Back to catalog

Compiler Tool Execution

No violationsstackroxlowruntime

Alert when binaries used to compile software are executed at runtime

Rationale
Use of compilation tools during runtime indicates that new software may be being introduced into containers while they are running.
Remediation
Compile all necessary application code during the image build process. Avoid packaging software build tools in container images. Use your distribution's package manager to remove compilers and other build tools from images.
CategoriesPackage Management
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
CM-7
PCI DSS 4.0
2.2.4
SOC 2 2017 TSC
CC6.8

Generated artifacts

1 of 5 targets supported
compiler-tool-execution.yaml
- rule: compiler-tool-execution
  desc: Alert when binaries used to compile software are executed at runtime
  condition: proc.name in ("make|gcc|llc|llvm-.*")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Compiler Tool Execution)
  priority: NOTICE
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "101952d3-ec69-4ebe-bfa3-ff26b6e4c29d",
  "name": "Compiler Tool Execution",
  "description": "Alert when binaries used to compile software are executed at runtime",
  "rationale": "Use of compilation tools during runtime indicates that new software may be being introduced into containers while they are running.",
  "remediation": "Compile all necessary application code during the image build process. Avoid packaging software build tools in container images. Use your distribution's package manager to remove compilers and other build tools from images.",
  "severity": "low",
  "categories": [
    "Package Management"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "make|gcc|llc|llvm-.*"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "101952d3-ec69-4ebe-bfa3-ff26b6e4c29d",
  "name": "Compiler Tool Execution",
  "description": "Alert when binaries used to compile software are executed at runtime",
  "rationale": "Use of compilation tools during runtime indicates that new software may be being introduced into containers while they are running.",
  "remediation": "Compile all necessary application code during the image build process. Avoid packaging software build tools in container images. Use your distribution's package manager to remove compilers and other build tools from images.",
  "disabled": false,
  "categories": [
    "Package Management"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "make|gcc|llc|llvm-.*"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0008",
      "techniques": [
        "T1570"
      ]
    },
    {
      "tactic": "TA0011",
      "techniques": [
        "T1105"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}