SSH must not run within Linux containers.


Overview

Finding ID: V-260910
Version: CNTR-MK-000120
Rule ID: SV-260910r966087_rule
IA Controls: (none listed)
Severity: Medium
Description
To limit the attack surface of MKE, it is important that the nonessential services are not installed. Containers are designed to be lightweight and isolated, and introducing SSH can add attack vectors. Unauthorized access or exploitation of SSH vulnerabilities would compromise the security of the container and the host system. SSH is not necessary for process management within containers, as container orchestration platforms provide mechanisms for starting, stopping, and monitoring containerized processes. SSH access within containers may bypass auditing mechanisms, making it harder to track and audit user activities.
STIG: Mirantis Kubernetes Engine Security Technical Implementation Guide
Date: 2024-04-10

Details

Check Text (C-64639r966085_chk)
This check must be executed on every node (manager and worker) of the MKE (formerly Docker Enterprise) cluster.

Verify that no running container has an SSH server process. Using the CLI, execute the following on each node:

for i in $(docker container ls --format "{{.ID}}"); do
  # docker top lists every process in the container's PID namespace, so an sshd
  # running as the container's init process (PID 1) or as a grandchild is not missed
  if docker top "$i" -o pid,cmd | grep -qw sshd; then
    echo "$i"
  fi
done

If any container ID is printed, that container is running an SSH server; this is a finding.
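The following is a standalone version of this check, added here as an example; it is not part of the STIG text or of Mirantis' tooling. It matches on the executable's basename rather than on the substring "sshd", so a process editing sshd_config is not a false positive, and it treats Dropbear as an SSH server as well (an assumption: some minimal images ship it instead of OpenSSH). The sample process list embedded in it is constructed, not captured from a cluster; in --live mode it assumes the docker CLI is available on the node and builds the same input from docker top.

```shell
#!/bin/sh
# Added example (not part of the STIG text): the same "does any container run an SSH
# server?" test as the check above, but matching on the executable's basename instead of
# the substring "sshd", so "vi /etc/ssh/sshd_config" is not flagged while
# "/usr/sbin/sshd -D" and the per-session "sshd: user@pts/0" processes are.
# Dropbear is treated as an SSH server too (assumption: some images ship it, not OpenSSH).

# Return 0 (true) when a command line is an SSH server process, 1 otherwise.
is_sshd_cmd() {
  cmd=$1
  first=${cmd%% *}        # first word of the command line, e.g. /usr/sbin/sshd
  base=${first##*/}       # strip the directory: sshd
  case "$base" in
    sshd|sshd:|dropbear) return 0 ;;
    *) return 1 ;;
  esac
}

# Read "<container id> <command line>" lines on stdin; print each container id that has
# at least one SSH server process, once each.
flag_ssh_containers() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    id=${line%% *}
    cmd=${line#* }
    if is_sshd_cmd "$cmd"; then
      printf '%s\n' "$id"
    fi
  done | sort -u
}

# Live mode: build the same "<id> <command line>" stream from the running containers.
# docker top lists every process in the container's PID namespace, not only the children
# of its init process, so an sshd started as PID 1 is seen as well.
live_scan() {
  for i in $(docker container ls --format '{{.ID}}'); do
    docker top "$i" -o pid,cmd |
      awk -v id="$i" 'NR > 1 { $1 = ""; sub(/^ +/, ""); print id " " $0 }'
  done | flag_ssh_containers
}

# Constructed sample input (not captured from a real cluster): three containers, of which
# only a1b2c3d4e5f6 actually runs an SSH server; 0f9e8d7c6b5a merely edits sshd_config.
SAMPLE='a1b2c3d4e5f6 /usr/sbin/sshd -D
a1b2c3d4e5f6 sshd: root@pts/0
0f9e8d7c6b5a nginx: master process nginx -g daemon off;
0f9e8d7c6b5a vi /etc/ssh/sshd_config
77aa88bb99cc /bin/sh -c sleep infinity
77aa88bb99cc python3 /app/server.py'

if [ "${1:-}" = "--live" ]; then
  live_scan            # run on an MKE node; prints the IDs of containers to remediate
else
  printf '%s\n' "$SAMPLE" | flag_ssh_containers   # prints: a1b2c3d4e5f6
fi
```

Run it without arguments to see the classification on the constructed sample, or with --live on a node to scan the containers actually running there. A plain `grep sshd` over the same sample would have reported both a1b2c3d4e5f6 and 0f9e8d7c6b5a.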
Fix Text (F-64547r966086_fix)
Containers found running an SSH server must be stopped and removed by executing the following:

docker rm -f [container name]

Then rebuild the image without the SSH server (remove the openssh-server package and any sshd entrypoint or CMD) and redeploy from the rebuilt image. Where the container is managed by an orchestrator (a Swarm service or a Kubernetes pod), the controller will simply recreate the container from the old image, so the service or pod specification must be updated to reference the rebuilt image.