Threat Feed
high advisory

Linux Auditd Detects Firewall Modification or Disabling

The analytic detects suspicious disabling or modification of the system firewall on Linux systems, which can indicate unauthorized access or attempts to maintain control over a system by disabling host protections.

This detection identifies attempts to disable or modify system firewalls on Linux systems, a common tactic used by attackers to weaken defenses and maintain unauthorized access. The detection focuses on monitoring auditd logs for SERVICE_STOP events targeting firewalld and ufw, two popular Linux firewall management tools. Successful exploitation can lead to a compromised system, unauthorized access to sensitive data, or a wider breach affecting the entire network. The rule is based on research from Splunk and is intended to identify living-off-the-land techniques used for privilege escalation and persistence within a compromised Linux environment. The affected product is the Splunk platform using the Splunk Add-on for Unix and Linux.

Attack Chain

  1. Attacker gains initial access to a Linux system (e.g., via compromised credentials or vulnerability exploitation).
  2. Attacker attempts to disable the firewalld service using a command-line utility such as systemctl stop firewalld.
  3. The auditd daemon logs the SERVICE_STOP event with unit=firewalld.
  4. Alternatively, the attacker attempts to disable the ufw service using ufw disable.
  5. The auditd daemon logs the SERVICE_STOP event with unit=ufw.
  6. The attacker modifies firewall rules to allow unauthorized access, potentially using iptables or nftables directly.
  7. These rule modifications further weaken the host defenses.
  8. The attacker establishes persistence and maintains unauthorized access to the system, potentially escalating privileges and exfiltrating sensitive data.
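As an added illustration (not the advisory's own query and not Splunk's code), the following Python detector parses auditd records like those in steps 3 and 5 and flags SERVICE_STOP events for firewalld or ufw, and also flags PATH records under firewall configuration directories in the spirit of the "Firewall Service Configuration Modify" coverage entry. The sample log lines are constructed, and the list of configuration paths is an assumption, since the advisory does not enumerate the files that rule watches.

```python
import re
from typing import Dict, List

# Units named in the advisory. The config paths are an assumption: the
# advisory's "Configuration Modify" rule does not list which files it watches.
FIREWALL_UNITS = {"firewalld", "ufw"}
FIREWALL_CONFIG_PREFIXES = ("/etc/firewalld/", "/etc/ufw/", "/etc/nftables.conf")

# Constructed sample records in native audit.log layout (not real telemetry).
SAMPLE_AUDIT_LOG = """\
type=SERVICE_STOP msg=audit(1700000000.101:201): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1700000000.102:202): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cron comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1700000000.103:203): pid=1 uid=0 auid=1000 ses=3 msg='unit=ufw comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=PATH msg=audit(1700000000.104:204): item=0 name="/etc/ufw/user.rules" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1700000000.105:205): item=0 name="/etc/hosts" inode=99 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
_HDR = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_audit_line(line: str) -> Dict[str, str]:
    # Flatten one record into a dict, including fields nested inside msg='...'.
    fields: Dict[str, str] = {}
    hdr = _HDR.search(line)
    if hdr:
        fields["timestamp"], fields["serial"] = hdr.group(1), hdr.group(2)
    for key, value in _KV.findall(line):
        if value.startswith("'"):
            # Nested block such as msg='unit=firewalld comm="systemd" ... res=success'
            for k2, v2 in _KV.findall(value[1:-1]):
                fields[k2] = v2.strip('"')
        elif key != "msg":  # the outer msg=audit(...) header was handled above
            fields[key] = value.strip('"')
    return fields

def detect_firewall_tampering(log_text: str) -> List[Dict[str, str]]:
    # One alert per matching record; benign unit stops and unrelated paths are ignored.
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("type") == "SERVICE_STOP" and rec.get("unit") in FIREWALL_UNITS:
            alerts.append({"rule": "Firewall Service Stop", "unit": rec["unit"],
                           "auid": rec.get("auid", "?"), "serial": rec.get("serial", "?")})
        elif rec.get("type") == "PATH" and rec.get("name", "").startswith(FIREWALL_CONFIG_PREFIXES):
            # A PATH record alone does not prove a write; in production correlate it with
            # the SYSCALL record sharing the same serial (and an audit watch key, -p wa).
            alerts.append({"rule": "Firewall Service Configuration Modify",
                           "path": rec["name"], "serial": rec.get("serial", "?")})
    return alerts
```

Running `detect_firewall_tampering(SAMPLE_AUDIT_LOG)` yields three alerts (firewalld stop, ufw stop, /etc/ufw/user.rules touched) and ignores the cron stop and /etc/hosts records; the auid field shows which login session the stop is attributable to, which is the first thing to check when triaging.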

Impact

Compromising the system firewall allows attackers to bypass network segmentation and access other systems. A successful attack can result in complete system compromise, data theft, and further lateral movement within the network. Systems that are critical to business operations, such as database servers or application servers, could be severely impacted. This could lead to significant financial losses, reputational damage, and regulatory fines.

Recommendation

  • Ensure auditd is properly configured and ingesting events related to service management on Linux endpoints.
  • Install and configure the Splunk Add-on for Unix and Linux to properly parse auditd logs as described in the “How to Implement” section.
  • Deploy the Sigma rule “Linux Auditd Disable Or Modify System Firewall” to your SIEM and tune based on the filter macros for your environment.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the service stop events.
  • Review and harden Linux firewall configurations across the environment to prevent unauthorized modifications.

Detection coverage (3 rules)

Linux Auditd - Firewall Service Stop

high

Detects attempts to stop or disable common firewall services (firewalld, ufw) via auditd logs.

sigma | tactics: defense_evasion, privilege_escalation | techniques: T1562.004 | sources: process_creation, linux

Linux Auditd - Firewall Service Stop (auditd events)

medium

Detects SERVICE_STOP events in auditd logs for common firewall services (firewalld, ufw).

sigma | tactics: defense_evasion | techniques: T1562.004 | sources: file_event, linux

Linux Auditd - Firewall Service Configuration Modify

medium

Detects modification of firewall configuration files.

sigma | tactics: defense_evasion | techniques: T1562.004 | sources: file_event, linux
