Compiler Tool Execution
No violationsstackroxlowruntimeAlert when binaries used to compile software are executed at runtime
- Rationale
- Use of compilation tools during runtime indicates that new software may be being introduced into containers while they are running.
- Remediation
- Compile all necessary application code during the image build process. Avoid packaging software build tools in container images. Use your distribution's package manager to remove compilers and other build tools from images.
CategoriesPackage Management
Compliance mappingsView coverage →
- NIST SP 800-53 rev. 5
- CM-7
- PCI DSS 4.0
- 2.2.4
- SOC 2 2017 TSC
- CC6.8
Generated artifacts
1 of 5 targets supportedcompiler-tool-execution.yaml
- rule: compiler-tool-execution
desc: Alert when binaries used to compile software are executed at runtime
condition: proc.name in ("make|gcc|llc|llvm-.*")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Compiler Tool Execution)
priority: NOTICE
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "101952d3-ec69-4ebe-bfa3-ff26b6e4c29d",
"name": "Compiler Tool Execution",
"description": "Alert when binaries used to compile software are executed at runtime",
"rationale": "Use of compilation tools during runtime indicates that new software may be being introduced into containers while they are running.",
"remediation": "Compile all necessary application code during the image build process. Avoid packaging software build tools in container images. Use your distribution's package manager to remove compilers and other build tools from images.",
"severity": "low",
"categories": [
"Package Management"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "process-name",
"values": [
"make|gcc|llc|llvm-.*"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "101952d3-ec69-4ebe-bfa3-ff26b6e4c29d",
"name": "Compiler Tool Execution",
"description": "Alert when binaries used to compile software are executed at runtime",
"rationale": "Use of compilation tools during runtime indicates that new software may be being introduced into containers while they are running.",
"remediation": "Compile all necessary application code during the image build process. Avoid packaging software build tools in container images. Use your distribution's package manager to remove compilers and other build tools from images.",
"disabled": false,
"categories": [
"Package Management"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "make|gcc|llc|llvm-.*"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0008",
"techniques": [
"T1570"
]
},
{
"tactic": "TA0011",
"techniques": [
"T1105"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}