Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall

Original Source: [Sigma source]
Title: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Status: experimental
Description: Detects use of the `syslog` syscall (the `klogctl()` wrapper in glibc) with action code 4 (SYSLOG_ACTION_READ_CLEAR), 5 (SYSLOG_ACTION_CLEAR) or 6 (SYSLOG_ACTION_CONSOLE_OFF). Actions 4 and 5 clear the kernel ring buffer (the `dmesg` log); action 6 stops the kernel from printing messages to the console. Attackers can use these to hide traces left by exploitation or privilege escalation, such as oops messages or module-loading output. A common technique is running `dmesg -c` (read and clear) or `dmesg -C` (clear only), both of which issue this syscall internally; `dmesg -D` disables console output. All three actions require CAP_SYSLOG (or CAP_SYS_ADMIN), so a matching call from an unprivileged process normally fails with EPERM and is recorded by auditd with success=no, which is still worth reviewing.
References:
  - https://man7.org/linux/man-pages/man2/syslog.2.html
  - https://man7.org/linux/man-pages/man1/dmesg.1.html
Author: Milad Cheraghi
Date: 2025-05-27
Modified: 2025-06-05
Tags:
  - attack.defense-evasion
  - attack.t1070.002
Logsource:
  product: linux
  service: auditd
  definition: Required auditd configuration (one rule per action code and architecture):
    -a always,exit -F arch=b64 -S syslog -F a0=4 -k clear_dmesg_logs
    -a always,exit -F arch=b64 -S syslog -F a0=5 -k clear_dmesg_logs
    -a always,exit -F arch=b64 -S syslog -F a0=6 -k disable_dmesg_logs
    -a always,exit -F arch=b32 -S syslog -F a0=4 -k clear_dmesg_logs
    -a always,exit -F arch=b32 -S syslog -F a0=5 -k clear_dmesg_logs
    -a always,exit -F arch=b32 -S syslog -F a0=6 -k disable_dmesg_logs
Detection:
  selection:
    type: 'SYSCALL'
    syscall: 'syslog'
    a0:
      -'4'
      -'5'
      -'6'

  condition: selection
Falsepositives:
  - System administrators or provisioning scripts that intentionally clear the ring buffer (for example `dmesg -c` before reproducing a kernel issue)
  - Kernel or driver debugging scripts that read-and-clear the buffer in a loop
Level: medium
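To show how the selection above behaves on events shaped like real auditd output, here is an added example (not part of the Sigma rule or its source) that applies the rule's logic to raw audit.log SYSCALL records in Python. It handles two details the rendered rule glosses over: raw records carry the syscall number (103 for `syslog` on both x86_64 and i386) rather than the name, and arguments such as `a0` are logged as hexadecimal without a `0x` prefix (`ausearch -i` adds one); for 4, 5 and 6 the hex and decimal forms coincide, so the rule's string match works either way. All log lines, PIDs, timestamps and the `all_syslog` key are constructed for the example.

```python
import re
from typing import Iterable, Optional

# SYSLOG_ACTION_* codes from syslog(2); the rule selects 4, 5 and 6.
SYSLOG_ACTIONS = {
    0: "SYSLOG_ACTION_CLOSE", 1: "SYSLOG_ACTION_OPEN", 2: "SYSLOG_ACTION_READ",
    3: "SYSLOG_ACTION_READ_ALL", 4: "SYSLOG_ACTION_READ_CLEAR", 5: "SYSLOG_ACTION_CLEAR",
    6: "SYSLOG_ACTION_CONSOLE_OFF", 7: "SYSLOG_ACTION_CONSOLE_ON", 8: "SYSLOG_ACTION_CONSOLE_LEVEL",
    9: "SYSLOG_ACTION_SIZE_UNREAD", 10: "SYSLOG_ACTION_SIZE_BUFFER",
}
SUSPICIOUS_ACTIONS = {4, 5, 6}

# Raw records carry the syscall number, keyed by the AUDIT_ARCH_* value auditd prints
# in the arch field (0xc000003e = x86_64, 0x40000003 = i386). syslog(2) is 103 on both.
SYSLOG_SYSCALL_NR = {"c000003e": 103, "40000003": 103}

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one auditd record into key/value pairs, dropping quotes around values."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def syscall_name(rec: dict) -> Optional[str]:
    """Return 'syslog' for a syslog(2) record, whether the field holds the raw number
    (syscall=103 plus arch=c000003e) or the name as written by ausearch -i."""
    sc = rec.get("syscall")
    if sc is None:
        return None
    if sc.isdigit():
        return "syslog" if SYSLOG_SYSCALL_NR.get(rec.get("arch", "").lower()) == int(sc) else None
    return sc


def a0_value(rec: dict) -> Optional[int]:
    """Syscall arguments are logged as hex without a 0x prefix; ausearch -i adds one."""
    raw = rec.get("a0")
    if raw is None:
        return None
    return int(raw[2:] if raw.lower().startswith("0x") else raw, 16)


def match_rule(rec: dict) -> Optional[str]:
    """Apply the rule's selection; return the SYSLOG_ACTION name on a match, else None."""
    if rec.get("type") != "SYSCALL" or syscall_name(rec) != "syslog":
        return None
    action = a0_value(rec)
    return SYSLOG_ACTIONS[action] if action in SUSPICIOUS_ACTIONS else None


def detect(lines: Iterable[str]) -> list:
    """Run the rule over audit.log lines and return one alert dict per matching record."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        action = match_rule(rec)
        if action:
            alerts.append({
                "action": action, "comm": rec.get("comm"), "exe": rec.get("exe"),
                "pid": rec.get("pid"), "auid": rec.get("auid"),
                "success": rec.get("success"), "key": rec.get("key"),
            })
    return alerts


# Constructed sample records (not real captures); field layout follows audit.log.
SAMPLE_LOG = [
    # dmesg -C as root: clear only (SYSLOG_ACTION_CLEAR)
    'type=SYSCALL msg=audit(1717574400.101:501): arch=c000003e syscall=103 success=yes exit=0 a0=5 a1=0 a2=0 a3=0 items=0 ppid=2201 pid=2202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="dmesg" exe="/usr/bin/dmesg" subj=unconfined key="clear_dmesg_logs"',
    # 32-bit dmesg -c that reads and clears in one call (SYSLOG_ACTION_READ_CLEAR)
    'type=SYSCALL msg=audit(1717574400.102:502): arch=40000003 syscall=103 success=yes exit=1850 a0=4 a1=f7e2c010 a2=4000 a3=0 items=0 ppid=2201 pid=2210 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="dmesg" exe="/usr/bin/dmesg" subj=unconfined key="clear_dmesg_logs"',
    # dmesg -D: stop kernel messages reaching the console (SYSLOG_ACTION_CONSOLE_OFF)
    'type=SYSCALL msg=audit(1717574400.103:503): arch=c000003e syscall=103 success=yes exit=0 a0=6 a1=0 a2=0 a3=0 items=0 ppid=2201 pid=2215 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="dmesg" exe="/usr/bin/dmesg" subj=unconfined key="disable_dmesg_logs"',
    # plain dmesg: read without clearing (SYSLOG_ACTION_READ_ALL = 3); only logged under a
    # broader hypothetical rule, included to show the selection does not fire on it
    'type=SYSCALL msg=audit(1717574400.104:504): arch=c000003e syscall=103 success=yes exit=16384 a0=3 a1=55d1c2a0 a2=4000 a3=0 items=0 ppid=2201 pid=2220 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="dmesg" exe="/usr/bin/dmesg" subj=unconfined key="all_syslog"',
    # unprivileged dmesg -C: denied with EPERM (success=no) but still an attempt to clear
    'type=SYSCALL msg=audit(1717574400.105:505): arch=c000003e syscall=103 success=no exit=-1 a0=5 a1=0 a2=0 a3=0 items=0 ppid=3300 pid=3301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=5 comm="dmesg" exe="/usr/bin/dmesg" subj=unconfined key="clear_dmesg_logs"',
    # the same kind of event as rendered by ausearch -i: names instead of numbers, 0x prefix
    'type=SYSCALL msg=audit(06/05/2025 10:00:00.106:506) : arch=x86_64 syscall=syslog success=yes exit=0 a0=0x5 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=2201 pid=2230 auid=analyst uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=dmesg exe=/usr/bin/dmesg subj=unconfined key=clear_dmesg_logs',
    # companion record of event 501; not a SYSCALL record, so it is ignored
    'type=PROCTITLE msg=audit(1717574400.101:501): proctitle=646D657367002D43',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the block prints five alerts: three successful clears or console-off calls, the denied unprivileged attempt (success=no) and the `ausearch -i` form, while the read-only `a0=3` record and the PROCTITLE record are skipped. Keeping the `success` and `auid` fields in the alert lets a triage step separate a root maintenance script from a failed attempt by a fresh low-privilege session.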