Check: CNTR-PC-001380
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-001380
(in versions v1 r3 through v1 r1)
Title
Prisma Cloud Compute must run within a defined/separate namespace (e.g., Twistlock). (Cat II impact)
Discussion
Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Prisma Cloud Compute containers running within a separate and exclusive namespace will inherit the namespace's security features. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive actions by authorized users.
Check Content
Inspect the Kubernetes namespace in which Prisma Cloud Compute is deployed:

$ kubectl get pods -n twistlock
NAME                                 READY   STATUS    RESTARTS   AGE
twistlock-console-855744b66b-xs9cm   1/1     Running   0          4d6h
twistlock-defender-ds-99zj7          1/1     Running   0          58d
twistlock-defender-ds-drsh8          1/1     Running   0          58d

Inspect the list of pods. If a pod that is not part of Prisma Cloud Compute (its name does not start with "twistlock") is running in the same namespace, this is a finding.
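The check above can be scripted. The following is an added shell example, not part of the STIG or of Prisma Cloud Compute, that applies the same rule (every pod name in the namespace must start with "twistlock") to a pod listing; the function name check_namespace_pods and the sample listing are constructed for the example, and the kubectl invocation in the comment uses standard kubectl output options.

```shell
#!/bin/sh
# Added example (not from the STIG): automate the CNTR-PC-001380 namespace check.
# Input is one pod name per line, as produced by
#   kubectl get pods -n twistlock --no-headers -o custom-columns=NAME:.metadata.name
# Any pod whose name does not start with the expected prefix is reported as a finding.

# check_namespace_pods PREFIX < pod-names
# Prints "FINDING: <pod>" for each offending pod; returns 1 if any finding, else 0.
check_namespace_pods() {
  prefix="$1"
  findings=0
  while IFS= read -r name; do
    [ -z "$name" ] && continue            # skip blank lines
    case "$name" in
      "$prefix"*) ;;                      # expected Prisma Cloud Compute pod
      *) echo "FINDING: $name"; findings=1 ;;
    esac
  done
  return "$findings"
}

# Live use against a cluster (requires kubectl and cluster access):
# kubectl get pods -n twistlock --no-headers -o custom-columns=NAME:.metadata.name \
#   | check_namespace_pods twistlock

# Constructed sample listing: the compliant pods from the STIG output plus one stray pod.
SAMPLE_PODS='twistlock-console-855744b66b-xs9cm
twistlock-defender-ds-99zj7
twistlock-defender-ds-drsh8
nginx-deployment-7c79c4bf97-abcde'

if printf '%s\n' "$SAMPLE_PODS" | check_namespace_pods twistlock; then
  echo "No finding: only Prisma Cloud Compute pods in namespace"
else
  echo "Finding: non-Prisma Cloud Compute pod(s) present in namespace"
fi
```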
Fix Text
Deploy the Prisma Cloud Compute Console and Defender containers within a distinct namespace.
Additional Identifiers
Rule ID: SV-253547r879802_rule
Vulnerability ID: V-253547
Group Title: SRG-APP-000431-CTR-001065
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002500 | The organization defines the maximum bandwidth values to which covert storage and/or timing channels are to be reduced. |
CCI-002530 | The information system maintains a separate execution domain for each executing process. |