Check: CNTR-MK-000120
Mirantis Kubernetes Engine STIG: CNTR-MK-000120 (in version v1 r1)
Title
SSH must not run within Linux containers. (Cat II impact)
Discussion
To limit the attack surface of MKE, it is important that the nonessential services are not installed. Containers are designed to be lightweight and isolated, and introducing SSH can add attack vectors. Unauthorized access or exploitation of SSH vulnerabilities would compromise the security of the container and the host system. SSH is not necessary for process management within containers, as container orchestration platforms provide mechanisms for starting, stopping, and monitoring containerized processes. SSH access within containers may bypass auditing mechanisms, making it harder to track and audit user activities.
Check Content
This check must be executed on all nodes in a Docker Enterprise cluster. Verify that no running container has an SSH server process. Using the CLI, execute the following:

```bash
for i in $(docker container ls --format "{{.ID}}"); do
  pid=$(docker inspect -f '{{.State.Pid}}' "$i")
  ps -h --ppid "$pid" -o cmd
done | grep sshd
```

If any line is output, a container has an SSH server process, and this is a finding.

Two caveats when running this loop: `.State.Pid` is the host-namespace PID of the container's init process, and `ps --ppid` lists only that process's direct children. An sshd that is itself the container's PID 1 (for example an image whose CMD is `/usr/sbin/sshd -D`) with no open sessions, or an sshd started further down the process tree, produces no output and is missed. The output also carries only the command line, not the container ID, so a hit still has to be traced back to its container by hand.
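The following script is an added example for this check and is not the STIG's own check text. It keeps the same approach (map each running container to its init PID, inspect the host process table) but walks the entire process subtree under that PID and reports the container ID and name alongside each sshd it finds. It assumes the `docker` CLI, procps `ps` and `awk` are available on the node and that it runs as a user permitted to talk to the Docker daemon; the function and option names are this example's own, not part of MKE.

```bash
#!/usr/bin/env bash
# Added example for CNTR-MK-000120 (not the STIG's check text).
# Assumes: docker CLI, procps `ps`, awk; run as a user that can reach the
# Docker daemon. Host PIDs are used throughout, as `.State.Pid` is a host PID.

# find_sshd_under ROOT_PID
#   stdin : process table, one "pid ppid args" line per process, e.g. the
#           output of `ps -e -o pid=,ppid=,args=`.
#   stdout: "pid args" for every process at or below ROOT_PID whose program
#           name is sshd. Matches "/usr/sbin/sshd -D" and "sshd: user [priv]",
#           not unrelated command lines that merely mention sshd ("grep sshd").
find_sshd_under() {
  awk -v root="$1" '
    {
      pid = $1; ppid = $2
      $1 = ""; $2 = ""; sub(/^ +/, "")   # what is left is the command line
      cmd[pid] = $0; parent[pid] = ppid
    }
    END {
      # Mark the root and every descendant; repeat until a pass adds nothing,
      # so the nesting depth of the tree does not matter.
      in_tree[root] = 1
      do {
        changed = 0
        for (p in parent)
          if (!(p in in_tree) && (parent[p] in in_tree)) { in_tree[p] = 1; changed = 1 }
      } while (changed)
      for (p in in_tree)
        if (cmd[p] ~ /(^|\/)sshd([: ]|$)/) print p, cmd[p]
    }'
}

# scan_node
#   Runs the check against every running container on this node.
#   Exit status 0: no sshd found (no finding); 1: at least one finding.
scan_node() {
  local cid pid name hits rc=0
  for cid in $(docker container ls --format '{{.ID}}'); do
    pid=$(docker inspect -f '{{.State.Pid}}' "$cid")
    # A container that exited between `ls` and `inspect` reports PID 0; skip it.
    [ -n "$pid" ] && [ "$pid" != "0" ] || continue
    hits=$(ps -e -o pid=,ppid=,args= | find_sshd_under "$pid")
    if [ -n "$hits" ]; then
      name=$(docker inspect -f '{{.Name}}' "$cid")
      printf 'FINDING: container %s (%s) has an SSH server process:\n%s\n' "$cid" "$name" "$hits"
      rc=1
    fi
  done
  return "$rc"
}

# Pass --scan to run against the local Docker daemon. Without it the file only
# defines the functions, so find_sshd_under can be fed a captured process table.
if [ "${1:-}" = "--scan" ]; then
  scan_node
fi
```

Run it as `./sshd-check.sh --scan` on every node in the cluster; a non-zero exit status means at least one running container has sshd in its process tree, including the case the STIG loop misses where sshd is the container's own init process.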
Fix Text
Containers found with an SSH server must be removed by executing the following:

```bash
docker rm [container name]
```

Note that `docker rm` refuses to delete a container that is still running; stop it first (or force removal with `docker rm -f`). Then a new image must be built with the SSH server removed and the workload redeployed from that image. Removing the container alone does not resolve the finding while the image it was started from still launches sshd.
Additional Identifiers
Rule ID: SV-260910r966087_rule
Vulnerability ID: V-260910
Group Title: SRG-APP-000033-CTR-000095
CCIs
Number | Definition
---|---
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement