UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Prisma Cloud Compute must run within a defined/separate namespace (e.g., Twistlock).


Overview

Finding ID Version Rule ID IA Controls Severity
V-253547 CNTR-PC-001380 SV-253547r961608_rule Medium
Description
Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Prisma Cloud Compute containers running within a separate and exclusive namespace will inherit the namespace's security features. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive actions by authorized users.
STIG Date
Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-56999r840477_chk )
Inspect the Kubernetes namespace in which Prisma Cloud Compute is deployed:

$ kubectl get pods -n twistlock
NAME READY STATUS RESTARTS AGE
twistlock-console-855744b66b-xs9cm 1/1 Running 0 4d6h
twistlock-defender-ds-99zj7 1/1 Running 0 58d
twistlock-defender-ds-drsh8 1/1 Running 0 58d

Inspect the list of pods.

If a non-Prisma Cloud Compute (does not start with "twistlock") pod is running in the same namespace, this is a finding.
Fix Text (F-56950r840478_fix)
Deploy the Prisma Cloud Compute Console and Defender containers within a distinct namespace.