{"description": "The audit system should collect write events to /etc/gshadow file for all users and root.\nIf the <tt>auditd</tt> daemon is configured\nto use the <tt>augenrules</tt> program to read audit rules during daemon\nstartup (the default), add the following lines to a file with suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to\n<tt>/etc/audit/audit.rules</tt> file:\n<pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>\nIf the system is 64-bit then also add the following line:\n<pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>", "rationale": "Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system.\nAuditing these events could serve as evidence of potential system compromise.", "severity": "medium", "references": {"nerc-cip": ["CIP-004-6 R2.2.2", "CIP-004-6 R2.2.3", "CIP-007-3 R.1.3", "CIP-007-3 R5", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.3", "CIP-007-3 R5.2.1", "CIP-007-3 R5.2.3"], "nist": ["AC-2(4)", "AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>open</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"open\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": 
"Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping system calls related\nto the same event is more efficient. See the following example:\n<pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify</pre>"}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["not aarch64_arch"], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": ["not_aarch64_arch"], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Events that Modify User/Group Information via open syscall - /etc/gshadow", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml", "template": {"name": "audit_rules_path_syscall", "vars": {"path": "/etc/gshadow", "pos": "a1", "syscall": "open"}, "backends": {}}}