T1070.002 Clear Linux or Mac System Logs Mappings

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)

  • <code>/var/log/messages:</code>: General and system-related messages
  • <code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs
  • <code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: Login records
  • <code>/var/log/kern.log</code>: Kernel logs
  • <code>/var/log/cron.log</code>: Crond logs
  • <code>/var/log/maillog</code>: Mail server logs
  • <code>/var/log/httpd/</code>: Web server access and error logs
View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1070.002 Clear Linux or Mac System Logs
AC-17 Remote Access Protects T1070.002 Clear Linux or Mac System Logs
AC-18 Wireless Access Protects T1070.002 Clear Linux or Mac System Logs
AC-19 Access Control for Mobile Devices Protects T1070.002 Clear Linux or Mac System Logs
AC-2 Account Management Protects T1070.002 Clear Linux or Mac System Logs
AC-3 Access Enforcement Protects T1070.002 Clear Linux or Mac System Logs
AC-5 Separation of Duties Protects T1070.002 Clear Linux or Mac System Logs
AC-6 Least Privilege Protects T1070.002 Clear Linux or Mac System Logs
CA-7 Continuous Monitoring Protects T1070.002 Clear Linux or Mac System Logs
CM-2 Baseline Configuration Protects T1070.002 Clear Linux or Mac System Logs
CM-6 Configuration Settings Protects T1070.002 Clear Linux or Mac System Logs
CP-6 Alternate Storage Site Protects T1070.002 Clear Linux or Mac System Logs
CP-7 Alternate Processing Site Protects T1070.002 Clear Linux or Mac System Logs
CP-9 System Backup Protects T1070.002 Clear Linux or Mac System Logs
SC-36 Distributed Processing and Storage Protects T1070.002 Clear Linux or Mac System Logs
SC-4 Information in Shared System Resources Protects T1070.002 Clear Linux or Mac System Logs
SI-12 Information Management and Retention Protects T1070.002 Clear Linux or Mac System Logs
SI-23 Information Fragmentation Protects T1070.002 Clear Linux or Mac System Logs
SI-3 Malicious Code Protection Protects T1070.002 Clear Linux or Mac System Logs
SI-4 System Monitoring Protects T1070.002 Clear Linux or Mac System Logs
SI-7 Software, Firmware, and Information Integrity Protects T1070.002 Clear Linux or Mac System Logs

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration technique_scores T1070.002 Clear Linux or Mac System Logs
Comments
This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.
References