Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000014-CTR-000040
Group -
SRG-APP-000023-CTR-000055
Group -
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
Integration with an organization's existing identity management policies technologies reduces the threat of account compromise and misuse. Centralized authentication services provide additional fu...Rule Medium Severity -
SRG-APP-000033-CTR-000100
Group -
Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.
The container platform keystore is used to store credentials that are used to build a trust between the container platform and an external source. This trust relationship is authorized by the organ...Rule Medium Severity -
SRG-APP-000038-CTR-000105
Group -
SRG-APP-000039-CTR-000110
Group -
SRG-APP-000097-CTR-000180
Group -
Prisma Cloud Compute Defender must be deployed to containerization nodes that are to be monitored.
Container platforms distribute workloads across several nodes. The ability to uniquely identify an event within an environment is critical. Prisma Cloud Compute Container Runtime audits record the ...Rule Medium Severity -
SRG-APP-000099-CTR-000190
Group -
SRG-APP-000101-CTR-000205
Group -
The configuration integrity of the container platform must be ensured and runtime policies must be configured.
Prisma Cloud Compute's runtime defense is the set of features that provides both predictive and threat-based active protection for running containers. Consistent application of Prisma Cloud Comput...Rule High Severity -
SRG-APP-000111-CTR-000220
Group -
Prisma Cloud Compute must be configured to send events to the hosts' syslog.
Event log collection is critical in ensuring the security of a containerized environment due to the ephemeral nature of the workloads. In an environment that is continually in flux, audit logs must...Rule Medium Severity -
SRG-APP-000133-CTR-000295
Group -
Prisma Cloud Compute host compliance baseline policies must be set.
Consistent application of Prisma Cloud Compute compliance policies ensures the continual application of policies and the associated effects. Satisfies: SRG-APP-000133-CTR-000295, SRG-APP-000133-CT...Rule High Severity -
SRG-APP-000133-CTR-000305
Group -
SRG-APP-000141-CTR-000320
Group -
SRG-APP-000142-CTR-000330
Group -
Prisma Cloud Compute must use TCP ports above 1024.
Privileged ports are ports below 1024 that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. The container platform...Rule Medium Severity -
SRG-APP-000148-CTR-000335
Group -
All Prisma Cloud Compute users must have a unique, individual account.
Prisma Cloud Compute does not have a default account. During installation, the installer creates an administrator. This account can be removed once other accounts have been added. To ensure account...Rule Medium Severity -
SRG-APP-000148-CTR-000345
Group -
Prisma Cloud Compute Console must run as nonroot user (uid 2674).
Containers not requiring root-level permissions must run as a unique user account. To ensure accountability and prevent unauthenticated access to containers, the user the container is using to exec...Rule Medium Severity -
SRG-APP-000153-CTR-000375
Group -
SRG-APP-000164-CTR-000400
Group -
SRG-APP-000177-CTR-000465
Group -
Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication.
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authenticat...Rule Medium Severity -
SRG-APP-000243-CTR-000595
Group -
Prisma Cloud Compute must prevent unauthorized and unintended information transfer.
Prisma Cloud Compute Compliance policies must be enabled to ensure running containers do not access privileged resources. Satisfies: SRG-APP-000243-CTR-000595, SRG-APP-000243-CTR-000600, SRG-APP-0...Rule Medium Severity -
SRG-APP-000266-CTR-000625
Group -
SRG-APP-000357-CTR-000800
Group -
SRG-APP-000384-CTR-000915
Group -
SRG-APP-000384-CTR-000915
Group -
Prisma Cloud Compute must be configured to scan images that have not been instantiated as containers.
Prisma Cloud Compute ships with "only scan images with running containers" set to "on". To meet the requirements, "only scan images with running containers" must be set to "off" to disable or remov...Rule High Severity -
SRG-APP-000390-CTR-000930
Group -
Prisma Cloud Compute Defender must reestablish communication to the Console via mutual TLS v1.2 WebSocket session.
When the secure WebSocket session between the Prisma Cloud Compute Console and Defenders is disconnected, the Defender will continually attempt to reestablish the session. Without reauthentication,...Rule Medium Severity -
SRG-APP-000414-CTR-001010
Group -
Prisma Cloud Compute Defender containers must run as root.
In certain situations, the nature of the vulnerability scanning may be more intrusive, or the container platform component that is the subject of the scanning may contain highly sensitive informati...Rule Medium Severity -
SRG-APP-000431-CTR-001065
Group -
Prisma Cloud Compute must run within a defined/separate namespace (e.g., Twistlock).
Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Prisma Cloud Compute containers running within a separate and ex...Rule Medium Severity -
SRG-APP-000439-CTR-001080
Group -
SRG-APP-000454-CTR-001110
Group -
SRG-APP-000456-CTR-001130
Group -
Prisma Cloud Compute's Intelligence Stream must be kept up to date.
The Prisma Cloud Compute Console pulls the latest vulnerability and threat information from the Intelligence Stream (intelligence.twistlock.com). The Prisma Cloud Intelligence Stream provides timel...Rule Medium Severity -
SRG-APP-000473-CTR-001175
Group -
SRG-APP-000610-CTR-001385
Group -
Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PSSM CAL).
Communication to Prisma Cloud Compute Console's User Interface (UI) and API is protected by TLS v1.2+ (HTTPS). By default, only HTTPS communication to the Console's UI and API endpoints is enabled....Rule High Severity -
Prisma Cloud Compute Collections must be used to partition views and enforce organizational-defined need-to-know access.
Prisma Cloud Compute Collections are used to scope rules to target specific resources in an environment, partition views, and enforce which views specific users and groups can access. Collections c...Rule Medium Severity -
Prisma Cloud Compute Cloud Native Network Firewall (CNNF) automatically monitors layer 4 (TCP) intercontainer communications. Enforcement policies must be created.
Network segmentation and compartmentalization are important parts of a comprehensive defense-in-depth strategy. CNNF works as an east-west firewall for containers. It limits damage by preventing at...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.