PCI DSS (v3) Linux: Logging of administrative actions with root privileges (10.2.2)

Screenshot of Lynis running PCI DSS audit on Linux

PCI DSS: Logging of administrative actions with root privileges

Companies that need to comply with the PCI DSS standard must log all actions executed by the root user, or by any account with similar administrative privileges.

10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.

The Linux kernel can monitor the commands that are executed. By configuring the Linux audit framework, we can watch the right system calls and build an audit trail from them.

Configure logging

To capture executed commands, we can monitor the execve system call. Add the rule with auditctl, or define it persistently in /etc/audit/audit.rules.

auditctl -a exit,always -F arch=b64 -S execve -k root-commands
auditctl -a exit,always -F arch=b32 -S execve -k root-commands

Confirm the rules are loaded with auditctl -l:

LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=root-commands syscall=execve
LIST_RULES: exit,always arch=1073741827 (0x40000003) key=root-commands syscall=execve

If this works, we can improve the audit rule by limiting it to the root user only (effective UID 0):

auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands
auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

As an alternative, we can filter on all system calls instead of only execve: log whenever the user is root (or equivalent) and performs a write, an attribute change, or an execute action:

auditctl -a exit,always -S all -F euid=0 -F perm=awx -k root-commands

It is up to you which one you prefer. We suggest testing in your environment to decide what gives a proper amount of accounting without overloading your system.

Note: use the euid filter. The auid (login UID) stays that of the original user after sudo, so a filter on auid=0 would miss commands run via sudo.


Now that the rules are defined, it is time to test them. As a simple test, we run the echo command.

Running the echo command with sudo:

time->Wed Dec 24 02:56:21 2014
type=PATH msg=audit(1419386181.134:340876): item=1 name=(null) inode=1967930 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1419386181.134:340876): item=0 name="/usr/bin/sudo" inode=149160 dev=08:02 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419386181.134:340876):  cwd="/home/michael"
type=EXECVE msg=audit(1419386181.134:340876): argc=3 a0="sudo" a1="echo" a2="test"
type=BPRM_FCAPS msg=audit(1419386181.134:340876): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=ffffffffffffffff new_pi=0000000000000000 new_pe=ffffffffffffffff
type=SYSCALL msg=audit(1419386181.134:340876): arch=c000003e syscall=59 success=yes exit=0 a0=1082568 a1=ec8a08 a2=10dd008 a3=7fffb8fa1e50 items=2 ppid=15400 pid=15535 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=221 comm="sudo" exe="/usr/bin/sudo" key="root-commands"

Running the same command as root, by invoking /bin/echo directly:

time->Wed Dec 24 02:57:41 2014
type=PATH msg=audit(1419386261.026:340974): item=1 name=(null) inode=1967930 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1419386261.026:340974): item=0 name="/bin/echo" inode=135948 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419386261.026:340974):  cwd="/root"
type=EXECVE msg=audit(1419386261.026:340974): argc=2 a0="/bin/echo" a1="test"
type=SYSCALL msg=audit(1419386261.026:340974): arch=c000003e syscall=59 success=yes exit=0 a0=18f1648 a1=18f2a48 a2=1af8008 a3=7fff98be9820 items=2 ppid=15610 pid=15632 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=223 comm="echo" exe="/bin/echo" key="root-commands"

Note: Keep in mind that not all commands are logged. Shell built-ins (for example echo typed directly into bash, which does not start /bin/echo) do NOT go through the execve system call, so they are not logged by these rules.
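The two events above show the field that matters for accountability: after sudo the auid stays 1000 (the login user) while euid becomes 0. The script below is an added example, not code from the original post or from Lynis. It correlates the SYSCALL and EXECVE records of one event by their audit serial number, keeps only events with key root-commands that ran with euid=0, and reports the auid so a sudo command is attributed to the person who typed it. The sample input is constructed: the two events from this post, plus one non-root event (which the unfiltered rule would also log) and one whose argument is hex-encoded, as auditd does for arguments containing spaces.

```python
"""Reconstruct root-privileged commands from Linux audit records (added example)."""
import re

# k=v pairs as ausearch prints them; values are either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Constructed sample input: the two events shown in the post (PATH/BPRM records
# omitted), plus a constructed non-root event and a constructed hex-encoded argument.
SAMPLE = """\
type=PATH msg=audit(1419386181.134:340876): item=0 name="/usr/bin/sudo" inode=149160 dev=08:02 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419386181.134:340876):  cwd="/home/michael"
type=EXECVE msg=audit(1419386181.134:340876): argc=3 a0="sudo" a1="echo" a2="test"
type=SYSCALL msg=audit(1419386181.134:340876): arch=c000003e syscall=59 success=yes exit=0 a0=1082568 a1=ec8a08 a2=10dd008 a3=7fffb8fa1e50 items=2 ppid=15400 pid=15535 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=221 comm="sudo" exe="/usr/bin/sudo" key="root-commands"
type=CWD msg=audit(1419386261.026:340974):  cwd="/root"
type=EXECVE msg=audit(1419386261.026:340974): argc=2 a0="/bin/echo" a1="test"
type=SYSCALL msg=audit(1419386261.026:340974): arch=c000003e syscall=59 success=yes exit=0 a0=18f1648 a1=18f2a48 a2=1af8008 a3=7fff98be9820 items=2 ppid=15610 pid=15632 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=223 comm="echo" exe="/bin/echo" key="root-commands"
type=EXECVE msg=audit(1419386300.000:340990): argc=2 a0="/bin/ls" a1="/tmp"
type=SYSCALL msg=audit(1419386300.000:340990): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=15700 pid=15701 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts7 ses=223 comm="ls" exe="/bin/ls" key="root-commands"
type=EXECVE msg=audit(1419386400.000:341020): argc=2 a0="/bin/echo" a1=68656C6C6F20776F726C64
type=SYSCALL msg=audit(1419386400.000:341020): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=15800 pid=15801 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=223 comm="echo" exe="/bin/echo" key="root-commands"
"""


def parse_record(line):
    """Split one 'type=... msg=audit(ts:serial): k=v ...' line into a dict."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v for k, v in FIELD_RE.findall(line)}
    rec["_time"], rec["_serial"] = m.group(1), m.group(2)
    return rec


def unquote(value):
    """Strip quotes; an unquoted EXECVE argument is hex (it held a space or control char)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value


def argv_from_execve(rec):
    """Rebuild argv from a0..a{argc-1} of an EXECVE record."""
    argc = int(rec.get("argc", 0))
    return [unquote(rec[f"a{i}"]) for i in range(argc) if f"a{i}" in rec]


def root_commands(text, key="root-commands"):
    """Return the events tagged with `key` that executed with euid=0, oldest first."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["_serial"], {})[rec["type"]] = rec

    results = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = recs.get("SYSCALL")
        if not sc or unquote(sc.get("key", "")) != key or sc.get("euid") != "0":
            continue
        ex = recs.get("EXECVE")
        results.append({
            "serial": int(serial),
            "auid": int(sc["auid"]),          # login UID: who is accountable
            "euid": int(sc["euid"]),          # effective UID: the privilege used
            "tty": sc.get("tty"),
            "ses": sc.get("ses"),
            "exe": unquote(sc.get("exe", "")),
            "cwd": unquote(recs["CWD"]["cwd"]) if "CWD" in recs else None,
            "argv": argv_from_execve(ex) if ex else [],
        })
    return results


def format_event(ev):
    return (f"serial={ev['serial']} auid={ev['auid']} euid={ev['euid']} "
            f"tty={ev['tty']} cwd={ev['cwd']} exe={ev['exe']} argv={ev['argv']}")


if __name__ == "__main__":
    for ev in root_commands(SAMPLE):
        print(format_event(ev))
```

Feed it real data with `ausearch -k root-commands --raw` (the raw records share the layout above); the euid check is what makes the output usable as the 10.2.2 trail, and the auid column is what links a sudo invocation back to the individual.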



This guide is supporting documentation for our Lynis Enterprise solution. It helps companies become compliant with PCI DSS. We help automate the hardening and auditing process, so you don’t have to check everything manually.

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have compliance requirements in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)
