1. Home
  2. ATT&CK Techniques
  3. T1562.012 Disable or Modify Linux Audit System

T1562.012 Disable or Modify Linux Audit System

Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.

Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules, containing a sequence of auditctl commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)

With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with auditd daemon or use systemctl to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the /etc/audit/audit.rules or audit.conf files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-05.01 Access privilege limitation Mitigates T1562.012 Disable or Modify Linux Audit System
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
References
    PR.AA-01.01 Identity and credential management Mitigates T1562.012 Disable or Modify Linux Audit System
    Comments
    This diagnostic statement protects against Disable or Modify Linux Audit System through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
    References

      NIST 800-53 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      CM-06 Configuration Settings mitigates T1562.012 Disable or Modify Linux Audit System
      CM-05 Access Restrictions for Change mitigates T1562.012 Disable or Modify Linux Audit System
      SI-07 Software, Firmware, and Information Integrity mitigates T1562.012 Disable or Modify Linux Audit System
      SI-04 System Monitoring mitigates T1562.012 Disable or Modify Linux Audit System
      AC-06 Least Privilege mitigates T1562.012 Disable or Modify Linux Audit System
      AC-03 Access Enforcement mitigates T1562.012 Disable or Modify Linux Audit System
      AC-02 Account Management mitigates T1562.012 Disable or Modify Linux Audit System
      CM-03 Configuration Change Control mitigates T1562.012 Disable or Modify Linux Audit System

      VERIS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.012 Disable or Modify Linux Audit System
      action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.012 Disable or Modify Linux Audit System

      Azure Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      alerts_for_linux_machines Alerts for Linux Machines technique_scores T1562.012 Disable or Modify Linux Audit System
      Comments
      This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
      References
      1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-linux

      GCP Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      google_secops Google Security Operations technique_scores T1562.012 Disable or Modify Linux Audit System
      Comments
      Google Security Operations is able to trigger alerts based off inovcation of utilities (like auditctl).
      References
      1. https://cloud.google.com/security/products/security-operations
      2. https://cloud.google.com/chronicle/docs/secops/secops-overview
      3. https://github.com/chronicle/detection-rules