1. Home
  2. ATT&CK Techniques
  3. T1070.002 Clear Linux or Mac System Logs

T1070.002 Clear Linux or Mac System Logs Mappings

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)

  • <code>/var/log/messages:</code>: General and system-related messages
  • <code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs
  • <code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: Login records
  • <code>/var/log/kern.log</code>: Kernel logs
  • <code>/var/log/cron.log</code>: Crond logs
  • <code>/var/log/maillog</code>: Mail server logs
  • <code>/var/log/httpd/</code>: Web server access and error logs
View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1070.002 Clear Linux or Mac System Logs
CM-06 Configuration Settings mitigates T1070.002 Clear Linux or Mac System Logs
AC-17 Remote Access mitigates T1070.002 Clear Linux or Mac System Logs
CP-07 Alternate Processing Site mitigates T1070.002 Clear Linux or Mac System Logs
CP-06 Alternate Storage Site mitigates T1070.002 Clear Linux or Mac System Logs
SC-36 Distributed Processing and Storage mitigates T1070.002 Clear Linux or Mac System Logs
SI-23 Information Fragmentation mitigates T1070.002 Clear Linux or Mac System Logs
CP-09 System Backup mitigates T1070.002 Clear Linux or Mac System Logs
AC-19 Access Control for Mobile Devices mitigates T1070.002 Clear Linux or Mac System Logs
SC-04 Information in Shared System Resources mitigates T1070.002 Clear Linux or Mac System Logs
SI-12 Information Management and Retention mitigates T1070.002 Clear Linux or Mac System Logs
SI-03 Malicious Code Protection mitigates T1070.002 Clear Linux or Mac System Logs
SI-07 Software, Firmware, and Information Integrity mitigates T1070.002 Clear Linux or Mac System Logs
AC-16 Security and Privacy Attributes mitigates T1070.002 Clear Linux or Mac System Logs
AC-18 Wireless Access mitigates T1070.002 Clear Linux or Mac System Logs
CM-02 Baseline Configuration mitigates T1070.002 Clear Linux or Mac System Logs
SI-04 System Monitoring mitigates T1070.002 Clear Linux or Mac System Logs
AC-02 Account Management mitigates T1070.002 Clear Linux or Mac System Logs
AC-03 Access Enforcement mitigates T1070.002 Clear Linux or Mac System Logs
AC-05 Separation of Duties mitigates T1070.002 Clear Linux or Mac System Logs
AC-06 Least Privilege mitigates T1070.002 Clear Linux or Mac System Logs

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
attribute.integrity.variety.Log tampering Log tampering or modification related-to T1070.002 Clear Linux or Mac System Logs

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1070.002 Clear Linux or Mac System Logs
Comments
Google Security Ops is able to trigger an alert based on system events, such as deletion of cloud audit logs. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_inspector Amazon Inspector technique_scores T1070.002 Clear Linux or Mac System Logs
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal.
References