Back to catalog

Ubuntu Package Manager Execution

No violationsstackroxlowruntime

Alert when Debian/Ubuntu package manager programs are executed at runtime

Rationale
Use of package managers at runtime indicates that new software may be being introduced into containers while they are running.
Remediation
Run `dpkg -r --force-all apt && dpkg -r --force-all debconf dpkg` in the image build for production containers. Change applications to no longer use package managers at runtime, if applicable.
CategoriesPackage Management
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
CM-7
PCI DSS 4.0
2.2.4
SOC 2 2017 TSC
CC6.8

Generated artifacts

1 of 5 targets supported
ubuntu-package-manager-execution.yaml
- rule: ubuntu-package-manager-execution
  desc: Alert when Debian/Ubuntu package manager programs are executed at runtime
  condition: proc.name in ("apt-get|apt|dpkg")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Ubuntu Package Manager Execution)
  priority: NOTICE
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "d7a275e1-1bba-47e7-92a1-42340c759883",
  "name": "Ubuntu Package Manager Execution",
  "description": "Alert when Debian/Ubuntu package manager programs are executed at runtime",
  "rationale": "Use of package managers at runtime indicates that new software may be being introduced into containers while they are running.",
  "remediation": "Run `dpkg -r --force-all apt && dpkg -r --force-all debconf dpkg` in the image build for production containers. Change applications to no longer use package managers at runtime, if applicable.",
  "severity": "low",
  "categories": [
    "Package Management"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "apt-get|apt|dpkg"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "d7a275e1-1bba-47e7-92a1-42340c759883",
  "name": "Ubuntu Package Manager Execution",
  "description": "Alert when Debian/Ubuntu package manager programs are executed at runtime",
  "rationale": "Use of package managers at runtime indicates that new software may be being introduced into containers while they are running.",
  "remediation": "Run `dpkg -r --force-all apt && dpkg -r --force-all debconf dpkg` in the image build for production containers. Change applications to no longer use package managers at runtime, if applicable.",
  "disabled": false,
  "categories": [
    "Package Management"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "apt-get|apt|dpkg"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0011",
      "techniques": [
        "T1105"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}