Explore top 10 tips to secure your open-source projects now. Read More
×
When an attacker breaks into a Linux system, their work is rarely done. Usually, the real work starts after the initial exploit: hiding their tracks. If you’re a Linux admin or security analyst, there is nothing worse than logging in, running a few commands, and realizing the logs aren't telling the whole story.
When logs are missing or look "off," your primary source of truth is compromised. This guide covers how to handle that situation. We’ll walk through the workflow you need to determine if you’re looking at an attacker’s handiwork or just a system glitch.
Think of this as anti-forensics. Attackers don't just delete logs; they try to make the system look normal. They might truncate a file, change timestamps (timestomping) to hide recent activity, or just kill the auditd service to stop the system from recording their next move. Sometimes, they rotate logs prematurely just to bury their activity in a compressed archive they plan to delete later. They often target the Linux Audit System directly to create a blind spot in your monitoring.
Don't restart services or reboot the server yet. If you do, you risk blowing away volatile evidence stored in memory. Always grab a forensic snapshot first.
If you’re in the middle of an incident, the logs are your map. They show the entry point, the lateral movement, and the data exfiltration. If you can’t trust them, you’re flying blind. You shouldn't assume the local logs are accurate until you have specifically verified their integrity. This is where professional-grade log analysis becomes the difference between catching the actor and missing them entirely.
Before diving into the "meat" of the investigation, make sure the logging services are actually up. You can't analyze what isn't being recorded.
Logs don't just "take a break." If you see a jump in time, someone likely messed with the files.
Run journalctl to look at your timeline. If you see a gap from 10:00 AM to 2:00 PM, ask yourself why. Use journalctl --verify to check for corrupted journal objects. If it complains about corruption, it could be a sign of tampering.
Note: Don't jump to conclusions. Sometimes logs just break due to bad disk sectors or weird rotation configs. Always verify with other sources. Finally, last reboot is your best friend—if the server restarted at a time you didn't authorize, you’ve found your "when."
Attackers love to disable the audit system. Run auditctl -s. A healthy system will report that auditing is enabled. If it says enabled 0, that’s not an accident—that’s an intent. Use auditctl -l to see what rules are active. If you get back an empty list, the attacker stripped your rules. This is a common tactic to keep their commands from showing up in the audit logs, often involving interference with the audit subsystem.
This is the core of log analysis. Never rely on just one file. Attackers are often lazy; they’ll clean up /var/log/auth.log but forget about bash_history, cron, or even systemd journals.
Compare what you see in the logs against each other. If auth.log shows an SSH session, but you see zero activity for that user in the audit logs, something is wrong. Use ausearch to track specific user activity. If the tool returns nothing for a period where you know activity happened, you’ve confirmed the logs were purged.
When you think a file was messed with, get forensic with it:
When detecting Linux audit log tampering, look for files that have been truncated or archives that have been deleted.
If the local logs look fake, stop looking at them. Log into your SIEM, your remote syslog server, or your firewall logs. If the firewall shows 10GB of outbound traffic from that server, but the server's local logs show zero activity, you don't need to guess anymore. The server is compromised, and the local logs are lying.
If you find proof of tampering, stop your investigation on that live host immediately.
Consistent log analysis only works if you're sending logs off-box before an incident happens. Follow a Security Hardening Guide to establish a strong baseline. This includes configuring your systems to forward logs to a central server, and making sure those logs are read-only for everyone except your security team.
Successful log analysis isn't just about finding the one log file an attacker deleted. It’s about being able to tell the story of the incident despite the gaps. If you follow this process, you’ll find the inconsistencies they left behind, and you’ll have the proof you need to respond effectively.