Process with UID 0
No violationsstackroxhighruntimeAlert on deployments that contain processes running with UID 0
- Rationale
- Processes that are running with UID 0 run as the root user. This can allow for unintended privilege escalation if a container mounts host directories that are owned by the host's root user
- Remediation
- Specify the USER instruction in the Docker image or the runAsUser field within the Pod Security Context
CategoriesDevOps Best PracticesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.25A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
- SOC 2 2017 TSC
- CC8.1
Generated artifacts
1 of 5 targets supportedprocess-with-uid-0.yaml
- rule: process-with-uid-0
desc: Alert on deployments that contain processes running with UID 0
condition: user.uid in ("0")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Process with UID 0)
priority: ERROR
source: syscall
tags:
- stackrox-import
- policy
- s
IR (canonical)
{
"id": "7760a5f3-bca4-4ca8-94a7-ad89edbc0e2c",
"name": "Process with UID 0",
"description": "Alert on deployments that contain processes running with UID 0",
"rationale": "Processes that are running with UID 0 run as the root user. This can allow for unintended privilege escalation if a container mounts host directories that are owned by the host's root user",
"remediation": "Specify the USER instruction in the Docker image or the runAsUser field within the Pod Security Context",
"severity": "high",
"categories": [
"DevOps Best Practices",
"Security Best Practices"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"namespace": "kube-system"
},
{
"name": "Don't alert on istio-system namespace",
"namespace": "istio-system"
},
{
"name": "Don't alert on StackRox Namespace",
"namespace": "stackrox"
},
{
"name": "Don't alert on istio-system namespace",
"namespace": "istio-system"
},
{
"name": "aide-worker-fileintegrity",
"namespace": "openshift-file-integrity"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "process-uid",
"values": [
"0"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "7760a5f3-bca4-4ca8-94a7-ad89edbc0e2c",
"name": "Process with UID 0",
"description": "Alert on deployments that contain processes running with UID 0",
"rationale": "Processes that are running with UID 0 run as the root user. This can allow for unintended privilege escalation if a container mounts host directories that are owned by the host's root user",
"remediation": "Specify the USER instruction in the Docker image or the runAsUser field within the Pod Security Context",
"disabled": true,
"categories": [
"DevOps Best Practices",
"Security Best Practices"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on istio-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "istio-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on StackRox Namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on istio-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "istio-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment aide-worker-fileintegrity in namespace openshift-file-integrity",
"deployment": {
"name": "aide-worker-fileintegrity",
"scope": {
"cluster": "",
"namespace": "openshift-file-integrity",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process UID",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "0"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}