Prisma Cloud Compute host compliance baseline policies must be set.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-253531 | CNTR-PC-000430 | SV-253531r840431_rule | High |
| Description |
|---|
| Consistent application of Prisma Cloud Compute compliance policies ensures the continual application of policies and the associated effects. Satisfies: SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000310, SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915 |
| STIG | Date |
|---|---|
| Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide | 2022-08-24 |
Details
| Check Text ( C-56983r840429_chk ) |
|---|
| Navigate to Prisma Cloud Compute Console's >> Defend >> Compliance >> Hosts tab >> Running hosts tab. If a "Default - alert on critical and high" rule does not exist, this is a finding. Check all the rules to verify the following Actions are not set to "Ignore". (Click "Rule name".) ID = 8112 - Verify the --anonymous-auth argument is set to false (kube-apiserver) - master node. ID = 8212 - Verify the --anonymous-auth argument is set to false (kubelet) - worker node. ID = 8311 - Verify the --anonymous-auth argument is set to false (federation-apiserver). ID = 81427 - Verify the Kubernetes PKI directory and file ownership are set to root:root. ID = 81428 - Verify the Kubernetes PKI certificate file permissions are set to 644 or more restrictive. ID = 8214 - Verify the --client-ca-file argument is set as appropriate (kubelet). ID = 8227 - Verify the certificate authorities file permissions are set to 644 or more restrictive (kubelet). ID = 8115 - Verify the --kubelet-https argument is set to true (kube-apiserver). ID = 8116 - Verify the --insecure-bind-address argument is not set (kube-apiserver). ID = 8117 - Verify the --insecure-port argument is set to 0 (kube-apiserver) can determine if the Kubernetes API is configured to only listen on the TLS-enabled port (TCP 6443). ID = 8118 - Verify the --secure-port argument is not set to 0 (kube-apiserver). ID = 81122 - Verify the --kubelet-certificate-authority argument is set as appropriate (kube-apiserver). ID = 81123 - Verify the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (kube-apiserver). ID = 81129 - Verify the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (kube-apiserver). ID = 82112 - Verify the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (kubelet). ID = 81141 - Verify the --authorization-mode argument includes RBAC (kube-apiserver). If any of these checks are set to "Ignore", to all host nodes within the intended monitored environment, this is a finding. |
| Fix Text (F-56934r840430_fix) |
|---|
| Navigate to Prisma Cloud Compute Console's >> Defend >> Compliance >> Hosts tab >> Running hosts tab. Add Rule: - Click "Add rule". Name = "Default - alert on critical and high" Scope = "All" - Change Action to the values shown below (Change Action). - Accept the other defaults and click "Save". Change Action: - Click "Rule name". ID = 8112 - Description (--anonymous-auth argument is set to false (kube-apiserver) - master node) - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 8212 - Description (--anonymous-auth argument is set to false (kubelet) - worker node) - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 8311 - Description (--anonymous-auth argument is set to false (federation-apiserver)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 81427 - Description (Kubernetes PKI directory and file ownership is set to root:root). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 81428 - Description (Kubernetes PKI certificate file permissions are set to 644 or more restrictive). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 8214 - Description (--client-ca-file argument is set as appropriate (kubelet)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 8227 - Description (certificate authorities file permissions are set to 644 or more restrictive (kubelet)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 8115 - Description (--kubelet-https argument is set to true (kube-apiserver)) - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 8116 - Description (--insecure-bind-address argument is not set (kube-apiserver)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 8117 - Description (--insecure-port argument is set to 0 (kube-apiserver) can determine if the Kubernetes API is configured to only listen on the TLS enabled port (TCP 6443)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 8118 - Description (--secure-port argument is not set to 0 (kube-apiserver)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 81122 - Description (--kubelet-certificate-authority argument is set as appropriate (kube-apiserver)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 81123 - Description (--kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (kube-apiserver)). ID = 81129 - Description (--tls-cert-file and --tls-private-key-file arguments are set as appropriate (kube-apiserver)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 82112 - Description (--tls-cert-file and --tls-private-key-file arguments are set as appropriate (kubelet)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". ID = 81141 - Description (--authorization-mode argument includes RBAC (kube-apiserver)). - Change Action to "Alert" or "Block" (based on organizational needs). - Click "Save". |