

False Positives

  • Data generation agents that legitimately produce many output files (e.g., synthetic dataset generators)
  • Log rotation scripts that create many new log files during rotation

Tuning Guidance

Calibrate the threshold per agent type. Data processing agents may legitimately write many files. Focus alerts on writes to sensitive directories (/, /etc, /home) regardless of count.
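The following is an added worked example, not code from the OCI AI Security Team's detection library, showing one way to implement this seed rule over the log format and required fields shown above: a sliding 60-second window of CreateFile events keyed by (computer_name, user, image), a per-image threshold (the numbers here are assumptions, since the page gives none), and an unconditional alert for writes into /, /etc or /home. The sample events are constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Window length taken from the sample log's "created in 60 seconds" note.
WINDOW_SECONDS = 60
# Per-image thresholds are an assumption: the page says to calibrate per agent
# type but gives no numbers. Unknown images fall back to DEFAULT_THRESHOLD.
DEFAULT_THRESHOLD = 50
THRESHOLDS = {
    "/usr/bin/python3": 50,       # generic agent runtime (assumed value)
    "/opt/agent/datagen": 500,    # hypothetical synthetic-dataset generator
}
# Directories the page calls sensitive: "/", /etc, /home. A write "to /" is
# read here as a file created directly under the root directory.
SENSITIVE_PREFIXES = ("/etc/", "/home/")


def parse_ts(s):
    """Parse an RFC 3339 timestamp such as 2025-01-10T12:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_sensitive(path):
    if path.startswith(SENSITIVE_PREFIXES):
        return True
    # direct child of "/", e.g. "/payload.bin"
    return path.startswith("/") and "/" not in path[1:]


def detect(lines, window=WINDOW_SECONDS):
    """Run the rule over JSON log lines (one event per line, in time order).

    Returns a list of alert dicts of two kinds:
      mass_write      - a (host, user, image) tuple created `threshold` files
                        within the last `window` seconds (fires once per crossing)
      sensitive_write - any CreateFile into /, /etc or /home, regardless of count
    """
    alerts = []
    recent = defaultdict(deque)      # key -> timestamps still inside the window
    span = timedelta(seconds=window)
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "CreateFile":
            continue
        # the rule's required fields
        key = (ev["computer_name"], ev["user"], ev["image"])
        ts = parse_ts(ev["timestamp"])
        path = ev["target_filename"]

        if is_sensitive(path):
            alerts.append({"type": "sensitive_write", "key": key,
                           "target": path, "timestamp": ev["timestamp"]})

        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > span:    # drop events older than the window
            q.popleft()
        threshold = THRESHOLDS.get(ev["image"], DEFAULT_THRESHOLD)
        if len(q) == threshold:          # first crossing within this window
            alerts.append({"type": "mass_write", "key": key,
                           "count": len(q), "timestamp": ev["timestamp"]})
    return alerts


def sample_events():
    """Constructed sample log lines (not real OCI telemetry), one JSON object per line."""
    base = datetime(2025, 1, 10, 12, 0, 0, tzinfo=timezone.utc)

    def ev(offset, image, user, path, etype="CreateFile"):
        return json.dumps({
            "timestamp": (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "computer_name": "oci-worker-36", "user": user, "image": image,
            "target_filename": path, "event_type": etype,
        })

    lines = []
    # 60 files from python3 in 30 s: crosses the 50-file threshold once
    for i in range(60):
        lines.append(ev(i // 2, "/usr/bin/python3", "agent_svc", f"/tmp/output_{i:05d}.json"))
    # 100 files from the data generator over 100 s: well under its 500 threshold
    for i in range(100):
        lines.append(ev(i, "/opt/agent/datagen", "datagen_svc", f"/data/shard_{i:04d}.parquet"))
    # one write into /etc: alerts regardless of count
    lines.append(ev(70, "/usr/bin/python3", "agent_svc", "/etc/cron.d/agent"))
    # a non-create event is ignored by the rule
    lines.append(ev(71, "/usr/bin/python3", "agent_svc", "/tmp/output_00000.json", etype="DeleteFile"))
    return lines


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Keying on the (host, user, image) tuple rather than on the image alone is what lets the data-generation agent keep its higher threshold while the general-purpose runtime stays at the stricter one; the sensitive-directory check deliberately runs before the counter so a single write into /etc is never masked by a low count.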