systemctl Execution
No violationsstackroxlowruntimeDetected usage of the systemctl service manager
- Rationale
- The systemctl service manager is generally not used in containers, and its use could indicate suspicious activity
- Remediation
- Remove systemctl from the image before deploying, or consider using a base image that doesn't bundle systemctl
CategoriesSystem Modification
Compliance mappingsView coverage →
- NIST SP 800-53 rev. 5
- SI-4
Generated artifacts
1 of 5 targets supportedsystemctl-execution.yaml
- rule: systemctl-execution
desc: Detected usage of the systemctl service manager
condition: proc.name in ("systemctl") and not (proc.cmdline contains "--version")
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=systemctl Execution)
priority: NOTICE
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "f2183906-4577-47de-9bf4-270d09e0a93c",
"name": "systemctl Execution",
"description": "Detected usage of the systemctl service manager",
"rationale": "The systemctl service manager is generally not used in containers, and its use could indicate suspicious activity",
"remediation": "Remove systemctl from the image before deploying, or consider using a base image that doesn't bundle systemctl",
"severity": "low",
"categories": [
"System Modification"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [
{
"name": "Don't alert on StackRox namespace",
"namespace": "stackrox"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "process-name",
"values": [
"systemctl"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "process-arguments",
"values": [
"--version"
],
"valuesOp": "or",
"negate": true
}
]
},
"disabled": false
}Original StackRox JSON
{
"id": "f2183906-4577-47de-9bf4-270d09e0a93c",
"name": "systemctl Execution",
"description": "Detected usage of the systemctl service manager",
"rationale": "The systemctl service manager is generally not used in containers, and its use could indicate suspicious activity",
"remediation": "Remove systemctl from the image before deploying, or consider using a base image that doesn't bundle systemctl",
"disabled": false,
"categories": [
"System Modification"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [
{
"name": "Don't alert on StackRox namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "systemctl"
}
]
},
{
"fieldName": "Process Arguments",
"booleanOperator": "OR",
"negate": true,
"values": [
{
"value": "--version"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0003",
"techniques": [
"T1543.002"
]
},
{
"tactic": "TA0004",
"techniques": [
"T1543.002"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}