Red Hat Package Manager Execution
No violationsstackroxlowruntimeAlert when Red Hat/Fedora/CentOS package manager programs are executed at runtime.
- Rationale
- Use of package managers at runtime indicates that new software may be being introduced into containers while they are running.
- Remediation
- Run `rpm -e --nodeps $(rpm -qa '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')` in the image build for production containers. Change applications to no longer use package managers at runtime, if applicable.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
Generated artifacts
1 of 5 targets supportedred-hat-package-manager-execution.yaml
- rule: red-hat-package-manager-execution
desc: Alert when Red Hat/Fedora/CentOS package manager programs are executed at runtime.
condition: proc.name in ("rpm|microdnf|dnf|yum")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Red Hat Package Manager Execution)
priority: NOTICE
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "ddb7af9c-5ec1-45e1-a0cf-c36e3ef2b2ce",
"name": "Red Hat Package Manager Execution",
"description": "Alert when Red Hat/Fedora/CentOS package manager programs are executed at runtime.",
"rationale": "Use of package managers at runtime indicates that new software may be being introduced into containers while they are running.",
"remediation": "Run `rpm -e --nodeps $(rpm -qa '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')` in the image build for production containers. Change applications to no longer use package managers at runtime, if applicable.",
"severity": "low",
"categories": [
"Security Best Practices"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [
{
"name": "scanner",
"labelKey": "app.kubernetes.io/name",
"labelValue": "stackrox"
},
{
"name": "collector",
"labelKey": "app.kubernetes.io/name",
"labelValue": "stackrox"
},
{
"name": "Don't alert on openshift-compliance namespace",
"namespace": "openshift-compliance"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "process-name",
"values": [
"rpm|microdnf|dnf|yum"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "ddb7af9c-5ec1-45e1-a0cf-c36e3ef2b2ce",
"name": "Red Hat Package Manager Execution",
"description": "Alert when Red Hat/Fedora/CentOS package manager programs are executed at runtime.",
"rationale": "Use of package managers at runtime indicates that new software may be being introduced into containers while they are running.",
"remediation": "Run `rpm -e --nodeps $(rpm -qa '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')` in the image build for production containers. Change applications to no longer use package managers at runtime, if applicable.",
"disabled": false,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [
{
"name": "Don't alert on StackRox scanner",
"deployment": {
"name": "scanner",
"scope": {
"cluster": "",
"namespace": "",
"label": {
"key": "app.kubernetes.io/name",
"value": "stackrox"
}
}
},
"image": null
},
{
"name": "Don't alert on StackRox collector",
"deployment": {
"name": "collector",
"scope": {
"cluster": "",
"namespace": "",
"label": {
"key": "app.kubernetes.io/name",
"value": "stackrox"
}
}
},
"image": null
},
{
"name": "Don't alert on openshift-compliance namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-compliance",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "rpm|microdnf|dnf|yum"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0011",
"techniques": [
"T1105"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}