Policies
Catalog
Showing 88 of 88
| Policy | Source | Severity | Lifecycle | Targets | Apply |
|---|---|---|---|---|---|
| 30-Day Scan Age Alert on deployments with images that haven't been scanned in 30 days | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| 90-Day Image Age Alert on deployments with images that haven't been updated in 90 days | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| ADD Command used instead of COPY Alert on deployments using an ADD command | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Alpine Linux Package Manager (apk) in Image Alert on deployments with the Alpine Linux package manager (apk) present | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Alpine Linux Package Manager Execution Alert when the Alpine Linux package manager (apk) is executed at runtime | stackrox | low | runtime | kyvernogatekeeperregofalcotrivy | |
| Apache Struts: CVE-2017-5638 Alert on deployments with images containing Apache Struts vulnerability CVE-2017-5638 | stackrox | critical | builddeploy | kyvernogatekeeperregofalcotrivy | |
| CAP_SYS_ADMIN capability added Alert on deployments with containers escalating with CAP_SYS_ADMIN | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| chkconfig Execution Detected usage of the chkconfig service manager; typically this is not used within a container | stackrox | low | runtime | kyvernogatekeeperregofalcotrivy | |
| Compiler Tool Execution Alert when binaries used to compile software are executed at runtime | stackrox | low | runtime | kyvernogatekeeperregofalcotrivy | |
| Container using read-write root filesystem Alert on deployments with containers with read-write root filesystem | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Container with privilege escalation allowed Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context. | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| crontab Execution Detects the usage of the crontab scheduled jobs editor | stackrox | medium | runtime | kyvernogatekeeperregofalcotrivy | |
| Cryptocurrency Mining Process Execution Cryptocurrency mining process spawned | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Curl in Image Alert on deployments with curl present | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Deployments should have at least one ingress Network Policy Alerts if deployments are missing an ingress Network Policy | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Deployments with externally exposed endpoints Deployments with externally exposed endpoints represent a higher risk | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 4.1: Ensure That a User for the Container Has Been Created Containers should run as a non-root user | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches Images should be scanned frequently for any vulnerabilities. You should rebuild all images to include these patches and then instantiate new containers from them. | stackrox | medium | build | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 4.7: Alert on Update Instruction Ensure update instructions are not used alone in the Dockerfile | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu. | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 5.15: Ensure that the host's process namespace is not shared The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host. | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 5.16: Ensure that the host's IPC namespace is not shared IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated. | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 5.19: Ensure mount propagation mode is not enabled Mount propagation mode allows mounting container volumes in Bidirectional, Host to Container, and None modes. Do not use Bidirectional mount propagation mode unless explicitly needed. | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 5.21: Ensure the default seccomp profile is not disabled Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others. | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 5.7: Ensure privileged ports are not mapped within containers The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports. | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared When HostNetwork is enabled the container is not placed inside a separate network stack. The container's networking is not containerized when this option is applied. The consequence of this is that the container has full access to the host's network interfaces. It also enables a shared UTS namespace. The UTS namespace provides isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host. | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Drop All Capabilities Alert when a deployment does not drop all capabilities. | stackrox | low | deploy | kyvernogatekeeperregofalcotrivy | |
| Emergency Deployment Annotation Alert on deployments that use the emergency annotation (e.g. "admission.stackrox.io/break-glass": "ticket-1234") to circumvent StackRox Admission Controller checks | stackrox | high | deploy | kyvernogatekeeperregofalcotrivy | |
| Environment Variable Contains Secret Alert on deployments with environment variables that contain 'SECRET' | stackrox | high | deploy | kyvernogatekeeperregofalcotrivy | |
| Fixable CVSS >= 6 and Privileged Alert on deployments running in privileged mode with fixable vulnerabilities with a CVSS of at least 6 | stackrox | high | deploy | kyvernogatekeeperregofalcotrivy | |
| Fixable CVSS >= 7 Alert on deployments with fixable vulnerabilities with a CVSS of at least 7 | stackrox | high | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Fixable Severity at least Important Alert on deployments with fixable vulnerabilities with a Severity Rating at least Important | stackrox | high | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Images with no scans Alert on deployments with images that have not been scanned | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Improper Usage of Orchestrator Secrets Volume Alert on deployments that use a Dockerfile with 'VOLUME /run/secrets' | stackrox | low | deploy | kyvernogatekeeperregofalcotrivy | |
| Insecure specified in CMD Alert on deployments using 'insecure' in the command | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| iptables Execution Detects execution of iptables; iptables is a deprecated way of managing network state in containers | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Iptables or nftables Executed in Privileged Container Alert on privileged pods that execute iptables or nftables | stackrox | critical | runtime | kyvernogatekeeperregofalcotrivy | |
| Kubernetes Actions: Exec into Pod Alerts when Kubernetes API receives request to execute command in container | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Kubernetes Actions: Port Forward to Pod Alerts when Kubernetes API receives port forward request | stackrox | medium | runtime | kyvernogatekeeperregofalcotrivy | |
| Kubernetes Dashboard Deployed Alert on the presence of the Kubernetes dashboard service | stackrox | low | deploy | kyvernogatekeeperregofalcotrivy | |
| Latest tag Alert on deployments with images using tag 'latest' | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Linux Group Add Execution Detects when the 'addgroup' or 'groupadd' binary is executed, which can be used to add a new linux group. | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Linux User Add Execution Detects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user. | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Log4Shell: log4j Remote Code Execution vulnerability Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2. | stackrox | critical | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Login Binaries Processes that indicate login attempts | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Mount Container Runtime Socket Alert on deployments with a volume mount on the container runtime socket | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Mounting Sensitive Host Directories Alert on deployments mounting sensitive host directories | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Netcat Execution Detected Detects execution of netcat in a container | stackrox | medium | runtime | kyvernogatekeeperregofalcotrivy | |
| Network Management Execution Detects execution of binaries that can be used to manipulate network configuration and management. | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| nmap Execution Alerts when the nmap process launches in a container during run time | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| No CPU request or memory limit specified Alert on deployments that have containers without CPU request or memory limit | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| OpenShift: Central Admin Secret Accessed Alert when the Central secret is accessed. | stackrox | medium | runtime | kyvernogatekeeperregofalcotrivy | |
| OpenShift: Kubeadmin Secret Accessed Alert when the kubeadmin secret is accessed | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| OpenShift: Kubernetes Secret Accessed by an Impersonated User Alert when user impersonation is used to access a secret within the cluster. | stackrox | medium | runtime | kyvernogatekeeperregofalcotrivy | |
| Password Binaries Processes that indicate attempts to change passwd | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Pod Service Account Token Automatically Mounted Protect pod default service account tokens from compromise by minimizing the mounting of the default service account token to only those pods whose application requires interaction with the Kubernetes API. | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Privileged Container Alert on deployments with containers running in privileged mode | stackrox | medium | deploy | kyvernogatekeeperregofalcotrivy | |
| Privileged Containers with Important and Critical Fixable CVEs Alert on containers running in privileged mode with important or critical fixable vulnerabilities | stackrox | high | deploy | kyvernogatekeeperregofalcotrivy | |
| Process Targeting Cluster Kubelet Endpoint Detects misuse of the healthz/kubelet API/heapster endpoint | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Process Targeting Cluster Kubernetes Docker Stats Endpoint Detects misuse of the Kubernetes docker stats endpoint | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Process Targeting Kubernetes Service Endpoint Detects misuse of the Kubernetes Service API endpoint | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Process with UID 0 Alert on deployments that contain processes running with UID 0 | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol Alert on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers. | stackrox | high | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Red Hat images must be signed by a Red Hat release key Alert when Red Hat images are not digitally signed by Red Hat | stackrox | high | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Red Hat Package Manager Execution Alert when Red Hat/Fedora/CentOS package manager programs are executed at runtime. | stackrox | low | runtime | kyvernogatekeeperregofalcotrivy | |
| Red Hat Package Manager in Image Alert on deployments with components of the Red Hat/Fedora/CentOS package management system. | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Remote File Copy Binary Execution Alert on deployments that execute a remote file copy tool | stackrox | medium | runtime | kyvernogatekeeperregofalcotrivy | |
| Required Annotation: Email Alert on deployments missing the 'email' annotation | stackrox | low | deploy | kyvernogatekeeperregofalcotrivy | |
| Required Annotation: Owner/Team Alert on deployments missing the 'owner' or 'team' annotation | stackrox | low | deploy | kyvernogatekeeperregofalcotrivy | |
| Required Image Label Alert on deployments with images missing the specified label. | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Required Label: Owner/Team Alert on deployments missing the 'owner' or 'team' label | stackrox | low | deploy | kyvernogatekeeperregofalcotrivy | |
| Secret Mounted as Environment Variable Alert on deployments with Kubernetes secret mounted as environment variable | stackrox | high | deploy | kyvernogatekeeperregofalcotrivy | |
| Secure Shell (ssh) Port Exposed Alert on deployments exposing port 22, commonly reserved for SSH access. | stackrox | high | deploy | kyvernogatekeeperregofalcotrivy | |
| Secure Shell (ssh) Port Exposed in Image Alert on deployments exposing port 22, commonly reserved for SSH access. | stackrox | high | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Secure Shell Server (sshd) Execution Detects container running the SSH daemon | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| SetUID Processes Processes that are known to use setuid binaries | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Shadow File Modification Processes that indicate attempts to modify shadow files | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Shell Management Commands that are used to add/remove a shell | stackrox | low | runtime | kyvernogatekeeperregofalcotrivy | |
| Shell Spawned by Java Application Detects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities Alert on deployments with images containing Spring4Shell vulnerability CVE-2022-22965 which affects the Spring MVC component and vulnerability CVE-2022-22963 which affects the Spring Cloud component. There are flaws in Spring Cloud Function (versions 3.1.6, 3.2.2 and older unsupported versions) and in Spring Framework (5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older unsupported versions). | stackrox | critical | builddeploy | kyvernogatekeeperregofalcotrivy | |
| systemctl Execution Detected usage of the systemctl service manager | stackrox | low | runtime | kyvernogatekeeperregofalcotrivy | |
| systemd Execution Detected usage of the systemd service manager | stackrox | low | runtime | kyvernogatekeeperregofalcotrivy | |
| Ubuntu Package Manager Execution Alert when Debian/Ubuntu package manager programs are executed at runtime | stackrox | low | runtime | kyvernogatekeeperregofalcotrivy | |
| Ubuntu Package Manager in Image Alert on deployments with components of the Debian/Ubuntu package management system in the image. | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Unauthorized Network Flow This policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set. | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Unauthorized Process Execution This policy generates a violation for any process execution that is not explicitly allowed by a locked process baseline for a given container specification within a Kubernetes deployment. | stackrox | high | runtime | kyvernogatekeeperregofalcotrivy | |
| Wget in Image Alert on deployments with wget present | stackrox | low | builddeploy | kyvernogatekeeperregofalcotrivy | |
| Require Signed Images All container images must carry a valid cosign signature. | custom | high | deploy | kyvernogatekeeperregofalcotrivy |