Create rule S6473: Exposing administration services is security-sensi…

…tive (#4347)

rules/S6473/ansible/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S6473/ansible/rule.adoc

@@ -0,0 +1,54 @@
+Exposing administration services can lead to unauthorized access to containers
+or escalation of privilege inside of containers.
+
+Administration services like SSH might contain vulnerabilities, hard-coded
+credentials, or other security issues that increase the attack surface of a
+container deployment. +
+Even if the ports of the services do not get forwarded to the host system, by
+default they are reachable from other containers in the same network. A
+malicious actor that gets access to one container could use such services to
+escalate access and privileges.
+
+== Ask Yourself Whether
+
+* The container starts an administration service.
+
+There is a risk if you answered yes to the question.
+
+
+== Recommended Secure Coding Practices
+
+* Do not start SSH, VNC, RDP or similar administration services in containers.
+
+
+== Sensitive Code Example
+
+[source,yaml]
+----
+- name: Podman tasks
+  hosts: server
+  tasks:
+    - name: Start SSH server
+      containers.podman.podman_container:
+        name: container
+        image: lscr.io/linuxserver/openssh-server:version-9.7_p1-r4
+        publish:
+          - "22:2222" # Sensitive
+----
+
+include::../see.adoc[]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+include::../highlighting.adoc[]
+
+'''
+
+endif::env-github,rspecator-view[]

rules/S6473/metadata.json

@@ -1,5 +1,5 @@
 {
-  "title": "Exposing administration services is security-sensitive",
+  "title": "Exposing administration services in containers is security-sensitive",
   "type": "SECURITY_HOTSPOT",
   "code": {
     "impacts": {