nmap Execution
No violationsstackroxhighruntimeAlerts when the nmap process launches in a container during run time
- Rationale
- Nmap can be used to probe a running container's network to enumerate open ports and perform other actions such as OS version detection and launching over-the-network scripted attacks
- Remediation
- Consider removing package managers during the build process that could be used to download such software. Check that exposed ports don't allow for remote code execution
CategoriesNetwork Tools
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.4(b)
- ISO/IEC 27001 2022
- A.8.20
- NIST SP 800-53 rev. 5
- CM-7
- PCI DSS 4.0
- 2.2.4
Generated artifacts
1 of 5 targets supportednmap-execution.yaml
- rule: nmap-execution
desc: Alerts when the nmap process launches in a container during run time
condition: proc.name in ("nmap")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=nmap Execution)
priority: ERROR
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "f0bacecd-87be-4f51-89a5-8f86ad523620",
"name": "nmap Execution",
"description": "Alerts when the nmap process launches in a container during run time",
"rationale": "Nmap can be used to probe a running container's network to enumerate open ports and perform other actions such as OS version detection and launching over-the-network scripted attacks",
"remediation": "Consider removing package managers during the build process that could be used to download such software. Check that exposed ports don't allow for remote code execution",
"severity": "high",
"categories": [
"Network Tools"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "process-name",
"values": [
"nmap"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "f0bacecd-87be-4f51-89a5-8f86ad523620",
"name": "nmap Execution",
"description": "Alerts when the nmap process launches in a container during run time",
"rationale": "Nmap can be used to probe a running container's network to enumerate open ports and perform other actions such as OS version detection and launching over-the-network scripted attacks",
"remediation": "Consider removing package managers during the build process that could be used to download such software. Check that exposed ports don't allow for remote code execution",
"disabled": false,
"categories": [
"Network Tools"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "nmap"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0007",
"techniques": [
"T1046"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}