diff --git a/nursery/get-password-database-entry-on-linux.yml b/nursery/get-password-database-entry-on-linux.yml
index bd95e0e1..63d7fbd7 100644
--- a/nursery/get-password-database-entry-on-linux.yml
+++ b/nursery/get-password-database-entry-on-linux.yml
@@ -4,6 +4,7 @@ rule:
 namespace: host-interaction/session
 authors:
 - michael.hunhoff@mandiant.com
+ - jonathanlepore@google.com
 scopes:
 static: basic block
 dynamic: call
@@ -17,3 +18,8 @@ rule:
 - api: getpwuid_r
 - api: getpwnam
 - api: getpwnam_r
+ - api: getpwent
+ - api: fgetpwent
+ - api: getpwent_r
+ - api: fgetpwent_r
+
diff --git a/nursery/get-shadow-password-file-entry-on-linux.yml b/nursery/get-shadow-password-file-entry-on-linux.yml
new file mode 100644
index 00000000..0077ebf6
--- /dev/null
+++ b/nursery/get-shadow-password-file-entry-on-linux.yml
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: get shadow password file entry on linux
+ namespace: collection
+ authors:
+ - jonathanlepore@google.com
+ scopes:
+ static: function
+ dynamic: call
+ references:
+ - https://manpages.ubuntu.com/manpages/noble/man3/getspent.3.html
+ features:
+ - and:
+ - os: linux
+ - or:
+ - api: getspent
+ - api: getspent_r
+ - api: fgetspent
+ - api: fgetspent_r
+ - api: getspnam
+ - api: getspnam_r
diff --git a/nursery/set-shadow-password-file-entry-on-linux.yml b/nursery/set-shadow-password-file-entry-on-linux.yml
new file mode 100644
index 00000000..a0f52db3
--- /dev/null
+++ b/nursery/set-shadow-password-file-entry-on-linux.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: set shadow password file entry on linux
+ namespace: host-interaction/file-system/write
+ authors:
+ - jonathanlepore@google.com
+ scopes:
+ static: function
+ dynamic: call
+ references:
+ - https://manpages.ubuntu.com/manpages/noble/man3/putspent.3.html
+ features:
+ - and:
+ - os: linux
+ - or:
+ - api: putspent
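Review bot: The last added line of the second hunk in get-password-database-entry-on-linux.yml is an empty `+` line, which leaves a trailing blank line after `- api: fgetpwent_r`; drop it so the file ends on the last feature. Separately, `fgetpwent` and `fgetpwent_r` read from a caller-supplied stream, so a hit on them shows passwd-format parsing and not necessarily a read of the system database. A YAML comment above those two entries, such as `# reads from a caller-supplied FILE stream, not necessarily /etc/passwd`, would tell analysts how to weigh the match. The rule's meta block between the two hunks is not visible here, so I cannot tell whether the references already cover the new functions.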
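Review bot: The new get-shadow-password-file-entry-on-linux.yml has no `att&ck` mapping in its meta block and uses the bare namespace `collection`, while its passwd sibling sits under `host-interaction/session`. Reading shadow entries is the behaviour analysts triage as credential access, so I would add `att&ck:` with `- Credential Access::OS Credential Dumping::/etc/passwd and /etc/shadow [T1003.008]` and pick a more specific sub-namespace before the rule leaves nursery. The rule only fires on the libc shadow API names, so a sample that opens and parses the shadow file itself will not match; a one-line `description:` saying so would set expectations for coverage.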
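Review bot: The name "set shadow password file entry on linux" in set-shadow-password-file-entry-on-linux.yml claims more than the single `- api: putspent` feature can show, because putspent writes a shadow-format record to whatever stream the caller passes. I would add a meta line such as `description: putspent writes a shadow-format entry to a caller-supplied stream; the target is not necessarily /etc/shadow`, so a hit is read as a lead rather than as proof of account tampering. With only one alternative, the `or:` wrapper is also redundant and `- api: putspent` could sit directly under `and:`, unless more APIs are planned.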