Back to catalog

SetUID Processes

No violationsstackroxhighruntime

Processes that are known to use setuid binaries

Rationale
setuid permits users to run certain programs with escalated privileges
Remediation
Ensure that the base image used to create the Dockerfile doesn't have setuid software packaged with it.
CategoriesSystem Modification
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
SI-4

Generated artifacts

1 of 5 targets supported
setuid-processes.yaml
- rule: setuid-processes
  desc: Processes that are known to use setuid binaries
  condition: proc.name in ("sshd|dbus-daemon-lau|ping|ping6|critical-stack-|pmmcli|filemng|PassengerAgent|bwrap|osdetect|nginxmng|sw-engine-fpm|start-stop-daem")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=SetUID Processes)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "98c8396e-3541-48b9-a30a-371c86a8f0ef",
  "name": "SetUID Processes",
  "description": "Processes that are known to use setuid binaries",
  "rationale": "setuid permits users to run certain programs with escalated privileges",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have setuid software packaged with it.",
  "severity": "high",
  "categories": [
    "System Modification"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "sshd|dbus-daemon-lau|ping|ping6|critical-stack-|pmmcli|filemng|PassengerAgent|bwrap|osdetect|nginxmng|sw-engine-fpm|start-stop-daem"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "98c8396e-3541-48b9-a30a-371c86a8f0ef",
  "name": "SetUID Processes",
  "description": "Processes that are known to use setuid binaries",
  "rationale": "setuid permits users to run certain programs with escalated privileges",
  "remediation": "Ensure that the base image used to create the Dockerfile doesn't have setuid software packaged with it.",
  "disabled": true,
  "categories": [
    "System Modification"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "sshd|dbus-daemon-lau|ping|ping6|critical-stack-|pmmcli|filemng|PassengerAgent|bwrap|osdetect|nginxmng|sw-engine-fpm|start-stop-daem"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0004",
      "techniques": [
        "T1548.001"
      ]
    },
    {
      "tactic": "TA0005",
      "techniques": [
        "T1548.001"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}