
Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PPSM CAL).


Overview

Finding ID: V-253522
Version: CNTR-PC-000020
Rule ID: SV-253522r840404_rule
IA Controls:
Severity: High
Description
Communication to Prisma Cloud Compute Console's User Interface (UI) and API is protected by TLS v1.2+ (HTTPS). By default, only HTTPS communication to the Console's UI and API endpoints is enabled. Prisma Cloud Compute TCP port usage is configurable.

Default configuration:
TCP 8081 - Console user interface and API (HTTP); disabled by default.
TCP 8083 - Console user interface and API over TLS v1.2 (HTTPS).
TCP 8084 - Console-to-Defender communication via a mutual TLS v1.2 WebSocket session.

Satisfies: SRG-APP-000014-CTR-000040, SRG-APP-000142-CTR-000325, SRG-APP-000185-CTR-000490, SRG-APP-000645-CTR-001410
STIG: Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
Date: 2022-08-24

Details

Check Text ( C-56974r840402_chk )
For Kubernetes deployment:

Query the ports used by the twistlock-console service:
$ kubectl describe svc twistlock-console -n twistlock

If the TargetPort for management-port-http exists and has a port assignment, this is a finding. For example:
  Port: management-port-http 8081/TCP
  TargetPort: 8081/TCP

For Docker deployment:

Determine the name of the Console container:
docker ps|grep console

For example, the Console container is: ad8b41a2fec9
twistlock/private:console_22_01_840

Inspect the container's PortBindings:
docker inspect ad8b41a2fec9|grep PortBindings -A 20

If port 8081 is listed, this is a finding.
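The two checks above, scripted so they run offline against constructed sample output (an added example, not part of the STIG; the describe and inspect samples are abridged and the function names are my own):

```shell
# Constructed sample: abridged `kubectl describe svc twistlock-console -n twistlock`
# output for a Console that still exposes the HTTP management port (non-compliant).
K8S_SVC_WITH_HTTP='Name:              twistlock-console
Namespace:         twistlock
Port:              management-port-http  8081/TCP
TargetPort:        8081/TCP
Port:              management-port-https  8083/TCP
TargetPort:        8083/TCP
Port:              communication-port  8084/TCP
TargetPort:        8084/TCP'

# Constructed sample after MANAGEMENT_PORT_HTTP has been unset (compliant).
K8S_SVC_HTTPS_ONLY='Name:              twistlock-console
Namespace:         twistlock
Port:              management-port-https  8083/TCP
TargetPort:        8083/TCP
Port:              communication-port  8084/TCP
TargetPort:        8084/TCP'

# Constructed sample: the PortBindings section of `docker inspect <console-id>`
# for a Console that still binds TCP 8081 (non-compliant).
DOCKER_INSPECT_WITH_HTTP='"PortBindings": {
    "8081/tcp": [ { "HostIp": "", "HostPort": "8081" } ],
    "8083/tcp": [ { "HostIp": "", "HostPort": "8083" } ],
    "8084/tcp": [ { "HostIp": "", "HostPort": "8084" } ]
}'

# Kubernetes check: reads describe output on stdin and prints FINDING when a
# "Port:" line named management-port-http carries a port assignment, else PASS.
k8s_check() {
    if awk '$1 == "Port:" && $2 == "management-port-http" && $3 ~ /^[0-9]+\/TCP$/ { f = 1 }
            END { exit !f }'; then
        echo FINDING
    else
        echo PASS
    fi
}

# Docker check: reads inspect output on stdin and mirrors the STIG's
# `grep PortBindings -A 20`, printing FINDING when an 8081/tcp binding is present.
docker_check() {
    if grep -A 20 PortBindings | grep -q '"8081/tcp"'; then
        echo FINDING
    else
        echo PASS
    fi
}

printf '%s\n' "$K8S_SVC_WITH_HTTP" | k8s_check            # FINDING
printf '%s\n' "$K8S_SVC_HTTPS_ONLY" | k8s_check           # PASS
printf '%s\n' "$DOCKER_INSPECT_WITH_HTTP" | docker_check  # FINDING
```

On a live system, pipe the real `kubectl describe svc` or `docker inspect` output into the same functions instead of the constructed samples.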
Fix Text (F-56925r840403_fix)
For Kubernetes deployment:

Edit the deployment.apps/twistlock-console.

Find the `- name: MANAGEMENT_PORT_HTTP` setting.

Remove the value assignment (e.g., 8081):
  - name: MANAGEMENT_PORT_HTTP
    value: "8081"

Save and exit the editing session. The Console will restart automatically.

For Docker deployment:

Modify the twistlock.cfg located in the extracted release tar directory.

Remove the value assignment for the MANAGEMENT_PORT_HTTP= variable.

Redeploy the Console using the twistlock.sh script located in the extracted release tar directory.

$ sudo ./twistlock.sh -sy onebox