diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile index f13f97a537..877caff01a 100644 --- a/fedora/profiles/ospp.profile +++ b/fedora/profiles/ospp.profile @@ -198,6 +198,12 @@ selections: - audit_rules_etc_group_open - audit_rules_etc_group_openat - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_openat + - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_openat + - audit_rules_etc_gshadow_open_by_handle_at - package_abrt_removed - package_sendmail_removed - mount_option_dev_shm_nodev diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml index a80c7dab8c..103a445cd3 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open/rule.yml @@ -14,6 +14,8 @@ description: |- If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify+ If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml index 6181ad50f1..bb47451c46 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at/rule.yml @@ -14,6 +14,8 @@ description: |- If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify+ If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml index 9a69643a34..8d9aa4d97c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat/rule.yml @@ -14,6 +14,8 @@ description: |- If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modify+ If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml new file mode 100644 index 0000000000..a9934fbe7e --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel7,rhel8,fedora,ol7,ol8 + +title: 'Record Events that Modify User/Group Information via open syscall - /etc/gshadow' + +description: |- + The audit system should collect write events to /etc/gshadow file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ +rationale: |- + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +identifiers: + cce@rhel8: 80959-0 + +references: + ospp: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml new file mode 100644 index 0000000000..7a4861b3fc --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_open_by_handle_at/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel7,rhel8,fedora,ol7,ol8 + +title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow' + +description: |- + The audit system should collect write events to /etc/gshadow file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
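Review bot: The grouped example in this new rule's `warnings` block does not show what the surrounding sentence promises — it lists `-S open` alone while the text says grouping syscalls is more efficient — and the grouped variants in the sibling new files are partly wrong: `-S open,openat,open_by_handle_at -F a1&03` (audit_rules_etc_shadow_open) and `-S open,openat,open_by_handle_at -F a2&03` (audit_rules_etc_shadow_openat, audit_rules_etc_shadow_open_by_handle_at) apply a single flags-argument filter to syscalls whose flags live in different arguments, a1 for open and a2 for openat/open_by_handle_at, exactly as this commit's own audit_rules_path_syscall.csv rows record. Only syscalls that share the flags argument can be combined under one `-F aN&03`, so the form already used in audit_rules_etc_gshadow_open_by_handle_at and audit_rules_etc_gshadow_openat, `-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify`, should be the example in all six files, with open kept as its own rule. Separately, the six new descriptions document `-F key=user-modify` while the group and passwd descriptions touched in this same commit use `-F key=modify`; if the templated check or remediation compares the key value (the template itself is not in this diff), the two sets should agree. The rationale sentence `Creation of users through direct edition of /etc/gshadow` also fits this file poorly, since /etc/gshadow holds group passwords and membership rather than user accounts; `Modification of group passwords or group administrators through direct editing of /etc/gshadow` would describe the monitored event more accurately.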
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ +rationale: |- + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +identifiers: + cce@rhel8: 80960-8 + +references: + ospp: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml new file mode 100644 index 0000000000..437fb61299 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_gshadow_openat/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel7,rhel8,fedora,ol7,ol8 + +title: 'Record Events that Modify User/Group Information via openat syscall - /etc/gshadow' + +description: |- + The audit system should collect write events to /etc/gshadow file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ +rationale: |- + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +identifiers: + cce@rhel8: 80961-6 + +references: + ospp: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml index 630b03b1b4..acb517fbc0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open/rule.yml @@ -14,6 +14,8 @@ description: |- If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify+ If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml index f1b9fbcd17..7b7fc43304 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at/rule.yml @@ -14,6 +14,8 @@ description: |- If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify+ If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml index 5460009264..2275152fd0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml @@ -14,6 +14,8 @@ description: |- If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modify+ If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>={{{ auid }}} -F auid!=unset -F key=modifyrationale: |- diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml new file mode 100644 index 0000000000..0755d2487b --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel7,rhel8,fedora,ol7,ol8 + +title: 'Record Events that Modify User/Group Information via open syscall - /etc/shadow' + +description: |- + The audit system should collect write events to /etc/shadow file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ +rationale: |- + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +identifiers: + cce@rhel8: 80956-6 + +references: + ospp: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml new file mode 100644 index 0000000000..f5446b7c31 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_open_by_handle_at/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel7,rhel8,fedora,ol7,ol8 + +title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow' + +description: |- + The audit system should collect write events to /etc/shadow file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ +rationale: |- + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +identifiers: + cce@rhel8: 80957-4 + +references: + ospp: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modifydiff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml new file mode 100644 index 0000000000..b68b0ae19a --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_shadow_openat/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel7,rhel8,fedora,ol7,ol8 + +title: 'Record Events that Modify User/Group Information via openat syscall - /etc/shadow' + +description: |- + The audit system should collect write events to /etc/shadow file for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modify+ +rationale: |- + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. + Auditing these events could serve as evidence of potential system compromise. + +severity: medium + +identifiers: + cce@rhel8: 80958-2 + +references: + ospp: FAU_GEN.1.1.c + +{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>={{{ auid }}} -F auid!=unset -F key=user-modifydiff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile index e2173c973b..f3a5072f04 100644 --- a/rhel7/profiles/ospp42.profile +++ b/rhel7/profiles/ospp42.profile @@ -197,6 +197,12 @@ selections: - audit_rules_etc_group_open - audit_rules_etc_group_openat - audit_rules_etc_group_open_by_handle_at + - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_openat + - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_openat + - audit_rules_etc_gshadow_open_by_handle_at - package_abrt_removed - package_sendmail_removed - mount_option_dev_shm_nodev diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 3c6e1931e1..cd9e90e981 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -170,6 +170,12 @@ selections: - audit_rules_usergroup_modification_opasswd - audit_rules_usergroup_modification_passwd - audit_rules_usergroup_modification_shadow + - audit_rules_etc_shadow_open + - audit_rules_etc_shadow_openat + - audit_rules_etc_shadow_open_by_handle_at + - audit_rules_etc_gshadow_open + - audit_rules_etc_gshadow_openat + - audit_rules_etc_gshadow_open_by_handle_at - audit_rules_privileged_commands_sudoedit - audit_rules_privileged_commands_sudo - audit_rules_privileged_commands_su diff --git a/shared/templates/csv/audit_rules_path_syscall.csv b/shared/templates/csv/audit_rules_path_syscall.csv index 3738369e7e..825025e2f7 100644 --- a/shared/templates/csv/audit_rules_path_syscall.csv +++ b/shared/templates/csv/audit_rules_path_syscall.csv @@ -10,3 +10,9 @@ /etc/group,open,a1 /etc/group,openat,a2 /etc/group,open_by_handle_at,a2 +/etc/shadow,open,a1 +/etc/shadow,openat,a2 +/etc/shadow,open_by_handle_at,a2 +/etc/gshadow,open,a1 +/etc/gshadow,openat,a2 +/etc/gshadow,open_by_handle_at,a2