{
"id": 393,
"key": "removing-commands-from-selinux-audit-logs",
"unprotect_id": "U0312",
"name": "Removing Commands from SELinux Audit Logs",
"description": "SELinux audit logs record all executed commands and policy enforcement actions, including commands like `/bin/web`, `setenforce`, `mount`, and `/bin/rm`. Using `sed -i`, attackers delete specific entries from these logs that could reveal the commands they executed. This manipulation ensures that traces of their activity, such as disabling security policies or deleting evidence, are erased from the audit trail.\r\n\r\nSELinux audit logs provide granular visibility into command execution and policy violations. Attackers exploit this by removing traces of commands that could indicate tampering with the system (e.g., mounting file systems to access restricted areas or deleting files to remove evidence). This eliminates key forensic evidence and blinds investigators to critical actions taken during or after exploitation, reducing the likelihood of detection and hindering incident response efforts.",
"windows": "",
"linux": "### How SELinux Audit Log Manipulation Works on Linux\r\n\r\n#### What Are SELinux Audit Logs?\r\nSELinux (Security-Enhanced Linux) audit logs provide detailed records of:\r\n- **Executed Commands:** Logs all commands run on the system (e.g., `/bin/web`, `setenforce`, `mount`, `/bin/rm`).\r\n- **Policy Enforcement:** Tracks SELinux policy actions, including denials, permission changes, and access violations.\r\n- These logs are typically stored in files like `/var/log/audit/audit.log`.\r\n\r\nSELinux audit logs are critical for understanding command execution, policy violations, and system behavior.\r\n\r\n---\r\n\r\n#### How Are SELinux Audit Logs Manipulated?\r\nAttackers use tools like `sed` to remove specific entries from the audit logs. For example:\r\n\r\n```bash\r\n# Remove entries matching specific commands\r\nsed -i '/bin\\/web/d' /data/var/log/audit/audit.log\r\nsed -i '/setenforce/d' /data/var/log/audit/audit.log\r\nsed -i '/mount/d' /data/var/log/audit/audit.log\r\nsed -i '/bin\\/rm/d' /data/var/log/audit/audit.log\r\n```\r\n\r\n### How `sed` Manipulates SELinux Audit Logs\r\n\r\n#### **Pattern Matching**\r\n- The `sed` command searches for log entries containing specific patterns (e.g., `/bin/web` or `setenforce`) and deletes those lines.\r\n\r\n#### **In-Place Editing (`-i`)**\r\n- The `-i` flag rewrites the log file directly, without creating a backup, effectively erasing the selected entries permanently.\r\n\r\n---\r\n\r\n### **How It Works Internally**\r\n1. **Log Parsing:**\r\n - The `sed` command scans the audit log file line by line, looking for patterns defined by the attacker.\r\n2. **Line Deletion:**\r\n - Any line containing the specified command or activity is removed from the output.\r\n3. **File Overwriting:**\r\n - The modified log file is written back to the original file, leaving no visible trace of the tampering.\r\n\r\n---\r\n\r\n### **How It Can Be Abused**\r\n\r\n#### **Erasing Evidence of Malicious Commands**\r\n- **SELinux logs commands** that might reveal attacker activity, such as:\r\n - `/bin/rm` to delete critical files.\r\n - `mount` to gain access to restricted file systems.\r\n- **By removing these entries, attackers conceal their actions**, making it difficult for investigators to detect malicious behavior.\r\n\r\n#### **Concealing Policy Violations**\r\n- SELinux enforces strict access controls. If attackers:\r\n - Bypass or disable policies (e.g., using `setenforce` to change the SELinux mode), the logs would normally record these actions.\r\n- **Manipulating logs erases evidence** of these violations, making it appear as if SELinux policies were never altered.\r\n\r\n#### **Hindering Forensic Analysis**\r\n- SELinux audit logs are a key resource for incident responders. By removing specific entries, attackers:\r\n - Blind investigators to critical activities.\r\n - Make it harder to identify attack vectors or reconstruct the timeline of events.\r\n\r\n#### **Evading Detection**\r\n- Tools or scripts monitoring SELinux logs for suspicious patterns:\r\n - Will not detect tampered activities because the relevant entries have been erased.",
"macos": "",
"resources": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en",
"creation_date": "2025-01-16T00:29:15.998621Z",
"tags": "",
"modification_date": "2025-01-16T00:29:15.998663Z",
"category": [
8
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": [
6
]
}