PCI DSS compliance

10.2.4 Invalid logical access attempts

Brute force and logon attempts might be a first indication of a possible break-in. This is the reason such attempts should be properly logged and reviewed on a regular basis. On Linux this PCI DSS control might be configured by using the Linux audit system.

Linux systems have a great of auditing events, with the help of the Linux audit framework. The kernel has a built-in auditing mechanism, which allows system calls and file access to be monitored. Besides the access request to a resource itself, the success or failure is logged as well. Especially failed requests are interesting, as they might indicate a brute force attempt.

More resources

• Linux audit system
• PCI DSS (v3) Linux: Invalid logical access attempts (10.2.4)

Related tools

• aureport
• ausearch

Commands

• aureport -l --failed
• ausearch --message USER_LOGIN --success no --interpret