MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1562.012: Disable or Modify Linux Audit System

Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel level and maintains event logs on application and system activity such as process, network, file, and login events, based on pre-configured rules.

Often referred to as auditd, the daemon writes events to disk and is governed by the parameters set in the audit.conf configuration file. The two primary ways to configure the log generation rules are the command-line auditctl utility and the file /etc/audit/audit.rules, which contains a sequence of auditctl commands loaded at boot time.

With root privileges, adversaries may be able to ensure their activity is not logged by disabling the Audit system service, editing the configuration/rule files, or hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service by killing processes associated with the auditd daemon or by using systemctl to stop the Audit service. Adversaries can also hook Audit system functions to disable logging, or modify the rules contained in the /etc/audit/audit.rules or audit.conf files so that malicious activity is ignored.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_defense_evasion: PT-CR-1654: Unix_Disable_Auditd: Audit services on a host were disabled. This could be done by attackers to hide their activity.
unix_mitre_attck_defense_evasion: PT-CR-440: Unix_Log_Config_Modify: Audit daemon configuration file change

Detection

ID: DS0022. Data source and component: File: File Deletion. Description:

Monitor for missing log files from machines with known active periods.

ID: DS0009. Data source and component: Process: Process Modification. Description:

Using another process or third-party tools, monitor for potentially malicious modifications or access to the auditd system process.

ID: DS0009. Data source and component: Process: OS API Execution. Description:

Monitor for abnormal execution of syslog and other functions associated with system logging.

ID: DS0017. Data source and component: Command: Command Execution. Description:

Command-line invocation of the auditctl utility may be unusual, depending on how systems are typically used in a particular environment. At runtime, look for commands to modify or create rules using the auditctl utility.

ID: DS0022. Data source and component: File: File Modification. Description:

Monitor changes made to the /etc/audit/audit.rules file, which contains the sequence of auditctl commands loaded at boot time.
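The command-execution and file-modification detection items above, worked through as an added example that is not MaxPatrol SIEM, PT-CR rule logic or auditd code: a small Python classifier that runs over constructed auditd EXECVE and PATH records and labels the ones that disable auditd, stop or kill the service, change rules at runtime, or reference files under /etc/audit/. The label names, sample serial numbers and regex shapes are assumptions chosen for the example.

```python
import re

# Constructed sample records in auditd's native key=value format, not real captures.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="auditctl" a1="-e" a2="0"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="systemctl" a1="stop" a2="auditd"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="auditctl" a1="-l"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=2 a0="pkill" a1="auditd"',
    # an argument containing a space: auditd writes it hex-encoded and unquoted
    'type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="sh" a1="-c" a2=617564697463746C202D652030',
    'type=PATH msg=audit(1700000000.106:206): item=0 name="/etc/audit/audit.rules" nametype=NORMAL',
    'type=EXECVE msg=audit(1700000000.107:207): argc=2 a0="auditctl" a1="-D"',
    'type=PATH msg=audit(1700000000.108:208): item=0 name="/etc/hostname" nametype=NORMAL',
]

# Detection labels (hypothetical names) and the command-line shapes they cover.
COMMAND_PATTERNS = [
    ("auditd_disabled", re.compile(r"\bauditctl\b.*\s-e\s+0\b")),
    ("auditd_service_stopped",
     re.compile(r"\b(systemctl\s+(stop|disable|mask)\s+auditd|service\s+auditd\s+stop)\b")),
    ("auditd_process_killed", re.compile(r"\b(pkill|killall)\b.*\bauditd\b")),
    ("audit_rules_modified_at_runtime", re.compile(r"\bauditctl\b.*\s-[aAwWdD]\b")),
]
ARG_RE = re.compile(r'\ba\d+=(?:"([^"]*)"|([0-9A-Fa-f]+))')
PATH_RE = re.compile(r'\bname="([^"]*)"')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def execve_argv(record):
    """Return argv of an EXECVE record, decoding hex-encoded arguments."""
    return [q if h == "" else bytes.fromhex(h).decode("utf-8", "replace")
            for q, h in ARG_RE.findall(record)]

def classify(record):
    """Map one record to a detection label, or None when nothing matches."""
    if record.startswith("type=EXECVE"):
        cmdline = " ".join(execve_argv(record))
        for label, pattern in COMMAND_PATTERNS:
            if pattern.search(cmdline):
                return label
    elif record.startswith("type=PATH"):
        # A PATH record alone only proves the file was referenced; correlate with the SYSCALL record of the same serial to confirm a write.
        m = PATH_RE.search(record)
        if m and m.group(1).startswith("/etc/audit/"):
            return "audit_config_file_touched"
    return None

def scan(records):
    """Return (serial, label) for every record that triggers a detection."""
    return [(int(SERIAL_RE.search(r).group(1)), classify(r))
            for r in records if classify(r)]
```

Joining argv before matching is what lets the wrapper-shell case (record 205) hit the same pattern as a direct auditctl call; in production the EXECVE record would be joined to its SYSCALL record by serial to attach uid, auid and exe.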

Mitigation

ID: M1047. Name: Audit. Description:

Routinely check account role permissions to ensure only expected users and roles have permission to modify logging settings.

To ensure Audit rules cannot be modified at runtime, add the auditctl -e 2 as the last command in the audit.rules file. Once auditd has started in this mode, any attempt to change the configuration is audited and denied; the configuration can only be changed by rebooting the machine.

ID: M1018. Name: User Account Management. Description:

An adversary must already have root level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.