Linux User Add Execution
No violationsstackroxhighruntimeDetects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user.
- Rationale
- Users or groups added in run time can be used to take ownership of files and processes.
- Remediation
- Consider using a base image that doesn't have a shell such as SCRATCH or gcr.io/distroless. If not, modify your Dockerfile to use the exec form of CMD/ENTRYPOINT (["using braces"]) instead of the shell form (no braces)
CategoriesPrivilegesSystem Modification
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.2
- NIST SP 800-53 rev. 5
- AC-6SI-4
- PCI DSS 4.0
- 7.2.1
- SOC 2 2017 TSC
- CC6.1
Generated artifacts
1 of 5 targets supportedlinux-user-add-execution.yaml
- rule: linux-user-add-execution
desc: Detects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user.
condition: proc.name in ("useradd|adduser|usermod")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Linux User Add Execution)
priority: ERROR
source: syscall
tags:
- stackrox-import
- policy
- s
IR (canonical)
{
"id": "32081d8e-84cd-4d67-b016-fe481c55b93a",
"name": "Linux User Add Execution",
"description": "Detects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user.",
"rationale": "Users or groups added in run time can be used to take ownership of files and processes.",
"remediation": "Consider using a base image that doesn't have a shell such as SCRATCH or gcr.io/distroless. If not, modify your Dockerfile to use the exec form of CMD/ENTRYPOINT ([\"using braces\"]) instead of the shell form (no braces)",
"severity": "high",
"categories": [
"Privileges",
"System Modification"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [
{
"name": "machine-config-daemon",
"namespace": "openshift-machine-config-operator"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "process-name",
"values": [
"useradd|adduser|usermod"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "32081d8e-84cd-4d67-b016-fe481c55b93a",
"name": "Linux User Add Execution",
"description": "Detects when the 'useradd', 'adduser' or 'usermod' binary is executed, which can be used to add a new linux user.",
"rationale": "Users or groups added in run time can be used to take ownership of files and processes.",
"remediation": "Consider using a base image that doesn't have a shell such as SCRATCH or gcr.io/distroless. If not, modify your Dockerfile to use the exec form of CMD/ENTRYPOINT ([\"using braces\"]) instead of the shell form (no braces)",
"disabled": false,
"categories": [
"Privileges",
"System Modification"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [
{
"name": "Don't alert on deployment machine-config-daemon in openshift-machine-config-operator namespace",
"deployment": {
"name": "machine-config-daemon",
"scope": {
"cluster": "",
"namespace": "openshift-machine-config-operator",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "useradd|adduser|usermod"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0003",
"techniques": [
"T1098",
"T1136"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}