Profile Applicability:

  • Level 1

Description:

The SSH daemon (sshd) should not be running within containers. Instead, you should SSH into the Docker host and use docker exec to access the container.

Rationale:

Running SSH inside containers adds unnecessary complexity to security management:

  • It makes managing access policies and security compliance for the SSH server more difficult.

  • It complicates the management of SSH keys and passwords across multiple containers.

  • It creates challenges in applying security updates to the SSH server inside each container.

Instead of using SSH, docker exec allows for shell access to containers without introducing the security risks of SSH.

Impact:

Pros:

  • Simplifies security management by eliminating the need for SSH in containers.

  • Reduces attack surface by removing an unnecessary service (sshd) within containers.

Cons:

  • If containers require SSH for certain use cases (rare), this configuration may require significant changes.

Default Value:

By default, SSH is not running within Docker containers. A container typically runs a single main process, and sshd is not present unless it has been installed into the image or into the running container.

Pre-requisites:

  • Docker must be installed and running on the host system.

  • Ensure that the container does not have SSH installed or running by default.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance where Docker is running.
  2. List all running containers:
    docker ps --quiet
  3. For each running container, execute the following command:
    docker exec <CONTAINER_ID> ps -el
  4. Ensure there is no process for SSH (e.g., sshd) listed.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to list the processes in each running container and flag any SSH daemon (sshd); no output means no container is running sshd:
    for c in $(docker ps --quiet); do docker exec "$c" ps -el | grep -q sshd && echo "sshd running in container $c"; done
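
The per-container check above, as an added shell script that is not part of this benchmark page: it audits every running container, falls back to /proc when the image ships no ps binary, and exits non-zero when any container runs sshd. It assumes the docker CLI is on PATH and that the caller may run it.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit running containers for sshd.
# Assumes the docker CLI is on PATH and the caller is allowed to run it.

# has_sshd: read a process listing on stdin (output of `ps -el`, `ps -ef`,
# or one process name per line from /proc/*/comm) and return 0 if any
# token is sshd or an "sshd:" worker process, else 1.
has_sshd() {
  awk '
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /(^|[/])sshd:?$/) { found = 1 }
    }
    END { exit !found }
  '
}

# list_processes: print the process table of one container. Falls back to
# /proc/*/comm for minimal images that have no `ps` binary.
list_processes() {
  docker exec "$1" sh -c \
    'ps -el 2>/dev/null || for p in /proc/[0-9]*; do cat "$p/comm" 2>/dev/null; done'
}

# audit_running_containers: report each running container that has sshd.
# Returns 0 when no container runs sshd, 1 otherwise (usable as a CI gate).
audit_running_containers() {
  rc=0
  for c in $(docker ps --quiet); do
    if list_processes "$c" | has_sshd; then
      echo "FAIL: sshd running in container $c"
      rc=1
    else
      echo "ok:   $c"
    fi
  done
  return $rc
}

# The audit only runs when invoked as: sh audit_sshd.sh audit
case "${1:-}" in
  audit) audit_running_containers ;;
esac
```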

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker.
  2. For each container, ensure that the SSH daemon is not installed or running:
    docker exec --interactive --tty <CONTAINER_ID> sh
    Verify that SSH is not installed or running inside the container.
  3. If SSH is installed, remove it by uninstalling the SSH package (the apt-get command applies to Debian-based images; use the image's own package manager otherwise):
    docker exec <CONTAINER_ID> apt-get purge -y openssh-server
    Packages removed with docker exec are lost when the container is recreated, so also remove sshd from the image build (Dockerfile) for the fix to persist.

Using AWS CLI:

  1. Use SSM to remotely connect to the EC2 instance and ensure SSH is not running in containers (Debian-based images shown):
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["docker exec <CONTAINER_ID> apt-get purge -y openssh-server"]'

Backout Plan:

Using AWS Console:

  1. If SSH is required inside the container for some reason, reinstall it:
    docker exec <CONTAINER_ID> apt-get install -y openssh-server

    Start the SSH service within the container.

Using AWS CLI:

  1. Use SSM to reinstall SSH inside the container if necessary:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["docker exec <CONTAINER_ID> apt-get install -y openssh-server"]'

References: