Back to catalog

crontab Execution

No violationsstackroxmediumruntime

Detects the usage of the crontab scheduled jobs editor

Rationale
Crontab running in a container with access to a shell makes it easier to 'clandestinely' schedule processes to run in order to better evade detection
Remediation
In Kubernetes, consider replacing your crontab with an orchestrator-native CronJob as part of Kube workload
CategoriesSystem Modification
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
SI-4

Generated artifacts

1 of 5 targets supported
crontab-execution.yaml
- rule: crontab-execution
  desc: Detects the usage of the crontab scheduled jobs editor
  condition: proc.name in ("anacron|cron|crond|crontab")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=crontab Execution)
  priority: WARNING
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "28f833df-eb14-4265-a4fe-4e5e8ce9d959",
  "name": "crontab Execution",
  "description": "Detects the usage of the crontab scheduled jobs editor",
  "rationale": "Crontab running in a container with access to a shell makes it easier to 'clandestinely' schedule processes to run in order to better evade detection",
  "remediation": "In Kubernetes, consider replacing your crontab with an orchestrator-native CronJob as part of Kube workload",
  "severity": "medium",
  "categories": [
    "System Modification"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "anacron|cron|crond|crontab"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "28f833df-eb14-4265-a4fe-4e5e8ce9d959",
  "name": "crontab Execution",
  "description": "Detects the usage of the crontab scheduled jobs editor",
  "rationale": "Crontab running in a container with access to a shell makes it easier to 'clandestinely' schedule processes to run in order to better evade detection",
  "remediation": "In Kubernetes, consider replacing your crontab with an orchestrator-native CronJob as part of Kube workload",
  "disabled": false,
  "categories": [
    "System Modification"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "anacron|cron|crond|crontab"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0003",
      "techniques": [
        "T1053.003"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}