Compliance - PCI DSS


10.2.4 Invalid logical access attempts

Brute force attacks and repeated failed logon attempts can be a first indication of an attempted break-in. This is why such attempts should be properly logged and reviewed on a regular basis. On Linux this PCI DSS control can be implemented with the Linux audit system.

Linux systems have extensive support for auditing events through the Linux audit framework. The kernel has a built-in auditing mechanism that allows system calls and file access to be monitored. Besides the access request to a resource itself, its success or failure is logged as well. Failed requests are especially interesting, as they might indicate a brute force attempt.

More resources

Related tools

  • aureport
  • ausearch

Commands

  • aureport -l --failed
  • ausearch --message USER_LOGIN --success no --interpret
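As an added example (not part of the original page or of the audit tools it lists), the following POSIX shell script performs the regular review this control asks for over a constructed sample of USER_LOGIN audit records in the shape that ausearch --raw prints them. It counts failed logins per source address or per target account and reports every key that reaches a threshold, so a reviewer sees the repeated failures rather than every single record. The sample records, the documentation-range addresses in them, and the threshold values are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of raw audit records as ausearch --raw would print them.
# Addresses are from the RFC 5737 documentation ranges; nothing here is real.
sample_audit_log() {
    cat <<'EOF'
type=USER_LOGIN msg=audit(1700000000.101:201): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.105:202): pid=1202 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.110:203): pid=1203 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1700000000.112:204): pid=1204 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.120:205): pid=1205 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=CRED_ACQ msg=audit(1700000000.125:206): pid=1206 uid=0 auid=1000 ses=8 msg='op=PAM:setcred grantors=pam_unix acct="bob" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1700000000.130:207): pid=1207 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/bin/login" hostname=? addr=? terminal=tty1 terminal=tty1 res=failed'
EOF
}

# Read raw audit records on stdin and print "<key value> <failure count>" for
# every value with at least <threshold> failed USER_LOGIN records.
#   $1: record field to group by, "addr" (source address) or "acct" (account)
#   $2: minimum number of failures worth reporting
failed_logins_by() {
    key="${1:-addr}"
    threshold="${2:-3}"
    awk -v key="$key" -v threshold="$threshold" '
        # Only login events that ended in failure count toward the total.
        /^type=USER_LOGIN / && / res=failed/ {
            value = "unknown"
            for (i = 1; i <= NF; i++) {
                if (index($i, key "=") == 1) {
                    value = substr($i, length(key) + 2)
                    gsub(/"/, "", value)   # acct values are quoted, addr values are not
                }
            }
            if (value == "?") value = "local"  # console logins carry no address
            count[value]++
        }
        END {
            for (v in count)
                if (count[v] >= threshold) printf "%s %d\n", v, count[v]
        }
    ' | sort
}

# Convenience wrappers for the review: who is hammering us, and which accounts
# are being targeted. On a live system replace sample_audit_log with
#   ausearch --message USER_LOGIN --success no --raw
report_attacking_addresses() { sample_audit_log | failed_logins_by addr 3; }
report_targeted_accounts()   { sample_audit_log | failed_logins_by acct 3; }

echo "Source addresses with 3 or more failed logins:"
report_attacking_addresses
echo "Accounts with 3 or more failed logins:"
report_targeted_accounts
```

The USER_LOGIN records are written by the login programs themselves (sshd, login) through PAM and the audit user-space API, so they appear in /var/log/audit/auditd.log as long as auditd is running; no auditctl file or syscall rule is needed for them. Lowering the threshold to 1 lists every failure, which is the raw view the ausearch command above gives; the grouped view is what makes a review of a day's log practical.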