PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

This article has last been updated at .

PCI describes in control 10.2.4 to monitor for “invalid logical access attempts”. Another way of saying to monitor attempts which are not allowed, like accessing a file you are not supposed to. Another indication might be brute force attempts to log in, which result in several failed logins.

To monitor for invalid access attempts, we can use the Linux Auditing Framework. This framework has been created and maintained by Red Hat over the years. It is a great tool for auditing and to help with PCI DSS compliance on Linux based systems.

Monitoring access attempts

To filter out invalid access attempts, we can monitor all system calls which return an “access denied” error. We can translate this into the following audit rules:

-a always,exit -F arch=b32 -S all -F exit=-13 -k access-denied
-a always,exit -F arch=b64 -S all -F exit=-13 -k access-denied

-S all = All system calls.

-F exit=-13 = Exit code of -13, , which equals access denied.

These rules can be added to the /etc/audit/audit.rules file or directly via auditctl.

By defining a key, we can quickly find it later with ausearch.

Testing the rule

Now try to access a file as a non-privileged user (e.g. cat /etc/shadow). It should log the access attempt by creating a new event in the audit log.

By using the ausearch utility, we can search events in this category.

ausearch -k access-denied

The Linux audit framework provides great ways to monitor files, directories and processes. With the right filters, it is a great addition for companies who would like to become PCI compliant.

Checking for failed logins

By default, the audit framework can also gather failed logins using the ausearch utility.

# ausearch -message USER_LOGIN -success no -interpret

type=USER_LOGIN msg=audit(12/05/2014 10:16:25.133:372) : pid=2594 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg=‘op=login acct=(unknown user) exe=/usr/sbin/sshd hostname=? addr=192.168.1.2 terminal=ssh res=failed’

Most of the rules we share on this blog are also being used for automated testing in our auditing tool Lynis and related compliance plugins. If you want to automate your PCI DSS security audits, start with the free Lynis toolExternal link .

Happy auditing!

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

  • auditctl
  • ausearch

See the full list of Linux commands for additional system administration tools.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.