diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile
index f13f97a537..877caff01a 100644
--- a/fedora/profiles/ospp.profile
+++ b/fedora/profiles/ospp.profile
@@ -198,6 +198,12 @@ selections:
     - audit_rules_etc_group_open
     - audit_rules_etc_group_openat
     - audit_rules_etc_group_open_by_handle_at
+    - audit_rules_etc_shadow_open
+    - audit_rules_etc_shadow_openat
+    - audit_rules_etc_shadow_open_by_handle_at
+    - audit_rules_etc_gshadow_open
+    - audit_rules_etc_gshadow_openat
+    - audit_rules_etc_gshadow_open_by_handle_at
     - package_abrt_removed
     - package_sendmail_removed
     - mount_option_dev_shm_nodev
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
index a80c7dab8c..103a445cd3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml
@@ -14,6 +14,8 @@ description: |-
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
+    If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
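Review bot: The b32 rule and the "64 bit" sentence are added only to the auditctl section of the description; the augenrules section a few lines earlier is outside this hunk, and if it still lists just the arch=b64 rule it should get the same `<pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>` line followed by `If the system is 64 bit then also add the following line:` so both configuration paths describe the same rule set. The same applies to the group openat, group open_by_handle_at and the three passwd hunks below, which make the identical change. The description block starts and ends outside this hunk.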
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
index 6181ad50f1..bb47451c46 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml
@@ -14,6 +14,8 @@ description: |-
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
+    If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
index 9a69643a34..8d9aa4d97c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml
@@ -14,6 +14,8 @@ description: |-
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
+    If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml
new file mode 100644
index 0000000000..a9934fbe7e
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,fedora,ol7,ol8
+
+title: 'Record Events that Modify User/Group Information via open syscall - /etc/gshadow'
+
+description: |-
+    The audit system should collect write events to /etc/gshadow file for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the system is 64 bit then also add the following line:
+    <pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+
+rationale: |-
+    Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
+    Auditing these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 80959-0
+
+references:
+    ospp: FAU_GEN.1.1.c
+
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the system calls
+        have been placed independent of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
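Review bot: The augenrules section of the description lists only the arch=b32 rule, while the auditctl section below it lists both b32 and b64, so a reader following the default augenrules path ends up without the 64-bit rule; every new file on this page (gshadow openat and open_by_handle_at, and the three shadow rules) has the same asymmetry. After the first `<pre>` line, add the same pair the auditctl section already has: `If the system is 64 bit then also add the following line:` followed by the matching `-F arch=b64` rule. The rationale's "Creation of users through direct edition of /etc/gshadow" is inaccurate for this file, which holds group passwords and group administrator/member lists rather than user accounts; a wording such as `Unauthorized modification of /etc/gshadow could be an indicator of malicious activity on a system.` fits all six new rules. The new rules also use `key=user-modify` where the passwd and group rules on this page use `key=modify`; if the key comes from the shared template, the description should match whatever the generated remediation emits.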
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml
new file mode 100644
index 0000000000..7a4861b3fc
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,fedora,ol7,ol8
+
+title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow'
+
+description: |-
+    The audit system should collect write events to /etc/gshadow file for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the system is 64 bit then also add the following line:
+    <pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+
+rationale: |-
+    Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
+    Auditing these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 80960-8
+
+references:
+    ospp: FAU_GEN.1.1.c
+
+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the system calls
+        have been placed independent of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml
new file mode 100644
index 0000000000..437fb61299
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,fedora,ol7,ol8
+
+title: 'Record Events that Modify User/Group Information via openat syscall - /etc/gshadow'
+
+description: |-
+    The audit system should collect write events to /etc/gshadow file for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the system is 64 bit then also add the following line:
+    <pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+
+rationale: |-
+    Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
+    Auditing these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 80961-6
+
+references:
+    ospp: FAU_GEN.1.1.c
+
+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the system calls
+        have been placed independent of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        <pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
index 630b03b1b4..acb517fbc0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml
@@ -14,6 +14,8 @@ description: |-
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
+    If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
index f1b9fbcd17..7b7fc43304 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml
@@ -14,6 +14,8 @@ description: |-
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
+    If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
index 5460009264..2275152fd0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml
@@ -14,6 +14,8 @@ description: |-
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
+    If the system is 64 bit then also add the following line:
     <pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify</pre>
 
 rationale: |-
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml
new file mode 100644
index 0000000000..0755d2487b
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,fedora,ol7,ol8
+
+title: 'Record Events that Modify User/Group Information via open syscall - /etc/shadow'
+
+description: |-
+    The audit system should collect write events to /etc/shadow file for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the system is 64 bit then also add the following line:
+    <pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+
+rationale: |-
+    Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
+    Auditing these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 80956-6
+
+references:
+    ospp: FAU_GEN.1.1.c
+
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the system calls
+        have been placed independent of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        <pre>-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
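Review bot: The grouping example in the warning puts `open` together with `openat,open_by_handle_at` under a single `-F a1&amp;03` filter, but the flags argument is a1 for open and a2 for the other two (as the descriptions above and the CSV hunk at the end of this page both state), so the combined rule would test the dirfd of openat/open_by_handle_at rather than their open flags; the shadow_openat and shadow_open_by_handle_at warnings make the same mistake with a2. Split the example into one rule per argument position: `<pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>` and `<pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>`. The gshadow_open warning has the opposite problem: its example is the very same single-syscall rule as the description, so it does not illustrate grouping at all.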
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml
new file mode 100644
index 0000000000..f5446b7c31
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,fedora,ol7,ol8
+
+title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow'
+
+description: |-
+    The audit system should collect write events to /etc/shadow file for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the system is 64 bit then also add the following line:
+    <pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+
+rationale: |-
+    Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
+    Auditing these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 80957-4
+
+references:
+    ospp: FAU_GEN.1.1.c
+
+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the system calls
+        have been placed independent of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        <pre>-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml
new file mode 100644
index 0000000000..b68b0ae19a
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,fedora,ol7,ol8
+
+title: 'Record Events that Modify User/Group Information via openat syscall - /etc/shadow'
+
+description: |-
+    The audit system should collect write events to /etc/shadow file for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:
+    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file:
+    <pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+    If the system is 64 bit then also add the following line:
+    <pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
+
+rationale: |-
+    Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
+    Auditing these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 80958-2
+
+references:
+    ospp: FAU_GEN.1.1.c
+
+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the system calls
+        have been placed independent of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        <pre>-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify</pre>
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
index e2173c973b..f3a5072f04 100644
--- a/rhel7/profiles/ospp42.profile
+++ b/rhel7/profiles/ospp42.profile
@@ -197,6 +197,12 @@ selections:
     - audit_rules_etc_group_open
     - audit_rules_etc_group_openat
     - audit_rules_etc_group_open_by_handle_at
+    - audit_rules_etc_shadow_open
+    - audit_rules_etc_shadow_openat
+    - audit_rules_etc_shadow_open_by_handle_at
+    - audit_rules_etc_gshadow_open
+    - audit_rules_etc_gshadow_openat
+    - audit_rules_etc_gshadow_open_by_handle_at
     - package_abrt_removed
     - package_sendmail_removed
     - mount_option_dev_shm_nodev
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 3c6e1931e1..cd9e90e981 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -170,6 +170,12 @@ selections:
     - audit_rules_usergroup_modification_opasswd
     - audit_rules_usergroup_modification_passwd
     - audit_rules_usergroup_modification_shadow
+    - audit_rules_etc_shadow_open
+    - audit_rules_etc_shadow_openat
+    - audit_rules_etc_shadow_open_by_handle_at
+    - audit_rules_etc_gshadow_open
+    - audit_rules_etc_gshadow_openat
+    - audit_rules_etc_gshadow_open_by_handle_at
     - audit_rules_privileged_commands_sudoedit
     - audit_rules_privileged_commands_sudo
     - audit_rules_privileged_commands_su
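Review bot: The rhel8 OSPP selections now carry both `audit_rules_usergroup_modification_shadow` (kept as context just above the insertion) and the six new syscall-based shadow/gshadow rules; if the usergroup_modification rule is the file watch on /etc/shadow its name suggests, both sets will match the same write and each event is recorded twice. The rhel7 and fedora profiles above insert the new rules next to the existing etc_group/etc_passwd open rules instead, so it is worth confirming the overlap here is intended or dropping one of the two sets. The selections list continues outside the hunk.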
diff --git a/shared/templates/csv/audit_rules_path_syscall.csv b/shared/templates/csv/audit_rules_path_syscall.csv
index 3738369e7e..825025e2f7 100644
--- a/shared/templates/csv/audit_rules_path_syscall.csv
+++ b/shared/templates/csv/audit_rules_path_syscall.csv
@@ -10,3 +10,9 @@
 /etc/group,open,a1
 /etc/group,openat,a2
 /etc/group,open_by_handle_at,a2
+/etc/shadow,open,a1
+/etc/shadow,openat,a2
+/etc/shadow,open_by_handle_at,a2
+/etc/gshadow,open,a1
+/etc/gshadow,openat,a2
+/etc/gshadow,open_by_handle_at,a2