UCF STIG Viewer Logo

Access to Prisma Cloud Compute must be managed based on user need and least privileged  using external identity providers for authentication and grouping to role-based assignments when possible.


Overview

Finding ID Version Rule ID IA Controls Severity
V-253523 CNTR-PC-000030 SV-253523r840407_rule Medium
Description
Integration with an organization's existing identity management policies technologies reduces the threat of account compromise and misuse. Centralized authentication services provide additional functionality to fulfill security requirements: - Multifactor authentication, which is compatible with Rancher MCM. - Disabling users after a period of time. - Encrypted storage and transmission of secure information. - Secure authentication protocols such as LDAP over TLS or LDAPS using FIPS 140-2 approved encryption modules. - PKI-based authentication. Satisfies: SRG-APP-000023-CTR-000055, SRG-APP-000024-CTR-000060, SRG-APP-000025-CTR-000065, SRG-APP-000033-CTR-000095, SRG-APP-000065-CTR-000115, SRG-APP-000068-CTR-000120, SRG-APP-000069-CTR-000125, SRG-APP-000149-CTR-000355, SRG-APP-000150-CTR-000360, SRG-APP-000151-CTR-000365, SRG-APP-000152-CTR-000370, SRG-APP-000163-CTR-000395, SRG-APP-000165-CTR-000405, SRG-APP-000170-CTR-000430, SRG-APP-000173-CTR-000445, SRG-APP-000174-CTR-000450, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000317-CTR-000735, SRG-APP-000318-CTR-000740, SRG-APP-000345-CTR-000785, SRG-APP-000397-CTR-000955
STIG Date
Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide 2022-08-24

Details

Check Text ( C-56975r840405_chk )
Confirm the Prisma Cloud Console has been configured from SAML-based authentication.

Navigate to Prisma Cloud Compute Console's Manage >> Authentication >> Identity Providers tab.

Verify SAML settings are "Enabled" and an identity provider has been configured.

If SAML settings are not enabled and an identity provider has not been configured, this is a finding.
Fix Text (F-56926r840406_fix)
Configure Prisma Cloud Console for SAML-based authentication in which the SAML IdP enforces multifactor authentication (e.g., x509/smartcard authentication).

Navigate to Prisma Cloud Compute Console's Manage >> Authentication >> Identity Providers:
- Click "Add provider".
- For Protocol, select "SAML".
- For Identity provider, select provider.
- Configure the settings and click "Save".
SAML settings = Enabled
 
Configure an SAML identity provider that enforces privileged account multifactor authentication for the Prisma Cloud Compute service provider.