Altered binary
Table of Contents
Altered binary
An altered binary incident indicates that a binary that during image scanning was found with different metadata than what is specified by its package was executed. This binary might have been maliciously replaced or altered.
Investigation
The following incident shows that the process python2.7 was launched, but it seems to be altered or corrupted.
Your investigation should focus on locating the source of the affected image.
If the image was pulled from a remote repository, you should confirm the image hash is as expected given the repository image metadata. You should make sure the image repository and the author are valid.
If the image was built locally, you must examine the build process. Inspect your supply chain to understand if any binary from signed sources (such as a package manager) is changed or modified throughout the build.
Mitigation
A full mitigation strategy for this incident begins by resolving the issues that allowed to pull or build an image including an altered binary.
Ensure that compliance benchmarks are appropriately applied to the affected images and containers. Use Trusted Images, to avoid image pulls from untrusted sources.
For additional protection, Enable the block action in the applicable compliance check to take action when altered binaries are found in an image during a scan.
