Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules, containing a sequence of auditctl commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)
With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with auditd daemon or use systemctl to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the /etc/audit/audit.rules or audit.conf files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| LOG-10 | Audit Records Protection | mitigates | T1562.012 | Disable or Modify Linux Audit System |
Comments
This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and so forth for investigations or legal proceedings.
References
|
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1562.012 | Disable or Modify Linux Audit System |
Comments
This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. These set of controls are in place to ensure that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
References
|
| LOG-02 | Audit Logs Protection | mitigates | T1562.012 | Disable or Modify Linux Audit System |
Comments
This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as, centralized logging, secure and tamper-evident storage, access restrictions, regular monitoring and review ensuring logs remain available and trustworthy for investigations and protected against any improper modification and tampering.
References
|