Palo Alto Networks Prisma Cloud Compute STIG
Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide. Version v1 r1, released Aug. 10, 2022.
CNTR-PC-001470: Prisma Cloud Compute's Intelligence Stream must be kept up to date.
Navigate to Prisma Cloud Compute Console's >> Manage >> System >> Intelligence tab. If the "Last streams update" date is older than 36 hours, this is a finding.
Discussion
The Prisma Cloud Compute Console pulls the latest vulnerability and threat information from the Intelligence Stream (intelligence.twistlock.com). The Prisma Cloud Intelligence Stream provides timely vulnerability data collected and processed from a variety of certified upstream sources.
Fix
Prisma Cloud Compute Console's ability to communicate with the Intelligence Stream endpoint (https://intelligence.twistlock.com) dictates the method of vulnerability updates. If the Console is able to communicate with the internet, ensure that intelligence.twistlock.com is resolvable, routable, and can establish a TLS session on TCP port 443. If the Console is in an isolated environment and is unable to communicate with the internet, configure the Console to receive Intelligence Stream updates using one of the following methods:
- Manual import.
- Central console.
- HTTP/S distribution point.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-01/prisma-cloud-compute-edition-admin/tools/update_intel_stream_offline.html
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-001490: Configuration of Prisma Cloud Compute must be continuously verified.
Navigate to Prisma Cloud Compute Console's >> Manage >> Defenders. Select the "Manage" tab. Select the "Defenders" tab. Determine the deployment status of the Defenders. If a Defender is not deployed to intended workload(s) to be protected, this is a finding.
Discussion
Prisma Cloud Compute's configuration of Defender deployment must be monitored to ensure monitoring and protection of the environment is in accordance with organizational policy.
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> Defenders. Select the "Manage" tab. Select the "Defenders" tab. Deploy Defender to containerization node. Select the method of Defender deployment. https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-01/prisma-cloud-compute-edition-admin/install/defender_types.html
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000510: All Prisma Cloud Compute users must have a unique, individual account.
Confirm there is only one "break glass" local administrative account. Navigate to Prisma Cloud Compute Console's Manage >> Authentication >> Users tab. Only the administrative break glass account is allowed to have Authentication Method = Local. All other accounts must have Authentication Method = SAML. If any account other than the administrative break glass account has an Authentication Method other than "SAML", this is a finding.
Discussion
Prisma Cloud Compute does not have a default account. During installation, the installer creates an administrator. This account can be removed once other accounts have been added. To ensure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Users tab. Ensure only the break glass administrator account is a "local" account. Delete all other local accounts and use the SAML identity provider for all authentication and authorization to the Prisma Cloud Compute Console.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000450: The configuration integrity of the container platform must be ensured and compliance policies must be configured.
Verify compliance policies are enabled. Navigate to Prisma Cloud Compute Console's Defend >> Compliance.
Select the "Code repositories" tab. For the "Repositories" and "CI" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If the "Default - alert on critical and high" policy is not scoped to "All", this is a finding.
Select the "Containers and images" tab. For the "Deployed" and "CI" tabs:
- If the "Default - alert on critical and high" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert on critical and high".
- If the policy is disabled, this is a finding.
- Click the "Default - alert on critical and high" policy row.
- If the "Default - alert on critical and high" policy is not scoped to "All", this is a finding.
Select the "Hosts" tab. For the "Running hosts" and "VM images" tabs:
- If the "Default - alert on critical and high" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert on critical and high".
- If the policy is disabled, this is a finding.
- Click the "Default - alert on critical and high" policy row.
- If the "Default - alert on critical and high" policy is not scoped to "All", this is a finding.
Select the "Functions" tab. For the "Functions" and "CI" tabs:
- If the "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If the "Default - alert on critical and high" policy is not scoped to "All", this is a finding.
Discussion
Consistent application of Prisma Cloud Compute compliance policies ensures the continual application of policies and the associated effects. Prisma Cloud Compute's configurations must be monitored for configuration drift and addressed according to organizational policy. Satisfies: SRG-APP-000133-CTR-000305, SRG-APP-000384-CTR-000915, SRG-APP-000435-CTR-001070, SRG-APP-000472-CTR-001170
Fix
Enable compliance policies. Navigate to Prisma Cloud Compute Console's Defend >> Compliance and click the tab to be edited.
To add a rule:
- Click "Add rule".
- Enter the rule name. Scope = All
- Accept the defaults and click "Save".
Click the rule's three-dot menu and set it to "Enable".
Click the rule row:
- Change the policy scope to "All".
- Click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
CNTR-PC-000850: Prisma Cloud Compute must prevent unauthorized and unintended information transfer.
Navigate to Prisma Cloud Compute Console's Defend >> Compliance >> Containers and images tab >> Deployed tab. For each rule name, click the rule and confirm the following checks (filter on ID):
ID = 54: Do not use privileged container
ID = 5525: Restrict container from acquiring additional privileges are not configured
ID = 59: Do not share the host's network namespace
ID = 515: Do not share the host's process namespace
ID = 516: Do not share the host's IPC namespace
ID = 517: Do not directly expose host devices to containers
ID = 520: Do not share the host's UTS namespace
ID = 530: Do not share the host's user namespaces
ID = 55: Do not mount sensitive host system directories on containers
ID = 57: Do not map privileged ports within containers
ID = 5510: Limit memory usage for container
ID = 5511: Set container CPU priority appropriately
ID = 599: Container is running as root
ID = 41: Image should be created with a non-root user
If the action for any of these checks is set to "Ignore", this is a finding.
Discussion
Prisma Cloud Compute Compliance policies must be enabled to ensure running containers do not access privileged resources. Satisfies: SRG-APP-000243-CTR-000595, SRG-APP-000243-CTR-000600, SRG-APP-000246-CTR-000605, SRG-APP-000342-CTR-000775
Fix
Navigate to Prisma Cloud Compute Console's Defend >> Compliance >> Containers and images tab >> Deployed tab. Change the action for each of the following checks (click the rule name, then filter on Rule ID). For every ID listed, change Action to "Alert" or "Block" (based on organizational needs) and click "Save".
ID = 54: Do not use privileged container
ID = 5525: Restrict container from acquiring additional privileges are not configured
ID = 59: Do not share the host's network namespace
ID = 515: Do not share the host's process namespace
ID = 516: Do not share the host's IPC namespace
ID = 517: Do not directly expose host devices to containers
ID = 520: Do not share the host's UTS namespace
ID = 530: Do not share the host's user namespaces
ID = 55: Do not mount sensitive host system directories on containers
ID = 57: Do not map privileged ports within containers
ID = 5510: Limit memory usage for container
ID = 5511: Set container CPU priority appropriately
ID = 599: Container is running as root
ID = 41: Image should be created with a non-root user
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000130: Prisma Cloud Compute Collections must be used to partition views and enforce organizational-defined need-to-know access.
Navigate to Prisma Cloud Compute Console's >> Manage >> Collections and Tags >> Collections tab. Review the Collections according to organizational policy. If no organizational-specific Collections are defined, this is a finding.
Discussion
Prisma Cloud Compute Collections are used to scope rules to target specific resources in an environment, partition views, and enforce which views specific users and groups can access. Collections can control access to data on a need-to-know basis.
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> Collections and Tags >> Collections tab. Create a collection:
- Click "Add Collection".
- Enter a name and description and then specify a filter to target specific resources.
- Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000120: Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Users tab. Inspect the users' role assignments:
- Review the role assigned to each user. If the role and/or the Collection assignment is incorrect, this is a finding.
- If a user is not assigned a role, this is a finding.
- Review users assigned the administrator role. If a user has the administrator role and does not require access, this is a finding.
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Groups tab. (Only the Administrator and Operator Prisma Cloud Compute roles have the ability to create/modify policy that could affect runtime behaviors.) Inspect the groups' role assignments:
- If any users or groups are assigned the Auditor or higher role and do not require access to audit information, this is a finding.
- If a group is not assigned a role, this is a finding.
- If the role and/or Collection assignment is incorrect, this is a finding.
- Review groups assigned the Administrator or Operator role. If a group has the Administrator or Operator role and does not require access to Prisma Cloud Compute's Credential Store, this is a finding.
Discussion
The container platform keystore is used to store credentials that are used to build a trust between the container platform and an external source. This trust relationship is authorized by the organization. If a malicious user were to have access to the container platform keystore, two negative scenarios could develop:
1. Keys not approved could be introduced.
2. Approved keys could be deleted, leading to the introduction of container images from sources the organization never approved.
To thwart this threat, it is important to protect the container platform keystore and give access to only individuals and roles approved by the organization. Satisfies: SRG-APP-000033-CTR-000100, SRG-APP-000118-CTR-000240, SRG-APP-000121-CTR-000255, SRG-APP-000133-CTR-000300, SRG-APP-000211-CTR-000530, SRG-APP-000233-CTR-000585, SRG-APP-000340-CTR-000770, SRG-APP-000380-CTR-000900
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Users tab.
- Set the users' role assignments to the ones who have the authority to review the audit data.
- Assign roles to all users and groups.
- Assign the Administrator and Operator roles only to the users requiring the rights to modify Prisma Cloud Compute's Credential Store.
- Remove the Administrator or Operator role from users who do not require access.
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Groups tab.
- Set the groups' role assignments to the ones who have the authority to review audit data.
- Assign roles to all users and groups.
- Set the groups' Administrator and Operator role assignments only to the groups requiring the rights to modify Prisma Cloud Compute's Credential Store.
Adjust user, group, and Collection assignments to align with organizational policies.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-001220: Prisma Cloud Compute must be configured to scan images that have not been instantiated as containers.
Navigate to Prisma Cloud Compute Console's >> Manage >> System >> Scan tab. For Running images, verify that "Only scan images with running containers" is set to "Off". If "Only scan images with running containers" is set to "On", this is a finding.
Discussion
Prisma Cloud Compute ships with "only scan images with running containers" set to "on". To meet the requirements, "only scan images with running containers" must be set to "off" to disable or remove components that are not required.
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> System >> Scan tab. For Running images:
- Set "Only scan images with running containers" = "Off".
- Click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
CNTR-PC-000140: Prisma Cloud Compute Cloud Native Network Firewall (CNNF) automatically monitors layer 4 (TCP) intercontainer communications. Enforcement policies must be created.
Navigate to Prisma Cloud Compute Console's >> Radars >> Settings. If Container network monitoring is disabled, this is a finding. If Host network monitoring is disabled, this is a finding.
Discussion
Network segmentation and compartmentalization are important parts of a comprehensive defense-in-depth strategy. CNNF works as an east-west firewall for containers. It limits damage by preventing attackers from moving laterally through the environment when they have already compromised the perimeter. Satisfies: SRG-APP-000039-CTR-000110, SRG-APP-000384-CTR-000915
Fix
Navigate to Prisma Cloud Compute Console's >> Radars >> Settings. Set Container network monitoring to "enabled". Set Host network monitoring to "enabled".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
CNTR-PC-001250: Prisma Cloud Compute Defender must reestablish communication to the Console via mutual TLS v1.2 WebSocket session.
Navigate to Prisma Cloud Compute Console's >> Manage >> Defenders. Select the "Manage" tab. Select the "Defenders" tab. Click "Advanced Settings". If "Automatically remove disconnected Defenders after (days)" is not configured to the organization's policies, this is a finding.
Discussion
When the secure WebSocket session between the Prisma Cloud Compute Console and Defenders is disconnected, the Defender will continually attempt to reestablish the session. Without reauthentication, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. The Console must be configured to remove a Defender that has not established a connection in a specified period of days.
Fix
Navigate to Prisma Cloud Compute's Manage >> Defenders. Select the "Manage" tab. Select the "Defenders" tab. Click "Advanced Settings". Set the "Automatically remove disconnected Defenders after (days)" value to the organization's defined period.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-001030: The node that runs Prisma Cloud Compute containers must have sufficient disk space to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
When deploying Prisma Cloud Compute within a Kubernetes cluster, the Console's persistent volume is 100GB by default. The logs are stored within this persistent volume. Within the Kubernetes cluster, issue the command "kubectl get pv". If the twistlock/twistlock-console claim's capacity is not 100GB or greater, this is a finding.
Discussion
To ensure sufficient storage capacity in which to write the audit logs, Prisma Cloud Compute must be able to allocate audit record storage capacity.
Fix
When deploying the Prisma Cloud Console, specify the size of the persistent volume with the "--persistent-volume-storage" parameter.
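One way to automate the capacity check for this item against the JSON form of `kubectl get pv`, as an added example that is not Prisma Cloud's or DISA's own tooling: it parses Kubernetes storage quantities (binary and decimal suffixes), finds the PersistentVolume bound to the twistlock/twistlock-console claim named in the check text, and reports a finding when the volume is missing, unbound, or undersized. The PV list is a constructed sample, and the threshold assumes the "100GB" in the check means the Kubernetes quantity 100Gi.

```python
"""Check CNTR-PC-001030: the PV bound to twistlock/twistlock-console must be at least 100Gi.

Added example, not Prisma Cloud or DISA tooling. Feed it `kubectl get pv -o json`;
the JSON below is a constructed sample of that output.
"""
import json
import re
import sys

# Assumption: the STIG's "100GB" is the Kubernetes quantity 100Gi (100 * 1024^3 bytes),
# so a PV declared with the decimal "100G" (100 * 1000^3 bytes) is reported as undersized.
MIN_CONSOLE_BYTES = 100 * 1024 ** 3
CONSOLE_CLAIM = ("twistlock", "twistlock-console")  # namespace/name from the check text

# Binary (Ki..Ei) and decimal (k..E) suffixes Kubernetes accepts for storage quantities.
_MULTIPLIERS = {
    "": 1,
    "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4, "Pi": 1024 ** 5, "Ei": 1024 ** 6,
    "k": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4, "P": 1000 ** 5, "E": 1000 ** 6,
}
_QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$")


def parse_quantity(quantity: str) -> int:
    """Convert a Kubernetes quantity ('100Gi', '100G', '107374182400') to a byte count.

    Exponent forms such as '1e11' and milli-units are legal quantities but do not occur
    in storage capacities, so they are rejected rather than guessed at.
    """
    match = _QUANTITY.match(quantity.strip())
    if not match:
        raise ValueError(f"unsupported storage quantity: {quantity!r}")
    number, suffix = match.groups()
    multiplier = _MULTIPLIERS[suffix or ""]
    if "." in number:  # fractional quantities such as '0.5Ti' are allowed by Kubernetes
        return int(float(number) * multiplier)
    return int(number) * multiplier  # exact integer arithmetic for the common case


def load_pv_list(text: str) -> dict:
    """Parse the JSON document printed by `kubectl get pv -o json`."""
    return json.loads(text)


def console_pv_finding(pv_list: dict, claim=CONSOLE_CLAIM, minimum=MIN_CONSOLE_BYTES):
    """Return None when the Console PV is compliant, otherwise a finding string."""
    namespace, name = claim
    for pv in pv_list.get("items", []):
        ref = pv.get("spec", {}).get("claimRef") or {}
        if (ref.get("namespace"), ref.get("name")) != (namespace, name):
            continue
        pv_name = pv["metadata"]["name"]
        if pv.get("status", {}).get("phase") != "Bound":
            return f"finding: PV {pv_name} for {namespace}/{name} is not Bound"
        capacity = pv["spec"]["capacity"]["storage"]
        if parse_quantity(capacity) < minimum:
            return (f"finding: PV {pv_name} for {namespace}/{name} has capacity {capacity}, "
                    f"less than the required {minimum} bytes")
        return None
    return f"finding: no PersistentVolume is bound to claim {namespace}/{name}"


# Constructed sample of `kubectl get pv -o json`: a compliant Console PV plus an unrelated PV.
SAMPLE_PV_LIST_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "v1",
      "kind": "PersistentVolume",
      "metadata": {"name": "pvc-0b1c-constructed"},
      "spec": {
        "capacity": {"storage": "100Gi"},
        "claimRef": {"namespace": "twistlock", "name": "twistlock-console"},
        "storageClassName": "standard"
      },
      "status": {"phase": "Bound"}
    },
    {
      "apiVersion": "v1",
      "kind": "PersistentVolume",
      "metadata": {"name": "pvc-7f2a-constructed"},
      "spec": {
        "capacity": {"storage": "20Gi"},
        "claimRef": {"namespace": "default", "name": "data-app-0"}
      },
      "status": {"phase": "Bound"}
    }
  ]
}
"""


if __name__ == "__main__":
    # Pipe real output in (`kubectl get pv -o json | python3 pv_check.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PV_LIST_JSON
    finding = console_pv_finding(load_pv_list(text))
    print(finding or "compliant: Console PV meets the minimum capacity")
```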
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000430: Prisma Cloud Compute host compliance baseline policies must be set.
Navigate to Prisma Cloud Compute Console's >> Defend >> Compliance >> Hosts tab >> Running hosts tab. If a "Default - alert on critical and high" rule does not exist, this is a finding. Check all the rules to verify the following Actions are not set to "Ignore". (Click "Rule name", then filter on Rule ID.)
ID = 8112 - Verify the --anonymous-auth argument is set to false (kube-apiserver) - master node.
ID = 8212 - Verify the --anonymous-auth argument is set to false (kubelet) - worker node.
ID = 8311 - Verify the --anonymous-auth argument is set to false (federation-apiserver).
ID = 81427 - Verify the Kubernetes PKI directory and file ownership are set to root:root.
ID = 81428 - Verify the Kubernetes PKI certificate file permissions are set to 644 or more restrictive.
ID = 8214 - Verify the --client-ca-file argument is set as appropriate (kubelet).
ID = 8227 - Verify the certificate authorities file permissions are set to 644 or more restrictive (kubelet).
ID = 8115 - Verify the --kubelet-https argument is set to true (kube-apiserver).
ID = 8116 - Verify the --insecure-bind-address argument is not set (kube-apiserver).
ID = 8117 - Verify the --insecure-port argument is set to 0 (kube-apiserver); this determines whether the Kubernetes API is configured to listen only on the TLS-enabled port (TCP 6443).
ID = 8118 - Verify the --secure-port argument is not set to 0 (kube-apiserver).
ID = 81122 - Verify the --kubelet-certificate-authority argument is set as appropriate (kube-apiserver).
ID = 81123 - Verify the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (kube-apiserver).
ID = 81129 - Verify the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (kube-apiserver).
ID = 82112 - Verify the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (kubelet).
ID = 81141 - Verify the --authorization-mode argument includes RBAC (kube-apiserver).
If any of these checks is set to "Ignore" for any host node within the intended monitored environment, this is a finding.
Discussion
Consistent application of Prisma Cloud Compute compliance policies ensures the continual application of policies and the associated effects. Satisfies: SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000310, SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915
Fix
Navigate to Prisma Cloud Compute Console's >> Defend >> Compliance >> Hosts tab >> Running hosts tab.
Add Rule:
- Click "Add rule".
- Name = "Default - alert on critical and high"
- Scope = "All"
- Change Action to the values shown below (Change Action).
- Accept the other defaults and click "Save".
Change Action:
- Click "Rule name", then filter on Rule ID.
- For each of the following IDs, change Action to "Alert" or "Block" (based on organizational needs) and click "Save".
ID = 8112: --anonymous-auth argument is set to false (kube-apiserver) - master node
ID = 8212: --anonymous-auth argument is set to false (kubelet) - worker node
ID = 8311: --anonymous-auth argument is set to false (federation-apiserver)
ID = 81427: Kubernetes PKI directory and file ownership is set to root:root
ID = 81428: Kubernetes PKI certificate file permissions are set to 644 or more restrictive
ID = 8214: --client-ca-file argument is set as appropriate (kubelet)
ID = 8227: certificate authorities file permissions are set to 644 or more restrictive (kubelet)
ID = 8115: --kubelet-https argument is set to true (kube-apiserver)
ID = 8116: --insecure-bind-address argument is not set (kube-apiserver)
ID = 8117: --insecure-port argument is set to 0 (kube-apiserver); this determines whether the Kubernetes API is configured to listen only on the TLS-enabled port (TCP 6443)
ID = 8118: --secure-port argument is not set to 0 (kube-apiserver)
ID = 81122: --kubelet-certificate-authority argument is set as appropriate (kube-apiserver)
ID = 81123: --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (kube-apiserver)
ID = 81129: --tls-cert-file and --tls-private-key-file arguments are set as appropriate (kube-apiserver)
ID = 82112: --tls-cert-file and --tls-private-key-file arguments are set as appropriate (kubelet)
ID = 81141: --authorization-mode argument includes RBAC (kube-apiserver)
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
CNTR-PC-000260: Prisma Cloud Compute must be configured for forensic data collection.
Navigate to Prisma Cloud Compute Console's >> Manage >> System >> Forensics tab. If "Forensics data collection" is disabled, this is a finding.
Discussion
Prisma Cloud Compute correlates raw audit data to actionable security intelligence, enabling a more rapid and effective response to incidents. This reduces the manual, time-consuming task of correlating data. Prisma Cloud Forensics is a lightweight distributed data recorder that runs alongside all containers in the environment. Prisma Cloud continuously collects detailed runtime information to help incident response teams understand what happened before, during, and after a breach. Forensic data consists of additional supplemental runtime events that complement the data (audits) already captured by Prisma Cloud's runtime sensors. It provides additional context when trying to identify the root cause of an incident. Satisfies: SRG-APP-000099-CTR-000190, SRG-APP-000409-CTR-000990
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> System >> Forensics tab. Set "Forensics data collection" to "enabled".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-001380: Prisma Cloud Compute must run within a defined/separate namespace (e.g., Twistlock).
Inspect the Kubernetes namespace in which Prisma Cloud Compute is deployed:
$ kubectl get pods -n twistlock
NAME                                 READY   STATUS    RESTARTS   AGE
twistlock-console-855744b66b-xs9cm   1/1     Running   0          4d6h
twistlock-defender-ds-99zj7          1/1     Running   0          58d
twistlock-defender-ds-drsh8          1/1     Running   0          58d
Inspect the list of pods. If a non-Prisma Cloud Compute pod (one whose name does not start with "twistlock") is running in the same namespace, this is a finding.
Discussion
Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Prisma Cloud Compute containers running within a separate and exclusive namespace will inherit the namespace's security features. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive actions by authorized users.
Fix
Deploy the Prisma Cloud Compute Console and Defender containers within a distinct namespace.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000310: Prisma Cloud Compute must be configured to send events to the hosts' syslog.
Navigate to Prisma Cloud Compute Console's >> Manage >> Alerts >> Logging tab. If the Syslog setting is "disabled", this is a finding. Select the "Manage" tab. If no Alert Providers are configured, this is a finding.
Discussion
Event log collection is critical in ensuring the security of a containerized environment due to the ephemeral nature of the workloads. In an environment that is continually in flux, audit logs must be properly collected and secured. Prisma Cloud Compute can be configured to send audit events to the host node's syslog in RFC5424-compliant format. Satisfies: SRG-APP-000111-CTR-000220, SRG-APP-000181-CTR-000485, SRG-APP-000358-CTR-000805, SRG-APP-000474-CTR-001180, SRG-APP-000516-CTR-000790
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> Alerts >> Logging tab. Set Syslog to "enabled". Select the "Manage" tab. Click "Add profile". Complete the form based on the organization. At a minimum, the following Alert triggers must be selected:
- Host vulnerabilities.
- Image vulnerabilities.
Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000640: Prisma Cloud Compute local accounts must enforce strong password requirements.
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Logon tab.
- If "Token validity period" is greater than 15, this is a finding.
- If "Enable context sensitive help and single sign on to the Prisma Cloud Support site" is set to "on", this is a finding.
- If "Disable basic authentication for the API" is set to "off", this is a finding.
- If "Require strong passwords for local accounts" is set to "off", this is a finding.
- If "Require strict certificate validation in Defender installation links" is set to "on", this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that must be tested before the password is compromised. Satisfies: SRG-APP-000164-CTR-000400, SRG-APP-000166-CTR-000410, SRG-APP-000167-CTR-000415, SRG-APP-000168-CTR-000420, SRG-APP-000169-CTR-000425, SRG-APP-000389-CTR-000925, SRG-APP-000391-CTR-000935, SRG-APP-000400-CTR-000960
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Logon tab.
- Set "Token validity period" to 15 or less.
- Set "Enable context sensitive help and single sign on to the Prisma Cloud Support site" to "off".
- Set "Disable basic authentication for the API" to "on".
- Set "Require strong passwords for local accounts" to "on".
- Set "Require strict certificate validation in Defender installation links" to "off".
- Click "Save" and "Restart".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000480: Images stored within the container registry must contain only images to be run as containers within the container platform.
Navigate to Prisma Cloud Compute Console's >> Defend >> Compliance >> Trusted Images tab.
Select the "Trust groups" tab. If there is no group, this is a finding.
Select the "Policy" tab. If Trusted Images Rules is set to "off", this is a finding. If a rule does not exist, this is a finding.
Click the three dots in the "Actions" column for the rule. If the policy is disabled, this is a finding.
Click the policy row. If the policy is not scoped to "All", this is a finding.
Discussion
The Prisma Cloud Compute Trusted Images feature allows the declaration, by policy, of which registries, repositories, and images to trust and how to respond when untrusted images are started in the organization's environment. Satisfies: SRG-APP-000141-CTR-000320, SRG-APP-000386-CTR-000920
Fix
Navigate to Prisma Cloud Compute Console's >> Defend >> Compliance >> Trusted Images tab. Select the "Trust groups" tab.
Create a trusted group:
- Click "Add Group".
- Name: "IronBank"
- Specify a registry or repository: https://ironbank.dso.mil
- Click "Add to group".
- Specify a registry or repository: https://registry1.dso.mil/ (There are two group images total.)
- Click "Save".
Select the "Policy" tab. Set the Trusted Images Rules to "on".
If a rule does not exist:
- Click "Add rule".
- Rule name = "IronBank"
- Scope = "All"
- Allowed: Click "Select groups". Select "IronBank". Click "Apply".
- Keep all defaults and click "Save".
Enable policy:
- Click the "Default - alert all components" policy three-dot menu.
- Set to "Enable".
Policy row scope:
- Click the policy rows.
- Change the policy scope to all images and containers within the intended monitored environment.
- Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000530: Prisma Cloud Compute Console must run as nonroot user (uid 2674).
Locate the node on which the Prisma Cloud Compute Console container is running. Determine the process owner for "/app/server". Execute:
ps -aux | grep "/app/server"
If the process is owned by root, this is a finding.
Discussion
Containers not requiring root-level permissions must run as a unique user account. To ensure accountability and prevent unauthenticated access to containers, the user the container is using to execute must be uniquely identified and authenticated to prevent potential misuse and compromise of the system.
Fix
In the root directory of the extracted release tar file, modify the twistlock.cfg file's line:
RUN_CONSOLE_AS_ROOT=false
For Kubernetes deployment, perform these additional steps. When generating the twistlock_console.yaml deployment file, supply the --run-as-user flag:
Linux/twistcli console export kubernetes --service-type ClusterIP --run-as-user 2674
Modify the resulting twistlock_console.yaml file to include fsGroup: 2674 within the Deployment pod specification's securityContext:
securityContext:
  fsGroup: 2674
Add runAsGroup: 2674 to the container specification's securityContext:
securityContext:
  runAsUser: 2674
  runAsGroup: 2674
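The check and the Fix for this item, turned into two small audits as an added example (not Prisma Cloud's or DISA's own tooling): the first reads `ps -aux` output and reports whether any /app/server process is owned by root, skipping the grep that matches itself; the second inspects a Deployment manifest shaped like twistlock_console.yaml for the fsGroup, runAsUser and runAsGroup settings the Fix calls for. Both the ps listing and the manifest are constructed samples, and the image reference in the manifest is a placeholder.

```python
"""Checks for CNTR-PC-000530: the Prisma Cloud Compute Console must run as uid 2674, not root.

Added example, not Prisma Cloud or DISA tooling. The ps listing and the Deployment
manifest below are constructed samples.
"""
CONSOLE_UID = 2674          # uid/gid the STIG requires for the Console process
SERVER_COMMAND = "/app/server"

# Constructed `ps -aux` output from a node hosting the Console container. ps prints the
# numeric uid in the USER column when it has no /etc/passwd entry on the node, which is
# the usual case for 2674, so a compliant Console appears as "2674" rather than a name.
SAMPLE_PS_OUTPUT = """\
USER         PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1 169000  11000 ?        Ss   Mar01   1:02 /sbin/init
2674        4211  1.3  4.0 902000 330000 ?        Ssl  Mar01  90:11 /app/server
root        5120  0.0  0.0   6400   2200 pts/0    S+   10:21   0:00 grep /app/server
"""


def server_process_owners(ps_output: str) -> list:
    """Return the USER column of every process whose executable is /app/server.

    The grep that filtered the listing matches its own command line, so that row is
    excluded by comparing argv[0] exactly instead of searching the whole command string.
    """
    owners = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 10)             # COMMAND is field 11 and may contain spaces
        if len(fields) < 11:
            continue
        user, command = fields[0], fields[10]
        if command.split()[0] == SERVER_COMMAND:
            owners.append(user)
    return owners


def console_runs_as_root(ps_output: str) -> bool:
    """True (a finding) if any /app/server process is owned by root, named or as uid 0."""
    return any(owner in ("root", "0") for owner in server_process_owners(ps_output))


# Constructed, trimmed Deployment with the same layout as twistlock_console.yaml after the
# Fix: fsGroup on the pod securityContext, runAsUser/runAsGroup on the container's.
SAMPLE_CONSOLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "twistlock-console", "namespace": "twistlock"},
    "spec": {
        "template": {
            "spec": {
                "securityContext": {"fsGroup": CONSOLE_UID},
                "containers": [
                    {
                        "name": "twistlock-console",
                        "image": "REGISTRY/twistlock/console:VERSION",   # placeholder reference
                        "securityContext": {"runAsUser": CONSOLE_UID, "runAsGroup": CONSOLE_UID},
                    }
                ],
            }
        }
    },
}


def audit_console_security_context(manifest: dict, uid: int = CONSOLE_UID) -> list:
    """Return finding strings for a Deployment manifest; an empty list means compliant.

    A container with no runAsUser is reported too: the pod would then run as whatever
    user the image declares, which is exactly what the check in this item looks for.
    """
    if manifest.get("kind") != "Deployment":
        return [f"finding: expected a Deployment manifest, got {manifest.get('kind')!r}"]
    findings = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    fs_group = (pod_spec.get("securityContext") or {}).get("fsGroup")
    if fs_group != uid:
        findings.append(f"finding: pod securityContext.fsGroup is {fs_group!r}, expected {uid}")
    containers = pod_spec.get("containers") or []
    if not containers:
        findings.append("finding: Deployment declares no containers")
    for container in containers:
        name = container.get("name", "<unnamed>")
        ctx = container.get("securityContext") or {}
        for key in ("runAsUser", "runAsGroup"):
            if ctx.get(key) != uid:
                findings.append(
                    f"finding: container {name!r} securityContext.{key} is {ctx.get(key)!r}, expected {uid}")
    return findings


if __name__ == "__main__":
    print("finding: Console owned by root" if console_runs_as_root(SAMPLE_PS_OUTPUT)
          else "Console process is not owned by root")
    print(audit_console_security_context(SAMPLE_CONSOLE_DEPLOYMENT) or "manifest compliant")
```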
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000590: Prisma Cloud Compute must be configured with unique user accounts.
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Users tab. Review the accounts for uniqueness. If there are shared local accounts, this is a finding.
Discussion
Sharing accounts, such as group accounts, reduces the accountability and integrity of Prisma Cloud Compute.
Fix
Navigate to Prisma Cloud Compute Console's Manage >> Authentication >> Users tab. Delete shared accounts and create a unique account for every Prisma Cloud Compute user.
Delete shared accounts:
- Click the three-dot menu.
- Click "Delete" and confirm "Delete User".
Create a local user account where the local user account is unique:
- Click "+Add user".
- Complete the form and click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000290: The configuration integrity of the container platform must be ensured and runtime policies must be configured.
Verify runtime policies are enabled. Navigate to Prisma Cloud Compute Console's Defend >> Runtime.
Select "Container policy".
- If a rule does not exist, this is a finding.
- If "Enable automatic runtime learning" is set to "off", this is a finding.
- Click the three dots in the "Actions" column for the rule.
- If the policy is disabled, this is a finding.
- Click the Container runtime policy.
- If the policy is not scoped to "All", this is a finding.
Select the "App-Embedded policy" tab.
- If a rule does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert on suspicious runtime behavior".
- If the policy is disabled, this is a finding.
- Click the "Default - alert on suspicious runtime behavior" policy row.
- If the "Default - alert on suspicious runtime behavior" policy is not scoped to "All", this is a finding.
Select the "Host policy" tab.
- If a rule does not exist, this is a finding.
- Click the three dots in the "Actions" column for the rule.
- If the policy is disabled, this is a finding.
- Click the Host runtime policy.
- If the policy is not scoped to "All", this is a finding.
Discussion
Prisma Cloud Compute's runtime defense is the set of features that provides both predictive and threat-based active protection for running containers. Consistent application of Prisma Cloud Compute runtime policies ensures the continual application of policies and the associated effects. Prisma Cloud Compute's configurations must be monitored for configuration drift and addressed according to organizational policy. Satisfies: SRG-APP-000101-CTR-000205, SRG-APP-000384-CTR-000915, SRG-APP-000447-CTR-001100, SRG-APP-000450-CTR-001105, SRG-APP-000507-CTR-001295, SRG-APP-000508-CTR-001300
Fix
Enable runtime policies. Navigate to Prisma Cloud Compute Console's Defend >> Runtime. Click the tab to be edited.
To add policy (for Host or App-Embedded policy):
- Click "Add rule".
- Enter rule name.
- Scope = All
- Accept the defaults and click "Save".
To enable policy:
- Click the rule's three-dot menu.
- Set to "Enable".
To change scope, click the rule row:
- Change the policy scope to "All".
- Click "Save".
To add container policy:
- Select the "Container policy" tab.
- Set "Enable automatic runtime learning" to "On".
To create a new runtime rule:
- Click "Add rule".
- Configure the following settings:
  - Enter rule name
  - Scope = All
- Select the "Anti-malware" tab. Set the following:
  - Prisma Cloud advanced threat protection = on
  - Kubernetes attacks = on
  - Suspicious queries to cloud provider APIs = on
- Select the "Process" tab. Set the following:
  - Process monitoring = enabled
- Select the "Network" tab. Set the following:
  - IP connectivity = enabled
- Select the "File system" tab. Set the following:
  - File system monitoring = enabled
- Accept the defaults and click "Save".
Select the "App-Embedded policy" tab.
- Click the rule's three-dot menu. Set to "Enable".
- Click the rule name row.
- Change the scope to "All".
- Click "Save".
Create a new runtime rule:
- Click "Add rule".
- Enter rule name.
- Scope = All
- Accept the defaults and click "Save".
Select the "Host policy" tab.
- Click the rule's three-dot menu. Set to "Enable".
- Click the rule name row.
- Change the scope to "All".
- Click "Save".
- Click "Add rule".
- Enter rule name.
- Scope = All
- Select the "Activities" tab. Set the following:
  - Host activity monitoring = "Enabled"
  - Docker commands = "On"
  - New sessions spawned by sshd = "On"
  - Commands run with sudo or su = "On"
  - Log activity from background apps = "On"
  - Track SSH events = "On"
- Accept the defaults and click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
CNTR-PC-000240: Prisma Cloud Compute Defender must be deployed to containerization nodes that are to be monitored.
Navigate to Prisma Cloud Compute Console's >> Manage >> Defenders >> Manage tab. Verify Prisma Cloud Compute Defenders have been deployed to all container runtime nodes to be monitored. Review the list of deployed Defenders. If a Defender is missing, this is a finding.
Discussion
Container platforms distribute workloads across several nodes. The ability to uniquely identify an event within an environment is critical. Prisma Cloud Compute Container Runtime audits record the time, container, corresponding image, and node where the event occurred. Satisfies: SRG-APP-000097-CTR-000180, SRG-APP-000100-CTR-000200
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> Defenders >> Manage tab.
Deploy Defender to containerization node:
- Select the method of Defender deployment.
- Configure the Defender policy.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-001440: Prisma Cloud Compute must be running the latest release.
Navigate to the Prisma Cloud Compute Console. In the top right corner, click the bell icon. A banner with the version will display. If there is a newer version, this is a finding.
Discussion
Prisma Cloud Compute releases are distributed as Docker images. Each release updates or removes components as needed based on the vulnerabilities associated with the component or the functional need of the component.
Fix
Upgrade the Prisma Cloud Compute Console and Defenders according to published procedures. https://docs.twistlock.com/docs/compute_edition/upgrade/upgrade_process_self_hosted.html
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-001390: Prisma Cloud Compute must protect the confidentiality and integrity of transmitted information.
Navigate to Prisma Cloud Compute Console's >> Manage >> System >> General tab. Inspect the Telemetry section. If "Share telemetry on product usage with Palo Alto Networks" is "On", this is a finding. If "Allow admins and operators to upload logs to Customer Support directly from Console UI" is "On", this is a finding.
Discussion
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> System >> General tab. In the Telemetry section: Set "Share telemetry on product usage with Palo Alto Networks" to "Off". Set "Allow admins and operators to upload logs to Customer Support directly from Console UI" to "Off". Click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
CNTR-PC-000030: Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
Confirm the Prisma Cloud Console has been configured for SAML-based authentication. Navigate to Prisma Cloud Compute Console's Manage >> Authentication >> Identity Providers tab. Verify SAML settings are "Enabled" and an identity provider has been configured. If SAML settings are not enabled and an identity provider has not been configured, this is a finding.
Discussion
Integration with an organization's existing identity management policies and technologies reduces the threat of account compromise and misuse. Centralized authentication services provide additional functionality to fulfill security requirements:
- Multifactor authentication, which is compatible with Rancher MCM.
- Disabling users after a period of time.
- Encrypted storage and transmission of secure information.
- Secure authentication protocols such as LDAP over TLS or LDAPS using FIPS 140-2 approved encryption modules.
- PKI-based authentication.
Satisfies: SRG-APP-000023-CTR-000055, SRG-APP-000024-CTR-000060, SRG-APP-000025-CTR-000065, SRG-APP-000033-CTR-000095, SRG-APP-000065-CTR-000115, SRG-APP-000068-CTR-000120, SRG-APP-000069-CTR-000125, SRG-APP-000149-CTR-000355, SRG-APP-000150-CTR-000360, SRG-APP-000151-CTR-000365, SRG-APP-000152-CTR-000370, SRG-APP-000163-CTR-000395, SRG-APP-000165-CTR-000405, SRG-APP-000170-CTR-000430, SRG-APP-000173-CTR-000445, SRG-APP-000174-CTR-000450, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000317-CTR-000735, SRG-APP-000318-CTR-000740, SRG-APP-000345-CTR-000785, SRG-APP-000397-CTR-000955
Fix
Configure Prisma Cloud Console for SAML-based authentication in which the SAML IdP enforces multifactor authentication (e.g., x509/smartcard authentication).
Navigate to Prisma Cloud Compute Console's Manage >> Authentication >> Identity Providers:
- Click "Add provider".
- For Protocol, select "SAML".
- For Identity provider, select provider.
- Configure the settings and click "Save".
- SAML settings = Enabled
Configure a SAML identity provider that enforces privileged account multifactor authentication for the Prisma Cloud Compute service provider.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000020: Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PSSM CAL).
For Kubernetes deployment:
Query the ports used by the twistlock-console service:
$ kubectl describe svc twistlock-console -n twistlock
If the TargetPort management-port-http exists and has a port assignment, this is a finding.
Port: management-port-http 8081/TCP
TargetPort: 8081/TCP
For Docker deployment:
Determine the name of the Console container:
docker ps|grep console
For example, the Console container is:
ad8b41a2fec9 twistlock/private:console_22_01_840
Inspect the container's PortBindings:
docker inspect ad8b41a2fec9|grep PortBindings -A 20
If port 8081 is listed, this is a finding.
Discussion
Communication to Prisma Cloud Compute Console's User Interface (UI) and API is protected by TLS v1.2+ (HTTPS). By default, only HTTPS communication to the Console's UI and API endpoints is enabled. Prisma Cloud Compute TCP port usage is configurable.
Default configuration:
- TCP 8081: Console user interface and API (HTTP) - disabled by default.
- TCP 8083: Console user interface and API TLS v1.2 (HTTPS).
- TCP 8084: Console-to-Defender communication via mutual TLS v1.2 WebSocket session.
Satisfies: SRG-APP-000014-CTR-000040, SRG-APP-000142-CTR-000325, SRG-APP-000185-CTR-000490, SRG-APP-000645-CTR-001410
Fix
For Kubernetes deployment:
Edit the deployment.apps/twistlock-console. Find the "- name: MANAGEMENT_PORT_HTTP" setting and remove the value assignment (e.g., 8081):
- name: MANAGEMENT_PORT_HTTP
  value: "8081"
Save and exit the editing session. The Console will restart automatically.
For Docker deployment:
Modify the twistlock.cfg located in the extracted release tar directory. Remove the value assignment for the MANAGEMENT_PORT_HTTP= variable.
Redeploy the Console using the twistlock.sh script located in the extracted release tar directory:
$ sudo ./twistlock.sh -sy onebox
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
CNTR-PC-000750: Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication.
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> System Certificate tab.
If not performing direct smart card authentication to the console, this is not a finding.
If performing direct smart card authentication to the console:
Revocation block:
- If "Enable certificate revocation checking" is set to "Off", this is a finding.
Show Advanced certificate configuration:
- In the "Certificate-based authentication to Console" block, verify the issuing CA(s) of the end users' certificates are within the Console CA certificate(s) field.
- If there are no users' certificates, this is a finding.
Click the "Users" tab. Review accounts with Authentication method "Local".
- If the local user account's name does not match the user's x.509 certificate's subjectName or the subject alternative name's PrincipalName value, this is a finding.
Discussion
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). User access to Prisma Cloud Compute must use multifactor (x.509 based) authentication. Satisfies: SRG-APP-000177-CTR-000465, SRG-APP-000391-CTR-000935, SRG-APP-000401-CTR-000965, SRG-APP-000402-CTR-000970, SRG-APP-000605-CTR-001380
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> System Certificate tab.
Revocation block: Set "Enable certificate revocation checking" to "On" and click "Save".
In the "Certificate-based authentication to Console" block, import the smart card's issuing CA's chain of trust to the Console CA certificate(s) field. Click "Save".
Click the "Users" tab. (Accounts cannot be edited. They must be removed and recreated correctly.)
Delete account:
- Click the three-dot menu.
- Click "Delete" and confirm "Delete User".
Create a local user account where the local user account name matches the user's x.509 certificate's subjectName or subject alternative name's PrincipalName value:
- Click "+Add user".
- Authentication Source = Local
- Username = subject alternative name's PrincipalName value
- Password = random password that is not given to the user
- Assign Role.
- Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000880: Prisma Cloud Compute must not write sensitive data to event logs.
Navigate to Prisma Cloud Compute Console's >> Manage >> System >> General tab. Inspect the Log Scrubbing section. If "Automatically scrub secrets from runtime events" is "off", this is a finding.
Discussion
The determination of what is sensitive data varies from organization to organization. The organization must ensure the recipients for the event log information have a need to know and the log is sanitized based on the audience.
Fix
Navigate to Prisma Cloud Compute Console's >> Manage >> System >> General tab. In the Log Scrubbing section, set "Automatically scrub secrets from runtime events" to "on" and click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-000500: Prisma Cloud Compute must use TCP ports above 1024.
For Kubernetes deployment:
Query the ports used by the twistlock-console service:
$ kubectl describe svc twistlock-console -n twistlock
If any port number is below 1024, this is a finding.
For Docker deployment:
Determine the name of the Console container:
docker ps|grep console
For example, the Console container is:
ad8b41a2fec9 twistlock/private:console_22_01_840
Inspect the container's PortBindings:
docker inspect ad8b41a2fec9|grep PortBindings -A 20
If the port is below 1024, this is a finding.
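Both this check and CNTR-PC-000020 above read port numbers out of the same two commands (`kubectl describe svc` and `docker inspect`). As an added example that is not part of the STIG, the shell functions below apply both checks to captured output: the management-port-http test for CNTR-PC-000020 and the below-1024 test for CNTR-PC-000500. Every sample block is constructed to resemble the output of those commands and is not a real capture; run the functions on `"$(kubectl describe svc twistlock-console -n twistlock)"` or `"$(docker inspect <id> | grep PortBindings -A 20)"` for a live check.

```shell
# Added example (not part of the STIG): evaluate the CNTR-PC-000020 (HTTP management
# port enabled) and CNTR-PC-000500 (port below 1024) checks against captured command
# output rather than by eye. Every sample below is constructed to resemble what
# `kubectl describe svc twistlock-console -n twistlock` and `docker inspect <id>`
# print; none is a real capture.

# Constructed: service with the plaintext HTTP management port still assigned.
SVC_WITH_HTTP='Name:              twistlock-console
Namespace:         twistlock
Type:              ClusterIP
Port:              management-port-http  8081/TCP
TargetPort:        8081/TCP
Port:              management-port-https  8083/TCP
TargetPort:        8083/TCP
Port:              communication-port  8084/TCP
TargetPort:        8084/TCP'

# Constructed: HTTP port removed, but HTTPS exposed on a privileged port.
SVC_PRIVILEGED='Name:              twistlock-console
Namespace:         twistlock
Type:              ClusterIP
Port:              management-port-https  443/TCP
TargetPort:        8083/TCP
Port:              communication-port  8084/TCP
TargetPort:        8084/TCP'

# Constructed: PortBindings fragment from docker inspect with a privileged host port.
PORTBINDINGS='"PortBindings": {
    "8083/tcp": [{ "HostIp": "", "HostPort": "443" }],
    "8084/tcp": [{ "HostIp": "", "HostPort": "8084" }]
}'

# CNTR-PC-000020: return 0 (finding) when management-port-http carries a port assignment.
svc_http_port_enabled() {
  printf '%s\n' "$1" | grep -Eq '^Port:[[:space:]]+management-port-http[[:space:]]+[0-9]+/TCP'
}

# Print every port number found on Port:/TargetPort: lines, one per line.
svc_ports() {
  printf '%s\n' "$1" | awk '/^(Port|TargetPort):/ {
    for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\/TCP$/) { sub(/\/TCP$/, "", $i); print $i }
  }'
}

# Print the host-side port of every binding in a docker inspect PortBindings block.
portbinding_host_ports() {
  printf '%s\n' "$1" | sed -n 's/.*"HostPort": *"\([0-9][0-9]*\)".*/\1/p'
}

# CNTR-PC-000500: return 0 (finding) when any port in the whitespace-separated list is below 1024.
has_privileged_port() {
  for p in $1; do
    if [ "$p" -lt 1024 ]; then return 0; fi
  done
  return 1
}
```

`svc_ports` reports both the Service port and the TargetPort, since either side being below 1024 is what the check asks about; `portbinding_host_ports` looks only at the host side, which is the side that needs privilege on the node.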
Discussion
Privileged ports are ports below 1024 that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. The container platform must stop containers that try to map to these ports directly. Allowing nonprivileged ports to be mapped to the container-privileged port is the allowable method when a certain port is needed. Prisma Cloud Compute default TCP ports are 8083 (Console UI and API) and 8084 (Console-to-Defender communication). To use TCP ports below 1024, the Console would have to be configured to use privileged ports.
Fix
For Kubernetes deployment:
Edit the deployment.apps/twistlock-console. Find the - name: TargetPorts below 1024. Change to a port number above 1024.
Save and exit the editing session. The Console will restart automatically.
For Docker deployment:
Modify the twistlock.cfg located in the extracted release tar directory. Change any port assignment below 1024 to above 1024:
MANAGEMENT_PORT_HTTP=
MANAGEMENT_PORT_HTTPS=8083
COMMUNICATION_PORT=8084
Redeploy the Console using the twistlock.sh script in the extracted release tar directory:
$ sudo ./twistlock.sh -sy onebox
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-001770: Prisma Cloud Compute release tar distributions must have an associated SHA-256 digest.
Offline Intelligence Stream: If using Iron Bank distribution of Prisma Cloud Compute Console and Defenders, verify the Console and Defender imageID SHA256 values match the Palo Alto Networks published release values.
For the Console and Defender images, perform the following command:
$ docker inspect twistlock/private:console_22_01_839 | grep '"Image":'
"Image": "sha256:dcd881fe9c796ed08867c242389737c4f2e8ab463377a90deddc0add4c3e8524",
If the imageID values do not match the published release SHA256 for the version of the image release, this is a finding.
Note: The image tag will be the release number, e.g., console_22_01_839.
Published release image SHA values are published here: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-compute-edition-public-sector/isolated_upgrades/releases.html
Discussion
Each Prisma Cloud Compute release's tar file has an associated SHA-256 digest hash value to ensure the components have not been modified.
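Comparing a 64-character digest by eye is error-prone, so as an added example that is not part of the STIG the shell functions below do the comparison with tools: `verify_release_tar` checks a release tar against a published SHA-256 value with `sha256sum -c`, and `image_id_matches` parses the `"Image": "sha256:..."` line that the `docker inspect` command in the check prints. The tar file and digest that `demo_release_digest_check` builds are constructed in a temporary directory, and its file name is a placeholder, not a real release name; substitute the downloaded release tar and the digest from the Palo Alto Networks release page.

```shell
# Added example (not part of the STIG): check release artifacts against published
# SHA-256 values with tools rather than by eye. The tar file built by
# demo_release_digest_check is constructed in a temp directory; its name is a
# placeholder, not a real release file name.

# verify_release_tar FILE DIGEST: return 0 if sha256(FILE) equals DIGEST, 1 otherwise.
verify_release_tar() {
  # sha256sum -c reads "<digest>  <filename>" lines (two spaces between the fields);
  # --status suppresses output so the exit code is the only result.
  printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
}

# image_id_matches LINE DIGEST: LINE is the `"Image": "sha256:..."` line from docker inspect;
# return 0 when the hex digest in it equals DIGEST (given with or without the sha256: prefix).
image_id_matches() {
  actual=$(printf '%s\n' "$1" | sed -n 's/.*"sha256:\([0-9a-f]\{64\}\)".*/\1/p')
  expected=${2#sha256:}
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Build a constructed "release tar", confirm the check passes for the right digest and
# fails once the file is altered. Returns 0 when both outcomes are as expected.
demo_release_digest_check() {
  workdir=$(mktemp -d)
  tarball="$workdir/prisma_cloud_compute_edition_PLACEHOLDER.tar.gz"
  printf 'constructed release payload\n' > "$tarball"
  # Stand-in for the digest taken from the vendor release page.
  published=$(sha256sum "$tarball" | awk '{ print $1 }')
  if verify_release_tar "$tarball" "$published"; then good=0; else good=1; fi
  printf 'tampered byte\n' >> "$tarball"
  if verify_release_tar "$tarball" "$published"; then tampered=0; else tampered=1; fi
  rm -rf "$workdir"
  [ "$good" -eq 0 ] && [ "$tampered" -eq 1 ]
}
```

For a live check, pipe the output of `docker inspect <image> | grep '"Image":'` into `image_id_matches` together with the digest from the release page, and run `verify_release_tar` on the downloaded tar before extracting it.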
Fix
Deploy the latest version from https://support.paloaltonetworks.com.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-001350: Prisma Cloud Compute Defender containers must run as root.
Verify that when deploying the Defender via daemonSet, "Run Defenders as privileged" is set to "On". Verify the Defender containers were deployed using the daemonSet.yaml in which the securityContext is privileged. If "Run Defenders as privileged" is not set to "On" or the Defender containers were not deployed using the daemonSet.yaml in which the securityContext - privileged = "on", this is a finding.
Discussion
In certain situations, the nature of the vulnerability scanning may be more intrusive, or the container platform component that is the subject of the scanning may contain highly sensitive information. To protect the sensitive nature of such scanning, Prisma Cloud Compute Defenders perform the vulnerability scanning function. The Defender container must run as root and not privileged.
Fix
Redeploy the Defender with appropriate rights by setting Run Defenders as privileged = off. Delete old twistlock-defender-ds daemonSet and redeploy daemonSet with the new yaml.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
CNTR-PC-001170: The configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured.
To verify that vulnerabilities policies are enabled, navigate to Prisma Cloud Compute Console's Defend >> Vulnerabilities.
Select the "Code repositories" tab. For the "Repositories" and "CI" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding.
Select the "Images" tab. For the "CI" and "Deployed" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding.
Select the "Hosts" tab. For the "Running hosts" and "VM images" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding.
Select the "Functions" tab. For the "Functions" and "CI" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding.
Discussion
Prisma Cloud Compute's vulnerabilities defense is the set of features that provides both predictive and threat-based active protection for running containers. Consistent application of Prisma Cloud Compute vulnerabilities policies ensures the continual application of policies and the associated effects. Prisma Cloud Compute's configurations must be monitored for configuration drift and addressed according to organizational policy. Satisfies: SRG-APP-000384-CTR-000915, SRG-APP-000456-CTR-001125, SRG-APP-000516-CTR-001335
Fix
To enable vulnerabilities policies, navigate to Prisma Cloud Compute Console's Defend >> Vulnerabilities. Click the tab to be edited.
To add a rule:
- Click "Add rule".
- Enter rule name.
- Scope = All
- Accept the defaults and click "Save".
To enable the rule:
- Click the rule three-dot menu.
- Set to "Enable".
To change scope, click the rule row:
- Change the policy scope to "All".
- Click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None