sshd is disabled in containers

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.6

Set up the docker integration.

Description

The SSH daemon should not be running within the container. You should SSH into the Docker host, and use docker exec to enter a container.

Rationale

Running SSH within the container increases the complexity of security management by making it difficult to manage:

  • Access policies and security compliance for the SSH server
  • Keys and passwords across various containers
  • Security upgrades for the SSH server

Shell access to a container is possible without SSH, so this needless increase in the complexity of security management should be avoided.

Audit

  1. List all running containers by executing this command: docker ps --quiet
  2. For each container, list its processes: docker exec $INSTANCE_ID ps -el
  3. Ensure that no SSH server process (for example sshd) is present.

If an image does not ship ps, the docker exec command in step 2 fails; docker top $INSTANCE_ID lists the container's processes using the host's ps instead.
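As an added example (not part of the CIS benchmark or of this page's own tooling), the following POSIX shell script automates the three audit steps above: it walks docker ps --quiet, lists each container's processes with docker top so that images without /bin/ps are still covered, and flags any container with an SSH daemon. The process-matching pattern, the function names and the --audit flag are this example's own choices.

```shell
#!/bin/sh
# Added audit helper for CIS Docker 5.6 (illustrative; not benchmark tooling).
# Assumption: the regex in has_sshd is what we treat as "an SSH server process".

# Return 0 when the process listing read from stdin contains an SSH daemon,
# 1 otherwise. Works on the command column of either `ps -el` (bare command
# name, e.g. "sshd") or `docker top` (full command line, e.g.
# "/usr/sbin/sshd -D", or a session process "sshd: root@pts/0"), and also
# catches dropbear. The match must end at whitespace, a colon or end of line,
# so a helper such as "sshd-keygen" is not reported as a daemon.
has_sshd() {
    grep -qE '(^|[[:space:]/])(sshd|dropbear)([[:space:]:]|$)'
}

# Inspect one container: print a PASS/FAIL line, return 1 on FAIL.
check_container() {
    id="$1"
    # docker top runs ps on the host, scoped to the container's PID namespace,
    # so it does not depend on the image shipping a ps binary.
    if docker top "$id" | has_sshd; then
        printf 'FAIL %s: SSH daemon running in container\n' "$id"
        return 1
    fi
    printf 'PASS %s\n' "$id"
    return 0
}

# Iterate over every running container; exit non-zero if any container fails,
# so the script can gate a CI job or a compliance cron run.
audit_containers() {
    rc=0
    for id in $(docker ps --quiet); do
        check_container "$id" || rc=1
    done
    return $rc
}

# Only talk to the Docker daemon when explicitly asked (./audit-sshd.sh --audit),
# so the functions above can be sourced and unit-tested without Docker.
if [ "${1:-}" = "--audit" ]; then
    audit_containers
fi
```

Run it as root (or as a member of the docker group) on the Docker host; a non-zero exit status means at least one running container is out of compliance with control 5.6.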

Remediation

Uninstall the SSH daemon from the container and use docker exec to enter a container on the remote host: docker exec --interactive --tty $INSTANCE_ID sh. Alternatively, docker attach $INSTANCE_ID attaches your terminal to the container's main process; this only gives you a shell if that process is a shell, and exiting that shell stops the container.

Impact

None

Default value

By default, no SSH server is running inside a container: Docker starts only the image's configured entrypoint and command. Docker does not restrict a container to a single process, but the convention is one service per container, and nothing starts sshd unless the image installs and launches it.

References

  1. http://blog.docker.com/2014/06/why-you-dont-need-to-run-sshd-in-docker/

CIS controls

Version 6

9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.