Check: CNTR-PC-000750
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-000750
(in versions v1 r1 through v1 r3)
Title
Prisma Cloud Compute must be configured to require local user accounts to use X.509 multifactor authentication. (Cat II impact)
Discussion
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). User access to Prisma Cloud Compute must use multifactor (X.509-based) authentication. Satisfies: SRG-APP-000177-CTR-000465, SRG-APP-000391-CTR-000935, SRG-APP-000401-CTR-000965, SRG-APP-000402-CTR-000970, SRG-APP-000605-CTR-001380
Check Content
Navigate to Prisma Cloud Compute Console >> Manage >> Authentication >> System Certificate tab.

If the Console is not performing direct smart card authentication, this is not a finding.

If the Console is performing direct smart card authentication:

Revocation block:
- If "Enable certificate revocation checking" is set to "Off", this is a finding.

Show Advanced certificate configuration:
- In the "Certificate-based authentication to Console" block, verify that the issuing CA(s) of the end users' certificates are present in the "Console CA certificate(s)" field.
- If the issuing CA(s) of the users' certificates are not present, this is a finding.

Click the "Users" tab and review accounts with Authentication method "Local":
- If a local user account's name does not match the user's X.509 certificate's subjectName or the subject alternative name's PrincipalName value, this is a finding.
Fix Text
Navigate to Prisma Cloud Compute Console >> Manage >> Authentication >> System Certificate tab.

Revocation block:
- Set "Enable certificate revocation checking" to "On" and click "Save".

In the "Certificate-based authentication to Console" block:
- Import the smart card issuing CA's chain of trust into the "Console CA certificate(s)" field.
- Click "Save".

Click the "Users" tab. (Accounts cannot be edited; a non-compliant account must be removed and recreated correctly.)

Delete the account:
- Click the three-dot menu.
- Click "Delete" and confirm "Delete User".

Create a local user account whose name matches the user's X.509 certificate's subjectName or subject alternative name's PrincipalName value:
- Click "+Add user".
- Authentication Source = Local
- Username = subject alternative name's PrincipalName value
- Password = random password that is not given to the user
- Assign Role.
- Click "Save".
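The identity-mapping part of this check (local account name equal to the certificate's subjectName or its subject alternative name PrincipalName) can be pre-audited before the Console is touched. The script below is an added example written for this page; it is not Prisma Cloud Compute code and does not call the Prisma Cloud API. It uses only the Python standard library to encode and decode just enough DER to pull the PrincipalName (UPN, otherName OID 1.3.6.1.4.1.311.20.2.3) out of a SubjectAltName value, then flags Local accounts that match neither identity. The account records, the helper names (build_san, parse_san, audit_local_accounts) and the @mil usernames are constructed for illustration and are assumptions, not anything the STIG defines.

```python
"""Audit local account names against X.509 identities (added example).

Encodes/decodes a minimal subset of DER (stdlib only) so that the
userPrincipalName otherName (OID 1.3.6.1.4.1.311.20.2.3) can be read
from a SubjectAltName value, then applies the CNTR-PC-000750 rule:
a Local account is a finding unless its name equals the cert's
subjectName CN or one of its SAN PrincipalName values.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft userPrincipalName otherName


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value triple (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def der_read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_san(upn: str = "", emails=(), dns_names=()) -> bytes:
    """Build a DER GeneralNames SEQUENCE like the one a CA puts in the SAN extension."""
    names = b""
    if upn:
        # otherName ::= [0] IMPLICIT { type-id OID, value [0] EXPLICIT UTF8String }
        other = der_tlv(0x06, encode_oid(UPN_OID)) + der_tlv(0xA0, der_tlv(0x0C, upn.encode("utf-8")))
        names += der_tlv(0xA0, other)
    for email in emails:
        names += der_tlv(0x81, email.encode("ascii"))  # rfc822Name [1]
    for name in dns_names:
        names += der_tlv(0x82, name.encode("ascii"))  # dNSName [2]
    return der_tlv(0x30, names)


def parse_san(der: bytes) -> dict:
    """Return the UPNs, rfc822Names and dNSNames found in a DER SAN value."""
    tag, body, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    found = {"upn": [], "rfc822": [], "dns": []}
    pos = 0
    while pos < len(body):
        tag, value, pos = der_read_tlv(body, pos)
        if tag == 0xA0:  # otherName: OID followed by the [0] EXPLICIT value
            _, oid_raw, after_oid = der_read_tlv(value, 0)
            _, explicit, _ = der_read_tlv(value, after_oid)
            if decode_oid(oid_raw) == UPN_OID:
                _, utf8, _ = der_read_tlv(explicit, 0)
                found["upn"].append(utf8.decode("utf-8"))
        elif tag == 0x81:
            found["rfc822"].append(value.decode("ascii"))
        elif tag == 0x82:
            found["dns"].append(value.decode("ascii"))
    return found


def audit_local_accounts(accounts: list) -> list:
    """One finding per Local account whose name matches neither the subject CN
    nor a SAN PrincipalName. Non-Local accounts are outside this check."""
    findings = []
    for acct in accounts:
        if acct["auth_method"] != "Local":
            continue
        identities = {acct["cert_subject_cn"], *parse_san(acct["cert_san_der"])["upn"]}
        if acct["username"] not in identities:
            findings.append(f"{acct['username']}: matches none of {sorted(identities)}")
    return findings


# Constructed sample records (hypothetical users and certificates, not real data).
SAMPLE_ACCOUNTS = [
    {"username": "1234567890@mil", "auth_method": "Local",  # compliant
     "cert_subject_cn": "DOE.JANE.1234567890",
     "cert_san_der": build_san(upn="1234567890@mil", emails=["jane.doe@example.mil"])},
    {"username": "jdoe", "auth_method": "Local",  # legacy name: finding
     "cert_subject_cn": "DOE.JOHN.0987654321",
     "cert_san_der": build_san(upn="0987654321@mil")},
    {"username": "svc-ldap", "auth_method": "LDAP",  # not Local: skipped
     "cert_subject_cn": "", "cert_san_der": build_san()},
]

if __name__ == "__main__":
    for line in audit_local_accounts(SAMPLE_ACCOUNTS):
        print("FINDING", line)
```

Running the module prints one finding, for the account named "jdoe", because neither its subject CN nor its UPN equals the account name; the fix text above applies to exactly that account (delete it and recreate it with the PrincipalName as the username). The DER helpers deliberately handle long-form lengths so the parser also works on SAN values longer than 127 bytes.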
Additional Identifiers
Rule ID: SV-253539r879614_rule
Vulnerability ID: V-253539
Group Title: SRG-APP-000177-CTR-000465
CCIs
Number | Definition |
---|---|
CCI-000187 | The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group. |
CCI-001827 | The organization defines the frequency with which to review information system privileges. |
CCI-001857 | The organization defines the personnel, roles, and/or locations to receive alerts when organization-defined audit failure events occur. |
CCI-001923 | The organization defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries. |
CCI-001953 | The information system accepts Personal Identity Verification (PIV) credentials. |
CCI-001961 | The organization defines the lease duration to be assigned to devices. |
CCI-001979 | The organization requires the registration process to receive an individual identifier be conducted in person before a designated registration authority. |
CCI-001991 | The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
CCI-002009 | The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies. |
Controls
Number | Title |
---|---|
AU-5 (2) | Real-Time Alerts |
AU-16 | Cross-Organizational Auditing |
CM-5 (5) | Limit Production / Operational Privileges |
IA-2 (12) | Acceptance of PIV Credentials |
IA-3 (3) | Dynamic Address Allocation |
IA-4 (7) | In-Person Registration |
IA-5 (2) | PKI-Based Authentication |
IA-8 (1) | Acceptance of PIV Credentials from Other Agencies |