SELinux / AppArmor Security Logs

Linux, System Configuration, Disk Image, SIEM / Log Aggregator

Location

/var/log/audit/audit.log (SELinux AVC messages; AppArmor messages also land here when auditd is running), otherwise /var/log/kern.log, /var/log/syslog or the kernel journal (journalctl -k) for AppArmor messages

Description

Mandatory Access Control (MAC) framework logs from SELinux (AVC denial records in audit.log) or AppArmor (apparmor="DENIED" records in kern.log/syslog, or in audit.log when auditd is running). Each record is a policy violation: a confined process attempted an operation its policy does not allow, and the record names the operation, the source process and the target object. In permissive or complain mode the same records are still written (SELinux marks them permissive=1, AppArmor writes apparmor="ALLOWED"), but the operation was permitted rather than blocked.

Forensic Value

MAC denial logs show processes attempting operations outside their confinement, a common side effect of exploitation (a web server spawning a shell, a daemon reading /etc/shadow) and of privilege escalation. SELinux AVC records name the blocked operation, the source process and its context (comm, pid, scontext) and the target object and its context (path or name, tcontext, tclass); AppArmor records name the profile, operation, path and denied_mask. A sudden increase in denials, or denials from processes that normally never produce them, warrants investigation, but denials also follow software updates, policy changes and misconfiguration, so compare against a baseline before calling it exploitation. Check the permissive flag: an AVC record with permissive=1, or an AppArmor apparmor="ALLOWED" record from a profile in complain mode, means the operation was logged but not blocked. Checking the current enforcement mode (getenforce, aa-status) reveals whether an attacker disabled MAC protections; a setenforce 0 on a live system also leaves a type=MAC_STATUS audit record (enforcing=0 old_enforcing=1, with the auid of the caller), while edits to /etc/selinux/config or the kernel command line (selinux=0, enforcing=0, apparmor=0) only take effect at the next boot. Note that SELinux dontaudit rules suppress many denials by default, so an absence of records is not proof that nothing was attempted.
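Triage logic for the record types described above, as an added example that is not part of the original page: a shell function that reads raw audit.log or syslog lines and classifies each one, flagging MAC_STATUS enforcing=0, permissive=1 and apparmor="ALLOWED" records (logged but not blocked) and execute denials of a shell by a confined process. The sample records, the severity rules and the list of shell names are constructed for this example and are assumptions to tune against the host's own baseline.

```shell
#!/bin/sh
# Added example (not from the original page): triage raw SELinux AVC,
# AppArmor and MAC_STATUS records. Reads audit.log / syslog lines on stdin
# and prints one finding per record as  SEVERITY|reason|process|target.
# Severity rules (assumptions for this example, tune to your baseline):
#   HIGH  MAC_STATUS enforcing=0   - SELinux switched to permissive
#   HIGH  AVC with permissive=1    - logged but NOT blocked
#   HIGH  apparmor="ALLOWED"       - complain-mode profile, NOT blocked
#   HIGH  denied exec of a shell   - confined process trying to spawn sh
#   INFO  any other denial
triage_mac_log() {
  awk -v shell_re='(^|/)(sh|bash|dash|zsh)$' '
    # field(key): value of key="..." or key=value, or "" if absent.
    # The leading space keeps "enforcing=" from matching "old_enforcing=".
    function field(key,    n) {
      if (match($0, " " key "=\"[^\"]*\"")) {
        n = length(key) + 3
        return substr($0, RSTART + n, RLENGTH - n - 1)
      }
      if (match($0, " " key "=[^ ]*")) {
        n = length(key) + 2
        return substr($0, RSTART + n, RLENGTH - n)
      }
      return ""
    }
    /type=MAC_STATUS/ {
      if (field("enforcing") == "0" && field("old_enforcing") == "1")
        print "HIGH|mac_disabled|auid=" field("auid") "|enforcing=0"
      next
    }
    /apparmor="ALLOWED"/ {
      print "HIGH|complain_mode_allowed|" field("comm") "|" field("name")
      next
    }
    /apparmor="DENIED"/ {
      sev = "INFO"; reason = "denied"
      if (field("operation") == "exec" && field("name") ~ shell_re) {
        sev = "HIGH"; reason = "shell_exec_denied"
      }
      print sev "|" reason "|" field("comm") "|" field("name")
      next
    }
    /avc: *denied/ {
      b = index($0, "{"); e = index($0, "}")
      perm = substr($0, b + 2, e - b - 3)      # "{ execute }" -> "execute"
      target = field("path"); if (target == "") target = field("name")
      sev = "INFO"; reason = "denied"
      if (field("permissive") == "1") {
        sev = "HIGH"; reason = "permissive_allowed"
      } else if (perm == "execute" && target ~ shell_re) {
        sev = "HIGH"; reason = "shell_exec_denied"
      }
      print sev "|" reason "|" field("comm") "|" target
      next
    }
  '
}

# Constructed sample records modelled on the audit.log and syslog formats
# (hosts, pids, contexts and paths are illustrative, not from a real system).
SAMPLE_MAC_LOG='type=AVC msg=audit(1700000000.101:301): avc:  denied  { execute } for  pid=1201 comm="httpd" name="bash" dev="dm-0" ino=1101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read } for  pid=1202 comm="httpd" name="shadow" dev="dm-0" ino=1102 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=MAC_STATUS msg=audit(1700000000.103:303): enforcing=0 old_enforcing=1 auid=1000 ses=4
Nov 14 22:13:20 web01 kernel: [  991.123456] audit: type=1400 audit(1700000000.104:304): apparmor="DENIED" operation="exec" profile="/usr/sbin/ntpd" name="/bin/sh" pid=1204 comm="ntpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 14 22:13:21 web01 kernel: [  992.123456] audit: type=1400 audit(1700000000.105:305): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1205 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.106:306): avc:  denied  { getattr } for  pid=1206 comm="cat" path="/etc/foo" dev="dm-0" ino=1106 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Stand-alone run: pipe the samples (or a real file, e.g. ausearch --raw
# output or audit.log itself) through the triage function.
printf '%s\n' "$SAMPLE_MAC_LOG" | triage_mac_log
```

The function takes raw records as stored on disk or as emitted by `ausearch --raw`; interpreted output (`ausearch -i`) rewrites timestamps and uids and is not what it expects. Separator lines such as `----` and `time->` match no rule and are ignored.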

Tools Required

ausearch -m AVC, sealert, aa-status, grep, journalctl

Collection Commands

ausearch

ausearch -m AVC,MAC_STATUS -ts today > /forensics/output/selinux_avc.txt

(-ts recent covers only the last ten minutes, so it is too narrow for collection; use today or an explicit start date (-ts mm/dd/yyyy), or -if /path/to/audit.log to read a log copied from a mounted image. MAC_STATUS adds the records written when enforcement is switched with setenforce.)

grep

grep -h 'apparmor="' /var/log/syslog /var/log/kern.log /var/log/audit/audit.log 2>/dev/null > /forensics/output/apparmor_denied.log

(Matching on apparmor=" rather than DENIED keeps the apparmor="ALLOWED" records a complain-mode profile writes and the STATUS records from profile loads. AppArmor writes to audit.log when auditd is running and to the kernel log otherwise, so query all three files; on journal-only hosts use journalctl -k instead.)

aa-status

aa-status > /forensics/output/apparmor_status.txt

cp

cp /etc/selinux/config /forensics/output/selinux_config.txt

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
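The collection commands and constraints above, combined into one collector as an added example that is not part of the original page: a POSIX shell function that works on a live host or on a mounted disk image, preserves the on-host originals with hashes before extracting from them, reads the systemd journal where there is no classic syslog file, and records every absent file or tool in a notes file so absence is documented rather than silent. Output file names, the /mnt/evidence style root argument and the constructed evidence tree in the demo are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original page): collect SELinux/AppArmor
# artifacts from a live host or a mounted disk image without assuming any
# particular logging stack. Missing files/tools go to collection_notes.txt.
#
# Usage: collect_mac_logs OUTDIR [ROOT] [SINCE]
#   OUTDIR  output directory, created if needed (e.g. /forensics/output)
#   ROOT    "/" (default) for the live host, or an image mount point
#           such as /mnt/evidence
#   SINCE   ausearch -ts start on live hosts (default "today"; "recent"
#           would cover only the last ten minutes)
# Output file names are assumptions for this example.
collect_mac_logs() {
  outdir=$1
  root=${2:-/}; root=${root%/}           # "/" becomes "" so paths stay clean
  since=${3:-today}
  notes="$outdir/collection_notes.txt"
  mkdir -p "$outdir"
  : > "$notes"

  # 1. Preserve originals (with hashes) before extracting from them; a SIEM
  #    copy may have dropped or normalised fields. Rotated audit logs included.
  for f in "$root"/var/log/audit/audit.log* "$root/var/log/syslog" "$root/var/log/kern.log"; do
    if [ -f "$f" ]; then
      cp -p "$f" "$outdir/$(basename "$f").orig"
      sha256sum "$f" >> "$outdir/hashes.sha256" 2>/dev/null || echo "no sha256sum for $f" >> "$notes"
    else
      echo "absent: $f" >> "$notes"
    fi
  done

  # 2. SELinux: AVC denials plus MAC_STATUS (setenforce) records, kept raw so
  #    no field is rewritten; plus the configured boot-time mode.
  if [ -f "$root/var/log/audit/audit.log" ]; then
    grep -h -e 'avc: *denied' -e 'type=MAC_STATUS' "$root"/var/log/audit/audit.log* \
      > "$outdir/selinux_avc.txt" || true
  else
    echo "absent: audit.log (auditd not installed, or logging elsewhere)" >> "$notes"
  fi
  if [ -f "$root/etc/selinux/config" ]; then
    cp -p "$root/etc/selinux/config" "$outdir/selinux_config.txt"
  else
    echo "absent: /etc/selinux/config (SELinux not installed)" >> "$notes"
  fi

  # 3. AppArmor: DENIED, ALLOWED (complain mode) and STATUS records; which
  #    file holds them depends on whether auditd was running.
  for f in "$root/var/log/syslog" "$root/var/log/kern.log" "$root/var/log/audit/audit.log"; do
    if [ -f "$f" ]; then grep -H 'apparmor="' "$f" || true; fi
  done > "$outdir/apparmor_events.log"

  # 4. Live-only state with no on-disk equivalent (skipped for images).
  if [ -z "$root" ]; then
    for tool in getenforce aa-status; do
      if command -v "$tool" >/dev/null 2>&1; then
        "$tool" > "$outdir/$tool.txt" 2>&1 || true
      else
        echo "absent: $tool" >> "$notes"
      fi
    done
    if command -v ausearch >/dev/null 2>&1; then
      ausearch -m AVC,USER_AVC,MAC_STATUS -ts "$since" > "$outdir/selinux_ausearch.txt" 2>&1 || true
    else
      echo "absent: ausearch" >> "$notes"
    fi
  fi

  # 5. systemd journal: on journal-only hosts this is the only copy.
  #    -D reads a journal directory from a mounted image offline.
  if command -v journalctl >/dev/null 2>&1; then
    if [ -z "$root" ]; then
      journalctl --no-pager -o short-iso 2>/dev/null
    elif [ -d "$root/var/log/journal" ]; then
      journalctl --no-pager -o short-iso -D "$root/var/log/journal" 2>/dev/null
    fi | grep -e 'apparmor="' -e 'avc: *denied' -e 'MAC_STATUS' > "$outdir/journal_mac.log" || true
  else
    echo "absent: journalctl" >> "$notes"
  fi
  echo "collected into $outdir" >> "$notes"
  return 0
}

# Stand-alone demonstration against a constructed evidence tree (not a real
# host): one AVC, one MAC_STATUS and one AppArmor record. Prints the output dir.
demo_collect() {
  d=$(mktemp -d)
  mkdir -p "$d/root/var/log/audit" "$d/root/etc/selinux"
  printf '%s\n' \
    'type=AVC msg=audit(1700000000.101:301): avc:  denied  { execute } for  pid=1201 comm="httpd" name="bash" dev="dm-0" ino=1101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0' \
    'type=MAC_STATUS msg=audit(1700000000.103:303): enforcing=0 old_enforcing=1 auid=1000 ses=4' \
    > "$d/root/var/log/audit/audit.log"
  printf '%s\n' \
    'Nov 14 22:13:20 web01 kernel: [  991.123456] audit: type=1400 audit(1700000000.104:304): apparmor="DENIED" operation="exec" profile="/usr/sbin/ntpd" name="/bin/sh" pid=1204 comm="ntpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0' \
    > "$d/root/var/log/syslog"
  printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/root/etc/selinux/config"
  collect_mac_logs "$d/out" "$d/root"
  printf '%s\n' "$d/out"
}

out=$(demo_collect)
cat "$out/collection_notes.txt"
```

On a live host run `collect_mac_logs /forensics/output`; against an image mounted read-only, `collect_mac_logs /forensics/output /mnt/evidence`. The demo's notes file shows the intended behaviour for a host with no kern.log: the absence is recorded as a line, not inferred from an empty file.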

MITRE ATT&CK Techniques

T1068 (Exploitation for Privilege Escalation), T1562.001 (Impair Defenses: Disable or Modify Tools), T1548.001 (Abuse Elevation Control Mechanism: Setuid and Setgid)