MITRE ATT&CK® Analytic

AN0171: Analytic 0171

Disabling or modifying the Linux Audit system through process termination (auditd killed), service management (systemctl stop auditd), or tampering with rule/configuration files (/etc/audit/audit.rules, audit.conf). Defender view: suspicious execution of auditctl/systemctl commands, file modifications to audit rules, or sudden absence of audit logs correlated with privileged execution.

Enterprise | AN0171 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because Linux audit logging is often part of the evidence trail for privileged activity, incident response, and compliance. If auditd is stopped, audit rules are changed, or audit configuration files are tampered with, defenders may lose visibility exactly when they need it most. For leaders, the key question is not just whether auditd is deployed, but whether the organization can quickly prove when Linux audit visibility has been weakened or removed.

Executive priority

Prioritize this as a resilience and evidence-integrity concern for Linux environments. Security leaders should ask whether critical Linux systems have monitored audit service health, protected audit configuration, and alerting for sudden audit-log absence after privileged activity. This supports incident decision-making, compliance readiness, and confidence that investigations are based on complete telemetry rather than silently degraded logging.

Technical view

Validate coverage for Linux activity involving auditd process termination, service-management actions such as stopping auditd with systemctl, and modification of audit rule or configuration files including /etc/audit/audit.rules and audit.conf. Because the ATT&CK object does not provide a formal detection query, SOC and detection engineering teams should build environment-specific logic around suspicious execution of auditctl or systemctl, privileged context, file modifications to audit configuration, and unexpected gaps in audit log generation.

Likely telemetry

  • Linux process execution telemetry for auditctl, systemctl, and auditd-related activity
  • Service status or service-management events for auditd
  • File integrity or file modification telemetry for /etc/audit/audit.rules and audit.conf
  • Linux audit log presence, volume, and continuity indicators
  • Privilege context for commands or processes associated with audit configuration changes

Detection direction

  • Correlate auditd service stop or process termination with privileged execution context.
  • Alert on modification of Linux audit rule or configuration files, while allowing for approved administrative maintenance windows.
  • Monitor for sudden absence or sharp reduction of audit logs, especially after privileged activity.
  • Tune false positives for legitimate audit policy updates, operating system maintenance, and authorized service restarts.
  • Because no relationship context or official detection logic is supplied, validate detections against local Linux baselines rather than assuming one generic rule will fit all systems.
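As an added example (not part of the MITRE object or of Glexia's analysis), the following Python sketches the correlation the detection direction above calls for: privileged auditd stop or termination, auditctl rule wipes, modification of the watched configuration files, and a collapse in audit volume shortly afterwards, run over constructed telemetry. The tuple layouts, the 60-second buckets and the 300-second correlation window are assumptions to adapt to your own log schema.

```python
import re

# Constructed process-execution telemetry (not from the page): (epoch_s, uid, cmdline).
EVENTS = [
    (1000, 1001, "vim notes.txt"),
    (1060, 0, "systemctl status auditd"),         # benign: status check only
    (1120, 0, "systemctl stop auditd"),           # service-management stop
    (1125, 0, "auditctl -D"),                     # deletes every loaded rule
    (1130, 0, "pkill -9 auditd"),                 # process termination
    (1135, 0, "auditctl -w /etc/shadow -p wa"),   # benign: adds a rule
]
# Constructed file-modification telemetry: (epoch_s, uid, path).
FILE_MODS = [(1145, 0, "/etc/audit/audit.rules"), (1150, 1001, "/home/u/.bashrc")]
# Constructed audit-record counts per 60 s bucket, keyed by bucket start (epoch_s).
AUDIT_VOLUME = {960: 48, 1020: 51, 1080: 47, 1140: 0, 1200: 0}

# Lookaheads make the match order-agnostic ("service auditd stop" also matches).
SERVICE_STOP = re.compile(r"^(systemctl|service)\b(?=.*\b(stop|disable|mask|kill)\b)(?=.*\bauditd\b)")
KILL_AUDITD = re.compile(r"^(pkill|killall)\b(?=.*\bauditd\b)")
AUDITCTL_WIPE = re.compile(r"^auditctl\s.*(-D|-e\s+0)(\s|$)")   # -D wipes rules, -e 0 disables auditing
WATCHED = {"/etc/audit/audit.rules", "/etc/audit/audit.conf"}     # files named in the analytic

def detect_tampering(events, file_mods):
    """Return sorted (timestamp, reason) pairs for uid-0 actions that weaken audit coverage."""
    hits = []
    for ts, uid, cmdline in events:
        if uid != 0:
            continue   # the analytic correlates with privileged context; adjust if sudo hides uid
        if SERVICE_STOP.search(cmdline):
            hits.append((ts, "auditd stopped or disabled via service management"))
        elif KILL_AUDITD.search(cmdline):
            hits.append((ts, "auditd process termination"))
        elif AUDITCTL_WIPE.search(cmdline):
            hits.append((ts, "audit rules deleted or auditing disabled via auditctl"))
    for ts, uid, path in file_mods:
        if uid == 0 and path in WATCHED:
            hits.append((ts, f"audit configuration modified: {path}"))
    return sorted(hits)

def detect_log_gap(volume, tamper_hits, window=300):
    """Flag a bucket whose audit volume collapses to zero right after a non-zero bucket,
    but only when a tampering hit falls within `window` seconds before it (or inside it)."""
    buckets, gaps = sorted(volume), []
    for prev, cur in zip(buckets, buckets[1:]):
        if volume[prev] > 0 and volume[cur] == 0:
            if any(cur - window <= ts <= cur + 60 for ts, _ in tamper_hits):
                gaps.append((cur, "audit log volume dropped to zero after privileged tampering"))
    return gaps
```

A drop to zero on an idle host with no preceding tampering hit is deliberately not flagged, which is the false-positive tuning the bullets above ask for.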

Mitigation priorities

  • Define approved procedures for changing Linux audit rules and stopping auditd, including change records and administrative accountability.
  • Restrict privileged access required to manage auditd, auditctl, and audit configuration files.
  • Monitor integrity of audit configuration files and service state on Linux systems where audit logging is relied upon.
  • Ensure SOC and IR playbooks treat audit-log disappearance as a visibility-loss event requiring investigation, not merely a logging failure.
  • Periodically test whether audit tampering or service stoppage generates timely alerts in the organization’s monitoring stack.

Analyst notes and limits

This object is a detection analytic for Linux focused on disabling or modifying the Linux Audit system through auditd termination, service management, or tampering with audit rules/configuration. The strongest defensive value is in validating the integrity and continuity of audit telemetry, especially for privileged activity.

The supplied ATT&CK fields do not specify tactics, relationships, adversary use, impact, or an official detection query. Recommendations are therefore limited to conservative validation and monitoring directions derived from the official description and Linux platform scope. Local system roles, administrative workflows, and logging architecture are required to determine alert severity and tuning.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 07ffecde099653f5...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 07ffecde0996…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0171

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.