From f880b13f08b2b3f603e41b87c999600d71a41e78 Mon Sep 17 00:00:00 2001
From: jlmndt <135057436+jlmndt@users.noreply.github.com>
Date: Wed, 30 Oct 2024 11:19:22 -0400
Subject: [PATCH] added detections for reading/writing shadow file, password database (#949)

* added detections for reading/writing shadow file, password database
---
 .../get-password-database-entry-on-linux.yml | 7 ++++++-
 ...et-shadow-password-file-entry-on-linux.yml | 21 +++++++++++++++++++
 ...et-shadow-password-file-entry-on-linux.yml | 16 ++++++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 nursery/get-shadow-password-file-entry-on-linux.yml
 create mode 100644 nursery/set-shadow-password-file-entry-on-linux.yml

diff --git a/nursery/get-password-database-entry-on-linux.yml b/nursery/get-password-database-entry-on-linux.yml
index bd95e0e1..6e1a17c7 100644
--- a/nursery/get-password-database-entry-on-linux.yml
+++ b/nursery/get-password-database-entry-on-linux.yml
@@ -4,8 +4,9 @@ rule:
 namespace: host-interaction/session
 authors:
 - michael.hunhoff@mandiant.com
+ - jonathanlepore@google.com
 scopes:
- static: basic block
+ static: instruction
 dynamic: call
 features:
 - and:
@@ -17,3 +18,7 @@ rule:
 - api: getpwuid_r
 - api: getpwnam
 - api: getpwnam_r
+ - api: getpwent
+ - api: fgetpwent
+ - api: getpwent_r
+ - api: fgetpwent_r
diff --git a/nursery/get-shadow-password-file-entry-on-linux.yml b/nursery/get-shadow-password-file-entry-on-linux.yml
new file mode 100644
index 00000000..6a6c2d76
--- /dev/null
+++ b/nursery/get-shadow-password-file-entry-on-linux.yml
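Review bot: The four `api:` lines added in the second hunk change what the rule means without the meta saying so: `getpwent`/`getpwent_r` enumerate the whole password database rather than fetching one entry, and `fgetpwent`/`fgetpwent_r` parse passwd-format records from whatever stream the caller opens, which need not be the system database at all. A `description:` under `meta` along the lines of `description: matches single-entry lookups (getpw*) as well as full enumeration (getpwent) and parsing of passwd-format data from an arbitrary stream (fgetpwent)` would stop analysts from over-reading a hit. The `or:` list these lines extend begins outside the hunk, so I cannot see whether the file already carries a `description:` or `references:` entry. Since enumeration loops are conventionally opened with `setpwent`, `- api: setpwent` may be worth listing next to `getpwent` so the loop is caught even when the iterator itself is resolved indirectly.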
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: get shadow password file entry on Linux
+ namespace: collection
+ authors:
+ - jonathanlepore@google.com
+ scopes:
+ static: instruction
+ dynamic: call
+ references:
+ - https://manpages.ubuntu.com/manpages/noble/man3/getspent.3.html
+ features:
+ - and:
+ - os: linux
+ - or:
+ - api: getspent
+ - api: getspent_r
+ - api: fgetspent
+ - api: fgetspent_r
+ - api: getspnam
+ - api: getspnam_r
diff --git a/nursery/set-shadow-password-file-entry-on-linux.yml b/nursery/set-shadow-password-file-entry-on-linux.yml
new file mode 100644
index 00000000..604c3992
--- /dev/null
+++ b/nursery/set-shadow-password-file-entry-on-linux.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: set shadow password file entry on Linux
+ namespace: host-interaction/file-system/write
+ authors:
+ - jonathanlepore@google.com
+ scopes:
+ static: instruction
+ dynamic: call
+ references:
+ - https://manpages.ubuntu.com/manpages/noble/man3/putspent.3.html
+ features:
+ - and:
+ - os: linux
+ - or:
+ - api: putspent
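Review bot: The new getter is filed under `namespace: collection` while its sibling in this same patch, `get-password-database-entry-on-linux.yml`, stays under `host-interaction/session` and the new setter goes under `host-interaction/file-system/write`; three rules for the same passwd/shadow API family in three namespaces will scatter them in capa's report and make the pair hard to find together. I would put the two getters in one namespace and note the choice in the commit message. The `meta` block also has no `description:`; because the `getsp*` functions only succeed with the privileges needed to read `/etc/shadow`, a line such as `description: reading shadow entries normally requires elevated privileges; a match suggests the sample expects to run as root` is useful triage context, and the `fgetspent` pair should be described as parsing shadow-format data from an arbitrary stream rather than the system file. If this rule is meant to leave the nursery, as I recall capa's lint will also want an `examples:` entry with a sample hash (placeholder: `examples: - <SAMPLE_SHA256>`).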
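Review bot: `putspent` only serialises an `spwd` record onto the `FILE*` it is handed; it does not open, lock or modify `/etc/shadow`, so the single `api: putspent` feature fires on any program that writes shadow-format lines to any stream (a temp file, a pipe, stdout) and the name "set shadow password file entry" overstates what was observed. A `description:` such as `description: writes a shadow-format record to a stream; does not by itself prove /etc/shadow was modified` would keep the match honest. Tools that genuinely rewrite the shadow file conventionally bracket the write with `lckpwdf`/`ulckpwdf`, so `- api: lckpwdf` under the same `or:` (or a companion rule) would capture the intended behaviour more directly than `putspent` alone. Namespace consistency with the two getter rules is raised on the preceding hunk.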