Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
/var/log/messages:: General and system-related messages/var/log/secure or /var/log/auth.log: Authentication logs/var/log/utmp or /var/log/wtmp: Login records/var/log/kern.log: Kernel logs/var/log/cron.log: Crond logs/var/log/maillog: Mail server logs/var/log/httpd/: Web server access and error logs| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Log tampering | Log tampering or modification | related-to | T1685.006 | Clear Linux or Mac System Logs | |
| action.hacking.variety.Disable controls | Disable or interfere with security controls | related-to | T1685.006 | Clear Linux or Mac System Logs |