Back to catalog

Secure Shell Server (sshd) Execution

No violationsstackroxhighruntime

Detects container running the SSH daemon

Rationale
The secure shell server allows shell access to a container, which can be dangerous.
Remediation
If ssh is absolutely required, ensure that it is not using default authentication. Otherwise, consider removing it from the container altogether.
CategoriesDocker CISNetwork Tools
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2Art. 9.4(b)
ISO/IEC 27001 2022
A.8.20A.8.9
NIST SP 800-53 rev. 5
CM-2CM-7
PCI DSS 4.0
2.2.12.2.4

Generated artifacts

1 of 5 targets supported
secure-shell-server-sshd-execution.yaml
- rule: secure-shell-server-sshd-execution
  desc: Detects container running the SSH daemon
  condition: proc.name in ("sshd")
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Secure Shell Server (sshd) Execution)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
    - n
IR (canonical)
{
  "id": "618e65ca-737b-4fec-bb42-57a04e7dfc28",
  "name": "Secure Shell Server (sshd) Execution",
  "description": "Detects container running the SSH daemon",
  "rationale": "The secure shell server allows shell access to a container, which can be dangerous.",
  "remediation": "If ssh is absolutely required, ensure that it is not using default authentication. Otherwise, consider removing it from the container altogether.",
  "severity": "high",
  "categories": [
    "Docker CIS",
    "Network Tools"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-name",
    "values": [
      "sshd"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "618e65ca-737b-4fec-bb42-57a04e7dfc28",
  "name": "Secure Shell Server (sshd) Execution",
  "description": "Detects container running the SSH daemon",
  "rationale": "The secure shell server allows shell access to a container, which can be dangerous.",
  "remediation": "If ssh is absolutely required, ensure that it is not using default authentication. Otherwise, consider removing it from the container altogether.",
  "disabled": false,
  "categories": [
    "Docker CIS",
    "Network Tools"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Name",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "sshd"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0001",
      "techniques": [
        "T1078"
      ]
    },
    {
      "tactic": "TA0002",
      "techniques": [
        "T1059.004"
      ]
    },
    {
      "tactic": "TA0008",
      "techniques": [
        "T1021.004"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}