Back to catalog

Red Hat Package Manager Execution

No violationsstackroxlowruntime

Alert when Red Hat/Fedora/CentOS package manager programs are executed at runtime.

Rationale
Use of package managers at runtime indicates that new software may be being introduced into containers while they are running.
Remediation
Run `rpm -e --nodeps $(rpm -qa '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')` in the image build for production containers. Change applications to no longer use package managers at runtime, if applicable.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1

Generated artifacts

1 of 5 targets supported
red-hat-package-manager-execution.yaml
- rule: red-hat-package-manager-execution
  desc: Alert when Red Hat/Fedora/CentOS package manager programs are executed at runtime.
  condition: proc.name in ("rpm|microdnf|dnf|yum")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Red Hat Package Manager Execution)
  priority: NOTICE
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "ddb7af9c-5ec1-45e1-a0cf-c36e3ef2b2ce",
  "name": "Red Hat Package Manager Execution",
  "description": "Alert when Red Hat/Fedora/CentOS package manager programs are executed at runtime.",
  "rationale": "Use of package managers at runtime indicates that new software may be being introduced into containers while they are running.",
  "remediation": "Run `rpm -e --nodeps $(rpm -qa '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')` in the image build for production containers. Change applications to no longer use package managers at runtime, if applicable.",
  "severity": "low",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [
    {
      "name": "scanner",
      "labelKey": "app.kubernetes.io/name",
      "labelValue": "stackrox"
    },
    {
      "name": "collector",
      "labelKey": "app.kubernetes.io/name",
      "labelValue": "stackrox"
    },
    {
      "name": "Don't alert on openshift-compliance namespace",
      "namespace": "openshift-compliance"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "rpm|microdnf|dnf|yum"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "ddb7af9c-5ec1-45e1-a0cf-c36e3ef2b2ce",
  "name": "Red Hat Package Manager Execution",
  "description": "Alert when Red Hat/Fedora/CentOS package manager programs are executed at runtime.",
  "rationale": "Use of package managers at runtime indicates that new software may be being introduced into containers while they are running.",
  "remediation": "Run `rpm -e --nodeps $(rpm -qa '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')` in the image build for production containers. Change applications to no longer use package managers at runtime, if applicable.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [
    {
      "name": "Don't alert on StackRox scanner",
      "deployment": {
        "name": "scanner",
        "scope": {
          "cluster": "",
          "namespace": "",
          "label": {
            "key": "app.kubernetes.io/name",
            "value": "stackrox"
          }
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on StackRox collector",
      "deployment": {
        "name": "collector",
        "scope": {
          "cluster": "",
          "namespace": "",
          "label": {
            "key": "app.kubernetes.io/name",
            "value": "stackrox"
          }
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-compliance namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-compliance",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "rpm|microdnf|dnf|yum"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0011",
      "techniques": [
        "T1105"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}