Secure Shell (ssh) Port Exposed
No violationsstackroxhighdeployAlert on deployments exposing port 22, commonly reserved for SSH access.
- Rationale
- Port 22 is reserved for SSH access. SSH should not typically be used within containers.
- Remediation
- Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.20A.8.9
- NIST SP 800-53 rev. 5
- CM-2CM-7
- PCI DSS 4.0
- 1.2.52.2.12.2.4
- SOC 2 2017 TSC
- CC6.6
Generated artifacts
3 of 5 targets supportedsecure-shell-ssh-port-exposed.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: secure-shell-ssh-port-exposed
annotations:
policies.kyverno.io/title: Secure Shell (ssh) Port Exposed
policies.kyverno.io/category: Security Best Practices
policies.kyverno.io/severity: high
policies.kyverno.io/description: Alert on deployments exposing port 22, commonly reserved for SSH access.
policies.kyverno.io/remediation: Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.
policies.kyverno.io/rationale: Port 22 is reserved for SSH access. SSH should not typically be used within containers.
policies.io/source: stackrox
policies.io/source-id: 3bf3cec3-d3e8-4512-86ca-b306697d4b75
spec:
validationFailureAction: Enforce
background: true
rules:
- name: secure-shell-ssh-port-exposed
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Secure Shell (ssh) Port Exposed" violated: Alert on deployments exposing port 22, commonly reserved for SSH access.'
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[].ports[].containerPort || `[]` }}"
operator: AnyIn
value:
- 22
- key: "{{ request.object.spec.containers[].ports[].protocol || `[]` }}"
operator: AnyIn
value:
- TCP
IR (canonical)
{
"id": "3bf3cec3-d3e8-4512-86ca-b306697d4b75",
"name": "Secure Shell (ssh) Port Exposed",
"description": "Alert on deployments exposing port 22, commonly reserved for SSH access.",
"rationale": "Port 22 is reserved for SSH access. SSH should not typically be used within containers.",
"remediation": "Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.",
"severity": "high",
"categories": [
"Security Best Practices"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "exposed-port",
"values": [
"22"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "exposed-port-protocol",
"values": [
"tcp"
],
"valuesOp": "or",
"negate": false
}
]
},
"disabled": false
}Original StackRox JSON
{
"id": "3bf3cec3-d3e8-4512-86ca-b306697d4b75",
"name": "Secure Shell (ssh) Port Exposed",
"description": "Alert on deployments exposing port 22, commonly reserved for SSH access.",
"rationale": "Port 22 is reserved for SSH access. SSH should not typically be used within containers.",
"remediation": "Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.",
"disabled": false,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Exposed Port",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "22"
}
]
},
{
"fieldName": "Exposed Port Protocol",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "tcp"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}