Prisma Cloud Compute must prevent unauthorized and unintended information transfer.

An XCCDF Rule

Description

Prisma Cloud Compute Compliance policies must be enabled to ensure running containers do not access privileged resources. Satisfies: SRG-APP-000243-CTR-000595, SRG-APP-000243-CTR-000600, SRG-APP-000246-CTR-000605, SRG-APP-000342-CTR-000775

ID: SV-253540r961149_rule
Version: CNTR-PC-000850
Severity: Medium
References: CCI-001090 CCI-001094 CCI-002233
Updated: about 2 months ago

Remediation Templates

Navigate to Prisma Cloud Compute Console's Defend >> Compliance >> Containers and images tab >> Deployed tab. 

Change action:
(Click the rule name)
<Filter on Rule ID>
ID = 54 - Description (Do not use privileged container)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 5525 - Description (Restrict container from acquiring additional privileges are not configured)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 59 - Description (Do not share the host's network namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 515 - Description (Do not share the host's process namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 516 - Description (Do not share the host's IPC namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 517 - Description (Do not directly expose host devices to containers)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 520 - Description (Do not share the host's UTS namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 530 - Description (Do not share the host's user namespaces)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 55 - Description (Do not mount sensitive host system directories on containers)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 57 - Description (Do not map privileged ports within containers)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 5510 - Description (Limit memory usage for container)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 5511 - Description (Set container CPU priority appropriately)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 599 - Description (Container is running as root)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 41 - Description (Image should be created with a non-root user)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

Prisma Cloud Compute must prevent unauthorized and unintended information transfer.

Description

Remediation Templates

A Manual Procedure