
Rule: A Log Metric Filter and Alarm for Root User Usage

This rule ensures the presence of a log metric filter and alarm for 'root' user usage.

Rule: A log metric filter and alarm should exist for usage of the 'root' user
Framework: PCI v3.2.1
Severity: Critical

Rule Description

This rule requires a log metric filter and an alarm that track and monitor usage of the 'root' user, as needed to comply with the Payment Card Industry Data Security Standard (PCI DSS) version 3.

Troubleshooting Steps (if applicable)

No troubleshooting steps required for this rule.

Necessary Codes (if applicable)

No specific codes are necessary for this rule.

Step-by-Step Guide for Remediation

  1.

    Create a Log Metric Filter:

    • Go to the Amazon CloudWatch console.
    • From the left-hand navigation pane, select Log groups.
    • Choose the appropriate log group where the logs related to the root user are stored.
    • Click on Create Metric Filter.
    • Enter a suitable filter pattern to capture log entries that specifically indicate 'root' user activity.
    • Specify the filter name and set the filter pattern and metric details accordingly.
    • Choose a metric namespace and metric name that accurately reflect the purpose of the filter.
    • Save the metric filter.
  2.

    Create an Alarm:

    • From the left-hand navigation pane in the CloudWatch console, select Alarms.
    • Click on Create Alarm.
    • Under the Select metric section, choose the metric that the newly created metric filter publishes.
    • Set the appropriate threshold values for triggering the alarm.
    • Configure the actions to be taken when the alarm state is triggered (e.g., sending a notification to the appropriate personnel).
    • Give a meaningful name to the alarm and provide a description that includes the purpose of the alarm.
    • Save the alarm.
  3.

    Test the Rule:

    • Perform actions that involve using the 'root' user account (e.g., logging in as root, executing privileged commands) to generate log entries.
    • Monitor the CloudWatch Alarm console to verify that the alarm is triggered for these activities.
    • Ensure that the alarm notifications are received by the designated recipients.
  4.

    Remediate Any Unauthorized 'root' User Activity:

    • Investigate the triggered alarm and analyze the log entries associated with the 'root' user activity.
    • Take appropriate steps to remediate any unauthorized or unusual 'root' user activity, addressing any potential security concerns.
    • Document the incident and capture any necessary information for further investigation or auditing purposes.
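The four steps above, carried out as code rather than through the console. This is an added example, not Cloud Defense's own code: it uses the filter pattern the CIS AWS Foundations Benchmark recommends for root usage, checks that pattern locally against constructed CloudTrail records (step 3) before anything is deployed, and builds the exact parameters for the boto3 `put_metric_filter` and `put_metric_alarm` calls (steps 1 and 2). The log group, SNS topic ARN, metric namespace and filter/alarm names are placeholders; `deploy()` assumes configured AWS credentials and is not exercised offline.

```python
"""Added example: metric filter + alarm for root-user usage (PCI DSS),
with a local check of which CloudTrail records the filter would count."""
import json

# Filter pattern recommended by the CIS AWS Foundations Benchmark for root
# usage: root credentials used directly, not by an AWS service acting on the
# account's behalf, and not an AWS-generated service event.
ROOT_USAGE_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# Constructed sample CloudTrail records (not real account data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventName": "CreateUser", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "CreateStack", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventName": "StartLogging", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root"}},
]


def matches_root_usage(event: dict) -> bool:
    """Local re-implementation of the three conditions in ROOT_USAGE_PATTERN,
    so a sample of CloudTrail records can be checked before the filter is
    deployed. It mirrors the pattern, not CloudWatch's own matcher."""
    identity = event.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and event.get("eventType") != "AwsServiceEvent"
    )


def flagged_events(events):
    """eventName of every record the filter would count toward the metric."""
    return [e["eventName"] for e in events if matches_root_usage(e)]


def metric_filter_params(log_group, namespace="LogMetrics", metric="RootUsageCount"):
    """Keyword arguments for logs.put_metric_filter (remediation step 1).
    Names are placeholders; each matching record adds 1 to the metric."""
    return {
        "logGroupName": log_group,
        "filterName": "RootUsage",
        "filterPattern": ROOT_USAGE_PATTERN,
        "metricTransformations": [
            {"metricName": metric, "metricNamespace": namespace, "metricValue": "1"}
        ],
    }


def alarm_params(sns_topic_arn, namespace="LogMetrics", metric="RootUsageCount"):
    """Keyword arguments for cloudwatch.put_metric_alarm (remediation step 2):
    alarm as soon as a single root event is seen in a 5-minute period, and
    treat periods with no data as OK rather than as missing data."""
    return {
        "AlarmName": "RootUsageAlarm",
        "AlarmDescription": "PCI DSS: root account credentials were used",
        "Namespace": namespace,
        "MetricName": metric,
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


def deploy(log_group, sns_topic_arn):
    """Apply both resources with boto3 (assumes AWS credentials and a default
    region are configured; not run offline)."""
    import boto3
    boto3.client("logs").put_metric_filter(**metric_filter_params(log_group))
    boto3.client("cloudwatch").put_metric_alarm(**alarm_params(sns_topic_arn))


if __name__ == "__main__":
    print("Counted by the filter:", flagged_events(SAMPLE_EVENTS))
    print(json.dumps(metric_filter_params("CloudTrail/DefaultLogGroup"), indent=2))
```

Of the five constructed records only the direct root console login and the root `CreateUser` call are counted; the IAM user, the root identity invoked through CloudFormation, and the service event are not, which is the behaviour the CIS pattern is designed to give. A threshold of 1 over one period is the usual choice here because any direct root usage is worth investigating.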

Conclusion

Implementing a log metric filter and alarm for the usage of the 'root' user helps maintain compliance with the PCI DSS v3 requirements. This proactive monitoring approach enables early detection and response to any unauthorized or potentially malicious activities associated with the 'root' user account.
