MEDIUM M14: Identity File Access Audit P3

Verified Compare Branch

Overview

Monitors access to critical identity files (/etc/passwd, /etc/shadow, /etc/group, /etc/gshadow) by auditing open, openat, and open_by_handle_at syscalls. Detects unauthorized reads of password hashes and user account data.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check Description
etc-group-open Audit open() on /etc/group
etc-group-openat Audit openat() on /etc/group
etc-group-open-by-handle-at Audit open_by_handle_at() on /etc/group
etc-gshadow-open Audit open() on /etc/gshadow
etc-gshadow-openat Audit openat() on /etc/gshadow
etc-gshadow-open-by-handle-at Audit open_by_handle_at() on /etc/gshadow
etc-passwd-open Audit open() on /etc/passwd
etc-passwd-openat Audit openat() on /etc/passwd
etc-passwd-open-by-handle-at Audit open_by_handle_at() on /etc/passwd
etc-shadow-open Audit open() on /etc/shadow
etc-shadow-openat Audit openat() on /etc/shadow
etc-shadow-open-by-handle-at Audit open_by_handle_at() on /etc/shadow

Verification

oc debug node/<node> -- chroot /host auditctl -l | grep -E 'passwd|shadow|group|gshadow'
← M13 All Groups M15 →
Legend
Status
🔵 In Progress
🟡 Pending
⚪ On Hold
🟢 Complete
Severity
HIGH
MEDIUM
LOW
MANUAL

Keyboard Shortcuts

Navigation
j / Next row
k / Previous row
Enter Open selected / Expand details
Esc Clear selection / Close modal
Actions
/ Focus search
d Toggle dark mode
? Show this help
g h Go to home
Filters
1 Show all
2 Pending only
3 In Progress only
4 Complete only