McAfee Enterprise Enterprise Security triggers on Auditbeat in /etc/passwd.xx

We are using Elasticsearch 7.16.2 on RHEL with McAfee Enterprise. Apparently an alarm has gone off, namely the PREVENT_MODIFICATION_PASSWORDFILES_LINUX rule because of Auditbeat supposedly attempting to modify /etc/passwd and a few derivatives, /etc/passwd.xx .

Searches here and on Google have returned nothing, so we're concerned whether this is a false positive with McAfee or if we have a serious issue with Auditbeat actually attempting to modify the files. We're currently waiting to see if McAfe can give us any more detailed information on why the block happened.

There's nothing in Auditbeat's modules that would be writing. There are parts of Auditbeat that monitor /etc/passwd and /etc/shadow. So there can be some read activity (like with the system/user module).

Yes, I know that Auditbeat shouldn't be writing to any files like that, so I just want to clarify that this is a false positive so that we as a community can know about it! At least this has just happened in one of our environments with a total of 9 machines overall, so we're inclined to think it's something specific to how something might be set up on this specific system.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.