Back to catalog

Secure Shell (ssh) Port Exposed

No violationsstackroxhighdeploy

Alert on deployments exposing port 22, commonly reserved for SSH access.

Rationale
Port 22 is reserved for SSH access. SSH should not typically be used within containers.
Remediation
Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.20A.8.9
NIST SP 800-53 rev. 5
CM-2CM-7
PCI DSS 4.0
1.2.52.2.12.2.4
SOC 2 2017 TSC
CC6.6

Generated artifacts

3 of 5 targets supported
secure-shell-ssh-port-exposed.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secure-shell-ssh-port-exposed
  annotations:
    policies.kyverno.io/title: Secure Shell (ssh) Port Exposed
    policies.kyverno.io/category: Security Best Practices
    policies.kyverno.io/severity: high
    policies.kyverno.io/description: Alert on deployments exposing port 22, commonly reserved for SSH access.
    policies.kyverno.io/remediation: Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.
    policies.kyverno.io/rationale: Port 22 is reserved for SSH access. SSH should not typically be used within containers.
    policies.io/source: stackrox
    policies.io/source-id: 3bf3cec3-d3e8-4512-86ca-b306697d4b75
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: secure-shell-ssh-port-exposed
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Secure Shell (ssh) Port Exposed" violated: Alert on deployments exposing port 22, commonly reserved for SSH access.'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.containers[].ports[].containerPort || `[]` }}"
                operator: AnyIn
                value:
                  - 22
              - key: "{{ request.object.spec.containers[].ports[].protocol || `[]` }}"
                operator: AnyIn
                value:
                  - TCP
IR (canonical)
{
  "id": "3bf3cec3-d3e8-4512-86ca-b306697d4b75",
  "name": "Secure Shell (ssh) Port Exposed",
  "description": "Alert on deployments exposing port 22, commonly reserved for SSH access.",
  "rationale": "Port 22 is reserved for SSH access. SSH should not typically be used within containers.",
  "remediation": "Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.",
  "severity": "high",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "and",
    "children": [
      {
        "op": "criterion",
        "field": "exposed-port",
        "values": [
          "22"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "exposed-port-protocol",
        "values": [
          "tcp"
        ],
        "valuesOp": "or",
        "negate": false
      }
    ]
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "3bf3cec3-d3e8-4512-86ca-b306697d4b75",
  "name": "Secure Shell (ssh) Port Exposed",
  "description": "Alert on deployments exposing port 22, commonly reserved for SSH access.",
  "rationale": "Port 22 is reserved for SSH access. SSH should not typically be used within containers.",
  "remediation": "Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Exposed Port",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "22"
            }
          ]
        },
        {
          "fieldName": "Exposed Port Protocol",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "tcp"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}