Policies

Catalog

Showing 88 of 88

PolicySourceSeverityLifecycleTargetsApply
30-Day Scan Age
Alert on deployments with images that haven't been scanned in 30 days
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
90-Day Image Age
Alert on deployments with images that haven't been updated in 90 days
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
ADD Command used instead of COPY
Alert on deployments using an ADD command
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Alpine Linux Package Manager (apk) in Image
Alert on deployments with the Alpine Linux package manager (apk) present
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Alpine Linux Package Manager Execution
Alert when the Alpine Linux package manager (apk) is executed at runtime
stackroxlow
runtime
kyvernogatekeeperregofalcotrivy
Apache Struts: CVE-2017-5638
Alert on deployments with images containing Apache Struts vulnerability CVE-2017-5638
stackroxcritical
builddeploy
kyvernogatekeeperregofalcotrivy
CAP_SYS_ADMIN capability added
Alert on deployments with containers escalating with CAP_SYS_ADMIN
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
chkconfig Execution
Detected usage of the chkconfig service manager; typically this is not used within a container
stackroxlow
runtime
kyvernogatekeeperregofalcotrivy
Compiler Tool Execution
Alert when binaries used to compile software are executed at runtime
stackroxlow
runtime
kyvernogatekeeperregofalcotrivy
Container using read-write root filesystem
Alert on deployments with containers with read-write root filesystem
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Container with privilege escalation allowed
Alerts if a deployment has containers with allowPrivilegeEscalation set to true in its security context.
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
crontab Execution
Detects the usage of the crontab scheduled jobs editor
stackroxmedium
runtime
kyvernogatekeeperregofalcotrivy
Cryptocurrency Mining Process Execution
Cryptocurrency mining process spawned
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Curl in Image
Alert on deployments with curl present
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Deployments should have at least one ingress Network Policy
Alerts if deployments are missing an ingress Network Policy
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Deployments with externally exposed endpoints
Deployments with externally exposed endpoints represent a higher risk
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Docker CIS 4.1: Ensure That a User for the Container Has Been Created
Containers should run as a non-root user
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches
Images should be scanned frequently for any vulnerabilities. You should rebuild all images to include these patches and then instantiate new containers from them.
stackroxmedium
build
kyvernogatekeeperregofalcotrivy
Docker CIS 4.7: Alert on Update Instruction
Ensure update instructions are not used alone in the Dockerfile
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled
AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Docker CIS 5.15: Ensure that the host's process namespace is not shared
The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Docker CIS 5.16: Ensure that the host's IPC namespace is not shared
IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Docker CIS 5.19: Ensure mount propagation mode is not enabled
Mount propagation mode allows mounting container volumes in Bidirectional, Host to Container, and None modes. Do not use Bidirectional mount propagation mode unless explicitly needed.
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Docker CIS 5.21: Ensure the default seccomp profile is not disabled
Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Docker CIS 5.7: Ensure privileged ports are not mapped within containers
The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared
When HostNetwork is enabled the container is not placed inside a separate network stack. The container's networking is not containerized when this option is applied. The consequence of this is that the container has full access to the host's network interfaces. It also enables a shared UTS namespace. The UTS namespace provides isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Drop All Capabilities
Alert when a deployment does not drop all capabilities.
stackroxlow
deploy
kyvernogatekeeperregofalcotrivy
Emergency Deployment Annotation
Alert on deployments that use the emergency annotation (e.g. "admission.stackrox.io/break-glass": "ticket-1234") to circumvent StackRox Admission Controller checks
stackroxhigh
deploy
kyvernogatekeeperregofalcotrivy
Environment Variable Contains Secret
Alert on deployments with environment variables that contain 'SECRET'
stackroxhigh
deploy
kyvernogatekeeperregofalcotrivy
Fixable CVSS >= 6 and Privileged
Alert on deployments running in privileged mode with fixable vulnerabilities with a CVSS of at least 6
stackroxhigh
deploy
kyvernogatekeeperregofalcotrivy
Fixable CVSS >= 7
Alert on deployments with fixable vulnerabilities with a CVSS of at least 7
stackroxhigh
builddeploy
kyvernogatekeeperregofalcotrivy
Fixable Severity at least Important
Alert on deployments with fixable vulnerabilities with a Severity Rating at least Important
stackroxhigh
builddeploy
kyvernogatekeeperregofalcotrivy
Images with no scans
Alert on deployments with images that have not been scanned
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Improper Usage of Orchestrator Secrets Volume
Alert on deployments that use a Dockerfile with 'VOLUME /run/secrets'
stackroxlow
deploy
kyvernogatekeeperregofalcotrivy
Insecure specified in CMD
Alert on deployments using 'insecure' in the command
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
iptables Execution
Detects execution of iptables; iptables is a deprecated way of managing network state in containers
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Iptables or nftables Executed in Privileged Container
Alert on privileged pods that execute iptables or nftables
stackroxcritical
runtime
kyvernogatekeeperregofalcotrivy
Kubernetes Actions: Exec into Pod
Alerts when Kubernetes API receives request to execute command in container
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Kubernetes Actions: Port Forward to Pod
Alerts when Kubernetes API receives port forward request
stackroxmedium
runtime
kyvernogatekeeperregofalcotrivy
Kubernetes Dashboard Deployed
Alert on the presence of the Kubernetes dashboard service
stackroxlow
deploy
kyvernogatekeeperregofalcotrivy
Latest tag
Alert on deployments with images using tag 'latest'
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Linux Group Add Execution
Detects when the 'addgroup' or 'groupadd' binary is executed, which can be used to add a new linux group.
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Linux User Add Execution
Detects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user.
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Log4Shell: log4j Remote Code Execution vulnerability
Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.
stackroxcritical
builddeploy
kyvernogatekeeperregofalcotrivy
Login Binaries
Processes that indicate login attempts
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Mount Container Runtime Socket
Alert on deployments with a volume mount on the container runtime socket
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Mounting Sensitive Host Directories
Alert on deployments mounting sensitive host directories
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Netcat Execution Detected
Detects execution of netcat in a container
stackroxmedium
runtime
kyvernogatekeeperregofalcotrivy
Network Management Execution
Detects execution of binaries that can be used to manipulate network configuration and management.
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
nmap Execution
Alerts when the nmap process launches in a container during run time
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
No CPU request or memory limit specified
Alert on deployments that have containers without CPU request or memory limit
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
OpenShift: Central Admin Secret Accessed
Alert when the Central secret is accessed.
stackroxmedium
runtime
kyvernogatekeeperregofalcotrivy
OpenShift: Kubeadmin Secret Accessed
Alert when the kubeadmin secret is accessed
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
OpenShift: Kubernetes Secret Accessed by an Impersonated User
Alert when user impersonation is used to access a secret within the cluster.
stackroxmedium
runtime
kyvernogatekeeperregofalcotrivy
Password Binaries
Processes that indicate attempts to change passwd
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Pod Service Account Token Automatically Mounted
Protect pod default service account tokens from compromise by minimizing the mounting of the default service account token to only those pods whose application requires interaction with the Kubernetes API.
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Privileged Container
Alert on deployments with containers running in privileged mode
stackroxmedium
deploy
kyvernogatekeeperregofalcotrivy
Privileged Containers with Important and Critical Fixable CVEs
Alert on containers running in privileged mode with important or critical fixable vulnerabilities
stackroxhigh
deploy
kyvernogatekeeperregofalcotrivy
Process Targeting Cluster Kubelet Endpoint
Detects misuse of the healthz/kubelet API/heapster endpoint
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Process Targeting Cluster Kubernetes Docker Stats Endpoint
Detects misuse of the Kubernetes docker stats endpoint
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Process Targeting Kubernetes Service Endpoint
Detects misuse of the Kubernetes Service API endpoint
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Process with UID 0
Alert on deployments that contain processes running with UID 0
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol
Alert on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers.
stackroxhigh
builddeploy
kyvernogatekeeperregofalcotrivy
Red Hat images must be signed by a Red Hat release key
Alert when Red Hat images are not digitally signed by Red Hat
stackroxhigh
builddeploy
kyvernogatekeeperregofalcotrivy
Red Hat Package Manager Execution
Alert when Red Hat/Fedora/CentOS package manager programs are executed at runtime.
stackroxlow
runtime
kyvernogatekeeperregofalcotrivy
Red Hat Package Manager in Image
Alert on deployments with components of the Red Hat/Fedora/CentOS package management system.
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Remote File Copy Binary Execution
Alert on deployments that execute a remote file copy tool
stackroxmedium
runtime
kyvernogatekeeperregofalcotrivy
Required Annotation: Email
Alert on deployments missing the 'email' annotation
stackroxlow
deploy
kyvernogatekeeperregofalcotrivy
Required Annotation: Owner/Team
Alert on deployments missing the 'owner' or 'team' annotation
stackroxlow
deploy
kyvernogatekeeperregofalcotrivy
Required Image Label
Alert on deployments with images missing the specified label.
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Required Label: Owner/Team
Alert on deployments missing the 'owner' or 'team' label
stackroxlow
deploy
kyvernogatekeeperregofalcotrivy
Secret Mounted as Environment Variable
Alert on deployments with Kubernetes secret mounted as environment variable
stackroxhigh
deploy
kyvernogatekeeperregofalcotrivy
Secure Shell (ssh) Port Exposed
Alert on deployments exposing port 22, commonly reserved for SSH access.
stackroxhigh
deploy
kyvernogatekeeperregofalcotrivy
Secure Shell (ssh) Port Exposed in Image
Alert on deployments exposing port 22, commonly reserved for SSH access.
stackroxhigh
builddeploy
kyvernogatekeeperregofalcotrivy
Secure Shell Server (sshd) Execution
Detects container running the SSH daemon
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
SetUID Processes
Processes that are known to use setuid binaries
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Shadow File Modification
Processes that indicate attempts to modify shadow files
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Shell Management
Commands that are used to add/remove a shell
stackroxlow
runtime
kyvernogatekeeperregofalcotrivy
Shell Spawned by Java Application
Detects execution of shell (bash/csh/sh/zsh) as a subprocess of a java application
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities
Alert on deployments with images containing Spring4Shell vulnerability CVE-2022-22965 which affects the Spring MVC component and vulnerability CVE-2022-22963 which affects the Spring Cloud component. There are flaws in Spring Cloud Function (versions 3.1.6, 3.2.2 and older unsupported versions) and in Spring Framework (5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older unsupported versions).
stackroxcritical
builddeploy
kyvernogatekeeperregofalcotrivy
systemctl Execution
Detected usage of the systemctl service manager
stackroxlow
runtime
kyvernogatekeeperregofalcotrivy
systemd Execution
Detected usage of the systemd service manager
stackroxlow
runtime
kyvernogatekeeperregofalcotrivy
Ubuntu Package Manager Execution
Alert when Debian/Ubuntu package manager programs are executed at runtime
stackroxlow
runtime
kyvernogatekeeperregofalcotrivy
Ubuntu Package Manager in Image
Alert on deployments with components of the Debian/Ubuntu package management system in the image.
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Unauthorized Network Flow
This policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set.
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Unauthorized Process Execution
This policy generates a violation for any process execution that is not explicitly allowed by a locked process baseline for a given container specification within a Kubernetes deployment.
stackroxhigh
runtime
kyvernogatekeeperregofalcotrivy
Wget in Image
Alert on deployments with wget present
stackroxlow
builddeploy
kyvernogatekeeperregofalcotrivy
Require Signed Images
All container images must carry a valid cosign signature.
customhigh
deploy
kyvernogatekeeperregofalcotrivy