diff --git a/shared/checks/oval/audit_rules_etc_passwd_open.xml b/shared/checks/oval/audit_rules_etc_passwd_open.xml
new file mode 100644
index 0000000000..fd5c3efb28
--- /dev/null
+++ b/shared/checks/oval/audit_rules_etc_passwd_open.xml
@@ -0,0 +1,96 @@
+
+
+
+ Ensure auditd Collects Write Events to /etc/passwd
+
+ Red Hat Enterprise Linux 7
+ multi_platform_fedora
+
+ Audit rules about the write events to /etc/passwd
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
+
+
+
+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
+
+
+
+
+
+
+
+ /etc/audit/rules\.d/.*\.rules
+
+ 1
+
+
+
+
+
+
+ /etc/audit/rules\.d/.*\.rules
+
+ 1
+
+
+
+
+
+
+
+
+
+ /etc/audit/audit.rules
+
+ 1
+
+
+
+
+
+
+ /etc/audit/audit.rules
+
+ 1
+
+
+
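Review bot: Both patterns (arch=b32 and arch=b64) require `-F a2&03`, but open(2) takes (pathname, flags, mode), so the access-mode bits O_WRONLY/O_RDWR are in a1 and a2 is the creation mode. A rule that satisfies this check filters on the mode argument rather than on write intent. Suggest matching `-F[\s]+a1&03` for open and keeping a2 for openat and open_by_handle_at, where flags is the third argument. Two smaller points in the same patterns: the `-S` group only matches when open is the first syscall listed, so a line written as `-S openat,open` fails the check, and `auid!=(unset|4294967295)` is the only capturing group and could be `(?:unset|4294967295)` like the rest.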
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open.rule
new file mode 100644
index 0000000000..6e4aabcbe8
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open.rule
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Events that Modify User/Group Information via open syscall - /etc/passwd'
+
+description: |-
+ The audit system should collect write events to /etc/passwd file for all users and root.
+ If the auditd daemon is configured
+ to use the augenrules program to read audit rules during daemon
+ startup (the default), add the following lines to a file with suffix
+ .rules in the directory /etc/audit/rules.d:
+
-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+ If the auditd daemon is configured to use the auditctl
+ utility to read audit rules during daemon startup, add the following lines to
+ /etc/audit/audit.rules file:
+ -a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+
+rationale: |-
+ Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
+ Auditing these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+references:
+ ospp@rhel7: FAU_GEN.1.1.c
+
+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
+
+warnings:
+ - general: |-
+ Note that these rules can be configured in a
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping system calls related
+ to the same event is more efficient. See the following example:
+ -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
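Review bot: The description gives only the arch=b32 line for the augenrules case and only the arch=b64 line for the auditctl case, while the OVAL check carries a pattern for each architecture; list both lines under both loaders so that following the text produces rules the check can match. The examples also hardcode `auid>=1000` where the check uses the templated `{{{ auid }}}`. In the warnings example, open is grouped with openat and open_by_handle_at under a single `-F a2&03`, but open carries its flags in a1 rather than a2, so one filter on a2 does not test the same argument for all three syscalls.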
diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
index 63b7223731..86fb0ff2fb 100644
--- a/rhel7/profiles/ospp42-draft.profile
+++ b/rhel7/profiles/ospp42-draft.profile
@@ -161,3 +161,4 @@ selections:
- audit_rules_kernel_module_loading_modprobe
- audit_rules_kernel_module_loading_rmmod
- security_patches_up_to_date
+ - audit_rules_etc_passwd_open
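Review bot: The new selection is appended after security_patches_up_to_date instead of sitting with the other audit_rules_* entries above it; move it up so the audit selections stay together. Only the open variant is selected, so with this profile writes to /etc/passwd made through openat or open_by_handle_at (the syscalls the rule's own warning mentions) are not recorded; say in the commit message whether companion rules follow in a later change.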