PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

PCI DSS requirement 10.2.4 asks for an audit trail of “invalid logical access attempts”. In other words: log attempts that were not allowed, such as a user opening a file they have no permission to read. Repeated failed logins are another indicator, since a burst of them usually means a brute force attempt.

To monitor for invalid access attempts, we can use the Linux audit framework: the kernel audit subsystem together with the auditd userspace tools (auditctl, ausearch, aureport), which Red Hat has developed and maintained over the years. It is a great tool for auditing and helps with PCI DSS compliance on Linux based systems.

Monitoring access attempts

To catch invalid access attempts, we monitor all system calls that return EACCES (errno 13, “Permission denied”). This translates into the following audit rules, one per ABI so that both 32-bit and 64-bit callers are covered:

-a always,exit -F arch=b32 -S all -F exit=-13 -k access-denied
-a always,exit -F arch=b64 -S all -F exit=-13 -k access-denied

-S all = match every system call.

-F exit=-13 = the system call returned -13, which is -EACCES (“Permission denied”). auditctl also accepts the symbolic form -F exit=-EACCES.

Two caveats: some denied operations return EPERM (-1, “Operation not permitted”) rather than EACCES, so add a second pair of rules with -F exit=-EPERM if you want those too, and expect more noise. And because the rule matches every system call, the kernel evaluates it at the exit of each one, so measure the overhead on busy systems before rolling it out.

These rules can be added to the /etc/audit/audit.rules file (on newer auditd versions, to a file in /etc/audit/rules.d/ that augenrules merges into it) or loaded directly by passing each line as arguments to auditctl.

By defining a key (-k access-denied), we can quickly find the matching events later with ausearch -k.

Testing the rule

Now try, as a non-privileged user, to read a file you are not allowed to read (e.g. cat /etc/shadow). The open() call fails with “Permission denied”, which matches the rule and creates a new event in the audit log.

By using the ausearch utility, we can search events in this category.

ausearch -k access-denied

This should show the event, similar to the output on our system:

[Screenshot: ausearch output when searching on the access-denied key]

The Linux audit framework provides great ways to monitor files, directories and processes. With the right filters, it is a great addition for companies who would like to become PCI compliant.

Checking for failed logins

Failed logins do not need a custom rule: PAM and sshd report them to auditd as USER_LOGIN events by default, and ausearch can filter those on the result field.

# ausearch --message USER_LOGIN --success no --interpret
type=USER_LOGIN msg=audit(12/05/2014 10:16:25.133:372) : pid=2594 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=(unknown user) exe=/usr/sbin/sshd hostname=? addr= terminal=ssh res=failed'
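As an added example (not part of the original post, and not code from Lynis or the audit project), here is a small Python parser for the raw, non-interpreted audit.log format that does offline what the two ausearch invocations above do. It joins SYSCALL records carrying the access-denied key with the PATH records of the same event to report which user tried to open which file, and it counts failed USER_LOGIN events per source address to flag the brute force pattern mentioned at the top of the post. The log lines embedded below are constructed for this example; the threshold of three failures and the file name are assumptions you would tune for your own environment.

```python
"""Sift raw Linux audit records for PCI DSS 10.2.4 evidence:
EACCES (exit=-13) syscalls tagged with our key, and failed USER_LOGIN events."""
import re
from collections import Counter, defaultdict

EACCES = -13             # errno 13, "Permission denied": what -F exit=-13 matches
AUID_UNSET = 4294967295  # (uint32)-1, the kernel's "login uid not set" marker

# Constructed sample lines in raw /var/log/audit/audit.log format (no -i).
# They are made up for this example, not taken from a real system.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1417770985.133:371): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd7c1e9a3c a1=0 a2=1fffffffffff0000 a3=7ffd7c1e8920 items=1 ppid=2510 pid=2593 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access-denied"
type=CWD msg=audit(1417770985.133:371):  cwd="/home/alice"
type=PATH msg=audit(1417770985.133:371): item=0 name="/etc/shadow" inode=263 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1417770990.500:372): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd7c1e9a3c a1=0 a2=0 a3=0 items=1 ppid=2510 pid=2598 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1417770990.500:372): item=0 name="/etc/passwd" inode=262 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1417771000.133:373): pid=2594 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771001.250:374): pid=2594 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771002.400:375): pid=2594 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1417771010.000:376): pid=2601 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1417771011.000:377): pid=2602 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=ssh res=failed'
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value where value is "quoted", 'quoted' or a bare token such as (null) or ?
FIELD_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


def parse_fields(text):
    """Turn 'a=1 b="x" msg=\'c=2\'' into a flat dict; the nested msg='...' is flattened."""
    fields = {}
    for name, raw in FIELD_RE.findall(text):
        value = raw[1:-1] if raw[0] in '"\'' else raw
        if name == 'msg' and raw[0] == "'":
            fields.update(parse_fields(value))  # op=..., addr=..., res=... live in here
        else:
            fields[name] = value
    return fields


def parse_record(line):
    """Parse one raw audit line; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m.group(1), 'time': float(m.group(2)), 'serial': int(m.group(3))}
    rec.update(parse_fields(m.group(4)))
    return rec


def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def access_denied_events(records, key='access-denied'):
    """Offline equivalent of `ausearch -k access-denied`: SYSCALL records with our
    key and exit=-EACCES, joined by serial number with their PATH records."""
    by_serial = defaultdict(list)
    for r in records:
        by_serial[r['serial']].append(r)
    hits = []
    for serial, group in sorted(by_serial.items()):
        sc = next((r for r in group if r['type'] == 'SYSCALL'), None)
        if not sc or sc.get('key') != key or int(sc.get('exit', 0)) != EACCES:
            continue
        auid = int(sc.get('auid', AUID_UNSET))
        hits.append({
            'serial': serial,
            'auid': 'unset' if auid == AUID_UNSET else auid,  # who logged in originally
            'uid': int(sc.get('uid', -1)),                    # who made the call
            'exe': sc.get('exe'),
            'paths': [r['name'] for r in group if r['type'] == 'PATH' and 'name' in r],
        })
    return hits


def failed_logins_by_source(records):
    """Offline equivalent of `ausearch -m USER_LOGIN --success no`, per source address."""
    return Counter(r.get('addr', '?') for r in records
                   if r['type'] == 'USER_LOGIN' and r.get('res') == 'failed')


def brute_force_sources(records, threshold=3):
    """Source addresses with at least `threshold` failed logins (threshold is an assumption)."""
    return sorted(addr for addr, n in failed_logins_by_source(records).items()
                  if n >= threshold)


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for h in access_denied_events(recs):
        print(f"event {h['serial']}: auid={h['auid']} uid={h['uid']} {h['exe']} -> {h['paths']}")
    print("failed logins per source:", dict(failed_logins_by_source(recs)))
    print("brute force candidates:", brute_force_sources(recs))
```

Two details matter when you adapt this to real logs: the SYSCALL record alone does not tell you which file was touched, so always join on the serial number to pick up the PATH records, and auid (the login uid) rather than uid is the field PCI assessors want, because it survives su and sudo.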


Most of the rules we share on this blog are also being used for automated testing in our auditing tool Lynis and related compliance plugins. If you want to automate your PCI DSS security audits, start with the free Lynis tool.

Happy auditing!
