PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

PCI describes in control 10.2.4 to monitor for “invalid logical access attempts”. Another way of saying to monitor attempts which are not allowed, like accessing a file you are not supposed to. Another indication might be brute force attempts to log in, which result in several failed logins.

To monitor for invalid access attempts, we can use the Linux audit framework. This framework has been created and maintained by Red Hat over the years. It is a great tool for auditing and to help with PCI DSS compliance on Linux based systems.

Monitoring access attempts

To filter out invalid access attempts, we can monitor all system calls which return an “access denied” error. We can translate this into the following audit rules:

-a always,exit -F arch=b32 -S all -F exit=-13 -k access-denied
-a always,exit -F arch=b64 -S all -F exit=-13 -k access-denied

-S all = All system calls.

-F exit=-13 = Exit code of -13, , which equals access denied.

These rules can be added to the /etc/audit/audit.rules file or directly via auditctl.

By defining a key, we can quickly find it later with ausearch.

Testing the rule

Now try to access a file as a non-privileged user (e.g. cat /etc/shadow). It should log the access attempt by creating a new event in the audit log.

By using the ausearch utility, we can search events in this category.

ausearch -k access-denied

This should show the event, similar to the output on our system:

Screenshot of ausearch searching on specific key

Searching access-denied key with ausearch

The Linux audit framework provides great ways to monitor files, directories and processes. With the right filters, it is a great addition for companies who would like to become PCI compliant.

Checking for failed logins

By default, the audit framework can also gather failed logins using the ausearch utility.

# ausearch –message USER_LOGIN –success no –interpret
type=USER_LOGIN msg=audit(12/05/2014 10:16:25.133:372) : pid=2594 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg=’op=login acct=(unknown user) exe=/usr/sbin/sshd hostname=? addr= terminal=ssh res=failed’


Most of the rules we share on this blog are also being used for automated testing in our auditing tool Lynis and related compliance plugins. If you want to automate your PCI DSS security audits, start with the free Lynis tool.

Happy auditing!



Automate security audits with Lynis and Lynis Enterprise
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux (and Unix-based) systems more secure.

Daily security checks

Want to go to the next level of security scanning and system hardening? Start with automated security scans for Linux: Lynis and Lynis Enterprise.

Automate Scanning »

Leave a Reply

Your email address will not be published. Required fields are marked *