Technique on mitre.org

T1070.002: Clear Linux or Mac System Logs

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:

/var/log/messages:: General and system-related messages
/var/log/secure or /var/log/auth.log: Authentication logs
/var/log/utmp or /var/log/wtmp: Login records
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs
/var/log/maillog: Mail server logs
/var/log/httpd/: Web server access and error logs

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_defense_evasion: PT-CR-440: Unix_Log_Config_Modify: Audit daemon configuration file change

Detection

ID	DS0022	Data source and component	File: File Deletion	Description	Monitor for unexpected deletion of a system log file, typically stored in /var/logs or /Library/Logs.

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for changes made to system log files, typically stored in /var/log or /Library/Logs, for unexpected modifications to access permissions and attributes

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments for actions that could be taken to remove or overwrite system logs.

ID	Data source and component	Description
DS0022	File: File Deletion	Monitor for unexpected deletion of a system log file, typically stored in /var/logs or /Library/Logs.
DS0022	File: File Modification	Monitor for changes made to system log files, typically stored in /var/log or /Library/Logs, for unexpected modifications to access permissions and attributes
DS0017	Command: Command Execution	Monitor executed commands and arguments for actions that could be taken to remove or overwrite system logs.

Mitigation

ID	M1029	Name	Remote Data Storage	Description	Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.

ID	M1022	Name	Restrict File and Directory Permissions	Description	Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

ID	M1041	Name	Encrypt Sensitive Information	Description	Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

ID	Name	Description
M1029	Remote Data Storage	Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system.
M1022	Restrict File and Directory Permissions	Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.
M1041	Encrypt Sensitive Information	Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.