C-0042 - SSH server running inside container


AllControls, MITRE



Description of the the issue

SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, Service, StatefulSet

What does this control test

Check if service connected to some workload has an SSH port (22/2222). If so we raise an alert.


Remove SSH from the container image or limit the access to the SSH server using network policies.


No example