Back to catalog

systemd Execution

No violationsstackroxlowruntime

Detected usage of the systemd service manager

Rationale
The systemd service manager is generally not used in containers, and its use could indicate suspicious activity
Remediation
Remove systemd from the image before deploying, or consider using a base image that doesn't bundle systemd
CategoriesSystem Modification
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
SI-4

Generated artifacts

1 of 5 targets supported
systemd-execution.yaml
- rule: systemd-execution
  desc: Detected usage of the systemd service manager
  condition: proc.name in ("systemd")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=systemd Execution)
  priority: NOTICE
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "b3335ee3-6f1e-4c3a-a0ad-7c249c25c750",
  "name": "systemd Execution",
  "description": "Detected usage of the systemd service manager",
  "rationale": "The systemd service manager is generally not used in containers, and its use could indicate suspicious activity",
  "remediation": "Remove systemd from the image before deploying, or consider using a base image that doesn't bundle systemd",
  "severity": "low",
  "categories": [
    "System Modification"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "systemd"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "b3335ee3-6f1e-4c3a-a0ad-7c249c25c750",
  "name": "systemd Execution",
  "description": "Detected usage of the systemd service manager",
  "rationale": "The systemd service manager is generally not used in containers, and its use could indicate suspicious activity",
  "remediation": "Remove systemd from the image before deploying, or consider using a base image that doesn't bundle systemd",
  "disabled": false,
  "categories": [
    "System Modification"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "systemd"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0003",
      "techniques": [
        "T1543.002"
      ]
    },
    {
      "tactic": "TA0004",
      "techniques": [
        "T1543.002"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}