UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Prisma Cloud Compute must prevent unauthorized and unintended information transfer.


Overview

Finding ID Version Rule ID IA Controls Severity
V-253540 CNTR-PC-000850 SV-253540r840458_rule Medium
Description
Prisma Cloud Compute Compliance policies must be enabled to ensure running containers do not access privileged resources. Satisfies: SRG-APP-000243-CTR-000595, SRG-APP-000243-CTR-000600, SRG-APP-000246-CTR-000605, SRG-APP-000342-CTR-000775
STIG Date
Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide 2022-08-24

Details

Check Text ( C-56992r840456_chk )
Navigate to Prisma Cloud Compute Console's Defend >> Compliance >> Containers and images tab >> Deployed tab.

For each rule name, click the rule and confirm the following checks:
(Filter on ID)
ID = 54: Do not use privileged container
ID = 5525: Restrict container from acquiring additional privileges are not configured
ID = 59: Do not share the host's network namespace
ID = 515: Do not share the host's process namespace
ID = 516: Do not share the host's IPC namespace
ID = 517: Do not directly expose host devices to containers
ID = 520: Do not share the host's UTS namespace
ID = 530: Do not share the host's user namespaces
ID = 55: Do not mount sensitive host system directories on containers
ID = 57: Do not map privileged ports within containers
ID = 5510: Limit memory usage for container
ID = 5511: Set container CPU priority appropriately
ID = 599: Container is running as root
ID = 41 Image should be created with a non-root user

If the action for each rule is set to "Ignore", this is a finding.
Fix Text (F-56943r840457_fix)
Navigate to Prisma Cloud Compute Console's Defend >> Compliance >> Containers and images tab >> Deployed tab.

Change action:
(Click the rule name)


ID = 54 - Description (Do not use privileged container)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 5525 - Description (Restrict container from acquiring additional privileges are not configured)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 59 - Description (Do not share the host's network namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 515 - Description (Do not share the host's process namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 516 - Description (Do not share the host's IPC namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 517 - Description (Do not directly expose host devices to containers)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 520 - Description (Do not share the host's UTS namespace)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 530 - Description (Do not share the host's user namespaces)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 55 - Description (Do not mount sensitive host system directories on containers)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 57 - Description (Do not map privileged ports within containers)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 5510 - Description (Limit memory usage for container)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 5511 - Description (Set container CPU priority appropriately)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 599 - Description (Container is running as root)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".

ID = 41 - Description (Image should be created with a non-root user)
Change Action to "Alert" or "Block" (based on organizational needs).
Click "Save".