Back to catalog

Process with UID 0

No violationsstackroxhighruntime

Alert on deployments that contain processes running with UID 0

Rationale
Processes that are running with UID 0 run as the root user. This can allow for unintended privilege escalation if a container mounts host directories that are owned by the host's root user
Remediation
Specify the USER instruction in the Docker image or the runAsUser field within the Pod Security Context
CategoriesDevOps Best PracticesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1
SOC 2 2017 TSC
CC8.1

Generated artifacts

1 of 5 targets supported
process-with-uid-0.yaml
- rule: process-with-uid-0
  desc: Alert on deployments that contain processes running with UID 0
  condition: user.uid in ("0")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Process with UID 0)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
    - s
IR (canonical)
{
  "id": "7760a5f3-bca4-4ca8-94a7-ad89edbc0e2c",
  "name": "Process with UID 0",
  "description": "Alert on deployments that contain processes running with UID 0",
  "rationale": "Processes that are running with UID 0 run as the root user. This can allow for unintended privilege escalation if a container mounts host directories that are owned by the host's root user",
  "remediation": "Specify the USER instruction in the Docker image or the runAsUser field within the Pod Security Context",
  "severity": "high",
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "namespace": "kube-system"
    },
    {
      "name": "Don't alert on istio-system namespace",
      "namespace": "istio-system"
    },
    {
      "name": "Don't alert on StackRox Namespace",
      "namespace": "stackrox"
    },
    {
      "name": "Don't alert on istio-system namespace",
      "namespace": "istio-system"
    },
    {
      "name": "aide-worker-fileintegrity",
      "namespace": "openshift-file-integrity"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-uid",
    "values": [
      "0"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "7760a5f3-bca4-4ca8-94a7-ad89edbc0e2c",
  "name": "Process with UID 0",
  "description": "Alert on deployments that contain processes running with UID 0",
  "rationale": "Processes that are running with UID 0 run as the root user. This can allow for unintended privilege escalation if a container mounts host directories that are owned by the host's root user",
  "remediation": "Specify the USER instruction in the Docker image or the runAsUser field within the Pod Security Context",
  "disabled": true,
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on istio-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "istio-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on StackRox Namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on istio-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "istio-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment aide-worker-fileintegrity in namespace openshift-file-integrity",
      "deployment": {
        "name": "aide-worker-fileintegrity",
        "scope": {
          "cluster": "",
          "namespace": "openshift-file-integrity",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process UID",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "0"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}