Back to catalog

Ubuntu Package Manager in Image

No violationsstackroxlowbuilddeploy

Alert on deployments with components of the Debian/Ubuntu package management system in the image.

Rationale
Package managers make it easier for attackers to use compromised containers, since they can easily add software.
Remediation
Run `dpkg -r --force-all apt apt-get && dpkg -r --force-all debconf dpkg` in the image build for production containers.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.16.3.2

Generated artifacts

1 of 5 targets supported
ubuntu-package-manager-in-image.rego
# Ubuntu Package Manager in Image (trivy)
# severity: low
# source: stackrox/74cfb824-2e65-46b7-b1b4-ba897e53af1f
package trivy.ubuntu_package_manager_in_image

deny[msg] {
  # rule 1
  some p
  p := input.Packages[_]
  p.Name == {"apt|dpkg"}[_]
  msg := "[low] Ubuntu Package Manager in Image: Alert on deployments with components of the Debian/Ubuntu package management system in the image."
}
IR (canonical)
{
  "id": "74cfb824-2e65-46b7-b1b4-ba897e53af1f",
  "name": "Ubuntu Package Manager in Image",
  "description": "Alert on deployments with components of the Debian/Ubuntu package management system in the image.",
  "rationale": "Package managers make it easier for attackers to use compromised containers, since they can easily add software.",
  "remediation": "Run `dpkg -r --force-all apt apt-get && dpkg -r --force-all debconf dpkg` in the image build for production containers.",
  "severity": "low",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "csi-azurefile-node-win",
      "namespace": "kube-system"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "image-component",
    "values": [
      "apt|dpkg="
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "74cfb824-2e65-46b7-b1b4-ba897e53af1f",
  "name": "Ubuntu Package Manager in Image",
  "description": "Alert on deployments with components of the Debian/Ubuntu package management system in the image.",
  "rationale": "Package managers make it easier for attackers to use compromised containers, since they can easily add software.",
  "remediation": "Run `dpkg -r --force-all apt apt-get && dpkg -r --force-all debconf dpkg` in the image build for production containers.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on deployment csi-azurefile-node-win in kube-system namespace",
      "deployment": {
        "name": "csi-azurefile-node-win",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Image Component",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "apt|dpkg="
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}