Check: CNTR-PC-001170
Palo Alto Networks Prisma Cloud Compute STIG:
CNTR-PC-001170
(in versions v1 r1 through v1 r3)
Title
The configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured. (Cat I impact)
Discussion
Prisma Cloud Compute's vulnerabilities defense is the set of features that provides both predictive and threat-based active protection for running containers. Vulnerability policies must be applied consistently so that every image, host, function and code repository is evaluated against the same rules and the rule's configured effect is applied every time; a default rule that is missing, disabled or scoped to only a subset of resources leaves the remaining resources unmonitored. Prisma Cloud Compute's configuration must be monitored for configuration drift, and any drift must be addressed according to organizational policy. Satisfies: SRG-APP-000384-CTR-000915, SRG-APP-000456-CTR-001125, SRG-APP-000516-CTR-001335
Check Content
To verify that vulnerabilities policies are enabled and correctly scoped, navigate to Prisma Cloud Compute Console's Defend >> Vulnerabilities.

Select the "Code repositories" tab. For each of the "Repositories" and "CI" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding.

Select the "Images" tab. For each of the "CI" and "Deployed" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding.

Select the "Hosts" tab. For each of the "Running hosts" and "VM images" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding.

Select the "Functions" tab. For each of the "Functions" and "CI" tabs:
- If "Default - alert all components" does not exist, this is a finding.
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding.
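The eight sub-tab checks above are the same three tests repeated (rule present, rule enabled, rule scoped to "All"), which makes them a good candidate for automation against the Console API rather than the UI. The script below is an added example, not part of the STIG and not Palo Alto Networks code. It assumes, based on the public Prisma Cloud Compute API documentation rather than anything on this page, that each tab's policy is served from a path under /api/v1/policies/vulnerability/, that POST /api/v1/authenticate returns a bearer token, and that each policy is a JSON object whose "rules" array holds objects with "name", "disabled" and "collections" (each collection having a "name"). The sample responses embedded at the bottom are constructed, not captured from a real Console.

```python
"""Automated evaluation of the CNTR-PC-001170 check: added example, not the
STIG's own procedure and not Palo Alto Networks code.  ASSUMPTIONS (not on this
page): the Console API paths under /api/v1/policies/vulnerability/ and the
response shape {"rules": [{"name", "disabled", "collections": [{"name"}]}]}
follow the public Prisma Cloud Compute API docs; confirm for your Console."""
import json
import urllib.request

RULE_NAME = "Default - alert all components"

# One assumed API path per Console sub-tab named in the check.
POLICY_ENDPOINTS = {
    "Code repositories / Repositories": "/api/v1/policies/vulnerability/coderepos",
    "Code repositories / CI": "/api/v1/policies/vulnerability/ci/coderepos",
    "Images / Deployed": "/api/v1/policies/vulnerability/images",
    "Images / CI": "/api/v1/policies/vulnerability/ci/images",
    "Hosts / Running hosts": "/api/v1/policies/vulnerability/host",
    "Hosts / VM images": "/api/v1/policies/vulnerability/vms",
    "Functions / Functions": "/api/v1/policies/vulnerability/serverless",
    "Functions / CI": "/api/v1/policies/vulnerability/ci/serverless",
}


def evaluate_policy(tab, policy, rule_name=RULE_NAME):
    """Return the STIG findings (empty list = compliant) for one policy tab.
    Mirrors the three manual checks: rule exists, rule enabled, scope is All."""
    rules = policy.get("rules") or []
    matching = [r for r in rules if r.get("name") == rule_name]
    if not matching:
        return [f'{tab}: rule "{rule_name}" does not exist']
    rule = matching[0]
    findings = []
    if rule.get("disabled", False):
        findings.append(f'{tab}: rule "{rule_name}" is disabled')
    scopes = [c.get("name") for c in rule.get("collections") or []]
    if "All" not in scopes:
        findings.append(f'{tab}: rule "{rule_name}" is scoped to {scopes} instead of "All"')
    return findings


def shadowing_rules(policy, rule_name=RULE_NAME):
    """Names of rules ordered above the default rule.  Not a STIG finding, but
    worth reviewing: Prisma Cloud Compute applies the first rule whose scope
    matches a resource, so a narrower rule placed above the default one
    exempts its resources from the default rule."""
    names = [r.get("name") for r in policy.get("rules") or []]
    return names[:names.index(rule_name)] if rule_name in names else []


def run_check(get_policy):
    """Evaluate every tab.  get_policy(path) -> parsed JSON is injected so the
    same logic runs against a live Console or against canned data."""
    results = {}
    for tab, path in POLICY_ENDPOINTS.items():
        findings = evaluate_policy(tab, get_policy(path))
        if findings:
            results[tab] = findings
    return results


def authenticate(console_url, username, password):
    """Exchange Console credentials for a bearer token (assumed endpoint)."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(console_url.rstrip("/") + "/api/v1/authenticate",
                                 data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS is verified by default
        return json.load(resp)["token"]


def fetch_policy(console_url, token, path):
    """GET one vulnerability policy from the Console (assumed endpoint)."""
    req = urllib.request.Request(console_url.rstrip("/") + path,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real Console).
SAMPLE_COMPLIANT = {"rules": [
    {"name": RULE_NAME, "disabled": False, "collections": [{"name": "All"}]}]}
SAMPLE_NONCOMPLIANT = {"rules": [
    {"name": "prod-only", "disabled": False, "collections": [{"name": "prod"}]},
    {"name": RULE_NAME, "disabled": True, "collections": [{"name": "prod"}]}]}
SAMPLE_MISSING = {"rules": []}

if __name__ == "__main__":
    # Offline demonstration.  Against a live Console use, for example:
    #   token = authenticate("https://console.example:8083", user, password)
    #   run_check(lambda p: fetch_policy("https://console.example:8083", token, p))
    for label, sample in [("compliant", SAMPLE_COMPLIANT),
                          ("noncompliant", SAMPLE_NONCOMPLIANT),
                          ("missing", SAMPLE_MISSING)]:
        print(label, json.dumps(run_check(lambda _p: sample), indent=2))
        print("  rules ordered above the default rule:", shadowing_rules(sample))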
Fix Text
To enable vulnerabilities policies, navigate to Prisma Cloud Compute Console's Defend >> Vulnerabilities. Click the tab to be edited.

If the "Default - alert all components" rule does not exist, add it:
- Click "Add rule".
- Enter the rule name.
- Set Scope = All.
- Accept the defaults and click "Save".

If the rule is disabled:
- Click the rule's three-dot menu.
- Set it to "Enable".

If the rule is not scoped to "All":
- Click the rule row.
- Change the policy scope to "All".
- Click "Save".
Additional Identifiers
Rule ID: SV-253543r879757_rule
Vulnerability ID: V-253543
Group Title: SRG-APP-000384-CTR-000915
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-001734 | The organization defines the restrictions to be followed on the use of open source software.
CCI-001764 | The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
CCI-002575 | The organization defines information systems, system components, or devices from which information is to be purged/wiped, either remotely or under the organization-defined conditions.
CCI-002605 | The organization installs security-relevant software updates within an organization-defined time period of the release of the updates.