
V-260910

CAT II (Medium)

SSH must not run within Linux containers.

Rule ID

SV-260910r966087_rule

STIG

Mirantis Kubernetes Engine Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-000213

Discussion

To limit the attack surface of MKE, it is important that the nonessential services are not installed. Containers are designed to be lightweight and isolated, and introducing SSH can add attack vectors. Unauthorized access or exploitation of SSH vulnerabilities would compromise the security of the container and the host system. SSH is not necessary for process management within containers, as container orchestration platforms provide mechanisms for starting, stopping, and monitoring containerized processes. SSH access within containers may bypass auditing mechanisms, making it harder to track and audit user activities.

Check Content

This check must be executed on all nodes in a Docker Enterprise cluster.

Verify no running containers have a process for SSH server. Using CLI, execute the following:

for i in $(docker container ls --format "{{.ID}}"); do
  pid=$(docker inspect -f '{{.State.Pid}}' "$i")
  ps -h --ppid "$pid" -o cmd
done | grep sshd

If a container is output, it has a process for an SSH server; this is a finding.
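The check above only lists direct children of each container's init process, so an sshd started by a supervisor or a shell inside the container would not appear. The script below is an added example, not the STIG's own check text; it uses docker top (which lists every process in the container's cgroup) and reports the container name and ID for each finding, and it assumes the docker CLI is on the node and that docker top accepts a ps -o field list as documented.

```shell
#!/bin/sh
# Added example, not the STIG's own check text. Assumes a node with the
# docker CLI and that "docker top" accepts ps -o field lists (per Docker
# docs). Unlike `ps --ppid <init pid>`, "docker top" lists every process in
# the container's cgroup, so an sshd started by a supervisor or a shell
# (not a direct child of the container's PID 1) is still reported.

# Return 0 (finding) when a "PID COMM ARGS" listing, header line first as
# "docker top" prints it, contains a process whose comm is sshd. Matching
# on the comm field rather than grepping the whole line means an ssh
# client, or a command line that merely mentions sshd, is not flagged.
listing_has_sshd() {
  printf '%s\n' "$1" | awk 'NR > 1 && ($2 == "sshd" || $2 ~ /\/sshd$/) { found = 1 }
                            END { exit (found ? 0 : 1) }'
}

# Walk every running container on this node; print the container name and
# ID for each finding and return 1 if any was found (0 = compliant node).
check_node() {
  rc=0
  for id in $(docker container ls --format '{{.ID}}'); do
    name=$(docker inspect -f '{{.Name}}' "$id" | sed 's#^/##')
    procs=$(docker top "$id" -o pid,comm,args 2>/dev/null)
    if listing_has_sshd "$procs"; then
      echo "FINDING: container $name ($id) is running sshd"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample listings (not captured from a real node) so the
# detection logic can be exercised without Docker present.
SAMPLE_FINDING='PID COMMAND COMMAND
1 sshd /usr/sbin/sshd -D -e
23 bash /bin/bash'
SAMPLE_CLEAN='PID COMMAND COMMAND
1 nginx nginx: master process nginx
31 ssh ssh -p 2222 backup@sshd-host'

if listing_has_sshd "$SAMPLE_FINDING"; then echo "sample 1: finding"; fi
if listing_has_sshd "$SAMPLE_CLEAN"; then echo "sample 2: finding"; else echo "sample 2: clean"; fi
# On a real node, run the cluster check itself.
if command -v docker >/dev/null 2>&1; then check_node; fi
```

Run it on every node in the cluster; a non-zero exit status means at least one running container has an SSH server process.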

Fix Text

Containers found with SSH server must be removed by executing the following:

docker rm [container name]

Then, a new image must be added with SSH server removed.