The configuration integrity of the container platform must be ensured and runtime policies must be configured.

An XCCDF Rule

Description

<VulnDiscussion>Prisma Cloud Compute's runtime defense is the set of features that provides both predictive and threat-based active protection for running containers. Consistent application of Prisma Cloud Compute runtime policies ensures the continual application of policies and the associated effects. Prisma Cloud Compute's configurations must be monitored for configuration drift and addressed according to organizational policy. Satisfies: SRG-APP-000101-CTR-000205, SRG-APP-000384-CTR-000915, SRG-APP-000447-CTR-001100, SRG-APP-000450-CTR-001105, SRG-APP-000507-CTR-001295, SRG-APP-000508-CTR-001300</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-253529r879569_rule
Severity: High
References: CCI-000135 CCI-000172 CCI-001764 CCI-002754 CCI-002824
Updated: about 1 year ago

Enable runtime policies. 

Navigate to Prisma Cloud Compute Console's Defend >> Runtime. 

Click the tab to be edited.
To add policy (for Host or App-Embedded policy):
- Click "Add rule". 
- Enter rule name.
  Scope = All
- Accept the defaults and click "Save".

To enable policy:
- Click the rule's three-dot menu. 
- Set to "Enable".

To change scope, click the rule row:
- Change the policy scope to "All".
- Click "Save".

To add container policy:
- Select the "Container policy" tab. 
- Set "Enable automatic runtime learning" to "On". 

To create a new runtime rule:
- Click "Add rule". 
- Configure the following settings:
  Enter rule name
  Scope = All

Select the "Anti-malware" tab.
Set the following:
- Prisma Cloud advanced threat protection = on
- Kubernetes attacks = on
- Suspicious queries to cloud provider APIs = on

Select the "Process" tab.
Set the following:
Process monitoring = enabled

Select the "Network" tab.
Set the following:
IP connectivity = enabled

Select the "File system" tab.
Set the following:
- File system monitoring = enabled
- Accept the defaults and click "Save".

Select the "App-Embedded policy" tab.
- Click the rule's three-dot menu. Set to "Enable".
- Click the rule name row.
- Change the scope to "All".
- Click "Save".

Create a new runtime rule:
- Click "add rule." 
- Enter rule name.
- Scope = All
- Accept the defaults and click "Save".

Select the "Host policy" tab.
- Click the rule's three-dot menu. Set to "Enable".
- Click the rule name row.
- Change the scope to "All".
- Click "Save".

- Click "Add rule". 
- Enter rule name.
- Scope = All
- Select the "Activities" tab.
- Set the following:
  Host activity monitoring ="Enabled"
  Docker commands = "On"
  New sessions spawned by sshd = "On"
  Commands run with sudo or su = "On"
  Log activity from background apps = "On"
  Track SSH events = "On"
- Accept the defaults and click "Save".

The configuration integrity of the container platform must be ensured and runtime policies must be configured.

Description

Remediation - Manual Procedure