feat(ssh): add ping/nmap/ca-certificates to base image

A lived-in Linux box ships with iputils-ping, ca-certificates, and nmap available. Their absence is a cheap tell, and they're handy for letting the attacker move laterally in ways we want to observe. iproute2 (ip a) was already installed for attribution — noted here for completeness.
2026-04-18 01:53:33 -04:00
parent f462835373
commit 766eeb3d83
2 changed files with 10 additions and 0 deletions
--- a/templates/ssh/Dockerfile
+++ b/templates/ssh/Dockerfile
@@ -16,6 +16,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    inotify-tools \
    psmisc \
    iproute2 \
+    iputils-ping \
+    ca-certificates \
+    nmap \
    jq \
    && rm -rf /var/lib/apt/lists/*

--- a/tests/test_ssh.py
+++ b/tests/test_ssh.py
@@ -210,6 +210,13 @@ def test_dockerfile_installs_attribution_tools():
        assert pkg in df, f"missing {pkg} in Dockerfile"


+def test_dockerfile_installs_default_recon_tools():
+    df = _dockerfile_text()
+    # Attacker-facing baseline: a lived-in box has these.
+    for pkg in ("iputils-ping", "ca-certificates", "nmap"):
+        assert pkg in df, f"missing {pkg} in Dockerfile"
+
+
 def test_dockerfile_copies_capture_script():
    df = _dockerfile_text()
    # Installed under plausible udev path to hide from casual `ps` inspection.