Back to catalog

Password Binaries

No violationsstackroxhighruntime

Processes that indicate attempts to change passwd

Rationale
Attempts to change password during runtime in containers is unusual
Remediation
Ensure that the base image used to create the Dockerfile doesn't have passwd binaries packaged with it.
CategoriesSystem Modification
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
SI-4

Generated artifacts

1 of 5 targets supported
password-binaries.yaml
- rule: password-binaries
  desc: Processes that indicate attempts to change passwd
  condition: proc.name in ("shadowconfig|grpck|pwunconv|grpconv|pwck|groupmod|vipw|pwconv|useradd|newusers|cppw|chpasswd|usermod|groupadd|groupdel|grpunconv|chgpasswd|userdel|chage|chsh|gpasswd|chfn|expiry|passwd|vigr|cpgr")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Password Binaries)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "1c224010-9e0b-41a8-be9a-a17c7040ce98",
  "name": "Password Binaries",
  "description": "Processes that indicate attempts to change passwd",
  "rationale": "Attempts to change password during runtime in containers is unusual",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have passwd binaries packaged with it.",
  "severity": "high",
  "categories": [
    "System Modification"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [
    {
      "name": "machine-config-daemon",
      "namespace": "openshift-machine-config-operator"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "shadowconfig|grpck|pwunconv|grpconv|pwck|groupmod|vipw|pwconv|useradd|newusers|cppw|chpasswd|usermod|groupadd|groupdel|grpunconv|chgpasswd|userdel|chage|chsh|gpasswd|chfn|expiry|passwd|vigr|cpgr"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "1c224010-9e0b-41a8-be9a-a17c7040ce98",
  "name": "Password Binaries",
  "description": "Processes that indicate attempts to change passwd",
  "rationale": "Attempts to change password during runtime in containers is unusual",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have passwd binaries packaged with it.",
  "disabled": true,
  "categories": [
    "System Modification"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [
    {
      "name": "Don't alert on deployment machine-config-daemon in openshift-machine-config-operator namespace",
      "deployment": {
        "name": "machine-config-daemon",
        "scope": {
          "cluster": "",
          "namespace": "openshift-machine-config-operator",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "shadowconfig|grpck|pwunconv|grpconv|pwck|groupmod|vipw|pwconv|useradd|newusers|cppw|chpasswd|usermod|groupadd|groupdel|grpunconv|chgpasswd|userdel|chage|chsh|gpasswd|chfn|expiry|passwd|vigr|cpgr"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0003",
      "techniques": [
        "T1098"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}