Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1070.002 | Indicator Removal on Host: Clear Linux or Mac System Logs | |
attribute.integrity.variety.Log tampering | Log tampering or modification | related-to | T1070.002 | Indicator Removal on Host: Clear Linux or Mac System Logs |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_inspector | Amazon Inspector | technique_scores | T1070.002 | Clear Linux or Mac System Logs |
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal.
References
|