PCI DSS (v3) for Linux: Auditing application processes (A.1.2.a)

A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin).

For Unix and Linux based systems, processes should run as a non-privileged user where possible. However to be able to start, a process is usually started with root permissions (uid 0). This is required to open the required sockets (e.g. bind to port 80).

After the initial start, the process drops its privileges by switching to another user. In some cases there will maintain one master process, which is started with uid 0 as well. This process is responsible for the creation of child processes, not for handling interactions with users or processes. You can consider this as an administrative process. The child processes do handle

To gather a list of application processes running under the context of root, we can query ps and list all related entries.

ps -ef | grep "^root"

Another way is to combine a few commands and only list the interesting processes, like this:

ps -ef | awk '{ if ($1=="root") { print $8 }}' | grep -v "^\[" | sort | uniq | grep -E -v "^(\-su|awk|egrep|grep|ps|sort|uniq|su|sudo)"

With this command we query ps, filter out application processes running under the context of root and hide commands which are not interested.

Usually this will still be a list of several items. Every process which has a master process, which have at least one process running under the root context. This is acceptable behavior as explained before. Other processes have to be analyzed by hand, to see if they are properly configured.

This information is provided as guidance to our PCI plugin for Lynis.

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

  • awk
  • grep
  • ps
  • sort
  • uniq


Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon