Check: CNTR-PC-000120
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-000120
(in versions v1 r3 through v1 r1)
Title
Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders. (Cat II impact)
Discussion
The container platform keystore is used to store credentials that are used to build a trust between the container platform and an external source. This trust relationship is authorized by the organization. If a malicious user were to have access to the container platform keystore, two negative scenarios could develop: 1. Keys not approved could be introduced. 2. Approved keys could be deleted, leading to the introduction of container images from sources the organization never approved. To thwart this threat, it is important to protect the container platform keystore and give access to only individuals and roles approved by the organization. Satisfies: SRG-APP-000033-CTR-000100, SRG-APP-000118-CTR-000240, SRG-APP-000121-CTR-000255, SRG-APP-000133-CTR-000300, SRG-APP-000211-CTR-000530, SRG-APP-000233-CTR-000585, SRG-APP-000340-CTR-000770, SRG-APP-000380-CTR-000900
Check Content
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Users tab. Inspect the users' role assignments: - Review role assigned to users. If role and/or the Collection assignment is incorrect, this is a finding. - If a user is not assigned a role, this is a finding. - Review users assigned the administrator role. If a user has the administrator role and does not require access, this is a finding. Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Groups tab. (Only the Administrator, Operator Prisma Cloud Compute roles have the ability to create/modify policy that could affect runtime behaviors.) Inspect the groups' role assignments: - If any users or groups are assigned the Auditor or higher role and do not require access to audit information, this is a finding. - If a group is not assigned a role, this is a finding. - If role and/or Collection assignment is incorrect, this is a finding. - Review groups assigned the Administrator or Operator role. If a group has the Administrator or Operator role and does not require access to Prisma Cloud Compute's Credential Store, this is a finding.
Fix Text
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Users tab. - Set the users' role assignments to the ones who have the authority to review the audit data. - Assign roles to all users and groups. - Assign administrator and operator roles only to the users requiring the rights to modify the Prisma Cloud Compute's Credential Store. - Remove the Administrator or Operator role for users who do not require access. Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Groups tab. - Set the groups' role assignments to the ones who have the authority to review audit data. - Assign roles to all users and groups. - Set the groups' Administrator and Operator role assignments to only to the groups requiring the rights to modify the Prisma Cloud Compute's Credential Store. Adjust user, group, and Collection assignments to align with organizational policies.
Additional Identifiers
Rule ID: SV-253524r879530_rule
Vulnerability ID: V-253524
Group Title: SRG-APP-000033-CTR-000100
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000162 |
The information system protects audit information from unauthorized access. |
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-001082 |
The information system separates user functionality (including user interface services) from information system management functionality. |
CCI-001084 |
The information system isolates security functions from nonsecurity functions. |
CCI-001493 |
The information system protects audit tools from unauthorized access. |
CCI-001499 |
The organization limits privileges to change software resident within software libraries. |
CCI-001783 |
The organization defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the information system. |
CCI-001813 |
The information system enforces access restrictions. |
CCI-002205 |
The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer. |
CCI-002235 |
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |
AC-4 (17) |
Domain Authentication |
AC-6 (10) |
Prohibit Non-Privileged Users From Executing Privileged Functions |
AU-9 |
Protection Of Audit Information |
CM-5 (1) |
Automated Access Enforcement / Auditing |
CM-5 (6) |
Limit Library Privileges |
CM-8 (3) |
Automated Unauthorized Component Detection |
SC-2 |
Application Partitioning |
SC-3 |
Security Function Isolation |