T1562.012
Impair Defenses: Disable or Modify Linux Audit System
Description from ATT&CK
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
Often referred to as
, this is the name of the daemon used to write events to disk and is governed by the parameters set in the 1
auditd
configuration file. Two primary ways to configure the log generation rules are through the command line 1
audit.conf
utility and the file 1
auditctl
, containing a sequence of 1
/etc/audit/audit.rules
commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)1
auditctl
With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with
daemon or use 1
auditd
to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the 1
systemctl
or 1
/etc/audit/audit.rules
files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)1
audit.conf
Atomic Tests
Atomic Test #1 - Delete all auditd rules using auditctl
Using 'auditctl -D' deletes all existing audit rules, resulting in the loss of previously configured monitoring settings and the audit trail. This action reduces visibility into system activities, potentially leading to compliance concerns and hampering security monitoring efforts. Additionally, it poses a risk of covering unauthorized activities by erasing evidence from audit logs.
Supported Platforms: linux
auto_generated_guid: 33a29ab1-cabb-407f-9448-269041bf2856
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
auditctl -D
Cleanup Commands:
1
service auditd restart
Dependencies: Run with sh!
Description: Check if auditd is installed.
Check Prereq Commands:
1
if [ $(command -v auditctl) ]; then exit 0; else exit 1; fi
Get Prereq Commands:
1
(yum install auditd -y) || (apt-get install auditd -y) || (dnf install auditd -y)
Atomic Test #2 - Disable auditd using auditctl
The command
disables the audit system. By setting the parameter to 1
auditctl -e 0
, auditing is deactivated, halting the monitoring and recording of security-related events. This action stops the generation of audit logs, ceasing the collection of data regarding system activities. Disabling auditing may be done for various reasons, such as troubleshooting, performance optimization, or temporarily suspending auditing requirements, but it reduces visibility into system events and can impact security monitoring and compliance efforts.1
0
Supported Platforms: linux
auto_generated_guid: 7906f0a6-b527-46ee-9026-6e81a9184e08
Inputs:
None
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
auditctl -e 0
Cleanup Commands:
1
auditctl -e 1
Dependencies: Run with sh!
Description: Check if auditd is installed.
Check Prereq Commands:
1
if [ $(command -v auditctl) ]; then exit 0; else exit 1; fi
Get Prereq Commands:
1
(yum install auditd -y) || (apt-get install auditd -y) || (dnf install auditd -y)