PCI DSS (v3) Linux: Logging of administrative actions with root privileges (10.2.2)

Screenshot of Lynis running PCI DSS audit on Linux

PCI DSS: Logging of administrative actions with root privileges

Companies that need to comply with the PCI DSS standard must log all actions executed by the root user, or by accounts with similar administrative privileges.

10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.

The Linux kernel can report executed commands through the Linux audit framework (the kernel audit subsystem together with the auditd daemon). By selecting the right system calls with this framework we create an audit trail of what was executed, by whom, and from where. This is sometimes referred to as accounting (it is distinct from the older process accounting subsystem, acct/psacct, which records command names but not their arguments). Such accounting is similar to the call history on your mobile phone bill.

Configure logging

To capture executed commands, we monitor the execve system call. Add the rules with auditctl (they are active until the next reboot), or make them persistent by defining them in /etc/audit/audit.rules (on systems that use augenrules, in a file under /etc/audit/rules.d/). Two rules are needed because 32-bit and 64-bit binaries use different system call numbers on a 64-bit kernel.

auditctl -a exit,always -F arch=b64 -S execve -k root-commands
auditctl -a exit,always -F arch=b32 -S execve -k root-commands

Confirm the rules are loaded with the auditctl command.

auditctl -l

The output will look something like this (the arch values are the kernel's audit architecture constants for x86_64 and i386):

LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=root-commands syscall=execve
LIST_RULES: exit,always arch=1073741827 (0x40000003) key=root-commands syscall=execve

If this works, we can narrow the rule down to the root user only, by adding a filter on euid, the effective user ID.

auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands
auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

An alternative to filtering on the execve system call is a permission filter. With this option the rule looks at all system calls, but only logs those that write to a file, change its attributes, or execute it (perm=awx). We still restrict it to the root user or its equivalents.

auditctl -a exit,always -S all -F euid=0 -F perm=awx -k root-commands

It is up to you which one you prefer. The permission filter is considerably noisier, as every file write by root is logged. Test in your environment to decide which gives an adequate amount of accounting without overloading your system.

Note: filter on euid, not on auid. The auid (login UID) stays that of the user who originally logged in, also after sudo or su, so a filter on auid=0 would miss commands executed via sudo. The auid is still recorded in every event, and that is exactly what lets you attribute the action to an individual, as PCI DSS requires.


Now that the rules are defined, it is time to test them. To do so, we run the echo command in two ways.

Running the echo command with sudo (note auid=1000 for the login user and euid=0 for the effective root privileges):

time->Wed Dec 24 02:56:21 2014
type=PATH msg=audit(1419386181.134:340876): item=1 name=(null) inode=1967930 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1419386181.134:340876): item=0 name="/usr/bin/sudo" inode=149160 dev=08:02 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419386181.134:340876):  cwd="/home/michael"
type=EXECVE msg=audit(1419386181.134:340876): argc=3 a0="sudo" a1="echo" a2="test"
type=BPRM_FCAPS msg=audit(1419386181.134:340876): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=ffffffffffffffff new_pi=0000000000000000 new_pe=ffffffffffffffff
type=SYSCALL msg=audit(1419386181.134:340876): arch=c000003e syscall=59 success=yes exit=0 a0=1082568 a1=ec8a08 a2=10dd008 a3=7fffb8fa1e50 items=2 ppid=15400 pid=15535 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=221 comm="sudo" exe="/usr/bin/sudo" key="root-commands"

Running the same command from a root shell, invoking /bin/echo directly (uid=0 now, but auid=1000 still identifies the user who logged in):

time->Wed Dec 24 02:57:41 2014
type=PATH msg=audit(1419386261.026:340974): item=1 name=(null) inode=1967930 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1419386261.026:340974): item=0 name="/bin/echo" inode=135948 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419386261.026:340974):  cwd="/root"
type=EXECVE msg=audit(1419386261.026:340974): argc=2 a0="/bin/echo" a1="test"
type=SYSCALL msg=audit(1419386261.026:340974): arch=c000003e syscall=59 success=yes exit=0 a0=18f1648 a1=18f2a48 a2=1af8008 a3=7fff98be9820 items=2 ppid=15610 pid=15632 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=223 comm="echo" exe="/bin/echo" key="root-commands"

Note: keep in mind that not all commands are logged. Shell built-ins (cd, export, and echo in bash, which is why /bin/echo was invoked explicitly above) do not use the execve system call and are therefore not logged. The same applies to work done inside an interpreter: a shell script or Python program is logged when it is started, but not the individual statements it runs, unless those spawn new processes. Also remember that a root user can change or remove these rules; locking the audit configuration with auditctl -e 2 (until reboot) and shipping the logs to a separate log host keeps the trail trustworthy.
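As an added example (not code from the original article or from Lynis), the Python script below turns raw records such as the ones above into one accountable line per command: it groups records by event id, decodes the EXECVE arguments (including the unquoted hex form auditd uses for arguments containing spaces), and flags events where auid differs from euid (the sudo case) or where auid is unset (cron jobs and daemons, which cannot be attributed to an individual). The log lines embedded in it are constructed after the format shown above; the 4294967295 sentinel for an unset auid is the kernel's own value.

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample modelled on the records shown above (not a real capture).
# Four execve events: "sudo echo test" by uid 1000, "/bin/echo test" from a
# root shell, "sh -c 'echo hello world'" (the argument contains spaces, so
# auditd emits it hex-encoded without quotes) and a cron job running as root
# with no login session (auid=4294967295).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1419386181.134:340876): arch=c000003e syscall=59 success=yes exit=0 a0=1082568 a1=ec8a08 a2=10dd008 a3=7fffb8fa1e50 items=2 ppid=15400 pid=15535 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=221 comm="sudo" exe="/usr/bin/sudo" key="root-commands"
type=EXECVE msg=audit(1419386181.134:340876): argc=3 a0="sudo" a1="echo" a2="test"
type=CWD msg=audit(1419386181.134:340876):  cwd="/home/michael"
type=SYSCALL msg=audit(1419386261.026:340974): arch=c000003e syscall=59 success=yes exit=0 a0=18f1648 a1=18f2a48 a2=1af8008 a3=7fff98be9820 items=2 ppid=15610 pid=15632 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=223 comm="echo" exe="/bin/echo" key="root-commands"
type=EXECVE msg=audit(1419386261.026:340974): argc=2 a0="/bin/echo" a1="test"
type=CWD msg=audit(1419386261.026:340974):  cwd="/root"
type=SYSCALL msg=audit(1419386300.500:340990): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=15610 pid=15700 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=223 comm="sh" exe="/bin/dash" key="root-commands"
type=EXECVE msg=audit(1419386300.500:340990): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64
type=CWD msg=audit(1419386300.500:340990):  cwd="/root"
type=SYSCALL msg=audit(1419386400.000:341010): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=900 pid=15800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="root-commands"
type=EXECVE msg=audit(1419386400.000:341010): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=CWD msg=audit(1419386400.000:341010):  cwd="/"
"""

UNSET_AUID = 4294967295  # (unsigned)-1: no login session, e.g. cron or a daemon

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(raw):
    """Unquote a field value; hex-decode the unquoted form auditd uses for
    values containing whitespace or non-printable bytes. Only call this on
    string fields (argv, cwd, exe, key), never on the SYSCALL register dump."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Split one audit record into (type, event id, fields); None if not a record."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields["type"], (float(m.group(1)), int(m.group(2))), fields


def reconstruct_events(log_text):
    """Group records by event id and build one entry per execve event.
    Records of the same type are merged, so an argv split over several
    EXECVE records is reassembled (chunked single arguments, a2[0]=..., are not)."""
    by_event = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, event_id, fields = rec
        by_event[event_id].setdefault(rtype, {}).update(fields)

    events = []
    for (ts, serial), recs in sorted(by_event.items()):
        if "EXECVE" not in recs or "SYSCALL" not in recs:
            continue  # not an execve event, or truncated
        sc, ex = recs["SYSCALL"], recs["EXECVE"]
        argv = [decode_value(ex[f"a{i}"]) for i in range(int(ex["argc"])) if f"a{i}" in ex]
        auid, euid = int(sc["auid"]), int(sc["euid"])
        events.append({
            "time": datetime.fromtimestamp(ts, tz=timezone.utc),
            "serial": serial,
            "auid": auid,
            "uid": int(sc["uid"]),
            "euid": euid,
            "tty": sc.get("tty"),
            "session": sc.get("ses"),
            "cwd": decode_value(recs.get("CWD", {}).get("cwd", '"?"')),
            "exe": decode_value(sc["exe"]),
            "argv": argv,
            "key": decode_value(sc.get("key", "(null)")),
            "attributed": auid != UNSET_AUID,               # can we name a person?
            "escalated": auid != UNSET_AUID and auid != euid,  # sudo, su, setuid
        })
    return events


def format_event(ev):
    """Render one event as a single accountable line: who, how, where, what."""
    who = f"auid={ev['auid']}" if ev["attributed"] else "auid=unset(no login session)"
    how = f" via euid={ev['euid']}" if ev["escalated"] else f" euid={ev['euid']}"
    return (f"{ev['time']:%Y-%m-%dT%H:%M:%SZ} {who}{how} tty={ev['tty']} "
            f"cwd={ev['cwd']} exe={ev['exe']} cmd: {shlex.join(ev['argv'])}")


if __name__ == "__main__":
    for ev in reconstruct_events(SAMPLE_LOG):
        print(format_event(ev))
```

For the sudo event this prints a line starting with 2014-12-24T01:56:21Z auid=1000 via euid=0 and ending in cmd: sudo echo test; the cron event is reported with an unset auid, which is the kind of entry a PCI assessor will ask you to explain, because nobody can be held accountable for it. On a real system, feed it the output of ausearch -k root-commands --raw (or the lines from /var/log/audit/audit.log) instead of the embedded sample.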



This guide is supporting documentation for our Lynis Enterprise solution, which helps companies become compliant with PCI DSS. We help automate the hardening and auditing process, so you don't have to check everything manually.
