Check: CNTR-PC-000530
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-000530
(in versions v1 r3 through v1 r1)
Title
Prisma Cloud Compute Console must run as nonroot user (uid 2674). (Cat II impact)
Discussion
Containers not requiring root-level permissions must run as a unique user account. To ensure accountability and prevent unauthenticated access to containers, the user the container is using to execute must be uniquely identified and authenticated to prevent potential misuse and compromise of the system.
Check Content
Locate the node in which the Prisma Cloud Compute Console container is running. Determine the process owner for "app/server". Execute: "ps -aux | grep "/app/server" If the process is owned by root, this is a finding.
Fix Text
In the root directory of the extracted release tar file, modify the twistlock.cfg file's line: RUN_CONSOLE_AS_ROOT=false For Kubernetes deployment, perform these additional steps: When generating the twistlock_console.yaml deployment file, supply the --run-as-user flag. Linux/twistcli console export kubernetes --service-type ClusterIP --run-as-user 2674 Modify the resulting twistlock_console.yaml file to include fsGroup: 2674 within the Deployment pod specification's securityContext: securityContext: fsGroup: 2674 Add runAsGroup: 2674 to the container specification's securityContext: securityContext: runAsUser: 2674 runAsGroup: 2674
Additional Identifiers
Rule ID: SV-253536r879589_rule
Vulnerability ID: V-253536
Group Title: SRG-APP-000148-CTR-000345
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
Controls
Number | Title |
---|---|
IA-2 |
Identification And Authentication (Organizational Users) |