PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)
PCI DSS requirement 10.2.4 asks you to log and monitor "invalid logical access attempts": attempts to do something that is not allowed, such as reading a file you have no permission for. Repeated failed logins are another form of invalid access, and a burst of them is often the sign of a brute force attack.
To monitor for invalid access attempts, we can use the Linux audit framework. It has been developed and maintained largely by Red Hat engineers over the years, and it is a great tool for auditing and for supporting PCI DSS compliance on Linux based systems.
Monitoring access attempts
To catch invalid access attempts, we can monitor every system call that returns a "permission denied" error. Translated into audit rules, that becomes:
-a always,exit -F arch=b32 -S all -F exit=-13 -k access-denied
-a always,exit -F arch=b64 -S all -F exit=-13 -k access-denied
-S all = match all system calls. One rule per architecture (b32 and b64) is needed, otherwise 32-bit binaries on a 64-bit system slip through.
-F exit=-13 = the call returned -13, which is -EACCES (permission denied); newer auditctl versions also accept -F exit=-EACCES. A denied privileged operation returns -EPERM (-1) instead, so add a second pair of rules with -F exit=-EPERM if you want those as well. Because -S all matches every system call, the rule is noisy on busy systems; restricting it to real user sessions with -F auid>=1000 -F auid!=unset (auid!=4294967295 on older auditctl) is a common refinement.
These rules can be added to the audit rules file (/etc/audit/audit.rules, or a file under /etc/audit/rules.d/ on systems that build the rule set with augenrules) so they survive a reboot, or loaded immediately by passing the same rule to auditctl.
The key (-k access-denied) tags every matching event, so we can quickly find these events later with ausearch.
Testing the rule
Now try to read a file as a non-privileged user, e.g. cat /etc/shadow. The open call fails with EACCES and the audit framework logs the attempt as a new event: a SYSCALL record with exit=-13, followed by a PATH record naming /etc/shadow.
Using the ausearch utility, we can search for all events carrying that key:
ausearch -k access-denied
The Linux audit framework provides great ways to monitor files, directories and processes. With the right filters, it is a great addition for companies that want to become PCI compliant.
Checking for failed logins
Failed logins need no extra rule: PAM and services such as sshd report them to the audit framework as USER_LOGIN events with res=failed, and ausearch can retrieve them directly:
# ausearch --message USER_LOGIN --success no --interpret
type=USER_LOGIN msg=audit(12/05/2014 10:16:25.133:372) : pid=2594 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=(unknown user) exe=/usr/sbin/sshd hostname=? addr=192.168.1.2 terminal=ssh res=failed'
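As an added example (this is not code from the article or from Lynis), the Python script below applies both checks from this article, the access-denied rule and the failed-login search, to raw /var/log/audit/audit.log lines rather than to the interpreted ausearch output. It groups records by their audit(time:serial) id, reports SYSCALL records that failed with exit=-13 together with the PATH that was requested, hex-decodes fields that auditd encodes (acct=(unknown user) is stored as hex because it contains a space), and counts failed USER_LOGIN records per source address to flag brute force attempts. The log lines embedded in it are constructed for this example, and the threshold of three failures per address is an arbitrary assumption.

```python
"""Scan raw auditd log lines for the two PCI DSS 10.2.4 signals discussed above:
system calls that failed with EACCES (exit=-13) and failed USER_LOGIN records."""
import re
from collections import Counter, OrderedDict

# Constructed sample lines (not a real capture), in the raw format auditd writes
# to /var/log/audit/audit.log before ausearch -i interprets it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1417770985.133:372): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd6c3e5b80 a1=0 a2=1fffffffffff0000 a3=7ffd6c3e5970 items=1 ppid=2590 pid=2594 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access-denied"
type=CWD msg=audit(1417770985.133:372): cwd="/home/alice"
type=PATH msg=audit(1417770985.133:372): item=0 name="/etc/shadow" inode=131 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1417770990.201:373): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd6c3e5b80 a1=0 a2=0 a3=0 items=1 ppid=2590 pid=2601 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access-denied"
type=PATH msg=audit(1417770990.201:373): item=0 name="/root/.ssh/id_rsa" inode=262 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1417771001.133:380): pid=2610 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.2 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771002.501:381): pid=2611 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.2 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771003.900:382): pid=2612 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.2 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771010.004:383): pid=2620 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771015.222:384): pid=2621 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.7 terminal=/dev/pts/1 res=success'
"""

# Untrusted string fields that auditd hex-encodes (unquoted) when the value holds
# a space, quote or control character; everything else is left as written.
HEX_FIELDS = {"acct", "name", "cwd", "comm", "exe", "proctitle", "hostname", "key"}
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
EACCES = -13  # errno 13, "Permission denied": what the -F exit=-13 rule above matches


def decode_value(key, raw):
    """Strip double quotes, or hex-decode an unquoted untrusted string field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Turn one audit.log line into a dict; the nested msg='...' block is flattened."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_record(raw[1:-1]))  # op=login acct=... res=failed
            continue
        fields[key] = decode_value(key, raw)
    m = EVENT_RE.search(line)
    if m:  # audit(time:serial) identifies the event; several records share it
        fields["_time"] = float(m.group(1))
        fields["_serial"] = int(m.group(2))
    return fields


def parse_log(text):
    """Group the records that share one audit(time:serial) id into a single event."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line) if line.strip() else {}
        if "_serial" in rec:
            events.setdefault((rec["_time"], rec["_serial"]), []).append(rec)
    return list(events.values())


def access_denied_events(events):
    """(auid, exe, path) for every event whose SYSCALL record failed with EACCES."""
    hits = []
    for recs in events:
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or int(syscall.get("exit", 0)) != EACCES:
            continue
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        hits.append((int(syscall["auid"]), syscall.get("exe", "?"), paths[0] if paths else "?"))
    return hits


def failed_logins_by_addr(events, threshold=3):
    """Count USER_LOGIN res=failed records per source address; return those at or above threshold.
    The threshold of 3 is an assumed value for the example, not a PCI DSS figure."""
    counts = Counter()
    for recs in events:
        for r in recs:
            if r.get("type") == "USER_LOGIN" and r.get("res") == "failed":
                counts[r.get("addr", "?")] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for auid, exe, path in access_denied_events(evts):
        print(f"access denied: auid={auid} exe={exe} path={path}")
    for addr, n in failed_logins_by_addr(evts).items():
        print(f"possible brute force: {n} failed logins from {addr}")
```

Run it against a real log with `parse_log(open("/var/log/audit/audit.log").read())` as root. The grouping step matters: the SYSCALL record tells you who was denied and why, but only the PATH record from the same event tells you which file they tried to open, and a per-address count of failures is what turns individual failed logins into a brute force signal.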
Most of the rules we share on this blog are also used for automated testing in our auditing tool Lynis and its compliance plugins. If you want to automate your PCI DSS security audits, start with the free Lynis tool.
Happy auditing!