PCI DSS Linux: Logging of administrative actions with root privileges

Companies that need to comply with the PCI DSS standard need to log all actions executed by the root user or by accounts with similar administrative privileges.

10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.

The Linux kernel allows monitoring of executed commands. This monitoring and logging can be done with the Linux audit framework. Using this framework, we can monitor the right system calls and create an audit trail. This is also called Linux accounting, and such accounting is similar to the call history on your mobile phone bill.

Configure logging

To capture executed commands, we can monitor the execve system call. Use auditctl to add a rule, or define it in /etc/audit/audit.rules.

auditctl -a exit,always -F arch=b64 -S execve -k root-commands

auditctl -a exit,always -F arch=b32 -S execve -k root-commands

Note: these two rules capture both 32-bit and 64-bit system calls.

Confirm the rules are loaded with the auditctl command.

auditctl -l

The output will look something like this:

LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=root-commands syscall=execve
LIST_RULES: exit,always arch=1073741827 (0x40000003) key=root-commands syscall=execve

If this works, we can improve the audit rule by limiting it to the root user only. This is done by adding a filter on the euid, or effective user ID.

auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands

auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

An alternative to filtering on the execve system call is to use a permissions filter. With this option we look at all system calls, but only log those that write, change attributes or execute. We still restrict this to the root user or its equivalent.

auditctl -a exit,always -S all -F euid=0 -F perm=awx -k root-commands

It’s up to you what you prefer. We suggest testing in your environment to decide what gives a proper amount of accounting without overloading your system.

Note: use the euid filter, as auid will not account for sudo related commands.

Testing

Now that we have defined the rules, it is time to test them. To emulate an administrative action, we run the echo command.

Running echo command with sudo:

time->Wed Dec 24 02:56:21 2014
type=PATH msg=audit(1419386181.134:340876): item=1 name=(null) inode=1967930 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1419386181.134:340876): item=0 name="/usr/bin/sudo" inode=149160 dev=08:02 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419386181.134:340876):  cwd="/home/michael"
type=EXECVE msg=audit(1419386181.134:340876): argc=3 a0="sudo" a1="echo" a2="test"
type=BPRM_FCAPS msg=audit(1419386181.134:340876): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=ffffffffffffffff new_pi=0000000000000000 new_pe=ffffffffffffffff
type=SYSCALL msg=audit(1419386181.134:340876): arch=c000003e syscall=59 success=yes exit=0 a0=1082568 a1=ec8a08 a2=10dd008 a3=7fffb8fa1e50 items=2 ppid=15400 pid=15535 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=221 comm="sudo" exe="/usr/bin/sudo" key="root-commands"

Running the same command as root, by invoking the /bin/echo command directly:

time->Wed Dec 24 02:57:41 2014
type=PATH msg=audit(1419386261.026:340974): item=1 name=(null) inode=1967930 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1419386261.026:340974): item=0 name="/bin/echo" inode=135948 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419386261.026:340974):  cwd="/root"
type=EXECVE msg=audit(1419386261.026:340974): argc=2 a0="/bin/echo" a1="test"
type=SYSCALL msg=audit(1419386261.026:340974): arch=c000003e syscall=59 success=yes exit=0 a0=18f1648 a1=18f2a48 a2=1af8008 a3=7fff98be9820 items=2 ppid=15610 pid=15632 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=223 comm="echo" exe="/bin/echo" key="root-commands"
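Reviewing this trail by hand does not scale, so here is an added example (not part of the original article) that parses records in the format shown above, joins the EXECVE and SYSCALL records of each event by their serial number, and reports who ran what with root privileges. The sample log is constructed from the two events above, reduced to the SYSCALL and EXECVE records; the function names are our own.

```python
import re
from collections import defaultdict

# Constructed sample: the two ausearch events shown above, reduced to the
# SYSCALL and EXECVE records a reviewer needs. Field values come from the page.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1419386181.134:340876): argc=3 a0="sudo" a1="echo" a2="test"
type=SYSCALL msg=audit(1419386181.134:340876): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=221 comm="sudo" exe="/usr/bin/sudo" key="root-commands"
type=EXECVE msg=audit(1419386261.026:340974): argc=2 a0="/bin/echo" a1="test"
type=SYSCALL msg=audit(1419386261.026:340974): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=223 comm="echo" exe="/bin/echo" key="root-commands"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(body):
    """Turn 'k=v k="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def parse_audit_log(text):
    """Group records by event serial (the number after the timestamp in
    msg=audit(ts:serial)); merge SYSCALL fields and rebuild argv from EXECVE."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # PATH, CWD, BPRM_FCAPS and unparseable lines are not needed here
        rtype, ts, serial, body = m.groups()
        fields = parse_fields(body)
        ev = events[serial]
        ev.setdefault("time", float(ts))
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return dict(events)

def root_commands(events, key="root-commands"):
    """Report every execve that ran with euid 0 under the given key.
    auid is the login user and survives sudo and su: both sample events keep
    auid=1000 although euid=0, which is why the rule filters on euid and the
    report keeps auid for accountability."""
    rows = []
    for serial, ev in sorted(events.items()):
        if ev.get("key") != key or ev.get("euid") != "0":
            continue
        argv = ev.get("argv") or [ev.get("exe", "?")]  # fall back if EXECVE is missing
        rows.append({"serial": serial, "auid": int(ev["auid"]), "uid": int(ev["uid"]),
                     "tty": ev.get("tty"), "exe": ev.get("exe"), "command": " ".join(argv)})
    return rows

if __name__ == "__main__":
    for r in root_commands(parse_audit_log(SAMPLE_LOG)):
        print(f'{r["serial"]} login-uid={r["auid"]} uid={r["uid"]} {r["tty"]}: {r["command"]}')
```

On a live system, feed it the output of ausearch -k root-commands instead of the constructed sample.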

Note: Keep in mind that not all commands are logged. Shell built-ins do NOT use the execve system call, and are therefore not logged.

This guide is supporting documentation for our Lynis Enterprise solution. It helps companies become compliant with PCI DSS. We help to automate the hardening and auditing process, so you don’t have to check everything manually.

Feedback


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
