UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.


Overview

Finding ID Version Rule ID IA Controls Severity
V-253524 CNTR-PC-000120 SV-253524r840410_rule Medium
Description
The container platform keystore is used to store credentials that are used to build a trust between the container platform and an external source. This trust relationship is authorized by the organization. If a malicious user were to have access to the container platform keystore, two negative scenarios could develop: 1. Keys not approved could be introduced. 2. Approved keys could be deleted, leading to the introduction of container images from sources the organization never approved. To thwart this threat, it is important to protect the container platform keystore and give access to only individuals and roles approved by the organization. Satisfies: SRG-APP-000033-CTR-000100, SRG-APP-000118-CTR-000240, SRG-APP-000121-CTR-000255, SRG-APP-000133-CTR-000300, SRG-APP-000211-CTR-000530, SRG-APP-000233-CTR-000585, SRG-APP-000340-CTR-000770, SRG-APP-000380-CTR-000900
STIG Date
Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide 2022-08-24

Details

Check Text ( C-56976r840408_chk )
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Users tab.

Inspect the users' role assignments:
- Review role assigned to users. If role and/or the Collection assignment is incorrect, this is a finding.
- If a user is not assigned a role, this is a finding.
- Review users assigned the administrator role. If a user has the administrator role and does not require access, this is a finding.

Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Groups tab.

(Only the Administrator, Operator Prisma Cloud Compute roles have the ability to create/modify policy that could affect runtime behaviors.)

Inspect the groups' role assignments:
- If any users or groups are assigned the Auditor or higher role and do not require access to audit information, this is a finding.
- If a group is not assigned a role, this is a finding.
- If role and/or Collection assignment is incorrect, this is a finding.
- Review groups assigned the Administrator or Operator role. If a group has the Administrator or Operator role and does not require access to Prisma Cloud Compute's Credential Store, this is a finding.
Fix Text (F-56927r840409_fix)
Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Users tab.

- Set the users' role assignments to the ones who have the authority to review the audit data.
- Assign roles to all users and groups.
- Assign administrator and operator roles only to the users requiring the rights to modify the Prisma Cloud Compute's Credential Store.
- Remove the Administrator or Operator role for users who do not require access.

Navigate to Prisma Cloud Compute Console's >> Manage >> Authentication >> Groups tab.

- Set the groups' role assignments to the ones who have the authority to review audit data.
- Assign roles to all users and groups.
- Set the groups' Administrator and Operator role assignments to only to the groups requiring the rights to modify the Prisma Cloud Compute's Credential Store.

Adjust user, group, and Collection assignments to align with organizational policies.