Back to catalog

Shell Management

No violationsstackroxlowruntime

Commands that are used to add/remove a shell

Rationale
Shell management is not usually done at runtime
Remediation
Ensure that the base image used to create the Dockerfile doesn't have shell binaries packaged with it.
CategoriesSystem Modification
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
SI-4

Generated artifacts

1 of 5 targets supported
shell-management.yaml
- rule: shell-management
  desc: Commands that are used to add/remove a shell
  condition: proc.name in ("add-shell|remove-shell")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Shell Management)
  priority: NOTICE
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "1037940a-fc22-4f64-8784-b8f5bd1cc93f",
  "name": "Shell Management",
  "description": "Commands that are used to add/remove a shell",
  "rationale": "Shell management is not usually done at runtime",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have shell binaries packaged with it.",
  "severity": "low",
  "categories": [
    "System Modification"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "add-shell|remove-shell"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "1037940a-fc22-4f64-8784-b8f5bd1cc93f",
  "name": "Shell Management",
  "description": "Commands that are used to add/remove a shell",
  "rationale": "Shell management is not usually done at runtime",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have shell binaries packaged with it.",
  "disabled": true,
  "categories": [
    "System Modification"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "add-shell|remove-shell"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0002",
      "techniques": [
        "T1059.004"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}