Prisma Cloud Compute must use TCP ports above 1024.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253534	CNTR-PC-000500	SV-253534r840440_rule		Medium

Description
Privileged ports are ports below 1024 that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. The container platform must stop containers that try to map to these ports directly. Allowing nonprivileged ports to be mapped to the container-privileged port is the allowable method when a certain port is needed. Prisma Cloud Compute default TCP ports are 8083 (Console UI and API) and 8084 (Console-to-Defender communication). To use TCP ports below 1024, the Console would have to be configured to use privileged ports.

Description

Privileged ports are ports below 1024 that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. The container platform must stop containers that try to map to these ports directly. Allowing nonprivileged ports to be mapped to the container-privileged port is the allowable method when a certain port is needed. Prisma Cloud Compute default TCP ports are 8083 (Console UI and API) and 8084 (Console-to-Defender communication). To use TCP ports below 1024, the Console would have to be configured to use privileged ports.

STIG	Date
Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide	2022-08-24

Details

Check Text ( C-56986r840438_chk )
For Kubernetes deployment: Query the ports used by the twistlock-console service: $ kubectl describe svc twistlock-console -n twistlock If any port number is below 1024, this is a finding. For Docker deployment: Determine the name of the Console container: docker ps\|grep console For example, the Console container is: ad8b41a2fec9 ad8b41a2fec9 twistlock/private:console_22_01_840 Inspect the container's PortBindings: docker inspect ad8b41a2fec9\|grep PortBindings -A 20 If the port is below 1024, this is a finding.

Check Text ( C-56986r840438_chk )

For Kubernetes deployment:

Query the ports used by the twistlock-console service:
$ kubectl describe svc twistlock-console -n twistlock

If any port number is below 1024, this is a finding.

For Docker deployment:

Determine the name of the Console container:
docker ps|grep console

For example, the Console container is: ad8b41a2fec9
ad8b41a2fec9
twistlock/private:console_22_01_840

Inspect the container's PortBindings:
docker inspect ad8b41a2fec9|grep PortBindings -A 20

If the port is below 1024, this is a finding.

Fix Text (F-56937r840439_fix)
For Kubernetes deployment: Edit the deployment.apps/twistlock-console. Find the - name: TargetPorts below 1024. Change to port number above 1024. Save and exit the editing session. The Console will restart automatically. For Docker deployment: Modify the twistlock.cfg located in the extracted release tar directory. Change any port assignment below 1024 to above 1024: MANAGEMENT_PORT_HTTP= MANAGEMENT_PORT_HTTPS=8083 COMMUNICATION_PORT=8084 Redeploy the Console using the twistlock.sh script in the extracted release tar directory: $ sudo ./twisltock.sh -sy onebox

Fix Text (F-56937r840439_fix)

For Kubernetes deployment:

Edit the deployment.apps/twistlock-console.

Find the - name: TargetPorts below 1024.

Change to port number above 1024.

Save and exit the editing session. The Console will restart automatically.

For Docker deployment:

Modify the twistlock.cfg located in the extracted release tar directory.

Change any port assignment below 1024 to above 1024:
MANAGEMENT_PORT_HTTP=
MANAGEMENT_PORT_HTTPS=8083
COMMUNICATION_PORT=8084

Redeploy the Console using the twistlock.sh script in the extracted release tar directory:
$ sudo ./twisltock.sh -sy onebox