5.6 Do not run ssh within containers

Information

SSH server should not be running within the container. You should SSH into the Docker host, and use the nsenter tool to enter a container from a remote host. Running SSH within the container increases the complexity of security management by making it:
* Difficult to manage access policies and security compliance for the SSH server
* Difficult to manage keys and passwords across various containers
* Difficult to manage security upgrades for the SSH server
Since it is possible to have shell access to a container without using SSH, needlessly increasing the complexity of security management should be avoided.

Solution

Uninstall SSH server from the container and use nsenter or any other commands such as docker exec or docker attach to interact with the container instance.
docker exec --interactive --tty $INSTANCE_ID sh
OR
docker attach $INSTANCE_ID
Impact

None.

Default Value

By default, SSH server is not running inside the container. Only one process per container is allowed.
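An added audit helper (not part of the CIS benchmark or Tenable plugin) that checks running containers for an SSH daemon using the docker exec access path recommended above. The `has_sshd` matcher is kept docker-free so it can be exercised against a constructed process listing; `audit_containers` and the `dropbear` daemon name are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag running containers whose process table contains an
# SSH daemon, which control 5.6 forbids.

# has_sshd: reads a process listing on stdin; returns 0 if an sshd (or
# dropbear, a common small SSH daemon) command is present, 1 otherwise.
has_sshd() {
  # Match the daemon as a command word, not a substring such as "sshd_config".
  grep -Eq '(^|[[:space:]/])(sshd|dropbear)([[:space:]]|$)'
}

# audit_containers: run has_sshd against every running container via
# docker exec. Prints one line per offending container and returns 1 if
# any were found, 0 if all containers are compliant.
audit_containers() {
  found=0
  for id in $(docker ps -q); do
    # procps ps supports -eo args; fall back to plain ps on BusyBox images.
    if docker exec "$id" sh -c 'ps -eo args 2>/dev/null || ps' | has_sshd; then
      name=$(docker inspect --format '{{.Name}}' "$id")
      echo "SSH daemon running in container $name ($id)"
      found=1
    fi
  done
  return $found
}
```

Run `audit_containers` on the Docker host as a user with access to the Docker socket; a non-zero exit status means at least one container violates this control.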

See Also

https://workbench.cisecurity.org/files/516

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: a5c48d10a6c1095c28132a737d91a13d7ad9c93f740f6551ec475a4e6729731c