LinuxQuestions.org


koobi 09-17-2007 03:26 AM

Logging file access - PCI DSS
 
Hi,
We are trying to implement the PCI DSS standards on one of our servers, and one of the requirements reads:

Quote:

When the user accesses the database, the file system, the logging per each user is to be implemented.
We have the DB access logging covered, but do you know how we can log file system access? I.e., when a file on the system is accessed, we want, for example, the name of the file, the name of the user, the time, etc. to be logged to a text file.

Is this possible and if it is, is it feasible?


Thanks.

unSpawn 09-17-2007 03:30 PM

Quote:

Originally Posted by koobi (Post 2894353)
we have the db access logging covered

Care to share steps how?


Quote:

Originally Posted by koobi (Post 2894353)
but do you know how we can log file system access? I.e., when a file on the system is accessed, we want, for example, the name of the file, the name of the user, the time, etc. to be logged to a text file. Is this possible and if it is, is it feasible?

Look for comments related to Rootsh / Sudosh:
http://www.linuxquestions.org/questi...93&postcount=4
http://www.linuxquestions.org/questi...51&postcount=3
http://www.linuxquestions.org/questi...74&postcount=2

koobi 09-18-2007 01:33 AM

Hi,
Thanks for the reply.

Regarding the steps for database access, I believe the DBA enabled auditing in Oracle and Postgres for our systems. If you want the details, I'll get them for you. Let me know.


Regarding rootsh and sudosh, they only log activities by users under root permission, right?
My scenario is that we have our web files which have the same permission/user/group privileges as the HTTPD daemon. Therefore, we'd like to be able to log the activities of any given user. Does such a tool exist?

Let me know, thanks.

win32sux 09-18-2007 04:49 AM

According to the web page, Rootsh can be wrapped around any user's shell.

farslayer 09-18-2007 03:13 PM

You could take a look at the auditing features of SNARE: http://sourceforge.net/projects/snare/

From the website:

Code:

Snare is currently used by hundreds of thousands of individuals,
and organisations worldwide. Snare for Linux is used by many large
Financial, Insurance, Healthcare, Defence, AeroSpace, and
Intelligence organisations to meet elements of local and federal
security requirements, such as:

    * ACSI 33 / PSM
    * GLBA (Gramm-Leach-Bliley Act)
    * Sarbanes Oxley (SOX)
    * C2 / CAPP
    * DCID 6/3
    * DIAM 50-4
    * DDS-2600-5502-87 Chapter 4
    * NISPOM Chapter 8
    * HIPAA
    * PCIDSS
    * California Senate Bill 1386/AB 1950
    * USA Patriot Act
    * CISP
    * Danish Standard DS-484:2005
    * British Standard BS7799/ISO 17799

An interesting resource that indirectly led me to Snare was this site: pcianswers.com
http://pcianswers.com/2006/07/31/tra...rdholder-data/
Looks like there may be some good info here once I dig farther into the site.

I need to go look at both of these resources closer now.

As for your web files: if this is a web frontend to access cardholder data, I would think at the very least the users would have to log in to the website, so you should have already identified the user.

koobi 09-20-2007 01:03 AM

Quote:

Originally Posted by win32sux (Post 2895571)
According to the web page, Rootsh can be wrapped around any user's shell.

So I could use rootsh on any user's shell to log their activities?
How would I do this? Make some changes to my .bash_profile?




Quote:

Originally Posted by farslayer (Post 2896121)
You could take a look at the auditing features of SNARE: http://sourceforge.net/projects/snare/

[message truncated]

An interesting resource that indirectly led me to Snare was this site: pcianswers.com
http://pcianswers.com/2006/07/31/tra...rdholder-data/
Looks like there may be some good info here once I dig farther into the site.

I need to go look at both of these resources closer now.

As for your web files: if this is a web frontend to access cardholder data, I would think at the very least the users would have to log in to the website, so you should have already identified the user.

Oh, this is not the web frontend I'm talking about. The frontend has been secured; I just need to know how to log file access via the filesystem. All other aspects of the PCI requirements have been met, I believe.

koobi 09-21-2007 04:08 AM

farslayer,
I've decided to go with SNARE to monitor file/folder access.
It has all the features I require.

Neat little tool. Thanks for recommending it :)
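As an added example (not from this thread and not Snare's own code), here is how the per-user file-access logging koobi is after can be done directly with the Linux audit subsystem, the kernel facility that Snare for Linux builds on. The watch rule uses `/var/www/html` as a placeholder web root, and `report_webfiles` joins the SYSCALL and PATH records of each audit event into "time, login user, file" lines. The audit records fed to it are constructed for the example, not captured from a real system; on a live box, `ausearch -k webfiles -i` gives the same report with numeric ids resolved to names.

```shell
#!/bin/sh
# Added example, not from the thread: per-user file-access logging with the
# Linux audit subsystem (auditd/auditctl), which Snare for Linux is built on.
# Assumptions: /var/www/html is a placeholder for the web root being watched;
# the sample records below are constructed, not a real capture.

# 1. Watch rule for auditctl: log every read, write, execute and attribute
#    change under the web root, tagged with key "webfiles" for searching.
#    Printed rather than applied here so the script runs without root.
audit_rule() {
  printf '%s\n' '-w /var/www/html -p rwxa -k webfiles'
}

# 2. Report: turn raw audit records on stdin into "time auid=<login uid> files".
#    A SYSCALL record carries auid (the login uid, which survives su/sudo and
#    is what attributes access to a person even when the process runs as the
#    httpd user); the PATH records sharing its serial number carry the names.
report_webfiles() {
  awk '
    {
      ts = ""; serial = ""; auid = ""; name = ""; key = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1)
        v = substr($i, n + 1)
        gsub("\"", "", v)                       # strip quoting around values
        if (k == "msg") {                       # msg=audit(<epoch>:<serial>):
          sub(/^audit\(/, "", v); sub(/\):$/, "", v)
          split(v, p, ":"); ts = p[1]; serial = p[2]
        } else if (k == "auid") auid = v
        else if (k == "name") name = v
        else if (k == "key") key = v
      }
      if ($1 == "type=SYSCALL" && key == "webfiles") {
        when[serial] = ts; who[serial] = auid
      } else if ($1 == "type=PATH" && name != "" && name != "(null)") {
        what[serial] = (what[serial] == "") ? name : what[serial] " " name
      }
    }
    END {
      # only events that matched the keyed rule are reported
      for (s in when) print when[s], "auid=" who[s], what[s]
    }
  ' | sort
}

# Constructed sample records (not a real capture): login uid 1001 reads
# config.php as the httpd user (uid 48), login uid 1002 edits index.php,
# and an unrelated event with another key that must not appear in the report.
SAMPLE_RECORDS='type=SYSCALL msg=audit(1190000000.123:456): arch=c000003e syscall=2 success=yes exit=3 ppid=100 pid=101 auid=1001 uid=48 gid=48 comm="cat" exe="/bin/cat" key="webfiles"
type=CWD msg=audit(1190000000.123:456): cwd="/var/www/html"
type=PATH msg=audit(1190000000.123:456): item=0 name="/var/www/html/config.php" inode=1234 mode=0100644 ouid=48 ogid=48
type=SYSCALL msg=audit(1190000100.500:789): arch=c000003e syscall=2 success=yes exit=4 ppid=200 pid=201 auid=1002 uid=1002 gid=1002 comm="vi" exe="/usr/bin/vi" key="webfiles"
type=PATH msg=audit(1190000100.500:789): item=0 name="/var/www/html/" inode=1000 mode=040755 ouid=48 ogid=48
type=PATH msg=audit(1190000100.500:789): item=1 name="/var/www/html/index.php" inode=1235 mode=0100644 ouid=48 ogid=48
type=SYSCALL msg=audit(1190000200.000:900): arch=c000003e syscall=2 success=yes exit=5 ppid=300 pid=301 auid=1003 uid=1003 gid=1003 comm="cat" exe="/bin/cat" key="other"
type=PATH msg=audit(1190000200.000:900): item=0 name="/etc/hostname" inode=2000 mode=0100644 ouid=0 ogid=0'

# Run the report over the constructed records.
demo() {
  printf '%s\n' "$SAMPLE_RECORDS" | report_webfiles
}

demo
```

The point for koobi's scenario is the `auid` field: the web files and the process may both be owned by the httpd user, but the audit subsystem records the uid the person logged in with (set by pam_loginuid at login), so the report answers "which user" rather than "which daemon". The timestamps stay as epoch seconds here because awk's date formatting is not portable; `ausearch -i` prints them human-readable. To make the rule permanent, add the line `audit_rule` prints to the auditd rules file so it is loaded at boot.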

