Document:Prisma Cloud Compute Edition Administrator’s Guide

Docker Enterprise DISA STIG

Filter

Welcome
- Releases
- Getting started
- Product architecture
- Support lifecycle
- Upcoming support lifecycle changes for Prisma Cloud Compute Edition and modules
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System requirements
- Prisma Cloud container images
- Onebox
- Kubernetes
- OpenShift
- OpenShift
- Console on Fargate
- VMware Tanzu Kubernetes Grid (TKG)
- Docker Swarm
- Amazon ECS
- Windows
- Defender types
- Install Defender
Upgrade
- Upgrade Prisma Cloud
- Upgrade Onebox
- Kubernetes
- OpenShift
- Helm charts
- Docker Swarm
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
- Manually upgrade Docker Swarm Defenders
Technology overviews
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Custom certs for Console access
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire settings
Authentication
- Logging into Prisma Cloud
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
- Use custom certificates for authorization
- Credentials store
Vulnerability management
- Malware scanning
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Customize image scanning
- Configure registry scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Amazon EC2 Container Registry (ECR)
  - Azure Container Registry (ACR)
  - Docker Registry v2
  - Google Container Registry (GCR)
  - Harbor
  - IBM Cloud Container Registry
  - Scan images on Artifactory Docker Registry
  - OpenShift integrated Docker registry
  - Trigger registry scans with webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Google Cloud Container Builder
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan Fargate tasks
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- Docker Enterprise DISA STIG
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- Fargate scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for AWS Fargate
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Event Aggregation
- Incident Explorer
- Incident types
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CloudBees Core pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploying WAAS
- Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- WAAS custom rules
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Install Console with twistcli
- Update the Intelligence Stream in offline environments
Deployment patterns
- Projects
- Migration options for scale projects
- Best practices for DNS and certificate management
- Caps
- Migrating to a SaaS Console
- Performance planning
- Automated deployment
- High Availability and Disaster Recovery guidelines
API
Howto
- Configure an AWS Classic Load Balancer for ECS
- Configure the load balancer type for AWS EKS
- Deploy Defenders outside an OpenShift Cluster
- Configure Prisma Cloud Console’s listening ports
- Provision tenant projects in OpenShift
- Configure Prisma Cloud to use Istio Ingress Gateway
- Disable automatic learning
- Performing a rolling upgrade of Defenders
- Debug data

Docker Enterprise DISA STIG

Prisma Cloud supports the Docker Enterprise DISA STIG. STIGs contain technical guidance to lock down systems that might otherwise be vulnerable to attack. This STIG ensures government agencies run Docker Enterprise securely.

For an overview of the STIG, see here. To download the STIG, see here.

Checks

Prisma Cloud offers a compliance template for the Docker Enterprise DISA STIG. In many cases, DISA STIG checks map to checks already supported in the product. In some cases, we’ve implemented checks specficially to support the Docker Enterprise STIG. When configuring your compliance policy, simply select the DISA STIG template to enable all relevant checks.

CAT I

CAT I is a category code for any vulnerability, which when exploited, will directly and immediately result in loss of Confidentiality, Availability, or Integrity. These risks are the most severe.

The following table lists the CAT I checks implemented in Prisma Cloud, and how they map to existing Prisma Cloud checks. All CAT I checks, except DKER-EE-001070, map to CIS Docker Benchmark checks. A separate check has been implemented for DKER-EE-001070 to support the Docker Enterprise STIG.

STIG ID	Prisma Cloud ID	Description
DKER-EE-001070	N/A	FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
DKER-EE-002000	59	Docker Enterprise hosts network namespace must not be shared.
DKER-EE-002030	512	All Docker Enterprise containers root filesystem must be mounted as read only.
DKER-EE-002040	517	Docker Enterprise host devices must not be directly exposed to containers.
DKER-EE-002070	521	The Docker Enterprise default seccomp profile must not be disabled.
DKER-EE-002080	224	Docker Enterprise exec commands must not be used with privileged option.
DKER-EE-002110	525	All Docker Enterprise containers must be restricted from acquiring additional privileges.
DKER-EE-002120	530	The Docker Enterprise hosts user namespace must not be shared.
DKER-EE-002130	531	The Docker Enterprise socket must not be mounted inside any containers.
DKER-EE-002150	57	Docker Enterprise privileged ports must not be mapped within containers.
DKER-EE-005170	31	Docker Enterprise docker.service file ownership must be set to root:root.
DKER-EE-005190	33	Docker Enterprise docker.socket file ownership must be set to root:root.
DKER-EE-005210	35	Docker Enterprise /etc/docker directory ownership must be set to root:root.
DKER-EE-005230	37	Docker Enterprise registry certificate file ownership must be set to root:root.
DKER-EE-005250	39	Docker TLS certificate authority (CA) certificate file ownership must be set to root:root
DKER-EE-005270	311	Docker server certificate file ownership must be set to root:root
DKER-EE-005300	314	Docker server certificate key file permissions must be set to 400
DKER-EE-005310	315	Docker Enterprise socket file ownership must be set to root:docker.
DKER-EE-005320	316	Docker Enterprise socket file permissions must be set to 660 or more restrictive.
DKER-EE-005330	317	Docker Enterprise daemon.json file ownership must be set to root:root.
DKER-EE-005340	318	Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive.
DKER-EE-005350	319	Docker Enterprise /etc/default/docker file ownership must be set to root:root.
DKER-EE-005360	320	Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive.

CAT II

CAT II is a category code for any vulnerability, which when exploited, has a potential to result in loss of Confidentiality, Availability, or Integrity.

The following table lists the CAT 1 checks implemented in Prisma Cloud, and how they map to existing checks. Some CAT 1 checks don’t map to any existing checks, and have been implemented specifically for this DISA STIG.

STIG ID	Prisma Cloud ID	Description
DKER-EE-001050	26	TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
DKER-EE-001240	515	The Docker Enterprise hosts process namespace must not be shared.
DKER-EE-001250	516	The Docker Enterprise hosts IPC namespace must not be shared.
DKER-EE-001800	24	The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
DKER-EE-001810	25	On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.
DKER-EE-001830	218	The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
DKER-EE-001840	221	Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
DKER-EE-001930	51	An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.
DKER-EE-001940	52	SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.
DKER-EE-001950	53	Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.
DKER-EE-001960	54	Privileged Linux containers must not be used for Docker Enterprise.
DKER-EE-001970	56	SSH must not run within Linux containers for Docker Enterprise.
DKER-EE-001990	58	Only required ports must be open on the containers in Docker Enterprise.
DKER-EE-002010	510	Memory usage for all containers must be limited in Docker Enterprise.
DKER-EE-002050	519	Mount propagation mode must not set to shared in Docker Enterprise.
DKER-EE-002060	520	The Docker Enterprise hosts UTS namespace must not be shared.
DKER-EE-002100	524	cgroup usage must be confirmed in Docker Enterprise.
DKER-EE-002160	513	Docker Enterprise incoming container traffic must be bound to a specific host interface.
DKER-EE-002400	223	Docker Enterprise Swarm manager must be run in auto-lock mode.
DKER-EE-002770	406	Docker Enterprise container health must be checked at runtime.
DKER-EE-002780	528	PIDs cgroup limits must be used in Docker Enterprise.
DKER-EE-003200	41	Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.
DKER-EE-004030	514	The on-failure container restart policy must be is set to 5 in Docker Enterprise.
DKER-EE-004040	518	The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP).
DKER-EE-005180	32	Docker Enterprise docker.service file permissions must be set to 644 or more restrictive.
DKER-EE-005200	34	Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.
DKER-EE-005220	36	Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive.
DKER-EE-005240	38	Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive.
DKER-EE-005260	310	Docker TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive
DKER-EE-005280	312	Docker server certificate file permissions must be set to 444 or more restrictive
DKER-EE-005290	313	Docker server certificate key file ownership must be set to root:root
DKER-EE-006270	217	Docker Enterprise Swarm services must be bound to a specific host interface.

CAT III

CAT III is a category code for any vulnerability, which when it exists, degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

The following table lists the CAT III checks implemented in Prisma Cloud, and how they map to existing Prisma Cloud checks. All checks map to CIS Docker Benchmark checks.

STIG ID	Prisma Cloud ID	Description
DKER-EE-002020	511	Docker Enterprise CPU priority must be set appropriately on all containers.

Enable DISA STIG for Docker Enterprise checks

DISA STIG for Docker Enterprise checks have been grouped into a template. Checks are relevant to containers, images, and hosts.

Log into Console.

Enable the container checks.

Go to Defend > Compliance > Containers and images > {Deployed | CI}
.

Click Add rule
.

Enter a rule name.

In the Compliance template

Document:Prisma Cloud Compute Edition Administrator’s Guide

Docker Enterprise DISA STIG

Table of Contents

Docker Enterprise DISA STIG

Checks

CAT I

CAT II

CAT III

Enable DISA STIG for Docker Enterprise checks