Detect Disable or Modify Linux Audit System in Splunk
Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. Often referred to as auditd, this is the name of the daemon used to write events to disk and is governed by the parameters set in the audit.conf configuration file. Two primary ways to configure the log generation rules are through the command line auditctl utility and the file /etc/audit/audit.rules. With root privileges, adversaries may disable the Audit system service, edit the configuration/rule files, or hook the Audit system library functions. This technique was used by the Ebury malware and the SkidMap cryptominer variant.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.012 Disable or Modify Linux Audit System
- Canonical reference
- https://attack.mitre.org/techniques/T1562/012/
SPL Detection Query
index=linux sourcetype="linux_audit" OR sourcetype="syslog" OR sourcetype="linux_secure"
("auditd" AND ("stop" OR "disable" OR "killed" OR "signal"))
OR ("auditctl" AND ("-e 0" OR "-D" OR "-a never" OR "-a exclude"))
OR ("audit.rules" AND ("modified" OR "deleted" OR "truncated"))
| eval CommandLine=coalesce(a0." ".a1." ".a2." ".a3, msg, _raw)
| eval IsServiceStop=if(match(CommandLine, "(systemctl\s+stop\s+auditd|service\s+auditd\s+stop|killall\s+auditd|pkill\s+auditd)"), 1, 0)
| eval IsAuditDisable=if(match(CommandLine, "auditctl\s+-e\s+0"), 1, 0)
| eval IsRuleFlush=if(match(CommandLine, "auditctl\s+-D"), 1, 0)
| eval IsConfigTamper=if(match(CommandLine, "(audit\.rules|auditd\.conf)"), 1, 0)
| eval SeverityScore=IsServiceStop*3 + IsAuditDisable*3 + IsRuleFlush*2 + IsConfigTamper*2
| where SeverityScore > 0
| table _time, host, user, CommandLine, IsServiceStop, IsAuditDisable, IsRuleFlush, IsConfigTamper, SeverityScore
| sort - SeverityScore, - _timeDetects Linux audit system tampering using Linux audit logs, syslog, and linux_secure sourcetypes. Identifies auditd service stop/disable commands, auditctl commands that disable auditing (-e 0) or flush rules (-D), and modifications to audit configuration files. Assigns a severity score based on the destructiveness of each action — complete audit disable and service stop score highest.
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators performing legitimate auditd maintenance such as rule updates followed by service restarts
- Configuration management tools (Ansible, Puppet, Chef) deploying updated audit rules as part of security hardening automation
- OS package updates that modify auditd configuration files during audit package upgrades
- Auditd log rotation that triggers a service HUP signal (kill -HUP) for log file reopening — this is normal operation, not a stop
Other platforms for T1562.012
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stop auditd Service via systemctl
Expected signal: Syslog entry for auditd service stopping. Systemd journal entry for the unit state change. If Sysmon for Linux is installed, a process creation event for systemctl with the 'stop auditd' arguments. The audit.log will show a final DAEMON_END event before stopping.
- Test 2Disable Audit Subsystem via auditctl
Expected signal: The audit log will show an AUDIT_ENABLED record with enabled=0. A CONFIG_CHANGE event is generated immediately before auditing stops. Syslog may capture the auditctl process execution. After -e 0, NO further audit events will be generated until re-enabled.
- Test 3Flush All Audit Rules via auditctl
Expected signal: The audit log will show a CONFIG_CHANGE event with op=remove_rule for each deleted rule. A final entry shows 'audit_enabled=1 ... rules=0' confirming all rules were flushed. The auditd service remains running (systemctl status auditd shows active).
- Test 4Modify audit.rules Configuration File
Expected signal: File modification event for /etc/audit/audit.rules (Sysmon for Linux file create/modify or audit SYSCALL event for open/write on the file). Process creation events for cp, tee, and augenrules. CONFIG_CHANGE audit events when new (empty) rules are loaded.
References (7)
- https://attack.mitre.org/techniques/T1562/012/
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.012/T1562.012.md
- https://man7.org/linux/man-pages/man8/auditctl.8.html
Unlock Pro Content
Get the full detection package for T1562.012 including response playbook, investigation guide, and atomic red team tests.