Back to catalog

nmap Execution

No violationsstackroxhighruntime

Alerts when the nmap process launches in a container during run time

Rationale
Nmap can be used to probe a running container's network to enumerate open ports and perform other actions such as OS version detection and launching over-the-network scripted attacks
Remediation
Consider removing package managers during the build process that could be used to download such software. Check that exposed ports don't allow for remote code execution
CategoriesNetwork Tools
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.4(b)
ISO/IEC 27001 2022
A.8.20
NIST SP 800-53 rev. 5
CM-7
PCI DSS 4.0
2.2.4

Generated artifacts

1 of 5 targets supported
nmap-execution.yaml
- rule: nmap-execution
  desc: Alerts when the nmap process launches in a container during run time
  condition: proc.name in ("nmap")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=nmap Execution)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "f0bacecd-87be-4f51-89a5-8f86ad523620",
  "name": "nmap Execution",
  "description": "Alerts when the nmap process launches in a container during run time",
  "rationale": "Nmap can be used to probe a running container's network to enumerate open ports and perform other actions such as OS version detection and launching over-the-network scripted attacks",
  "remediation": "Consider removing package managers during the build process that could be used to download such software. Check that exposed ports don't allow for remote code execution",
  "severity": "high",
  "categories": [
    "Network Tools"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "nmap"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "f0bacecd-87be-4f51-89a5-8f86ad523620",
  "name": "nmap Execution",
  "description": "Alerts when the nmap process launches in a container during run time",
  "rationale": "Nmap can be used to probe a running container's network to enumerate open ports and perform other actions such as OS version detection and launching over-the-network scripted attacks",
  "remediation": "Consider removing package managers during the build process that could be used to download such software. Check that exposed ports don't allow for remote code execution",
  "disabled": false,
  "categories": [
    "Network Tools"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "nmap"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0007",
      "techniques": [
        "T1046"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}