Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall

Detects use of the syslog syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel ring buffer (dmesg logs), and also action codes 4 (SYSLOG_ACTION_READ_CLEAR, read and then clear) and 6 (SYSLOG_ACTION_CONSOLE_OFF, disable logging to the console). Attackers can use this to hide traces after exploitation or privilege escalation. A common technique is running dmesg -c, which triggers this syscall internally.

Sigma rule

```yaml
title: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
id: eca5e022-d368-4043-98e5-9736fb01f72f
status: experimental
description: |
    Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),
    (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel
    ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation
    or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
references:
    - https://man7.org/linux/man-pages/man2/syslog.2.html
    - https://man7.org/linux/man-pages/man1/dmesg.1.html
author: Milad Cheraghi
date: 2025-05-27
modified: 2025-06-05
tags:
    - attack.defense-evasion
    - attack.t1070.002
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b64 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=6 -k disable_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=6 -k disable_dmesg_logs
detection:
    selection:
        type: 'SYSCALL'
        syscall: 'syslog'
        a0:
            - 4 # SYSLOG_ACTION_READ_CLEAR : Read and clear log
            - 5 # SYSLOG_ACTION_CLEAR: Clear kernel ring buffer (without reading)
            - 6 # SYSLOG_ACTION_CONSOLE_OFF: Disable logging to console
    condition: selection
falsepositives:
    - System administrators or scripts that intentionally clear logs
    - Debugging scripts
level: medium
```
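
As an added illustration (not part of the rule or of the SigmaHQ project), the Python below applies the selection above to a few constructed auditd records, handling both raw audit.log lines (numeric syscall resolved through arch, hex a0 without prefix) and ausearch -i interpreted lines (syscall=syslog, 0x-prefixed a0). The arch-to-syscall-number table is an assumption that covers x86 only; other architectures use different numbers.

```python
import re
from typing import Optional

# syslog(2) action codes (the a0 argument) that the rule selects on.
FLAGGED_ACTIONS = {4: "SYSLOG_ACTION_READ_CLEAR", 5: "SYSLOG_ACTION_CLEAR", 6: "SYSLOG_ACTION_CONSOLE_OFF"}
# Raw audit.log carries arch and syscall as numbers; syslog is 103 on both x86_64
# (arch=c000003e) and i386 (arch=40000003). Assumption: x86 only, other archs differ.
SYSLOG_NR_BY_ARCH = {"c000003e": 103, "40000003": 103}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_record(line: str) -> dict:
    """Split an auditd record into a key/value dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_syslog_syscall(fields: dict) -> bool:
    sc = fields.get("syscall", "")
    if sc == "syslog":          # interpreted output (ausearch -i) resolves the name
        return True
    if sc.isdigit():            # raw audit.log: resolve the number through arch
        return SYSLOG_NR_BY_ARCH.get(fields.get("arch", "").lower()) == int(sc)
    return False

def match_record(line: str) -> Optional[dict]:
    """Apply the rule's selection to one record; return a finding dict or None."""
    f = parse_audit_record(line)
    if f.get("type") != "SYSCALL" or not is_syslog_syscall(f):
        return None
    try:                        # a0 is hex: '5' in raw form, '0x5' when interpreted
        action = int(f.get("a0", ""), 16)
    except ValueError:
        return None
    if action not in FLAGGED_ACTIONS:
        return None
    return {"action": FLAGGED_ACTIONS[action], "comm": f.get("comm"),
            "uid": f.get("uid"), "key": f.get("key")}

def scan(lines) -> list:
    """Return a finding for every matching record in an iterable of log lines."""
    return [m for m in map(match_record, lines) if m]

# Constructed sample records (not real captures): the first three match, the rest do not.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1717574400.101:201): arch=c000003e syscall=103 success=yes exit=0 a0=5 a1=0 a2=0 a3=0 uid=0 comm="dmesg" exe="/usr/bin/dmesg" key="clear_dmesg_logs"',
    'type=SYSCALL msg=audit(06/05/2025 10:00:01.102:202) : arch=x86_64 syscall=syslog success=yes exit=0 a0=0x4 a1=0x7ffd00 a2=0x1000 a3=0x0 uid=root comm=dmesg exe=/usr/bin/dmesg key=clear_dmesg_logs',
    'type=SYSCALL msg=audit(1717574400.103:203): arch=40000003 syscall=103 success=yes exit=0 a0=6 a1=0 a2=0 a3=0 uid=0 comm="dmesg" exe="/usr/bin/dmesg" key="disable_dmesg_logs"',
    'type=SYSCALL msg=audit(1717574400.104:204): arch=c000003e syscall=103 success=yes exit=3 a0=3 a1=7ffd00 a2=1000 a3=0 uid=1000 comm="dmesg" exe="/usr/bin/dmesg"',
    'type=SYSCALL msg=audit(1717574400.105:205): arch=c000003e syscall=101 success=yes exit=0 a0=5 a1=0 a2=0 a3=0 uid=0 comm="gdb" exe="/usr/bin/gdb"',
    'type=PROCTITLE msg=audit(1717574400.101:201): proctitle="dmesg -c"',
]
```

The fourth sample (a0=3, SYSLOG_ACTION_READ_ALL) is what a plain dmesg issues, which is why the rule keys on 4, 5 and 6 only.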
