Images stored within the container registry must contain only images to be run as containers within the container platform.

An XCCDF Rule

Description

<VulnDiscussion>The Prisma Cloud Compute Trusted Images feature allows the declaration, by policy, of which registries, repositories, and images to trust and how to respond when untrusted images are started in the organization's environment. Satisfies: SRG-APP-000141-CTR-000320, SRG-APP-000386-CTR-000920</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-253533r879587_rule
Severity: Medium
References: CCI-000381 CCI-001774
Updated: about 1 year ago

Navigate to Prisma Cloud Compute Console's >> Defend >> Compliance >> Trusted Images tab.  

Select the "Trust groups" tab.

Create a trusted group:
- Click "Add Group".  Name: "IronBank"
- Specify a registry or repository: https://ironbank.dso.mil
- Click "Add to group".
- Specify a registry or repository: https://registry1.dso.mil/
(There are two group images total.)
- Click "Save".

Select the "Policy" tab.

Set the Trusted Images Rules to "on".

If a rule does not exist:
- Click "Add rule".
  Rule name = "IronBank"
  Scope = "All"

Allowed:
- Click "Select groups".
- Select "IronBank".
- Click "Apply".
- Keep all defaults and click "Save".

Enable policy:
- Click the "Default - alert all components" policy three-dot menu. 
- Set to "Enable".

Policy row scope:
- Click the policy rows.
- Change the policy scope to all images and containers within the intended monitored environment.
- Click "Save".

Images stored within the container registry must contain only images to be run as containers within the container platform.

Description

Remediation - Manual Procedure