Check: CNTR-PC-000450
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-000450
(in versions v1 r1 through v1 r3)
Title
The configuration integrity of the container platform must be ensured and compliance policies must be configured. (Cat I impact)
Discussion
Consistent application of Prisma Cloud Compute compliance policies ensures the continual application of policies and the associated effects. Prisma Cloud Compute's configurations must be monitored for configuration drift and addressed according to organizational policy. Satisfies: SRG-APP-000133-CTR-000305, SRG-APP-000384-CTR-000915, SRG-APP-000435-CTR-001070, SRG-APP-000472-CTR-001170
Check Content
Verify compliance policies are enabled. Navigate to Prisma Cloud Compute Console's Defend >> Compliance.

Select the "Code repositories" tab. For the "Repositories" and "CI" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If the policy is not scoped to "All", this is a finding.

Select the "Containers and images" tab. For the "Deployed" and "CI" tabs:
- If "Default - alert on critical and high" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert on critical and high".
- If the policy is disabled, this is a finding.
- Click the "Default - alert on critical and high" policy row.
- If the policy is not scoped to "All", this is a finding.

Select the "Hosts" tab. For the "Running hosts" and "VM images" tabs:
- If "Default - alert on critical and high" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert on critical and high".
- If the policy is disabled, this is a finding.
- Click the "Default - alert on critical and high" policy row.
- If the policy is not scoped to "All", this is a finding.

Select the "Functions" tab. For the "Functions" and "CI" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If the policy is not scoped to "All", this is a finding.
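The GUI walk above is eight near-identical checks (rule exists, rule enabled, rule scoped to "All") across eight tabs, which is exactly the kind of drift check that should run on a schedule rather than by hand. The script below is an added example, not part of the STIG or of Palo Alto Networks' tooling: it applies the three conditions to the policy JSON the Compute API returns for each tab and reports every finding. The API paths in EXPECTED_RULES are an assumption taken from the Prisma Cloud Compute API reference and must be confirmed against the API version your Console exposes; the sample policy documents at the bottom are constructed for the demonstration and are not captured Console output.

```python
"""Automated equivalent of the CNTR-PC-000450 check: every Defend >> Compliance
tab must carry its default rule, enabled and scoped to the "All" collection."""
import json
import urllib.request

# One expected default rule per (tab, sub-tab) in Defend >> Compliance.
# ASSUMPTION: API paths are taken from the Prisma Cloud Compute API reference;
# confirm them against the API version your Console exposes before relying on them.
EXPECTED_RULES = {
    ("Code repositories", "Repositories"):
        ("/api/v1/policies/compliance/coderepos", "Default - alert all components"),
    ("Code repositories", "CI"):
        ("/api/v1/policies/compliance/ci/coderepos", "Default - alert all components"),
    ("Containers and images", "Deployed"):
        ("/api/v1/policies/compliance/container", "Default - alert on critical and high"),
    ("Containers and images", "CI"):
        ("/api/v1/policies/compliance/ci/images", "Default - alert on critical and high"),
    ("Hosts", "Running hosts"):
        ("/api/v1/policies/compliance/host", "Default - alert on critical and high"),
    ("Hosts", "VM images"):
        ("/api/v1/policies/compliance/vms", "Default - alert on critical and high"),
    ("Functions", "Functions"):
        ("/api/v1/policies/compliance/serverless", "Default - alert all components"),
    ("Functions", "CI"):
        ("/api/v1/policies/compliance/ci/serverless", "Default - alert all components"),
}


def _norm(name):
    """Fold en/em dashes and whitespace so a rule named with an en dash
    (as the STIG text sometimes spells it) still matches the hyphenated name."""
    return " ".join(name.replace("\u2013", "-").replace("\u2014", "-").split()).lower()


def check_policy(tab, subtab, policy):
    """Apply the three STIG conditions to one policy document.

    `policy` is the JSON object the API returns: {"rules": [{"name", "disabled",
    "collections": [{"name": ...}, ...], ...}, ...]}. Returns a list of findings;
    an empty list means this tab is compliant."""
    _, rule_name = EXPECTED_RULES[(tab, subtab)]
    where = f"{tab} > {subtab}"
    matches = [r for r in policy.get("rules", [])
               if _norm(r.get("name", "")) == _norm(rule_name)]
    if not matches:
        return [f"{where}: rule '{rule_name}' does not exist"]
    rule = matches[0]
    findings = []
    if rule.get("disabled", False):
        findings.append(f"{where}: rule '{rule_name}' is disabled")
    scopes = [c.get("name") for c in rule.get("collections", [])]
    if "All" not in scopes:
        findings.append(f"{where}: rule '{rule_name}' is scoped to {scopes or 'nothing'}, not 'All'")
    return findings


def check_all(policies):
    """policies maps (tab, sub-tab) -> policy JSON. A tab that could not be
    retrieved is itself reported, so an API error never reads as 'compliant'."""
    findings = []
    for key in EXPECTED_RULES:
        if key not in policies:
            findings.append(f"{key[0]} > {key[1]}: policy not retrieved")
            continue
        findings.extend(check_policy(*key, policies[key]))
    return findings


def fetch_policies(console_url, username, password):
    """Pull every compliance policy from a live Console (not exercised offline).
    Authenticates via POST /api/v1/authenticate and sends the token as a Bearer header."""
    req = urllib.request.Request(
        console_url + "/api/v1/authenticate",
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["token"]
    policies = {}
    for key, (path, _) in EXPECTED_RULES.items():
        req = urllib.request.Request(console_url + path,
                                     headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            policies[key] = json.load(resp)
    return policies


# Constructed sample documents (not captured from a real Console) in the API's shape.
COMPLIANT_CONTAINER = {"rules": [{"name": "Default - alert on critical and high",
                                  "disabled": False, "effect": "alert",
                                  "collections": [{"name": "All"}]}]}
DRIFTED_HOST = {"rules": [{"name": "Default - alert on critical and high",
                           "disabled": True, "effect": "alert",
                           "collections": [{"name": "prod-hosts"}]}]}

if __name__ == "__main__":
    # Against a live Console: check_all(fetch_policies("https://console:8083", user, pw))
    for line in check_policy("Containers and images", "Deployed", COMPLIANT_CONTAINER):
        print(line)
    for line in check_policy("Hosts", "Running hosts", DRIFTED_HOST):
        print(line)
```

Run it from a host that already has a Console account with read access to policies; `check_all` reports a tab whose policy could not be fetched as a finding on purpose, so a failed API call cannot masquerade as a clean result. The scope test accepts any rule whose collection list contains "All", which is what the STIG's "scoped to All" requires; tighten it to `scopes == ["All"]` if your organization's policy forbids extra collections on the default rule.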
Fix Text
Enable compliance policies. Navigate to Prisma Cloud Compute Console's Defend >> Compliance and click the tab to be edited.

To add a missing rule:
- Click "Add rule".
- Enter the rule name and set Scope = All.
- Accept the defaults and click "Save".

To enable a disabled rule:
- Click the rule's three-dot menu and set it to "Enable".

To correct the scope:
- Click the rule row.
- Change the policy scope to "All".
- Click "Save".
Additional Identifiers
Rule ID: SV-253532r879586_rule
Vulnerability ID: V-253532
Group Title: SRG-APP-000133-CTR-000305
CCIs
Number | Definition |
---|---|
CCI-001499 | The organization limits privileges to change software resident within software libraries. |
CCI-001734 | The organization defines the restrictions to be followed on the use of open source software. |
CCI-001764 | The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. |
CCI-002355 | The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user. |
CCI-002385 | The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
CCI-002666 | The organization defines the information system monitoring tools that will have visibility into organization-defined encrypted communications traffic. |
CCI-002696 | The information system verifies correct operation of organization-defined security functions. |
Controls
Number | Title |
---|---|
AC-24 (2) | No User Or Process Identity |
CM-5 (6) | Limit Library Privileges |
CM-7 (2) | Prevent Program Execution |
CM-10 (1) | Open Source Software |
SC-5 | Denial Of Service Protection |
SI-4 (10) | Visibility Of Encrypted Communications |
SI-6 | Security Function Verification |