<VulnDiscussion>Consistently applying Prisma Cloud Compute compliance policies ensures that the policies, and the alert or block effects they define, are enforced continually rather than only at the time a rule is created.
Satisfies: SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000310, SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Navigate to the Prisma Cloud Compute Console >> Defend >> Compliance >> Hosts tab >> Running hosts tab.
Add Rule:
- Click "Add rule".
Name = "Default - alert on critical and high"
Scope = "All"
- Set the Action for each rule ID listed under "Change Action" below.
- Accept the other defaults and click "Save".
Change Action:
- Click "Rule name".
<Filter on Rule ID>
ID = 8112 - Description (--anonymous-auth argument is set to false (kube-apiserver) - master node)
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 8212 - Description (--anonymous-auth argument is set to false (kubelet) - worker node)
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 8311 - Description (--anonymous-auth argument is set to false (federation-apiserver)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 81427 - Description (Kubernetes PKI directory and file ownership is set to root:root).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 81428 - Description (Kubernetes PKI certificate file permissions are set to 644 or more restrictive).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 8214 - Description (--client-ca-file argument is set as appropriate (kubelet)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 8227 - Description (certificate authorities file permissions are set to 644 or more restrictive (kubelet)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 8115 - Description (--kubelet-https argument is set to true (kube-apiserver))
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 8116 - Description (--insecure-bind-address argument is not set (kube-apiserver)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 8117 - Description (--insecure-port argument is set to 0 (kube-apiserver)). A value of 0 disables the plaintext, unauthenticated API listener, so the API server accepts requests only on the TLS-enabled port (--secure-port, TCP 6443 by default). The --insecure-port flag was removed in Kubernetes 1.24, so on those releases there is no flag for this check to evaluate.
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 8118 - Description (--secure-port argument is not set to 0 (kube-apiserver)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 81122 - Description (--kubelet-certificate-authority argument is set as appropriate (kube-apiserver)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 81123 - Description (--kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (kube-apiserver)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 81129 - Description (--tls-cert-file and --tls-private-key-file arguments are set as appropriate (kube-apiserver)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 82112 - Description (--tls-cert-file and --tls-private-key-file arguments are set as appropriate (kubelet)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
ID = 81141 - Description (--authorization-mode argument includes RBAC (kube-apiserver)).
- Change Action to "Alert" or "Block" (based on organizational needs).
- Click "Save".
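The following script is an added example and is not part of this STIG or of Prisma Cloud Compute. It implements host-side spot checks equivalent to the kube-apiserver flag checks (8112, 8116, 8117, 8118, 81122, 81123, 81129, 81141) and the PKI ownership and permission checks (81427, 81428) listed above, so an administrator can confirm a Prisma Cloud finding on the node itself before deciding between "Alert" and "Block". The two sample command lines are constructed. The script assumes bash (POSIX sh also works), GNU coreutils stat and, for the live-host usage shown in the comments, procps ps and the kubeadm paths /etc/kubernetes/manifests/kube-apiserver.yaml and /etc/kubernetes/pki; these are assumptions, not anything taken from the page.

```shell
#!/usr/bin/env bash
# Added example (not Prisma Cloud Compute code): host-side spot checks that
# mirror the kube-apiserver and PKI compliance checks referenced by the rule
# IDs above. Assumes GNU coreutils `stat`. The command line is passed as
# whitespace- or newline-separated "--flag=value" tokens (e.g. the "command:"
# list of /etc/kubernetes/manifests/kube-apiserver.yaml, or ps -o args=).
set -u

# Print the value of --FLAG found in CMDLINE; return 1 if the flag is absent.
flag_value() {
  local cmdline=$1 flag=$2 tok
  tok=$(printf '%s\n' "$cmdline" | tr -s '[:space:]' '\n' | grep -E "^--${flag}=" | head -n 1)
  [ -n "$tok" ] || return 1
  printf '%s\n' "${tok#*=}"
}

# report ID DESCRIPTION STATUS: print PASS/FAIL tagged with the rule ID and
# return STATUS so the audit functions can count failures.
report() {
  if [ "$3" -eq 0 ]; then echo "PASS $1: $2"; else echo "FAIL $1: $2"; fi
  return "$3"
}

# flag_equals ID FLAG WANT CMDLINE      (rules 8112, 8117)
flag_equals() {
  local v
  v=$(flag_value "$4" "$2") && [ "$v" = "$3" ]
  report "$1" "--$2=$3" $?
}

# flag_absent ID FLAG CMDLINE           (rule 8116)
flag_absent() {
  ! flag_value "$3" "$2" >/dev/null
  report "$1" "--$2 not set" $?
}

# flags_set ID CMDLINE FLAG...          (rules 81122, 81123, 81129)
flags_set() {
  local id=$1 cmd=$2 f v st=0
  shift 2
  for f in "$@"; do
    v=$(flag_value "$cmd" "$f") && [ -n "$v" ] || st=1
  done
  report "$id" "$* set" "$st"
}

# secure_port_ok ID CMDLINE             (rule 8118; an absent flag means the default, 6443)
secure_port_ok() {
  local v
  v=$(flag_value "$2" secure-port) || v=6443
  [ "$v" != 0 ]
  report "$1" "--secure-port not 0 (is $v)" $?
}

# authz_includes_rbac ID CMDLINE        (rule 81141; modes are comma-separated)
authz_includes_rbac() {
  local v
  v=$(flag_value "$2" authorization-mode) || v=
  case ",$v," in *,RBAC,*) report "$1" "--authorization-mode includes RBAC" 0 ;;
    *) report "$1" "--authorization-mode includes RBAC (is '$v')" 1 ;; esac
}

# audit_apiserver CMDLINE: run every kube-apiserver check; return the failure count.
audit_apiserver() {
  local cmd=$1 fails=0
  flag_equals 8112 anonymous-auth false "$cmd"                              || fails=$((fails + 1))
  flag_absent 8116 insecure-bind-address "$cmd"                             || fails=$((fails + 1))
  flag_equals 8117 insecure-port 0 "$cmd"                                   || fails=$((fails + 1))
  secure_port_ok 8118 "$cmd"                                                || fails=$((fails + 1))
  flags_set 81122 "$cmd" kubelet-certificate-authority                      || fails=$((fails + 1))
  flags_set 81123 "$cmd" kubelet-client-certificate kubelet-client-key      || fails=$((fails + 1))
  flags_set 81129 "$cmd" tls-cert-file tls-private-key-file                 || fails=$((fails + 1))
  authz_includes_rbac 81141 "$cmd"                                          || fails=$((fails + 1))
  return "$fails"
}

# audit_pki DIR [WANT_OWNER]            (rules 81427, 81428)
# DIR and every file in it must be owned by WANT_OWNER (uid:gid; root is 0:0),
# and *.crt files must be mode 644 or stricter. Returns the number of bad paths.
audit_pki() {
  local dir=$1 want=${2:-0:0} bad=0 p owner sym
  for p in "$dir" "$dir"/*; do
    [ -e "$p" ] || continue
    owner=$(stat -c '%u:%g' "$p")
    [ "$owner" = "$want" ] || { echo "FAIL 81427: $p owned by $owner, want $want"; bad=$((bad + 1)); }
    case "$p" in *.crt)
      sym=$(stat -c '%A' "$p")   # symbolic mode, e.g. -rw-r--r--
      # 644 or stricter: owner at most rw, group/other at most r, no x/s/t bits
      case "$sym" in
        ?[r-][w-]-[r-]--[r-]--) ;;
        *) echo "FAIL 81428: $p is $sym, want 644 or stricter"; bad=$((bad + 1)) ;;
      esac ;;
    esac
  done
  [ "$bad" -eq 0 ] && echo "PASS 81427/81428: $dir"
  return "$bad"
}

# Constructed samples, not taken from a real cluster.
WEAK_APISERVER='kube-apiserver
--anonymous-auth=true
--insecure-bind-address=0.0.0.0
--insecure-port=8080
--secure-port=0
--authorization-mode=AlwaysAllow
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt'

HARDENED_APISERVER='kube-apiserver
--anonymous-auth=false
--insecure-port=0
--secure-port=6443
--authorization-mode=Node,RBAC
--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key'

audit_apiserver "$WEAK_APISERVER"     || echo "weak sample: $? failures"
audit_apiserver "$HARDENED_APISERVER" && echo "hardened sample: 0 failures"
# On a live control-plane node (assumed paths and procps ps):
#   audit_apiserver "$(ps -o args= -C kube-apiserver)"; audit_pki /etc/kubernetes/pki
```

The checks deliberately parse the running command line rather than the manifest alone, because a manifest edit only takes effect once the static pod is restarted; comparing the two is the quickest way to explain a Prisma Cloud finding that persists after a "fix". For the key files in the same directory, the corresponding CIS expectation is 600 rather than 644, which this script does not evaluate.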