Back to catalog

Linux User Add Execution

No violationsstackroxhighruntime

Detects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user.

Rationale
Users or groups added in run time can be used to take ownership of files and processes.
Remediation
Consider using a base image that doesn't have a shell such as SCRATCH or gcr.io/distroless. If not, modify your Dockerfile to use the exec form of CMD/ENTRYPOINT (["using braces"]) instead of the shell form (no braces)
CategoriesPrivilegesSystem Modification
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.2
NIST SP 800-53 rev. 5
AC-6SI-4
PCI DSS 4.0
7.2.1
SOC 2 2017 TSC
CC6.1

Generated artifacts

1 of 5 targets supported
linux-user-add-execution.yaml
- rule: linux-user-add-execution
  desc: Detects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user.
  condition: proc.name in ("useradd|adduser|usermod")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Linux User Add Execution)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
    - s
IR (canonical)
{
  "id": "32081d8e-84cd-4d67-b016-fe481c55b93a",
  "name": "Linux User Add Execution",
  "description": "Detects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user.",
  "rationale": "Users or groups added in run time can be used to take ownership of files and processes.",
  "remediation": "Consider using a base image that doesn't have a shell such as SCRATCH or gcr.io/distroless. If not, modify your Dockerfile to use the exec form of CMD/ENTRYPOINT ([\"using braces\"]) instead of the shell form (no braces)",
  "severity": "high",
  "categories": [
    "Privileges",
    "System Modification"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [
    {
      "name": "machine-config-daemon",
      "namespace": "openshift-machine-config-operator"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "useradd|adduser|usermod"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "32081d8e-84cd-4d67-b016-fe481c55b93a",
  "name": "Linux User Add Execution",
  "description": "Detects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user.",
  "rationale": "Users or groups added in run time can be used to take ownership of files and processes.",
  "remediation": "Consider using a base image that doesn't have a shell such as SCRATCH or gcr.io/distroless. If not, modify your Dockerfile to use the exec form of CMD/ENTRYPOINT ([\"using braces\"]) instead of the shell form (no braces)",
  "disabled": false,
  "categories": [
    "Privileges",
    "System Modification"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [
    {
      "name": "Don't alert on deployment machine-config-daemon in openshift-machine-config-operator namespace",
      "deployment": {
        "name": "machine-config-daemon",
        "scope": {
          "cluster": "",
          "namespace": "openshift-machine-config-operator",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "useradd|adduser|usermod"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0003",
      "techniques": [
        "T1098",
        "T1136"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}