Check: CNTR-PC-000310
Palo Alto Networks Prisma Cloud Compute STIG: CNTR-PC-000310
(in versions v1 r1 through v1 r3)
Title
Prisma Cloud Compute must be configured to send events to the hosts' syslog. (Cat II impact)
Discussion
Event log collection is critical to securing a containerized environment because the workloads are ephemeral. In an environment that is continually in flux, audit logs must be properly collected and secured. Prisma Cloud Compute can be configured to send audit events to the host node's syslog in RFC 5424-compliant format. Writing to the host's syslog only places the records on the node; retention there and off-host forwarding to a central collector depend on how the host's syslog daemon is configured.
Satisfies: SRG-APP-000111-CTR-000220, SRG-APP-000181-CTR-000485, SRG-APP-000358-CTR-000805, SRG-APP-000474-CTR-001180, SRG-APP-000516-CTR-000790
Check Content
Navigate to the Prisma Cloud Compute Console >> Manage >> Alerts >> Logging tab.
If the Syslog setting is "disabled", this is a finding.
Select the "Manage" tab.
If no Alert Providers are configured, this is a finding.
Fix Text
Navigate to the Prisma Cloud Compute Console >> Manage >> Alerts >> Logging tab. Set Syslog to "enabled".
Select the "Manage" tab. Click "Add profile". Complete the form based on the organization's requirements. At a minimum, the following Alert triggers must be selected:
- Host vulnerabilities.
- Image vulnerabilities.
Click "Save".
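Once Syslog is enabled, the practical verification is on the host side: confirm that records from the Defender actually arrive in the node's syslog and that they are well-formed RFC 5424 messages rather than legacy RFC 3164 lines. The following is an added example, not part of the STIG and not Palo Alto Networks' code. It parses syslog lines against the RFC 5424 header and STRUCTURED-DATA grammar and classifies them; the APP-NAME value (`prisma-defender`), the SD-ID `audit@32473` (the RFC's documentation enterprise number) and all sample lines are constructed placeholders, not the format Prisma Cloud Compute actually emits.

```python
"""Verify that RFC 5424 events from a given APP-NAME are present in captured host syslog.

Added example; the APP-NAME, SD-IDs and sample lines are constructed placeholders."""
import re
from dataclasses import dataclass

# ASSUMPTION: placeholder APP-NAME; replace with the value your Defender actually writes.
PRISMA_APPNAME = "prisma-defender"

# RFC 5424 HEADER: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
_SD_ELEMENT = re.compile(r'\[([^\s=\]"]{1,32})((?: [^\s=\]"]{1,32}="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'([^\s=\]"]{1,32})="((?:[^"\\]|\\.)*)"')


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    sd: dict
    msg: str


def parse_rfc5424(line: str) -> SyslogEvent:
    """Parse one syslog line; raise ValueError if it is not RFC 5424 compliant."""
    m = _HEADER.match(line.rstrip("\n"))
    if not m:
        raise ValueError("header does not match the RFC 5424 layout")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError("PRI out of range")
    if m.group("version") != "1":
        raise ValueError("unsupported VERSION %s" % m.group("version"))
    rest = m.group("rest")
    sd = {}
    if rest.startswith("-"):          # NILVALUE: no structured data
        rest = rest[1:]
    else:                             # one or more SD-ELEMENTs, no separator between them
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            e = _SD_ELEMENT.match(rest, pos)
            if not e:
                raise ValueError("malformed STRUCTURED-DATA")
            sd[e.group(1)] = dict(_SD_PARAM.findall(e.group(2)))
            pos = e.end()
        if not sd:
            raise ValueError("STRUCTURED-DATA must be '-' or at least one SD-ELEMENT")
        rest = rest[pos:]
    if rest and not rest.startswith(" "):
        raise ValueError("MSG must be separated from STRUCTURED-DATA by a space")
    msg = rest[1:] if rest else ""
    return SyslogEvent(pri // 8, pri % 8, m.group("timestamp"), m.group("hostname"),
                       m.group("appname"), m.group("procid"), m.group("msgid"), sd, msg)


def audit_host_syslog(lines, appname):
    """Classify captured lines: RFC 5424 events from `appname`, other apps, or malformed.
    A finding is raised when no event from `appname` reached the host's syslog."""
    report = {"matched": 0, "other": 0, "malformed": 0, "events": []}
    for line in lines:
        try:
            ev = parse_rfc5424(line)
        except ValueError:
            report["malformed"] += 1
            continue
        if ev.appname == appname:
            report["matched"] += 1
            report["events"].append(ev)
        else:
            report["other"] += 1
    report["finding"] = report["matched"] == 0
    return report


# Constructed sample of what a node's syslog might contain after enabling the setting.
SAMPLE_LINES = [
    '<14>1 2024-05-01T12:00:00.123Z node01 prisma-defender 4242 vuln '
    '[audit@32473 type="hostVulnerability" severity="critical"] new critical host vulnerability',
    '<14>1 2024-05-01T12:00:01Z node01 prisma-defender 4242 vuln '
    '[audit@32473 type="imageVulnerability" image="registry.example/app:1.0"] new image vulnerability',
    '<13>1 2024-05-01T12:00:02Z node01 sshd 900 - - Accepted publickey for alice',
    '<14>0 2024-05-01T12:00:03Z node01 prisma-defender 4242 vuln - bad VERSION field',
    '<14>May  1 12:00:04 node01 prisma-defender: legacy RFC 3164 line, not RFC 5424',
]

if __name__ == "__main__":
    r = audit_host_syslog(SAMPLE_LINES, PRISMA_APPNAME)
    print({k: v for k, v in r.items() if k != "events"})
```

In use, feed the function the tail of the host's syslog file (or a capture from the receiving syslog daemon) instead of `SAMPLE_LINES`. Lines counted as malformed deserve attention even when there is no finding: a Defender writing RFC 3164-style lines would not meet the RFC 5424 expectation stated in the Discussion, and central collectors that parse structured data will drop or mangle them.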
Additional Identifiers
Rule ID: SV-253530r879572_rule
Vulnerability ID: V-253530
Group Title: SRG-APP-000111-CTR-000220
CCIs
Number | Definition |
---|---|
CCI-000154 | The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
CCI-000366 | The organization implements the security configuration settings. |
CCI-001821 | The organization defines the organizational personnel or roles to whom the configuration management policy is to be disseminated. |
CCI-001846 | The organization defines information system components that will generate the audit records which are to be captured for centralized management of the content. |
CCI-001851 | The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
CCI-001876 | The information system provides an audit reduction capability that supports on-demand reporting requirements. |
CCI-002672 | The organization analyzes outbound communications traffic at organization-defined interior points within the system (e.g., subsystems, subnetworks) to detect covert exfiltration of information. |
CCI-002702 | The information system shuts the information system down, restarts the information system, and/or initiates organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered. |
Controls
Number | Title |
---|---|
AU-3 (2) | Centralized Management Of Planned Audit Record Content |
AU-4 (1) | Transfer To Alternate Storage |
AU-6 (4) | Central Review And Analysis |
AU-7 | Audit Reduction And Report Generation |
CM-1 | Configuration Management Policy And Procedures |
CM-6 | Configuration Settings |
SI-4 (18) | Analyze Traffic / Covert Exfiltration |
SI-6 | Security Function Verification |