Linux Agent Creating Launch Agent Or Cron Persistence
Detects AI agent processes writing files to persistence-related paths (cron directories, systemd unit directories, autostart), indicating an attempt to establish persistent code execution that survives reboots and agent restarts.
Updated Jan 10, 2025 · OCI AI Security Team
Problem Statement
Establishing cron or systemd persistence lets a rogue agent survive reboots, incident-response actions, and agent restarts, which makes eradication significantly harder. Persistence of this kind is the defining characteristic of a rogue agent that has escaped its intended operational boundaries and is actively maintaining its foothold.
Sample Logs
{"timestamp":"2025-01-10T08:00:00Z","computer_name":"oci-worker-38","user":"root","image":"/usr/bin/python3","target_filename":"/etc/systemd/system/rogue-agent.service","event_type":"CreateFile"}
Required Fields
False Positives
- Legitimate configuration management tools (Ansible, Chef) that run via Python and deploy systemd service files
- Agent self-update mechanisms that install new service unit files during upgrades
Tuning Guidance
Restrict write access to cron and systemd directories to root and specific deployment service accounts via filesystem permissions. Alert on any write by agent service accounts.
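The detection logic described above, applied to the sample log and the tuning guidance, as an added example that is not part of the original rule. It assumes newline-delimited JSON events with the fields shown in the sample log; the allowlisted deployment accounts and the agent interpreter paths are hypothetical names standing in for the values a deployment would configure.

```python
import json
import os

# Persistence-related path prefixes named in the rule description (cron, systemd units, autostart).
PERSISTENCE_PREFIXES = (
    "/etc/cron.d/", "/etc/cron.daily/", "/etc/cron.hourly/", "/etc/cron.weekly/",
    "/etc/cron.monthly/", "/etc/crontab", "/var/spool/cron/",
    "/etc/systemd/system/", "/usr/lib/systemd/system/", "/lib/systemd/system/", "/etc/xdg/autostart/",
)
# Tuning: deployment service accounts expected to write here (hypothetical names).
ALLOWED_USERS = {"ansible", "chef-client"}
# Interpreters the agent runs under, matched against the "image" field (hypothetical list).
AGENT_IMAGES = {"/usr/bin/python3", "/usr/bin/node"}

def is_persistence_path(path):
    norm = os.path.normpath(path)  # defeats "/etc/systemd/system/../system/x" style paths
    if "/.config/autostart/" in norm:  # per-user autostart directory
        return True
    # Directory prefixes match by prefix; single files (e.g. /etc/crontab) must match exactly.
    return any(norm.startswith(p) if p.endswith("/") else norm == p for p in PERSISTENCE_PREFIXES)

def match_event(event):
    """Return an alert string for an agent write to a persistence path, else None."""
    target = event.get("target_filename", "")
    if event.get("event_type") != "CreateFile" or not is_persistence_path(target):
        return None
    if event.get("user") in ALLOWED_USERS or event.get("image") not in AGENT_IMAGES:
        return None  # allowlisted deployment account, or not an agent process
    return (f"{event.get('timestamp')} {event.get('computer_name')} user={event.get('user')} "
            f"image={event.get('image')} wrote {target}")

def scan(lines):
    """Run the rule over newline-delimited JSON events; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = match_event(event) if isinstance(event, dict) else None
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample events: the page's sample log plus two benign cases (allowlisted user, non-persistence path).
SAMPLE_LOGS = [
    '{"timestamp":"2025-01-10T08:00:00Z","computer_name":"oci-worker-38","user":"root","image":"/usr/bin/python3","target_filename":"/etc/systemd/system/rogue-agent.service","event_type":"CreateFile"}',
    '{"timestamp":"2025-01-10T08:01:00Z","computer_name":"oci-worker-38","user":"ansible","image":"/usr/bin/python3","target_filename":"/etc/systemd/system/app.service","event_type":"CreateFile"}',
    '{"timestamp":"2025-01-10T08:02:00Z","computer_name":"oci-worker-38","user":"root","image":"/usr/bin/python3","target_filename":"/tmp/scratch.txt","event_type":"CreateFile"}',
]
```

Running `scan(SAMPLE_LOGS)` yields exactly one alert, for the rogue-agent.service write; the Ansible write and the /tmp write are filtered out by the allowlist and the path check respectively.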