| Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow are audited for appending. |
# auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=a
If any of these are not listed with a permissions filter of at least "a", this is a finding.
LIST_RULES: exit,always watch=/etc/passwd perm=a key=passwd
LIST_RULES: exit,always watch=/etc/shadow perm=a key=shadow
LIST_RULES: exit,always watch=/etc/group perm=a key=group
LIST_RULES: exit,always watch=/etc/gshadow perm=a key=gshadow