Check: CNTR-PC-001350
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-001350
(in versions v1 r1 through v1 r3)
Title
Prisma Cloud Compute Defender containers must run as root. (Cat II impact)
Discussion
In certain situations the vulnerability scanning may be more intrusive, or the container platform component being scanned may contain highly sensitive information. To protect such scanning, Prisma Cloud Compute Defenders perform the vulnerability scanning function. The Defender container must run as root, but it must not run as a privileged container.
Check Content
Verify that when deploying the Defender via daemonSet, "Run Defenders as privileged" is set to "Off". Verify the Defender containers were deployed using the daemonSet.yaml in which the securityContext is not privileged. If "Run Defenders as privileged" is set to "On", or the Defender containers were deployed using a daemonSet.yaml in which securityContext.privileged is true, this is a finding.
Fix Text
Redeploy the Defender with the appropriate rights by setting "Run Defenders as privileged" to Off. Delete the old twistlock-defender-ds daemonSet and redeploy the daemonSet with the new YAML.
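The check above can be automated against the deployed DaemonSet. The following is an added example, not Prisma Cloud's own code or its daemonSet.yaml: it inspects a DaemonSet manifest (the constructed samples below, or the live object pulled with kubectl) and reports a finding for any Defender container whose securityContext is privileged, or which is forced to a non-root UID, since the rule requires root but not privileged. The DaemonSet name twistlock-defender-ds comes from the fix text; the twistlock namespace and the container name are assumptions.

```python
import json
import subprocess
from typing import Any

# Constructed sample manifests for offline use (not Prisma Cloud's daemonSet.yaml);
# only the fields the check inspects are included.
PRIVILEGED_DS: dict[str, Any] = {
    "kind": "DaemonSet",
    "metadata": {"name": "twistlock-defender-ds", "namespace": "twistlock"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "twistlock-defender",          # assumed container name
            "securityContext": {"privileged": True},
        }],
    }}},
}

COMPLIANT_DS: dict[str, Any] = {
    "kind": "DaemonSet",
    "metadata": {"name": "twistlock-defender-ds", "namespace": "twistlock"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "twistlock-defender",
            "securityContext": {"privileged": False, "runAsUser": 0},
        }],
    }}},
}


def audit_defender_daemonset(ds: dict[str, Any]) -> list[str]:
    """Return the findings for CNTR-PC-001350; an empty list means compliant.

    A container is a finding if securityContext.privileged is true, or if a
    pod- or container-level securityContext forces a non-root UID
    (runAsNonRoot = true, or runAsUser set to a UID other than 0).
    """
    findings: list[str] = []
    pod_spec = ds.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod_spec.get("securityContext") or {}
    for container in pod_spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(f"{name}: securityContext.privileged is true")
        # Container-level settings override pod-level ones in Kubernetes.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_non_root is True:
            findings.append(f"{name}: runAsNonRoot is true; Defender must run as root")
        if run_as_user not in (None, 0):
            findings.append(f"{name}: runAsUser is {run_as_user}; Defender must run as UID 0")
    return findings


def fetch_daemonset(name: str = "twistlock-defender-ds",
                    namespace: str = "twistlock") -> dict[str, Any]:
    """Pull the live DaemonSet as JSON with kubectl (needs cluster access;
    the namespace is an assumption and may differ in a given deployment)."""
    out = subprocess.run(
        ["kubectl", "get", "daemonset", name, "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, manifest in (("privileged", PRIVILEGED_DS), ("compliant", COMPLIANT_DS)):
        result = audit_defender_daemonset(manifest)
        print(f"{label}: {'FINDING' if result else 'compliant'} {result}")
```

To run it against a cluster, replace the samples with `audit_defender_daemonset(fetch_daemonset())`; a non-empty list is a finding and the DaemonSet should be deleted and redeployed from a YAML with "Run Defenders as privileged" set to Off.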
Additional Identifiers
Rule ID: SV-253546r879787_rule
Vulnerability ID: V-253546
Group Title: SRG-APP-000414-CTR-001010
CCIs
Number | Definition
---|---
CCI-001067 | The information system implements privileged access authorization to organization-identified information system components for selected organization-defined vulnerability scanning activities.
Controls
Number | Title
---|---
RA-5 (5) | Privileged Access