Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the/var/log/directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
/var/log/messages:: General and system-related messages/var/log/secureor/var/log/auth.log: Authentication logs/var/log/utmpor/var/log/wtmp: Login records/var/log/kern.log: Kernel logs/var/log/cron.log: Crond logs/var/log/maillog: Mail server logs/var/log/httpd/: Web server access and error logs
Delete system and audit logs
Supported Platforms: macOS, Linux
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of mail spool | String | root |
echo 0> /var/spool/mail/#{username}This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| log_path | Path of specified log | Path | /var/log/secure |
echo 0> #{log_path}