Check: CNTR-PC-000640
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-000640
(in versions v1 r3 through v1 r1)
Title
Prisma Cloud Compute local accounts must enforce strong password requirements. (Cat II impact)
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that must be tested before the password is compromised. Satisfies: SRG-APP-000164-CTR-000400, SRG-APP-000166-CTR-000410, SRG-APP-000167-CTR-000415, SRG-APP-000168-CTR-000420, SRG-APP-000169-CTR-000425, SRG-APP-000389-CTR-000925, SRG-APP-000391-CTR-000935, SRG-APP-000400-CTR-000960
Check Content
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Logon tab. - If "Token validity period" is greater than 15, this is a finding. - If "Enable context sensitive help and single sign on to the Prisma Cloud Support site" is set to "on", this is a finding. - If "Disable basic authentication for the API" is set to "off", this is a finding. - If "Require strong passwords for local accounts" is set to "off", this is a finding. - If "Require strict certificate validation in Defender installation links" is set to "on", this is a finding.
Fix Text
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Logon tab. - Set "Token validity period" to 15 or less. - Set "Enable context sensitive help and single sign on to the Prisma Cloud Support site" to "off". - Set "Disable basic authentication for the API" to "on". - Set "Require strong passwords for local accounts" to "on". - Set "Require strict certificate validation in Defender installation links" to "off". - Click "Save" and "Restart".
Additional Identifiers
Rule ID: SV-253538r879601_rule
Vulnerability ID: V-253538
Group Title: SRG-APP-000164-CTR-000400
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000192 |
The information system enforces password complexity by the minimum number of upper case characters used. |
CCI-000193 |
The information system enforces password complexity by the minimum number of lower case characters used. |
CCI-000194 |
The information system enforces password complexity by the minimum number of numeric characters used. |
CCI-000205 |
The information system enforces minimum password length. |
CCI-001619 |
The information system enforces password complexity by the minimum number of special characters used. |
CCI-001923 |
The organization defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries. |
CCI-001953 |
The information system accepts Personal Identity Verification (PIV) credentials. |
CCI-001977 |
The organization defines the external organizations with which it will coordinate for cross-management of identifiers. |
CCI-002007 |
The information system prohibits the use of cached authenticators after an organization-defined time period. |
CCI-002008 |
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications. |
CCI-002038 |
The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. |
Controls
Number | Title |
---|---|
AU-16 |
Cross-Organizational Auditing |
IA-2 (12) |
Acceptance Of Piv Credentials |
IA-4 (6) |
Cross-Organization Management |
IA-5 (1) |
Password-Based Authentication |
IA-5 (13) |
Expiration Of Cached Authenticators |
IA-5 (14) |
Managing Content Of Pki Trust Stores |
IA-11 |
Re-Authentication |