Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PSSM CAL).

An XCCDF Rule

Description

Communication to Prisma Cloud Compute Console's User Interface (UI) and API is protected by TLS v1.2+ (HTTPS). By default, only HTTPS communication to the Console's UI and API endpoints is enabled. Prisma Cloud Compute TCP port usage is configurable. Default configuration: TCP 8081 Console user interface and API (HTTP) - disabled by default. TCP 8083 Console user interface and API TLS v1.2 (HTTPS) TCP 8084 Console-to-Defender communication via mutual TLS v1.2 WebSocket session. Satisfies: SRG-APP-000014-CTR-000040, SRG-APP-000142-CTR-000325, SRG-APP-000185-CTR-000490, SRG-APP-000645-CTR-001410

ID: SV-253522r960759_rule
Version: CNTR-PC-000020
Severity: High
References: CCI-000068 CCI-000382 CCI-000877
Updated: about 2 months ago

Remediation Templates

For Kubernetes deployment:

Edit the deployment.apps/twistlock-console.

Find the - name: MANAGEMENT_PORT_HTTP setting
Remove the value assignment (e.g., 8081):
        - name: MANAGEMENT_PORT_HTTP
          value: "8081" 

Save and exit the editing session. The Console will restart automatically.

For Docker deployment:

Modify the twistlock.cfg located in the extracted release tar directory.

Remove the value assignment for the MANAGEMENT_PORT_HTTP= variable.

Redeploy the Console using the twistlock.sh script located in the extracted release tar directory.

$ sudo ./twisltock.sh -sy onebox

Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PSSM CAL).

Description

Remediation Templates

A Manual Procedure