Back to catalog

systemctl Execution

No violationsstackroxlowruntime

Detected usage of the systemctl service manager

Rationale
The systemctl service manager is generally not used in containers, and its use could indicate suspicious activity
Remediation
Remove systemctl from the image before deploying, or consider using a base image that doesn't bundle systemctl
CategoriesSystem Modification
Compliance mappingsView coverage →
NIST SP 800-53 rev. 5
SI-4

Generated artifacts

1 of 5 targets supported
systemctl-execution.yaml
- rule: systemctl-execution
  desc: Detected usage of the systemctl service manager
  condition: proc.name in ("systemctl") and not (proc.cmdline contains "--version")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=systemctl Execution)
  priority: NOTICE
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "f2183906-4577-47de-9bf4-270d09e0a93c",
  "name": "systemctl Execution",
  "description": "Detected usage of the systemctl service manager",
  "rationale": "The systemctl service manager is generally not used in containers, and its use could indicate suspicious activity",
  "remediation": "Remove systemctl from the image before deploying, or consider using a base image that doesn't bundle systemctl",
  "severity": "low",
  "categories": [
    "System Modification"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on StackRox namespace",
      "namespace": "stackrox"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "and",
    "children": [
      {
        "op": "criterion",
        "field": "process-name",
        "values": [
          "systemctl"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "process-arguments",
        "values": [
          "--version"
        ],
        "valuesOp": "or",
        "negate": true
      }
    ]
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "f2183906-4577-47de-9bf4-270d09e0a93c",
  "name": "systemctl Execution",
  "description": "Detected usage of the systemctl service manager",
  "rationale": "The systemctl service manager is generally not used in containers, and its use could indicate suspicious activity",
  "remediation": "Remove systemctl from the image before deploying, or consider using a base image that doesn't bundle systemctl",
  "disabled": false,
  "categories": [
    "System Modification"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [
    {
      "name": "Don't alert on StackRox namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "systemctl"
            }
          ]
        },
        {
          "fieldName": "Process Arguments",
          "booleanOperator": "OR",
          "negate": true,
          "values": [
            {
              "value": "--version"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0003",
      "techniques": [
        "T1543.002"
      ]
    },
    {
      "tactic": "TA0004",
      "techniques": [
        "T1543.002"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}