SELinux / AppArmor Security Logs

linux, System Configuration, Disk Image, SIEM / Log Aggregator

Location

/var/log/audit/audit.log (SELinux AVC messages); /var/log/kern.log or /var/log/syslog (AppArmor messages)

Description

Mandatory Access Control (MAC) framework logs from SELinux (AVC denial messages in audit.log) or AppArmor (DENIED messages in kern.log/syslog). These logs record policy violations: operations a confined process attempted that its policy does not permit.

Forensic Value

MAC denial logs detect processes attempting to break out of their security confines, which is a hallmark of exploitation and privilege escalation. SELinux AVC denials record the exact operation blocked, the source process, and the target resource. A sudden increase in denials, or denials for critical system processes, indicates active exploitation. Checking the current enforcement mode (getenforce / aa-status) reveals whether an attacker disabled MAC protections; in permissive (SELinux) or complain (AppArmor) mode, violations are still logged but are no longer blocked, so a denial entry alone does not prove the operation failed.
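An added example, not part of this entry: a Python triage script that normalises SELinux AVC and AppArmor audit lines into one record and flags the conditions described above (a burst of denials from one process, a denial involving a critical daemon, and violations that were logged but not enforced). The sample log lines, the critical-process list and the spike threshold are constructed assumptions.

```python
import re
from collections import Counter, namedtuple

# Constructed sample lines (not real captures): three SELinux AVC records in the
# audit.log format and two AppArmor records in the kern.log/syslog format.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="shadow" dev="sda1" ino=1310 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { execute } for  pid=1201 comm="httpd" name="nc" dev="sda1" ino=2200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=1201 comm="httpd" name="passwd" dev="sda1" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
Nov 14 22:13:21 host kernel: audit: type=1400 audit(1700000000.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1302 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Nov 14 22:13:22 host kernel: audit: type=1400 audit(1700000000.105:205): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sshd" name="/usr/bin/nc" pid=1400 comm="sshd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, quoted or bare
Denial = namedtuple("Denial", "framework ts pid comm op target label enforced")

def parse_line(line):
    """Normalise one SELinux AVC or AppArmor audit line; None for anything else."""
    ts = re.search(r'audit\((\d+\.\d+):\d+\)', line)
    ts = float(ts.group(1)) if ts else 0.0
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    avc = re.search(r'avc:\s+denied\s+\{ ([^}]+) \}', line)
    if avc:
        # permissive=1 means SELinux logged the denial but let the operation through
        return Denial("selinux", ts, int(kv["pid"]), kv.get("comm", "?"), avc.group(1).strip(),
                      kv.get("name", kv.get("path", "?")), kv.get("scontext", "?"),
                      kv.get("permissive", "0") == "0")
    if kv.get("apparmor") in ("DENIED", "ALLOWED"):
        # apparmor="ALLOWED" comes from a complain-mode profile: logged, not blocked
        return Denial("apparmor", ts, int(kv["pid"]), kv.get("comm", "?"), kv.get("operation", "?"),
                      kv.get("name", "?"), kv.get("profile", "?"), kv["apparmor"] == "DENIED")
    return None

def triage(log_text, critical=("sshd", "systemd", "cron", "sudo"), spike=3):
    """Return (denials, findings): parsed records plus the conditions worth escalating."""
    denials = [d for d in map(parse_line, log_text.splitlines()) if d]
    findings = []
    for comm, n in Counter(d.comm for d in denials).items():
        if n >= spike:  # burst of denials from one process: its confinement is being probed
            findings.append(f"spike: {n} denials from comm={comm}")
    for d in denials:
        if d.comm in critical:  # a core daemon hitting policy is itself suspicious
            findings.append(f"critical: comm={d.comm} pid={d.pid} {d.op} on {d.target}")
        if not d.enforced:  # logged but not blocked: MAC is not protecting this domain
            findings.append(f"not enforced: {d.framework} label={d.label} {d.op} on {d.target}")
    return denials, findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[1]:
        print(finding)
```

On a live system the same records come from `ausearch -m AVC` or `journalctl -k`; feed their output to `triage` instead of the constructed sample.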

Tools Required

ausearch -m AVC, sealert, aa-status, grep, journalctl