Check: CNTR-PC-000030
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-000030
(in versions v1 r3 through v1 r1)
Title
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible. (Cat II impact)
Discussion
Integration with an organization's existing identity management policies and technologies reduces the threat of account compromise and misuse. Centralized authentication services provide additional functionality to fulfill security requirements:

- Multifactor authentication, which is compatible with Rancher MCM.
- Disabling users after a period of time.
- Encrypted storage and transmission of secure information.
- Secure authentication protocols such as LDAP over TLS or LDAPS using FIPS 140-2 approved encryption modules.
- PKI-based authentication.

Satisfies: SRG-APP-000023-CTR-000055, SRG-APP-000024-CTR-000060, SRG-APP-000025-CTR-000065, SRG-APP-000033-CTR-000095, SRG-APP-000065-CTR-000115, SRG-APP-000068-CTR-000120, SRG-APP-000069-CTR-000125, SRG-APP-000149-CTR-000355, SRG-APP-000150-CTR-000360, SRG-APP-000151-CTR-000365, SRG-APP-000152-CTR-000370, SRG-APP-000163-CTR-000395, SRG-APP-000165-CTR-000405, SRG-APP-000170-CTR-000430, SRG-APP-000173-CTR-000445, SRG-APP-000174-CTR-000450, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000317-CTR-000735, SRG-APP-000318-CTR-000740, SRG-APP-000345-CTR-000785, SRG-APP-000397-CTR-000955
Check Content
Confirm the Prisma Cloud Console has been configured for SAML-based authentication.

Navigate to Prisma Cloud Compute Console's Manage >> Authentication >> Identity Providers tab. Verify SAML settings are "Enabled" and an identity provider has been configured.

If SAML settings are not enabled and an identity provider has not been configured, this is a finding.
Fix Text
Configure Prisma Cloud Console for SAML-based authentication in which the SAML IdP enforces multifactor authentication (e.g., x509/smartcard authentication).

Navigate to Prisma Cloud Compute Console's Manage >> Authentication >> Identity Providers:

- Click "Add provider".
- For Protocol, select "SAML".
- For Identity provider, select the provider.
- Configure the settings and click "Save".

SAML settings = Enabled

Configure a SAML identity provider that enforces privileged account multifactor authentication for the Prisma Cloud Compute service provider.
Additional Identifiers
Rule ID: SV-253523r879522_rule
Vulnerability ID: V-253523
Group Title: SRG-APP-000023-CTR-000055
CCIs
Number | Definition
---|---
CCI-000015 | The organization employs automated mechanisms to support the information system account management functions.
CCI-000016 | The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account.
CCI-000017 | The information system automatically disables inactive accounts after an organization-defined time period.
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
CCI-000048 | The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
CCI-000050 | The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system.
CCI-000195 | The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
CCI-000198 | The information system enforces minimum password lifetime restrictions.
CCI-000199 | The information system enforces maximum password lifetime restrictions.
CCI-000200 | The information system prohibits password reuse for the organization-defined number of generations.
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000765 | The information system implements multifactor authentication for network access to privileged accounts.
CCI-000766 | The information system implements multifactor authentication for network access to non-privileged accounts.
CCI-000767 | The information system implements multifactor authentication for local access to privileged accounts.
CCI-000768 | The information system implements multifactor authentication for local access to non-privileged accounts.
CCI-000795 | The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.
CCI-001683 | The information system notifies organization-defined personnel or roles for account creation actions.
CCI-001684 | The information system notifies organization-defined personnel or roles for account modification actions.
CCI-001685 | The information system notifies organization-defined personnel or roles for account disabling actions.
CCI-001686 | The information system notifies organization-defined personnel or roles for account removal actions.
CCI-002011 | The information system accepts FICAM-approved third-party credentials.
CCI-002041 | The information system allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-002112 | The organization assigns account managers for information system accounts.
CCI-002115 | The organization specifies authorized users of the information system.
CCI-002142 | The information system terminates shared/group account credentials when members leave the group.
CCI-002145 | The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
CCI-002208 | The information system uniquely authenticates destination by organization, system, application, and/or individual for information transfer.
CCI-002238 | The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
Controls
Number | Title
---|---
AC-2 | Account Management
AC-2 (1) | Automated System Account Management
AC-2 (2) | Removal Of Temporary / Emergency Accounts
AC-2 (3) | Disable Inactive Accounts
AC-2 (4) | Automated Audit Actions
AC-2 (10) | Shared / Group Account Credential Termination
AC-2 (11) | Usage Conditions
AC-3 | Access Enforcement
AC-4 (17) | Domain Authentication
AC-7 | Unsuccessful Logon Attempts
AC-8 | System Use Notification
IA-2 (1) | Network Access To Privileged Accounts
IA-2 (2) | Network Access To Non-Privileged Accounts
IA-2 (3) | Local Access To Privileged Accounts
IA-2 (4) | Local Access To Non-Privileged Accounts
IA-4 | Identifier Management
IA-5 (1) | Password-Based Authentication
IA-8 (2) | Acceptance Of Third-Party Credentials