<VulnDiscussion>Prisma Cloud Compute compliance policies must be enabled to ensure running containers do not access privileged host resources: privileged mode, shared host namespaces (network, PID, IPC, UTS, user), host devices and sensitive host directories, privileged host ports, unbounded memory or CPU, or execution as root.
Satisfies: SRG-APP-000243-CTR-000595, SRG-APP-000243-CTR-000600, SRG-APP-000246-CTR-000605, SRG-APP-000342-CTR-000775</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Navigate to Prisma Cloud Compute Console's Defend >> Compliance >> Containers and images tab >> Deployed tab.
Click the rule name to open it, filter on Rule ID, and set the action for each of the following checks:
ID = 54 - Description (Do not use privileged container)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 5525 - Description (Restrict container from acquiring additional privileges are not configured)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 59 - Description (Do not share the host's network namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 515 - Description (Do not share the host's process namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 516 - Description (Do not share the host's IPC namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 517 - Description (Do not directly expose host devices to containers)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 520 - Description (Do not share the host's UTS namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 530 - Description (Do not share the host's user namespaces)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 55 - Description (Do not mount sensitive host system directories on containers)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 57 - Description (Do not map privileged ports within containers)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 5510 - Description (Limit memory usage for container)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 5511 - Description (Set container CPU priority appropriately)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 599 - Description (Container is running as root)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
ID = 41 - Description (Image should be created with a non-root user)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".
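To make concrete what each of the checks above actually tests for, the following added example (not Prisma Cloud's implementation and not part of this STIG) evaluates the same conditions against the JSON that `docker inspect <container>` emits, using Docker's own `HostConfig`, `Config`, and `Mounts` field names. The mapping from check ID to condition is this editor's reading of the check descriptions, the list of sensitive host paths is an assumption, and both sample containers are constructed inline rather than captured from a real host. A container with no findings is one that would pass every rule the fix text enables; the weak sample shows what "Alert" or "Block" would fire on.

```python
"""Approximate the Prisma Cloud Compute checks listed above against
`docker inspect` JSON. Added example; not Prisma's code. Field names are
Docker's; check-to-condition mapping is an assumption from the descriptions."""
import json

# Assumed list of host paths for check 55; Prisma's real list is not reproduced.
SENSITIVE_HOST_PATHS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")

# Host namespaces a container can share (value "host" in HostConfig), by check ID.
HOST_NAMESPACE_FIELDS = {
    "59": "NetworkMode",
    "515": "PidMode",
    "516": "IpcMode",
    "520": "UTSMode",
    "530": "UsernsMode",
}


def _under_sensitive_path(src: str) -> bool:
    """True if a bind-mount source is, or sits below, an assumed sensitive path."""
    for p in SENSITIVE_HOST_PATHS:
        if src == p or (p != "/" and src.startswith(p + "/")):
            return True
    return False


def findings(container: dict) -> dict:
    """Return {check_id: reason} for every listed check this container violates."""
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    out = {}

    if host.get("Privileged"):                                   # check 54
        out["54"] = "started with --privileged"
    if not any("no-new-privileges" in o for o in host.get("SecurityOpt") or []):
        out["5525"] = "no-new-privileges is not set in SecurityOpt"  # check 5525
    for cid, field in HOST_NAMESPACE_FIELDS.items():             # 59/515/516/520/530
        if host.get(field) == "host":
            out[cid] = f"{field}=host shares the host namespace"
    if host.get("Devices"):                                      # check 517
        out["517"] = "host devices passed through: " + ", ".join(
            d.get("PathOnHost", "?") for d in host["Devices"])
    bad_mounts = [m.get("Source", "") for m in container.get("Mounts") or []
                  if _under_sensitive_path(m.get("Source", ""))]
    if bad_mounts:                                               # check 55
        out["55"] = "sensitive host paths mounted: " + ", ".join(bad_mounts)
    low_ports = []
    for bindings in (host.get("PortBindings") or {}).values():  # check 57
        for b in bindings or []:
            try:
                port = int(b.get("HostPort") or 0)
            except ValueError:
                continue
            if 0 < port < 1024:
                low_ports.append(port)
    if low_ports:
        out["57"] = f"privileged host ports mapped: {sorted(low_ports)}"
    if not host.get("Memory"):                                   # check 5510
        out["5510"] = "no memory limit (HostConfig.Memory is 0)"
    if host.get("CpuShares", 0) in (0, 1024):                    # check 5511
        out["5511"] = "CPU shares left at the default"
    # Check 599: an unset Config.User means the image default, assumed root here.
    if (cfg.get("User") or "root").split(":")[0] in ("root", "0"):
        out["599"] = "process runs as root (Config.User unset or root)"
    return out


def image_created_with_nonroot_user(image: dict) -> bool:
    """Check 41 is an image check: `docker inspect <image>` carries the same
    Config.User field, set by the Dockerfile's USER instruction."""
    user = (image.get("Config") or {}).get("User") or ""
    return user.split(":")[0] not in ("", "root", "0")


# Constructed samples shaped like `docker inspect` output (not real captures).
WEAK_CONTAINER = {
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True, "SecurityOpt": None,
        "NetworkMode": "host", "PidMode": "host", "IpcMode": "", "UTSMode": "", "UsernsMode": "",
        "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda", "CgroupPermissions": "rwm"}],
        "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]},
        "Memory": 0, "CpuShares": 0,
    },
    "Mounts": [{"Type": "bind", "Source": "/etc/passwd", "Destination": "/host-passwd"}],
}

HARDENED_CONTAINER = {
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False, "SecurityOpt": ["no-new-privileges:true"],
        "NetworkMode": "bridge", "PidMode": "", "IpcMode": "private", "UTSMode": "", "UsernsMode": "",
        "Devices": [],
        "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]},
        "Memory": 268435456, "CpuShares": 512,
    },
    "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/app/_data", "Destination": "/data"}],
}

if __name__ == "__main__":
    print(json.dumps({"weak": findings(WEAK_CONTAINER),
                      "hardened": findings(HARDENED_CONTAINER)}, indent=2))
```

Against a live host, feed `json.loads(subprocess.check_output(["docker", "inspect", name]))[0]` into `findings()`; the weak sample trips ten of the fourteen checks, the hardened one none. Checks 516, 520 and 530 stay quiet on the weak sample only because its IPC, UTS and user namespaces are not set to `host`, which is exactly the distinction the Console rules draw.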