Check: CNTR-PC-000020
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-000020
(in versions v1 r3 through v1 r1)
Title
Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PSSM CAL). (Cat I impact)
Discussion
Communication to Prisma Cloud Compute Console's User Interface (UI) and API is protected by TLS v1.2+ (HTTPS). By default, only HTTPS communication to the Console's UI and API endpoints is enabled. Prisma Cloud Compute TCP port usage is configurable. Default configuration: TCP 8081 Console user interface and API (HTTP) - disabled by default. TCP 8083 Console user interface and API TLS v1.2 (HTTPS) TCP 8084 Console-to-Defender communication via mutual TLS v1.2 WebSocket session. Satisfies: SRG-APP-000014-CTR-000040, SRG-APP-000142-CTR-000325, SRG-APP-000185-CTR-000490, SRG-APP-000645-CTR-001410
Check Content
For Kubernetes deployment: Query the ports used by the twistlock-console service: $ kubectl describe svc twistlock-console -n twistlock If the TargetPort management-port-http exists and has a port assignment, this is a finding. Port: management-port-http 8081/TCP TargetPort: 8081/TCP For Docker deployment: Determine the name of the Console container: docker ps|grep console For example, the Console container is: ad8b41a2fec9 twistlock/private:console_22_01_840 Inspect the container's PortBindings: docker inspect ad8b41a2fec9|grep PortBindings -A 20 If port 8081 is listed, this is a finding.
Fix Text
For Kubernetes deployment: Edit the deployment.apps/twistlock-console. Find the - name: MANAGEMENT_PORT_HTTP setting Remove the value assignment (e.g., 8081): - name: MANAGEMENT_PORT_HTTP value: "8081" Save and exit the editing session. The Console will restart automatically. For Docker deployment: Modify the twistlock.cfg located in the extracted release tar directory. Remove the value assignment for the MANAGEMENT_PORT_HTTP= variable. Redeploy the Console using the twistlock.sh script located in the extracted release tar directory. $ sudo ./twisltock.sh -sy onebox
Additional Identifiers
Rule ID: SV-253522r879519_rule
Vulnerability ID: V-253522
Group Title: SRG-APP-000014-CTR-000040
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000382 |
The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. |
CCI-000877 |
The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. |