DISA STIG compliance checks

Prisma Cloud supports the Docker Enterprise 2.x Linux/Unix STIG - Ver 2, Rel 1 and the Kubernetes STIG - Ver 1, Rel 2 compliance checks. Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs) contain technical guidance to lock down systems that might otherwise be vulnerable to attack. These STIGs help ensure your environments are properly secured, based on Department of Defense guidance. Prisma Cloud will continue to incorportate DISA STIG guidance as existing STIGs are updated and new STIGs are published.
For an overview of the STIG, see here.
To download the STIGs, see here.

Checks

Prisma Cloud Compute has a compliance template "DISA STIG" for images, containers and hosts. This compliance template maps individual STIG rules to existing compliance checks within Compute. In some cases, we’ve implemented checks specficially to support the STIGs. When configuring your compliance policy, simply select the DISA STIG template to enable ("Alert") all relevant checks.

CAT I

CAT I is a category code for any vulnerability, which when exploited, will directly and immediately result in loss of Confidentiality, Availability, or Integrity. These risks are the most severe.
The following table lists the CAT I checks implemented in Prisma Cloud, and how they map to existing Prisma Cloud checks. All CAT I checks, except DKER-EE-001070, map to CIS Docker Benchmark checks. A separate check has been implemented for DKER-EE-001070 to support the Docker Enterprise STIG.
STIG ID
Prisma Cloud ID
Description
DKER-EE-001070
N/A
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
DKER-EE-002000
59
Docker Enterprise hosts network namespace must not be shared.
DKER-EE-002030
512
All Docker Enterprise containers root filesystem must be mounted as read only.
DKER-EE-002040
517
Docker Enterprise host devices must not be directly exposed to containers.
DKER-EE-002070
521
The Docker Enterprise default seccomp profile must not be disabled.
DKER-EE-002080
224
Docker Enterprise exec commands must not be used with privileged option.
DKER-EE-002110
525
All Docker Enterprise containers must be restricted from acquiring additional privileges.
DKER-EE-002120
530
The Docker Enterprise hosts user namespace must not be shared.
DKER-EE-002130
531
The Docker Enterprise socket must not be mounted inside any containers.
DKER-EE-002150
57
Docker Enterprise privileged ports must not be mapped within containers.
DKER-EE-005170
31
Docker Enterprise docker.service file ownership must be set to root:root.