Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Detects use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel ring buffer (dmesg logs); the rule also matches action code 4 (SYSLOG_ACTION_READ_CLEAR, read and then clear) and action code 6 (SYSLOG_ACTION_CONSOLE_OFF, disable logging to the console). Attackers can use this to hide traces after exploitation or privilege escalation. A common example is running `dmesg -c`, which issues this syscall internally.
Definition
Required auditd configuration (one rule per line):
-a always,exit -F arch=b64 -S syslog -F a0=4 -k clear_dmesg_logs
-a always,exit -F arch=b64 -S syslog -F a0=5 -k clear_dmesg_logs
-a always,exit -F arch=b64 -S syslog -F a0=6 -k disable_dmesg_logs
-a always,exit -F arch=b32 -S syslog -F a0=4 -k clear_dmesg_logs
-a always,exit -F arch=b32 -S syslog -F a0=5 -k clear_dmesg_logs
-a always,exit -F arch=b32 -S syslog -F a0=6 -k disable_dmesg_logs
detection:
  selection:
    type: 'SYSCALL'
    SYSCALL: 'syslog'
    a0:
      - 4 # SYSLOG_ACTION_READ_CLEAR: read and clear the log
      - 5 # SYSLOG_ACTION_CLEAR: clear the kernel ring buffer (without reading)
      - 6 # SYSLOG_ACTION_CONSOLE_OFF: disable logging to the console
  condition: selection
False Positives
System administrators or scripts that intentionally clear logs
Debugging scripts
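As an added example (not part of the rule or of this page), the following Python applies the selection above to raw auditd SYSCALL records, the form written to audit.log before `ausearch -i` interprets it. Raw records carry the syscall as a number and the arguments in hex, so the script maps the numeric `syscall` field to `syslog` per architecture (x86_64 and i386 use 103, aarch64 uses 116), parses `a0` as hex, and flags action codes 4, 5 and 6. The sample records, the architecture table and the helper names are assumptions constructed for the example; the record with `comm="klogd"` is a constructed stand-in for a logging daemon and illustrates why `exe`, `auid` and `key` belong in the triage output when weighing the false positives listed above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit.log excerpt (not from the page). Record 201 is a plain
# `dmesg` (a0=3, SYSLOG_ACTION_READ_ALL) and must not match; 202/203/204 carry the
# watched action codes; 205 is write(2) with fd 5 in a0 and must not match either.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=103 success=yes exit=0 a0=3 a1=7f0a1c000b60 a2=40000 a3=0 items=0 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="dmesg" exe="/usr/bin/dmesg" key=(null)
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=103 success=yes exit=0 a0=5 a1=0 a2=0 a3=0 items=0 ppid=1200 pid=1202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="dmesg" exe="/usr/bin/dmesg" key="clear_dmesg_logs"
type=SYSCALL msg=audit(1700000000.103:203): arch=40000003 syscall=103 success=yes exit=0 a0=4 a1=8050000 a2=1000 a3=0 items=0 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="klogctl32" exe="/tmp/klogctl32" key="clear_dmesg_logs"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=103 success=yes exit=0 a0=6 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="klogd" exe="/usr/sbin/klogd" key="disable_dmesg_logs"
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=1 success=yes exit=5 a0=5 a1=7ffd0 a2=5 a3=0 items=0 ppid=1200 pid=1500 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=PROCTITLE msg=audit(1700000000.102:202): proctitle=646D657367002D63
"""

# Assumed architecture table: audit arch value -> syscall number of syslog(2).
SYSLOG_SYSCALL_BY_ARCH = {
    "c000003e": 103,  # x86_64
    "40000003": 103,  # i386
    "c00000b7": 116,  # aarch64 (asm-generic numbering)
}

# The a0 values the rule watches, named after the kernel's SYSLOG_ACTION_* constants.
WATCHED_ACTIONS = {
    4: "SYSLOG_ACTION_READ_CLEAR",
    5: "SYSLOG_ACTION_CLEAR",
    6: "SYSLOG_ACTION_CONSOLE_OFF",
}

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one raw auditd record into key=value fields, stripping quotes."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def interpret_syscall(fields: Dict[str, str]) -> Optional[str]:
    """Return 'syslog' when the numeric syscall is syslog(2) for the record's arch."""
    try:
        number = int(fields.get("syscall", ""), 10)
    except ValueError:
        return None
    if SYSLOG_SYSCALL_BY_ARCH.get(fields.get("arch", "")) == number:
        return "syslog"
    return None


def matches_clear_dmesg_rule(fields: Dict[str, str]) -> bool:
    """Apply the Sigma selection: type=SYSCALL, SYSCALL=syslog, a0 in {4, 5, 6}."""
    if fields.get("type") != "SYSCALL":
        return False
    if interpret_syscall(fields) != "syslog":
        return False
    try:
        a0 = int(fields.get("a0", ""), 16)  # auditd logs syscall arguments in hex
    except ValueError:
        return False
    return a0 in WATCHED_ACTIONS


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return a triage row for every record in log_text that matches the rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_audit_record(line)
        if not matches_clear_dmesg_rule(fields):
            continue
        a0 = int(fields["a0"], 16)
        hits.append({
            "event": fields.get("msg", ""),
            "pid": fields.get("pid"),
            "auid": fields.get("auid"),
            "comm": fields.get("comm"),
            "exe": fields.get("exe"),
            "key": fields.get("key"),
            "a0": a0,
            "action": WATCHED_ACTIONS[a0],
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_AUDIT_LOG):
        print(f'{hit["event"]} pid={hit["pid"]} auid={hit["auid"]} '
              f'comm={hit["comm"]} exe={hit["exe"]} {hit["action"]} key={hit["key"]}')
```

Run against the embedded sample, the script reports three hits (the `dmesg -c` clear, the 32-bit read-and-clear, and the console-off call) and ignores both the plain `dmesg` read and the unrelated write(2) whose first argument happens to be 5. The per-architecture lookup is what the Sigma field `SYSCALL: 'syslog'` relies on; if a pipeline feeds already-interpreted records, replace `interpret_syscall` with a direct comparison of the `syscall` field.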
Tactics
Sub-techniques