| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-253548 | High | Prisma Cloud Compute must protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered.<br>Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information... |
| V-253544 | High | Prisma Cloud Compute must be configured to scan images that have not been instantiated as containers. | Prisma Cloud Compute ships with "only scan images with running containers" set to "on". To meet the requirements, "only scan images with running containers" must be set to "off" to disable or remove components that are not required. |
| V-253543 | High | The configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured. | Prisma Cloud Compute's vulnerabilities defense is the set of features that provides both predictive and threat-based active protection for running containers.<br>Consistent application of Prisma Cloud Compute vulnerabilities policies ensures the continual application of policies and the associated effects. Prisma Cloud Compute's configurations must be monitored for configuration drift and... |
| V-253532 | High | The configuration integrity of the container platform must be ensured and compliance policies must be configured. | Consistent application of Prisma Cloud Compute compliance policies ensures the continual application of policies and the associated effects. Prisma Cloud Compute's configurations must be monitored for configuration drift and addressed according to organizational policy.<br>Satisfies: SRG-APP-000133-CTR-000305, SRG-APP-000384-CTR-000915, SRG-APP-000435-CTR-001070, SRG-APP-000472-CTR-001170 |
| V-253531 | High | Prisma Cloud Compute host compliance baseline policies must be set. | Consistent application of Prisma Cloud Compute compliance policies ensures the continual application of policies and the associated effects.<br>Satisfies: SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000310, SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915 |
| V-253529 | High | The configuration integrity of the container platform must be ensured and runtime policies must be configured. | Prisma Cloud Compute's runtime defense is the set of features that provides both predictive and threat-based active protection for running containers.<br>Consistent application of Prisma Cloud Compute runtime policies ensures the continual application of policies and the associated effects. Prisma Cloud Compute's configurations must be monitored for configuration drift and... |
| V-253526 | High | Prisma Cloud Compute Cloud Native Network Firewall (CNNF) automatically monitors layer 4 (TCP) intercontainer communications. Enforcement policies must be created. | Network segmentation and compartmentalization are important parts of a comprehensive defense-in-depth strategy. CNNF works as an east-west firewall for containers. It limits damage by preventing attackers from moving laterally through the environment when they have already compromised the perimeter.<br>Satisfies: SRG-APP-000039-CTR-000110, SRG-APP-000384-CTR-000915 |
| V-253522 | High | Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PPSM CAL). | Communication to Prisma Cloud Compute Console's User Interface (UI) and API is protected by TLS v1.2+ (HTTPS). By default, only HTTPS communication to the Console's UI and API endpoints is enabled.<br>Prisma Cloud Compute TCP port usage is configurable.<br>Default configuration: TCP 8081 Console user interface and API (HTTP) -... |
| V-253552 | Medium | Prisma Cloud Compute release tar distributions must have an associated SHA-256 digest. | Each Prisma Cloud Compute release's tar file has an associated SHA-256 digest hash value to ensure the components have not been modified. |
| V-253551 | Medium | Configuration of Prisma Cloud Compute must be continuously verified. | Prisma Cloud Compute's configuration of Defender deployment must be monitored to ensure monitoring and protection of the environment is in accordance with organizational policy. |
| V-253550 | Medium | Prisma Cloud Compute's Intelligence Stream must be kept up to date. | The Prisma Cloud Compute Console pulls the latest vulnerability and threat information from the Intelligence Stream (intelligence.twistlock.com). The Prisma Cloud Intelligence Stream provides timely vulnerability data collected and processed from a variety of certified upstream sources. |
| V-253549 | Medium | Prisma Cloud Compute must be running the latest release. | Prisma Cloud Compute releases are distributed as Docker images. Each release updates or removes components as needed based on the vulnerabilities associated with the component or the functional need of the component. |
| V-253547 | Medium | Prisma Cloud Compute must run within a defined/separate namespace (e.g., Twistlock). | Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Prisma Cloud Compute containers running within a separate and exclusive namespace will inherit the namespace's security features. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive... |
| V-253546 | Medium | Prisma Cloud Compute Defender containers must run as root. | In certain situations, the nature of the vulnerability scanning may be more intrusive, or the container platform component that is the subject of the scanning may contain highly sensitive information. To protect the sensitive nature of such scanning, Prisma Cloud Compute Defenders perform the vulnerability scanning function. The Defender container... |
| V-253545 | Medium | Prisma Cloud Compute Defender must reestablish communication to the Console via mutual TLS v1.2 WebSocket session. | When the secure WebSocket session between the Prisma Cloud Compute Console and Defenders is disconnected, the Defender will continually attempt to reestablish the session. Without reauthentication, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.<br>The Console must be configured to remove a Defender that has not established... |
| V-253542 | Medium | The node that runs Prisma Cloud Compute containers must have sufficient disk space to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | To ensure sufficient storage capacity in which to write the audit logs, Prisma Cloud Compute must be able to allocate audit record storage capacity. |
| V-253541 | Medium | Prisma Cloud Compute must not write sensitive data to event logs. | The determination of what is sensitive data varies from organization to organization. The organization must ensure the recipients for the event log information have a need to know and the log is sanitized based on the audience. |
| V-253540 | Medium | Prisma Cloud Compute must prevent unauthorized and unintended information transfer. | Prisma Cloud Compute Compliance policies must be enabled to ensure running containers do not access privileged resources.<br>Satisfies: SRG-APP-000243-CTR-000595, SRG-APP-000243-CTR-000600, SRG-APP-000246-CTR-000605, SRG-APP-000342-CTR-000775 |
| V-253539 | Medium | Prisma Cloud Compute must be configured to require local user accounts to use X.509 multifactor authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased.<br>Multifactor authentication requires using two or more factors to achieve authentication.<br>Factors include:<br>(i) something a user knows (e.g., password/PIN);<br>(ii) something a user has (e.g., cryptographic identification device, token); or<br>(iii) something a... |
| V-253538 | Medium | Prisma Cloud Compute local accounts must enforce strong password requirements. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.<br>Password complexity is one factor of several that determine how long it... |
| V-253537 | Medium | Prisma Cloud Compute must be configured with unique user accounts. | Sharing accounts, such as group accounts, reduces the accountability and integrity of Prisma Cloud Compute. |
| V-253536 | Medium | Prisma Cloud Compute Console must run as nonroot user (uid 2674). | Containers not requiring root-level permissions must run as a unique user account. To ensure accountability and prevent unauthenticated access to containers, the user the container is using to execute must be uniquely identified and authenticated to prevent potential misuse and compromise of the system. |
| V-253535 | Medium | All Prisma Cloud Compute users must have a unique, individual account. | Prisma Cloud Compute does not have a default account. During installation, the installer creates an administrator. This account can be removed once other accounts have been added. To ensure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system. |
| V-253534 | Medium | Prisma Cloud Compute must use TCP ports above 1024. | Privileged ports are ports below 1024 that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. The container platform must stop containers that try to map to these ports directly. Allowing nonprivileged ports to be mapped... |
| V-253533 | Medium | Images stored within the container registry must contain only images to be run as containers within the container platform. | The Prisma Cloud Compute Trusted Images feature allows the declaration, by policy, of which registries, repositories, and images to trust and how to respond when untrusted images are started in the organization's environment.<br>Satisfies: SRG-APP-000141-CTR-000320, SRG-APP-000386-CTR-000920 |
| V-253530 | Medium | Prisma Cloud Compute must be configured to send events to the hosts' syslog. | Event log collection is critical in ensuring the security of a containerized environment due to the ephemeral nature of the workloads. In an environment that is continually in flux, audit logs must be properly collected and secured. Prisma Cloud Compute can be configured to send audit events to the host... |
| V-253528 | Medium | Prisma Cloud Compute must be configured for forensic data collection. | Prisma Cloud Compute correlates raw audit data to actionable security intelligence, enabling a more rapid and effective response to incidents. This reduces the manual, time-consuming task of correlating data.<br>Prisma Cloud Forensics is a lightweight distributed data recorder that runs alongside all containers in the environment. Prisma Cloud continuously collects... |
| V-253527 | Medium | Prisma Cloud Compute Defender must be deployed to containerization nodes that are to be monitored. | Container platforms distribute workloads across several nodes. The ability to uniquely identify an event within an environment is critical. Prisma Cloud Compute Container Runtime audits record the time, container, corresponding image, and node where the event occurred.<br>Satisfies: SRG-APP-000097-CTR-000180, SRG-APP-000100-CTR-000200 |
| V-253525 | Medium | Prisma Cloud Compute Collections must be used to partition views and enforce organizational-defined need-to-know access. | Prisma Cloud Compute Collections are used to scope rules to target specific resources in an environment, partition views, and enforce which views specific users and groups can access. Collections can control access to data on a need-to-know basis. |
| V-253524 | Medium | Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders. | The container platform keystore is used to store credentials that are used to build a trust between the container platform and an external source. This trust relationship is authorized by the organization. If a malicious user were to have access to the container platform keystore, two negative scenarios could develop:... |
| V-253523 | Medium | Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible. | Integration with an organization's existing identity management policies and technologies reduces the threat of account compromise and misuse.<br>Centralized authentication services provide additional functionality to fulfill security requirements:<br>- Multifactor authentication.<br>- Disabling users after a period of time.<br>- Encrypted storage and transmission of secure information.<br>- Secure authentication protocols... |