Back to catalog

Unauthorized Process Execution

No violationsstackroxhighruntime

This policy generates a violation for any process execution that is not explicitly allowed by a locked process baseline for a given container specification within a Kubernetes deployment.

Rationale
A locked process baseline communicates high confidence that execution of a process not included in the baseline positively indicates malicious activity.
Remediation
Evaluate this process execution for malicious intent, examine other accessible resources for abnormal activity, then kill the pod in which this process executed.
CategoriesAnomalous Activity
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 10.1
ISO/IEC 27001 2022
A.8.16
NIST SP 800-53 rev. 5
SI-4
PCI DSS 4.0
5.3.2
SOC 2 2017 TSC
CC7.2

Generated artifacts

1 of 5 targets supported
unauthorized-process-execution.yaml
- rule: unauthorized-process-execution
  desc: This policy generates a violation for any process execution that is not explicitly allowed by a locked process baseline for a given container specification within a Kubernetes deployment.
  condition: spawned_process and not proc.name in (known_processes)
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Unauthorized Process Execution)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "89cae2e6-0cb7-4329-8692-c2c3717c1237",
  "name": "Unauthorized Process Execution",
  "description": "This policy generates a violation for any process execution that is not explicitly allowed by a locked process baseline for a given container specification within a Kubernetes deployment.",
  "rationale": "A locked process baseline communicates high confidence that execution of a process not included in the baseline positively indicates malicious activity.",
  "remediation": "Evaluate this process execution for malicious intent, examine other accessible resources for abnormal activity, then kill the pod in which this process executed.",
  "severity": "high",
  "categories": [
    "Anomalous Activity"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "unexpected-process-executed",
    "values": [
      "true"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "89cae2e6-0cb7-4329-8692-c2c3717c1237",
  "name": "Unauthorized Process Execution",
  "description": "This policy generates a violation for any process execution that is not explicitly allowed by a locked process baseline for a given container specification within a Kubernetes deployment.",
  "rationale": "A locked process baseline communicates high confidence that execution of a process not included in the baseline positively indicates malicious activity.",
  "remediation": "Evaluate this process execution for malicious intent, examine other accessible resources for abnormal activity, then kill the pod in which this process executed.",
  "disabled": false,
  "categories": [
    "Anomalous Activity"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Unexpected Process Executed",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "true"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}