Check: CNTR-PC-001770
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-001770
(in versions v1 r3 through v1 r1)
Title
Prisma Cloud Compute release tar distributions must have an associated SHA-256 digest. (Cat II impact)
Discussion
Each Prisma Cloud Compute release's tar file has an associated SHA-256 digest hash value to ensure the components have not been modified.
Check Content
Offline Intelligence Stream: If using Iron Bank distribution of Prisma Cloud Compute Console and Defenders, verify the Console and Defender imageID SHA256 values match the Palo Alto Networks published release values.

For the Console and Defender images, perform the following command:

    $ docker inspect twistlock/private:console_22_01_839 | grep '"Image":'
    "Image": "sha256:dcd881fe9c796ed08867c242389737c4f2e8ab463377a90deddc0add4c3e8524",

If the imageID values do not match the published release SHA256 for the version of the image release, this is a finding.

Note: Image tag will be the release number, e.g., console_22_01_839.

Published release image sha values are published here: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-compute-edition-public-sector/isolated_upgrades/releases.html
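An added example, not part of the STIG text or of Palo Alto Networks' tooling: a POSIX shell helper that reads the output of the check command above on stdin and compares it with the published release digest. The function names and the exit codes (0 match, 1 finding, 2 unusable input) are assumptions of this example, and the expected value in the demo is a stand-in for the one taken from the published release page.

```shell
#!/bin/sh
# Added example (not from the STIG): automate the imageID comparison.

# normalize_digest VALUE: lowercase, strip an optional "sha256:" prefix and
# require exactly 64 hex characters. Prints the digest, or returns 1.
normalize_digest() {
    d=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=${d#sha256:}
    case "$d" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#d}" -eq 64 ] || return 1
    printf '%s\n' "$d"
}

# check_image_id EXPECTED: stdin is the output of
#   docker inspect <image> | grep '"Image":'
# Lines whose value is not a sha256 digest are ignored.
# Returns 0 if every digest matches EXPECTED, 1 on mismatch (a finding),
# 2 if EXPECTED or the input is unusable (so a bad paste never "passes").
check_image_id() {
    expected=$(normalize_digest "$1") || { echo "bad expected digest" >&2; return 2; }
    found=$(sed -n 's/.*"Image":[[:space:]]*"\(sha256:[0-9A-Fa-f]*\)".*/\1/p')
    [ -n "$found" ] || { echo "no image digest in input" >&2; return 2; }
    for raw in $found; do
        actual=$(normalize_digest "$raw") || { echo "malformed digest: $raw" >&2; return 2; }
        if [ "$actual" != "$expected" ]; then
            echo "FINDING: $actual does not match published $expected" >&2
            return 1
        fi
    done
    echo "OK: image ID matches published digest"
}

# Demo on the output line shown in the check text. The expected value below
# is a stand-in; in a real check it is copied from the published release page.
SAMPLE_LINE='"Image": "sha256:dcd881fe9c796ed08867c242389737c4f2e8ab463377a90deddc0add4c3e8524",'
printf '%s\n' "$SAMPLE_LINE" |
    check_image_id "sha256:dcd881fe9c796ed08867c242389737c4f2e8ab463377a90deddc0add4c3e8524"
```

On a live host, pipe the check command into the function: `docker inspect twistlock/private:console_22_01_839 | grep '"Image":' | check_image_id "<published sha256>"`.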
Fix Text
Deploy the latest version from https://support.paloaltonetworks.com.
Additional Identifiers
Rule ID: SV-253552r879898_rule
Vulnerability ID: V-253552
Group Title: SRG-APP-000610-CTR-001385
CCIs
Number | Definition |
---|---|
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
Controls
Number | Title |
---|---|
IA-7 | Cryptographic Module Authentication |