Palo Alto Networks Prisma Cloud Compute STIG Version Comparison
Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
Comparison
There is 1 difference between versions v1 r3 (July 26, 2023) (the "left" version) and v2 r2 (Jan. 30, 2025) (the "right" version).
Check CNTR-PC-001350 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
Text Differences
Title
Prisma Cloud Compute Defender containers must run as root.
Check Content
Verify that when deploying the Defender via daemonSet, "Run Defenders as privileged" is set to "On". Verify the Defender containers were deployed using the daemonSet.yaml in which the securityContext is privileged. If privileged (privileged = "on"). If "Run Defenders as privileged" is not set to "On" or the Defender containers were not deployed using the daemonSet.yaml in which the securityContext - privileged = "on", this is a finding.
Discussion
In certain situations, the nature of the vulnerability scanning may be more intrusive, or the container platform component that is the subject of the scanning may contain highly sensitive information. To protect the sensitive nature of such scanning, Prisma Cloud Compute Defenders perform the vulnerability scanning function. The Defender container must run as root and not privileged.
Fix
Redeploy the Defender with appropriate rights by setting Run "Run Defenders as privileged privileged" = off. Delete to "On". Delete the old twistlock-defender-ds daemonSet and redeploy daemonSet with the new yaml. yaml in which the securityContext - privileged = "on".
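The check and fix above both come down to one attribute of the Defender DaemonSet: whether the container's securityContext sets privileged. The two STIG versions disagree on the expected value (the left version expects it off, the right version expects it on), so the following added example, which is not part of the STIG or of Prisma Cloud Compute, takes the expected value as a parameter and reports a finding when any container in the pod template does not match. It reads the JSON form of the DaemonSet, as `kubectl get daemonset twistlock-defender-ds -o json` would return it. The sample manifest is constructed; the `twistlock` namespace, the container name and the image reference are assumptions, and only the DaemonSet name `twistlock-defender-ds` is taken from the STIG text.

```python
import json

# Constructed sample manifest in the JSON shape that
# `kubectl get daemonset twistlock-defender-ds -n twistlock -o json` returns.
# The namespace, container name and image are assumptions; only the DaemonSet
# name comes from the STIG text.
SAMPLE_DAEMONSET_JSON = """
{
  "apiVersion": "apps/v1",
  "kind": "DaemonSet",
  "metadata": {"name": "twistlock-defender-ds", "namespace": "twistlock"},
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "twistlock-defender",
            "image": "registry.example.invalid/defender:PLACEHOLDER",
            "securityContext": {"privileged": true, "runAsUser": 0}
          }
        ]
      }
    }
  }
}
"""


def container_privileged_state(manifest):
    """Return {container_name: privileged} for every container in the pod template.

    A missing securityContext or a missing 'privileged' key counts as False,
    which is the Kubernetes default for that field.
    """
    containers = (manifest.get("spec", {})
                          .get("template", {})
                          .get("spec", {})
                          .get("containers", []))
    states = {}
    for container in containers:
        security_context = container.get("securityContext") or {}
        name = container.get("name", "<unnamed>")
        states[name] = bool(security_context.get("privileged", False))
    return states


def evaluate_check(manifest, require_privileged):
    """Apply the CNTR-PC-001350 check to a parsed DaemonSet manifest.

    require_privileged=True follows the v2 r2 wording (securityContext
    privileged = "on"); require_privileged=False follows the v1 r3 wording
    (privileged = off). Returns (is_finding, reasons).
    """
    reasons = []
    states = container_privileged_state(manifest)
    if not states:
        # A DaemonSet without containers cannot be the Defender deployment.
        reasons.append("no containers found in pod template")
    for name, privileged in states.items():
        if privileged != require_privileged:
            reasons.append(
                f"container {name!r}: privileged={privileged}, "
                f"expected {require_privileged}"
            )
    return (bool(reasons), reasons)


def evaluate_json(text, require_privileged=True):
    """Convenience wrapper: evaluate the check on the JSON text kubectl emits."""
    return evaluate_check(json.loads(text), require_privileged)


if __name__ == "__main__":
    is_finding, why = evaluate_json(SAMPLE_DAEMONSET_JSON, require_privileged=True)
    print("FINDING" if is_finding else "compliant", why)
```

Running the script against the sample reports "compliant" under the v2 r2 expectation and a finding under the v1 r3 expectation; against a live cluster, pipe the kubectl JSON output into `evaluate_json` instead of the constructed sample.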