Login Binaries
No violationsstackroxhighruntimeProcesses that indicate login attempts
- Rationale
- Login processes at runtime are unusual in a container
- Remediation
- Ensure that the base image used to create the Dockerfile doesn't have login binaries packaged with it.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
Generated artifacts
1 of 5 targets supportedlogin-binaries.yaml
- rule: login-binaries
desc: Processes that indicate login attempts
condition: proc.name in ("login|systemd|systemd|systemd-logind|gosu|su|nologin|faillog|lastlog|newgrp|sg")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Login Binaries)
priority: ERROR
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "1c4e2cab-ce24-4e2a-9a66-f61028e79931",
"name": "Login Binaries",
"description": "Processes that indicate login attempts",
"rationale": "Login processes at runtime are unusual in a container",
"remediation": "Ensure that the base image used to create the Dockerfile doesn't have login binaries packaged with it.",
"severity": "high",
"categories": [
"Security Best Practices"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "process-name",
"values": [
"login|systemd|systemd|systemd-logind|gosu|su|nologin|faillog|lastlog|newgrp|sg"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "1c4e2cab-ce24-4e2a-9a66-f61028e79931",
"name": "Login Binaries",
"description": "Processes that indicate login attempts",
"rationale": "Login processes at runtime are unusual in a container",
"remediation": "Ensure that the base image used to create the Dockerfile doesn't have login binaries packaged with it.",
"disabled": true,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "login|systemd|systemd|systemd-logind|gosu|su|nologin|faillog|lastlog|newgrp|sg"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0004",
"techniques": [
"T1548"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}