Back to catalog

Shadow File Modification

No violationsstackroxhighruntime

Processes that indicate attempts to modify shadow files

Rationale
Attempts to change shadow file during runtime in containers is unusual
Remediation
Ensure that the base image used to create the Dockerfile doesn't have shadow utils packaged with it.
CategoriesSystem Modification
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
SI-4

Generated artifacts

1 of 5 targets supported
shadow-file-modification.yaml
- rule: shadow-file-modification
  desc: Processes that indicate attempts to modify shadow files
  condition: proc.name in ("chage|gpasswd|lastlog|newgrp|sg|adduser|deluser|chpasswd|groupadd|groupdel|addgroup|delgroup|groupmems|groupmod|grpck|grpconv|grpunconv|newusers|pwck|pwconv|pwunconv|useradd|userdel|usermod|vigr|vipw|unix_chkpwd")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Shadow File Modification)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "6e0239e1-f4ca-43d0-ad3f-79ec683db811",
  "name": "Shadow File Modification",
  "description": "Processes that indicate attempts to modify shadow files",
  "rationale": "Attempts to change shadow file during runtime in containers is unusual",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have shadow utils packaged with it.",
  "severity": "high",
  "categories": [
    "System Modification"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "chage|gpasswd|lastlog|newgrp|sg|adduser|deluser|chpasswd|groupadd|groupdel|addgroup|delgroup|groupmems|groupmod|grpck|grpconv|grpunconv|newusers|pwck|pwconv|pwunconv|useradd|userdel|usermod|vigr|vipw|unix_chkpwd"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "6e0239e1-f4ca-43d0-ad3f-79ec683db811",
  "name": "Shadow File Modification",
  "description": "Processes that indicate attempts to modify shadow files",
  "rationale": "Attempts to change shadow file during runtime in containers is unusual",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have shadow utils packaged with it.",
  "disabled": true,
  "categories": [
    "System Modification"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "chage|gpasswd|lastlog|newgrp|sg|adduser|deluser|chpasswd|groupadd|groupdel|addgroup|delgroup|groupmems|groupmod|grpck|grpconv|grpunconv|newusers|pwck|pwconv|pwunconv|useradd|userdel|usermod|vigr|vipw|unix_chkpwd"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0003",
      "techniques": [
        "T1098"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}