PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

PCI DSS requirement 10.2.4 asks us to monitor for "invalid logical access attempts": attempts to do something that is not allowed, like reading a file you are not supposed to have access to. Another indication is a brute force attack against a login, which shows up as several failed logins in a short time.

To monitor for invalid access attempts, we can use the Linux audit framework. It has been developed and maintained mainly by Red Hat over the years, and it is a great tool for auditing and for helping with PCI DSS compliance on Linux-based systems.

Monitoring access attempts

To capture invalid access attempts, we can monitor all system calls which return a "permission denied" (EACCES) error. This translates into the following audit rules:

-a always,exit -F arch=b32 -S all -F exit=-13 -k access-denied
-a always,exit -F arch=b64 -S all -F exit=-13 -k access-denied

-S all = all system calls.

-F exit=-13 = the system call returned -13, which is errno EACCES ("Permission denied"). Current versions of auditctl also accept the symbolic form -F exit=-EACCES.

These rules can be added to the /etc/audit/audit.rules file (on newer distributions: a file in /etc/audit/rules.d/, which augenrules merges into audit.rules), or loaded directly with auditctl.

By tagging the rules with a key (-k access-denied), we can quickly find the matching events later with ausearch.

Testing the rule

Now try to read a file you have no permission for, as a non-privileged user (e.g. cat /etc/shadow). The denied open() call returns EACCES, which should result in a new event in the audit log.

By using the ausearch utility, we can search events in this category.

ausearch -k access-denied

This should show the event, similar to the output on our system:

The Linux audit framework provides great ways to monitor files, directories and processes. With the right filters, it is a great addition for companies who would like to become PCI compliant.

Checking for failed logins

The audit framework also records login attempts by default: PAM and sshd send USER_LOGIN events to the audit log without any rule being configured. Failed logins can therefore be found directly with the ausearch utility.

# ausearch -m USER_LOGIN --success no -i

type=USER_LOGIN msg=audit(12/05/2014 10:16:25.133:372) : pid=2594 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=(unknown user) exe=/usr/sbin/sshd hostname=? addr=192.168.1.2 terminal=ssh res=failed'
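As an added example (not code from the original article, nor from Lynis), the procedure from both sections above in one script: the two access-denied rules as a rules.d fragment, a function to load them, and two small post-processing functions for the output of ausearch, one for the access-denied key and one for failed USER_LOGIN records, so the raw events become counts per user and program, and per source address. The rules file name /etc/audit/rules.d/pci-10.2.4.rules and the function names are assumptions, and the audit records at the bottom are constructed sample data, not output from a real system.

```shell
#!/usr/bin/env bash
# Added example for this article (not code from the original post): load the
# two access-denied rules, then summarise what ausearch returns. Assumed names:
# the rules file /etc/audit/rules.d/pci-10.2.4.rules and the functions below.
# The audit records in sample_records() are constructed for demonstration.
set -eu

# The article's rules as a rules.d fragment. Exit value -13 is errno EACCES
# ("Permission denied"); current auditctl also accepts -F exit=-EACCES.
pci_rules() {
  cat <<'EOF'
-a always,exit -F arch=b32 -S all -F exit=-13 -k access-denied
-a always,exit -F arch=b64 -S all -F exit=-13 -k access-denied
EOF
}

# Install the fragment, load it with augenrules (root and auditd required)
# and confirm the rules are active.
install_rules() {
  pci_rules > /etc/audit/rules.d/pci-10.2.4.rules
  augenrules --load
  auditctl -l | grep -- '-k access-denied'
}

# Count EACCES system calls per (auid, exe) from raw audit records:
#   ausearch -k access-denied --raw | summarize_denied
# A raw SYSCALL record is a line of space-separated key=value pairs such as
# exit=-13, auid=1000 and exe="/usr/bin/cat"; PATH records are skipped.
summarize_denied() {
  awk '
    $1 == "type=SYSCALL" && / exit=-13 / {
      auid = "?"; exe = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^auid=/) auid = substr($i, 6)
        if ($i ~ /^exe=/)  exe  = substr($i, 5)
      }
      gsub(/"/, "", exe)
      n[auid " " exe]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Count failed logins per source address (a brute force attempt shows up as
# one address with many failures in a short time):
#   ausearch -m USER_LOGIN --success no --raw | summarize_failed_logins
summarize_failed_logins() {
  awk '
    $1 == "type=USER_LOGIN" && /res=failed/ {
      addr = "?"
      for (i = 1; i <= NF; i++) if ($i ~ /^addr=/) addr = substr($i, 6)
      n[addr]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Constructed sample (not real log data): three denied reads of /etc/shadow by
# auid 1000, one by auid 1001, one ENOENT failure (exit=-2, must not count),
# three failed SSH logins from one address, one from another, one success.
sample_records() {
  cat <<'EOF'
type=SYSCALL msg=audit(1417771785.100:370): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1e6c0a40 a1=0 a2=0 a3=0 items=1 ppid=2300 pid=2310 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access-denied"
type=PATH msg=audit(1417771785.100:370): item=0 name="/etc/shadow" inode=131229 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1417771790.200:371): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1e6c0a40 a1=0 a2=0 a3=0 items=1 ppid=2300 pid=2311 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access-denied"
type=SYSCALL msg=audit(1417771795.300:372): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1e6c0a40 a1=0 a2=0 a3=0 items=1 ppid=2300 pid=2312 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access-denied"
type=SYSCALL msg=audit(1417771800.400:373): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1e6c0a40 a1=0 a2=0 a3=0 items=1 ppid=2400 pid=2410 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="less" exe="/usr/bin/less" key="access-denied"
type=SYSCALL msg=audit(1417771805.500:374): arch=c000003e syscall=2 success=no exit=-2 a0=7ffd1e6c0a40 a1=0 a2=0 a3=0 items=1 ppid=2300 pid=2313 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=USER_LOGIN msg=audit(1417771810.133:375): pid=2594 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown user)" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.2 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771812.133:376): pid=2595 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.2 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771814.133:377): pid=2596 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.2 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771820.133:378): pid=2597 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown user)" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771830.133:379): pid=2598 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.9 terminal=/dev/pts/0 res=success'
EOF
}

# Stand-alone use: "install" loads the rules, "demo" runs both summaries on
# the constructed sample; with no argument the script only defines functions.
case "${1:-}" in
  install) install_rules ;;
  demo) sample_records | summarize_denied; sample_records | summarize_failed_logins ;;
esac
```

Two caveats for real use. First, -S all with exit=-13 is noisy on a busy system, because many programs probe files they are not allowed to read; a common refinement is to restrict the rules to real user sessions with -F auid>=1000 -F auid!=4294967295. Second, EACCES is not the only denial the kernel returns: operations like chown or kill on another user's process fail with EPERM (-1), so a second pair of rules with -F exit=-1 may be wanted for full coverage of 10.2.4.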

Most of the rules we share on this blog are also being used for automated testing in our auditing tool Lynis and related compliance plugins. If you want to automate your PCI DSS security audits, start with the free Lynis tool.

Happy auditing!

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.