Check: CNTR-PC-000850
Palo Alto Networks Prisma Cloud Compute STIG: CNTR-PC-000850
(in versions v1 r3 through v1 r1)
Title
Prisma Cloud Compute must prevent unauthorized and unintended information transfer. (Cat II impact)
Discussion
Prisma Cloud Compute Compliance policies must be enabled to ensure running containers do not access privileged resources. Satisfies: SRG-APP-000243-CTR-000595, SRG-APP-000243-CTR-000600, SRG-APP-000246-CTR-000605, SRG-APP-000342-CTR-000775
Check Content
Navigate to Prisma Cloud Compute Console's Defend >> Compliance >> Containers and images tab >> Deployed tab. For each rule name, click the rule and confirm the following checks (filter on ID):

- ID = 54: Do not use privileged container
- ID = 5525: Restrict container from acquiring additional privileges are not configured
- ID = 59: Do not share the host's network namespace
- ID = 515: Do not share the host's process namespace
- ID = 516: Do not share the host's IPC namespace
- ID = 517: Do not directly expose host devices to containers
- ID = 520: Do not share the host's UTS namespace
- ID = 530: Do not share the host's user namespaces
- ID = 55: Do not mount sensitive host system directories on containers
- ID = 57: Do not map privileged ports within containers
- ID = 5510: Limit memory usage for container
- ID = 5511: Set container CPU priority appropriately
- ID = 599: Container is running as root
- ID = 41: Image should be created with a non-root user

If the action for each rule is set to "Ignore", this is a finding.
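The same audit can be scripted against an exported compliance policy so that it runs on every Console rather than by clicking through each rule. This is an added example, not Prisma Cloud Compute's own code: the export shape it reads (a `rules` list, each rule with a `name` and a `checks` list of `{id, action}` entries) is an assumption, and the sample policy is constructed here; map the field names onto whatever the Console actually exports.

```python
from __future__ import annotations

# Compliance check IDs and titles as listed in the check content above.
REQUIRED_CHECKS = {
    54: "Do not use privileged container",
    5525: "Restrict container from acquiring additional privileges",
    59: "Do not share the host's network namespace",
    515: "Do not share the host's process namespace",
    516: "Do not share the host's IPC namespace",
    517: "Do not directly expose host devices to containers",
    520: "Do not share the host's UTS namespace",
    530: "Do not share the host's user namespaces",
    55: "Do not mount sensitive host system directories on containers",
    57: "Do not map privileged ports within containers",
    5510: "Limit memory usage for container",
    5511: "Set container CPU priority appropriately",
    599: "Container is running as root",
    41: "Image should be created with a non-root user",
}


def audit_policy(policy: dict) -> list:
    """Return (rule name, check id, problem) for every deployed rule whose
    action for a required check is "Ignore", or which omits the check
    entirely (treated as a finding because the check is then not enforced)."""
    findings = []
    for rule in policy.get("rules", []):  # assumed export shape
        actions = {c["id"]: str(c.get("action", "ignore")).lower()
                   for c in rule.get("checks", [])}
        for cid, title in REQUIRED_CHECKS.items():
            action = actions.get(cid)
            if action is None:
                findings.append((rule["name"], cid, f"check missing ({title})"))
            elif action == "ignore":
                findings.append((rule["name"], cid, f"action is Ignore ({title})"))
    return findings


# Constructed sample export (not real Console output): the first rule is
# compliant, the second ignores check 54 and omits check 599.
SAMPLE_POLICY = {"rules": [
    {"name": "Default - alert on all",
     "checks": [{"id": cid, "action": "alert"} for cid in REQUIRED_CHECKS]},
    {"name": "Dev namespace",
     "checks": [{"id": cid, "action": "ignore" if cid == 54 else "block"}
                for cid in REQUIRED_CHECKS if cid != 599]},
]}

if __name__ == "__main__":
    for rule_name, cid, problem in audit_policy(SAMPLE_POLICY):
        print(f"FINDING: rule '{rule_name}', ID = {cid}: {problem}")
```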
Fix Text
Navigate to Prisma Cloud Compute Console's Defend >> Compliance >> Containers and images tab >> Deployed tab. Click the rule name, filter on Rule ID, and for each of the following IDs change Action to "Alert" or "Block" (based on organizational needs), then click "Save":

- ID = 54 - Do not use privileged container
- ID = 5525 - Restrict container from acquiring additional privileges are not configured
- ID = 59 - Do not share the host's network namespace
- ID = 515 - Do not share the host's process namespace
- ID = 516 - Do not share the host's IPC namespace
- ID = 517 - Do not directly expose host devices to containers
- ID = 520 - Do not share the host's UTS namespace
- ID = 530 - Do not share the host's user namespaces
- ID = 55 - Do not mount sensitive host system directories on containers
- ID = 57 - Do not map privileged ports within containers
- ID = 5510 - Limit memory usage for container
- ID = 5511 - Set container CPU priority appropriately
- ID = 599 - Container is running as root
- ID = 41 - Image should be created with a non-root user
Additional Identifiers
Rule ID: SV-253540r879649_rule
Vulnerability ID: V-253540
Group Title: SRG-APP-000243-CTR-000595
CCIs
Number | Definition
---|---
CCI-001090 | The information system prevents unauthorized and unintended information transfer via shared system resources.
CCI-001094 | The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.
CCI-002203 | The organization defines the unsanctioned information the information system is to examine when transferring information between different security domains.
CCI-002233 | The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.